
Commit 00d9654

Andy Polyakovmattcaswell
Andy Polyakov
authored andcommitted
crypto/evp: harden AEAD ciphers.
Originally a crash in a 32-bit build was reported for the CHACHA20-POLY1305 cipher. The crash is triggered by a truncated packet and is the result of excessive hashing to the edge of accessible memory. Since the hash operation is read-only, it is not considered to be exploitable beyond a DoS condition. Other ciphers were hardened. Thanks to Robert Święcki for the report. CVE-2017-3731 Reviewed-by: Rich Salz <rsalz@openssl.org>
1 parent f3a7e57 commit 00d9654


2 files changed

+15
-4
lines changed


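--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -1388,10 +1388,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
 /* Correct length for explicit IV */
+if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
+return 0;
 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
 /* If decrypting correct for tag too */
-if (!EVP_CIPHER_CTX_encrypting(c))
+if (!EVP_CIPHER_CTX_encrypting(c)) {
+if (len < EVP_GCM_TLS_TAG_LEN)
+return 0;
 len -= EVP_GCM_TLS_TAG_LEN;
+}
 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
 EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
 }
@@ -1946,10 +1951,15 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
 /* Correct length for explicit IV */
+if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
+return 0;
 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
 /* If decrypting correct for tag too */
-if (!EVP_CIPHER_CTX_encrypting(c))
+if (!EVP_CIPHER_CTX_encrypting(c)) {
+if (len < cctx->M)
+return 0;
 len -= cctx->M;
+}
 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
 EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
 }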
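Review bot: The new `return 0` paths fire after the AAD has already been copied into `EVP_CIPHER_CTX_buf_noconst(c)` by the lines just above the hunk, so a caller that ignores the ctrl's return value and proceeds to cipher would work with the unadjusted record length still sitting in that buffer; presumably the saved AAD length (`gctx->tls_aad_len`, set outside the hunk) should be reset on these paths, e.g. `gctx->tls_aad_len = -1;` before each `return 0;`, so a later cipher call cannot treat the rejected AAD as valid. The same applies to the aes_ccm_ctrl hunk, where the tag length is `cctx->M`. The comment `/* Correct length for explicit IV */` now sits above a rejection as well as a subtraction; `/* Reject records too short to hold the explicit IV, then discount it */` describes both steps. Both aes_gcm_ctrl and aes_ccm_ctrl start and end outside their hunks.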

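--- a/crypto/evp/e_chacha20_poly1305.c
+++ b/crypto/evp/e_chacha20_poly1305.c
@@ -398,6 +398,8 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
 len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 |
 aad[EVP_AEAD_TLS1_AAD_LEN - 1];
 if (!ctx->encrypt) {
+if (len < POLY1305_BLOCK_SIZE)
+return 0;
 len -= POLY1305_BLOCK_SIZE; /* discount attached tag */
 memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2);
 aad = temp;
@@ -407,8 +409,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
 actx->tls_payload_length = len;
 
 /*
-* merge record sequence number as per
-* draft-ietf-tls-chacha20-poly1305-03
+* merge record sequence number as per RFC7905
 */
 actx->key.counter[1] = actx->nonce[0];
 actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);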
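Review bot: The new bound compares `len` against `POLY1305_BLOCK_SIZE`, which only works as a tag-length check because a Poly1305 tag happens to be exactly one block (16 bytes); since that constant now plays two roles in this function, the check deserves a comment such as `/* the tag is one Poly1305 block; a shorter record cannot carry it */` so a later change to either meaning does not silently break the guard. The encrypt branch needs no lower bound, because there `len` is the plaintext length and nothing is subtracted from it. With the check in place, the value stored into `actx->tls_payload_length` in the second hunk can no longer be an underflowed unsigned length, which is the substance of the fix. chacha20_poly1305_ctrl's body begins and continues outside both hunks.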
