Skip to content

Commit 36cf45e

Browse files
committed
Correctly calculate the length of SM2 plaintext given the ciphertext
Previously the length of the SM2 plaintext could be incorrectly calculated. The plaintext length was calculated by taking the ciphertext length and taking off an "overhead" value. The overhead value was assumed to have a "fixed" element of 10 bytes. This is incorrect since in some circumstances it can be more than 10 bytes. Additionally the overhead included the length of two integers C1x and C1y, which were assumed to be the same length as the field size (32 bytes for the SM2 curve). However in some cases these integers can have an additional padding byte when the msb is set, to disambiguate them from negative integers. Additionally the integers can also be less than 32 bytes in length in some cases. If the calculated overhead is incorrect and larger than the actual value this can result in the calculated plaintext length being too small. Applications are likely to allocate buffer sizes based on this and therefore a buffer overrun can occur. CVE-2021-3711 Issue reported by John Ouyang. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
1 parent 4b8a8bb commit 36cf45e

File tree

4 files changed

+12
-20
lines changed

4 files changed

+12
-20
lines changed

crypto/sm2/sm2_crypt.c

+8-16
Original file line numberDiff line numberDiff line change
@@ -67,29 +67,21 @@ static size_t ec_field_size(const EC_GROUP *group)
6767
return field_size;
6868
}
6969

70-
int ossl_sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest,
71-
size_t msg_len, size_t *pt_size)
70+
int ossl_sm2_plaintext_size(const unsigned char *ct, size_t ct_size,
71+
size_t *pt_size)
7272
{
73-
const size_t field_size = ec_field_size(EC_KEY_get0_group(key));
74-
const int md_size = EVP_MD_get_size(digest);
75-
size_t overhead;
73+
struct SM2_Ciphertext_st *sm2_ctext = NULL;
7674

77-
if (md_size < 0) {
78-
ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_DIGEST);
79-
return 0;
80-
}
81-
if (field_size == 0) {
82-
ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_FIELD);
83-
return 0;
84-
}
75+
sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size);
8576

86-
overhead = 10 + 2 * field_size + (size_t)md_size;
87-
if (msg_len <= overhead) {
77+
if (sm2_ctext == NULL) {
8878
ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING);
8979
return 0;
9080
}
9181

92-
*pt_size = msg_len - overhead;
82+
*pt_size = sm2_ctext->C2->length;
83+
SM2_Ciphertext_free(sm2_ctext);
84+
9385
return 1;
9486
}
9587

include/crypto/sm2.h

+2-2
Original file line numberDiff line numberDiff line change
@@ -67,8 +67,8 @@ int ossl_sm2_internal_verify(const unsigned char *dgst, int dgstlen,
6767
int ossl_sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest,
6868
size_t msg_len, size_t *ct_size);
6969

70-
int ossl_sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest,
71-
size_t msg_len, size_t *pt_size);
70+
int ossl_sm2_plaintext_size(const unsigned char *ct, size_t ct_size,
71+
size_t *pt_size);
7272

7373
int ossl_sm2_encrypt(const EC_KEY *key,
7474
const EVP_MD *digest,

providers/implementations/asymciphers/sm2_enc.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -110,7 +110,7 @@ static int sm2_asym_decrypt(void *vpsm2ctx, unsigned char *out, size_t *outlen,
110110
return 0;
111111

112112
if (out == NULL) {
113-
if (!ossl_sm2_plaintext_size(psm2ctx->key, md, inlen, outlen))
113+
if (!ossl_sm2_plaintext_size(in, inlen, outlen))
114114
return 0;
115115
return 1;
116116
}

test/sm2_internal_test.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -183,7 +183,7 @@ static int test_sm2_crypt(const EC_GROUP *group,
183183
if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len))
184184
goto done;
185185

186-
if (!TEST_true(ossl_sm2_plaintext_size(key, digest, ctext_len, &ptext_len))
186+
if (!TEST_true(ossl_sm2_plaintext_size(ctext, ctext_len, &ptext_len))
187187
|| !TEST_int_eq(ptext_len, msg_len))
188188
goto done;
189189

0 commit comments

Comments
 (0)