Skip to content

Commit

Permalink
Don't overflow the output length in EVP_CipherUpdate calls
Browse files Browse the repository at this point in the history
CVE-2021-23840

Reviewed-by: Paul Dale <pauli@openssl.org>
  • Loading branch information
mattcaswell committed Feb 16, 2021
1 parent 481a88f commit 6a51b9e
Show file tree
Hide file tree
Showing 4 changed files with 35 additions and 6 deletions.
3 changes: 2 additions & 1 deletion crypto/err/openssl.txt
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -2283,6 +2283,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
operation not supported for this keytype
EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow
EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
EVP_R_PBKDF2_ERROR:181:pbkdf2 error
EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
Expand Down
27 changes: 27 additions & 0 deletions crypto/evp/evp_enc.c
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
*/

#include <stdio.h>
#include <limits.h>
#include <assert.h>
#include "internal/cryptlib.h"
#include <openssl/evp.h>
Expand Down Expand Up @@ -355,6 +356,19 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
return 1;
} else {
j = bl - i;

/*
* Once we've processed the first j bytes from in, the amount of
* data left that is a multiple of the block length is:
* (inl - j) & ~(bl - 1)
* We must ensure that this amount of data, plus the one block that
* we process from ctx->buf does not exceed INT_MAX
*/
if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE,
EVP_R_OUTPUT_WOULD_OVERFLOW);
return 0;
}
memcpy(&(ctx->buf[i]), in, j);
inl -= j;
in += j;
Expand Down Expand Up @@ -502,6 +516,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
return 0;
}
/*
* final_used is only ever set if buf_len is 0. Therefore the maximum
* length output we will ever see from evp_EncryptDecryptUpdate is
* the maximum multiple of the block length that is <= inl, or just:
* inl & ~(b - 1)
* Since final_used has been set then the final output length is:
* (inl & ~(b - 1)) + b
* This must never exceed INT_MAX
*/
if ((inl & ~(b - 1)) > INT_MAX - b) {
EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);
return 0;
}
memcpy(out, ctx->final, b);
out += b;
fix_len = 1;
Expand Down
4 changes: 3 additions & 1 deletion crypto/evp/evp_err.c
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -239,6 +239,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
"operation not supported for this keytype"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
"operaton not initialized"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),
"output would overflow"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
"partially overlapping buffers"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},
Expand Down
7 changes: 3 additions & 4 deletions include/openssl/evperr.h
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand All @@ -11,9 +11,7 @@
#ifndef HEADER_EVPERR_H
# define HEADER_EVPERR_H

# ifndef HEADER_SYMHACKS_H
# include <openssl/symhacks.h>
# endif
# include <openssl/symhacks.h>

# ifdef __cplusplus
extern "C"
Expand Down Expand Up @@ -179,6 +177,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_ONLY_ONESHOT_SUPPORTED 177
# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
# define EVP_R_OPERATON_NOT_INITIALIZED 151
# define EVP_R_OUTPUT_WOULD_OVERFLOW 184
# define EVP_R_PARTIALLY_OVERLAPPING 162
# define EVP_R_PBKDF2_ERROR 181
# define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179
Expand Down

0 comments on commit 6a51b9e

Please sign in to comment.