
Commit 6a51b9e

committed
Don't overflow the output length in EVP_CipherUpdate calls
CVE-2021-23840 Reviewed-by: Paul Dale <pauli@openssl.org>
1 parent 481a88f commit 6a51b9e


4 files changed

+35
-6
lines changed


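--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -2283,6 +2283,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported
 EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
 operation not supported for this keytype
 EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
+EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow
 EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
 EVP_R_PBKDF2_ERROR:181:pbkdf2 error
 EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\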

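--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -8,6 +8,7 @@
 */
 
 #include <stdio.h>
+#include <limits.h>
 #include <assert.h>
 #include "internal/cryptlib.h"
 #include <openssl/evp.h>
@@ -355,6 +356,19 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
 return 1;
 } else {
 j = bl - i;
+
+/*
+* Once we've processed the first j bytes from in, the amount of
+* data left that is a multiple of the block length is:
+* (inl - j) & ~(bl - 1)
+* We must ensure that this amount of data, plus the one block that
+* we process from ctx->buf does not exceed INT_MAX
+*/
+if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
+EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE,
+EVP_R_OUTPUT_WOULD_OVERFLOW);
+return 0;
+}
 memcpy(&(ctx->buf[i]), in, j);
 inl -= j;
 in += j;
@@ -502,6 +516,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
 EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
 return 0;
 }
+/*
+* final_used is only ever set if buf_len is 0. Therefore the maximum
+* length output we will ever see from evp_EncryptDecryptUpdate is
+* the maximum multiple of the block length that is <= inl, or just:
+* inl & ~(b - 1)
+* Since final_used has been set then the final output length is:
+* (inl & ~(b - 1)) + b
+* This must never exceed INT_MAX
+*/
+if ((inl & ~(b - 1)) > INT_MAX - b) {
+EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);
+return 0;
+}
 memcpy(out, ctx->final, b);
 out += b;
 fix_len = 1;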
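Review bot: Both new guards return 0 without writing `*outl` (the check after `j = bl - i;` in evp_EncryptDecryptUpdate and the one in the final_used path of EVP_DecryptUpdate), so a caller that ignores the return value keeps whatever length it held before the call. Unless `*outl` is already cleared earlier in these functions, whose bodies start outside the hunks, adding `*outl = 0;` before each `return 0;` would make the failure show up as a zero-length output. The two comments could also state that the `& ~(bl - 1)` and `& ~(b - 1)` masks assume a power-of-two block length, because the stated bound is only exact under that assumption. None of the four changed files is a test, so the new EVP_R_OUTPUT_WOULD_OVERFLOW path appears to be unexercised; a regression case for each guard would pin the behaviour.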

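--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -1,6 +1,6 @@
 /*
 * Generated by util/mkerr.pl DO NOT EDIT
-* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -239,6 +239,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
 "operation not supported for this keytype"},
 {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
 "operaton not initialized"},
+{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),
+"output would overflow"},
 {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
 "partially overlapping buffers"},
 {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},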

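--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -1,6 +1,6 @@
 /*
 * Generated by util/mkerr.pl DO NOT EDIT
-* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -11,9 +11,7 @@
 #ifndef HEADER_EVPERR_H
 # define HEADER_EVPERR_H
 
-# ifndef HEADER_SYMHACKS_H
-# include <openssl/symhacks.h>
-# endif
+# include <openssl/symhacks.h>
 
 # ifdef __cplusplus
 extern "C"
@@ -179,6 +177,7 @@ int ERR_load_EVP_strings(void);
 # define EVP_R_ONLY_ONESHOT_SUPPORTED 177
 # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
 # define EVP_R_OPERATON_NOT_INITIALIZED 151
+# define EVP_R_OUTPUT_WOULD_OVERFLOW 184
 # define EVP_R_PARTIALLY_OVERLAPPING 162
 # define EVP_R_PBKDF2_ERROR 181
 # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179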
