diff options
author | Andy Polyakov <appro@openssl.org> | 2017-01-19 00:20:49 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-01-26 10:54:01 +0000 |
commit | 2198b3a55de681e1f3c23edb0586afe13f438051 (patch) | |
tree | 8db94da0ed2bd6354ba723fc5dc491ad8dd7b614 /crypto/evp/e_aes.c | |
parent | 8e20499629b6bcf868d0072c7011e590b5c2294d (diff) | |
download | openssl-2198b3a55de681e1f3c23edb0586afe13f438051.zip openssl-2198b3a55de681e1f3c23edb0586afe13f438051.tar.gz openssl-2198b3a55de681e1f3c23edb0586afe13f438051.tar.bz2 |
crypto/evp: harden AEAD ciphers.
Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory. Since hash
operation is read-only it is not considered to be exploitable
beyond a DoS condition. Other ciphers were hardened.
Thanks to Robert Święcki for report.
CVE-2017-3731
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/evp/e_aes.c')
-rw-r--r-- | crypto/evp/e_aes.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index c0b0a1e..2e5e4ed 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -1388,10 +1388,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1]; /* Correct length for explicit IV */ + if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) + return 0; len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; /* If decrypting correct for tag too */ - if (!EVP_CIPHER_CTX_encrypting(c)) + if (!EVP_CIPHER_CTX_encrypting(c)) { + if (len < EVP_GCM_TLS_TAG_LEN) + return 0; len -= EVP_GCM_TLS_TAG_LEN; + } EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8; EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff; } @@ -1946,10 +1951,15 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1]; /* Correct length for explicit IV */ + if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN) + return 0; len -= EVP_CCM_TLS_EXPLICIT_IV_LEN; /* If decrypting correct for tag too */ - if (!EVP_CIPHER_CTX_encrypting(c)) + if (!EVP_CIPHER_CTX_encrypting(c)) { + if (len < cctx->M) + return 0; len -= cctx->M; + } EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8; EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff; } |