Fix out-of-bounds read in ctr_XOR
Looking at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf we see that in the CTR_DRBG_Update() algorithm (internal page number 51), the provided input data is (after truncation to seedlen) xor-d with the key and V vector (of length keylen and blocklen respectively). The comment in ctr_XOR notes that xor-ing with 0 is the identity function, so we can just ignore the case when the provided input is shorter than seedlen. The code in ctr_XOR() then proceeds to xor the key with the input, up to the amount of input present, and computes the remaining input that could be used to xor with the V vector, before accessing a full 16-byte stretch of the input vector and ignoring the calculated length. The correct behavior is to respect the supplied input length and only xor the indicated number of bytes. Reviewed-by:Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3971)
parent
16960a9b
Please register or sign in to comment