Skip to content
  1. Jun 24, 2019
  3. May 28, 2019
  5. May 22, 2019
  7. May 21, 2019
  9. May 08, 2019
    • Tobias Nießen's avatar
      Allow specifying the tag after AAD in CCM mode · b48e3be9
      Tobias Nießen authored 
      

This change allows to pass the authentication tag after specifying
the AAD in CCM mode. This is already true for the other two supported
AEAD modes (GCM and OCB) and it seems appropriate to match the
behavior.

GCM and OCB also support to set the tag at any point before the call
to `EVP_*Final`, but this won't work for CCM due to a restriction
imposed by section 2.6 of RFC3610: The tag must be set before
actually decrypting data.

This commit also adds a test case for setting the tag after supplying
plaintext length and AAD.

Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7243)

(cherry picked from commit 67c81ec311d696464bdbf4c6d6f8a887a3ddf9f8)
      b48e3be9
  11. Apr 10, 2019
  13. Apr 06, 2019
  15. Mar 27, 2019
  17. Mar 21, 2019
  19. Mar 06, 2019
    • Matt Caswell's avatar
      Prevent over long nonces in ChaCha20-Poly1305 · f426625b
      Matt Caswell authored 
      

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes. However it
also incorrectly allows a nonce to be set of up to 16 bytes. In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.

It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks. If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.

CVE-2019-1543

Fixes #8345

Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit 2a3d0ee9)
      f426625b
  21. Dec 22, 2018
  23. Dec 10, 2018
  25. Nov 20, 2018
  27. Oct 02, 2018
  29. Sep 21, 2018
  31. Sep 13, 2018
  33. Sep 11, 2018
  35. Sep 07, 2018
  37. Sep 06, 2018
  39. Sep 05, 2018
  41. Aug 07, 2018
  43. Aug 06, 2018
  45. Aug 03, 2018
  47. Aug 01, 2018
  49. Jul 12, 2018
  51. Jul 06, 2018
  53. Jun 29, 2018
  55. Jun 20, 2018
  57. Jun 19, 2018
  59. Jun 18, 2018
  61. Jun 08, 2018
  63. Jun 03, 2018
  65. Apr 17, 2018