Commit 00d96547 authored by Andy Polyakov's avatar Andy Polyakov Committed by Matt Caswell
Browse files

crypto/evp: harden AEAD ciphers. 



Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory. Since hash
operation is read-only it is not considered to be exploitable
beyond a DoS condition. Other ciphers were hardened.

Thanks to Robert Święcki for report.

CVE-2017-3731

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent f3a7e57c

crypto/evp/e_aes.c

+12 −2
Original line number Diff line number Diff line
@@ -1388,10 +1388,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 
                EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8

                | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];

            /* Correct length for explicit IV */

            if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)

                return 0;

            len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;

            /* If decrypting correct for tag too */

            if (!EVP_CIPHER_CTX_encrypting(c))

            if (!EVP_CIPHER_CTX_encrypting(c)) {

                if (len < EVP_GCM_TLS_TAG_LEN)

                    return 0;

                len -= EVP_GCM_TLS_TAG_LEN;

            }

            EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;

            EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;

        }
@@ -1946,10 +1951,15 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 
                EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8

                | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];

            /* Correct length for explicit IV */

            if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)

                return 0;

            len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;

            /* If decrypting correct for tag too */

            if (!EVP_CIPHER_CTX_encrypting(c))

            if (!EVP_CIPHER_CTX_encrypting(c)) {

                if (len < cctx->M)

                    return 0;

                len -= cctx->M;

            }

            EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;

            EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;

        }

crypto/evp/e_chacha20_poly1305.c

+3 −2
Original line number Diff line number Diff line
@@ -398,6 +398,8 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, 
            len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 |

                  aad[EVP_AEAD_TLS1_AAD_LEN - 1];

            if (!ctx->encrypt) {

                if (len < POLY1305_BLOCK_SIZE)

                    return 0;

                len -= POLY1305_BLOCK_SIZE;     /* discount attached tag */

                memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2);

                aad = temp;
@@ -407,8 +409,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, 
            actx->tls_payload_length = len;



            /*

             * merge record sequence number as per

             * draft-ietf-tls-chacha20-poly1305-03

             * merge record sequence number as per RFC7905

             */

            actx->key.counter[1] = actx->nonce[0];

            actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);