authortb <>2019-04-03 15:33:37 +0000
committertb <>2019-04-03 15:33:37 +0000
commit0974fba21e49535e60936c798269b670d2ed764a (patch)
tree8077e8ba614ed3a964beb415a20d1db8a87aecc9
parentcd6dd381f1ef67941eda5e6ff9f13348a913adfb (diff)
Avoid some out of bound accesses in aesni_cbc_hmac_sha1_cipher().
The plen variable can be NO_PAYLOAD_LENGTH == (size_t)-1, so doing tls_aad[plen-4] is no good. Also check that the length of the AAD set via the control interface is equal to 13 since the whole file is written with that case in mind. Note that we no longer use this code in LibreSSL/OpenBSD. We eliminated the use of these control interfaces and stitched cipher modes in libssl a while ago. Problem found by Guido Vranken with his cryptofuzz - thanks! input & ok beck, jsing
-rw-r--r--src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c20
1 files changed, 13 insertions, 7 deletions
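--- a/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.14 2016/11/05 10:47:57 miod Exp $ */
+/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.15 2019/04/03 15:33:37 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
  *
@@ -249,7 +249,11 @@ aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 /* decrypt HMAC|padding at once */
 aesni_cbc_encrypt(in, out, len, &key->ks, ctx->iv, 0);
 
-if (plen) { /* "TLS" mode of operation */
+if (plen == 0 || plen == NO_PAYLOAD_LENGTH) {
+SHA1_Update(&key->md, out, len);
+} else if (plen < 4) {
+return 0;
+} else { /* "TLS" mode of operation */
 size_t inp_len, mask, j, i;
 unsigned int res, maxpad, pad, bitlen;
 int ret = 1;
@@ -459,8 +463,6 @@ aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 ret &= (int)~res;
 #endif
 return ret;
-} else {
-SHA1_Update(&key->md, out, len);
 }
 }
 
@@ -505,7 +507,13 @@ aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 case EVP_CTRL_AEAD_TLS1_AAD:
 {
 unsigned char *p = ptr;
-unsigned int len = p[arg - 2] << 8 | p[arg - 1];
+unsigned int len;
+
+/* RFC 5246, 6.2.3.3: additional data has length 13 */
+if (arg != 13)
+return -1;
+
+len = p[arg - 2] << 8 | p[arg - 1];
 
 if (ctx->encrypt) {
 key->payload_length = len;
@@ -521,8 +529,6 @@ aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 return (int)(((len + SHA_DIGEST_LENGTH +
 AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) - len);
 } else {
-if (arg > 13)
-arg = 13;
 memcpy(key->aux.tls_aad, ptr, arg);
 key->payload_length = arg;
 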
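Review bot: The new `else if (plen < 4) return 0;` branch in aesni_cbc_hmac_sha1_cipher (second hunk) leaves the constant 4 unexplained in the code; the commit message says the TLS branch indexes `tls_aad[plen - 4]`, but a reader of the function will not see that. A comment on the branch would carry that reasoning, e.g. `/* TLS branch below reads tls_aad[plen - 4]; shorter AAD is an error */`, and since aesni_cbc_hmac_sha1_ctrl now rejects any AAD length other than 13, it is worth stating whether the `plen < 4` case is still reachable or is kept as a defensive guard. In the ctrl hunk the `arg != 13` check is placed before `p[arg - 2]` is read, which is the right order; the companion removal of the `arg > 13` clamp in the last hunk relies on `key->aux.tls_aad` holding at least 13 bytes, which the hunk does not show, so a one-line comment at the memcpy naming that assumption would help the next reader. Both enclosing functions start and end outside the hunks.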