diff options
| author | tb <> | 2020-04-27 19:31:02 +0000 |
|---|---|---|
| committer | tb <> | 2020-04-27 19:31:02 +0000 |
| commit | 30a0f6e6eb2e9f8944e28e141ddfa6f640033c2c (patch) | |
| tree | 690e769e57ab9ebb2919a9465adde8c1621ffb33 /src/lib | |
| parent | 241295e8155a67d455196dd25c2c9728ad04ca61 (diff) | |
| download | openbsd-30a0f6e6eb2e9f8944e28e141ddfa6f640033c2c.tar.gz openbsd-30a0f6e6eb2e9f8944e28e141ddfa6f640033c2c.tar.bz2 openbsd-30a0f6e6eb2e9f8944e28e141ddfa6f640033c2c.zip | |
Disallow the use of zero length IVs in AES-GCM via
EVP_AEAD_CTX_{open,seal}, as this leaks the authentication key.
Issue reported and fix tested by Guido Vranken.
ok beck, jsing
This commit adds a constant to a public header despite library lock,
as discussed with deraadt and sthen.
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/evp/e_aes.c | 12 | ||||
| -rw-r--r-- | src/lib/libcrypto/evp/evp.h | 3 | ||||
| -rw-r--r-- | src/lib/libcrypto/evp/evp_err.c | 3 |
3 files changed, 15 insertions, 3 deletions
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c index 8fddeaaa40..e1b53c2ce7 100644 --- a/src/lib/libcrypto/evp/e_aes.c +++ b/src/lib/libcrypto/evp/e_aes.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: e_aes.c,v 1.39 2019/05/12 15:52:46 tb Exp $ */ | 1 | /* $OpenBSD: e_aes.c,v 1.40 2020/04/27 19:31:02 tb Exp $ */ |
| 2 | /* ==================================================================== | 2 | /* ==================================================================== |
| 3 | * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. | 3 | * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. |
| 4 | * | 4 | * |
| @@ -1441,6 +1441,11 @@ aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, | |||
| 1441 | } | 1441 | } |
| 1442 | 1442 | ||
| 1443 | memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); | 1443 | memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); |
| 1444 | |||
| 1445 | if (nonce_len == 0) { | ||
| 1446 | EVPerror(EVP_R_INVALID_IV_LENGTH); | ||
| 1447 | return 0; | ||
| 1448 | } | ||
| 1444 | CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); | 1449 | CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); |
| 1445 | 1450 | ||
| 1446 | if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) | 1451 | if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) |
| @@ -1487,6 +1492,11 @@ aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, | |||
| 1487 | } | 1492 | } |
| 1488 | 1493 | ||
| 1489 | memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); | 1494 | memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); |
| 1495 | |||
| 1496 | if (nonce_len == 0) { | ||
| 1497 | EVPerror(EVP_R_INVALID_IV_LENGTH); | ||
| 1498 | return 0; | ||
| 1499 | } | ||
| 1490 | CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); | 1500 | CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); |
| 1491 | 1501 | ||
| 1492 | if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) | 1502 | if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) |
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h index 81f89c142b..f1fe8a1e34 100644 --- a/src/lib/libcrypto/evp/evp.h +++ b/src/lib/libcrypto/evp/evp.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: evp.h,v 1.78 2019/10/24 15:43:09 jsing Exp $ */ | 1 | /* $OpenBSD: evp.h,v 1.79 2020/04/27 19:31:02 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1507,6 +1507,7 @@ void ERR_load_EVP_strings(void); | |||
| 1507 | #define EVP_R_INPUT_NOT_INITIALIZED 111 | 1507 | #define EVP_R_INPUT_NOT_INITIALIZED 111 |
| 1508 | #define EVP_R_INVALID_DIGEST 152 | 1508 | #define EVP_R_INVALID_DIGEST 152 |
| 1509 | #define EVP_R_INVALID_FIPS_MODE 168 | 1509 | #define EVP_R_INVALID_FIPS_MODE 168 |
| 1510 | #define EVP_R_INVALID_IV_LENGTH 194 | ||
| 1510 | #define EVP_R_INVALID_KEY_LENGTH 130 | 1511 | #define EVP_R_INVALID_KEY_LENGTH 130 |
| 1511 | #define EVP_R_INVALID_OPERATION 148 | 1512 | #define EVP_R_INVALID_OPERATION 148 |
| 1512 | #define EVP_R_IV_TOO_LARGE 102 | 1513 | #define EVP_R_IV_TOO_LARGE 102 |
diff --git a/src/lib/libcrypto/evp/evp_err.c b/src/lib/libcrypto/evp/evp_err.c index 89f980b796..2494cf5790 100644 --- a/src/lib/libcrypto/evp/evp_err.c +++ b/src/lib/libcrypto/evp/evp_err.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: evp_err.c,v 1.25 2019/03/18 05:34:29 tb Exp $ */ | 1 | /* $OpenBSD: evp_err.c,v 1.26 2020/04/27 19:31:02 tb Exp $ */ |
| 2 | /* ==================================================================== | 2 | /* ==================================================================== |
| 3 | * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. | 3 | * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. |
| 4 | * | 4 | * |
| @@ -111,6 +111,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = { | |||
| 111 | {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) , "input not initialized"}, | 111 | {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) , "input not initialized"}, |
| 112 | {ERR_REASON(EVP_R_INVALID_DIGEST) , "invalid digest"}, | 112 | {ERR_REASON(EVP_R_INVALID_DIGEST) , "invalid digest"}, |
| 113 | {ERR_REASON(EVP_R_INVALID_FIPS_MODE) , "invalid fips mode"}, | 113 | {ERR_REASON(EVP_R_INVALID_FIPS_MODE) , "invalid fips mode"}, |
| 114 | {ERR_REASON(EVP_R_INVALID_IV_LENGTH) , "invalid iv length"}, | ||
| 114 | {ERR_REASON(EVP_R_INVALID_KEY_LENGTH) , "invalid key length"}, | 115 | {ERR_REASON(EVP_R_INVALID_KEY_LENGTH) , "invalid key length"}, |
| 115 | {ERR_REASON(EVP_R_INVALID_OPERATION) , "invalid operation"}, | 116 | {ERR_REASON(EVP_R_INVALID_OPERATION) , "invalid operation"}, |
| 116 | {ERR_REASON(EVP_R_IV_TOO_LARGE) , "iv too large"}, | 117 | {ERR_REASON(EVP_R_IV_TOO_LARGE) , "iv too large"}, |