author | Theo Buehler <tb@cvs.openbsd.org> | 2020-04-27 19:31:03 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2020-04-27 19:31:03 +0000 |
commit | 861d0e845bca4cfd167e89dadd0498fd9dbb7b43 (patch) | |
tree | dcee84635e8b0518775526bb961c37729ee3c942 /lib/libcrypto | |
parent | d0151520f3dd730a7d82cd2e3d7c33a44907c4af (diff) |
Disallow the use of zero length IVs in AES-GCM via
EVP_AEAD_CTX_{open,seal}, as this leaks the authentication key.
Issue reported and fix tested by Guido Vranken.
ok beck, jsing
This commit adds a constant to a public header despite library lock,
as discussed with deraadt and sthen.
Diffstat (limited to 'lib/libcrypto')
-rw-r--r-- | lib/libcrypto/evp/e_aes.c | 12 | ||||
-rw-r--r-- | lib/libcrypto/evp/evp.h | 3 | ||||
-rw-r--r-- | lib/libcrypto/evp/evp_err.c | 3 |
3 files changed, 15 insertions, 3 deletions
diff --git a/lib/libcrypto/evp/e_aes.c b/lib/libcrypto/evp/e_aes.c
index 8fddeaaa40a..e1b53c2ce79 100644
--- a/lib/libcrypto/evp/e_aes.c
+++ b/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.39 2019/05/12 15:52:46 tb Exp $ */
+/* $OpenBSD: e_aes.c,v 1.40 2020/04/27 19:31:02 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
  *
@@ -1441,6 +1441,11 @@ aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
 }
 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
+
+ if (nonce_len == 0) {
+ EVPerror(EVP_R_INVALID_IV_LENGTH);
+ return 0;
+ }
 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
@@ -1487,6 +1492,11 @@ aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
 }
 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
+
+ if (nonce_len == 0) {
+ EVPerror(EVP_R_INVALID_IV_LENGTH);
+ return 0;
+ }
 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
diff --git a/lib/libcrypto/evp/evp.h b/lib/libcrypto/evp/evp.h
index 81f89c142b4..f1fe8a1e34b 100644
--- a/lib/libcrypto/evp/evp.h
+++ b/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.78 2019/10/24 15:43:09 jsing Exp $ */
+/* $OpenBSD: evp.h,v 1.79 2020/04/27 19:31:02 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1507,6 +1507,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_INPUT_NOT_INITIALIZED 111
 #define EVP_R_INVALID_DIGEST 152
 #define EVP_R_INVALID_FIPS_MODE 168
+#define EVP_R_INVALID_IV_LENGTH 194
 #define EVP_R_INVALID_KEY_LENGTH 130
 #define EVP_R_INVALID_OPERATION 148
 #define EVP_R_IV_TOO_LARGE 102
diff --git a/lib/libcrypto/evp/evp_err.c b/lib/libcrypto/evp/evp_err.c
index 89f980b7962..2494cf57905 100644
--- a/lib/libcrypto/evp/evp_err.c
+++ b/lib/libcrypto/evp/evp_err.c
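Review bot: The new `if (nonce_len == 0)` guard in aead_aes_gcm_seal carries no comment saying why a zero-length nonce is refused, so a later reader may take it for an arbitrary restriction and relax it; the identical guard in the aead_aes_gcm_open hunk below has the same gap. I would put above the `if` in both places: `/* Reject a zero-length IV: with GCM this leaks the authentication key (see the commit log); SP 800-38D requires 1 <= len(IV). */`. The check sits after the `memcpy` of the GCM state into the local copy; nothing has been fed into that copy yet, so the early return is harmless, but grouping it with the block whose closing `}` opens the hunk (presumably the earlier argument checks, which lie outside the hunk) would keep parameter validation in one place. Both functions begin and continue outside this hunk.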
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_err.c,v 1.25 2019/03/18 05:34:29 tb Exp $ */
+/* $OpenBSD: evp_err.c,v 1.26 2020/04/27 19:31:02 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
  *
@@ -111,6 +111,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = {
 {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) , "input not initialized"},
 {ERR_REASON(EVP_R_INVALID_DIGEST) , "invalid digest"},
 {ERR_REASON(EVP_R_INVALID_FIPS_MODE) , "invalid fips mode"},
+ {ERR_REASON(EVP_R_INVALID_IV_LENGTH) , "invalid iv length"},
 {ERR_REASON(EVP_R_INVALID_KEY_LENGTH) , "invalid key length"},
 {ERR_REASON(EVP_R_INVALID_OPERATION) , "invalid operation"},
 {ERR_REASON(EVP_R_IV_TOO_LARGE) , "iv too large"},