generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Sanity check EVP_CTRL_AEAD_TLS_AAD

Browse Source 
The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at
least 13 bytes long. Add sanity checks to ensure that the length is at
least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to
represent this length. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c8269881093324b881b81472be037055571f73f3)

Conflicts:
	ssl/record/ssl3_record.c
This commit is contained in:
Matt Caswell 2015-04-27 11:07:06 +01:00
parent 4ce06271aa
commit 1a3701f4fe
7 changed files with 29 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
apps/speed.c
View File

@ -2791,7 +2791,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher)
print_message(alg_name, 0, mblengths[j]); print_message(alg_name, 0, mblengths[j]);
Time_F(START); Time_F(START);
for (count = 0, run = 1; run && count < 0x7fffffff; count++) { for (count = 0, run = 1; run && count < 0x7fffffff; count++) {
unsigned char aad[13]; unsigned char aad[EVP_AEAD_TLS1_AAD_LEN];
EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
size_t len = mblengths[j]; size_t len = mblengths[j];
int packlen; int packlen;
@ -2826,7 +2826,8 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher)
aad[11] = len >> 8; aad[11] = len >> 8;
aad[12] = len; aad[12] = len;
pad = EVP_CIPHER_CTX_ctrl(&ctx, pad = EVP_CIPHER_CTX_ctrl(&ctx,
EVP_CTRL_AEAD_TLS1_AAD, 13, aad); EVP_CTRL_AEAD_TLS1_AAD,
EVP_AEAD_TLS1_AAD_LEN, aad);
EVP_Cipher(&ctx, out, inp, len + pad); EVP_Cipher(&ctx, out, inp, len + pad);
} }
} }

2
crypto/evp/e_aes.c
View File

@ -1227,7 +1227,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
case EVP_CTRL_AEAD_TLS1_AAD: case EVP_CTRL_AEAD_TLS1_AAD:
/* Save the AAD for later use */ /* Save the AAD for later use */
if (arg != 13) if (arg != EVP_AEAD_TLS1_AAD_LEN)
return 0; return 0;
memcpy(c->buf, ptr, arg); memcpy(c->buf, ptr, arg);
gctx->tls_aad_len = arg; gctx->tls_aad_len = arg;

9
crypto/evp/e_aes_cbc_hmac_sha1.c
View File

@ -845,7 +845,12 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
case EVP_CTRL_AEAD_TLS1_AAD: case EVP_CTRL_AEAD_TLS1_AAD:
{ {
unsigned char *p = ptr; unsigned char *p = ptr;
unsigned int len = p[arg - 2] << 8 | p[arg - 1]; unsigned int len;
if (arg != EVP_AEAD_TLS1_AAD_LEN)
return -1;
len = p[arg - 2] << 8 | p[arg - 1];
if (ctx->encrypt) { if (ctx->encrypt) {
key->payload_length = len; key->payload_length = len;
@ -862,8 +867,6 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)
- len); - len);
} else { } else {
if (arg > 13)
arg = 13;
memcpy(key->aux.tls_aad, ptr, arg); memcpy(key->aux.tls_aad, ptr, arg);
key->payload_length = arg; key->payload_length = arg;

7
crypto/evp/e_aes_cbc_hmac_sha256.c
View File

@ -813,6 +813,11 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
unsigned char *p = ptr; unsigned char *p = ptr;
unsigned int len = p[arg - 2] << 8 | p[arg - 1]; unsigned int len = p[arg - 2] << 8 | p[arg - 1];
if (arg != EVP_AEAD_TLS1_AAD_LEN)
return -1;
len = p[arg - 2] << 8 | p[arg - 1];
if (ctx->encrypt) { if (ctx->encrypt) {
key->payload_length = len; key->payload_length = len;
if ((key->aux.tls_ver = if ((key->aux.tls_ver =
@ -828,8 +833,6 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)
- len); - len);
} else { } else {
if (arg > 13)
arg = 13;
memcpy(key->aux.tls_aad, ptr, arg); memcpy(key->aux.tls_aad, ptr, arg);
key->payload_length = arg; key->payload_length = arg;

7
crypto/evp/e_rc4_hmac_md5.c
View File

@ -258,7 +258,12 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
case EVP_CTRL_AEAD_TLS1_AAD: case EVP_CTRL_AEAD_TLS1_AAD:
{ {
unsigned char *p = ptr; unsigned char *p = ptr;
unsigned int len = p[arg - 2] << 8 | p[arg - 1]; unsigned int len;
if (arg != EVP_AEAD_TLS1_AAD_LEN)
return -1;
len = p[arg - 2] << 8 | p[arg - 1];
if (!ctx->encrypt) { if (!ctx->encrypt) {
len -= MD5_DIGEST_LENGTH; len -= MD5_DIGEST_LENGTH;

3
crypto/evp/evp.h
View File

@ -424,6 +424,9 @@ struct evp_cipher_st {
# define EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT 0x1b # define EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT 0x1b
# define EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE 0x1c # define EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE 0x1c
/* RFC 5246 defines additional data to be 13 bytes in length */
# define EVP_AEAD_TLS1_AAD_LEN 13
typedef struct { typedef struct {
unsigned char *out; unsigned char *out;
const unsigned char *inp; const unsigned char *inp;

7
ssl/t1_enc.c
View File

@ -803,7 +803,7 @@ int tls1_enc(SSL *s, int send)
bs = EVP_CIPHER_block_size(ds->cipher); bs = EVP_CIPHER_block_size(ds->cipher);
if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
unsigned char buf[13], *seq; unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq;
seq = send ? s->s3->write_sequence : s->s3->read_sequence; seq = send ? s->s3->write_sequence : s->s3->read_sequence;
@ -827,7 +827,10 @@ int tls1_enc(SSL *s, int send)
buf[10] = (unsigned char)(s->version); buf[10] = (unsigned char)(s->version);
buf[11] = rec->length >> 8; buf[11] = rec->length >> 8;
buf[12] = rec->length & 0xff; buf[12] = rec->length & 0xff;
pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
EVP_AEAD_TLS1_AAD_LEN, buf);
if (pad <= 0)
return -1;
if (send) { if (send) {
l += pad; l += pad;
rec->length += pad; rec->length += pad;