author: Benjamin Kaduk <bkaduk@akamai.com> 2017-07-19 17:59:52 -0500
committer: Benjamin Kaduk <kaduk@mit.edu> 2017-07-20 12:12:36 -0500
commit: b8a437ffa09bbf22c04a55015a6d2743cd0b7529 (patch)
tree: 6cae60752292c12053620207e1a330456d238688
parent: 16960a9b17ebc39498d113cd6dd1f83784f018a4 (diff)
Fix out-of-bounds read in ctr_XOR
Looking at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf we see that in the CTR_DRBG_Update() algorithm (internal page number 51), the provided input data is (after truncation to seedlen) xor-d with the key and V vector (of length keylen and blocklen respectively). The comment in ctr_XOR notes that xor-ing with 0 is the identity function, so we can just ignore the case when the provided input is shorter than seedlen.

The code in ctr_XOR() then proceeds to xor the key with the input, up to the amount of input present, and computes the remaining input that could be used to xor with the V vector, before accessing a full 16-byte stretch of the input vector and ignoring the calculated length.

The correct behavior is to respect the supplied input length and only xor the indicated number of bytes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3971)
crypto/rand/drbg_rand.c | 2
1 file changed, 1 insertion, 1 deletion
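As an added example (not OpenSSL's own code) of the bounded update step the commit message describes: the key and V are xor-ed only with the bytes actually supplied, the input is first truncated to seedlen = keylen + blocklen, and the bytes of V beyond the input are left untouched because xor with zero is the identity. The function name, the fixed 16-byte block length and the self-check are assumptions of this example.

```c
#include <stddef.h>

/* Block length of the underlying AES cipher in CTR_DRBG (SP 800-90A). */
#define CTR_DRBG_BLOCKLEN 16

/*
 * XOR provided input into the key K (keylen bytes) and counter V
 * (CTR_DRBG_BLOCKLEN bytes), as in the CTR_DRBG_Update step. Input is
 * truncated to seedlen = keylen + blocklen; shorter input is treated as
 * zero-padded, so trailing bytes of K and V are simply not touched.
 * Every read of in[] stays strictly below inlen. Returns bytes consumed.
 */
static size_t drbg_ctr_xor_update(unsigned char *K, size_t keylen,
                                  unsigned char *V,
                                  const unsigned char *in, size_t inlen)
{
    size_t seedlen = keylen + CTR_DRBG_BLOCKLEN;
    size_t i, n;

    if (in == NULL || inlen == 0)
        return 0;
    if (inlen > seedlen)
        inlen = seedlen;               /* truncate to seedlen */

    /* First keylen bytes go into the key (fewer if input is shorter). */
    n = inlen < keylen ? inlen : keylen;
    for (i = 0; i < n; i++)
        K[i] ^= in[i];
    if (inlen <= keylen)
        return inlen;                  /* nothing left over for V */

    /* Remaining bytes go into V; n <= blocklen because of the truncation. */
    n = inlen - keylen;
    for (i = 0; i < n; i++)
        V[i] ^= in[keylen + i];
    return inlen;
}

/* Self-check with a constructed 20-byte input (0x01..0x14) and AES-128
 * keylen: all 16 key bytes and exactly 4 bytes of V must change. */
int ctr_xor_selfcheck(void)
{
    unsigned char K[16] = {0}, V[16] = {0}, in[20];
    size_t i;

    for (i = 0; i < sizeof(in); i++)
        in[i] = (unsigned char)(i + 1);
    if (drbg_ctr_xor_update(K, 16, V, in, sizeof(in)) != 20)
        return 0;
    return K[0] == 0x01 && K[15] == 0x10 && V[3] == 0x14 && V[4] == 0;
}
```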
diff --git a/crypto/rand/drbg_rand.c b/crypto/rand/drbg_rand.c
index 4ff347c7ea..77d59ec813 100644
--- a/crypto/rand/drbg_rand.c
+++ b/crypto/rand/drbg_rand.c
@@ -77,7 +77,7 @@ static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen)
/* Should never happen */
n = 16;
}
- for (i = 0; i < 16; i++)
+ for (i = 0; i < n; i++)
cctx->V[i] ^= in[i + cctx->keylen];
}
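Review bot: The new bound `i < n` in the V loop is only correct if n was computed just above as the number of input bytes remaining past keylen (inlen - keylen, with the "Should never happen" branch capping it at 16), and that derivation sits outside the visible context; a one-line comment on the loop stating that n is the remaining input length, and that the V bytes left untouched are equivalent to xor with zero, would make the intent clear to the next reader. A regression test that calls ctr_XOR with inlen strictly between keylen and keylen + 16 and checks that only the first inlen - keylen bytes of V change would pin the fix in place.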