[openssl-commits] [openssl] master update

kaduk at mit.edu kaduk at mit.edu
Thu Jul 20 17:18:51 UTC 2017


The branch master has been updated
       via  b8a437ffa09bbf22c04a55015a6d2743cd0b7529 (commit)
       via  16960a9b17ebc39498d113cd6dd1f83784f018a4 (commit)
       via  4468b6ed59a7e2afc145b3d260dfa096cb7eb2eb (commit)
      from  63f483e10d4e04158be234ed431e9f03d707ad82 (commit)


- Log -----------------------------------------------------------------
commit b8a437ffa09bbf22c04a55015a6d2743cd0b7529
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Wed Jul 19 17:59:52 2017 -0500

    Fix out-of-bounds read in ctr_XOR
    
    Looking at
    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
    we see that in the CTR_DRBG_Update() algorithm (internal page number 51),
    the provided input data is (after truncation to seedlen) xor-d with the
    key and V vector (of length keylen and blocklen respectively).  The comment
    in ctr_XOR notes that xor-ing with 0 is the identity function, so we can
    just ignore the case when the provided input is shorter than seedlen.
    
    The code in ctr_XOR() then proceeds to xor the key with the input, up
    to the amount of input present, and computes the remaining input that
    could be used to xor with the V vector, before accessing a full 16-byte
    stretch of the input vector and ignoring the calculated length.  The correct
    behavior is to respect the supplied input length and only xor the
    indicated number of bytes.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3971)

commit 16960a9b17ebc39498d113cd6dd1f83784f018a4
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Wed Jul 19 17:32:08 2017 -0500

    typedef's for RAND_DRBG methods
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3971)

commit 4468b6ed59a7e2afc145b3d260dfa096cb7eb2eb
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Wed Jul 19 17:18:16 2017 -0500

    Remove trailing whitespace from drbgtest.c
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3971)

-----------------------------------------------------------------------

Summary of changes:
 crypto/rand/drbg_rand.c |  2 +-
 crypto/rand/rand_lcl.h  | 11 ++++-------
 include/internal/rand.h | 22 +++++++++++++++-------
 test/drbgtest.c         |  4 ++--
 4 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/crypto/rand/drbg_rand.c b/crypto/rand/drbg_rand.c
index 4ff347c..77d59ec 100644
--- a/crypto/rand/drbg_rand.c
+++ b/crypto/rand/drbg_rand.c
@@ -77,7 +77,7 @@ static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen)
         /* Should never happen */
         n = 16;
     }
-    for (i = 0; i < 16; i++)
+    for (i = 0; i < n; i++)
         cctx->V[i] ^= in[i + cctx->keylen];
 }
 
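Review bot: The bounded loop now depends on `n` having been derived from the remaining input past `cctx->keylen` and clamped to 16 in the lines above, but nothing at the loop itself states that invariant, so a later edit to the clamp could silently reintroduce the over-read. Add a comment directly before the loop: `/* n <= 16 and in[keylen .. keylen + n) lies within inlen, so this read stays in bounds */`. ctr_XOR begins outside the hunk (the computation of `n` and the key-XOR loop are not visible here), so that precondition is taken from the commit message rather than from visible lines and should be confirmed against them. The commit also does not appear to add a regression case for an input whose length falls between keylen and keylen + 16; a known-answer test with such a short additional input would pin the fix.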
diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h
index 0c1aa72..de1f2cd 100644
--- a/crypto/rand/rand_lcl.h
+++ b/crypto/rand/rand_lcl.h
@@ -71,16 +71,13 @@ struct drbg_ctx_st {
     DRBG_CTR_CTX ctr;
 
     /* entropy gathering function */
-    size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
-            int entropy, size_t min_len, size_t max_len);
+    RAND_DRBG_get_entropy_fn get_entropy;
     /* Indicates we have finished with entropy buffer */
-    void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
-
+    RAND_DRBG_cleanup_entropy_fn cleanup_entropy;
     /* nonce gathering function */
-    size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
-            int entropy, size_t min_len, size_t max_len);
+    RAND_DRBG_get_nonce_fn get_nonce;
     /* Indicates we have finished with nonce buffer */
-    void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
+    RAND_DRBG_cleanup_nonce_fn cleanup_nonce;
 };
 
 
diff --git a/include/internal/rand.h b/include/internal/rand.h
index 0d386f6..07568ea 100644
--- a/include/internal/rand.h
+++ b/include/internal/rand.h
@@ -26,14 +26,22 @@ int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
                        const unsigned char *adin, size_t adinlen);
 void RAND_DRBG_free(DRBG_CTX *dctx);
 
+typedef size_t (*RAND_DRBG_get_entropy_fn)(DRBG_CTX *ctx, unsigned char **pout,
+                                           int entropy, size_t min_len,
+                                           size_t max_len);
+typedef void (*RAND_DRBG_cleanup_entropy_fn)(DRBG_CTX *ctx, unsigned char *out,
+                                             size_t olen);
+typedef size_t (*RAND_DRBG_get_nonce_fn)(DRBG_CTX *ctx, unsigned char **pout,
+                                         int entropy, size_t min_len,
+                                         size_t max_len);
+typedef void (*RAND_DRBG_cleanup_nonce_fn)(DRBG_CTX *ctx, unsigned char *out,
+                                           size_t olen);
+
 int RAND_DRBG_set_callbacks(DRBG_CTX *dctx,
-    size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
-                          int entropy, size_t min_len, size_t max_len),
-    void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
-    size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
-                        int entropy, size_t min_len, size_t max_len),
-    void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen)
-    );
+                            RAND_DRBG_get_entropy_fn get_entropy,
+                            RAND_DRBG_cleanup_entropy_fn cleanup_entropy,
+                            RAND_DRBG_get_nonce_fn get_nonce,
+                            RAND_DRBG_cleanup_nonce_fn cleanup_nonce);
 
 int RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval);
 
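Review bot: The four new callback typedefs carry no documentation of their contract: what `entropy` counts (presumably bits), what the `size_t` return value means (presumably the number of bytes placed in `*pout`, with 0 signalling failure), and that the buffer handed back through `*pout` must remain valid until the matching cleanup callback is called with it. Since these types are now the public-facing shape of RAND_DRBG_set_callbacks, a short `/* ... */` block above each pair stating those points would let callback implementers get ownership and error signalling right without reading drbg_rand.c. RAND_DRBG_get_entropy_fn and RAND_DRBG_get_nonce_fn have identical signatures, as do the two cleanup typedefs; if they are intended to stay interchangeable the comment should say so, and if not, a one-line note on why they are kept distinct would prevent someone from collapsing them later.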
diff --git a/test/drbgtest.c b/test/drbgtest.c
index 80d0b8b..37c5bde 100644
--- a/test/drbgtest.c
+++ b/test/drbgtest.c
@@ -323,7 +323,7 @@ static int error_check(DRBG_SELFTEST_DATA *td)
      */
 
     /* Test too small nonce */
-    if (dctx->min_nonce) { 
+    if (dctx->min_nonce) {
         t.noncelen = dctx->min_nonce - 1;
         if (!init(dctx, td, &t)
                 || RAND_DRBG_instantiate(dctx, td->pers, td->perslen) > 0
@@ -366,7 +366,7 @@ static int error_check(DRBG_SELFTEST_DATA *td)
             || !uninstantiate(dctx))
         goto err;
 
-    /* Instantiate again with valid data */ 
+    /* Instantiate again with valid data */
     if (!instantiate(dctx, td, &t))
         goto err;
     reseed_counter_tmp = dctx->reseed_counter;

