[openssl] OpenSSL_1_1_1-stable update

Matt Caswell matt at openssl.org
Wed Mar 6 15:07:52 UTC 2019


The branch OpenSSL_1_1_1-stable has been updated
       via  f7a6d1122befe9cd1d3de70cb2c19595a701b9aa (commit)
       via  9b10d1bf77b734f15c4ed5d1b619cd598b7c13fc (commit)
       via  f426625b6ae9a7831010750490a5f0ad689c5ba3 (commit)
      from  c9a826d28f8211e86b3b866809e1b30a2de48740 (commit)


- Log -----------------------------------------------------------------
commit f7a6d1122befe9cd1d3de70cb2c19595a701b9aa
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 5 15:41:27 2019 +0000

    Update ChaCha20-Poly1305 documentation
    
    Correctly describe the maximum IV length.
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8406)
    
    (cherry picked from commit 27d5631236325c3fd8a3bd06af282ac496aac64b)

commit 9b10d1bf77b734f15c4ed5d1b619cd598b7c13fc
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 5 14:51:07 2019 +0000

    Test an overlong ChaCha20-Poly1305 nonce
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8406)
    
    (cherry picked from commit a4f0b50eafb256bb802f2724fc7f7580fb0fbabc)

commit f426625b6ae9a7831010750490a5f0ad689c5ba3
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 5 14:39:15 2019 +0000

    Prevent over long nonces in ChaCha20-Poly1305
    
    ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
    every encryption operation. RFC 7539 specifies that the nonce value (IV)
    should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
    front pads the nonce with 0 bytes if it is less than 12 bytes. However it
    also incorrectly allows a nonce to be set of up to 16 bytes. In this case
    only the last 12 bytes are significant and any additional leading bytes are
    ignored.
    
    It is a requirement of using this cipher that nonce values are unique.
    Messages encrypted using a reused nonce value are susceptible to serious
    confidentiality and integrity attacks. If an application changes the
    default nonce length to be longer than 12 bytes and then makes a change to
    the leading bytes of the nonce expecting the new value to be a new unique
    nonce then such an application could inadvertently encrypt messages with a
    reused nonce.
    
    Additionally the ignored bytes in a long nonce are not covered by the
    integrity guarantee of this cipher. Any application that relies on the
    integrity of these ignored leading bytes of a long nonce may be further
    affected.
    
    Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
    because no such use sets such a long nonce value. However user
    applications that use this cipher directly and set a non-default nonce
    length to be longer than 12 bytes may be vulnerable.
    
    CVE-2019-1543
    
    Fixes #8345
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8406)
    
    (cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/e_chacha20_poly1305.c          | 4 +++-
 doc/man3/EVP_EncryptInit.pod              | 4 +++-
 test/recipes/30-test_evp_data/evpciph.txt | 9 +++++++++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
index c1917bb..d3e2c62 100644
--- a/crypto/evp/e_chacha20_poly1305.c
+++ b/crypto/evp/e_chacha20_poly1305.c
@@ -30,6 +30,8 @@ typedef struct {
 
 #define data(ctx)   ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
 
+#define CHACHA20_POLY1305_MAX_IVLEN     12
+
 static int chacha_init_key(EVP_CIPHER_CTX *ctx,
                            const unsigned char user_key[CHACHA_KEY_SIZE],
                            const unsigned char iv[CHACHA_CTR_SIZE], int enc)
@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
         return 1;
 
     case EVP_CTRL_AEAD_SET_IVLEN:
-        if (arg <= 0 || arg > CHACHA_CTR_SIZE)
+        if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
             return 0;
         actx->nonce_len = arg;
         return 1;
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index b43a3e5..faf7bb4 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -436,7 +436,9 @@ The following I<ctrl>s are supported for the ChaCha20-Poly1305 AEAD algorithm.
 
 Sets the nonce length. This call can only be made before specifying the nonce.
 If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum
-nonce length is 16 (B<CHACHA_CTR_SIZE>, i.e. 128-bits).
+nonce length is 12 bytes (i.e. 96-bits). If a nonce of less than 12 bytes is set
+then the nonce is automatically padded with leading 0 bytes to make it 12 bytes
+in length.
 
 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
 
diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
index d117455..ff90acd 100644
--- a/test/recipes/30-test_evp_data/evpciph.txt
+++ b/test/recipes/30-test_evp_data/evpciph.txt
@@ -2506,3 +2506,12 @@ AAD = f33388860000000000004e91
 Tag = e0723bce23528ce6ccb10ff9627038bf
 Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d
 Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140
+
+Cipher = chacha20-poly1305
+Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0
+IV = ff000000000102030405060708
+AAD = f33388860000000000004e91
+Tag = e0723bce23528ce6ccb10ff9627038bf
+Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d
+Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140
+Result = INVALID_IV_LENGTH


More information about the openssl-commits mailing list