[openssl] OpenSSL_1_1_0-stable update

Matt Caswell matt at openssl.org
Wed Mar 6 15:08:08 UTC 2019


The branch OpenSSL_1_1_0-stable has been updated
       via  09af525c2e8a11a0701d3d80e4d795e03be93606 (commit)
       via  ee22257b1418438ebaf54df98af4e24f494d1809 (commit)
      from  c62896c2c0cbd47ab01693d403e37fe5fe15aab8 (commit)


- Log -----------------------------------------------------------------
commit 09af525c2e8a11a0701d3d80e4d795e03be93606
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 5 14:51:07 2019 +0000

    Test an overlong ChaCha20-Poly1305 nonce
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8406)
    
    (cherry picked from commit a4f0b50eafb256bb802f2724fc7f7580fb0fbabc)

commit ee22257b1418438ebaf54df98af4e24f494d1809
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 5 14:39:15 2019 +0000

    Prevent over long nonces in ChaCha20-Poly1305
    
    ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
    every encryption operation. RFC 7539 specifies that the nonce value (IV)
    should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
    front pads the nonce with 0 bytes if it is less than 12 bytes. However it
    also incorrectly allows a nonce of up to 16 bytes to be set. In this case
    only the last 12 bytes are significant and any additional leading bytes are
    ignored.
    
    It is a requirement of using this cipher that nonce values are unique.
    Messages encrypted using a reused nonce value are susceptible to serious
    confidentiality and integrity attacks. If an application changes the
    default nonce length to be longer than 12 bytes and then makes a change to
    the leading bytes of the nonce expecting the new value to be a new unique
    nonce then such an application could inadvertently encrypt messages with a
    reused nonce.
    
    Additionally the ignored bytes in a long nonce are not covered by the
    integrity guarantee of this cipher. Any application that relies on the
    integrity of these ignored leading bytes of a long nonce may be further
    affected.
    
    Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
    because no such use sets such a long nonce value. However user
    applications that use this cipher directly and set a non-default nonce
    length to be longer than 12 bytes may be vulnerable.
    
    CVE-2019-1543
    
    Fixes #8345
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8406)
    
    (cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/e_chacha20_poly1305.c          | 4 +++-
 test/recipes/30-test_evp_data/evpciph.txt | 8 ++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
index 7fd4f8d..4adc64c 100644
--- a/crypto/evp/e_chacha20_poly1305.c
+++ b/crypto/evp/e_chacha20_poly1305.c
@@ -30,6 +30,8 @@ typedef struct {
 
 #define data(ctx)   ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
 
+#define CHACHA20_POLY1305_MAX_IVLEN     12
+
 static int chacha_init_key(EVP_CIPHER_CTX *ctx,
                            const unsigned char user_key[CHACHA_KEY_SIZE],
                            const unsigned char iv[CHACHA_CTR_SIZE], int enc)
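Review bot: The new CHACHA20_POLY1305_MAX_IVLEN definition has no comment saying why the bound is 12 rather than the 16-byte CHACHA_CTR_SIZE it replaces in the EVP_CTRL_AEAD_SET_IVLEN check in the next hunk; that reasoning currently lives only in the commit message, where a future maintainer will not see it next to the code. Suggest a one-line comment above the define: `/* RFC 7539 nonce is 96 bits; longer values were accepted with their leading bytes silently ignored (CVE-2019-1543) */`. The same comment would also make clear that this is an API limit distinct from the 16-byte counter block the `iv[CHACHA_CTR_SIZE]` parameter of chacha_init_key refers to.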
@@ -357,7 +359,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
         return 1;
 
     case EVP_CTRL_AEAD_SET_IVLEN:
-        if (arg <= 0 || arg > CHACHA_CTR_SIZE)
+        if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
             return 0;
         actx->nonce_len = arg;
         return 1;
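Review bot: The tightened check rejects lengths 13–16 with a bare `return 0`, so an application that previously set such a nonce length now gets a failed EVP_CIPHER_CTX_ctrl with nothing on the error queue, the same silent path the pre-existing `arg <= 0` case uses; a comment on the new line, `/* longer nonces were silently truncated to their last 12 bytes; refuse them */`, would at least explain the rejection to the next reader. Presumably the default nonce_len set at init is already 12, so only explicit SET_IVLEN callers are affected, but that default is not visible in this hunk and is worth confirming. chacha20_poly1305_ctrl starts and ends outside the hunk.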
diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
index 6236a9f..4cf011f 100644
--- a/test/recipes/30-test_evp_data/evpciph.txt
+++ b/test/recipes/30-test_evp_data/evpciph.txt
@@ -2269,3 +2269,11 @@ Tag = e0723bce23528ce6ccb10ff9627038bf
 Plaintext = 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
 Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140
 
+Cipher = chacha20-poly1305
+Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0
+IV = ff000000000102030405060708
+AAD = f33388860000000000004e91
+Tag = e0723bce23528ce6ccb10ff9627038bf
+Plaintext = 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
+Ciphertext = 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
+Result = INVALID_IV_LENGTH
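Review bot: The new vector exercises only a 13-byte IV, so the previously accepted maximum of 16 bytes is not covered, and there is no adjacent 12-byte case pinning the boundary the fix is about (the preceding record may already do so, but it is not visible here). A second record identical to this one except for a 16-byte IV, also expecting `Result = INVALID_IV_LENGTH`, would catch a regression that restores the old CHACHA_CTR_SIZE bound while still rejecting 13.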

