Brad Bishop | 1932369 | 2019-04-05 15:28:33 -0400

Upstream-Status: Backport [https://github.com/openssl/openssl/commit/f426625b6ae9a7831010750490a5f0ad689c5ba3]
Signed-off-by: Ross Burton <ross.burton@intel.com>

From f426625b6ae9a7831010750490a5f0ad689c5ba3 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 5 Mar 2019 14:39:15 +0000
Subject: [PATCH] Prevent over long nonces in ChaCha20-Poly1305

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes. However, it
also incorrectly allows a nonce of up to 16 bytes to be set. In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.

It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks. If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce, then such an application could inadvertently encrypt messages with a
reused nonce.

Additionally, the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
because no such use sets such a long nonce value. However, user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.

CVE: CVE-2019-1543

Fixes #8345

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)
---
 crypto/evp/e_chacha20_poly1305.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

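The hazard the commit message describes (a 13..16 byte nonce whose leading bytes are silently dropped, so two nonces that differ only there collapse to the same 96-bit value) can be checked for in an application's own nonce-management code. The example below is added here and is not OpenSSL's code or part of this patch: `effective_nonce` is a hypothetical model of the pre-fix behaviour stated in the message (front zero-padding below 12 bytes, last-12-bytes truncation up to 16), `ivlen_accepted_after_fix` restates the post-fix length policy from the hunk, and `nonces_collide` is a reuse detector a defender can run over the nonces an application intends to use. The constants `RFC7539_NONCE_LEN` and `PREFIX_MAX_IVLEN` and the constructed 16-byte nonces are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 7539 nonce length, and the pre-fix OpenSSL upper bound (CHACHA_CTR_SIZE). */
#define RFC7539_NONCE_LEN 12
#define PREFIX_MAX_IVLEN  16

/*
 * Hypothetical model of the pre-fix nonce handling described in the commit
 * message: a nonce shorter than 12 bytes is front-padded with zero bytes, and
 * for a nonce of 13..16 bytes only the last 12 bytes are significant.
 * Returns 1 and fills out[] on success, 0 for a length the old code rejected.
 * This is an illustration, not OpenSSL's implementation.
 */
int effective_nonce(const unsigned char *nonce, size_t len,
                    unsigned char out[RFC7539_NONCE_LEN])
{
    if (len == 0 || len > PREFIX_MAX_IVLEN)
        return 0;
    memset(out, 0, RFC7539_NONCE_LEN);
    if (len <= RFC7539_NONCE_LEN)
        memcpy(out + (RFC7539_NONCE_LEN - len), nonce, len);            /* front pad */
    else
        memcpy(out, nonce + (len - RFC7539_NONCE_LEN), RFC7539_NONCE_LEN); /* leading bytes dropped */
    return 1;
}

/* The post-fix policy from the patch: only IV lengths 1..12 are accepted. */
int ivlen_accepted_after_fix(int arg)
{
    return !(arg <= 0 || arg > RFC7539_NONCE_LEN);
}

/*
 * Returns 1 if two application-level nonces map to the same effective 96-bit
 * nonce (a reuse under the old behaviour), 0 if they stay distinct, and -1 if
 * either length is outside what the old code accepted at all.
 */
int nonces_collide(const unsigned char *a, size_t alen,
                   const unsigned char *b, size_t blen)
{
    unsigned char ea[RFC7539_NONCE_LEN], eb[RFC7539_NONCE_LEN];
    if (!effective_nonce(a, alen, ea) || !effective_nonce(b, blen, eb))
        return -1;
    return memcmp(ea, eb, RFC7539_NONCE_LEN) == 0;
}

/*
 * Constructed scenario: an application keeps a 16-byte nonce and increments a
 * counter in the leading 4 bytes, believing each message gets a fresh nonce.
 */
int demo_leading_byte_reuse(void)
{
    unsigned char n1[PREFIX_MAX_IVLEN] = {0};
    unsigned char n2[PREFIX_MAX_IVLEN] = {0};
    n1[3] = 0x01;   /* "message 1" counter in the leading bytes */
    n2[3] = 0x02;   /* "message 2": differs only in bytes the old code ignored */
    return nonces_collide(n1, sizeof n1, n2, sizeof n2);
}

int main(void)
{
    printf("16-byte nonces differing only in leading bytes collide: %d\n",
           demo_leading_byte_reuse());
    printf("IV length 16 accepted after fix: %d, length 12: %d\n",
           ivlen_accepted_after_fix(16), ivlen_accepted_after_fix(12));
    return 0;
}
```

Running the block prints `1` for the collision and `0`/`1` for the two length checks: the two nonces the application considers distinct are the same nonce to the cipher, which is exactly what the patch makes impossible to configure.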
diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
index c1917bb86a6..d3e2c622a1b 100644
--- a/crypto/evp/e_chacha20_poly1305.c
+++ b/crypto/evp/e_chacha20_poly1305.c
@@ -30,6 +30,8 @@ typedef struct {
 
 #define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
 
+#define CHACHA20_POLY1305_MAX_IVLEN 12
+
 static int chacha_init_key(EVP_CIPHER_CTX *ctx,
                            const unsigned char user_key[CHACHA_KEY_SIZE],
                            const unsigned char iv[CHACHA_CTR_SIZE], int enc)
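Review bot: The new `#define CHACHA20_POLY1305_MAX_IVLEN 12` carries no comment explaining why it is deliberately smaller than `CHACHA_CTR_SIZE`, the bound it replaces in the `EVP_CTRL_AEAD_SET_IVLEN` check below, and a later reader could plausibly "harmonise" it back to 16. A one-line comment next to the define, along the lines of `/* RFC 7539: the ChaCha20-Poly1305 nonce is 96 bits; longer IVs were CVE-2019-1543 */`, would record the reason in the code rather than only in the commit message.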
@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
         return 1;
 
     case EVP_CTRL_AEAD_SET_IVLEN:
-        if (arg <= 0 || arg > CHACHA_CTR_SIZE)
+        if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
             return 0;
         actx->nonce_len = arg;
         return 1;
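Review bot: The tightened `EVP_CTRL_AEAD_SET_IVLEN` check is the right fix, but it turns a length of 13..16 from "accepted and silently truncated" into a `return 0` with no error queued, so an application that never checked the ctrl's return value keeps going with whatever `nonce_len` was set before. The diffstat shows only `crypto/evp/e_chacha20_poly1305.c` changed, so the series lacks a regression test asserting that lengths 13..16 are now rejected and 1..12 still accepted; adding one would pin the new bound down and stop the front-padding path for short nonces (unchanged here) from regressing.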