git.openssl.org Git - openssl.git/commit

author	Pauli <pauli@openssl.org>
	Thu, 5 Oct 2023 23:26:23 +0000 (10:26 +1100)
committer	Matt Caswell <matt@openssl.org>
	Tue, 24 Oct 2023 13:32:24 +0000 (14:32 +0100)
commit	f3a7e6c057b5054aa05710f3d528b92e3e885268
tree	8bb8924b1c0813932b1f1560cb816c21583f336d	tree \| snapshot
parent	0bf18140f491024232beca4e139c8feecfe207e9	commit \| diff

evp: process key length and iv length early if present

evp_cipher_init_internal() takes a params array argument and this is processed
late in the initialisation process for some ciphers (AEAD ones).

This means that changing the IV length as a parameter will either truncate the
IV (very bad if SP 800-38d section 8.2.1 is used) or grab extra uninitialised
bytes.

Truncation is very bad if SP 800-38d section 8.2.1 is being used to
contruct a deterministic IV. This leads to an instant loss of confidentiality.

Grabbing extra bytes isn't so serious, it will most likely result in a bad
decryption.

Problem reported by Tony Battersby of Cybernetics.com but earlier discovered
and raised as issue #19822.

Fixes CVE-2023-5363
Fixes #19822

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>