Correctly calculate the length of SM2 plaintext given the ciphertext

Previously the length of the SM2 plaintext could be incorrectly calculated.
The plaintext length was calculated by taking the ciphertext length and
taking off an "overhead" value.

The overhead value was assumed to have a "fixed" element of 10 bytes.
This is incorrect since in some circumstances it can be more than 10 bytes.
Additionally the overhead included the length of two integers C1x and C1y,
which were assumed to be the same length as the field size (32 bytes for
the SM2 curve). However in some cases these integers can have an additional
padding byte when the msb is set, to disambiguate them from negative
integers. Additionally the integers can also be less than 32 bytes in
length in some cases.

If the calculated overhead is incorrect and larger than the actual value
this can result in the calculated plaintext length being too small.
Applications are likely to allocate buffer sizes based on this and therefore
a buffer overrun can occur.

CVE-2021-3711

Issue reported by John Ouyang.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>

diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c
index 105dd4ce704d02849a6eefe87a180ba73ed906c9..2c7264e42b633f62534ebf4fb11b6e668f84b749 100644 (file)
--- a/crypto/sm2/sm2_crypt.c
+++ b/crypto/sm2/sm2_crypt.c
@@ -67,29 +67,21 @@ static size_t ec_field_size(const EC_GROUP *group)
     return field_size;
 }
 
-int ossl_sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest,
-                            size_t msg_len, size_t *pt_size)
+int ossl_sm2_plaintext_size(const unsigned char *ct, size_t ct_size,
+                            size_t *pt_size)
 {
-    const size_t field_size = ec_field_size(EC_KEY_get0_group(key));
-    const int md_size = EVP_MD_get_size(digest);
-    size_t overhead;
+    struct SM2_Ciphertext_st *sm2_ctext = NULL;
 
-    if (md_size < 0) {
-        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_DIGEST);
-        return 0;
-    }
-    if (field_size == 0) {
-        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_FIELD);
-        return 0;
-    }
+    sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size);
 
-    overhead = 10 + 2 * field_size + (size_t)md_size;
-    if (msg_len <= overhead) {
+    if (sm2_ctext == NULL) {
         ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING);
         return 0;
     }
 
-    *pt_size = msg_len - overhead;
+    *pt_size = sm2_ctext->C2->length;
+    SM2_Ciphertext_free(sm2_ctext);
+
     return 1;
 }
 

diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h
index 165c01810f8cc20d73d6d19c92a9fc54554dc948..9ab6c0b722364b9e8554e2093675300e6a90bbe6 100644 (file)
--- a/include/crypto/sm2.h
+++ b/include/crypto/sm2.h
@@ -67,8 +67,8 @@ int ossl_sm2_internal_verify(const unsigned char *dgst, int dgstlen,
 int ossl_sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest,
                              size_t msg_len, size_t *ct_size);
 
-int ossl_sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest,
-                            size_t msg_len, size_t *pt_size);
+int ossl_sm2_plaintext_size(const unsigned char *ct, size_t ct_size,
+                            size_t *pt_size);
 
 int ossl_sm2_encrypt(const EC_KEY *key,
                      const EVP_MD *digest,

diff --git a/providers/implementations/asymciphers/sm2_enc.c b/providers/implementations/asymciphers/sm2_enc.c
index c9dba32ffb6c741a7c9056ac60e359b390c021ef..9577d16e8384153c5cbf934c6c6401185f505562 100644 (file)
--- a/providers/implementations/asymciphers/sm2_enc.c
+++ b/providers/implementations/asymciphers/sm2_enc.c
@@ -110,7 +110,7 @@ static int sm2_asym_decrypt(void *vpsm2ctx, unsigned char *out, size_t *outlen,
         return 0;
 
     if (out == NULL) {
-        if (!ossl_sm2_plaintext_size(psm2ctx->key, md, inlen, outlen))
+        if (!ossl_sm2_plaintext_size(in, inlen, outlen))
             return 0;
         return 1;
     }

diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c
index e91a1a489861b4d83a7b0f18004ce69614b34602..22d23b6c5c7e42c5288b87405e0c360e18e42f38 100644 (file)
--- a/test/sm2_internal_test.c
+++ b/test/sm2_internal_test.c
@@ -183,7 +183,7 @@ static int test_sm2_crypt(const EC_GROUP *group,
     if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len))
         goto done;
 
-    if (!TEST_true(ossl_sm2_plaintext_size(key, digest, ctext_len, &ptext_len))
+    if (!TEST_true(ossl_sm2_plaintext_size(ctext, ctext_len, &ptext_len))
             || !TEST_int_eq(ptext_len, msg_len))
         goto done;