openssl/providers
Matt Caswell 36cf45ef3b Correctly calculate the length of SM2 plaintext given the ciphertext

Previously the length of the SM2 plaintext could be incorrectly calculated.
The plaintext length was calculated by taking the ciphertext length and
taking off an "overhead" value.

The overhead value was assumed to have a "fixed" element of 10 bytes.
This is incorrect since in some circumstances it can be more than 10 bytes.
Additionally the overhead included the length of two integers C1x and C1y,
which were assumed to be the same length as the field size (32 bytes for
the SM2 curve). However in some cases these integers can have an additional
padding byte when the msb is set, to disambiguate them from negative
integers. Additionally the integers can also be less than 32 bytes in
length in some cases.

If the calculated overhead is incorrect and larger than the actual value
this can result in the calculated plaintext length being too small.
Applications are likely to allocate buffer sizes based on this and therefore
a buffer overrun can occur.

CVE-2021-3711

Issue reported by John Ouyang.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
2021-08-24 14:22:07 +01:00
common Update copyright year 2021-07-29 15:41:35 +01:00
fips fips: add power up test for TLS 1.3 KDF 2021-08-05 15:44:00 +10:00
implementations Correctly calculate the length of SM2 plaintext given the ciphertext 2021-08-24 14:22:07 +01:00
baseprov.c Update copyright year 2021-04-08 13:04:41 +01:00
build.info Avoid duplicating prov_running.o in libdefault and libcrypto 2021-06-14 09:18:41 +10:00
decoders.inc prov: tag SM2 encoders and decoders as non-FIPS 2021-06-16 14:42:38 +01:00
defltprov.c Add support for camellia cbc cts mode 2021-08-18 08:38:40 +10:00
encoders.inc prov: tag SM2 encoders and decoders as non-FIPS 2021-06-16 14:42:38 +01:00
fips-sources.checksums make update 2021-07-29 15:50:27 +01:00
fips.checksum make update 2021-07-29 15:50:27 +01:00
fips.module.sources make update 2021-07-29 15:50:27 +01:00
legacyprov.c provider: use #define for PBKDF1 algorithm name 2021-07-05 11:49:42 +10:00
nullprov.c null prov: fix gettable param array type. 2020-10-16 10:33:38 +10:00
prov_running.c keygen: add FIPS error state management to conditional self tests 2020-09-12 16:46:51 +10:00
stores.inc prov: prefix all OSSL_DISPATCH tables names with ossl_ 2020-09-29 16:31:46 +10:00