[openssl.org #3087] OpenSSL 1.0.2: seg fault with AES_CBC

Rich Salz via RT
Hi

We've been testing OpenSSL 1.0.2 AES-CBC, and we encountered a seg fault
when the input length is less than a block size.

Looking at e_aes.c, aes_cbc_cipher() doesn't have the length check seen
in aes_ecb_cipher().
I patched aes_cbc_cipher() as follows, and that seems to fix the seg
fault issue.

--- openssl-1.0.1e/crypto/evp/e_aes.c        Tue Jul  2 11:03:12 2013
+++ openssl-1.0.1e/crypto/evp/e_aes.c.new    Tue Jul  2 11:04:56 2013
@@ -574,8 +574,11 @@
  static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
         const unsigned char *in, size_t len)
  {
+       size_t  bl = ctx->cipher->block_size;
         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;

+       if (len<bl)     return 1;
+
         if (dat->stream.cbc)
                 
(*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
         else if (ctx->encrypt)
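
Review bot: the new guard "if (len<bl) return 1;" at the top of aes_cbc_cipher() reports success for any input shorter than one block while writing nothing to out, so the caller cannot tell that 1 to bl-1 bytes were silently dropped. It also leaves lengths above bl that are not a multiple of it (17, for example) untouched, and those still reach (*dat->stream.cbc)(in,out,len,...). Consider returning 1 only for len==0 and returning an error for any other length that is not a multiple of ctx->cipher->block_size. The file headers also name openssl-1.0.1e while the report is against 1.0.2, so the message should say which tree the patch applies to.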


Any help in integrating this fix is much appreciated.

Thank you

-- misaki

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: [openssl.org #3087] OpenSSL 1.0.2: seg fault with AES_CBC

Rich Salz via RT
Hi,

> We've been testing OpenSSL 1.0.2 AES-CBC, and we encountered a seg fault
> when the input length is less than a block size.
>
> Looking at e_aes.c, aes_cbc_cipher() doesn't have the length check seen
> in aes_ecb_cipher().
> I patched aes_cbc_cipher() as follows, and that seems to fix the seg
> fault issue.

Could you elaborate on the SEGV? I mean, basically it shouldn't happen, in
the sense that the caller, which is EVP, should not call this function with
a length non-divisible by the cipher block size. Of course there is the corner
case of 0 being divisible by the cipher block size, so it might be more
appropriate to check for len==0 when returning 1 indicating success,
meaning that ECB might have to be modified accordingly.
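
The two length guards discussed so far, side by side, as an added example that is not part of the original thread or of OpenSSL's code. The function names, the XOR stand-in for the bulk CBC routine and the use of 0 as the rejection return value are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

#define BLOCK 16 /* AES block size in bytes */
enum verdict { V_NOOP_OK, V_REJECT, V_PROCESS };

/* Guard as posted in the patch: short input is reported as success. */
static enum verdict guard_as_posted(size_t len)
{
    return len < BLOCK ? V_NOOP_OK : V_PROCESS;
}

/* Guard along the lines of the reply: only len == 0 is a successful no-op.
 * Rejecting other non-multiples is this example's assumption. */
static enum verdict guard_strict(size_t len)
{
    if (len == 0) return V_NOOP_OK;
    return (len % BLOCK) ? V_REJECT : V_PROCESS;
}

/* Constructed stand-in for a whole-block CBC routine; XOR "cipher", NOT AES. */
static void toy_cbc_encrypt(const unsigned char *in, unsigned char *out,
                            size_t len, unsigned char key, unsigned char *iv)
{
    for (size_t off = 0; off < len; off += BLOCK)
        for (size_t i = 0; i < BLOCK; i++)
            out[off + i] = iv[i] = (unsigned char)(in[off + i] ^ iv[i] ^ key);
}

/* do_cipher-style wrapper: returns 1 on success, 0 on a rejected length. */
static int cbc_cipher_checked(unsigned char *out, const unsigned char *in,
                              size_t len, unsigned char key, unsigned char *iv)
{
    enum verdict v = guard_strict(len);
    if (v == V_PROCESS) toy_cbc_encrypt(in, out, len, key, iv);
    return v != V_REJECT;
}

int main(void)
{
    unsigned char iv[BLOCK] = {0}, buf[2 * BLOCK] = {0}; /* constructed input */
    static const size_t lens[] = { 0, 5, 16, 17, 32 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%2zu posted=%d strict=%d ret=%d\n", lens[i],
               (int)guard_as_posted(lens[i]), (int)guard_strict(lens[i]),
               cbc_cipher_checked(buf, buf, lens[i], 0x5a, iv));
    return 0;
}
```

For len=5 the posted guard returns success with the output untouched, and for len=17 it still hands a partial block to the bulk routine; the strict guard rejects both.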


Re: [openssl.org #3087] OpenSSL 1.0.2: seg fault with AES_CBC

Rich Salz via RT
>> We've been testing OpenSSL 1.0.2 AES-CBC, and we encountered a seg fault
>> when the input length is less than a block size.
>>
>> Looking at e_aes.c, aes_cbc_cipher() doesn't have the length check seen
>> in aes_ecb_cipher().
>> I patched aes_cbc_cipher() as follows, and that seems to fix the seg
>> fault issue.
>
> Could you elaborate on the SEGV? I mean, basically it shouldn't happen, in
> the sense that the caller, which is EVP, should not call this function with
> a length non-divisible by the cipher block size. Of course there is the corner
> case of 0 being divisible by the cipher block size, so it might be more
> appropriate to check for len==0 when returning 1 indicating success,
> meaning that ECB might have to be modified accordingly.

AES-CBC is not the only one that should suffer from this, and for the
moment I've chosen to patch the assembly modules in
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=cc6dc9b2294f7dd59899452470b4bbeaed1eb57d.
Yes, it's kind of a quick-n-dirty resolution, as we arguably need more
sanity checks in *_cipher methods...



Re: [openssl.org #3087] OpenSSL 1.0.2: seg fault with AES_CBC

Misaki Miyashita
Thank you so much for addressing the issue, Andy!

AES-ECB was not suffering from the issue as aes_ecb_cipher() was already
checking the input length.
However, you are right that the problem probably exists in DES as well.

We'll verify your fix and get back to you.

Thank you.

Best Regards,

-- misaki

On 03/07/14 03:56, Andy Polyakov via RT wrote:

>>> We've been testing OpenSSL 1.0.2 AES-CBC, and we encountered a seg fault
>>> when the input length is less than a block size.
>>>
>>> Looking at e_aes.c, aes_cbc_cipher() doesn't have the length check seen
>>> in aes_ecb_cipher().
>>> I patched aes_cbc_cipher() as follows, and that seems to fix the seg
>>> fault issue.
>> Could you elaborate on the SEGV? I mean, basically it shouldn't happen, in
>> the sense that the caller, which is EVP, should not call this function with
>> a length non-divisible by the cipher block size. Of course there is the corner
>> case of 0 being divisible by the cipher block size, so it might be more
>> appropriate to check for len==0 when returning 1 indicating success,
>> meaning that ECB might have to be modified accordingly.
> AES-CBC is not the only one that should suffer from this, and for the
> moment I've chosen to patch the assembly modules in
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=cc6dc9b2294f7dd59899452470b4bbeaed1eb57d.
> Yes, it's kind of a quick-n-dirty resolution, as we arguably need more
> sanity checks in *_cipher methods...