| 8 | 8 |
|
| 9 | 9 |
Changes between 1.1.1k and 1.1.1l [xx XXX xxxx]
|
| 10 | 10 |
|
| 11 | |
*)
|
|
11 |
*) Fixed an SM2 Decryption Buffer Overflow.
|
|
12 |
|
|
13 |
In order to decrypt SM2 encrypted data an application is expected to call the
|
|
14 |
API function EVP_PKEY_decrypt(). Typically an application will call this
|
|
15 |
function twice. The first time, on entry, the "out" parameter can be NULL and,
|
|
16 |
on exit, the "outlen" parameter is populated with the buffer size required to
|
|
17 |
hold the decrypted plaintext. The application can then allocate a sufficiently
|
|
18 |
sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
|
|
19 |
value for the "out" parameter.
|
|
20 |
|
|
21 |
A bug in the implementation of the SM2 decryption code means that the
|
|
22 |
calculation of the buffer size required to hold the plaintext returned by the
|
|
23 |
first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
|
|
24 |
the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
|
|
25 |
called by the application a second time with a buffer that is too small.
|
|
26 |
|
|
27 |
A malicious attacker who is able present SM2 content for decryption to an
|
|
28 |
application could cause attacker chosen data to overflow the buffer by up to a
|
|
29 |
maximum of 62 bytes altering the contents of other data held after the
|
|
30 |
buffer, possibly changing application behaviour or causing the application to
|
|
31 |
crash. The location of the buffer is application dependent but is typically
|
|
32 |
heap allocated.
|
|
33 |
(CVE-2021-3711)
|
|
34 |
[Matt Caswell]
|
|
35 |
|
|
36 |
*) Fixed various read buffer overruns processing ASN.1 strings
|
|
37 |
|
|
38 |
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
|
|
39 |
structure which contains a buffer holding the string data and a field holding
|
|
40 |
the buffer length. This contrasts with normal C strings which are repesented as
|
|
41 |
a buffer for the string data which is terminated with a NUL (0) byte.
|
|
42 |
|
|
43 |
Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
|
|
44 |
own "d2i" functions (and other similar parsing functions) as well as any string
|
|
45 |
whose value has been set with the ASN1_STRING_set() function will additionally
|
|
46 |
NUL terminate the byte array in the ASN1_STRING structure.
|
|
47 |
|
|
48 |
However, it is possible for applications to directly construct valid ASN1_STRING
|
|
49 |
structures which do not NUL terminate the byte array by directly setting the
|
|
50 |
"data" and "length" fields in the ASN1_STRING array. This can also happen by
|
|
51 |
using the ASN1_STRING_set0() function.
|
|
52 |
|
|
53 |
Numerous OpenSSL functions that print ASN.1 data have been found to assume that
|
|
54 |
the ASN1_STRING byte array will be NUL terminated, even though this is not
|
|
55 |
guaranteed for strings that have been directly constructed. Where an application
|
|
56 |
requests an ASN.1 structure to be printed, and where that ASN.1 structure
|
|
57 |
contains ASN1_STRINGs that have been directly constructed by the application
|
|
58 |
without NUL terminating the "data" field, then a read buffer overrun can occur.
|
|
59 |
|
|
60 |
The same thing can also occur during name constraints processing of certificates
|
|
61 |
(for example if a certificate has been directly constructed by the application
|
|
62 |
instead of loading it via the OpenSSL parsing functions, and the certificate
|
|
63 |
contains non NUL terminated ASN1_STRING structures). It can also occur in the
|
|
64 |
X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.
|
|
65 |
|
|
66 |
If a malicious actor can cause an application to directly construct an
|
|
67 |
ASN1_STRING and then process it through one of the affected OpenSSL functions
|
|
68 |
then this issue could be hit. This might result in a crash (causing a Denial of
|
|
69 |
Service attack). It could also result in the disclosure of private memory
|
|
70 |
contents (such as private keys, or sensitive plaintext).
|
|
71 |
(CVE-2021-3712)
|
|
72 |
[Matt Caswell]
|
| 12 | 73 |
|
| 13 | 74 |
Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
|
| 14 | 75 |
|