author    Andy Polyakov <appro@openssl.org>    2017-01-19 00:17:30 +0100
committer Matt Caswell <matt@openssl.org>    2017-01-26 10:55:03 +0000
commit    51d009043670a627d6abe66894126851cf3690e9 (patch)
tree      9e367ece5bd14d982e2978c4d277508d29d3206f
parent    8957adda165f77589090627d6563796331c0c94b (diff)
download  openssl-new-51d009043670a627d6abe66894126851cf3690e9.tar.gz
crypto/evp: harden RC4_MD5 cipher.
Originally a crash in a 32-bit build was reported for the CHACHA20-POLY1305 cipher. The crash is triggered by a truncated packet and is the result of excessive hashing to the edge of accessible memory (or a bogus MAC value is produced if the x86 MD5 assembly module is involved). Since the hash operation is read-only, it is not considered to be exploitable beyond a DoS condition.

Thanks to Robert Święcki for the report.

CVE-2017-3731

Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r--  crypto/evp/e_rc4_hmac_md5.c  | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
index 5e92855dfd..93cfe3f107 100644
--- a/crypto/evp/e_rc4_hmac_md5.c
+++ b/crypto/evp/e_rc4_hmac_md5.c
@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
len = p[arg - 2] << 8 | p[arg - 1];
if (!ctx->encrypt) {
+ if (len < MD5_DIGEST_LENGTH)
+ return -1;
len -= MD5_DIGEST_LENGTH;
p[arg - 2] = len >> 8;
p[arg - 1] = len;
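Review bot: the new `len < MD5_DIGEST_LENGTH` guard in the decrypt branch is the right fix, since `len` is taken from the peer-supplied record header two lines earlier (`p[arg - 2] << 8 | p[arg - 1]`) and without the guard `len -= MD5_DIGEST_LENGTH` wraps to a huge value on a record shorter than the MAC, but the check carries no comment explaining that; a one-liner such as `/* record shorter than the MAC: truncated, reject */` above the `if` would record the CVE-2017-3731 intent for the next reader. Returning -1 is consistent with the other error paths in this ctrl provided every caller treats a negative return as failure rather than as a length, which is worth confirming on the call sites.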