GCM cipher in provider now fails if passed bad keylength

Fixes #9500

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9512)
This commit is contained in:
Shane Lontis 2019-08-07 11:39:04 +10:00
parent 88f19d86d9
commit e9c116ebcb
2 changed files with 34 additions and 0 deletions

View file

@ -209,6 +209,25 @@ static int gcm_ctx_set_params(void *vctx, const OSSL_PARAM params[])
} }
} }
/*
* TODO(3.0) Temporary solution to address fuzz test crash, which will be
* reworked once the discussion in PR #9510 is resolved. i.e- We need a
* general solution for handling missing parameters inside set_params and
* get_params methods.
*/
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
if (p != NULL) {
int keylen;
if (!OSSL_PARAM_get_int(p, &keylen)) {
PROVerr(0, PROV_R_FAILED_TO_GET_PARAMETER);
return 0;
}
/* The key length can not be modified for gcm mode */
if (keylen != (int)ctx->keylen)
return 0;
}
return 1; return 1;
} }

View file

@ -100,6 +100,20 @@ static int kat_test(void)
&& do_decrypt(gcm_iv, ct, ctlen, tag, taglen); && do_decrypt(gcm_iv, ct, ctlen, tag, taglen);
} }
static int badkeylen_test(void)
{
int ret;
EVP_CIPHER_CTX *ctx = NULL;
const EVP_CIPHER *cipher;
ret = TEST_ptr(cipher = EVP_aes_192_gcm())
&& TEST_ptr(ctx = EVP_CIPHER_CTX_new())
&& TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL))
&& TEST_false(EVP_CIPHER_CTX_set_key_length(ctx, 2));
EVP_CIPHER_CTX_free(ctx);
return ret;
}
#ifdef FIPS_MODE #ifdef FIPS_MODE
static int ivgen_test(void) static int ivgen_test(void)
{ {
@ -116,6 +130,7 @@ static int ivgen_test(void)
int setup_tests(void) int setup_tests(void)
{ {
ADD_TEST(kat_test); ADD_TEST(kat_test);
ADD_TEST(badkeylen_test);
#ifdef FIPS_MODE #ifdef FIPS_MODE
ADD_TEST(ivgen_test); ADD_TEST(ivgen_test);
#endif /* FIPS_MODE */ #endif /* FIPS_MODE */