openssl/crypto/evp
Matt Caswell f426625b6a Prevent over long nonces in ChaCha20-Poly1305
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes. However, it
also incorrectly allows a nonce of up to 16 bytes to be set. In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.

It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks. If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.

CVE-2019-1543

Fixes #8345

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit 2a3d0ee9d5)
2019-03-06 13:30:39 +00:00
bio_b64.c Set error code on alloc failures 2018-04-03 11:31:16 -04:00
bio_enc.c Update copyright year 2018-04-17 15:18:40 +02:00
bio_md.c Fix invalid function type casts. 2017-12-15 19:33:48 +01:00
bio_ok.c Update copyright year 2018-04-17 15:18:40 +02:00
build.info s390x assembly pack: add KIMD/KLMD code path for sha3/shake 2018-08-06 12:04:52 +02:00
c_allc.c SM4: Add SM4 block cipher to EVP 2017-10-31 15:19:14 +10:00
c_alld.c SHA512/224 and SHA512/256 2018-01-24 07:09:46 +10:00
cmeth_lib.c
digest.c Support setting SM2 ID 2018-09-07 18:12:26 +08:00
e_aes.c typo-fixes: miscellaneous typo fixes 2018-09-21 23:59:02 +02:00
e_aes_cbc_hmac_sha1.c Don't use a ssl specific DRBG anymore 2018-03-19 15:04:40 +01:00
e_aes_cbc_hmac_sha256.c Don't use a ssl specific DRBG anymore 2018-03-19 15:04:40 +01:00
e_aria.c Set error code on alloc failures 2018-04-03 11:31:16 -04:00
e_bf.c
e_camellia.c Update copyright year 2018-02-27 13:59:42 +00:00
e_cast.c
e_chacha20_poly1305.c Prevent over long nonces in ChaCha20-Poly1305 2019-03-06 13:30:39 +00:00
e_des.c Update copyright year 2018-04-03 13:57:12 +01:00
e_des3.c Update copyright year 2018-04-03 13:57:12 +01:00
e_idea.c
e_null.c
e_old.c
e_rc2.c Update copyright year 2018-11-20 13:27:36 +00:00
e_rc4.c
e_rc4_hmac_md5.c
e_rc5.c
e_seed.c
e_sm4.c SM4: Add SM4 block cipher to EVP 2017-10-31 15:19:14 +10:00
e_xcbc_d.c
encode.c Update copyright year 2018-04-17 15:18:40 +02:00
evp_cnf.c
evp_enc.c Prevent calling decryption in an encryption context and vice versa 2018-12-10 10:08:32 +01:00
evp_err.c make update 2018-12-10 10:08:32 +01:00
evp_key.c
evp_lib.c Allow EVP_MD_CTX_set_pkey_ctx to accept NULL pctx 2018-09-07 18:12:26 +08:00
evp_locl.h Update copyright year 2018-04-17 15:18:40 +02:00
evp_pbe.c Update copyright year 2018-09-11 13:45:17 +01:00
evp_pkey.c
m_md2.c
m_md4.c
m_md5.c
m_md5_sha1.c
m_mdc2.c
m_null.c
m_ripemd.c
m_sha1.c Avoid fragile aliasing of SHA224/384 update/final 2018-02-13 23:27:51 -05:00
m_sha3.c Update copyright year 2018-09-11 13:45:17 +01:00
m_sigver.c Update document for SM2 stuffs 2018-09-07 18:12:26 +08:00
m_wp.c
names.c
p5_crpt.c
p5_crpt2.c Consistent formatting for sizeof(foo) 2017-12-07 19:11:49 -05:00
p_dec.c
p_enc.c
p_lib.c EVP_PKEY_size declared to take a const parameter 2018-12-23 00:27:23 +01:00
p_open.c
p_seal.c Update copyright year 2018-09-11 13:45:17 +01:00
p_sign.c
p_verify.c
pbe_scrypt.c Update copyright year 2018-04-03 13:57:12 +01:00
pmeth_fn.c
pmeth_gn.c Support public key and param check in EVP interface 2017-11-20 07:20:30 +01:00
pmeth_lib.c Make some return checks consistent with others 2018-09-13 23:23:18 +09:00