Fix buffer overrung in SRTPKDF

our fuzzer caught this:
https://github.com/openssl/openssl/actions/runs/21625445341/job/62324333796

Overnight.

We're getting a heap buffer overrun in the SRTP KDF.

Its caused by the fact that the fuzzer will occasionally generate salt
parameters that are very small, which passes the
OSSL_PARAM_get_octet_string function, but isn't long enough to be a
valid salt.  Because of this, when we actually do the key derivation,
the SRTPKDF function assumes the salt is long enough and blindly
attempts to copy KDF_SRTP_SALT_LEN (14) bytes from the fetched parameter
into a local buffer, resulting in an overrun.

Fix it by checking the parameter length in the ctx_set_params method for
SRTPKDF, and if the octet string value is less than the required amount,
return an error to fail the ctx_set_params call.

While we're at it, based on review suggestions, also check that the
provided key parameter matches the requested cipher's expected key
length

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29938)

diff --git a/providers/implementations/kdfs/srtpkdf.c b/providers/implementations/kdfs/srtpkdf.c
index 5fe65831a944ca7a2ed7edaa18e78e544cf8c53c..24d9f399354311f45870ec4c81e0238a3ea3ab34 100644 (file)
--- a/providers/implementations/kdfs/srtpkdf.c
+++ b/providers/implementations/kdfs/srtpkdf.c
@@ -208,6 +208,7 @@ static int kdf_srtpkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     KDF_SRTPKDF *ctx = vctx;
     OSSL_LIB_CTX *libctx;
     const EVP_CIPHER *cipher;
+    int key_len;
 
     if (params == NULL)
         return 1;
@@ -224,17 +225,25 @@ static int kdf_srtpkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     cipher = ossl_prov_cipher_cipher(&ctx->cipher);
     if (cipher == NULL)
         return 0;
+
     if (!EVP_CIPHER_is_a(cipher, "AES-128-CTR") && !EVP_CIPHER_is_a(cipher, "AES-192-CTR")
         && !EVP_CIPHER_is_a(cipher, "AES-256-CTR"))
         return 0;
 
-    if ((p.key != NULL)
-        && !srtpkdf_set_membuf(&ctx->key, &ctx->key_len, p.key))
-        return 0;
+    if (p.key != NULL) {
+        key_len = EVP_CIPHER_get_key_length(cipher);
+        if (!srtpkdf_set_membuf(&ctx->key, &ctx->key_len, p.key))
+            return 0;
+        if (ctx->key_len != (size_t)key_len)
+            return 0;
+    }
 
-    if ((p.salt != NULL)
-        && !srtpkdf_set_membuf(&ctx->salt, &ctx->salt_len, p.salt))
-        return 0;
+    if (p.salt != NULL) {
+        if (!srtpkdf_set_membuf(&ctx->salt, &ctx->salt_len, p.salt))
+            return 0;
+        if (ctx->salt_len < KDF_SRTP_SALT_LEN)
+            return 0;
+    }
 
     if ((p.index != NULL)
         && !srtpkdf_set_membuf(&ctx->index, &ctx->index_len, p.index))