From e0e338c8c50c226efc92fe79c788c9cdc03fc01f Mon Sep 17 00:00:00 2001 From: Pauli Date: Tue, 26 Jul 2022 11:46:45 +1000 Subject: [PATCH] Fix bug in EVP_CIPHER_CTX_get_iv_length() Out of range values could possibly be returned due to a lack of range checking. Very unlikely to be exploitable for our provider because sensible values are returned for all ciphers. Also fixed the defaulting code so that the cipher's IV length is returned if the cipher ctx doesn't support getting. Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/18875) --- crypto/evp/evp_lib.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 32482b733f8..98bb25655d7 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -509,12 +509,17 @@ int EVP_CIPHER_CTX_get_iv_length(const EVP_CIPHER_CTX *ctx) size_t v = len; OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; - params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_IVLEN, &v); - rv = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params); - if (rv != EVP_CTRL_RET_UNSUPPORTED) { - if (rv <= 0) + if (ctx->cipher->get_ctx_params != NULL) { + params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_IVLEN, + &v); + rv = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params); + if (rv > 0) { + if (OSSL_PARAM_modified(params) + && !OSSL_PARAM_get_int(params, &len)) + return -1; + } else if (rv != EVP_CTRL_RET_UNSUPPORTED) { return -1; - len = (int)v; + } } /* Code below to be removed when legacy support is dropped. */ else if ((EVP_CIPHER_get_flags(ctx->cipher) -- 2.47.3