From 36cf45ef3ba71e44a8be06ee81cb31aa02cb0010 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 13 Aug 2021 14:14:51 +0100 Subject: Correctly calculate the length of SM2 plaintext given the ciphertext Previously the length of the SM2 plaintext could be incorrectly calculated. The plaintext length was calculated by taking the ciphertext length and taking off an "overhead" value. The overhead value was assumed to have a "fixed" element of 10 bytes. This is incorrect since in some circumstances it can be more than 10 bytes. Additionally the overhead included the length of two integers C1x and C1y, which were assumed to be the same length as the field size (32 bytes for the SM2 curve). However in some cases these integers can have an additional padding byte when the msb is set, to disambiguate them from negative integers. Additionally the integers can also be less than 32 bytes in length in some cases. If the calculated overhead is incorrect and larger than the actual value this can result in the calculated plaintext length being too small. Applications are likely to allocate buffer sizes based on this and therefore a buffer overrun can occur. CVE-2021-3711 Issue reported by John Ouyang. Reviewed-by: Paul Dale Reviewed-by: Nicola Tuveri --- providers/implementations/asymciphers/sm2_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'providers') diff --git a/providers/implementations/asymciphers/sm2_enc.c b/providers/implementations/asymciphers/sm2_enc.c index c9dba32ffb..9577d16e83 100644 --- a/providers/implementations/asymciphers/sm2_enc.c +++ b/providers/implementations/asymciphers/sm2_enc.c @@ -110,7 +110,7 @@ static int sm2_asym_decrypt(void *vpsm2ctx, unsigned char *out, size_t *outlen, return 0; if (out == NULL) { - if (!ossl_sm2_plaintext_size(psm2ctx->key, md, inlen, outlen)) + if (!ossl_sm2_plaintext_size(in, inlen, outlen)) return 0; return 1; } -- cgit v1.2.3