CVE-2023-5363

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/10/2023
Last modified:
02/12/2025

Description

Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.

Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes.

When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.

For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse.

Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical.

Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary.

OpenSSL 3.1 and 3.0 are vulnerable to this issue.
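The following is an added illustration, not code from OpenSSL or from this advisory, of why an ignored "ivlen" turns into IV reuse for GCM. It models the SP 800-38D section 8.2.1 deterministic construction with an assumed layout (a 4-byte fixed field followed by a 12-byte big-endian invocation counter, 16 bytes in total) and models the faulty initialisation as the cipher keeping its default 12-byte GCM IV length and reading only the first 12 bytes of the caller's buffer. No OpenSSL calls are made; the helper names and the constants are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Default GCM IV length (96 bits), the length the cipher keeps when the
 * "ivlen" parameter does not take effect. */
#define GCM_DEFAULT_IVLEN 12
/* IV length the application believes it configured (assumed 16 bytes). */
#define APP_IVLEN 16

/*
 * Deterministic IV per SP 800-38D 8.2.1: fixed field || invocation field.
 * Assumed layout: bytes 0..3 fixed field, bytes 4..15 big-endian invocation
 * counter, so the 64-bit counter value occupies the last 8 bytes of the IV.
 */
void build_iv(uint8_t iv[APP_IVLEN], uint32_t fixed, uint64_t invocation)
{
    memset(iv, 0, APP_IVLEN);
    iv[0] = (uint8_t)(fixed >> 24);
    iv[1] = (uint8_t)(fixed >> 16);
    iv[2] = (uint8_t)(fixed >> 8);
    iv[3] = (uint8_t)fixed;
    for (int i = 0; i < 8; i++)
        iv[APP_IVLEN - 1 - i] = (uint8_t)(invocation >> (8 * i));
}

/*
 * Model of the faulty init: if "ivlen" is ignored, the cipher uses only the
 * first GCM_DEFAULT_IVLEN bytes of the supplied IV. Copies the bytes the
 * cipher would actually consume into `out` and returns that length.
 */
size_t effective_iv(uint8_t out[APP_IVLEN], const uint8_t iv[APP_IVLEN],
                    int ivlen_applied)
{
    size_t used = ivlen_applied ? APP_IVLEN : GCM_DEFAULT_IVLEN;
    memset(out, 0, APP_IVLEN);
    memcpy(out, iv, used);
    return used;
}

/* 1 if two invocations under the same fixed field get the same effective IV. */
int iv_collides(uint32_t fixed, uint64_t inv_a, uint64_t inv_b, int ivlen_applied)
{
    uint8_t a[APP_IVLEN], b[APP_IVLEN], ea[APP_IVLEN], eb[APP_IVLEN];
    build_iv(a, fixed, inv_a);
    build_iv(b, fixed, inv_b);
    size_t n = effective_iv(ea, a, ivlen_applied);
    effective_iv(eb, b, ivlen_applied);
    return memcmp(ea, eb, n) == 0;
}

/* Number of distinct effective IVs over n consecutive invocations from `start`. */
size_t count_distinct_ivs(uint32_t fixed, uint64_t start, size_t n, int ivlen_applied)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;
        for (size_t j = 0; j < i && !seen; j++)
            seen = iv_collides(fixed, start + i, start + j, ivlen_applied);
        if (!seen)
            distinct++;
    }
    return distinct;
}

int main(void)
{
    /* Constructed fixed field for the demonstration. */
    const uint32_t fixed = 0xC0FFEE01u;
    printf("ivlen honoured: %zu distinct IVs in 16 invocations\n",
           count_distinct_ivs(fixed, 0, 16, 1));
    printf("ivlen ignored : %zu distinct IVs in 16 invocations\n",
           count_distinct_ivs(fixed, 0, 16, 0));
    return 0;
}
```

With the 16-byte layout above, truncation to 12 bytes drops exactly the low 32 bits of the counter, so every invocation up to 2^32 encrypts under the same nonce and GCM's confidentiality (and the authentication key) are lost. On the OpenSSL side the affected pattern is passing OSSL_CIPHER_PARAM_IVLEN in the same EVP_EncryptInit_ex2()/EVP_DecryptInit_ex2()/EVP_CipherInit_ex2() call that also supplies the key and IV, on 3.0.0 through 3.0.11 and 3.1.0 through 3.1.3; the fixed releases are 3.0.12 and 3.1.4 (the version ranges listed below). Where upgrading is not yet possible, the standard two-step initialisation sidesteps the ordering problem: first call the init function with the cipher and the OSSL_PARAM array but NULL key and IV, so the length takes effect, then call it again with NULL cipher and the real key and IV.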

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.0.0 (including) 3.0.12 (excluding)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.1.0 (including) 3.1.4 (excluding)
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h300s:*:*:*:*:*:*:*:*
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h410s:*:*:*:*:*:*:*:*
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h500s:*:*:*:*:*:*:*:*
cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h700s:*:*:*:*:*:*:*:*
cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*