OpenSSL
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*
- 3.5
- 3.6
A vulnerability exists in the OpenSSL command-line tool 'dgst' when using one-shot signing algorithms such as Ed25519, Ed448, or ML-DSA. The tool silently truncates input data larger than 16MB to the first 16MB, without reporting an error, contrary to the documentation. This truncation creates an integrity gap, as trailing data beyond 16MB remains unauthenticated, potentially allowing undetected modifications. The issue arises because the 'dgst' command buffers input with a 16MB limit for algorithms that only support one-shot signing. While the vulnerability does not affect OpenSSL's library APIs, it impacts workflows that use the command-line tool for both signing and verification.
Because data beyond the first 16MB is neither signed nor verified, trailing bytes can be modified without detection. The risk is highest in workflows that use the affected 'openssl dgst' command for both signing and verification.
To reproduce this vulnerability, use the 'openssl dgst' command with a one-shot signing algorithm such as Ed25519 or Ed448. Provide a file larger than 16MB for signing. The command will truncate the input to 16MB and report success, creating a false sense of integrity.
Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.1. Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.5.
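A triage check for the guidance above, as an added example (not OpenSSL project code): given an OpenSSL version string and a list of signed files, it flags files large enough that a one-shot 'openssl dgst' signature would not cover their trailing bytes. Assumptions: every 3.5.x release before 3.5.5 and every 3.6.x release before 3.6.1 is treated as affected, "16MB" is read as 16,000,000 bytes (the smaller reading, so the check errs on the safe side), and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag files that need re-signing or re-verification.
# Usage: audit_files "$(openssl version | awk '{print $2}')" file...

# Assumed threshold: the advisory says "16MB"; the decimal reading is used
# because it is the smaller one. Override through the environment if needed.
ONESHOT_LIMIT=${ONESHOT_LIMIT:-16000000}

# Return 0 if the version string is in the assumed affected ranges:
# 3.5.x before 3.5.5, or 3.6.x before 3.6.1.
is_affected_version() {
    case "$1" in
        3.5.*) patch=${1#3.5.}; fixed=5 ;;
        3.6.*) patch=${1#3.6.}; fixed=1 ;;
        *) return 1 ;;
    esac
    patch=${patch%%[!0-9]*}    # drop suffixes such as "-dev"
    [ -n "$patch" ] && [ "$patch" -lt "$fixed" ]
}

# Size in bytes; tr strips the padding some wc implementations print.
file_size() { wc -c < "$1" | tr -d ' '; }

# Return 0 if the file is larger than the one-shot buffer limit, i.e. a
# signature made by the affected tool leaves its tail unauthenticated.
exceeds_oneshot_limit() {
    [ "$(file_size "$1")" -gt "$ONESHOT_LIMIT" ]
}

# Print one REVERIFY line per flagged file. Returns 1 if any file was
# flagged, 0 otherwise (including when the version is not affected).
audit_files() {
    version=$1; shift
    is_affected_version "$version" || return 0
    flagged=0
    for f in "$@"; do
        if exceeds_oneshot_limit "$f"; then
            echo "REVERIFY $f ($(file_size "$f") bytes > $ONESHOT_LIMIT)"
            flagged=1
        fi
    done
    return "$flagged"
}
```

Files the check flags should be re-signed and re-verified with a fixed release (3.5.5 or 3.6.1), since a signature produced by the affected tool only covers their first 16MB.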