From: erbsland-dev
Date: Tue, 10 Sep 2024 19:24:59 +0000 (+0200)
Subject: Add Missing Error Messages for AES-OCB Tag Length Validation
X-Git-Tag: openssl-3.1.8~132
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd5fb900dedd29fe93d3ed02e0d1f0e4e2f03063;p=thirdparty%2Fopenssl.git

Add Missing Error Messages for AES-OCB Tag Length Validation

Related to #8331

Addressing found issues by adding specific error messages to improve feedback when tag length checks fail for the `EVP_CTRL_AEAD_SET_TAG` parameter in the AES-OCB algorithm.

- Added PROV_R_INVALID_TAG_LENGTH error to indicate when the current tag length exceeds the maximum tag length of the algorithm.
- Added `PROV_R_INVALID_TAG_LENGTH` error to indicate when the current tag length in the context does not match a custom tag length provided as a parameter.
- Added `ERR_R_PASSED_INVALID_ARGUMENT` error to handle cases where an invalid pointer is passed in encryption mode.

Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/25425)
(cherry picked from commit 645edf50f0274448174d9739543bf01b1708b2f5)
---
diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c index eab315453ef..891e73f6726 100644 --- a/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/providers/implementations/ciphers/cipher_aes_ocb.c
@@ -369,12 +369,20 @@ static int aes_ocb_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } if (p->data == NULL) { /* Tag len must be 0 to 16 */ - if (p->data_size > OCB_MAX_TAG_LEN) + if (p->data_size > OCB_MAX_TAG_LEN) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); return 0; + } ctx->taglen = p->data_size; } else { - if (p->data_size != ctx->taglen || ctx->base.enc) + if (ctx->base.enc) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + if (p->data_size != ctx->taglen) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); return 0; + } memcpy(ctx->tag, p->data, p->data_size); } }
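Review bot: The new `if (ctx->base.enc)` check in the else branch has no comment explaining why a non-NULL tag buffer is rejected when encrypting, and `ERR_R_PASSED_INVALID_ARGUMENT` on its own does not tell the caller that the tag parameter is the problem. A one-line comment in the style of the existing `/* Tag len must be 0 to 16 */`, stating that a tag value can only be set for decryption, would make the intent clear to the next reader. Two smaller points on the same branch: splitting the old combined condition means an encrypting caller that passes a wrong-length tag now gets the invalid-argument error rather than `PROV_R_INVALID_TAG_LENGTH`, which is reasonable but worth a mention in the commit message; and `memcpy(ctx->tag, p->data, p->data_size)` is bounded only by the `p->data_size != ctx->taglen` comparison, so it depends on `ctx->taglen` never exceeding `OCB_MAX_TAG_LEN`, which the visible lines enforce only on the `p->data == NULL` path. An explicit `p->data_size > OCB_MAX_TAG_LEN` check before the copy would make that bound local to the hunk. The diff touches only `cipher_aes_ocb.c`; a test asserting the raised reason code for each of the three failure paths would keep these messages from regressing.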