From: Daiki Ueno Date: Thu, 20 Jul 2023 06:54:36 +0000 (+0200) Subject: accelerated: check nonce length in aead_{encrypt,decrypt} X-Git-Tag: 3.8.1~5^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f1e4e40b556bdd476d6ff8f8b123ee40babbd398;p=thirdparty%2Fgnutls.git accelerated: check nonce length in aead_{encrypt,decrypt} This propagates any IV length mismatch detected as an error, in the accelerated code for x86. Signed-off-by: Daiki Ueno --- diff --git a/lib/accelerated/x86/aes-gcm-aead.h b/lib/accelerated/x86/aes-gcm-aead.h index 3041861f5c..577a3d7780 100644 --- a/lib/accelerated/x86/aes-gcm-aead.h +++ b/lib/accelerated/x86/aes-gcm-aead.h @@ -6,12 +6,19 @@ static int aes_gcm_aead_encrypt(void *ctx, const void *nonce, size_t nonce_size, size_t tag_size, const void *plain, size_t plain_size, void *encr, size_t encr_size) { + int ret; + /* proper AEAD cipher */ if (unlikely(encr_size - tag_size < plain_size)) return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - aes_gcm_setiv(ctx, nonce, nonce_size); - aes_gcm_auth(ctx, auth, auth_size); + ret = aes_gcm_setiv(ctx, nonce, nonce_size); + if (ret < 0) { + return gnutls_assert_val(ret); + } + + /* Always succeeds in this call sequence. */ + (void)aes_gcm_auth(ctx, auth, auth_size); aes_gcm_encrypt(ctx, plain, plain_size, encr, encr_size); @@ -26,6 +33,7 @@ static int aes_gcm_aead_decrypt(void *ctx, const void *nonce, size_t nonce_size, size_t plain_size) { uint8_t tag[MAX_HASH_SIZE]; + int ret; if (unlikely(encr_size < tag_size)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); 
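Review bot: The `(void)aes_gcm_auth(ctx, auth, auth_size);` added right after the new setiv check discards a status value on the strength of a comment, so if aes_gcm_auth (its body is outside this hunk) ever starts reporting a failure the error is silently lost while the setiv error two lines above is propagated; treating both calls alike, `ret = aes_gcm_auth(ctx, auth, auth_size); if (ret < 0) return gnutls_assert_val(ret);`, costs one compare and removes the need for the "Always succeeds in this call sequence." comment, which does not say which prior call makes that true. The same pattern is repeated in the decrypt hunk of this file and in both hunks of aes-gcm-x86-pclmul-avx.c. Separately, the pre-existing guard `if (unlikely(encr_size - tag_size < plain_size))` in this hunk wraps when encr_size < tag_size, so unless every caller already guarantees encr_size >= tag_size it would accept an output buffer that cannot even hold the tag; the form used in aes-gcm-x86-pclmul-avx.c, `encr_size < plain_size + tag_size`, does not have that wrap for small buffers and would make the two implementations consistent.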
@@ -33,8 +41,13 @@ static int aes_gcm_aead_decrypt(void *ctx, const void *nonce, size_t nonce_size, if (unlikely(plain_size < encr_size - tag_size)) return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - aes_gcm_setiv(ctx, nonce, nonce_size); - aes_gcm_auth(ctx, auth, auth_size); + ret = aes_gcm_setiv(ctx, nonce, nonce_size); + if (ret < 0) { + return gnutls_assert_val(ret); + } + + /* Always succeeds in this call sequence. */ + (void)aes_gcm_auth(ctx, auth, auth_size); encr_size -= tag_size; aes_gcm_decrypt(ctx, encr, encr_size, plain, plain_size); diff --git a/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c b/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c index fd1689e930..7e941bdb14 100644 --- a/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c +++ b/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c @@ -298,12 +298,18 @@ static int aesni_gcm_aead_encrypt(void *_ctx, const void *nonce, { struct aes_gcm_ctx *ctx = _ctx; size_t s = 0; + int ret; if (encr_size < plain_size + tag_size) return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - aes_gcm_setiv(ctx, nonce, nonce_size); - aes_gcm_auth(ctx, auth, auth_size); + ret = aes_gcm_setiv(ctx, nonce, nonce_size); + if (ret < 0) { + return gnutls_assert_val(ret); + } + + /* Always succeeds in this call sequence. */ + (void)aes_gcm_auth(ctx, auth, auth_size); if (plain_size >= 96) { s = aesni_gcm_encrypt(plain, encr, plain_size, @@ -330,6 +336,7 @@ static int aesni_gcm_aead_decrypt(void *_ctx, const void *nonce, struct aes_gcm_ctx *ctx = _ctx; uint8_t tag[MAX_HASH_SIZE]; size_t s = 0; + int ret; if (unlikely(encr_size < tag_size)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); 
@@ -337,8 +344,13 @@ static int aesni_gcm_aead_decrypt(void *_ctx, const void *nonce, if (unlikely(plain_size < encr_size - tag_size)) return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - aes_gcm_setiv(ctx, nonce, nonce_size); - aes_gcm_auth(ctx, auth, auth_size); + ret = aes_gcm_setiv(ctx, nonce, nonce_size); + if (ret < 0) { + return gnutls_assert_val(ret); + } + + /* Always succeeds in this call sequence. */ + (void)aes_gcm_auth(ctx, auth, auth_size); encr_size -= tag_size;