From 810682d10d61446a284ceed210d46b3393aa80fc Mon Sep 17 00:00:00 2001 From: erbsland-dev Date: Tue, 10 Sep 2024 21:24:59 +0200 Subject: [PATCH] Add Missing Error Messages for AES-OCB Tag Length Validation Related to #8331 Addressing found issues by adding specific error messages to improve feedback when tag length checks fail for the `EVP_CTRL_AEAD_SET_TAG` parameter in the AES-OCB algorithm. - Added PROV_R_INVALID_TAG_LENGTH error to indicate when the current tag length exceeds the maximum tag length of the algorithm. - Added `PROV_R_INVALID_TAG_LENGTH` error to indicate when the current tag length in the context does not match a custom tag length provided as a parameter. - Added `ERR_R_PASSED_INVALID_ARGUMENT` error to handle cases where an invalid pointer is passed in encryption mode. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25425) (cherry picked from commit 645edf50f0274448174d9739543bf01b1708b2f5) --- providers/implementations/ciphers/cipher_aes_ocb.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c index aec988e44ed..041a1aed229 100644 --- a/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/providers/implementations/ciphers/cipher_aes_ocb.c @@ -367,12 +367,20 @@ static int aes_ocb_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } if (p->data == NULL) { /* Tag len must be 0 to 16 */ - if (p->data_size > OCB_MAX_TAG_LEN) + if (p->data_size > OCB_MAX_TAG_LEN) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); return 0; + } ctx->taglen = p->data_size; } else { - if (p->data_size != ctx->taglen || ctx->base.enc) + if (ctx->base.enc) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + if (p->data_size != ctx->taglen) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); return 0; + } memcpy(ctx->tag, p->data, p->data_size); } } -- 2.47.2