accelerated: check nonce length in aead_{encrypt,decrypt}
authorDaiki Ueno <ueno@gnu.org>
Thu, 20 Jul 2023 06:54:36 +0000 (08:54 +0200)
committerDaiki Ueno <ueno@gnu.org>
Thu, 20 Jul 2023 06:59:51 +0000 (08:59 +0200)
This propagates any IV length mismatch detected as an error, in the
accelerated code for x86.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
lib/accelerated/x86/aes-gcm-aead.h
lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c

index 3041861f5c7a12d2cfb630a4c98db7efd0484781..577a3d7780a3e6bb4cb86bb4f27bff45f455b67b 100644 (file)
@@ -6,12 +6,19 @@ static int aes_gcm_aead_encrypt(void *ctx, const void *nonce, size_t nonce_size,
                                size_t tag_size, const void *plain,
                                size_t plain_size, void *encr, size_t encr_size)
 {
+       int ret;
+
        /* proper AEAD cipher */
        if (unlikely(encr_size - tag_size < plain_size))
                return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
-       aes_gcm_setiv(ctx, nonce, nonce_size);
-       aes_gcm_auth(ctx, auth, auth_size);
+       ret = aes_gcm_setiv(ctx, nonce, nonce_size);
+       if (ret < 0) {
+               return gnutls_assert_val(ret);
+       }
+
+       /* Always succeeds in this call sequence.  */
+       (void)aes_gcm_auth(ctx, auth, auth_size);
 
        aes_gcm_encrypt(ctx, plain, plain_size, encr, encr_size);
 
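Review bot: The context check `encr_size - tag_size < plain_size` subtracts two size_t values without first ensuring `encr_size >= tag_size`, so an output buffer shorter than the tag makes the difference wrap to a very large value and the check passes. aes_gcm_aead_decrypt guards this case with `encr_size < tag_size` before subtracting, and aesni_gcm_aead_encrypt in the second file uses the additive form `encr_size < plain_size + tag_size`. While this function is being touched, the guard could become `if (unlikely(encr_size < tag_size || encr_size - tag_size < plain_size))`. Whether any caller can actually pass such sizes is not visible here, and the rest of the function, including where the tag is written, lies outside the hunk.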
@@ -26,6 +33,7 @@ static int aes_gcm_aead_decrypt(void *ctx, const void *nonce, size_t nonce_size,
                                size_t plain_size)
 {
        uint8_t tag[MAX_HASH_SIZE];
+       int ret;
 
        if (unlikely(encr_size < tag_size))
                return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
@@ -33,8 +41,13 @@ static int aes_gcm_aead_decrypt(void *ctx, const void *nonce, size_t nonce_size,
        if (unlikely(plain_size < encr_size - tag_size))
                return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
-       aes_gcm_setiv(ctx, nonce, nonce_size);
-       aes_gcm_auth(ctx, auth, auth_size);
+       ret = aes_gcm_setiv(ctx, nonce, nonce_size);
+       if (ret < 0) {
+               return gnutls_assert_val(ret);
+       }
+
+       /* Always succeeds in this call sequence.  */
+       (void)aes_gcm_auth(ctx, auth, auth_size);
 
        encr_size -= tag_size;
        aes_gcm_decrypt(ctx, encr, encr_size, plain, plain_size);
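Review bot: The `(void)aes_gcm_auth(ctx, auth, auth_size);` line discards the return value on the strength of a comment that does not say why the call cannot fail, and the same pattern is repeated in aes_gcm_aead_encrypt and in both aesni_gcm_aead_* functions. Presumably the invariant is that aes_gcm_setiv() has just reset the context, but that is not visible in this diff, and a later change to aes_gcm_auth() would then fail silently while a tag is still computed. Since `ret` is already declared, propagating the result is cheap: `ret = aes_gcm_auth(ctx, auth, auth_size);` followed by `if (ret < 0) return gnutls_assert_val(ret);`. If the cast stays, the comment should name the precondition, for example `/* cannot fail: aes_gcm_setiv() above has just reset the auth state */`, once that is confirmed against aes_gcm_auth(). The function body continues outside the hunk.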
index fd1689e93019675393c3b21a6b45dd1e4f1d01f2..7e941bdb1490b4f6ed227e00e7db62a807153b4d 100644 (file)
@@ -298,12 +298,18 @@ static int aesni_gcm_aead_encrypt(void *_ctx, const void *nonce,
 {
        struct aes_gcm_ctx *ctx = _ctx;
        size_t s = 0;
+       int ret;
 
        if (encr_size < plain_size + tag_size)
                return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
-       aes_gcm_setiv(ctx, nonce, nonce_size);
-       aes_gcm_auth(ctx, auth, auth_size);
+       ret = aes_gcm_setiv(ctx, nonce, nonce_size);
+       if (ret < 0) {
+               return gnutls_assert_val(ret);
+       }
+
+       /* Always succeeds in this call sequence.  */
+       (void)aes_gcm_auth(ctx, auth, auth_size);
 
        if (plain_size >= 96) {
                s = aesni_gcm_encrypt(plain, encr, plain_size,
@@ -330,6 +336,7 @@ static int aesni_gcm_aead_decrypt(void *_ctx, const void *nonce,
        struct aes_gcm_ctx *ctx = _ctx;
        uint8_t tag[MAX_HASH_SIZE];
        size_t s = 0;
+       int ret;
 
        if (unlikely(encr_size < tag_size))
                return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
@@ -337,8 +344,13 @@ static int aesni_gcm_aead_decrypt(void *_ctx, const void *nonce,
        if (unlikely(plain_size < encr_size - tag_size))
                return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
-       aes_gcm_setiv(ctx, nonce, nonce_size);
-       aes_gcm_auth(ctx, auth, auth_size);
+       ret = aes_gcm_setiv(ctx, nonce, nonce_size);
+       if (ret < 0) {
+               return gnutls_assert_val(ret);
+       }
+
+       /* Always succeeds in this call sequence.  */
+       (void)aes_gcm_auth(ctx, auth, auth_size);
 
        encr_size -= tag_size;