git: 7e9e6d5d491c - releng/14.0 - ossl: Fix handling of separate AAD buffers in ossl_aes_gcm()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 05 Dec 2023 18:27:31 UTC
The branch releng/14.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=7e9e6d5d491cd844677331980cc2ea92b9130ed1 commit 7e9e6d5d491cd844677331980cc2ea92b9130ed1 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2023-11-28 19:35:49 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2023-12-04 14:01:24 +0000 ossl: Fix handling of separate AAD buffers in ossl_aes_gcm() Consumers may optionally provide a reference to a separate buffer containing AAD, but ossl_aes_gcm() didn't handle this and would thus compute an incorrect digest. Fixes: 9a3444d91c70 ("ossl: Add a VAES-based AES-GCM implementation for amd64") Reviewed by: jhb MFC after: 3 days Sponsored by: Klara, Inc. Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D42736 Approved by: so Security: FreeBSD-EN-23:17.ossl (cherry picked from commit 87826c87c63b2995cb69e9c1a624c7e20dd70fcd) (cherry picked from commit 24cd42aeb6232b4678f45dc6d242e8982dbea8e6) --- sys/crypto/openssl/ossl_aes.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/sys/crypto/openssl/ossl_aes.c b/sys/crypto/openssl/ossl_aes.c index 84d694a7199f..40162b6943df 100644 --- a/sys/crypto/openssl/ossl_aes.c +++ b/sys/crypto/openssl/ossl_aes.c @@ -199,14 +199,20 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, crypto_read_iv(crp, iv); ctx->ops->setiv(ctx, iv, csp->csp_ivlen); - crypto_cursor_init(&cc_in, &crp->crp_buf); - crypto_cursor_advance(&cc_in, crp->crp_aad_start); - for (size_t alen = crp->crp_aad_length; alen > 0; alen -= seglen) { - inseg = crypto_cursor_segment(&cc_in, &inlen); - seglen = MIN(alen, inlen); - if (ctx->ops->aad(ctx, inseg, seglen) != 0) + if (crp->crp_aad != NULL) { + if (ctx->ops->aad(ctx, crp->crp_aad, crp->crp_aad_length) != 0) return (EINVAL); - crypto_cursor_advance(&cc_in, seglen); + } else { + crypto_cursor_init(&cc_in, &crp->crp_buf); + crypto_cursor_advance(&cc_in, crp->crp_aad_start); + for (size_t alen = crp->crp_aad_length; alen > 0; + alen -= seglen) { + inseg = crypto_cursor_segment(&cc_in, &inlen); + seglen = MIN(alen, inlen); + if (ctx->ops->aad(ctx, inseg, seglen) != 0) + return (EINVAL); + crypto_cursor_advance(&cc_in, seglen); + } } crypto_cursor_init(&cc_in, &crp->crp_buf);