git: 87826c87c63b - main - ossl: Fix handling of separate AAD buffers in ossl_aes_gcm()

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 28 Nov 2023 19:43:13 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=87826c87c63b2995cb69e9c1a624c7e20dd70fcd

commit 87826c87c63b2995cb69e9c1a624c7e20dd70fcd
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-11-28 19:35:49 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-11-28 19:35:49 +0000

    ossl: Fix handling of separate AAD buffers in ossl_aes_gcm()
    
    Consumers may optionally provide a reference to a separate buffer
    containing AAD, but ossl_aes_gcm() didn't handle this and would thus
    compute an incorrect digest.
    
    Fixes:          9a3444d91c70 ("ossl: Add a VAES-based AES-GCM implementation for amd64")
    Reviewed by:    jhb
    MFC after:      3 days
    Sponsored by:   Klara, Inc.
    Sponsored by:   Stormshield
    Differential Revision:  https://reviews.freebsd.org/D42736
---
 sys/crypto/openssl/ossl_aes.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/sys/crypto/openssl/ossl_aes.c b/sys/crypto/openssl/ossl_aes.c
index 130bf292e521..c0cb8ba08d35 100644
--- a/sys/crypto/openssl/ossl_aes.c
+++ b/sys/crypto/openssl/ossl_aes.c
@@ -198,14 +198,20 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp,
 	crypto_read_iv(crp, iv);
 	ctx->ops->setiv(ctx, iv, csp->csp_ivlen);
 
-	crypto_cursor_init(&cc_in, &crp->crp_buf);
-	crypto_cursor_advance(&cc_in, crp->crp_aad_start);
-	for (size_t alen = crp->crp_aad_length; alen > 0; alen -= seglen) {
-		inseg = crypto_cursor_segment(&cc_in, &inlen);
-		seglen = MIN(alen, inlen);
-		if (ctx->ops->aad(ctx, inseg, seglen) != 0)
+	if (crp->crp_aad != NULL) {
+		if (ctx->ops->aad(ctx, crp->crp_aad, crp->crp_aad_length) != 0)
 			return (EINVAL);
-		crypto_cursor_advance(&cc_in, seglen);
+	} else {
+		crypto_cursor_init(&cc_in, &crp->crp_buf);
+		crypto_cursor_advance(&cc_in, crp->crp_aad_start);
+		for (size_t alen = crp->crp_aad_length; alen > 0;
+		    alen -= seglen) {
+			inseg = crypto_cursor_segment(&cc_in, &inlen);
+			seglen = MIN(alen, inlen);
+			if (ctx->ops->aad(ctx, inseg, seglen) != 0)
+				return (EINVAL);
+			crypto_cursor_advance(&cc_in, seglen);
+		}
 	}
 
 	crypto_cursor_init(&cc_in, &crp->crp_buf);