rpm/libica
SHA256
1
0
Fork 0
forked from pool/libica
Code Pull Requests Activity
d2f5998194
libica/libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch

76 lines
2.8 KiB
Diff
Raw Normal View History

- libica: AES-GCM/CCM sometimes compute wrong tag values (bsc#1058567) - Added the following patches (bsc#1058567) - libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch - libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch - libica-3.0.2-03-fix-aes-ctr.patch - libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/libica?expand=0&rev=13
2017-09-19 22:49:59 +02:00
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Subject: fix aes-gcm to allow zero pt/ct length.
Patch-mainline: v3.1.1
Git-commit: 089670367c8f645fcf5e4f8e59640877d2400ce4
References: LTC#158531
Description: libica: AES-GCM/CCM sometimes compute wrong tag values
Symptom: When the tag values of (unmodified) data are wrong, it is
(wrongly) indicated that the data has been modified.
Problem: With AES-GCM in-place decryption, the tag is computed from the
plaintext. With AES-CCM in-place encryption, the tag is computed
from the ciphertext.
Solution: AES-GCM decryption always computes the tag from the ciphertext.
AES-CCM encryption always computes the tag from the plaintext.
Reproduction: When used with the ibmca 1.4 openssl engine (which enables
libica's AES-GCM for libcrypto): (1) A SSH connection fails
using an AES-GCM based cipher-suite, (2) A connection of
openssl's s_client and s_server using an AES-GCM based
cipher-suite fails.
Upstream-Description:
fix aes-gcm to allow zero pt/ct length.
In case of zero pt/ct lenght, only aad is processed (ghash).
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
src/ica_api.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -1750,9 +1750,16 @@ unsigned int ica_aes_gcm(unsigned char *
return EACCES;
#endif /* ICA_FIPS */
- if (check_aes_parms(MODE_GCM, plaintext_length, plaintext, iv, key_length,
- key, ciphertext))
- return EINVAL;
+ if (plaintext_length != 0) {
+ if (check_aes_parms(MODE_GCM, plaintext_length, plaintext, iv, key_length,
+ key, ciphertext))
+ return EINVAL;
+ } else {
+ /* If only aad is processed (ghash), pt/ct may be NULL. */
+ if (check_aes_parms(MODE_GCM, plaintext_length, (unsigned char *)1,
+ iv, key_length, key, (unsigned char *)1))
+ return EINVAL;
+ }
if (check_gcm_parms(plaintext_length, aad, aad_length, tag, tag_length, iv_length))
return EINVAL;
@@ -1825,9 +1832,16 @@ unsigned int ica_aes_gcm_intermediate(un
return EACCES;
#endif /* ICA_FIPS */
- if (check_aes_parms(MODE_GCM, plaintext_length, plaintext, cb, key_length,
- key, ciphertext))
- return EINVAL;
+ if (plaintext_length != 0) {
+ if (check_aes_parms(MODE_GCM, plaintext_length, plaintext, cb, key_length,
+ key, ciphertext))
+ return EINVAL;
+ } else {
+ /* If only aad is processed (ghash), pt/ct may be NULL. */
+ if (check_aes_parms(MODE_GCM, plaintext_length, (unsigned char *)1,
+ cb, key_length, key, (unsigned char *)1))
+ return EINVAL;
+ }
if (check_gcm_parms(plaintext_length, aad, aad_length, tag, tag_length,
iv_length_dummy))
return EINVAL;
Copy Permalink