From 87826c87c63b2995cb69e9c1a624c7e20dd70fcd Mon Sep 17 00:00:00 2001 From: Mark Johnston Date: Tue, 28 Nov 2023 14:35:49 -0500 Subject: [PATCH] ossl: Fix handling of separate AAD buffers in ossl_aes_gcm() Consumers may optionally provide a reference to a separate buffer containing AAD, but ossl_aes_gcm() didn't handle this and would thus compute an incorrect digest. Fixes: 9a3444d91c70 ("ossl: Add a VAES-based AES-GCM implementation for amd64") Reviewed by: jhb MFC after: 3 days Sponsored by: Klara, Inc. Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D42736 --- sys/crypto/openssl/ossl_aes.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/sys/crypto/openssl/ossl_aes.c b/sys/crypto/openssl/ossl_aes.c index 130bf292e521..c0cb8ba08d35 100644 --- a/sys/crypto/openssl/ossl_aes.c +++ b/sys/crypto/openssl/ossl_aes.c @@ -198,14 +198,20 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, crypto_read_iv(crp, iv); ctx->ops->setiv(ctx, iv, csp->csp_ivlen); - crypto_cursor_init(&cc_in, &crp->crp_buf); - crypto_cursor_advance(&cc_in, crp->crp_aad_start); - for (size_t alen = crp->crp_aad_length; alen > 0; alen -= seglen) { - inseg = crypto_cursor_segment(&cc_in, &inlen); - seglen = MIN(alen, inlen); - if (ctx->ops->aad(ctx, inseg, seglen) != 0) + if (crp->crp_aad != NULL) { + if (ctx->ops->aad(ctx, crp->crp_aad, crp->crp_aad_length) != 0) return (EINVAL); - crypto_cursor_advance(&cc_in, seglen); + } else { + crypto_cursor_init(&cc_in, &crp->crp_buf); + crypto_cursor_advance(&cc_in, crp->crp_aad_start); + for (size_t alen = crp->crp_aad_length; alen > 0; + alen -= seglen) { + inseg = crypto_cursor_segment(&cc_in, &inlen); + seglen = MIN(alen, inlen); + if (ctx->ops->aad(ctx, inseg, seglen) != 0) + return (EINVAL); + crypto_cursor_advance(&cc_in, seglen); + } } crypto_cursor_init(&cc_in, &crp->crp_buf);