From a630fda5093859b58f059ee07f2b9ce28c928b72 Mon Sep 17 00:00:00 2001
From: kaleb-himes
Date: Thu, 29 Sep 2016 12:30:53 -0600
Subject: [PATCH 1/2] Sanity check on memcpy and xorbuf

Sanity check on memcpy and xorbuf
---
 wolfcrypt/src/aes.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index bb660cefd..d07c66d5e 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -3425,6 +3425,8 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 GMULT(x, h);
 /* Copy the result into s. */
+ if (sSz > AES_BLOCK_SIZE)
+ sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3573,6 +3575,8 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 GMULT(x, aes->M0);
 /* Copy the result into s. */
+ if (sSz > AES_BLOCK_SIZE)
+ sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3697,6 +3701,8 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 #ifdef LITTLE_ENDIAN_ORDER
 ByteReverseWords64(x, x, AES_BLOCK_SIZE);
 #endif
+ if (sSz > AES_BLOCK_SIZE)
+ sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3844,6 +3850,8 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 #ifdef LITTLE_ENDIAN_ORDER
 ByteReverseWords(x, x, AES_BLOCK_SIZE);
 #endif
+ if (sSz > AES_BLOCK_SIZE)
+ sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3914,6 +3922,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz);
 wc_AesEncrypt(aes, initialCounter, scratch);
+ if (authTagSz > AES_BLOCK_SIZE)
+ authTagSz = AES_BLOCK_SIZE;
 xorbuf(authTag, scratch, authTagSz);
 return 0;
From 05fcbb001aeacf8c833945454d4bb462f8c23863 Mon Sep 17 00:00:00 2001
From: kaleb-himes
Date: Thu, 6 Oct 2016 15:01:16 -0600
Subject: [PATCH 2/2] move sanity check and remove silent truncation

---
 wolfcrypt/src/aes.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index d07c66d5e..5d5a4903a 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -3425,8 +3425,6 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 GMULT(x, h);
 /* Copy the result into s. */
- if (sSz > AES_BLOCK_SIZE)
- sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3575,8 +3573,6 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 GMULT(x, aes->M0);
 /* Copy the result into s. */
- if (sSz > AES_BLOCK_SIZE)
- sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3701,8 +3697,6 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 #ifdef LITTLE_ENDIAN_ORDER
 ByteReverseWords64(x, x, AES_BLOCK_SIZE);
 #endif
- if (sSz > AES_BLOCK_SIZE)
- sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3850,8 +3844,6 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 #ifdef LITTLE_ENDIAN_ORDER
 ByteReverseWords(x, x, AES_BLOCK_SIZE);
 #endif
- if (sSz > AES_BLOCK_SIZE)
- sSz = AES_BLOCK_SIZE;
 XMEMCPY(s, x, sSz);
 }
@@ -3872,6 +3864,10 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 byte *ctr ;
 byte scratch[AES_BLOCK_SIZE];
+ /* Sanity check for XMEMCPY in GHASH function and local xorbuf call */
+ if (authTagSz > AES_BLOCK_SIZE)
+ return BAD_FUNC_ARG;
+
 #ifdef WOLFSSL_AESNI
 if (haveAESNI) {
 AES_GCM_encrypt((void*)in, out, (void*)authIn, (void*)iv, authTag,
@@ -3922,8 +3918,6 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz);
 wc_AesEncrypt(aes, initialCounter, scratch);
- if (authTagSz > AES_BLOCK_SIZE)
- authTagSz = AES_BLOCK_SIZE;
 xorbuf(authTag, scratch, authTagSz);
 return 0;
@@ -3945,6 +3939,10 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 byte *ctr ;
 byte scratch[AES_BLOCK_SIZE];
+ /* Sanity check for local ConstantCompare call */
+ if (authTagSz > AES_BLOCK_SIZE)
+ return BAD_FUNC_ARG;
+
 #ifdef WOLFSSL_AESNI
 if (haveAESNI) {
 if (AES_GCM_decrypt(in, out, authIn, iv, authTag,
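Review bot: The guard added at the top of wc_AesGcmEncrypt in patch 2/2 bounds authTagSz only from above, so a zero or very short tag length is still accepted and the call can return success with little or no authentication tag. The identical guard added to wc_AesGcmDecrypt in the last hunk has the same gap, where a zero-length tag would presumably make the tag comparison pass vacuously (the comparison itself is outside the hunk). NIST SP 800-38D permits only a short list of tag lengths, so a lower bound belongs in the same check, for example `if (authTagSz == 0 || authTagSz > AES_BLOCK_SIZE)` or a stricter project-chosen minimum. Both function bodies continue outside their hunks, so whether a later line already rejects small sizes cannot be confirmed from here.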
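Review bot: The comment added in the wc_AesGcmDecrypt hunk names the call it protects but not the invariant behind it, which makes the check easy to drop in a later refactor. A wording such as `/* the computed tag is held in an AES_BLOCK_SIZE-byte local; a larger authTagSz would compare past its end */` states the reason, assuming the ConstantCompare call further down reads from such a buffer; that call is outside the hunk. The function's header documentation, also outside the hunk, should list BAD_FUNC_ARG among the return values now that an oversized tag length is rejected up front.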