From: Shane Lontis Date: Thu, 19 Sep 2019 08:40:07 +0000 (+1000) Subject: Move gcm decryption tag check higher up in the callstack X-Git-Tag: openssl-3.0.0-alpha1~1311 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=2e9645c8b9a81e7617395553088560847ac1b8c8 Move gcm decryption tag check higher up in the callstack Code was updated for s390 that accidently removed the check inside the final method. Moving the check up before the final method is called is a better way of handling this. The oneshot method also calls the final method but doesnt need to do this check. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9945)
---
diff --git a/providers/common/ciphers/cipher_gcm.c b/providers/common/ciphers/cipher_gcm.c
index 9a61eabdfc..b5c79daee7 100644
--- a/providers/common/ciphers/cipher_gcm.c
+++ b/providers/common/ciphers/cipher_gcm.c
@@ -344,7 +344,9 @@ static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
 goto err;
 }
 } else {
- /* Finished when in == NULL */
+ /* The tag must be set before actually decrypting data */
+ if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
+ goto err;
 if (!hw->cipherfinal(ctx, ctx->buf))
 goto err;
 ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
diff --git a/providers/common/ciphers/cipher_gcm_hw.c b/providers/common/ciphers/cipher_gcm_hw.c
index e2587f2e5e..8b2913c695 100644
--- a/providers/common/ciphers/cipher_gcm_hw.c
+++ b/providers/common/ciphers/cipher_gcm_hw.c
@@ -90,8 +90,7 @@ int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag)
 CRYPTO_gcm128_tag(&ctx->gcm, tag, GCM_TAG_MAX_SIZE);
 ctx->taglen = GCM_TAG_MAX_SIZE;
 } else {
- if (ctx->taglen == UNINITIALISED_SIZET
- || CRYPTO_gcm128_finish(&ctx->gcm, tag, ctx->taglen) != 0)
+ if (CRYPTO_gcm128_finish(&ctx->gcm, tag, ctx->taglen) != 0)
 return 0;
 }
 return 1;
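Review bot: The new comment in the final branch of gcm_cipher_internal says the tag must be set "before actually decrypting data", but this branch is the finalisation step, presumably reached after earlier update calls have already produced plaintext, so what the check gates is tag verification rather than decryption. I would word it as `/* Decrypt: the expected tag must have been set before final can verify it */` and keep the dropped `/* Finished when in == NULL */` line, which documented when this branch is taken. The `goto err` target lies outside the hunk, so it is not visible whether a specific error is queued there; if none is, a missing tag is indistinguishable to the caller from a tag mismatch. The function body starts and ends outside the hunk.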
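Review bot: gcm_cipher_final now passes ctx->taglen to CRYPTO_gcm128_finish with no local check, so on the decrypt path it silently depends on every caller having rejected UNINITIALISED_SIZET first. That precondition should be documented on the function, for example `/* Decrypt: caller must ensure ctx->taglen has been set; see gcm_cipher_internal() */`. The commit message says the one-shot path also calls final and does not need the check, but that caller is not in this diff, so the reason deserves a sentence in the same comment. Since the message attributes the earlier regression to a platform-specific final method, a regression test that runs decrypt final without a tag set would cover every hw implementation rather than only this one. The function starts above the hunk.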