From 9327b5c9c9e3a1b18e5b52491dc438d1e28b5e40 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 25 Nov 2020 15:18:15 +0000 Subject: [PATCH] Fix TLS1.2 CHACHA20-POLY1305 ciphersuites with OPENSSL_SMALL_FOOTPRINT If OPENSSL_SMALL_FOOTPRINT was defined then the CHACHA20-POLY1305 implementation for TLS went down a different codepath that failed to adjust the payload length to remove the tag. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13513) --- .../ciphers/cipher_chacha20_poly1305_hw.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c b/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c index 8bbae6529a..65f0fe1ee8 100644 --- a/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c +++ b/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c @@ -120,9 +120,6 @@ static int chacha20_poly1305_tls_cipher(PROV_CIPHER_CTX *bctx, DECLARE_IS_ENDIAN; - if (len != plen + POLY1305_BLOCK_SIZE) - return 0; - buf = storage + ((0 - (size_t)storage) & 15); /* align */ ctr = buf + CHACHA_BLK_SIZE; tohash = buf + CHACHA_BLK_SIZE - POLY1305_BLOCK_SIZE; @@ -274,11 +271,14 @@ static int chacha20_poly1305_aead_cipher(PROV_CIPHER_CTX *bctx, DECLARE_IS_ENDIAN; if (!ctx->mac_inited) { -#if !defined(OPENSSL_SMALL_FOOTPRINT) if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL) { + if (inl != plen + POLY1305_BLOCK_SIZE) + return 0; +#if !defined(OPENSSL_SMALL_FOOTPRINT) return chacha20_poly1305_tls_cipher(bctx, out, outl, in, inl); - } #endif + } + ctx->chacha.counter[0] = 0; ChaCha20_ctr32(ctx->chacha.buf, zero, CHACHA_BLK_SIZE, ctx->chacha.key.d, ctx->chacha.counter); @@ -375,6 +375,8 @@ static int chacha20_poly1305_aead_cipher(PROV_CIPHER_CTX *bctx, memset(out - plen, 0, plen); goto err; } + /* Strip the tag */ + inl -= POLY1305_BLOCK_SIZE; } } else if (!bctx->enc) { -- GitLab