Google Git
Sign in
boringssl/boringssl.git/4a8c05ffe826c61d50fdf13483b35097168faa5c^!/./crypto/fipsmodule/aes/aes.c
commit
4a8c05ffe826c61d50fdf13483b35097168faa5c
[log]
author
David Benjamin <davidben@google.com>
Wed Apr 10 19:58:13 2019 -0500
committer
Adam Langley <agl@google.com>
Thu Apr 11 15:33:57 2019 +0000
tree
5ee35aace51c9e1a1ab5ec0c3a94b1b88b726a84
parent
31ef16ac2d2f450a9816c861ce3d9d6f270e1be0 [diff] [blame]
Check key sizes in AES_set_*_key.

AES_set_*_key used to call directly into aes_nohw_set_*_key which
gracefully handles some NULL parameters and invalid bit sizes. However,
we now enable optimized assembly implementations, not all of which
perform these checks. (vpaes does not.)

This is fine for the internal assembly functions themselves. Such checks
are better written in C than assembly, and the calling C code usually
already knows the key size. (Indeed aes_ctr_set_key already assumes the
assembly functions are infallible.) AES_set_*_key are public APIs,
however. The NULL check is silly, but we should handle length-like
checks in public APIs.

Change-Id: I259ae6b9811ceaa9dc5bd7173d5754ca7079cff8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35564
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/crypto/fipsmodule/aes/aes.c b/crypto/fipsmodule/aes/aes.c
index 8a1ca31..48d60ee 100644
--- a/crypto/fipsmodule/aes/aes.c
+++ b/crypto/fipsmodule/aes/aes.c

@@ -834,6 +834,9 @@
 }
 
 int AES_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) {
+  if (bits != 128 && bits != 192 && bits != 256) {
+    return -2;
+  }
   if (hwaes_capable()) {
     return aes_hw_set_encrypt_key(key, bits, aeskey);
   } else if (vpaes_capable()) {
@@ -844,6 +847,9 @@
 }
 
 int AES_set_decrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) {
+  if (bits != 128 && bits != 192 && bits != 256) {
+    return -2;
+  }
   if (hwaes_capable()) {
     return aes_hw_set_decrypt_key(key, bits, aeskey);
   } else if (vpaes_capable()) {