Fix AES-GCM-SIV with huge inputs on 32-bit.
The asm code is 64-bit only, so multiplying a `size_t` by eight to get a
number of bits is valid and the bounds on the inputs are checked
accordingly. But on 32-bit, that calculation will overflow for huge
inputs.
Change-Id: I6d2171becd6b6259593b2aa80105d8cae1ec7ed4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65188
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/cipher_extra/e_aesgcmsiv.c b/crypto/cipher_extra/e_aesgcmsiv.c
index 63deb05..c2bf993 100644
--- a/crypto/cipher_extra/e_aesgcmsiv.c
+++ b/crypto/cipher_extra/e_aesgcmsiv.c
@@ -635,8 +635,8 @@
}
uint8_t length_block[16];
- CRYPTO_store_u64_le(length_block, ad_len * 8);
- CRYPTO_store_u64_le(length_block + 8, in_len * 8);
+ CRYPTO_store_u64_le(length_block, ((uint64_t) ad_len) * 8);
+ CRYPTO_store_u64_le(length_block + 8, ((uint64_t) in_len) * 8);
CRYPTO_POLYVAL_update_blocks(&polyval_ctx, length_block,
sizeof(length_block));
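
Review bot: the two changed `CRYPTO_store_u64_le` lines need a comment explaining why the operand is widened before the multiply. As written, nothing in the hunk tells a later reader that `size_t` can be 32 bits on this path, so the casts look redundant and could be dropped in a cleanup. A single line above `length_block`, saying that the bit lengths must be computed in 64 bits because `ad_len * 8` and `in_len * 8` wrap in a 32-bit `size_t` once the input reaches 2^29 bytes, would prevent that. As a style point, the outer parentheses in `((uint64_t) ad_len) * 8` are unnecessary because the cast binds tighter than the multiplication; `(uint64_t)ad_len * 8` is equivalent. The visible diff touches only e_aesgcmsiv.c, so consider pairing it with a test that exercises a length at or above that threshold on a 32-bit build, since the wrong length block changes the POLYVAL input silently rather than failing loudly.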