Fix AES-GCM-SIV with huge inputs on 32-bit.

The asm code is 64-bit only, so multiplying a `size_t` by eight to get a number of bits is valid and the bounds on the inputs are checked accordingly. But on 32-bit, that calculation will overflow for huge inputs.

Change-Id: I6d2171becd6b6259593b2aa80105d8cae1ec7ed4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65188
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/cipher_extra/e_aesgcmsiv.c b/crypto/cipher_extra/e_aesgcmsiv.c index 63deb05..c2bf993 100644 --- a/crypto/cipher_extra/e_aesgcmsiv.c +++ b/crypto/cipher_extra/e_aesgcmsiv.c
@@ -635,8 +635,8 @@ } uint8_t length_block[16]; - CRYPTO_store_u64_le(length_block, ad_len * 8); - CRYPTO_store_u64_le(length_block + 8, in_len * 8); + CRYPTO_store_u64_le(length_block, ((uint64_t) ad_len) * 8); + CRYPTO_store_u64_le(length_block + 8, ((uint64_t) in_len) * 8); CRYPTO_POLYVAL_update_blocks(&polyval_ctx, length_block, sizeof(length_block));
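Review bot: The two changed CRYPTO_store_u64_le lines carry no comment saying why the widening cast is there, so a later cleanup could drop it as redundant and bring back the 32-bit wraparound. A one-line comment above length_block would help, noting that size_t may be 32 bits and the bit counts must be computed in 64 bits. Where size_t is 32 bits, `ad_len * 8` wraps once the length reaches 2^29 bytes, and the length block fed to CRYPTO_POLYVAL_update_blocks would then encode a truncated bit count, so the authenticator would no longer bind the true AD and plaintext lengths. On style, the outer parentheses and the space after the cast are unnecessary; `(uint64_t)ad_len * 8` reads the same and binds the same way. The visible diff touches only e_aesgcmsiv.c, so nothing here exercises the huge-input path on a 32-bit build; a test or a note on how this was verified would be worth adding.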