diff --git a/goopenssl.h b/goopenssl.h index dc2ce35c..7f1263c5 100644 --- a/goopenssl.h +++ b/goopenssl.h @@ -144,12 +144,40 @@ go_openssl_EVP_CIPHER_CTX_open_wrapper(const GO_EVP_CIPHER_CTX_PTR ctx, const unsigned char *aad, int aad_len, const unsigned char *tag) { - if (in_len == 0) in = (const unsigned char *)""; + if (in_len == 0) { + in = (const unsigned char *)""; + // When the caller only wants to verify authenticated additional data + // (AAD), no output buffer is technically needed as there is no data to + // decrypt. Unfortunately, AAD is specified by calling EVP_DecryptUpdate + // with out set to NULL, so decrypting a zero-length input with a NULL + // output buffer looks to OpenSSL like specifying an additional + // (zero-length) chunk of AAD. This is effectively a no-op and + // verification will proceed as expected, except for OpenSSL 1.0.2 in + // FIPS mode. It will fail to verify unless EVP_DecryptUpdate is called + // at least once with a non-NULL output buffer. OpenSSL will not + // dereference the output buffer when the input length is zero, so set + // it to an arbitrary non-NULL pointer to satisfy OpenSSL. + // + // While a stack-allocated buffer could be used, that would risk a + // buffer overflow which would then smash the stack if OpenSSL + // unexpectedly dereferenced it. Instead pass a value which would + // trigger a segfault if dereferenced on any modern platform where a + // NULL-pointer dereference would also segfault. + if (out == NULL) out = (unsigned char *)1; + } if (aad_len == 0) aad = (const unsigned char *)""; if (go_openssl_EVP_CipherInit_ex(ctx, NULL, NULL, NULL, nonce, GO_AES_DECRYPT) != 1) return 0; + // OpenSSL 1.0.x FIPS Object Module 2.0 versions below 2.0.5 require that + // the tag be set before the ciphertext, otherwise EVP_DecryptUpdate returns + // an error. At least one extant commercially-supported, FIPS validated + // build of OpenSSL 1.0.2 uses FIPS module version 2.0.1. Set the tag first + // to maximize compatibility with all OpenSSL version combinations. + if (go_openssl_EVP_CIPHER_CTX_ctrl(ctx, GO_EVP_CTRL_GCM_SET_TAG, 16, (unsigned char *)(tag)) != 1) + return 0; + int discard_len, out_len; if (go_openssl_EVP_DecryptUpdate(ctx, NULL, &discard_len, aad, aad_len) != 1 || go_openssl_EVP_DecryptUpdate(ctx, out, &out_len, in, in_len) != 1) @@ -157,9 +185,6 @@ go_openssl_EVP_CIPHER_CTX_open_wrapper(const GO_EVP_CIPHER_CTX_PTR ctx, return 0; } - if (go_openssl_EVP_CIPHER_CTX_ctrl(ctx, GO_EVP_CTRL_GCM_SET_TAG, 16, (unsigned char *)(tag)) != 1) - return 0; - if (go_openssl_EVP_DecryptFinal_ex(ctx, out + out_len, &discard_len) != 1) return 0;