Make aegis_mac() fallible

So that we can include additional checks, especially for weak states. Ideally, weak states should be checked after every update, but they would be especially bad when the cipher is used as a stream cipher. And in that case, checking for a weak state only at the end is sufficient.
2024-12-19 10:05:05 -07:00 · 2023-11-01 19:12:15 +01:00 · 2023-11-01 19:12:15 +01:00 · 1d03ea77fb
commit 1d03ea77fb
parent 72932a768f
2 changed files with 20 additions and 18 deletions
--- a/src/libsodium/crypto_aead/aegis128l/aegis128l_common.h
+++ b/src/libsodium/crypto_aead/aegis128l/aegis128l_common.h
@ -32,7 +32,7 @@ aegis128l_init(const uint8_t *key, const uint8_t *nonce, aes_block_t *const stat
    }
 }

-static void
+static int
 aegis128l_mac(uint8_t *mac, size_t maclen, size_t adlen, size_t mlen, aes_block_t *const state)
 {
    aes_block_t tmp;
@ -59,7 +59,9 @@ aegis128l_mac(uint8_t *mac, size_t maclen, size_t adlen, size_t mlen, aes_block_
        AES_BLOCK_STORE(mac + 16, tmp);
    } else {
        memset(mac, 0, maclen);
+        return -1;
    }
+    return 0;
 }

 static inline void
@ -170,9 +172,7 @@ encrypt_detached(uint8_t *c, uint8_t *mac, size_t maclen, const uint8_t *m, size
        memcpy(c + i, dst, mlen % RATE);
    }

-    aegis128l_mac(mac, maclen, adlen, mlen, state);
-
-    return 0;
+    return aegis128l_mac(mac, maclen, adlen, mlen, state);
 }

 static int
@ -215,12 +215,13 @@ decrypt_detached(uint8_t *m, const uint8_t *c, size_t clen, const uint8_t *mac,
    }

    COMPILER_ASSERT(sizeof computed_mac >= 32);
-    aegis128l_mac(computed_mac, maclen, adlen, mlen, state);
    ret = -1;
-    if (maclen == 16) {
-        ret = crypto_verify_16(computed_mac, mac);
-    } else if (maclen == 32) {
-        ret = crypto_verify_32(computed_mac, mac);
+    if (aegis128l_mac(computed_mac, maclen, adlen, mlen, state) == 0) {
+        if (maclen == 16) {
+            ret = crypto_verify_16(computed_mac, mac);
+        } else if (maclen == 32) {
+            ret = crypto_verify_32(computed_mac, mac);
+        }
    }
    if (ret != 0 && m != NULL) {
        memset(m, 0, mlen);
--- a/src/libsodium/crypto_aead/aegis256/aegis256_common.h
+++ b/src/libsodium/crypto_aead/aegis256/aegis256_common.h
@ -34,7 +34,7 @@ aegis256_init(const uint8_t *key, const uint8_t *nonce, aes_block_t *const state
    }
 }

-static void
+static int
 aegis256_mac(uint8_t *mac, size_t maclen, size_t adlen, size_t mlen, aes_block_t *const state)
 {
    aes_block_t tmp;
@ -59,7 +59,9 @@ aegis256_mac(uint8_t *mac, size_t maclen, size_t adlen, size_t mlen, aes_block_t
        AES_BLOCK_STORE(mac + 16, tmp);
    } else {
        memset(mac, 0, maclen);
+        return -1;
    }
+    return 0;
 }

 static inline void
@ -155,9 +157,7 @@ encrypt_detached(uint8_t *c, uint8_t *mac, size_t maclen, const uint8_t *m, size
        memcpy(c + i, dst, mlen % RATE);
    }

-    aegis256_mac(mac, maclen, adlen, mlen, state);
-
-    return 0;
+    return aegis256_mac(mac, maclen, adlen, mlen, state);
 }

 static int
@ -200,12 +200,13 @@ decrypt_detached(uint8_t *m, const uint8_t *c, size_t clen, const uint8_t *mac,
    }

    COMPILER_ASSERT(sizeof computed_mac >= 32);
-    aegis256_mac(computed_mac, maclen, adlen, mlen, state);
    ret = -1;
-    if (maclen == 16) {
-        ret = crypto_verify_16(computed_mac, mac);
-    } else if (maclen == 32) {
-        ret = crypto_verify_32(computed_mac, mac);
+    if (aegis256_mac(computed_mac, maclen, adlen, mlen, state) == 0) {
+        if (maclen == 16) {
+            ret = crypto_verify_16(computed_mac, mac);
+        } else if (maclen == 32) {
+            ret = crypto_verify_32(computed_mac, mac);
+        }
    }
    if (ret != 0 && m != NULL) {
        memset(m, 0, mlen);