From 1d03ea77fb91a16225969228cc63d74910a67733 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Wed, 1 Nov 2023 19:12:15 +0100
Subject: [PATCH] Make aegis_mac() fallible

So that we can include additional checks, especially for weak states. Ideally, weak states should be checked after every update, but they would be especially bad when the cipher is used as a stream cipher. And in that case, checking for a weak state only at the end is sufficient.
---
 .../crypto_aead/aegis128l/aegis128l_common.h | 19 ++++++++++---------
 .../crypto_aead/aegis256/aegis256_common.h | 19 ++++++++++---------
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/src/libsodium/crypto_aead/aegis128l/aegis128l_common.h b/src/libsodium/crypto_aead/aegis128l/aegis128l_common.h
index 7a130b0c..1683d76f 100644
--- a/src/libsodium/crypto_aead/aegis128l/aegis128l_common.h
+++ b/src/libsodium/crypto_aead/aegis128l/aegis128l_common.h
@@ -32,7 +32,7 @@ aegis128l_init(const uint8_t *key, const uint8_t *nonce, aes_block_t *const stat
     }
 }
 
-static void
+static int
 aegis128l_mac(uint8_t *mac, size_t maclen, size_t adlen, size_t mlen, aes_block_t *const state)
 {
     aes_block_t tmp;
@@ -59,7 +59,9 @@ aegis128l_mac(uint8_t *mac, size_t maclen, size_t adlen, size_t mlen, aes_block_
         AES_BLOCK_STORE(mac + 16, tmp);
     } else {
         memset(mac, 0, maclen);
+        return -1;
     }
+    return 0;
 }
 
 static inline void
@@ -170,9 +172,7 @@ encrypt_detached(uint8_t *c, uint8_t *mac, size_t maclen, const uint8_t *m, size
         memcpy(c + i, dst, mlen % RATE);
     }
 
-    aegis128l_mac(mac, maclen, adlen, mlen, state);
-
-    return 0;
+    return aegis128l_mac(mac, maclen, adlen, mlen, state);
 }
 
 static int
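Review bot: aegis128l_mac() now has a return contract that nothing in the @@ -32 or @@ -59 hunk documents, and within this patch the only path that yields -1 is the unsupported-maclen else branch at the end of the @@ -59 hunk; the weak-state check the commit message motivates is not part of these hunks. Add a comment above the new `static int` line, e.g. `/* Returns 0 on success, -1 if maclen is neither 16 nor 32; on -1 the mac buffer has been zeroed and must not be used as a tag. */`, so callers do not have to read the body to learn what -1 means. The same applies to aegis256_mac() in the @@ -34 and @@ -59 hunks of aegis256_common.h. The diffstat lists only these two headers, so if any other caller of these functions exists outside them it would silently discard the new status.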
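Review bot: On the new failure path of the @@ -170 hunk the ciphertext has already been written to `c` (the `memcpy(c + i, dst, mlen % RATE)` context line is the tail of that work) while `mac` has been zeroed by aegis128l_mac(), so a caller that ignores the -1 is left holding ciphertext with an all-zero tag, and once the weak-state checks described in the commit message land in aegis128l_mac() this would also release ciphertext produced under a flagged state. decrypt_detached() in this same patch wipes `m` when its status is non-zero; encrypt_detached() should mirror that and clear `c` before propagating the error. encrypt_detached() begins before this hunk, so the `int` local used below has to be declared with the function's other locals; the same change is needed in the @@ -155 hunk of aegis256_common.h.
```c
    /* … unchanged: final partial-block encryption … */
    ret = aegis128l_mac(mac, maclen, adlen, mlen, state);
    if (ret != 0) {
        /* No tag could be produced: do not hand back the ciphertext either. */
        memset(c, 0, mlen);
    }
    return ret;
```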
@@ -215,12 +215,13 @@ decrypt_detached(uint8_t *m, const uint8_t *c, size_t clen, const uint8_t *mac,
     }
 
     COMPILER_ASSERT(sizeof computed_mac >= 32);
-    aegis128l_mac(computed_mac, maclen, adlen, mlen, state);
     ret = -1;
-    if (maclen == 16) {
-        ret = crypto_verify_16(computed_mac, mac);
-    } else if (maclen == 32) {
-        ret = crypto_verify_32(computed_mac, mac);
+    if (aegis128l_mac(computed_mac, maclen, adlen, mlen, state) == 0) {
+        if (maclen == 16) {
+            ret = crypto_verify_16(computed_mac, mac);
+        } else if (maclen == 32) {
+            ret = crypto_verify_32(computed_mac, mac);
+        }
     }
     if (ret != 0 && m != NULL) {
         memset(m, 0, mlen);
diff --git a/src/libsodium/crypto_aead/aegis256/aegis256_common.h b/src/libsodium/crypto_aead/aegis256/aegis256_common.h
index 5a486f2c..17c2c415 100644
--- a/src/libsodium/crypto_aead/aegis256/aegis256_common.h
+++ b/src/libsodium/crypto_aead/aegis256/aegis256_common.h
@@ -34,7 +34,7 @@ aegis256_init(const uint8_t *key, const uint8_t *nonce, aes_block_t *const state
     }
 }
 
-static void
+static int
 aegis256_mac(uint8_t *mac, size_t maclen, size_t adlen, size_t mlen, aes_block_t *const state)
 {
     aes_block_t tmp;
@@ -59,7 +59,9 @@ aegis256_mac(uint8_t *mac, size_t maclen, size_t adlen, size_t mlen, aes_block_t
         AES_BLOCK_STORE(mac + 16, tmp);
     } else {
         memset(mac, 0, maclen);
+        return -1;
     }
+    return 0;
 }
 
 static inline void
@@ -155,9 +157,7 @@ encrypt_detached(uint8_t *c, uint8_t *mac, size_t maclen, const uint8_t *m, size
         memcpy(c + i, dst, mlen % RATE);
     }
 
-    aegis256_mac(mac, maclen, adlen, mlen, state);
-
-    return 0;
+    return aegis256_mac(mac, maclen, adlen, mlen, state);
 }
 
 static int
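Review bot: The reason a failed aegis128l_mac() must bypass the tag comparison deserves a comment on the new `if (aegis128l_mac(...) == 0)` line, since a later cleanup could easily flatten it back into the previous unconditional shape. On failure aegis128l_mac() leaves computed_mac zeroed (the memset in its else branch earlier in this patch), so running crypto_verify_16/32 against it would let an all-zero tag pass; suggested comment: `/* A failed mac() leaves computed_mac all-zero; skip the compare so a zero tag can never verify. */`. With ret pre-set to -1 on the line above, the fall-through already reports failure and the existing `memset(m, 0, mlen)` wipes any plaintext, so no further change is needed. decrypt_detached() begins before and ends after this hunk; the same comment belongs in the matching @@ -200,12 +200,13 hunk of aegis256_common.h.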
@@ -200,12 +200,13 @@ decrypt_detached(uint8_t *m, const uint8_t *c, size_t clen, const uint8_t *mac,
     }
 
     COMPILER_ASSERT(sizeof computed_mac >= 32);
-    aegis256_mac(computed_mac, maclen, adlen, mlen, state);
     ret = -1;
-    if (maclen == 16) {
-        ret = crypto_verify_16(computed_mac, mac);
-    } else if (maclen == 32) {
-        ret = crypto_verify_32(computed_mac, mac);
+    if (aegis256_mac(computed_mac, maclen, adlen, mlen, state) == 0) {
+        if (maclen == 16) {
+            ret = crypto_verify_16(computed_mac, mac);
+        } else if (maclen == 32) {
+            ret = crypto_verify_32(computed_mac, mac);
+        }
     }
     if (ret != 0 && m != NULL) {
         memset(m, 0, mlen);