diff options
| author | Yihong Wang <yh.wang@ibm.com> | 2018-05-15 23:34:28 -0700 |
|---|---|---|
| committer | Andy Polyakov <appro@openssl.org> | 2018-05-30 23:16:52 +0200 |
| commit | a133883752af41ae20bcee8153bc52e8a4b522c8 (patch) | |
| tree | a60a1694879a51f3ce44886526b9b3f1a4e00514 /crypto/modes | |
| parent | 848113a30b431c2fe21ae8de2a366b9b6146fb92 (diff) | |
Reduce minimal out length in CRYPTO_128_unwrap_pad
In `aes_wrap_cipher()`, the minimal out buff length is `(inlen - 8)`.
Since it calls `CRYPTO_128_unwrap_pad()` underneath, it makes sense to
reduce the minimal out length in `CRYPTO_128_unwrap_pad()` to align to
its caller.
Signed-off-by: Yihong Wang <yh.wang@ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6266)
Diffstat (limited to 'crypto/modes')
| -rw-r--r-- | crypto/modes/wrap128.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/crypto/modes/wrap128.c b/crypto/modes/wrap128.c index 46809a0e74..5ebb517187 100644 --- a/crypto/modes/wrap128.c +++ b/crypto/modes/wrap128.c @@ -237,7 +237,7 @@ size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv, * * @param[in] key Key value. * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv. - * @param[out] out Plaintext. Minimal buffer length = inlen bytes. + * @param[out] out Plaintext. Minimal buffer length = (inlen - 8) bytes. * Input and output buffers can overlap if block function * supports that. * @param[in] in Ciphertext as n 64-bit blocks. @@ -267,7 +267,6 @@ size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv, if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX) return 0; - memmove(out, in, inlen); if (inlen == 16) { /* * Section 4.2 - special case in step 1: When n=1, the ciphertext @@ -275,14 +274,17 @@ size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv, * single AES block using AES in ECB mode: AIV | P[1] = DEC(K, C[0] | * C[1]) */ - block(out, out, key); - memcpy(aiv, out, 8); + unsigned char buff[16]; + + block(in, buff, key); + memcpy(aiv, buff, 8); /* Remove AIV */ - memmove(out, out + 8, 8); + memcpy(out, buff + 8, 8); padded_len = 8; + OPENSSL_cleanse(buff, inlen); } else { padded_len = inlen - 8; - ret = crypto_128_unwrap_raw(key, aiv, out, out, inlen, block); + ret = crypto_128_unwrap_raw(key, aiv, out, in, inlen, block); if (padded_len != ret) { OPENSSL_cleanse(out, inlen); return 0; |