Revision - a5170a8 - Add Missing Error Messages for AES-OCB Tag Length Validation – ENEA Mirror of the Software Heritage archive

Revision a5170a8249d01e4e9cf5890b49ff6623637df09b authored by erbsland-dev on 10 September 2024, 19:24:59 UTC, committed by Tomas Mraz on 13 September 2024, 08:13:16 UTC

Add Missing Error Messages for AES-OCB Tag Length Validation

Related to #8331
Addressing found issues by adding specific error messages to improve
feedback when tag length checks fail for the `EVP_CTRL_AEAD_SET_TAG`
parameter in the AES-OCB algorithm.

- Added PROV_R_INVALID_TAG_LENGTH error to indicate when the current tag
  length exceeds the maximum tag length of the algorithm.
- Added `PROV_R_INVALID_TAG_LENGTH` error to indicate when the current tag
  length in the context does not match a custom tag length provided as
  a parameter.
- Added `ERR_R_PASSED_INVALID_ARGUMENT` error to handle cases where an
  invalid pointer is passed in encryption mode.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25425)

(cherry picked from commit 645edf50f0274448174d9739543bf01b1708b2f5)

1 parent 5cd025c

Files
Changes

Permalinks

core_algorithm.c

/*
 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/core.h>
#include <openssl/core_dispatch.h>
#include "internal/core.h"
#include "internal/property.h"
#include "internal/provider.h"

struct algorithm_data_st {
    OSSL_LIB_CTX *libctx;
    int operation_id;            /* May be zero for finding them all */
    int (*pre)(OSSL_PROVIDER *, int operation_id, int no_store, void *data,
               int *result);
    int (*reserve_store)(int no_store, void *data);
    void (*fn)(OSSL_PROVIDER *, const OSSL_ALGORITHM *, int no_store,
               void *data);
    int (*unreserve_store)(void *data);
    int (*post)(OSSL_PROVIDER *, int operation_id, int no_store, void *data,
                int *result);
    void *data;
};

/*
 * Process one OSSL_ALGORITHM array, for the operation |cur_operation|,
 * by constructing methods for all its implementations and adding those
 * to the appropriate method store.
 * Which method store is appropriate is given by |no_store| ("permanent"
 * if 0, temporary if 1) and other data in |data->data|.
 *
 * Returns:
 * -1 to quit adding algorithm implementations immediately
 * 0 if not successful, but adding should continue
 * 1 if successful so far, and adding should continue
 */
static int algorithm_do_map(OSSL_PROVIDER *provider, const OSSL_ALGORITHM *map,
                            int cur_operation, int no_store, void *cbdata)
{
    struct algorithm_data_st *data = cbdata;
    int ret = 0;

    if (!data->reserve_store(no_store, data->data))
        /* Error, bail out! */
        return -1;

    /* Do we fulfill pre-conditions? */
    if (data->pre == NULL) {
        /* If there is no pre-condition function, assume "yes" */
        ret = 1;
    } else if (!data->pre(provider, cur_operation, no_store, data->data,
                          &ret)) {
        /* Error, bail out! */
        ret = -1;
        goto end;
    }

    /*
     * If pre-condition not fulfilled don't add this set of implementations,
     * but do continue with the next.  This simply means that another thread
     * got to it first.
     */
    if (ret == 0) {
        ret = 1;
        goto end;
    }

    if (map != NULL) {
        const OSSL_ALGORITHM *thismap;

        for (thismap = map; thismap->algorithm_names != NULL; thismap++)
            data->fn(provider, thismap, no_store, data->data);
    }

    /* Do we fulfill post-conditions? */
    if (data->post == NULL) {
        /* If there is no post-condition function, assume "yes" */
        ret = 1;
    } else if (!data->post(provider, cur_operation, no_store, data->data,
                           &ret)) {
        /* Error, bail out! */
        ret = -1;
    }

 end:
    data->unreserve_store(data->data);

    return ret;
}

/*
 * Given a provider, process one operation given by |data->operation_id|, or
 * if that's zero, process all known operations.
 * For each such operation, query the associated OSSL_ALGORITHM array from
 * the provider, then process that array with |algorithm_do_map()|.
 */
static int algorithm_do_this(OSSL_PROVIDER *provider, void *cbdata)
{
    struct algorithm_data_st *data = cbdata;
    int first_operation = 1;
    int last_operation = OSSL_OP__HIGHEST;
    int cur_operation;
    int ok = 1;

    if (data->operation_id != 0)
        first_operation = last_operation = data->operation_id;

    for (cur_operation = first_operation;
         cur_operation <= last_operation;
         cur_operation++) {
        int no_store = 0;        /* Assume caching is ok */
        const OSSL_ALGORITHM *map = NULL;
        int ret = 0;

        map = ossl_provider_query_operation(provider, cur_operation,
                                            &no_store);
        ret = algorithm_do_map(provider, map, cur_operation, no_store, data);
        ossl_provider_unquery_operation(provider, cur_operation, map);

        if (ret < 0)
            /* Hard error, bail out immediately! */
            return 0;

        /* If post-condition not fulfilled, set general failure */
        if (!ret)
            ok = 0;
    }

    return ok;
}

void ossl_algorithm_do_all(OSSL_LIB_CTX *libctx, int operation_id,
                           OSSL_PROVIDER *provider,
                           int (*pre)(OSSL_PROVIDER *, int operation_id,
                                      int no_store, void *data, int *result),
                           int (*reserve_store)(int no_store, void *data),
                           void (*fn)(OSSL_PROVIDER *provider,
                                      const OSSL_ALGORITHM *algo,
                                      int no_store, void *data),
                           int (*unreserve_store)(void *data),
                           int (*post)(OSSL_PROVIDER *, int operation_id,
                                       int no_store, void *data, int *result),
                           void *data)
{
    struct algorithm_data_st cbdata = { 0, };

    cbdata.libctx = libctx;
    cbdata.operation_id = operation_id;
    cbdata.pre = pre;
    cbdata.reserve_store = reserve_store;
    cbdata.fn = fn;
    cbdata.unreserve_store = unreserve_store;
    cbdata.post = post;
    cbdata.data = data;

    if (provider == NULL) {
        ossl_provider_doall_activated(libctx, algorithm_do_this, &cbdata);
    } else {
        OSSL_LIB_CTX *libctx2 = ossl_provider_libctx(provider);

        /*
         * If a provider is given, its library context MUST match the library
         * context we're passed.  If this turns out not to be true, there is
         * a programming error in the functions up the call stack.
         */
        if (!ossl_assert(ossl_lib_ctx_get_concrete(libctx)
                         == ossl_lib_ctx_get_concrete(libctx2)))
            return;

        cbdata.libctx = libctx2;
        algorithm_do_this(provider, &cbdata);
    }
}

char *ossl_algorithm_get1_first_name(const OSSL_ALGORITHM *algo)
{
    const char *first_name_end = NULL;
    size_t first_name_len = 0;
    char *ret;

    if (algo->algorithm_names == NULL)
        return NULL;

    first_name_end = strchr(algo->algorithm_names, ':');
    if (first_name_end == NULL)
        first_name_len = strlen(algo->algorithm_names);
    else
        first_name_len = first_name_end - algo->algorithm_names;

    ret = OPENSSL_strndup(algo->algorithm_names, first_name_len);
    return ret;
}

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...