cipher: Avoid NULL-segv in GCM mode if a key has not been set.
authorWerner Koch <wk@gnupg.org>
Wed, 23 Mar 2016 13:13:18 +0000 (14:13 +0100)
committerWerner Koch <wk@gnupg.org>
Wed, 23 Mar 2016 13:16:12 +0000 (14:16 +0100)
* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt): Check that GHASH_FN
has been initialized.
(_gcry_cipher_gcm_decrypt): Ditto.
(_gcry_cipher_gcm_authenticate): Ditto.
(_gcry_cipher_gcm_initiv): Ditto.
(_gcry_cipher_gcm_tag): Ditto.
--

Avoid a crash if certain functions are used before setkey.

Reported-by: Peter Wu <peter@lekensteyn.nl>
  One crash is not fixed, that is the crash when setkey is not invoked
  before using the GCM ciphers (introduced in the 1.7.0 cycle). Either
  these functions should check that the key is present, or they should
  initialize the ghash table earlier. Affected functions:

    _gcry_cipher_gcm_encrypt
    _gcry_cipher_gcm_decrypt
    _gcry_cipher_gcm_authenticate
    _gcry_cipher_gcm_initiv
    (via _gcry_cipher_gcm_setiv)
    _gcry_cipher_gcm_tag
    (via _gcry_cipher_gcm_get_tag, _gcry_cipher_gcm_check_tag)

Regression-due-to: 4a0795af021305f9240f23626a3796157db46bd7
Signed-off-by: Werner Koch <wk@gnupg.org>
cipher/cipher-gcm.c

index 5e9dec4..712641e 100644 (file)
@@ -535,7 +535,9 @@ _gcry_cipher_gcm_encrypt (gcry_cipher_hd_t c,
     return GPG_ERR_BUFFER_TOO_SHORT;
   if (c->u_mode.gcm.datalen_over_limits)
     return GPG_ERR_INV_LENGTH;
-  if (c->marks.tag || c->u_mode.gcm.ghash_data_finalized)
+  if (c->marks.tag
+      || c->u_mode.gcm.ghash_data_finalized
+      || !c->u_mode.gcm.ghash_fn)
     return GPG_ERR_INV_STATE;
 
   if (!c->marks.iv)
@@ -581,7 +583,9 @@ _gcry_cipher_gcm_decrypt (gcry_cipher_hd_t c,
     return GPG_ERR_BUFFER_TOO_SHORT;
   if (c->u_mode.gcm.datalen_over_limits)
     return GPG_ERR_INV_LENGTH;
-  if (c->marks.tag || c->u_mode.gcm.ghash_data_finalized)
+  if (c->marks.tag
+      || c->u_mode.gcm.ghash_data_finalized
+      || !c->u_mode.gcm.ghash_fn)
     return GPG_ERR_INV_STATE;
 
   if (!c->marks.iv)
@@ -617,8 +621,10 @@ _gcry_cipher_gcm_authenticate (gcry_cipher_hd_t c,
     return GPG_ERR_CIPHER_ALGO;
   if (c->u_mode.gcm.datalen_over_limits)
     return GPG_ERR_INV_LENGTH;
-  if (c->marks.tag || c->u_mode.gcm.ghash_aad_finalized ||
-      c->u_mode.gcm.ghash_data_finalized)
+  if (c->marks.tag
+      || c->u_mode.gcm.ghash_aad_finalized
+      || c->u_mode.gcm.ghash_data_finalized
+      || !c->u_mode.gcm.ghash_fn)
     return GPG_ERR_INV_STATE;
 
   if (!c->marks.iv)
@@ -666,6 +672,9 @@ _gcry_cipher_gcm_initiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
       u32 iv_bytes[2] = {0, 0};
       u32 bitlengths[2][2];
 
+      if (!c->u_mode.gcm.ghash_fn)
+        return GPG_ERR_INV_STATE;
+
       memset(c->u_ctr.ctr, 0, GCRY_GCM_BLOCK_LEN);
 
       gcm_bytecounter_add(iv_bytes, ivlen);
@@ -773,6 +782,9 @@ _gcry_cipher_gcm_tag (gcry_cipher_hd_t c,
     {
       u32 bitlengths[2][2];
 
+      if (!c->u_mode.gcm.ghash_fn)
+        return GPG_ERR_INV_STATE;
+
       /* aad length */
       bitlengths[0][1] = be_bswap32(c->u_mode.gcm.aadlen[0] << 3);
       bitlengths[0][0] = be_bswap32((c->u_mode.gcm.aadlen[0] >> 29) |