Disallow the use of zero length IVs in AES-GCM via

EVP_AEAD_CTX_{open,seal}, as this leaks the authentication key.

Issue reported and fix tested by Guido Vranken.

ok beck, jsing

This commit adds a constant to a public header despite library lock,
as discussed with deraadt and sthen.

1 files changed, 11 insertions, 1 deletions

diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index 8fddeaaa40..e1b53c2ce7 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.39 2019/05/12 15:52:46 tb Exp $ */
+/* $OpenBSD: e_aes.c,v 1.40 2020/04/27 19:31:02 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -1441,6 +1441,11 @@ aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
         }
 
         memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
+
+        if (nonce_len == 0) {
+                EVPerror(EVP_R_INVALID_IV_LENGTH);
+                return 0;
+        }
         CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
 
         if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
@@ -1487,6 +1492,11 @@ aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
         }
 
         memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
+
+        if (nonce_len == 0) {
+                EVPerror(EVP_R_INVALID_IV_LENGTH);
+                return 0;
+        }
         CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
 
         if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))