From c9e7f6cc4791caccd0623fc02585e3e9b39d6965 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 22 May 2024 14:02:08 +0000
Subject: Fix in-place decryption for EVP_chacha20_poly1305()
Take the MAC before clobbering the input value on decryption. Fixes hangs during the QUIC handshake with HAProxy using TLS_CHACHA20_POLY1305_SHA256. Found, issue pinpointed, and initial fix tested by Lucas Gabriel Vuotto: Let me take this opportunity to thank the HAProxy team for going out of their way to keep supporting LibreSSL. It's much appreciated. See https://github.com/haproxy/haproxy/issues/2569 tweak/ok jsing
---
 src/lib/libcrypto/evp/e_chacha20poly1305.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/evp/e_chacha20poly1305.c b/src/lib/libcrypto/evp/e_chacha20poly1305.c
index cc2e0157e6..816a8aa218 100644
--- a/src/lib/libcrypto/evp/e_chacha20poly1305.c
+++ b/src/lib/libcrypto/evp/e_chacha20poly1305.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha20poly1305.c,v 1.35 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_chacha20poly1305.c,v 1.36 2024/05/22 14:02:08 tb Exp $ */
 /*
 * Copyright (c) 2022 Joel Sing
@@ -493,6 +493,8 @@ chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 /* Update with AD or plaintext/ciphertext. */
 if (in != NULL) {
+ if (!ctx->encrypt || out == NULL)
+ CRYPTO_poly1305_update(&cpx->poly1305, in, len);
 if (out == NULL) {
 cpx->ad_len += len;
 cpx->in_ad = 1;
@@ -502,8 +504,6 @@ chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 }
 if (ctx->encrypt && out != NULL)
 CRYPTO_poly1305_update(&cpx->poly1305, out, len);
- else
- CRYPTO_poly1305_update(&cpx->poly1305, in, len);
 return len;
 }
-- cgit v1.2.3-55-g6feb
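Review bot: The early `CRYPTO_poly1305_update(&cpx->poly1305, in, len);` added in the second hunk is correct only because it runs before `out` is written, and nothing in the code records that ordering requirement; a comment above it such as `/* MAC the input first: out may alias in, and the cipher step would overwrite it. */` would keep a later cleanup from moving the call back down. The guard `!ctx->encrypt || out == NULL` here and the remaining `ctx->encrypt && out != NULL` in the third hunk are exact complements, so exactly one Poly1305 update runs per call, which is worth stating in the same comment since the two halves now sit on either side of the cipher step. The diffstat lists only this one file, so no regression test that decrypts with `in == out` appears to accompany the fix; adding one would pin the behaviour. The body of chacha20_poly1305_cipher() starts and ends outside both hunks, and the lines between them that write `out` are not shown.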