From 2beb5f302a9ebe313fe1b93d43ec4add7bb9f9d0 Mon Sep 17 00:00:00 2001
From: openluopworld
Date: Fri, 17 Sep 2021 16:40:22 +0800
Subject: [PATCH 1/8] bugfix: if the len of iv is not 96-bit, ghash is used to compute y0.

An initialization vector IV can have any number of bits between 1 and 2^64. So it should be filled to the lower 64-bit in the last step when computing ghash.

Signed-off-by: openluopworld
---
 library/gcm.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/library/gcm.c b/library/gcm.c
index 910646b281..b575c8f316 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -254,6 +254,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
     size_t i;
     const unsigned char *p;
     size_t use_len, olen = 0;
+    size_t iv_bits;
 
     GCM_VALIDATE_RET( ctx != NULL );
     GCM_VALIDATE_RET( iv != NULL );
@@ -278,7 +279,9 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
     else
     {
         memset( work_buf, 0x00, 16 );
-        MBEDTLS_PUT_UINT32_BE( iv_len * 8, work_buf, 12 );
+        iv_bits = iv_len << 3;
+        MBEDTLS_PUT_UINT32_BE( (iv_bits >> 32), work_buf, 8 );
+        MBEDTLS_PUT_UINT32_BE( iv_bits, work_buf, 12 );
 
         p = iv;
         while( iv_len > 0 )

From 6c8183f0c92c953d421289d22b75de76c2ab5347 Mon Sep 17 00:00:00 2001
From: openluopworld
Date: Fri, 17 Sep 2021 22:15:49 +0800
Subject: [PATCH 2/8] bugfix: if the len of iv is not 96-bit, ghash is used to compute y0.

An initialization vector IV can have any number of bits between 1 and 2^64. So it should be filled to the lower 64-bit in the last step when computing ghash.

Signed-off-by: openluopworld
---
 library/gcm.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/library/gcm.c b/library/gcm.c
index b575c8f316..0810fd2205 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -254,7 +254,6 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
     size_t i;
     const unsigned char *p;
     size_t use_len, olen = 0;
-    size_t iv_bits;
 
     GCM_VALIDATE_RET( ctx != NULL );
     GCM_VALIDATE_RET( iv != NULL );
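Review bot: `iv_bits >> 32` in the new else-branch is undefined behaviour wherever `size_t` is 32 bits (a shift by at least the width of the type), and `iv_len << 3` silently wraps there for IVs of 2^29 bytes or more, so the GHASH length block comes out wrong on exactly the 32-bit targets this library is built for. Declaring the variable as a fixed 64-bit type and widening before the multiply avoids both problems: `uint64_t iv_bits = (uint64_t) iv_len * 8;` followed by a single `MBEDTLS_PUT_UINT64_BE( iv_bits, work_buf, 8 );` in place of the two 32-bit stores. The `iv_bits` declaration lives in the first hunk of this patch, and the body of mbedtls_gcm_starts continues outside both hunks; later patches in this series move toward the 64-bit form.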
@@ -279,9 +278,8 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
     else
     {
         memset( work_buf, 0x00, 16 );
-        iv_bits = iv_len << 3;
-        MBEDTLS_PUT_UINT32_BE( (iv_bits >> 32), work_buf, 8 );
-        MBEDTLS_PUT_UINT32_BE( iv_bits, work_buf, 12 );
+        MBEDTLS_PUT_UINT32_BE( iv_len >> 29, work_buf, 8 );
+        MBEDTLS_PUT_UINT32_BE( iv_len << 3, work_buf, 12 );
 
         p = iv;
         while( iv_len > 0 )

From 08fd463ee45a0332f469a6de5acc977a50672999 Mon Sep 17 00:00:00 2001
From: openluopworld
Date: Sun, 19 Sep 2021 11:18:04 +0800
Subject: [PATCH 3/8] bugfix: if the len of iv is not 96-bit, y0 can be calculated incorrectly

An initialization vector IV can have any number of bits between 1 and 2^64. So it should be filled to the lower 64-bit in the last step when computing ghash.

Signed-off-by: openluopworld
---
 library/gcm.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/library/gcm.c b/library/gcm.c
index 0810fd2205..e1c1c7d518 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -278,8 +278,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
     else
     {
         memset( work_buf, 0x00, 16 );
-        MBEDTLS_PUT_UINT32_BE( iv_len >> 29, work_buf, 8 );
-        MBEDTLS_PUT_UINT32_BE( iv_len << 3, work_buf, 12 );
+        MBEDTLS_PUT_UINT64_BE( iv_len * 8, work_buf, 8 );
 
         p = iv;
         while( iv_len > 0 )

From eb009232c0233ebca6d6b706593a16684f1180d9 Mon Sep 17 00:00:00 2001
From: LuoPeng
Date: Wed, 22 Sep 2021 23:51:19 +0800
Subject: [PATCH 4/8] Update library/gcm.c

Co-authored-by: davidhorstmann-arm <70948878+davidhorstmann-arm@users.noreply.github.com>
Signed-off-by: openluopworld
---
 library/gcm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library/gcm.c b/library/gcm.c
index e1c1c7d518..0e402dd8ca 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -278,7 +278,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
     else
     {
         memset( work_buf, 0x00, 16 );
-        MBEDTLS_PUT_UINT64_BE( iv_len * 8, work_buf, 8 );
+        MBEDTLS_PUT_UINT64_BE( iv_len * 8, work_buf, 8 );
 
         p = iv;
         while( iv_len > 0 )
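Review bot: The split into `iv_len >> 29` for the high word and `iv_len << 3` for the low word is correct for both 32-bit and 64-bit `size_t` (the low store keeps only the bottom 32 bits, and the three bits lost to wrapping on a 32-bit shift are exactly what `>> 29` recovers), but 29 and 3 read as magic numbers and nothing says the two stores together form the 64-bit bit-length of the IV that the GHASH length block requires. A one-line comment above the pair, `/* len(IV) in bits as a 64-bit big-endian value: high word iv_len >> 29, low word iv_len << 3 mod 2^32 */`, would make the intent checkable, or the pair can become one widened store, `MBEDTLS_PUT_UINT64_BE( (uint64_t) iv_len * 8, work_buf, 8 );`. The rest of mbedtls_gcm_starts is outside this hunk.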
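Review bot: `iv_len * 8` in `MBEDTLS_PUT_UINT64_BE( iv_len * 8, work_buf, 8 );` is evaluated in `size_t`, so on a 32-bit target the product wraps for any IV of 2^29 bytes or more and the 64-bit store merely writes the wrapped value with zeroed high bytes; this reintroduces the very overflow the series sets out to fix. Widen before multiplying, `MBEDTLS_PUT_UINT64_BE( (uint64_t) iv_len * 8, work_buf, 8 );`, so the arithmetic happens in 64 bits on every platform. The body of mbedtls_gcm_starts continues outside this hunk.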
From eab65acca45c6287799877aaed0c30341687f330 Mon Sep 17 00:00:00 2001
From: openluopworld
Date: Wed, 22 Sep 2021 23:59:42 +0800
Subject: [PATCH 5/8] bugfix: if the len of iv is not 96-bit, y0 can be calculated incorrectly.

An initialization vector IV can have any number of bits between 1 and 2^64. So it should be filled to the lower 64-bit in the last step when computing ghash.

Signed-off-by: openluopworld
---
 library/gcm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/library/gcm.c b/library/gcm.c
index 0e402dd8ca..4c0a44e413 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -254,6 +254,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
     size_t i;
     const unsigned char *p;
     size_t use_len, olen = 0;
+    uint64_t iv_bits;
 
     GCM_VALIDATE_RET( ctx != NULL );
     GCM_VALIDATE_RET( iv != NULL );
@@ -278,7 +279,8 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
     else
     {
         memset( work_buf, 0x00, 16 );
-        MBEDTLS_PUT_UINT64_BE( iv_len * 8, work_buf, 8 );
+        iv_bits = (uint64_t)iv_len * 8;
+        MBEDTLS_PUT_UINT64_BE( iv_bits, work_buf, 8 );
 
         p = iv;
         while( iv_len > 0 )

From 78521966b0fce063229398e1b589efe9e969f173 Mon Sep 17 00:00:00 2001
From: openluopworld
Date: Tue, 12 Oct 2021 18:15:06 +0800
Subject: [PATCH 6/8] changelog for #4950

Signed-off-by: openluopworld
---
 ChangeLog | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index ebf8a36add..a9fecb8e15 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+Bugfix
+   * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32.
+   * Fix #4950.
+
 = Mbed TLS 3.0.0 branch released 2021-07-07
 
 API changes

From 506752299b4f1961efe81558a2a5309f2a97c08c Mon Sep 17 00:00:00 2001
From: openluopworld
Date: Tue, 12 Oct 2021 18:38:50 +0800
Subject: [PATCH 7/8] add changelog file for #4950

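Review bot: The cast in `iv_bits = (uint64_t)iv_len * 8;` carries the whole fix, yet nothing in the code says why it is there; on a 64-bit host it looks like a no-op and is the kind of thing a later cleanup removes. A comment above it such as `/* GHASH length block: len(IV) in bits as a 64-bit value. Widen before multiplying so the product cannot wrap on 32-bit size_t. */` would pin the intent. No test accompanies the change, which is understandable since an IV of 2^29 bytes is impractical in the test suite, so the comment is effectively the only guard against regression. The body of mbedtls_gcm_starts continues outside both hunks.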
Signed-off-by: openluopworld
---
 ChangeLog                                   | 6 ------
 ChangeLog.d/bugfix-for-gcm-long-iv-size.txt | 4 ++++
 2 files changed, 4 insertions(+), 6 deletions(-)
 create mode 100644 ChangeLog.d/bugfix-for-gcm-long-iv-size.txt

diff --git a/ChangeLog b/ChangeLog
index a9fecb8e15..ebf8a36add 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,11 +1,5 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
-= mbed TLS x.x.x branch released xxxx-xx-xx
-
-Bugfix
-   * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32.
-   * Fix #4950.
-
 = Mbed TLS 3.0.0 branch released 2021-07-07
 
 API changes
diff --git a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt b/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
new file mode 100644
index 0000000000..0e2e5117ec
--- /dev/null
+++ b/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
@@ -0,0 +1,4 @@
+Bugfix
+   * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32.
+   * Fix #4950.
+

From 151ccb297766b6263cdce69f8ca0b785b5323499 Mon Sep 17 00:00:00 2001
From: openluopworld
Date: Wed, 13 Oct 2021 00:23:30 +0800
Subject: [PATCH 8/8] update changelog for #4884

Signed-off-by: openluopworld
---
 ChangeLog.d/bugfix-for-gcm-long-iv-size.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt b/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
index 0e2e5117ec..c04c4aa182 100644
--- a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
+++ b/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
@@ -1,4 +1,4 @@
 Bugfix
    * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32.
-   * Fix #4950.
+   * Fix #4884.