Merge pull request #78 from ColtonWilley/wp_fix_aes_gcm_stream_iv

SparkiDev · web-flow · commit 41b5f6071851 · 2025-03-05T08:23:56.000+10:00
Fix AES-GCM stream IV handling for openSSH flow
diff --git a/src/wp_aes_aead.c b/src/wp_aes_aead.c
@@ -819,8 +819,7 @@ static int wp_aesgcm_get_rand_iv(wp_AeadCtx* ctx, unsigned char* out,
     #ifdef WOLFSSL_AESGCM_STREAM
         int rc;
 
-        rc = wc_AesGcmEncryptInit_ex(&ctx->aes, NULL, 0, ctx->iv,
-            (word32)ctx->ivLen);
+        rc = wc_AesGcmInit(&ctx->aes, NULL, 0, ctx->iv, ctx->ivLen);
         if (rc != 0) {
             ok = 0;
         }
@@ -967,23 +966,27 @@ static int wp_aesgcm_einit(wp_AeadCtx* ctx, const unsigned char *key,
     if (ok) {
         int rc;
 
-        if (ivLen == 0) {
-            if (key != NULL) {
-                rc = wc_AesGcmSetKey(aes, key, (word32)keyLen);
-                if (rc != 0) {
-                    ok = 0;
-                }
-            }
-        }
-        else {
-            rc = wc_AesGcmEncryptInit(aes, key, (word32)keyLen, iv, (word32)ivLen);
-            if (rc != 0) {
+        if (iv != NULL) {
+            if (ivLen == 0) {
                 ok = 0;
             }
             if (ok) {
                 XMEMCPY(ctx->iv, iv, ivLen);
                 ctx->ivState = IV_STATE_BUFFERED;
                 ctx->ivSet = 0;
+                ctx->ivLen = ivLen;
+            }
+        }
+        if ((ivLen == 0) && (key != NULL)) {
+            rc = wc_AesGcmSetKey(aes, key, (word32)keyLen);
+            if (rc != 0) {
+                ok = 0;
+            }
+        }
+        else if (key != NULL) {
+            rc = wc_AesGcmEncryptInit(aes, key, (word32)keyLen, iv, (word32)ivLen);
+            if (rc != 0) {
+                ok = 0;
             }
         }
     }
@@ -1041,8 +1044,10 @@ static int wp_aesgcm_dinit(wp_AeadCtx *ctx, const unsigned char *key,
         ok = 0;
     }
 #ifdef WOLFSSL_AESGCM_STREAM
-    if (ok && (wc_AesGcmDecryptInit(aes, key, (word32)keyLen, iv, (word32)ivLen) != 0)) {
-        ok = 0;
+    if (ok && key != NULL) {
+        if (wc_AesGcmDecryptInit(aes, key, (word32)keyLen, iv, (word32)ivLen) != 0) {
+            ok = 0;
+        }
     }
     if (ok) {
         XMEMCPY(ctx->iv, iv, ivLen);
@@ -1181,6 +1186,7 @@ static int wp_aesgcm_stream_update(wp_AeadCtx *ctx, unsigned char *out,
     int ok = 1;
     int done = 0;
     size_t oLen = 0;
+    int rc;
 
     if (ctx->tlsAadLen != UNINITIALISED_SIZET) {
         ok = wp_aesgcm_tls_cipher(ctx, out, outLen, in, inLen);
@@ -1192,7 +1198,17 @@ static int wp_aesgcm_stream_update(wp_AeadCtx *ctx, unsigned char *out,
     }
 
     if ((!done) && ok) {
-        int rc;
+        if (ctx->ivState == IV_STATE_BUFFERED) {
+            rc = wc_AesGcmInit(&ctx->aes, NULL, 0, ctx->iv, ctx->ivLen);
+            if (rc != 0) {
+                ok = 0;
+            }
+
+            ctx->ivState = IV_STATE_COPIED;
+        }
+    }
+
+    if ((!done) && ok) {
         const unsigned char* aad = NULL;
         size_t aadLen = 0;
 
@@ -1465,11 +1481,13 @@ static int wp_aesgcm_cipher(wp_AeadCtx *ctx, unsigned char *out,
         ok = 0;
     }
     if (ok) {
-        ok = wp_aesgcm_stream_update(ctx, out, outLen, outSize, in, inLen);
-    }
-    if (ok) {
-        ok = wp_aesgcm_stream_final(ctx, out + *outLen, &finalLen,
-            outSize - *outLen);
+        if (in != NULL) {
+            ok = wp_aesgcm_stream_update(ctx, out, outLen, outSize, in, inLen);
+        }
+        else {
+            ok = wp_aesgcm_stream_final(ctx, out + *outLen, &finalLen,
+                outSize - *outLen);
+        }
     }
     if (ok) {
         *outLen += finalLen;
diff --git a/test/test_aestag.c b/test/test_aestag.c
@@ -363,6 +363,105 @@ static int test_aes_tag_fixed_enc(const EVP_CIPHER *cipher,
     return err;
 }
 
+static int test_aes_tag_enc_ossh(const EVP_CIPHER *cipher,
+    unsigned char *key, unsigned char *iv,
+    unsigned char *aad, unsigned char *msg, int len, unsigned char *enc,
+    unsigned char *tag)
+{
+    int err;
+    EVP_CIPHER_CTX *encCtx;
+    unsigned int tagLen = 16;
+    char lastiv[1];
+
+    /* Test encryption flow used by openSSH */
+    err = (encCtx = EVP_CIPHER_CTX_new()) == NULL;
+    if (err == 0) {
+       err = EVP_CipherInit(encCtx, cipher, NULL, iv, 1) != 1;
+    }
+    if (err == 0) {
+       err = EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1,
+                                 iv) != 1;
+    }
+    if (err == 0) {
+       err = EVP_CipherInit(encCtx, NULL, key, NULL, -1) != 1;
+    }
+    if (err == 0) {
+       err = EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, 1,
+                                 lastiv) != 1;
+    }
+    if (err == 0) {
+       err = EVP_Cipher(encCtx, NULL, aad, (int)strlen((char *)aad)) < 0;
+    }
+    if (err == 0) {
+       err = EVP_Cipher(encCtx, enc, msg, len) < 0;
+    }
+    if (err == 0) {
+       err = EVP_Cipher(encCtx, NULL, NULL, 0) < 0;
+    }
+    if (err == 0) {
+       err = EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_GET_TAG, tagLen,
+                                 tag) != 1;
+    }
+    if (err == 0) {
+        PRINT_BUFFER("Encrypted", enc, len);
+        PRINT_BUFFER("Tag", tag, 16);
+    }
+
+    EVP_CIPHER_CTX_free(encCtx);
+    return err;
+}
+
+static int test_aes_tag_dec_ossh(const EVP_CIPHER *cipher,
+    unsigned char *key, unsigned char *iv,
+    unsigned char *aad, unsigned char *msg, int len, unsigned char *enc,
+    unsigned char *tag, unsigned char *dec)
+{
+    int err;
+    EVP_CIPHER_CTX *decCtx;
+    unsigned int tagLen = 16;
+    char lastiv[1];
+
+    /* Test decryption flow used by openSSH */
+    err = (decCtx = EVP_CIPHER_CTX_new()) == NULL;
+    if (err == 0) {
+       err = EVP_CipherInit(decCtx, cipher, NULL, iv, 0) != 1;
+    }
+    if (err == 0) {
+       err = EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1,
+                                 iv) != 1;
+    }
+    if (err == 0) {
+       err = EVP_CipherInit(decCtx, NULL, key, NULL, -1) != 1;
+    }
+    if (err == 0) {
+       err = EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_IV_GEN, 1,
+                                 lastiv) != 1;
+    }
+    if (err == 0) {
+       err = EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_TAG, tagLen,
+                                 tag) != 1;
+    }
+    if (err == 0) {
+       err = EVP_Cipher(decCtx, NULL, aad, (int)strlen((char *)aad)) < 0;
+    }
+    if (err == 0) {
+       err = EVP_Cipher(decCtx, dec, enc, len) < 0;
+    }
+    if (err == 0) {
+       err = EVP_Cipher(decCtx, NULL, NULL, 0) < 0;
+    }
+    if (err == 0 && dec != NULL && msg != NULL) {
+        PRINT_BUFFER("Decrypted", dec, len);
+
+        if (memcmp(dec, msg, len) != 0) {
+            err = 1;
+        }
+    }
+
+    EVP_CIPHER_CTX_free(decCtx);
+    return err;
+}
+
 static int test_aes_tag_fixed(void *data, const char *cipher,
                               int keyLen, int ivFixedLen, int ivLen)
 {
@@ -418,6 +517,26 @@ static int test_aes_tag_fixed(void *data, const char *cipher,
         err = test_aes_tag_dec(ocipher, key, iv, ivLen, aad, msg,
                                sizeof(msg), enc, tag, dec, 0, 0);
     }
+    if (err == 0) {
+        PRINT_MSG("Encrypt with wolfprovider");
+        test_aes_tag_enc_ossh(wcipher, key, iv,
+                              aad, msg, sizeof(msg), enc, tag);
+    }
+    if (err == 0) {
+        PRINT_MSG("Decrypt with OpenSSL");
+        test_aes_tag_dec_ossh(ocipher, key, iv,
+                              aad, msg, sizeof(msg), enc, tag, dec);
+    }
+    if (err == 0) {
+        PRINT_MSG("Encrypt with OpenSSL");
+        test_aes_tag_enc_ossh(ocipher, key, iv,
+                              aad, msg, sizeof(msg), enc, tag);
+    }
+    if (err == 0) {
+        PRINT_MSG("Decrypt with wolfprovider");
+        test_aes_tag_dec_ossh(wcipher, key, iv,
+                              aad, msg, sizeof(msg), enc, tag, dec);
+    }
 
     EVP_CIPHER_free(wcipher);
     EVP_CIPHER_free(ocipher);
