
# HG changeset patch
# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
# Date 1595031218 0
# Node ID c25adfdfab34ddb08d3262aac3242e3399de1095
# Parent  f282556e6cc7715f5754aeaadda6f902590e7e38
Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D74801

diff --git a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
--- a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+++ b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
@@ -40,28 +40,35 @@ class Pkcs11ChaCha20Poly1305Test
     aead_params.ulNonceLen = iv_len;
     aead_params.pAAD = toUcharPtr(aad);
     aead_params.ulAADLen = aad_len;
     aead_params.ulTagLen = 16;
 
     SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
                       sizeof(aead_params)};
 
-    // Encrypt with bad parameters.
+    // Encrypt with bad parameters (TagLen is too long).
     unsigned int encrypted_len = 0;
     std::vector<uint8_t> encrypted(data_len + aead_params.ulTagLen);
     aead_params.ulTagLen = 158072;
     SECStatus rv =
         PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
                      &encrypted_len, encrypted.size(), data, data_len);
     EXPECT_EQ(SECFailure, rv);
     EXPECT_EQ(0U, encrypted_len);
-    aead_params.ulTagLen = 16;
+
+    // Encrypt with bad parameters (TagLen is too short).
+    aead_params.ulTagLen = 2;
+    rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
+                      &encrypted_len, encrypted.size(), data, data_len);
+    EXPECT_EQ(SECFailure, rv);
+    EXPECT_EQ(0U, encrypted_len);
 
     // Encrypt.
+    aead_params.ulTagLen = 16;
     rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
                       &encrypted_len, encrypted.size(), data, data_len);
 
     // Return if encryption failure was expected due to invalid IV.
     // Without valid ciphertext, all further tests can be skipped.
     if (invalid_iv) {
       EXPECT_EQ(rv, SECFailure);
       EXPECT_EQ(0U, encrypted_len)
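Review bot: The new "too short" case reuses `encrypted_len` without resetting it, so its `EXPECT_EQ(0U, encrypted_len)` is already satisfied by the preceding assertion and would pass even if PK11_Encrypt left the output length untouched on this failure path. Assign a nonzero sentinel before the second call, e.g. `encrypted_len = 1;  // ensure the failure path resets the length` placed right after `aead_params.ulTagLen = 2;`, so the assertion actually exercises the new rejection. The comment on the new case could also state why a 2-byte tag is refused — a truncated Poly1305 tag leaves only 2^-16 forgery resistance — since the matching freebl change now accepts exactly 16. The enclosing test method starts before and continues past this hunk.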
diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
--- a/lib/freebl/chacha20poly1305.c
+++ b/lib/freebl/chacha20poly1305.c
@@ -76,17 +76,17 @@ ChaCha20Poly1305_InitContext(ChaCha20Pol
 {
 #ifdef NSS_DISABLE_CHACHAPOLY
     return SECFailure;
 #else
     if (keyLen != 32) {
         PORT_SetError(SEC_ERROR_BAD_KEY);
         return SECFailure;
     }
-    if (tagLen == 0 || tagLen > 16) {
+    if (tagLen != 16) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
         return SECFailure;
     }
 
     PORT_Memcpy(ctx->key, key, sizeof(ctx->key));
     ctx->tagLen = tagLen;
 
     return SECSuccess;
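Review bot: The tightened check `if (tagLen != 16)` leaves the reader to guess why 16 is the only accepted value, since the same literal appears unexplained in the test and the previous range check suggested truncated tags were once intended to be allowed. A one-line comment above the condition would fix that: `/* Poly1305 produces a fixed 16-byte tag; truncated tags are not supported (RFC 8439). */`. With the change, `ctx->tagLen = tagLen;` can only ever store 16, which is fine but worth noting if the field is consulted elsewhere. ChaCha20Poly1305_InitContext's signature lies above this hunk, so the declared type of tagLen is not visible here.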