[gnutls-devel] GnuTLS | Draft: AES-GCM buffer size checks, accelerated implementations and ASAN (!1521)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Jan 24 17:48:11 CET 2022



Alexander Sosedkin created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1521

Project:Branches: asosedkin/gnutls:aes-gcm-sizes to gnutls/gnutls:master
Author:   Alexander Sosedkin




A run with ASAN on and hardware acceleration off has caught a write past the buffer boundary in `test-ciphers-api`.

The issue was twofold:
1. The accelerated implementations in `lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c` have ignored the destination plaintext buffer lengths.
2. The test that intended to trigger an error by passing a zero-length plaintext buffer was also passing the wrong ciphertext length, caught a different kind of error in return, but didn't check the exact error value.

This MR intends to:
1. Add missing output buffer length checks.
2. Fix the test to trigger and check for the error it was intended to catch.
3. Ideally enable hardware acceleration in CI ASAN jobs.

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1521
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20220124/4ca6844c/attachment-0001.html>


More information about the Gnutls-devel mailing list