diff mbox series

[API-NEXT,v1,2/7] linux: crypto: fix checking of GCM tags

Message ID 1493953207-9115-3-git-send-email-odpbot@yandex.ru
State Superseded
Headers show
Series [API-NEXT,v1,1/7] linux: crypto: use auth_digest_len when calculating HMACs | expand

Commit Message

Github ODP bot May 5, 2017, 3 a.m. UTC
From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>


Currently odp_crypto code will happily accept wrong tags, because the
check for EVP_DecryptFinal_ex return code is incorrect. This function
returns 0 if tag is incorrect, not < 0.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

---
/** Email created from pull request 24 (lumag:crypto-dal)
 ** https://github.com/Linaro/odp/pull/24
 ** Patch: https://github.com/Linaro/odp/pull/24.patch
 ** Base sha: 540490ddf3a1b3da4b80ed15fc874ccdfc49b60c
 ** Merge commit sha: d097dfa56ce6abf579ef39d07f3ac39d6badbc92
 **/
 platform/linux-generic/odp_crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/platform/linux-generic/odp_crypto.c b/platform/linux-generic/odp_crypto.c
index a0f3f7e..78c3ac2 100644
--- a/platform/linux-generic/odp_crypto.c
+++ b/platform/linux-generic/odp_crypto.c
@@ -384,7 +384,7 @@  odp_crypto_alg_err_t aes_gcm_decrypt(odp_crypto_op_param_t *param,
 				  auth_len - (aad_tail - aad_head));
 	}
 
-	if (EVP_DecryptFinal_ex(ctx, cipherdata + cipher_len, &plain_len) < 0)
+	if (EVP_DecryptFinal_ex(ctx, cipherdata + cipher_len, &plain_len) <= 0)
 		return ODP_CRYPTO_ALG_ERR_ICV_CHECK;
 
 	return ODP_CRYPTO_ALG_ERR_NONE;