Fix AES-GCM-SIV with huge inputs on 32-bit.

The asm code is 64-bit only, so multipling a `size_t` by eight to get a number of bits is valid and the bounds on the inputs are checked accordingly. But on 32-bit, that calculation will overflow for huge inputs. Change-Id: I6d2171becd6b6259593b2aa80105d8cae1ec7ed4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65188 Reviewed-by: David Benjamin <davidben@google.com>
10 months ago · a32596b054
parent e5d6b2fbb4
commit a32596b054
1 changed files with 2 additions and 2 deletions
--- a/crypto/cipher_extra/e_aesgcmsiv.c
+++ b/crypto/cipher_extra/e_aesgcmsiv.c
@ -635,8 +635,8 @@ static void gcm_siv_polyval(
  }

  uint8_t length_block[16];
-  CRYPTO_store_u64_le(length_block, ad_len * 8);
-  CRYPTO_store_u64_le(length_block + 8, in_len * 8);
+  CRYPTO_store_u64_le(length_block, ((uint64_t) ad_len) * 8);
+  CRYPTO_store_u64_le(length_block + 8, ((uint64_t) in_len) * 8);
  CRYPTO_POLYVAL_update_blocks(&polyval_ctx, length_block,
                               sizeof(length_block));