From: Dmitry Eremin-Solenikov <[email protected]>

Currently odp_crypto code will happily accept wrong tags, because the check for EVP_DecryptFinal_ex return code is incorrect. This function returns 0 if tag is incorrect, not < 0.
Signed-off-by: Dmitry Eremin-Solenikov <[email protected]> --- /** Email created from pull request 24 (lumag:crypto-dal) ** https://github.com/Linaro/odp/pull/24 ** Patch: https://github.com/Linaro/odp/pull/24.patch ** Base sha: 540490ddf3a1b3da4b80ed15fc874ccdfc49b60c ** Merge commit sha: d097dfa56ce6abf579ef39d07f3ac39d6badbc92 **/ platform/linux-generic/odp_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/linux-generic/odp_crypto.c b/platform/linux-generic/odp_crypto.c index a0f3f7e..78c3ac2 100644 --- a/platform/linux-generic/odp_crypto.c +++ b/platform/linux-generic/odp_crypto.c @@ -384,7 +384,7 @@ odp_crypto_alg_err_t aes_gcm_decrypt(odp_crypto_op_param_t *param, auth_len - (aad_tail - aad_head)); } - if (EVP_DecryptFinal_ex(ctx, cipherdata + cipher_len, &plain_len) < 0) + if (EVP_DecryptFinal_ex(ctx, cipherdata + cipher_len, &plain_len) <= 0) return ODP_CRYPTO_ALG_ERR_ICV_CHECK; return ODP_CRYPTO_ALG_ERR_NONE;
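
Review bot: The corrected tag check in aes_gcm_decrypt (`EVP_DecryptFinal_ex(ctx, cipherdata + cipher_len, &plain_len) <= 0`) arrives without a negative test. The diffstat shows only platform/linux-generic/odp_crypto.c changed, so nothing decrypts a packet with a corrupted tag and asserts that ODP_CRYPTO_ALG_ERR_ICV_CHECK comes back. Per the commit message, the old `< 0` comparison accepted wrong tags without any visible failure, so a regression case with a single flipped tag bit would stop this from silently returning. As a smaller style point, EVP_DecryptFinal_ex reports success with 1, so comparing against `!= 1` states the contract directly and rejects anything that is not an explicit success. It is also worth checking the other OpenSSL EVP return-value checks in this file for the same `< 0` pattern.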
