[openwrt/openwrt] openssl: fix AES-GCM-SIV and AES-SIV with zero-length messages
LEDE Commits
lede-commits at lists.infradead.org
Mon Dec 1 10:20:27 PST 2025
nbd pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/2bc79783233c5d8612bfa5831cd334cab62b3e5e
commit 2bc79783233c5d8612bfa5831cd334cab62b3e5e
Author: Felix Fietkau <nbd at nbd.name>
AuthorDate: Mon Dec 1 18:13:52 2025 +0000
openssl: fix AES-GCM-SIV and AES-SIV with zero-length messages
Fix the cipher implementation to avoid treating empty input as finalizer.
This issue is fixed in the openssl 3.6 branch, but the fix approach from
that branch is not suitable for 3.5, since the code is completely different.
Signed-off-by: Felix Fietkau <nbd at nbd.name>
---
.../patches/010-fix-aes-gcm-siv-cipher.patch | 62 ++++++++++++++++++++++
1 file changed, 62 insertions(+)
diff --git a/package/libs/openssl/patches/010-fix-aes-gcm-siv-cipher.patch b/package/libs/openssl/patches/010-fix-aes-gcm-siv-cipher.patch
new file mode 100644
index 0000000000..3baec89a1b
--- /dev/null
+++ b/package/libs/openssl/patches/010-fix-aes-gcm-siv-cipher.patch
@@ -0,0 +1,62 @@
+From: Felix Fietkau <nbd at nbd.name>
+Date: Mon, 1 Dec 2025 16:22:17 +0000
+Subject: [PATCH] providers/implementations/ciphers: fix AES-GCM-SIV and
+ AES-SIV with zero-length messages
+
+When ossl_aes_gcm_siv_cipher() or siv_cipher() is called with in=NULL
+for zero-length input, the hw->cipher function interprets this as a
+finalization request and calls the finish function instead of
+encrypt/decrypt. This causes the authentication tag to never be computed
+for zero-length messages, resulting in decryption verification failures.
+
+Fix this by substituting a static empty byte address when in is NULL,
+ensuring hw->cipher always receives a non-NULL pointer from Update calls
+and correctly routes to the encrypt/decrypt path.
+
+For AES-GCM-SIV, this is a different fix than upstream commit
+f1a4f0368b73 ("make aes-gcm-siv work with zero-length messages") which
+removed early-return and length checks that don't exist in 3.5.x.
+
+Signed-off-by: Felix Fietkau <nbd at nbd.name>
+
+---
+--- a/providers/implementations/ciphers/cipher_aes_gcm_siv.c
++++ b/providers/implementations/ciphers/cipher_aes_gcm_siv.c
+@@ -140,6 +140,7 @@ static int ossl_aes_gcm_siv_cipher(void
+ {
+ PROV_AES_GCM_SIV_CTX *ctx = (PROV_AES_GCM_SIV_CTX *)vctx;
+ int error = 0;
++ static const unsigned char empty;
+
+ if (!ossl_prov_is_running())
+ return 0;
+@@ -149,6 +150,9 @@ static int ossl_aes_gcm_siv_cipher(void
+ return 0;
+ }
+
++ if (in == NULL)
++ in = ∅
++
+ error |= !ctx->hw->cipher(ctx, out, in, inl);
+
+ if (outl != NULL && !error)
+--- a/providers/implementations/ciphers/cipher_aes_siv.c
++++ b/providers/implementations/ciphers/cipher_aes_siv.c
+@@ -114,6 +114,7 @@ static int siv_cipher(void *vctx, unsign
+ size_t outsize, const unsigned char *in, size_t inl)
+ {
+ PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx;
++ static const unsigned char empty;
+
+ if (!ossl_prov_is_running())
+ return 0;
+@@ -123,6 +124,9 @@ static int siv_cipher(void *vctx, unsign
+ return 0;
+ }
+
++ if (in == NULL)
++ in = ∅
++
+ if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
+ return 0;
+
More information about the lede-commits
mailing list