Impact
Due to an improperly initialized variable in the armv8_dec_aes_gcm_full() function, the computed AES-GCM authentication tag is treated as having zero length and is therefore never verified; instead, authentication is always reported as successful.
A man-in-the-middle could modify data (e.g. network packets) without the modification being detected by the AES-GCM authentication mechanism. The resulting cleartext corruption would be random, since only the encrypted ciphertext can be modified. If AArch64cryptolib is used with e.g. IPsec, replay attacks (of unmodified encrypted data) might also be possible.
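The following added example (not code from AArch64cryptolib) models the failure mode described above: a tag comparison driven by a tag-length value that was never set. With a length of 0, zero bytes are compared and a tampered tag is accepted; the hardened variant validates the length against the general-use AES-GCM tag sizes (96 to 128 bits) before comparing. The sample tag and the verifier names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant-time byte comparison; returns 1 if equal. Models the final tag
 * check of AES-GCM decryption. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Buggy shape (as the advisory describes): tag_len comes from a variable that
 * was never initialized. If it arrives as 0, no bytes are compared and the
 * check "passes" no matter what the received tag contains. */
int verify_tag_unchecked(const uint8_t *computed, const uint8_t *received,
                         size_t tag_len)
{
    return ct_equal(computed, received, tag_len);
}

/* Hardened shape: reject any tag length outside the general-use AES-GCM
 * range (12..16 bytes, i.e. 96..128 bits) before comparing anything, so a
 * zero or garbage length is an authentication failure, not a pass. */
int verify_tag_checked(const uint8_t *computed, const uint8_t *received,
                       size_t tag_len)
{
    if (tag_len < 12 || tag_len > 16)
        return 0;
    return ct_equal(computed, received, tag_len);
}

/* Regression check: returns 1 if `verify` accepts a tampered copy of a
 * constructed 16-byte tag when told the tag is tag_len bytes long.
 * A sound verifier returns 0 for every tag_len. */
int accepts_tampered_tag(int (*verify)(const uint8_t *, const uint8_t *, size_t),
                         size_t tag_len)
{
    uint8_t tag[16], tampered[16];
    for (size_t i = 0; i < 16; i++)
        tag[i] = (uint8_t)(0xA0 + i);  /* constructed sample tag */
    memcpy(tampered, tag, 16);
    tampered[0] ^= 0x80;               /* corrupt a single bit */
    return verify(tag, tampered, tag_len);
}
```

A unit test of this shape (decrypt with a deliberately corrupted tag, expect failure) is the simplest way to catch a regression of this kind in any AES-GCM wrapper.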
Patches
The problem is fixed in commit 86065c6.
Workarounds
Use the alternate armv8_dec_aes_gcm_from_state() API, where the authentication tag size is specified by the caller.
References
#5