Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIX: FFI botan_cipher_update() for SIV and CCM #3971

Merged
merged 6 commits into from
Apr 5, 2024
Merged

FIX: FFI botan_cipher_update() for SIV and CCM #3971

merged 6 commits into from
Apr 5, 2024

Conversation

reneme
Copy link
Collaborator

@reneme reneme commented Apr 4, 2024

Pull Request Dependencies

Description

As mentioned, the FFI function botan_cipher_update() failed to properly handle cipher modes that produce output only after finalizing an input stream.

With this patch, the function does not erroneously copy the input buffer into the output buffer anymore. As the copy happened from a zero-length byte vector, this might even be undefined behavior. Note that I didn't fix the potentially surprising fact that botan_cipher_update() refuses to consume any input data if no equally sized output buffer is available.

This adapts the test originally introduced in #3951 to be able to work with the existing implementation of botan_cipher_update(). It acts as a regression test for the described behavior. Here, no performance improvements are applied to botan_cipher_update(). Given that 3.4.0 is just around the corner, I thought it would be useful to create a minimal fix for the detected issue to be able to postpone the performance improvement until after the release.

@reneme
add FFI API botan_cipher_requires_entire_message()
615a02c
@reneme
Update python module cipher methods
0b57394
@reneme
Update FFI_VERSION to next release date
98834c9
@reneme
add graceful exception handling to python test
b77e151
@reneme
TEST: explicitly test ChaCha20Poly via FFI
1e26185
@reneme
FIX: Don't write verbatim input data into output buffer
92a2c01 
This happened for cipher modes that do not generate any output
before they are finalized. The FFI adapter botan_cipher_update()
failed to check the number of bytes generated by an update() call,
and simply assumed that it would generate as many output bytes as
it received input bytes.
@reneme reneme added the bug label Apr 4, 2024
@reneme reneme added this to the Botan 3.4.0 milestone Apr 4, 2024
@reneme reneme requested a review from randombit April 4, 2024 19:31
@reneme reneme self-assigned this Apr 4, 2024
@reneme reneme mentioned this pull request Apr 4, 2024
Merged
@coveralls
Copy link

Coverage Status

coverage: 92.092% (+0.01%) from 92.08%
when pulling 92a2c01 on fix/ffi_cipher_update_for_SIV_CCM
into b059347 on master.

@reneme reneme merged commit e07c6ca into master Apr 5, 2024
43 checks passed
@reneme reneme deleted the fix/ffi_cipher_update_for_SIV_CCM branch April 5, 2024 07:58
@reneme reneme mentioned this pull request Apr 9, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@randombit randombit randombit approved these changes

Assignees

@reneme reneme

Labels
bug
Projects
None yet
Milestone
Botan 3.4.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@reneme @coveralls @randombit