From d14f0dd0aa560c1c4c1ffbea19af4276bceb036c Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 22 May 2024 14:02:08 +0000
Subject: [PATCH] Fix in-place decryption for EVP_chacha20_poly1305()

Take the MAC before clobbering the input value on decryption. Fixes hangs during the QUIC handshake with HAProxy using TLS_CHACHA20_POLY1305_SHA256. Found, issue pinpointed, and initial fix tested by Lucas Gabriel Vuotto: Let me take this opportunity to thank the HAProxy team for going out of their way to keep supporting LibreSSL. It's much appreciated. See https://github.com/haproxy/haproxy/issues/2569 tweak/ok jsing
---
 lib/libcrypto/evp/e_chacha20poly1305.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/libcrypto/evp/e_chacha20poly1305.c b/lib/libcrypto/evp/e_chacha20poly1305.c
index cc2e0157e68..816a8aa2182 100644
--- a/lib/libcrypto/evp/e_chacha20poly1305.c
+++ b/lib/libcrypto/evp/e_chacha20poly1305.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha20poly1305.c,v 1.35 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_chacha20poly1305.c,v 1.36 2024/05/22 14:02:08 tb Exp $ */
 /*
 * Copyright (c) 2022 Joel Sing
@@ -493,6 +493,8 @@ chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 /* Update with AD or plaintext/ciphertext. */
 if (in != NULL) {
+ if (!ctx->encrypt || out == NULL)
+ CRYPTO_poly1305_update(&cpx->poly1305, in, len);
 if (out == NULL) {
 cpx->ad_len += len;
 cpx->in_ad = 1;
@@ -502,8 +504,6 @@ chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 }
 if (ctx->encrypt && out != NULL)
 CRYPTO_poly1305_update(&cpx->poly1305, out, len);
- else
- CRYPTO_poly1305_update(&cpx->poly1305, in, len);
 return len;
 }
-- 
2.20.1
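Review bot: The early `CRYPTO_poly1305_update(&cpx->poly1305, in, len)` added in the `@@ -493` hunk relies on an ordering constraint that the code never states: `in` and `out` may be the same buffer, so ciphertext and AD have to be absorbed into the MAC before the cipher step writes `out`. I would add a comment above the new `if`, for example `/* in may alias out: MAC ciphertext/AD before it is overwritten. */`, so a later cleanup does not fold it back into the encrypt-side update that stays in the `@@ -502` hunk. The cipher call itself lies between the two hunks and is not visible here, so this assumes it is what overwrites the buffer. With the old order an in-place decrypt would presumably MAC the plaintext and reject valid records, which fails closed but stalls the peer; a regression test that decrypts with `out == in` and checks the tag would pin the fix.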