Fix integer truncation in ppc_aes_gcm_crypt #30437
Closed
Scottcjn wants to merge 1 commit into openssl:master from
The assembly functions ppc_aes_gcm_encrypt and ppc_aes_gcm_decrypt return size_t, but their return values were stored in int variables, causing truncation on PPC64 where size_t is 64-bit. This could lead to incorrect results when processing inputs larger than 2GB via EVP_Cipher() which accepts unsigned int lengths.
Change the types of s and ndone from int to size_t to match the function return type and the return type of ppc_aes_gcm_crypt itself.
Tested on POWER8 S824 (ppc64le) — all EVP and cipher tests pass, AES-128-GCM benchmarks at 2.94 GB/s with hardware acceleration.
CLA: trivial
paulidale
approved these changes
Mar 16, 2026
npajkovsky
approved these changes
Mar 16, 2026
This was referenced Mar 16, 2026
Contributor
I'm okay with trivial too.
Collaborator
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.
openssl-machine
pushed a commit
that referenced
this pull request
Mar 17, 2026
The assembly functions ppc_aes_gcm_encrypt and ppc_aes_gcm_decrypt return size_t, but their return values were stored in int variables, causing truncation on PPC64 where size_t is 64-bit. This could lead to incorrect results when processing inputs larger than 2GB via EVP_Cipher() which accepts unsigned int lengths.
Change the types of s and ndone from int to size_t to match the function return type and the return type of ppc_aes_gcm_crypt itself.
Tested on POWER8 S824 (ppc64le) — all EVP and cipher tests pass, AES-128-GCM benchmarks at 2.94 GB/s with hardware acceleration.
CLA: trivial
Reviewed-by: Nikola Pajkovsky <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
MergeDate: Tue Mar 17 09:44:33 2026
(Merged from #30437)
openssl-machine
pushed a commit
that referenced
this pull request
Mar 17, 2026
The assembly functions ppc_aes_gcm_encrypt and ppc_aes_gcm_decrypt return size_t, but their return values were stored in int variables, causing truncation on PPC64 where size_t is 64-bit. This could lead to incorrect results when processing inputs larger than 2GB via EVP_Cipher() which accepts unsigned int lengths.
Change the types of s and ndone from int to size_t to match the function return type and the return type of ppc_aes_gcm_crypt itself.
Tested on POWER8 S824 (ppc64le) — all EVP and cipher tests pass, AES-128-GCM benchmarks at 2.94 GB/s with hardware acceleration.
CLA: trivial
Reviewed-by: Nikola Pajkovsky <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
MergeDate: Tue Mar 17 09:44:33 2026
(Merged from #30437)
(cherry picked from commit e443447)
Member
Merged to the master, 4.0, 3.6, 3.5, 3.4 and 3.3 branches. Thank you for your contribution.
Contributor
Author
Thank you to @paulidale, @npajkovsky, and @t8m for the reviews and merge. Honored to contribute to OpenSSL — this was our first contribution to the project and we're glad it strengthens the POWER8 AES-GCM path. Looking forward to contributing more. — Scott Boudreaux, Elyan Labs
Problem
In ppc_aes_gcm_crypt(), the PPC64 assembly functions ppc_aes_gcm_encrypt and ppc_aes_gcm_decrypt are declared as returning size_t (64-bit on PPC64) in include/crypto/aes_platform.h, but their return values are stored in local int variables (s and ndone), which are 32-bit signed.
This causes silent truncation for inputs exceeding 2GB, which is reachable through EVP_Cipher() (takes unsigned int length).
Fixes #30381
Fix
Change the types of s and ndone from int to size_t to match the return type of the assembly functions and the return type of ppc_aes_gcm_crypt itself.
Testing
Built and tested on IBM POWER8 S824 (ppc64le, Ubuntu 20.04):
make test TESTS='test_evp test_evp_extra test_aes_wrap test_cipherlist' — all pass
CPUINFO: OPENSSL_ppccap=0x2e)
CLA: trivial
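The narrowing described in this pull request, modelled as an added example (this is not OpenSSL code and not part of the PR): bulk_stub, crypt_int_locals and crypt_size_t_locals are hypothetical names, and the stub only reports a byte count, so no buffers or real AES-GCM work are involved. It assumes an LP64 target and a compiler that wraps out-of-range size_t to int conversions, as GCC and Clang do.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: LP64 target (e.g. ppc64le), 64-bit size_t and 32-bit int. */
_Static_assert(sizeof(size_t) == 8 && sizeof(int) == 4, "model assumes LP64");

/* Hypothetical stand-in for a bulk assembly routine: returns the number of
 * bytes it would consume (whole 16-byte blocks only). */
static size_t bulk_stub(size_t len)
{
    return len & ~(size_t)15;
}

/* "Before" shape: the size_t result lands in int locals. */
static size_t crypt_int_locals(size_t len)
{
    int s = 0;
    int ndone = 0;

    s = bulk_stub(len);   /* implicit size_t -> int narrowing */
    ndone += s;
    return ndone;         /* int -> size_t: a negative count sign-extends */
}

/* "After" shape: locals match the callee's return type. */
static size_t crypt_size_t_locals(size_t len)
{
    size_t s = 0;
    size_t ndone = 0;

    s = bulk_stub(len);
    ndone += s;
    return ndone;
}

int main(void)
{
    /* Constructed lengths: just under 2 GiB, exactly 2 GiB, just under 4 GiB. */
    const size_t lens[] = { 0x7FFFFFF0u, 0x80000000u, 0xFFFFFFF0u };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=%#zx int locals=%#zx size_t locals=%#zx\n", lens[i],
               crypt_int_locals(lens[i]), crypt_size_t_locals(lens[i]));
    return 0;
}
```

Building with GCC's or Clang's -Wconversion flags the narrowing assignment in crypt_int_locals, which is one way to catch this class of mismatch at compile time.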