armv8_dec_aes_gcm_full never sets tag_byte_length

[milinjpatel]

In the armv8_dec_aes_gcm_full, cipher_constants_t variable cc is declared. In the declaration, only the mode field is initialized to one of the function arguments. The tag_byte_length field is never explicitly set to a value. Looking through the call stack for armv8_dec_aes_gcm_full revealed that tag_byte_length is never set anywhere when that function is called. On line 2088 of AArch64cryptolib_aes_gcm.c, the tag_byte_length is used in some if conditions to do the actual authentication tag checking. Based on how cc is declared and that tag_byte_length is never set explicitly, the length will just be 0. None of the if conditions will be hit so no authentication tag checking occurs. The mismatch variable is initialized to 0 so the function returns that the authentication tag is good but in reality, the tag was never checked.

I also noticed that the tests provided don't cover armv8_dec_aes_gcm_full.

[WonderfulVoid]

Hi. Thanks for finding this. I will take a closer look at the source code and make necessary corrections. It sounds like a bad bug.

[WonderfulVoid]

I am waiting for a CVE number that I requested. Otherwise we are all set.

[WonderfulVoid]

The problem should be solved as described in the security advisory https://github.com/ARM-software/AArch64cryptolib/security/advisories/GHSA-47c6-7x5x-r74g. I am planning to change the armv8_dec_aes_gcm_full() definition so that the tag size is a user-defined parameter but this will be an incompatible change.

[milinjpatel]

That seems reasonable. I made the same change locally when I was testing.