Disallow the use of zero length IVs in AES-GCM via

EVP_AEAD_CTX_{open,seal}, as this leaks the authentication key.

Issue reported and fix tested by Guido Vranken.

ok beck, jsing

This commit adds a constant to a public header despite library lock,
as discussed with deraadt and sthen.

lib/libcrypto/evp/e_aes.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.39 2019/05/12 15:52:46 tb Exp $ */
+/* $OpenBSD: e_aes.c,v 1.40 2020/04/27 19:31:02 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
  *
@@ -1441,6 +1441,11 @@ aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
  }
 
  memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
+
+ if (nonce_len == 0) {
+ EVPerror(EVP_R_INVALID_IV_LENGTH);
+ return 0;
+ }
  CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
 
  if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
@@ -1487,6 +1492,11 @@ aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
  }
 
  memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
+
+ if (nonce_len == 0) {
+ EVPerror(EVP_R_INVALID_IV_LENGTH);
+ return 0;
+ }
  CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
 
  if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))

lib/libcrypto/evp/evp.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.78 2019/10/24 15:43:09 jsing Exp $ */
+/* $OpenBSD: evp.h,v 1.79 2020/04/27 19:31:02 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1507,6 +1507,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_INPUT_NOT_INITIALIZED 111
 #define EVP_R_INVALID_DIGEST 152
 #define EVP_R_INVALID_FIPS_MODE 168
+#define EVP_R_INVALID_IV_LENGTH 194
 #define EVP_R_INVALID_KEY_LENGTH 130
 #define EVP_R_INVALID_OPERATION 148
 #define EVP_R_IV_TOO_LARGE 102

lib/libcrypto/evp/evp_err.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_err.c,v 1.25 2019/03/18 05:34:29 tb Exp $ */
+/* $OpenBSD: evp_err.c,v 1.26 2020/04/27 19:31:02 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
  *
@@ -111,6 +111,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = {
  {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) , "input not initialized"},
  {ERR_REASON(EVP_R_INVALID_DIGEST) , "invalid digest"},
  {ERR_REASON(EVP_R_INVALID_FIPS_MODE) , "invalid fips mode"},
+ {ERR_REASON(EVP_R_INVALID_IV_LENGTH) , "invalid iv length"},
  {ERR_REASON(EVP_R_INVALID_KEY_LENGTH) , "invalid key length"},
  {ERR_REASON(EVP_R_INVALID_OPERATION) , "invalid operation"},
  {ERR_REASON(EVP_R_IV_TOO_LARGE) , "iv too large"},