Add CallWithCoreDumpProtection to AES CMAC

PiperOrigin-RevId: 623403538
tink-crypto · Apr 10, 2024 · 62da0f3 · 62da0f3
1 parent 59d6a2b
commit 62da0f3
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 13 deletions.
diff --git a/cc/subtle/BUILD.bazel b/cc/subtle/BUILD.bazel
@@ -189,6 +189,7 @@ cc_library(
         ":subtle_util",
         "//:mac",
         "//internal:aes_util",
+        "//internal:call_with_core_dump_protection",
         "//internal:fips_utils",
         "//internal:ssl_unique_ptr",
         "//internal:util",

diff --git a/cc/subtle/CMakeLists.txt b/cc/subtle/CMakeLists.txt
@@ -180,6 +180,7 @@ tink_cc_library(
     crypto
     tink::core::mac
     tink::internal::aes_util
+    tink::internal::call_with_core_dump_protection
     tink::internal::fips_utils
     tink::internal::ssl_unique_ptr
     tink::internal::util

diff --git a/cc/subtle/aes_cmac_boringssl.cc b/cc/subtle/aes_cmac_boringssl.cc
@@ -28,6 +28,7 @@
 #include "openssl/cmac.h"
 #include "openssl/evp.h"
 #include "tink/internal/aes_util.h"
+#include "tink/internal/call_with_core_dump_protection.h"
 #include "tink/internal/fips_utils.h"
 #include "tink/internal/ssl_unique_ptr.h"
 #include "tink/internal/util.h"
@@ -84,16 +85,21 @@ util::StatusOr<std::string> AesCmacBoringSsl::ComputeMac(
     return cipher.status();
   }
   size_t len = 0;
-  const uint8_t* key_ptr = reinterpret_cast<const uint8_t*>(&key_[0]);
   const uint8_t* data_ptr = reinterpret_cast<const uint8_t*>(data.data());
   uint8_t* result_ptr = reinterpret_cast<uint8_t*>(&result[0]);
-  if (CMAC_Init(context.get(), key_ptr, key_.size(), *cipher, nullptr) <= 0 ||
-      CMAC_Update(context.get(), data_ptr, data.size()) <= 0 ||
-      CMAC_Final(context.get(), result_ptr, &len) == 0) {
+  bool res = internal::CallWithCoreDumpProtection([&]() {
+    if (CMAC_Init(context.get(), key_.data(), key_.size(), *cipher, nullptr) <=
+            0 ||
+        CMAC_Update(context.get(), data_ptr, data.size()) <= 0 ||
+        CMAC_Final(context.get(), result_ptr, &len) == 0) {
+      return false;
+    }
+    result.resize(tag_size_);
+    return true;
+  });
+  if (!res) {
     return util::Status(absl::StatusCode::kInternal, "Failed to compute CMAC");
   }
-
-  result.resize(tag_size_);
   return result;
 }
 
@@ -104,13 +110,15 @@ util::Status AesCmacBoringSsl::VerifyMac(absl::string_view mac,
                      "Incorrect tag size: expected %d, found %d", tag_size_,
                      mac.size());
   }
-  util::StatusOr<std::string> computed_mac = ComputeMac(data);
-  if (!computed_mac.ok()) return computed_mac.status();
-  if (CRYPTO_memcmp(computed_mac->data(), mac.data(), tag_size_) != 0) {
-    return util::Status(absl::StatusCode::kInvalidArgument,
-                        "CMAC verification failed");
-  }
-  return util::OkStatus();
+  return internal::CallWithCoreDumpProtection([&]() {
+    util::StatusOr<std::string> computed_mac = ComputeMac(data);
+    if (!computed_mac.ok()) return computed_mac.status();
+    if (CRYPTO_memcmp(computed_mac->data(), mac.data(), tag_size_) != 0) {
+      return util::Status(absl::StatusCode::kInvalidArgument,
+                          "CMAC verification failed");
+    }
+    return util::OkStatus();
+  });
 }
 
 }  // namespace subtle