15 changes: 9 additions & 6 deletions wolfcrypt/src/chacha20_poly1305.c
Expand Up @@ -93,11 +93,13 @@ int wc_ChaCha20Poly1305_Decrypt(
WC_DECLARE_VAR(aead, ChaChaPoly_Aead, 1, 0);
byte calculatedAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE];

/* Validate function arguments */
/* Validate function arguments.
* outPlaintext may be NULL when inCiphertextLen is 0
* (authentication-only, no plaintext to decrypt). */
if (!inKey || !inIV ||
(inCiphertextLen > 0 && inCiphertext == NULL) ||
!inAuthTag ||
!outPlaintext)
(inCiphertextLen > 0 && !outPlaintext))
{
return BAD_FUNC_ARG;
}
Expand All @@ -119,7 +121,7 @@ int wc_ChaCha20Poly1305_Decrypt(
if (ret == 0)
ret = wc_ChaCha20Poly1305_CheckTag(inAuthTag, calculatedAuthTag);

if (ret != 0) {
if (ret != 0 && inCiphertextLen > 0) {
/* zero plaintext on error */
ForceZero(outPlaintext, inCiphertextLen);
}
Expand Down Expand Up @@ -229,7 +231,8 @@ int wc_ChaCha20Poly1305_UpdateData(ChaChaPoly_Aead* aead,
{
int ret = 0;

if (aead == NULL || inData == NULL || outData == NULL) {
if (aead == NULL ||
(dataLen > 0 && (inData == NULL || outData == NULL))) {
return BAD_FUNC_ARG;
}
if (aead->state != CHACHA20_POLY1305_STATE_READY &&
Expand All @@ -249,7 +252,7 @@ int wc_ChaCha20Poly1305_UpdateData(ChaChaPoly_Aead* aead,
aead->state = CHACHA20_POLY1305_STATE_DATA;

/* Perform ChaCha20 encrypt/decrypt and Poly1305 auth calc */
if (ret == 0) {
if (ret == 0 && dataLen > 0) {
if (aead->isEncrypt) {
ret = wc_Chacha_Process(&aead->chacha, outData, inData, dataLen);
if (ret == 0)
Expand Down Expand Up @@ -401,7 +404,7 @@ static WC_INLINE int wc_XChaCha20Poly1305_crypt_oneshot(
dst_len = src_len - (size_t)POLY1305_DIGEST_SIZE;
}

if ((dst == NULL) || (src == NULL)) {
if ((dst_len > 0 && dst == NULL) || (src == NULL)) {
Copilot AI Apr 17, 2026

wc_XChaCha20Poly1305_crypt_oneshot() now allows dst == NULL for dst_len == 0, but still rejects src == NULL unconditionally. For consistency with the other APIs changed in this PR (which permit NULL input pointers when the corresponding length is 0), consider changing this to only require src != NULL when src_len > 0 (or when the function will actually read from src). This would make encrypting an empty plaintext (where src_len == 0) work even if callers pass src == NULL (common C convention for zero-length buffers).

Suggested change
if ((dst_len > 0 && dst == NULL) || (src == NULL)) {
if ((dst_len > 0 && dst == NULL) || (src_len > 0 && src == NULL)) {

ret = BAD_FUNC_ARG;
goto out;
}
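Review bot: The relaxed argument check in wc_ChaCha20Poly1305_UpdateData, `(dataLen > 0 && (inData == NULL || outData == NULL))`, and the new `if (ret == 0 && dataLen > 0)` guard are undocumented, while the state assignment `aead->state = CHACHA20_POLY1305_STATE_DATA;` shown just above the guard still runs for a zero-length call. A caller passing NULL buffers with dataLen 0 therefore still moves the context into the DATA state even though no cipher or Poly1305 work is done, and that contract is worth stating where the check is made. I would add a comment above the check such as `/* inData and outData may be NULL only when dataLen is 0; a zero-length call still advances the state to DATA */`, matching the comment this commit adds in wc_ChaCha20Poly1305_Decrypt. The function body starts and ends outside the hunks shown, so how the rest of the function treats dataLen 0 cannot be confirmed from here.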