Merge pull request #107 from golang-fips/dev/dagood/aes-overlap-compat

Fix AES Encrypt/Decrypt buffer overlap detection

Author: qmuntal

aes.go

@@ -138,16 +138,17 @@ func (c *aesCipher) finalize() {
 func (c *aesCipher) BlockSize() int { return aesBlockSize }
 
 func (c *aesCipher) Encrypt(dst, src []byte) {
-	if inexactOverlap(dst, src) {
-		panic("crypto/cipher: invalid buffer overlap")
-	}
 	if len(src) < aesBlockSize {
 		panic("crypto/aes: input not full block")
 	}
 	if len(dst) < aesBlockSize {
 		panic("crypto/aes: output not full block")
 	}
-
+	// Only check for overlap between the parts of src and dst that will actually be used.
+	// This matches Go standard library behavior.
+	if inexactOverlap(dst[:aesBlockSize], src[:aesBlockSize]) {
+		panic("crypto/cipher: invalid buffer overlap")
+	}
 	if c.enc_ctx == nil {
 		var err error
 		c.enc_ctx, err = newCipherCtx(c.kind, C.GO_AES_ENCRYPT, c.key, nil)
@@ -163,15 +164,17 @@ func (c *aesCipher) Encrypt(dst, src []byte) {
 }
 
 func (c *aesCipher) Decrypt(dst, src []byte) {
-	if inexactOverlap(dst, src) {
-		panic("crypto/cipher: invalid buffer overlap")
-	}
 	if len(src) < aesBlockSize {
 		panic("crypto/aes: input not full block")
 	}
 	if len(dst) < aesBlockSize {
 		panic("crypto/aes: output not full block")
 	}
+	// Only check for overlap between the parts of src and dst that will actually be used.
+	// This matches Go standard library behavior.
+	if inexactOverlap(dst[:aesBlockSize], src[:aesBlockSize]) {
+		panic("crypto/cipher: invalid buffer overlap")
+	}
 	if c.dec_ctx == nil {
 		var err error
 		c.dec_ctx, err = newCipherCtx(c.kind, C.GO_AES_DECRYPT, c.key, nil)

aes_test.go

@@ -429,6 +429,24 @@ func TestNewCTR(t *testing.T) {
 	}
 }
 
+func TestCipherEncryptDecryptSharedBuffer(t *testing.T) {
+	key := []byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}
+	pt := []byte{0x32, 0x43, 0xf6, 0xa8, 0x88, 0x5a, 0x30, 0x8d, 0x31, 0x31, 0x98, 0xa2, 0xe0, 0x37, 0x07, 0x34}
+	c, err := NewAESCipher(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	b := append(pt, make([]byte, len(pt))...)
+	// Keep b's length for the shared-buffer plaintext.
+	// This test verifies that Encrypt and Decrypt only check for overlap in the
+	// first block-length of the args, matching Go standard library behavior.
+	bPt := b
+	bCt := b[len(pt):]
+	c.Encrypt(bCt, bPt)
+	c.Decrypt(bPt, bCt)
+}
+
 func BenchmarkAES_Encrypt(b *testing.B) {
 	key := []byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}
 	in := []byte{0x32, 0x43, 0xf6, 0xa8, 0x88, 0x5a, 0x30, 0x8d, 0x31, 0x31, 0x98, 0xa2, 0xe0, 0x37, 0x07, 0x34}