Fixes

Author: larseggert

src/aead.rs

@@ -99,7 +99,8 @@ mod recprot {
     /// # Safety
     ///
     /// `output`, `tag`, and `input` must be valid for `output_max`, `TAG_LEN`, and `input_len`
-    /// bytes respectively.
+    /// bytes respectively. `output` and `input` may fully overlap (in-place operation); `tag`
+    /// must not overlap with the `output` region.
     #[expect(
         clippy::too_many_arguments,
         reason = "Thin wrapper over a 14-argument C function."
@@ -121,7 +122,7 @@ mod recprot {
             PK11_AEADOp(
                 **ctx,
                 CK_GENERATOR_FUNCTION::from(CKG_NO_GENERATE),
-                0,
+                super::c_int_len(super::NONCE_LEN - super::COUNTER_LEN)?,
                 nonce.as_mut_ptr(),
                 super::c_int_len(super::NONCE_LEN)?,
                 aad.as_ptr(),
@@ -208,7 +209,12 @@ mod recprot {
             input: &[u8],
             output: &'a mut [u8],
         ) -> Res<&'a [u8]> {
-            if output.len() < input.len() + super::TAG_LEN {
+            if output.len()
+                < input
+                    .len()
+                    .checked_add(super::TAG_LEN)
+                    .ok_or(Error::IntegerOverflow)?
+            {
                 return Err(Error::from(SEC_ERROR_BAD_DATA));
             }
             let out_len = unsafe {
@@ -225,7 +231,7 @@ mod recprot {
                 )
             }?;
             debug_assert_eq!(out_len, input.len());
-            Ok(&output[..input.len() + super::TAG_LEN])
+            Ok(&output[..out_len + super::TAG_LEN])
         }
 
         /// Encrypt plaintext in place with associated data.
@@ -275,15 +281,17 @@ mod recprot {
             if output.len() < ct_len {
                 return Err(Error::from(SEC_ERROR_BAD_DATA));
             }
+            let mut tag = [0u8; super::TAG_LEN];
+            tag.copy_from_slice(&input[ct_len..]);
             let out_len = unsafe {
                 aead_op(
                     &self.ctx_decrypt,
                     &self.nonce_base,
                     count,
                     aad,
                     output.as_mut_ptr(),
-                    ct_len,
-                    input.as_ptr().add(ct_len).cast_mut(),
+                    output.len(),
+                    tag.as_mut_ptr(),
                     input.as_ptr(),
                     ct_len,
                 )
@@ -309,7 +317,7 @@ mod recprot {
                     count,
                     aad,
                     data_ptr,
-                    ct_len,
+                    data.len(),
                     data_ptr.add(ct_len),
                     data_ptr.cast_const(),
                     ct_len,

tests/aead.rs

@@ -9,7 +9,10 @@
 
 use nss_rs::{
     RecordProtection,
-    constants::{Cipher, TLS_AES_128_GCM_SHA256, TLS_VERSION_1_3},
+    constants::{
+        Cipher, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256,
+        TLS_VERSION_1_3,
+    },
     hkdf,
 };
 use test_fixture::fixture_init;
@@ -149,3 +152,25 @@ fn encrypt_decrypt_in_place() {
     assert_eq!(decrypted_len, plaintext.len());
     assert_eq!(&buffer[..decrypted_len], plaintext);
 }
+
+fn roundtrip(cipher: Cipher) {
+    let aead = make_aead(cipher);
+    let mut buf = &mut [0u8; 1024][..];
+
+    let ct = aead.encrypt(42, AAD, PLAINTEXT, &mut buf).expect("encrypt");
+    let pt_buf = &mut [0u8; 1024][..];
+    let pt = aead
+        .decrypt(42, AAD, ct, &mut pt_buf[..ct.len()])
+        .expect("decrypt");
+    assert_eq!(pt, PLAINTEXT);
+}
+
+#[test]
+fn roundtrip_aes256() {
+    roundtrip(TLS_AES_256_GCM_SHA384);
+}
+
+#[test]
+fn roundtrip_chacha20() {
+    roundtrip(TLS_CHACHA20_POLY1305_SHA256);
+}