Explicitly warn about streaming AEADs with EVP_CIPHER_CTX.

We already tell people not to use these APIs, but some do anyway. Those
that do should be warned about the streaming implications.

Change-Id: I67a9e1bb94aec2217b7c53849ec676b1c3dddb3c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/55392
Reviewed-by: Bob Beck <bbe@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/include/openssl/cipher.h b/include/openssl/cipher.h
index b1876e0..0e52ac8 100644
--- a/include/openssl/cipher.h
+++ b/include/openssl/cipher.h
@@ -449,6 +449,12 @@
 // These AEADs are deprecated AES-GCM implementations that set
 // |EVP_CIPH_FLAG_CUSTOM_CIPHER|. Use |EVP_aead_aes_128_gcm| and
 // |EVP_aead_aes_256_gcm| instead.
+//
+// WARNING: Although these APIs allow streaming an individual AES-GCM operation,
+// this is not secure. Until calling |EVP_DecryptFinal_ex|, the tag has not yet
+// been checked and output released by |EVP_DecryptUpdate| is unauthenticated
+// and easily manipulated by attackers. Callers must buffer the output and may
+// not act on it until the entire operation is complete.
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_gcm(void);
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_gcm(void);
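Review bot: In the last sentence of the added WARNING, "may not act on it" can be read as "might not" rather than as a prohibition, and "until the entire operation is complete" leaves open whether merely calling |EVP_DecryptFinal_ex| is enough. Since the comment already says the tag is only checked in |EVP_DecryptFinal_ex|, consider wording it as "Callers must buffer the output and must not act on it until |EVP_DecryptFinal_ex| has returned success", and add that the buffered output must be discarded if that call fails. The warning also speaks only about the decrypt path; if that is intentional, a short "when decrypting" at the start of the second sentence would make the scope explicit.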