From 2f61f102169e4d6652c9b82246353cd276366809 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 27 Jun 2022 11:14:50 +0900
Subject: [PATCH] cipher: limit plaintext length supplied to AES-GCM
According to SP800-38D 5.2.1.1, input data length of AES-GCM
encryption function must be less than or equal to 2^39-256 bits.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
NEWS | 3 +
lib/accelerated/aarch64/aes-aarch64.h | 15 ++++
lib/accelerated/aarch64/aes-gcm-aarch64.c | 9 +++
lib/accelerated/x86/aes-gcm-padlock.c | 29 ++++---
lib/accelerated/x86/aes-gcm-x86-aesni.c | 30 +++++---
lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c | 9 +++
lib/accelerated/x86/aes-gcm-x86-pclmul.c | 9 +++
lib/accelerated/x86/aes-gcm-x86-ssse3.c | 30 +++++---
lib/accelerated/x86/aes-x86.h | 15 ++++
lib/nettle/cipher.c | 41 ++++++++++
tests/slow/cipher-api-test.c | 79 ++++++++++++++++++++
11 files changed, 240 insertions(+), 29 deletions(-)
diff --git a/lib/accelerated/aarch64/aes-aarch64.h b/lib/accelerated/aarch64/aes-aarch64.h
index 692d8620d7..0e64f4ed8d 100644
--- a/lib/accelerated/aarch64/aes-aarch64.h
+++ b/lib/accelerated/aarch64/aes-aarch64.h
@@ -20,6 +20,21 @@ typedef struct {
if (s != 16 && s != 24 && s != 32) \
return GNUTLS_E_INVALID_REQUEST
+#include <intprops.h>
+#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32)
+static inline int
+record_aes_gcm_encrypt_size(size_t *counter, size_t size) {
+ size_t sum;
+
+ if (!INT_ADD_OK(*counter, size, &sum) ||
+ sum > AES_GCM_ENCRYPT_MAX_BYTES) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ *counter = sum;
+
+ return 0;
+}
+
int aes_v8_set_encrypt_key(const unsigned char *userKey, int bits, AES_KEY *key);
int aes_v8_set_decrypt_key(const unsigned char *userKey, int bits, AES_KEY *key);
void aes_v8_cbc_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/lib/accelerated/aarch64/aes-gcm-aarch64.c b/lib/accelerated/aarch64/aes-gcm-aarch64.c
index 901bd9f60f..be1e69c784 100644
--- a/lib/accelerated/aarch64/aes-gcm-aarch64.c
+++ b/lib/accelerated/aarch64/aes-gcm-aarch64.c
@@ -62,6 +62,7 @@ struct aes_gcm_ctx {
struct gcm128_context gcm;
unsigned finished;
unsigned auth_finished;
+ size_t rekey_counter;
};
void gcm_init_v8(u128 Htable[16], const uint64_t Xi[2]);
@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
ctx->gcm.H.u[1] = bswap_64(ctx->gcm.H.u[1]);
gcm_init_v8(ctx->gcm.Htable, ctx->gcm.H.u);
+ ctx->rekey_counter = 0;
return 0;
}
@@ -141,6 +143,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2;
ctx->finished = 0;
ctx->auth_finished = 0;
+ ctx->rekey_counter = 0;
return 0;
}
@@ -229,6 +232,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
int exp_blocks = blocks * GCM_BLOCK_SIZE;
int rest = src_size - (exp_blocks);
uint32_t counter;
+ int ret;
if (unlikely(ctx->finished))
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -236,6 +240,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
if (unlikely(length < src_size))
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
if (blocks > 0) {
ctr32_encrypt_blocks(src, dst,
blocks,
diff --git a/lib/accelerated/x86/aes-gcm-padlock.c b/lib/accelerated/x86/aes-gcm-padlock.c
index a9c7441d65..739883ab1b 100644
--- a/lib/accelerated/x86/aes-gcm-padlock.c
+++ b/lib/accelerated/x86/aes-gcm-padlock.c
@@ -43,7 +43,10 @@
* Actually padlock doesn't include GCM mode. We just use
* the ECB part of padlock and nettle for everything else.
*/
-struct gcm_padlock_aes_ctx GCM_CTX(struct padlock_ctx);
+struct gcm_padlock_aes_ctx {
+ struct GCM_CTX(struct padlock_ctx) inner;
+ size_t rekey_counter;
+};
static void padlock_aes_encrypt(const void *_ctx,
size_t length, uint8_t * dst,
@@ -78,7 +81,7 @@ static void padlock_aes256_set_encrypt_key(struct padlock_ctx *_ctx,
static void aes_gcm_deinit(void *_ctx)
{
- struct padlock_ctx *ctx = _ctx;
+ struct gcm_padlock_aes_ctx *ctx = _ctx;
zeroize_temp_key(ctx, sizeof(*ctx));
gnutls_free(ctx);
@@ -108,14 +111,15 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t keysize)
struct gcm_padlock_aes_ctx *ctx = _ctx;
if (keysize == 16) {
- GCM_SET_KEY(ctx, padlock_aes128_set_encrypt_key, padlock_aes_encrypt,
+ GCM_SET_KEY(&ctx->inner, padlock_aes128_set_encrypt_key, padlock_aes_encrypt,
key);
} else if (keysize == 32) {
- GCM_SET_KEY(ctx, padlock_aes256_set_encrypt_key, padlock_aes_encrypt,
+ GCM_SET_KEY(&ctx->inner, padlock_aes256_set_encrypt_key, padlock_aes_encrypt,
key);
} else
return GNUTLS_E_INVALID_REQUEST;
+ ctx->rekey_counter = 0;
return 0;
}
@@ -126,8 +130,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
if (iv_size != GCM_BLOCK_SIZE - 4)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- GCM_SET_IV(ctx, iv_size, iv);
+ GCM_SET_IV(&ctx->inner, iv_size, iv);
+ ctx->rekey_counter = 0;
return 0;
}
@@ -136,11 +141,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
void *dst, size_t length)
{
struct gcm_padlock_aes_ctx *ctx = _ctx;
+ int ret;
if (unlikely(length < src_size))
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
- GCM_ENCRYPT(ctx, padlock_aes_encrypt, src_size, dst, src);
+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
+ GCM_ENCRYPT(&ctx->inner, padlock_aes_encrypt, src_size, dst, src);
return 0;
}
@@ -154,7 +165,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size,
if (unlikely(dst_size < src_size))
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
- GCM_DECRYPT(ctx, padlock_aes_encrypt, src_size, dst, src);
+ GCM_DECRYPT(&ctx->inner, padlock_aes_encrypt, src_size, dst, src);
return 0;
}
@@ -162,7 +173,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size)
{
struct gcm_padlock_aes_ctx *ctx = _ctx;
- GCM_UPDATE(ctx, src_size, src);
+ GCM_UPDATE(&ctx->inner, src_size, src);
return 0;
}
@@ -171,7 +182,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize)
{
struct gcm_padlock_aes_ctx *ctx = _ctx;
- GCM_DIGEST(ctx, padlock_aes_encrypt, tagsize, tag);
+ GCM_DIGEST(&ctx->inner, padlock_aes_encrypt, tagsize, tag);
}
#include "aes-gcm-aead.h"
diff --git a/lib/accelerated/x86/aes-gcm-x86-aesni.c b/lib/accelerated/x86/aes-gcm-x86-aesni.c
index b0edaebfba..3be63ddd97 100644
--- a/lib/accelerated/x86/aes-gcm-x86-aesni.c
+++ b/lib/accelerated/x86/aes-gcm-x86-aesni.c
@@ -36,12 +36,14 @@
#include <x86-common.h>
#include <byteswap.h>
#include <nettle/gcm.h>
-#include <aes-x86.h>
/* GCM mode
* It is used when the CPU doesn't include the PCLMUL instructions.
*/
-struct gcm_x86_aes_ctx GCM_CTX(AES_KEY);
+struct gcm_x86_aes_ctx {
+ struct GCM_CTX(AES_KEY) inner;
+ size_t rekey_counter;
+};
static void x86_aes_encrypt(const void *_ctx,
size_t length, uint8_t * dst,
@@ -101,17 +103,18 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t length)
struct gcm_x86_aes_ctx *ctx = _ctx;
if (length == 16) {
- GCM_SET_KEY(ctx, x86_aes128_set_encrypt_key, x86_aes_encrypt,
+ GCM_SET_KEY(&ctx->inner, x86_aes128_set_encrypt_key, x86_aes_encrypt,
key);
} else if (length == 24) {
- GCM_SET_KEY(ctx, x86_aes192_set_encrypt_key, x86_aes_encrypt,
+ GCM_SET_KEY(&ctx->inner, x86_aes192_set_encrypt_key, x86_aes_encrypt,
key);
} else if (length == 32) {
- GCM_SET_KEY(ctx, x86_aes256_set_encrypt_key, x86_aes_encrypt,
+ GCM_SET_KEY(&ctx->inner, x86_aes256_set_encrypt_key, x86_aes_encrypt,
key);
} else
return GNUTLS_E_INVALID_REQUEST;
+ ctx->rekey_counter = 0;
return 0;
}
@@ -122,8 +125,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
if (iv_size != GCM_BLOCK_SIZE - 4)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- GCM_SET_IV(ctx, iv_size, iv);
+ GCM_SET_IV(&ctx->inner, iv_size, iv);
+ ctx->rekey_counter = 0;
return 0;
}
@@ -132,11 +136,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
void *dst, size_t length)
{
struct gcm_x86_aes_ctx *ctx = _ctx;
+ int ret;
if (unlikely(length < src_size))
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
- GCM_ENCRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
+ GCM_ENCRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
return 0;
}
@@ -150,7 +160,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size,
if (unlikely(dst_size < src_size))
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
- GCM_DECRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
+ GCM_DECRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
return 0;
}
@@ -158,7 +168,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size)
{
struct gcm_x86_aes_ctx *ctx = _ctx;
- GCM_UPDATE(ctx, src_size, src);
+ GCM_UPDATE(&ctx->inner, src_size, src);
return 0;
}
@@ -167,7 +177,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize)
{
struct gcm_x86_aes_ctx *ctx = _ctx;
- GCM_DIGEST(ctx, x86_aes_encrypt, tagsize, tag);
+ GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tagsize, tag);
}
static void aes_gcm_deinit(void *_ctx)
diff --git a/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c b/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c
index 21aef94440..fbefe432f4 100644
--- a/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c
+++ b/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c
@@ -61,6 +61,7 @@ struct aes_gcm_ctx {
struct gcm128_context gcm;
unsigned finished;
unsigned auth_finished;
+ size_t rekey_counter;
};
void gcm_init_avx(u128 Htable[16], const uint64_t Xi[2]);
@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
gcm_init_avx(ctx->gcm.Htable, ctx->gcm.H.u);
+ ctx->rekey_counter = 0;
return 0;
}
@@ -140,6 +142,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2;
ctx->finished = 0;
ctx->auth_finished = 0;
+ ctx->rekey_counter = 0;
return 0;
}
@@ -184,6 +187,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
int exp_blocks = blocks * GCM_BLOCK_SIZE;
int rest = src_size - (exp_blocks);
uint32_t counter;
+ int ret;
if (unlikely(ctx->finished))
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -191,6 +195,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
if (unlikely(length < src_size))
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
if (blocks > 0) {
aesni_ctr32_encrypt_blocks(src, dst,
blocks,
diff --git a/lib/accelerated/x86/aes-gcm-x86-pclmul.c b/lib/accelerated/x86/aes-gcm-x86-pclmul.c
index e6b4990cbf..5385acbb6b 100644
--- a/lib/accelerated/x86/aes-gcm-x86-pclmul.c
+++ b/lib/accelerated/x86/aes-gcm-x86-pclmul.c
@@ -60,6 +60,7 @@ struct aes_gcm_ctx {
struct gcm128_context gcm;
unsigned finished;
unsigned auth_finished;
+ size_t rekey_counter;
};
void gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]);
@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
gcm_init_clmul(ctx->gcm.Htable, ctx->gcm.H.u);
+ ctx->rekey_counter = 0;
return 0;
}
@@ -140,6 +142,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2;
ctx->finished = 0;
ctx->auth_finished = 0;
+ ctx->rekey_counter = 0;
return 0;
}
@@ -184,6 +187,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
int exp_blocks = blocks * GCM_BLOCK_SIZE;
int rest = src_size - (exp_blocks);
uint32_t counter;
+ int ret;
if (unlikely(ctx->finished))
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -191,6 +195,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
if (unlikely(length < src_size))
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
if (blocks > 0) {
aesni_ctr32_encrypt_blocks(src, dst,
blocks,
diff --git a/lib/accelerated/x86/aes-gcm-x86-ssse3.c b/lib/accelerated/x86/aes-gcm-x86-ssse3.c
index 7a2ac50869..f074cb1096 100644
--- a/lib/accelerated/x86/aes-gcm-x86-ssse3.c
+++ b/lib/accelerated/x86/aes-gcm-x86-ssse3.c
@@ -36,13 +36,15 @@
#include <x86-common.h>
#include <byteswap.h>
#include <nettle/gcm.h>
-#include <aes-x86.h>
#include <assert.h>
/* GCM mode
* It is used when the CPU doesn't include the PCLMUL instructions.
*/
-struct gcm_x86_aes_ctx GCM_CTX(AES_KEY);
+struct gcm_x86_aes_ctx {
+ struct GCM_CTX(AES_KEY) inner;
+ size_t rekey_counter;
+};
static void x86_aes_encrypt(const void *_ctx,
size_t length, uint8_t * dst,
@@ -110,17 +112,18 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t keysize)
struct gcm_x86_aes_ctx *ctx = _ctx;
if (keysize == 16) {
- GCM_SET_KEY(ctx, x86_aes_128_set_encrypt_key, x86_aes_encrypt,
+ GCM_SET_KEY(&ctx->inner, x86_aes_128_set_encrypt_key, x86_aes_encrypt,
key);
} else if (keysize == 24) {
- GCM_SET_KEY(ctx, x86_aes_192_set_encrypt_key, x86_aes_encrypt,
+ GCM_SET_KEY(&ctx->inner, x86_aes_192_set_encrypt_key, x86_aes_encrypt,
key);
} else if (keysize == 32) {
- GCM_SET_KEY(ctx, x86_aes_256_set_encrypt_key, x86_aes_encrypt,
+ GCM_SET_KEY(&ctx->inner, x86_aes_256_set_encrypt_key, x86_aes_encrypt,
key);
} else
return GNUTLS_E_INVALID_REQUEST;
+ ctx->rekey_counter = 0;
return 0;
}
@@ -131,8 +134,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
if (iv_size != GCM_BLOCK_SIZE - 4)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- GCM_SET_IV(ctx, iv_size, iv);
+ GCM_SET_IV(&ctx->inner, iv_size, iv);
+ ctx->rekey_counter = 0;
return 0;
}
@@ -141,11 +145,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
void *dst, size_t length)
{
struct gcm_x86_aes_ctx *ctx = _ctx;
+ int ret;
if (unlikely(length < src_size))
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
- GCM_ENCRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
+ GCM_ENCRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
return 0;
}
@@ -159,7 +169,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size,
if (unlikely(dst_size < src_size))
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
- GCM_DECRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
+ GCM_DECRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
return 0;
}
@@ -167,7 +177,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size)
{
struct gcm_x86_aes_ctx *ctx = _ctx;
- GCM_UPDATE(ctx, src_size, src);
+ GCM_UPDATE(&ctx->inner, src_size, src);
return 0;
}
@@ -176,7 +186,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize)
{
struct gcm_x86_aes_ctx *ctx = _ctx;
- GCM_DIGEST(ctx, x86_aes_encrypt, tagsize, tag);
+ GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tagsize, tag);
}
static void aes_gcm_deinit(void *_ctx)
diff --git a/lib/accelerated/x86/aes-x86.h b/lib/accelerated/x86/aes-x86.h
index 023b5f7be6..349d3d5d9c 100644
--- a/lib/accelerated/x86/aes-x86.h
+++ b/lib/accelerated/x86/aes-x86.h
@@ -22,6 +22,21 @@ typedef struct {
if (s != 16 && s != 24 && s != 32) \
return GNUTLS_E_INVALID_REQUEST
+#include <intprops.h>
+#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32)
+static inline int
+record_aes_gcm_encrypt_size(size_t *counter, size_t size) {
+ size_t sum;
+
+ if (!INT_ADD_OK(*counter, size, &sum) ||
+ sum > AES_GCM_ENCRYPT_MAX_BYTES) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ *counter = sum;
+
+ return 0;
+}
+
void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
size_t len, const AES_KEY * key, int enc);
diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c
index ab4c46d2d0..b41862d1ea 100644
--- a/lib/nettle/cipher.c
+++ b/lib/nettle/cipher.c
@@ -63,6 +63,7 @@
#include <nettle/xts.h>
#include <nettle/siv-cmac.h>
#include <fips.h>
+#include <intprops.h>
struct nettle_cipher_ctx;
@@ -120,8 +121,23 @@ struct nettle_cipher_ctx {
unsigned iv_size;
bool enc;
+ size_t rekey_counter;
};
+#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32)
+static inline int
+record_aes_gcm_encrypt_size(size_t *counter, size_t size) {
+ size_t sum;
+
+ if (!INT_ADD_OK(*counter, size, &sum) ||
+ sum > AES_GCM_ENCRYPT_MAX_BYTES) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ *counter = sum;
+
+ return 0;
+}
+
static void
_stream_encrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst,
const uint8_t * src)
@@ -1133,6 +1149,16 @@ wrap_nettle_cipher_setkey(void *_ctx, const void *key, size_t keysize)
else
ctx->cipher->set_decrypt_key(ctx->ctx_ptr, key);
+ switch (ctx->cipher->algo) {
+ case GNUTLS_CIPHER_AES_128_GCM:
+ case GNUTLS_CIPHER_AES_192_GCM:
+ case GNUTLS_CIPHER_AES_256_GCM:
+ ctx->rekey_counter = 0;
+ break;
+ default:
+ break;
+ }
+
return 0;
}
@@ -1147,6 +1173,7 @@ wrap_nettle_cipher_setiv(void *_ctx, const void *iv, size_t iv_size)
case GNUTLS_CIPHER_AES_192_GCM:
case GNUTLS_CIPHER_AES_256_GCM:
FIPS_RULE(iv_size < GCM_IV_SIZE, GNUTLS_E_INVALID_REQUEST, "access to short GCM nonce size\n");
+ ctx->rekey_counter = 0;
break;
case GNUTLS_CIPHER_SALSA20_256:
case GNUTLS_CIPHER_ESTREAM_SALSA20_256:
@@ -1207,10 +1234,24 @@ wrap_nettle_cipher_encrypt(void *_ctx, const void *plain, size_t plain_size,
void *encr, size_t encr_size)
{
struct nettle_cipher_ctx *ctx = _ctx;
+ int ret;
if (unlikely(ctx->cipher->encrypt == NULL))
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ switch (ctx->cipher->algo) {
+ case GNUTLS_CIPHER_AES_128_GCM:
+ case GNUTLS_CIPHER_AES_192_GCM:
+ case GNUTLS_CIPHER_AES_256_GCM:
+ ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, plain_size);
+ if (ret < 0) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ break;
+ default:
+ break;
+ }
+
ctx->cipher->encrypt(ctx, plain_size, encr, plain);
return 0;
diff --git a/tests/slow/cipher-api-test.c b/tests/slow/cipher-api-test.c
index fc880bcc9f..1d267ce312 100644
--- a/tests/slow/cipher-api-test.c
+++ b/tests/slow/cipher-api-test.c
@@ -21,6 +21,7 @@
*/
#include <config.h>
+#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
@@ -48,6 +49,11 @@ int main(int argc, char **argv)
#include <assert.h>
#include <utils.h>
+#define AES_GCM_ENCRYPT_PLAINTEXT_MAX ((1ULL << 36) - 32)
+#if SIZE_MAX >= AES_GCM_ENCRYPT_PLAINTEXT_MAX
+#define TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE 1
+#endif
+
static void tls_log_func(int level, const char *str)
{
fprintf(stderr, "<%d>| %s", level, str);
@@ -401,6 +407,74 @@ static void test_aead_invalid_short_decrypt(int algo)
return;
}
+#ifdef TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE
+/* Test whether an invalid call to gnutls_cipher_encrypt() with too
+ * long message is caught */
+static void test_aead_invalid_too_long_encrypt(int algo)
+{
+ int ret;
+ gnutls_cipher_hd_t ch;
+ uint8_t key16[64];
+ uint8_t iv16[32];
+ uint8_t data[128];
+ gnutls_datum_t key, iv;
+
+ if (algo != GNUTLS_CIPHER_AES_128_GCM &&
+ algo != GNUTLS_CIPHER_AES_192_GCM &&
+ algo != GNUTLS_CIPHER_AES_256_GCM) {
+ return;
+ }
+
+ key.data = key16;
+ key.size = gnutls_cipher_get_key_size(algo);
+ assert(key.size <= sizeof(key16));
+
+ iv.data = iv16;
+ iv.size = gnutls_cipher_get_iv_size(algo);
+ assert(iv.size <= sizeof(iv16));
+
+ memset(iv.data, 0xff, iv.size);
+ memset(key.data, 0xfe, key.size);
+ memset(data, 0xfa, sizeof(data));
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4711);
+
+ ret = global_init();
+ if (ret < 0) {
+ fail("Cannot initialize library\n"); /*errcode 1 */
+ }
+
+ ret = gnutls_cipher_init(&ch, algo, &key, &iv);
+ if (ret < 0)
+ fail("gnutls_cipher_init failed\n"); /*errcode 1 */
+
+ /* Test exceeding AES-GCM plaintext limit */
+ ret = gnutls_cipher_encrypt(ch, data, sizeof(data));
+ if (ret < 0)
+ fail("could not encrypt data\n");
+
+ /* A few blocks larger than AES_GCM_ENCRYPT_PLAINTEXT_MAX combined with
+ * the previous call. Use NULL for PLAINTEXT so the access to the first
+ * block always results in page fault (in case the limit is not
+ * enforced).
+ */
+ ret = gnutls_cipher_encrypt(ch, NULL, AES_GCM_ENCRYPT_PLAINTEXT_MAX);
+ if (ret >= 0)
+ fail("succeeded in encrypting too long data\n");
+ if (ret != GNUTLS_E_INVALID_REQUEST)
+ fail("wrong kind of error on encrypting too long data,"
+ "%s instead of GNUTLS_E_INVALID_REQUEST\n",
+ gnutls_strerror_name(ret));
+
+ gnutls_cipher_deinit(ch);
+
+ gnutls_global_deinit();
+ return;
+}
+#endif
+
static void check_status(int status)
{
if (WEXITSTATUS(status) != 0 ||
@@ -464,6 +538,11 @@ void start(const char *name, int algo, unsigned aead)
success("trying %s: test_aead_invalid_short_decrypt\n", name);
fork_subtest(test_aead_invalid_short_decrypt, algo);
+
+#if TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE
+ success("trying %s: test_aead_invalid_too_long_encrypt\n", name);
+ fork_subtest(test_aead_invalid_too_long_encrypt, algo);
+#endif
}
}
--
2.37.1