Skip to content

aes: Restrict AES-GCM to at least 1B tag length #189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 26, 2025
Merged

aes: Restrict AES-GCM to at least 1B tag length #189

merged 2 commits into from
Mar 26, 2025

Conversation

@Jakuje
Copy link
Contributor

@Jakuje Jakuje commented Mar 25, 2025
edited by simo5
Loading

Description

The PKCS#11 specs says 0 is a valid tag length:

ulTagBits
length of authentication tag (output following cipher text) in bits.
Can be any value between 0 and 128.

From 6.13.5 AES GCM and CCM Mechanism parameters
https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html#_Toc111203499

But OpenSSL's API requires that the tag is at least on byte when
decrypting data:

EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
Sets the expected tag to "taglen" bytes from "tag". The tag length
can only be set before specifying an IV. "taglen" must be between
1 and 16 (POLY1305_BLOCK_SIZE) inclusive. This call is only valid
when decrypting data.

When data is encrypted, it is still possible to not read the tag though,
but allowing not to set the tag when decrypting data would probably be
too error prone.

Checklist

  • [ ] Test suite updated with functionality tests
  • Test suite updated with negative tests
  • [ ] Documentation was updated
  • [ ] This is not a code change

Reviewer's checklist:

  • Any issues marked for closing are fully addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • A changelog entry is added if the change is significant
  • Code conform to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible text

Jakuje added 2 commits March 25, 2025 17:29
@Jakuje
aes: Restrict AES-GCM to at least 1B tag length
4f83eae 
The PKCS#11 specs says 0 is a valid tag length:

> *ulTagBits*
> length of authentication tag (output following cipher text) in bits.
> Can be any value between 0 and 128.

From 6.13.5 AES GCM and CCM Mechanism parameters
https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html#_Toc111203499

But OpenSSL's API requires that the tag is at least on byte when
decrypting data:

> EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
>   Sets the expected tag to "taglen" bytes from "tag".  The tag length
>   can only be set before specifying an IV.  "taglen" must be between
>   1 and 16 (POLY1305_BLOCK_SIZE) inclusive.  This call is only valid
>   when decrypting data.

When data is encrypted, it is still possible to not read the tag though,
but allowing not to set the tag when decrypting data would probably be
too error prone.

Signed-off-by: Jakub Jelen <[email protected]>
@Jakuje
tests: Test AES-GCM without tags
7bcfbbe 
This verifies both Encrypt and MessageEncrypt API that zero-length tags
are not accepted and the kryoptic returns non-generic error codes.

Signed-off-by: Jakub Jelen <[email protected]>
simo5
simo5 approved these changes Mar 26, 2025
View reviewed changes
Copy link
Member

@simo5 simo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@simo5 simo5 merged commit 5dcdd55 into latchset:main Mar 26, 2025
23 of 24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@simo5 simo5 simo5 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Jakuje @simo5