gcm: disallow IV of length 0
hannesm committed Feb 26, 2020
1 parent 99ff492 commit af300cd
Showing 3 changed files with 33 additions and 3 deletions.
3 changes: 2 additions & 1 deletion src/cipher_block.ml
Expand Up @@ -341,7 +341,8 @@ module Modes2 = struct
BE.set_uint64 _cs 0 a; BE.set_uint64 _cs 8 b; _cs

let counter ~hkey iv = match len iv with
| 12 -> let (w1, w2) = BE.(get_uint64 iv 0, BE.get_uint32 iv 8) in
| 0 -> invalid_arg "GCM: invalid IV of length 0"
| 12 -> let (w1, w2) = BE.get_uint64 iv 0, BE.get_uint32 iv 8 in
(w1, Int64.(shift_left (of_int32 w2) 32 |> add 1L))
| _ -> CTR.ctr_of_cstruct @@
GHASH.digesti ~key:hkey @@ iter2 iv (pack64s 0L (bits64 iv))
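Review bot: The new `| 0 ->` arm in `counter` does not say why an empty IV must be rejected, although the reason is visible in the arm below it: with `iv` empty, the `| _ ->` branch would GHASH nothing but the length block, so every message under the same key would start from the same counter. I would add `(* SP 800-38D requires len(IV) >= 1; an empty IV would otherwise yield a fixed counter for every message under [hkey]. *)` above the arm. The regression test in tests/test_cipher.ml expects the message `Mirage_crypto: GCM: invalid IV of length 0` while this arm raises `invalid_arg "GCM: invalid IV of length 0"`, so it presumably relies on a module-local `invalid_arg` that prefixes the text; a short comment on the arm would make that dependency explicit, since the literal is now part of the tested contract. The enclosing `Modes2` module continues outside the hunk.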
10 changes: 8 additions & 2 deletions src/mirage_crypto.mli
Expand Up @@ -390,11 +390,17 @@ module Cipher_block : sig
val encrypt : key:key -> iv:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> result
(** [encrypt ~key ~iv ?adata msg] is the {{!result}[result]} containing
[msg] encrypted under [key], with [iv] as the initialization vector,
and the authentication tag computed over both [adata] and [msg]. *)
and the authentication tag computed over both [adata] and [msg].
@raise Invalid_argument if the length [iv] is 0.
*)

val decrypt : key:key -> iv:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> result
(** [decrypt ~key ~iv ?adata msg] is the result containing the inversion
of [encrypt] and the same authentication tag. *)
of [encrypt] and the same authentication tag.
@raise Invalid_argument if the length [iv] is 0.
*)
end

(** {e Counter with CBC-MAC} mode. *)
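Review bot: The added `@raise` lines read `if the length [iv] is 0`, which is missing a word; `@raise Invalid_argument if [iv] has length 0.` is clearer and matches the odoc style of the surrounding comments. The same wording appears in both the `encrypt` and `decrypt` comments, so both should change together. The enclosing `Cipher_block` signature continues outside the hunk.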
23 changes: 23 additions & 0 deletions tests/test_cipher.ml
Expand Up @@ -391,11 +391,34 @@ let ccm_regressions =
test_case enc_dec_empty_message ;
]

let gcm_regressions =
let open Cipher_block.AES.GCM in
let msg = vx "000102030405060708090a0b0c0d0e0f" in
let key = of_secret msg
and iv = Cstruct.empty
in
let iv_zero_length_enc _ =
(* reported in https://github.com/mirleft/ocaml-nocrypto/issues/169 *)
assert_raises ~msg:"GCM with iv of length 0"
(Invalid_argument "Mirage_crypto: GCM: invalid IV of length 0")
(fun () -> encrypt ~key ~iv msg)
and iv_zero_length_dec _ =
assert_raises ~msg:"GCM with iv of 0"
(Invalid_argument "Mirage_crypto: GCM: invalid IV of length 0")
(fun () -> decrypt ~key ~iv msg)
in
[
test_case iv_zero_length_enc ;
test_case iv_zero_length_dec ;
]


let suite = [
"AES-ECB" >::: [ "SP 300-38A" >::: aes_ecb_cases ] ;
"AES-CBC" >::: [ "SP 300-38A" >::: aes_cbc_cases ] ;
"AES-CTR" >::: [ "SP 300-38A" >::: aes_ctr_cases; ] ;
"AES-GCM" >::: gcm_cases ;
"AES-CCM" >::: ccm_cases ;
"AES-CCM-REGRESSION" >::: ccm_regressions ;
"AES-GCM-REGRESSION" >::: gcm_regressions ;
]
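Review bot: The two regression cases use different `~msg` labels, `"GCM with iv of length 0"` for encrypt and `"GCM with iv of 0"` for decrypt; the second should become `~msg:"GCM with iv of length 0"` so a failure reads the same either way. The issue-reference comment sits only inside the encrypt case; placing it above `let iv_zero_length_enc _ =` would make clear it covers both cases. Both cases assert the full string `"Mirage_crypto: GCM: invalid IV of length 0"`, which ties the test to the exact error text; that is fine for a regression test but deserves a one-line comment so a later wording change is not mistaken for a behavioural regression. Also, `key` is built from the same bytes as `msg` (`of_secret msg`), which works but reads as if key and plaintext were meant to be related; a separate constant would make the fixture clearer.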
