Skip to content

Commit

Permalink
Fix TLS 1.3 additionalData length check (golang-fips#134)
Browse files Browse the repository at this point in the history
  • Loading branch information
dagood authored Jan 9, 2024
1 parent db597f1 commit 66bdd79
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 11 deletions.
28 changes: 20 additions & 8 deletions aes_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -155,12 +155,12 @@ func TestSealAndOpenTLS(t *testing.T) {
key := []byte("D249BF6DEC97B1EBD69BC4D6B3A3C49D")
tests := []struct {
name string
new func(c cipher.Block) (cipher.AEAD, error)
tls string
mask func(n *[12]byte)
}{
{"1.2", openssl.NewGCMTLS, nil},
{"1.3", openssl.NewGCMTLS13, nil},
{"1.3_masked", openssl.NewGCMTLS13, func(n *[12]byte) {
{"1.2", "1.2", nil},
{"1.3", "1.3", nil},
{"1.3_masked", "1.3", func(n *[12]byte) {
// Arbitrary mask in the high bits.
n[9] ^= 0x42
// Mask the very first bit. This makes sure that if Seal doesn't
Expand All @@ -175,7 +175,13 @@ func TestSealAndOpenTLS(t *testing.T) {
if err != nil {
t.Fatal(err)
}
gcm, err := tt.new(ci)
var gcm cipher.AEAD
switch tt.tls {
case "1.2":
gcm, err = openssl.NewGCMTLS(ci)
case "1.3":
gcm, err = openssl.NewGCMTLS13(ci)
}
if err != nil {
t.Fatal(err)
}
Expand All @@ -190,9 +196,15 @@ func TestSealAndOpenTLS(t *testing.T) {
}
}
plainText := []byte{0x01, 0x02, 0x03}
additionalData := make([]byte, 13)
additionalData[11] = byte(len(plainText) >> 8)
additionalData[12] = byte(len(plainText))
var additionalData []byte
switch tt.tls {
case "1.2":
additionalData = make([]byte, 13)
case "1.3":
additionalData = []byte{23, 3, 3, 0, 0}
}
additionalData[len(additionalData)-2] = byte(len(plainText) >> 8)
additionalData[len(additionalData)-1] = byte(len(plainText))
sealed := gcm.Seal(nil, nonce[:], plainText, additionalData)
assertPanic(t, func() {
gcm.Seal(nil, nonce[:], plainText, additionalData)
Expand Down
15 changes: 12 additions & 3 deletions cipher.go
Original file line number Diff line number Diff line change
Expand Up @@ -337,7 +337,14 @@ type cipherGCM struct {
const (
gcmTagSize = 16
gcmStandardNonceSize = 12
gcmTlsAddSize = 13
// TLS 1.2 additional data is constructed as:
//
// additional_data = seq_num(8) + TLSCompressed.type(1) + TLSCompressed.version(2) + TLSCompressed.length(2);
gcmTls12AddSize = 13
// TLS 1.3 additional data is constructed as:
//
// additional_data = TLSCiphertext.opaque_type(1) || TLSCiphertext.legacy_record_version(2) || TLSCiphertext.length(2)
gcmTls13AddSize = 5
gcmTlsFixedNonceSize = 4
)

Expand Down Expand Up @@ -404,8 +411,10 @@ func (g *cipherGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
panic("cipher: message too large for buffer")
}
if g.tls != cipherGCMTLSNone {
if len(additionalData) != gcmTlsAddSize {
panic("cipher: incorrect additional data length given to GCM TLS")
if g.tls == cipherGCMTLS12 && len(additionalData) != gcmTls12AddSize {
panic("cipher: incorrect additional data length given to GCM TLS 1.2")
} else if g.tls == cipherGCMTLS13 && len(additionalData) != gcmTls13AddSize {
panic("cipher: incorrect additional data length given to GCM TLS 1.3")
}
counter := binary.BigEndian.Uint64(nonce[gcmTlsFixedNonceSize:])
if g.tls == cipherGCMTLS13 {
Expand Down

0 comments on commit 66bdd79

Please sign in to comment.