Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
mozilla-nss.2166
nss-GCM-ctr.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File nss-GCM-ctr.patch of Package mozilla-nss.2166
# HG changeset patch # Parent c2351189803767939aaa10b67164187b47017191 # Parent 105cb8f05f697c89781cddfc29c3e11890d20751 NIST SP-800-38D specifies, that GCM is not safe after 2^39 - 256 bits with the same IV. Return error, should this limit be reached. bmo#1053127 bnc#892530 diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c --- a/lib/freebl/gcm.c +++ b/lib/freebl/gcm.c @@ -603,19 +603,25 @@ gcmHash_Reset(gcmHashContext *ghash, con * Now implement the GCM using gcmHash and CTR * **************************************************************************/ /* state to handle the full GCM operation (hash and counter) */ struct GCMContextStr { gcmHashContext ghash_context; CTRContext ctr_context; unsigned long tagBits; + unsigned long long gcm_iv_bytes; unsigned char tagKey[MAX_BLOCK_SIZE]; }; +/* NIST SP-800-38D limits the use of GCM with a single IV to 2^39 - 256 + * bits which translates to 2^32 - 2 128bit blocks or 2^36 - 32 bytes + */ +#define MAX_GCM_BYTES_PER_IV ((1ULL << 36) - 32) + GCMContext * GCM_CreateContext(void *context, freeblCipherFunc cipher, const unsigned char *params, unsigned int blocksize) { GCMContext *gcm = NULL; gcmHashContext *ghash; unsigned char H[MAX_BLOCK_SIZE]; unsigned int tmp; @@ -675,16 +681,18 @@ GCM_CreateContext(void *context, freeblC /* calculate the final tag key. NOTE: gcm->tagKey is zero to start with. * if this assumption changes, we would need to explicitly clear it here */ rv = CTR_Update(&gcm->ctr_context, gcm->tagKey, &tmp, blocksize, gcm->tagKey, blocksize, blocksize); if (rv != SECSuccess) { goto loser; } + gcm->gcm_iv_bytes = MAX_GCM_BYTES_PER_IV; + /* finally mix in the AAD data */ rv = gcmHash_Reset(ghash, gcmParams->pAAD, gcmParams->ulAADLen, blocksize); if (rv != SECSuccess) { goto loser; } return gcm; @@ -771,16 +779,23 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig unsigned int *outlen, unsigned int maxout, const unsigned char *inbuf, unsigned int inlen, unsigned int blocksize) { SECStatus rv; unsigned int tagBytes; unsigned int len; + /* bail out if this invocation requests processing more than what is + * considered to be a safe limit */ + if (gcm->gcm_iv_bytes < (unsigned long long)inlen) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } + tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE; if (UINT_MAX - inlen < tagBytes) { PORT_SetError(SEC_ERROR_INPUT_LEN); return SECFailure; } if (maxout < inlen + tagBytes) { *outlen = inlen + tagBytes; PORT_SetError(SEC_ERROR_OUTPUT_LEN); @@ -799,16 +814,17 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig return SECFailure; } rv = gcm_GetTag(gcm, outbuf + *outlen, &len, maxout - *outlen, blocksize); if (rv != SECSuccess) { PORT_Memset(outbuf, 0, *outlen); /* clear the output buffer */ *outlen = 0; return SECFailure; }; + gcm->gcm_iv_bytes -= inlen; *outlen += len; return SECSuccess; } /* * See The Galois/Counter Mode of Operation, McGrew and Viega. * GCM is basically counter mode with a specific initialization and * built in macing operation. NOTE: the only difference between Encrypt
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor