diff options
| author | Katie Hockman <katie@golang.org> | 2020-02-07 14:44:58 -0500 |
|---|---|---|
| committer | Katie Hockman <katie@golang.org> | 2020-02-26 15:49:20 +0000 |
| commit | 6f57b10549a4ee145d643714211c8f36590853de (patch) | |
| tree | 5a320a996addb24fba8944917c61f7e9f6127851 | |
| parent | a7acf9af07bdc288129fa5756768b41f312d05f4 (diff) | |
| download | go-6f57b10549a4ee145d643714211c8f36590853de.tar.gz go-6f57b10549a4ee145d643714211c8f36590853de.zip | |
[release-branch.go1.13] crypto/cipher: require non-zero nonce size for AES-GCM
Also fix typo in crypto/cipher/gcm_test.go.
Updates #37118
Fixes #37417
Change-Id: I8544d1eeeb1f0336cebb977b8c5bfa5e4c5ad8c7
Reviewed-on: https://go-review.googlesource.com/c/go/+/218500
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit 4e8badbbc2fe7854bb1c12a9ee42315b4d535051)
Reviewed-on: https://go-review.googlesource.com/c/go/+/220653
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
| -rw-r--r-- | src/crypto/cipher/gcm.go | 7 | ||||
| -rw-r--r-- | src/crypto/cipher/gcm_test.go | 19 |
2 files changed, 23 insertions, 3 deletions
diff --git a/src/crypto/cipher/gcm.go b/src/crypto/cipher/gcm.go index 73d78550f8..ba0af84a9d 100644 --- a/src/crypto/cipher/gcm.go +++ b/src/crypto/cipher/gcm.go @@ -86,7 +86,8 @@ func NewGCM(cipher Block) (AEAD, error) { } // NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois -// Counter Mode, which accepts nonces of the given length. +// Counter Mode, which accepts nonces of the given length. The length must not +// be zero. // // Only use this function if you require compatibility with an existing // cryptosystem that uses non-standard nonce lengths. All other users should use @@ -112,6 +113,10 @@ func newGCMWithNonceAndTagSize(cipher Block, nonceSize, tagSize int) (AEAD, erro return nil, errors.New("cipher: incorrect tag size given to GCM") } + if nonceSize <= 0 { + return nil, errors.New("cipher: the nonce can't have zero length, or the security of the key will be immediately compromised") + } + if cipher, ok := cipher.(gcmAble); ok { return cipher.NewGCM(nonceSize, tagSize) } diff --git a/src/crypto/cipher/gcm_test.go b/src/crypto/cipher/gcm_test.go index 64d5cc0db4..0d53e471f9 100644 --- a/src/crypto/cipher/gcm_test.go +++ b/src/crypto/cipher/gcm_test.go @@ -217,6 +217,13 @@ var aesGCMTests = []struct { "2b9680b886b3efb7c6354b38c63b5373", "e2b7e5ed5ff27fc8664148f5a628a46dcbf2015184fffb82f2651c36", }, + { + "11754cd72aec309bf52f7687212e8957", + "", + "", + "", + "250327c674aaf477aef2675748cf6971", + }, } func TestAESGCM(t *testing.T) { @@ -234,14 +241,22 @@ func TestAESGCM(t *testing.T) { var aesgcm cipher.AEAD switch { - // Handle non-standard nonce sizes + // Handle non-standard tag sizes case tagSize != 16: aesgcm, err = cipher.NewGCMWithTagSize(aes, tagSize) if err != nil { t.Fatal(err) } - // Handle non-standard tag sizes + // Handle 0 nonce size (expect error and continue) + case len(nonce) == 0: + aesgcm, err = cipher.NewGCMWithNonceSize(aes, 0) + if err == nil { + t.Fatal("expected error for zero nonce size") + } + continue + + // Handle non-standard nonce sizes case len(nonce) != 12: aesgcm, err = cipher.NewGCMWithNonceSize(aes, len(nonce)) if err != nil { |