Skip to content

fix GCM tls iv length check and aead tag length validation#416

Open
gasbytes wants to merge 1 commit into
wolfSSL:masterfrom
gasbytes:wp-aes-aead-fixes
Open

fix GCM tls iv length check and aead tag length validation#416
gasbytes wants to merge 1 commit into
wolfSSL:masterfrom
gasbytes:wp-aes-aead-fixes

Conversation

@gasbytes

Copy link
Copy Markdown
Contributor

Fixes the gcm tls fixed-iv length check to properly reject oversized inputs and adds tag length validation against each algorithm's allowed sizes for GCM and CCM, in particular this last one was wrapped in a new function called wp_aead_tag_len_valid.

@gasbytes gasbytes self-assigned this Jun 25, 2026
Copilot AI review requested due to automatic review settings June 25, 2026 16:41

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens AES-GCM/TLS fixed-IV handling and AEAD tag-length validation in wp_aes_aead.c, and adds unit tests to prevent regressions around oversized fixed-IV inputs and undersized authentication tags.

Changes:

  • Add wp_aead_tag_len_valid() and enforce algorithm-specific allowed tag sizes for GCM and CCM when setting OSSL_CIPHER_PARAM_AEAD_TAG.
  • Fix AES-GCM TLS fixed-IV length validation to reject oversized fixed-IV lengths (including those exceeding the configured IV length).
  • Add new unit tests covering oversized GCM TLS fixed-IV inputs and undersized tag-length rejection for both GCM and CCM.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
test/unit.h Declares new GCM/CCM regression tests.
test/unit.c Registers the new tests in the unit test suite.
test/test_aestag.c Implements new test cases for oversized TLS fixed-IV and undersized tag length rejection.
src/wp_aes_aead.c Adds tag-length validation helper and tightens GCM TLS fixed-IV length checks.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/wp_aes_aead.c
Comment thread test/test_aestag.c Outdated
@gasbytes gasbytes force-pushed the wp-aes-aead-fixes branch from aececf4 to 4f8d057 Compare June 25, 2026 17:03
@gasbytes gasbytes marked this pull request as ready for review June 25, 2026 17:18
@gasbytes gasbytes assigned ColtonWilley and unassigned gasbytes Jun 25, 2026
@gasbytes gasbytes requested a review from ColtonWilley June 25, 2026 18:16

@ColtonWilley ColtonWilley left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Code Review

Scan type: reviewOverall recommendation: COMMENT
Findings: 4 total — 4 posted, 0 skipped
4 finding(s) posted as inline comments (see file-level comments below)

Posted findings

  • [Medium] GCM tag-length validation is stricter than OpenSSL on decrypt (interop divergence)src/wp_aes_aead.c:473-490, 522
  • [Medium] New validation paths only partially exercised by teststest/test_aestag.c:1474-1485, 1559-1570, 1847-1858
  • [Low] New helper omits WOLFPROV_ENTER/LEAVE tracing used by sibling functionssrc/wp_aes_aead.c:473-490
  • [Low] Undersized-tag tests perform an unnecessary full encrypt preambletest/test_aestag.c:1511-1535, 1779-1820

Review generated by Skoll

Comment thread src/wp_aes_aead.c
Comment thread test/test_aestag.c Outdated
Comment thread src/wp_aes_aead.c
Comment thread test/test_aestag.c Outdated
…er than the iv buffer

- validate aead tag length against algorithm's allowed sizes (gcm/ccm)
@gasbytes gasbytes force-pushed the wp-aes-aead-fixes branch from 4f8d057 to 26827e9 Compare July 9, 2026 13:02

@aidangarske aidangarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐺 Skoll Code Review

Overall recommendation: REQUEST_CHANGES
Findings: 1 total — 1 posted, 0 skipped

Posted findings

  • [High] Tag length validation is bypassed when retrieving AEAD tagssrc/wp_aes_aead.c:522

Review generated by Skoll.

Comment thread src/wp_aes_aead.c
@@ -488,6 +529,9 @@ static int wp_aead_set_param_tag(wp_AeadCtx* ctx,
if (ok && ((sz == 0) || ((p->data != NULL) && ctx->enc))) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [High] Tag length validation is bypassed when retrieving AEAD tags
🚫 BLOCK

The PR adds wp_aead_tag_len_valid() and wires it only into the set-tag path. For encryption, applications choose the returned tag length through EVP_CTRL_AEAD_GET_TAG, which goes through wp_aead_get_ctx_params() and still accepts any nonzero sz <= ctx->tagLen. After a normal GCM encrypt, a caller can still request a 1-byte tag and the provider will return it, even though this PR is intended to reject tag sizes outside the algorithm's allowed set. The new tests only exercise EVP_CTRL_AEAD_SET_TAG on decrypt, so this public API path remains uncovered.

Recommendation: Apply wp_aead_tag_len_valid(ctx->mode, sz) in wp_aead_get_ctx_params() when handling OSSL_CIPHER_PARAM_AEAD_TAG, then extend the new tag-length tests to cover the get-tag/encryption path. Add regression tests that EVP_CTRL_AEAD_GET_TAG rejects invalid lengths such as 1, 5, and 11 bytes while accepting allowed lengths.

@ColtonWilley ColtonWilley added the ci:all PR OSP toggle: run all label Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci:all PR OSP toggle: run all

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants