fix GCM tls iv length check and aead tag length validation#416
Conversation
There was a problem hiding this comment.
Pull request overview
This PR tightens AES-GCM/TLS fixed-IV handling and AEAD tag-length validation in wp_aes_aead.c, and adds unit tests to prevent regressions around oversized fixed-IV inputs and undersized authentication tags.
Changes:
- Add
wp_aead_tag_len_valid()and enforce algorithm-specific allowed tag sizes for GCM and CCM when settingOSSL_CIPHER_PARAM_AEAD_TAG. - Fix AES-GCM TLS fixed-IV length validation to reject oversized fixed-IV lengths (including those exceeding the configured IV length).
- Add new unit tests covering oversized GCM TLS fixed-IV inputs and undersized tag-length rejection for both GCM and CCM.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| test/unit.h | Declares new GCM/CCM regression tests. |
| test/unit.c | Registers the new tests in the unit test suite. |
| test/test_aestag.c | Implements new test cases for oversized TLS fixed-IV and undersized tag length rejection. |
| src/wp_aes_aead.c | Adds tag-length validation helper and tightens GCM TLS fixed-IV length checks. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
aececf4 to
4f8d057
Compare
ColtonWilley
left a comment
There was a problem hiding this comment.
Skoll Code Review
Scan type: reviewOverall recommendation: COMMENT
Findings: 4 total — 4 posted, 0 skipped
4 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [Medium] GCM tag-length validation is stricter than OpenSSL on decrypt (interop divergence) —
src/wp_aes_aead.c:473-490, 522 - [Medium] New validation paths only partially exercised by tests —
test/test_aestag.c:1474-1485, 1559-1570, 1847-1858 - [Low] New helper omits WOLFPROV_ENTER/LEAVE tracing used by sibling functions —
src/wp_aes_aead.c:473-490 - [Low] Undersized-tag tests perform an unnecessary full encrypt preamble —
test/test_aestag.c:1511-1535, 1779-1820
Review generated by Skoll
…er than the iv buffer - validate aead tag length against algorithm's allowed sizes (gcm/ccm)
4f8d057 to
26827e9
Compare
aidangarske
left a comment
There was a problem hiding this comment.
🐺 Skoll Code Review
Overall recommendation: REQUEST_CHANGES
Findings: 1 total — 1 posted, 0 skipped
Posted findings
- [High] Tag length validation is bypassed when retrieving AEAD tags —
src/wp_aes_aead.c:522
Review generated by Skoll.
| @@ -488,6 +529,9 @@ static int wp_aead_set_param_tag(wp_AeadCtx* ctx, | |||
| if (ok && ((sz == 0) || ((p->data != NULL) && ctx->enc))) { | |||
There was a problem hiding this comment.
🟠 [High] Tag length validation is bypassed when retrieving AEAD tags
🚫 BLOCK
The PR adds wp_aead_tag_len_valid() and wires it only into the set-tag path. For encryption, applications choose the returned tag length through EVP_CTRL_AEAD_GET_TAG, which goes through wp_aead_get_ctx_params() and still accepts any nonzero sz <= ctx->tagLen. After a normal GCM encrypt, a caller can still request a 1-byte tag and the provider will return it, even though this PR is intended to reject tag sizes outside the algorithm's allowed set. The new tests only exercise EVP_CTRL_AEAD_SET_TAG on decrypt, so this public API path remains uncovered.
Recommendation: Apply wp_aead_tag_len_valid(ctx->mode, sz) in wp_aead_get_ctx_params() when handling OSSL_CIPHER_PARAM_AEAD_TAG, then extend the new tag-length tests to cover the get-tag/encryption path. Add regression tests that EVP_CTRL_AEAD_GET_TAG rejects invalid lengths such as 1, 5, and 11 bytes while accepting allowed lengths.
Fixes the gcm tls fixed-iv length check to properly reject oversized inputs and adds tag length validation against each algorithm's allowed sizes for GCM and CCM, in particular this last one was wrapped in a new function called wp_aead_tag_len_valid.