cipher: add restriction on CCM tag length under FIPS mode

This change prohibits any use of tag length other than 4, 6, 8, 10, 12, 14, and 16 bytes in CCM used under FIPS mode, in accordance with SP800-38C A.1. While use of tag lengths smaller than 8 bytes is not recommended, we simply allow 4 and 6 bytes tags for now. Signed-off-by: Daiki Ueno <ueno@gnu.org>
author: Daiki Ueno <ueno@gnu.org> 2022-10-21 15:48:39 +0900
committer: Daiki Ueno <ueno@gnu.org> 2022-10-25 08:59:23 +0900
commit: 26b2caef673aba8bfd10db3b1b8117f941c18e58 (patch)
tree: 41611802e54080f794b3af46b5b45d48258d0eaa /lib/accelerated
parent: acc7a7a0492f0153a61e510f45f3a55175e404d7 (diff)
download: gnutls-26b2caef673aba8bfd10db3b1b8117f941c18e58.tar.gz
2 files changed, 78 insertions, 0 deletions
diff --git a/lib/accelerated/aarch64/aes-ccm-aarch64.c b/lib/accelerated/aarch64/aes-ccm-aarch64.c
index a2ba259e99..b415d4ddfb 100644
--- a/lib/accelerated/aarch64/aes-ccm-aarch64.c
+++ b/lib/accelerated/aarch64/aes-ccm-aarch64.c
@@ -36,6 +36,7 @@
 #include <byteswap.h>
 #include <nettle/ccm.h>
 #include <aes-aarch64.h>
+#include <fips.h>
 
 typedef struct ccm_aarch64_aes_ctx {
 	AES_KEY key;
@@ -103,6 +104,25 @@ aes_ccm_aead_encrypt(void *_ctx,
 	if (unlikely(encr_size < plain_size + tag_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
+	/* SP800-38C A.1 says Tlen must be a multiple of 16 between 32
+	 * and 128.
+	 */
+	switch (tag_size) {
+	case 4: case 6:
+		/* SP800-38C B.2 says Tlen smaller than 64 should not be used
+		 * under sufficient restriction. We simply allow those for now.
+		 */
+		FALLTHROUGH;
+	case 8: case 10: case 12: case 14: case 16:
+		break;
+	default:
+		if (_gnutls_fips_mode_enabled()) {
+			_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+		}
+		break;
+	}
+
 	ccm_encrypt_message(&ctx->key, aarch64_aes_encrypt,
 			    nonce_size, nonce,
 			    auth_size, auth,
@@ -129,6 +149,25 @@ aes_ccm_aead_decrypt(void *_ctx,
 	if (unlikely(plain_size < encr_size - tag_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
+	/* SP800-38C A.1 says Tlen must be a multiple of 16 between 32
+	 * and 128.
+	 */
+	switch (tag_size) {
+	case 4: case 6:
+		/* SP800-38C B.2 says Tlen smaller than 64 should not be used
+		 * under sufficient restriction. We simply allow those for now.
+		 */
+		FALLTHROUGH;
+	case 8: case 10: case 12: case 14: case 16:
+		break;
+	default:
+		if (_gnutls_fips_mode_enabled()) {
+			_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+		}
+		break;
+	}
+
 	ret = ccm_decrypt_message(&ctx->key, aarch64_aes_encrypt,
 				  nonce_size, nonce,
 				  auth_size, auth,
diff --git a/lib/accelerated/x86/aes-ccm-x86-aesni.c b/lib/accelerated/x86/aes-ccm-x86-aesni.c
index 701c0f992a..9ebbdd7b2a 100644
--- a/lib/accelerated/x86/aes-ccm-x86-aesni.c
+++ b/lib/accelerated/x86/aes-ccm-x86-aesni.c
@@ -37,6 +37,7 @@
 #include <byteswap.h>
 #include <nettle/ccm.h>
 #include <aes-x86.h>
+#include <fips.h>
 
 typedef struct ccm_x86_aes_ctx {
 	AES_KEY key;
@@ -95,6 +96,25 @@ aes_ccm_aead_encrypt(void *_ctx,
 	if (unlikely(encr_size < plain_size + tag_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
+	/* SP800-38C A.1 says Tlen must be a multiple of 16 between 32
+	 * and 128.
+	 */
+	switch (tag_size) {
+	case 4: case 6:
+		/* SP800-38C B.2 says Tlen smaller than 64 should not be used
+		 * under sufficient restriction. We simply allow those for now.
+		 */
+		FALLTHROUGH;
+	case 8: case 10: case 12: case 14: case 16:
+		break;
+	default:
+		if (_gnutls_fips_mode_enabled()) {
+			_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+		}
+		break;
+	}
+
 	ccm_encrypt_message(&ctx->key, x86_aes_encrypt,
 			    nonce_size, nonce,
 			    auth_size, auth,
@@ -121,6 +141,25 @@ aes_ccm_aead_decrypt(void *_ctx,
 	if (unlikely(plain_size < encr_size - tag_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
+	/* SP800-38C A.1 says Tlen must be a multiple of 16 between 32
+	 * and 128.
+	 */
+	switch (tag_size) {
+	case 4: case 6:
+		/* SP800-38C B.2 says Tlen smaller than 64 should not be used
+		 * under sufficient restriction. We simply allow those for now.
+		 */
+		FALLTHROUGH;
+	case 8: case 10: case 12: case 14: case 16:
+		break;
+	default:
+		if (_gnutls_fips_mode_enabled()) {
+			_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+		}
+		break;
+	}
+
 	ret = ccm_decrypt_message(&ctx->key, x86_aes_encrypt,
 				  nonce_size, nonce,
 				  auth_size, auth,
author	Daiki Ueno <ueno@gnu.org>	2022-10-21 15:48:39 +0900
committer	Daiki Ueno <ueno@gnu.org>	2022-10-25 08:59:23 +0900
commit	26b2caef673aba8bfd10db3b1b8117f941c18e58 (patch)
tree	41611802e54080f794b3af46b5b45d48258d0eaa /lib/accelerated
parent	acc7a7a0492f0153a61e510f45f3a55175e404d7 (diff)
download	gnutls-26b2caef673aba8bfd10db3b1b8117f941c18e58.tar.gz