diff options
| author | Adam Langley <agl@golang.org> | 2016-09-01 16:00:25 -0700 |
|---|---|---|
| committer | Adam Langley <agl@golang.org> | 2016-09-02 16:23:15 +0000 |
| commit | 210ac4d5e0fea2bfd4287b0865104bdaaeaffe05 (patch) | |
| tree | 19241ed2fc2df67ec806d20021a48bc668caee9a /src | |
| parent | 03cff2e115277951108d3e00298ae1cb0b0b7fb6 (diff) | |
| download | go-210ac4d5e0fea2bfd4287b0865104bdaaeaffe05.tar.xz | |
crypto/cipher: enforce message size limits for GCM.
The maximum input plaintext for GCM is 64GiB - 64. Since the GCM
interface is one-shot, it's very hard to hit this in Go (one would need
a 64GiB buffer in memory), but we should still enforce this limit.
Thanks to Quan Nguyen for pointing it out.
Change-Id: Icced47bf8d4d5dfbefa165cf13e893205c9577b8
Reviewed-on: https://go-review.googlesource.com/28410
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/crypto/aes/aes_gcm.go | 7 | ||||
| -rw-r--r-- | src/crypto/cipher/gcm.go | 8 |
2 files changed, 15 insertions, 0 deletions
diff --git a/src/crypto/aes/aes_gcm.go b/src/crypto/aes/aes_gcm.go index a894a68293..5e2de02710 100644 --- a/src/crypto/aes/aes_gcm.go +++ b/src/crypto/aes/aes_gcm.go @@ -99,6 +99,9 @@ func (g *gcmAsm) Seal(dst, nonce, plaintext, data []byte) []byte { if len(nonce) != g.nonceSize { panic("cipher: incorrect nonce length given to GCM") } + if uint64(len(plaintext)) > ((1<<32)-2)*BlockSize { + panic("cipher: message too large for GCM") + } var counter, tagMask [gcmBlockSize]byte @@ -137,6 +140,10 @@ func (g *gcmAsm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { if len(ciphertext) < gcmTagSize { return nil, errOpen } + if uint64(len(ciphertext)) > ((1<<32)-2)*BlockSize+gcmTagSize { + return nil, errOpen + } + tag := ciphertext[len(ciphertext)-gcmTagSize:] ciphertext = ciphertext[:len(ciphertext)-gcmTagSize] diff --git a/src/crypto/cipher/gcm.go b/src/crypto/cipher/gcm.go index 3868d7123a..cfc5769a80 100644 --- a/src/crypto/cipher/gcm.go +++ b/src/crypto/cipher/gcm.go @@ -135,6 +135,10 @@ func (g *gcm) Seal(dst, nonce, plaintext, data []byte) []byte { if len(nonce) != g.nonceSize { panic("cipher: incorrect nonce length given to GCM") } + if uint64(len(plaintext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize()) { + panic("cipher: message too large for GCM") + } + ret, out := sliceForAppend(dst, len(plaintext)+gcmTagSize) var counter, tagMask [gcmBlockSize]byte @@ -159,6 +163,10 @@ func (g *gcm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { if len(ciphertext) < gcmTagSize { return nil, errOpen } + if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+gcmTagSize { + return nil, errOpen + } + tag := ciphertext[len(ciphertext)-gcmTagSize:] ciphertext = ciphertext[:len(ciphertext)-gcmTagSize] |