[release-branch.go1.14] crypto/cipher: require non-zero nonce size for AES-GCM

katiehockman · dmitshur · commit f63e55b54171 · 2020-02-24T20:07:06.000Z
Also fix typo in crypto/cipher/gcm_test.go. Updates #37118 Fixes #37416 Change-Id: I8544d1eeeb1f0336cebb977b8c5bfa5e4c5ad8c7 Reviewed-on: https://go-review.googlesource.com/c/go/+/218500 Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> (cherry picked from commit 4e8badb) Reviewed-on: https://go-review.googlesource.com/c/go/+/220651 Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org>
diff --git a/src/crypto/cipher/gcm.go b/src/crypto/cipher/gcm.go
@@ -86,7 +86,8 @@ func NewGCM(cipher Block) (AEAD, error) {
 }
 
 // NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois
-// Counter Mode, which accepts nonces of the given length.
+// Counter Mode, which accepts nonces of the given length. The length must not
+// be zero.
 //
 // Only use this function if you require compatibility with an existing
 // cryptosystem that uses non-standard nonce lengths. All other users should use
@@ -112,6 +113,10 @@ func newGCMWithNonceAndTagSize(cipher Block, nonceSize, tagSize int) (AEAD, erro
 		return nil, errors.New("cipher: incorrect tag size given to GCM")
 	}
 
+	if nonceSize <= 0 {
+		return nil, errors.New("cipher: the nonce can't have zero length, or the security of the key will be immediately compromised")
+	}
+
 	if cipher, ok := cipher.(gcmAble); ok {
 		return cipher.NewGCM(nonceSize, tagSize)
 	}
diff --git a/src/crypto/cipher/gcm_test.go b/src/crypto/cipher/gcm_test.go
@@ -217,6 +217,13 @@ var aesGCMTests = []struct {
 		"2b9680b886b3efb7c6354b38c63b5373",
 		"e2b7e5ed5ff27fc8664148f5a628a46dcbf2015184fffb82f2651c36",
 	},
+	{
+		"11754cd72aec309bf52f7687212e8957",
+		"",
+		"",
+		"",
+		"250327c674aaf477aef2675748cf6971",
+	},
 }
 
 func TestAESGCM(t *testing.T) {
@@ -234,14 +241,22 @@ func TestAESGCM(t *testing.T) {
 
 		var aesgcm cipher.AEAD
 		switch {
-		// Handle non-standard nonce sizes
+		// Handle non-standard tag sizes
 		case tagSize != 16:
 			aesgcm, err = cipher.NewGCMWithTagSize(aes, tagSize)
 			if err != nil {
 				t.Fatal(err)
 			}
 
-		// Handle non-standard tag sizes
+		// Handle 0 nonce size (expect error and continue)
+		case len(nonce) == 0:
+			aesgcm, err = cipher.NewGCMWithNonceSize(aes, 0)
+			if err == nil {
+				t.Fatal("expected error for zero nonce size")
+			}
+			continue
+
+		// Handle non-standard nonce sizes
 		case len(nonce) != 12:
 			aesgcm, err = cipher.NewGCMWithNonceSize(aes, len(nonce))
 			if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,8 @@ func NewGCM(cipher Block) (AEAD, error) {`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`// NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois`
`89`		`-// Counter Mode, which accepts nonces of the given length.`
	`89`	`+// Counter Mode, which accepts nonces of the given length. The length must not`
	`90`	`+// be zero.`
`90`	`91`	`//`
`91`	`92`	`// Only use this function if you require compatibility with an existing`
`92`	`93`	`// cryptosystem that uses non-standard nonce lengths. All other users should use`
`@@ -112,6 +113,10 @@ func newGCMWithNonceAndTagSize(cipher Block, nonceSize, tagSize int) (AEAD, erro`
`112`	`113`	`return nil, errors.New("cipher: incorrect tag size given to GCM")`
`113`	`114`	`}`
`114`	`115`
	`116`	`+ if nonceSize <= 0 {`
	`117`	`+ return nil, errors.New("cipher: the nonce can't have zero length, or the security of the key will be immediately compromised")`
	`118`	`+ }`
	`119`	`+`
`115`	`120`	`if cipher, ok := cipher.(gcmAble); ok {`
`116`	`121`	`return cipher.NewGCM(nonceSize, tagSize)`
`117`	`122`	`}`