File nss-GCM-ctr.patch of Package mozilla-nss.6304

NIST SP-800-38D specifies, that GCM is not safe after 2^39 - 256 bits with the
same IV. Return error, should this limit be reached.

bmo#1053127
bnc#892530

diff --git a/nss/lib/freebl/gcm.c b/nss/lib/freebl/gcm.c
index 2212100..cf8e027 100644
--- a/nss/lib/freebl/gcm.c
+++ b/nss/lib/freebl/gcm.c
@@ -605,9 +605,15 @@ struct GCMContextStr {
     gcmHashContext ghash_context;
     CTRContext ctr_context;
     unsigned long tagBits;
+    unsigned long long gcm_iv_bytes;
     unsigned char tagKey[MAX_BLOCK_SIZE];
 };
 
+/* NIST SP-800-38D limits the use of GCM with a single IV to 2^39 - 256
+ * bits which translates to 2^32 - 2 128bit blocks or 2^36 - 32 bytes
+ */
+#define MAX_GCM_BYTES_PER_IV    ((1ULL << 36) - 32)
+
 GCMContext *
 GCM_CreateContext(void *context, freeblCipherFunc cipher,
                   const unsigned char *params, unsigned int blocksize)
@@ -677,6 +683,8 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher,
         goto loser;
     }
 
+    gcm->gcm_iv_bytes = MAX_GCM_BYTES_PER_IV;
+
     /* finally mix in the AAD data */
     rv = gcmHash_Reset(ghash, gcmParams->pAAD, gcmParams->ulAADLen, blocksize);
     if (rv != SECSuccess) {
@@ -772,6 +780,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsigned char *outbuf,
     unsigned int tagBytes;
     unsigned int len;
 
+    /* bail out if this invocation requests processing more than what is
+     * considered to be a safe limit */
+    if (gcm->gcm_iv_bytes < (unsigned long long)inlen) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+
     tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
     if (UINT_MAX - inlen < tagBytes) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
@@ -800,6 +815,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsigned char *outbuf,
         *outlen = 0;
         return SECFailure;
     };
+    gcm->gcm_iv_bytes -= inlen;
     *outlen += len;
     return SECSuccess;
 }
openSUSE Build Service is sponsored by