nettle: check nonce length in aead_{encrypt,decrypt}
authorDaiki Ueno <ueno@gnu.org>
Thu, 20 Jul 2023 06:49:30 +0000 (08:49 +0200)
committerDaiki Ueno <ueno@gnu.org>
Thu, 20 Jul 2023 06:55:22 +0000 (08:55 +0200)
This adds a missing check on the maximum IV length in aead_encrypt and
aead_decrypt, to the Nettle crypto backend.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
lib/nettle/cipher.c

index 46e1277dd26c02160bbc0762b0ccaacb589c4883..32e75356fc929e586a373e7fd513cf74ffea4c77 100644 (file)
@@ -1291,9 +1291,18 @@ static int wrap_nettle_cipher_aead_encrypt(void *_ctx, const void *nonce,
 
        if (ctx->cipher->aead_encrypt == NULL) {
                /* proper AEAD cipher */
+               unsigned max_iv;
+
                if (encr_size < plain_size + tag_size)
                        return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
+               max_iv = ctx->cipher->max_iv_size;
+               if (max_iv == 0)
+                       max_iv = MAX_CIPHER_BLOCK_SIZE;
+
+               if (nonce_size > max_iv)
+                       return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
                ctx->cipher->set_iv(ctx->ctx_ptr, nonce_size, nonce);
                ctx->cipher->auth(ctx->ctx_ptr, auth_size, auth);
 
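Review bot: The fallback `max_iv = MAX_CIPHER_BLOCK_SIZE` for ciphers whose `max_iv_size` is 0 has no comment, and the new bound is only as good as the assumption that every such cipher's `set_iv` can safely take a nonce of that length; nothing in the hunk shows that. I would add `/* max_iv_size unset: bound by the largest block size; set_iv must cope with nonces up to this length */` above the fallback and confirm it against the cipher table. The identical lines in the wrap_nettle_cipher_aead_decrypt hunk need the same comment. The guard also sits only inside the `aead_encrypt == NULL` branch, and the other branch lies outside the hunk, so whether ciphers with a dedicated AEAD callback validate `nonce_size` cannot be told from here.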
@@ -1360,6 +1369,14 @@ static int wrap_nettle_cipher_aead_decrypt(void *_ctx, const void *nonce,
        if (ctx->cipher->aead_decrypt == NULL) {
                /* proper AEAD cipher */
                uint8_t tag[MAX_HASH_SIZE];
+               unsigned max_iv;
+
+               max_iv = ctx->cipher->max_iv_size;
+               if (max_iv == 0)
+                       max_iv = MAX_CIPHER_BLOCK_SIZE;
+
+               if (nonce_size > max_iv)
+                       return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
                ctx->cipher->set_iv(ctx->ctx_ptr, nonce_size, nonce);
                ctx->cipher->auth(ctx->ctx_ptr, auth_size, auth);
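Review bot: The lines that compute `max_iv` and reject an oversized nonce are a verbatim copy of the ones added to wrap_nettle_cipher_aead_encrypt, so any later change to the bound has to be made in two places, and a missed one leaves one direction unchecked. A small static helper returning the effective limit would reduce each call site to `if (nonce_size > max_iv_for(ctx->cipher)) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);`, where the helper name is only a suggestion. The function body continues outside the hunk.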