Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/cipher: NewGCMWithNonceSize allows zero-length nonce #37118

Closed
katiehockman opened this issue Feb 7, 2020 · 10 comments
Closed

crypto/cipher: NewGCMWithNonceSize allows zero-length nonce #37118

katiehockman opened this issue Feb 7, 2020 · 10 comments
Assignees
Labels
Milestone

Comments

@katiehockman
Copy link
Member

@katiehockman katiehockman commented Feb 7, 2020

cipher.NewGCMWithNonceSize allows for any nonce size, including one that is zero length. This is not allowed by NIST SP 800-38D and encrypting with such an IV leaks the authentication key.

NIST SP 800-38D:

The bit lengths of the input strings to the authenticated encryption function shall meet the
following requirements:
...
1 ≤ len(IV) ≤ 264-1

Allowing a zero-length nonce opens the package up to misuse, and there is never a valid reason to do this. It could be argued that cipher.NewGCMWithNonceSize isn't meant to be as safe, and the recommended approach is to use cipher.NewGCM, however this is a hardening measure that has no negative side effects, in my opinion.

cipher.NewGCMWithNonceSize docs:

Only use this function if you require compatibility with an existing cryptosystem that uses non-standard nonce lengths. All other users should use NewGCM, which is faster and more resistant to misuse.

/cc @FiloSottile

@katiehockman katiehockman added this to the Go1.15 milestone Feb 7, 2020
@katiehockman

This comment has been minimized.

Copy link
Member Author

@katiehockman katiehockman commented Feb 7, 2020

@FiloSottile suggested that we backport this fix as well.

@katiehockman katiehockman self-assigned this Feb 7, 2020
@katiehockman katiehockman added NeedsFix and removed NeedsDecision labels Feb 7, 2020
@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Feb 7, 2020

Change https://golang.org/cl/218500 mentions this issue: crypto/cipher: require non-zero nonce size for NewGCMWithNonceSize

@gopherbot gopherbot closed this in 4e8badb Feb 24, 2020
@networkimprov

This comment has been minimized.

Copy link

@networkimprov networkimprov commented Feb 24, 2020

@gopherbot please open backport, at suggestion of @FiloSottile.

@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Feb 24, 2020

Backport issue(s) opened: #37416 (for 1.14), #37417 (for 1.13), #37418 (for 1.12).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

@networkimprov

This comment has been minimized.

Copy link

@networkimprov networkimprov commented Feb 24, 2020

@dmitshur, also needs 1.14 backport...

@dmitshur

This comment has been minimized.

Copy link
Member

@dmitshur dmitshur commented Feb 24, 2020

I'll repurpose the 1.12 one. It won't be getting this backport because 1.14 will be out by then, so it'll be too old.

@networkimprov

This comment has been minimized.

Copy link

@networkimprov networkimprov commented Feb 24, 2020

Backport issue for 1.12 is now #37418

@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Feb 24, 2020

Change https://golang.org/cl/220651 mentions this issue: [release-branch.go1.14] crypto/cipher: require non-zero nonce size for AES-GCM

gopherbot pushed a commit that referenced this issue Feb 24, 2020
…r AES-GCM

Also fix typo in crypto/cipher/gcm_test.go.

Updates #37118
Fixes #37416

Change-Id: I8544d1eeeb1f0336cebb977b8c5bfa5e4c5ad8c7
Reviewed-on: https://go-review.googlesource.com/c/go/+/218500
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit 4e8badb)
Reviewed-on: https://go-review.googlesource.com/c/go/+/220651
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Feb 24, 2020

Change https://golang.org/cl/220653 mentions this issue: [release-branch.go1.13] crypto/cipher: require non-zero nonce size for AES-GCM

@dmitshur

This comment has been minimized.

Copy link
Member

@dmitshur dmitshur commented Feb 25, 2020

/cc @dunhamsteve FYI.

gopherbot pushed a commit that referenced this issue Feb 26, 2020
…r AES-GCM

Also fix typo in crypto/cipher/gcm_test.go.

Updates #37118
Fixes #37417

Change-Id: I8544d1eeeb1f0336cebb977b8c5bfa5e4c5ad8c7
Reviewed-on: https://go-review.googlesource.com/c/go/+/218500
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit 4e8badb)
Reviewed-on: https://go-review.googlesource.com/c/go/+/220653
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.