Harden AEAD and IES modes, PEM writer, and GCM/CCM parameter handling #124

Merged: Xor-el merged 4 commits into master from enhancement/some-refactorings on Jun 30, 2026
Conversation

@Xor-el Xor-el commented Jun 30, 2026


Summary

This PR bundles four related crypto-library improvements: GCM/CCM ASN.1 parameter decoding and key generation, AEAD nonce-reuse guards and test harness expansion, IES stream-mode KDF hardening with PEM header injection prevention, and a small test cleanup.

Changes

GCM/CCM parameter handling and key generation

  • ParameterUtilities decodes GCM/CCM ASN.1 parameters into AeadParameters via AES OID stem matching
  • Asn1CipherBuilderWithKey uses GeneratorUtilities, honors keySize, and registers GCM/CCM OIDs for key generation
  • Adds AES-CCM NIST OIDs
  • Deprecates CipherKeyGeneratorFactory
  • Adds Asn1CipherBuilderWithKeyTests and ParameterUtilitiesTests

AEAD hardening (EAX, OCB, CCM)

  • Expands AeadTestUtilities with TestReset, TestOutputSizes, and TestBufferSizeChecks so EAX, OCB, and CCM share the same AEAD test harness used elsewhere
  • EAX and OCB reject encryption re-initialization when the same nonce is reused with an unchanged or explicitly reused key (matching the existing GCM guard)
  • ParametersWithIV init paths reject non-key inner parameters when a key is supplied
  • OCB reset no longer clears the L subkey table; the table is rebuilt only on successful init after the nonce guard passes
  • CCM decrypt verifies the MAC against plaintext in a private buffer and only copies to caller output after authentication succeeds, avoiding exposure of unverified plaintext on tag failure
  • OCB failure messages use GetMac() consistently

IES engine and PEM writer

  • Fixes a cross-message MAC forgery in static-key stream IES by always deriving the MAC key from a fixed KDF prefix and the keystream from the remainder
  • Verifies the MAC before block-cipher DoFinal to avoid distinguishable padding failures (CBC padding-oracle mitigation)
  • Aligns the invalid-MAC message in both IES engines ("Invalid MAC.")
  • Documents the static-key many-time-pad risk on stream-mode init
  • Rejects PEM header names and values containing CR/LF on write to prevent header injection
  • Adds ECIES forgery regression coverage, updates the stream static vector, and adds TestHeaderLineBreakRejected

Xor-el added 4 commits June 30, 2026 14:38
…ey generation

- ParameterUtilities now decodes GCM/CCM ASN.1 parameters into AeadParameters via AES OID stem matching. Asn1CipherBuilderWithKey uses GeneratorUtilities, honors keySize, and registers GCM/CCM OIDs for key generation. Includes AES-CCM NIST OIDs, deprecates CipherKeyGeneratorFactory, and adds tests.
…ded tests

Expand AeadTestUtilities with TestReset, TestOutputSizes, and
TestBufferSizeChecks so EAX, OCB, and CCM share the same AEAD test
harness used elsewhere in the suite.

EAX and OCB now reject encryption re-initialization when the same
nonce is reused with an unchanged or explicitly reused key, matching
the existing GCM guard. ParametersWithIV init paths also reject
non-key inner parameters when a key is supplied.

OCB reset no longer clears the L subkey table; the table is rebuilt
only on successful init after the nonce guard passes.

CCM decrypt verifies the MAC against plaintext held in a private buffer
and only copies to the caller output after authentication succeeds,
avoiding exposure of unverified plaintext on tag failure.

Tests cover nonce-reuse rejection, AEAD reset/output-size/buffer checks,
CCM boundary limits, fresh cipher instances where re-init would fail,
CCM offset handling, and unverified-plaintext-on-failure behavior.
OCB failure messages use GetMac() consistently.
Fix a cross-message MAC forgery in static-key stream IES by always
deriving the MAC key from a fixed KDF prefix and the keystream from the
remainder, instead of the legacy message-length-dependent layout. Verify
the MAC before block-cipher DoFinal to avoid distinguishable padding
failures, align the invalid-MAC message in both IES engines, and document
the static-key many-time-pad risk.
Reject PEM header names and values containing CR/LF on write to prevent
header injection.
Add ECIES forgery regression coverage, update the stream static vector,
and add a PEM writer test for rejected header line breaks.
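As an added example (not code from this PR or the library it patches), this sketches the KDF-output layout that the description and the IES commit message above refer to: the legacy split places the MAC key after a message-length-dependent keystream, the hardened split takes it from a fixed prefix, and a defender's check shows why that matters when the key is static; decrypt also verifies the MAC before the ciphertext is used, mirroring the verify-before-DoFinal change. The KDF2-style counter hash, the 32-byte HMAC-SHA256 key and the shared secret are constructed assumptions.

```python
import hashlib
import hmac

MAC_KEY_LEN = 32  # HMAC-SHA256 key and tag length (constructed choice)

def kdf2(shared_secret: bytes, length: int) -> bytes:
    """Counter-mode hash KDF in the KDF2 style: SHA256(Z || counter), counter = 1, 2, ..."""
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.sha256(shared_secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def split_legacy(z: bytes, msg_len: int) -> tuple[bytes, bytes]:
    """Legacy layout: keystream first, MAC key after it, so the MAC key's
    position in the KDF output depends on the message length."""
    k = kdf2(z, msg_len + MAC_KEY_LEN)
    return k[:msg_len], k[msg_len:]

def split_fixed(z: bytes, msg_len: int) -> tuple[bytes, bytes]:
    """Hardened layout: MAC key from a fixed prefix, keystream from the remainder."""
    k = kdf2(z, MAC_KEY_LEN + msg_len)
    return k[MAC_KEY_LEN:], k[:MAC_KEY_LEN]

def mac_key_covered_by_longer_keystream(split, z: bytes, short_len: int, long_len: int) -> bool:
    """With a static key (same Z for every message): does the MAC key protecting a
    short message lie inside the keystream of a longer message? True means the MAC
    key is not independent of key material another message already consumed."""
    _, short_mac_key = split(z, short_len)
    long_keystream, _ = split(z, long_len)
    return short_mac_key in long_keystream

def encrypt(z: bytes, plaintext: bytes) -> bytes:
    # Note: with a static Z the keystream repeats across messages (the many-time-pad risk).
    keystream, mac_key = split_fixed(z, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def decrypt(z: bytes, blob: bytes) -> bytes:
    """Verify the MAC first; only an authenticated ciphertext is ever decrypted."""
    if len(blob) < MAC_KEY_LEN:
        raise ValueError("Invalid MAC.")
    ct, tag = blob[:-MAC_KEY_LEN], blob[-MAC_KEY_LEN:]
    keystream, mac_key = split_fixed(z, len(ct))
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("Invalid MAC.")
    return bytes(c ^ k for c, k in zip(ct, keystream))
```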
@Xor-el Xor-el merged commit f1fc80f into master Jun 30, 2026
24 checks passed
@Xor-el Xor-el deleted the enhancement/some-refactorings branch June 30, 2026 18:18
