Harden AEAD and IES modes, PEM writer, and GCM/CCM parameter handling#124
Merged
…ey generation - ParameterUtilities now decodes GCM/CCM ASN.1 parameters into AeadParameters via AES OID stem matching. Asn1CipherBuilderWithKey uses GeneratorUtilities, honors keySize, and registers GCM/CCM OIDs for key generation. Includes AES-CCM NIST OIDs, deprecates CipherKeyGeneratorFactory, and adds tests.
…ded tests

Expand AeadTestUtilities with TestReset, TestOutputSizes, and TestBufferSizeChecks so EAX, OCB, and CCM share the same AEAD test harness used elsewhere in the suite. EAX and OCB now reject encryption re-initialization when the same nonce is reused with an unchanged or explicitly reused key, matching the existing GCM guard. ParametersWithIV init paths also reject non-key inner parameters when a key is supplied. OCB reset no longer clears the L subkey table; the table is rebuilt only on successful init after the nonce guard passes. CCM decrypt verifies the MAC against plaintext held in a private buffer and only copies to the caller output after authentication succeeds, avoiding exposure of unverified plaintext on tag failure. Tests cover nonce-reuse rejection, AEAD reset/output-size/buffer checks, CCM boundary limits, fresh cipher instances where re-init would fail, CCM offset handling, and unverified-plaintext-on-failure behavior. OCB failure messages use GetMac() consistently.
Fix a cross-message MAC forgery in static-key stream IES by always deriving the MAC key from a fixed KDF prefix and the keystream from the remainder, instead of the legacy message-length-dependent layout. Verify the MAC before block-cipher DoFinal to avoid distinguishable padding failures, align the invalid-MAC message in both IES engines, and document the static-key many-time-pad risk. Reject PEM header names and values containing CR/LF on write to prevent header injection. Add ECIES forgery regression coverage, update the stream static vector, and add a PEM writer test for rejected header line breaks.
Summary
This PR bundles four related crypto-library improvements: GCM/CCM ASN.1 parameter decoding and key generation, AEAD nonce-reuse guards and test harness expansion, IES stream-mode KDF hardening with PEM header injection prevention, and a small test cleanup.
Changes
GCM/CCM parameter handling and key generation

- ParameterUtilities decodes GCM/CCM ASN.1 parameters into AeadParameters via AES OID stem matching
- Asn1CipherBuilderWithKey uses GeneratorUtilities, honors keySize, and registers GCM/CCM OIDs for key generation
- Deprecates CipherKeyGeneratorFactory
- Adds Asn1CipherBuilderWithKeyTests and ParameterUtilitiesTests

AEAD hardening (EAX, OCB, CCM)

- Expands AeadTestUtilities with TestReset, TestOutputSizes, and TestBufferSizeChecks so EAX, OCB, and CCM share the same AEAD test harness used elsewhere
- ParametersWithIV init paths reject non-key inner parameters when a key is supplied
- OCB failure messages use GetMac() consistently

IES engine and PEM writer

- Verifies the MAC before block-cipher DoFinal to avoid distinguishable padding failures (CBC padding-oracle mitigation)
- Aligns the invalid-MAC message in both IES engines (Invalid MAC.)
- Adds the PEM writer test TestHeaderLineBreakRejected
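The stream-mode IES KDF layout change described above, as an added illustration that is not code from this PR or from the library: a toy counter-mode SHA-256 expansion stands in for the library's KDF, the 32-byte MAC key length and the shared secret are constructed values, and the two layout functions model the legacy (keystream first, MAC key last) and the hardened (fixed MAC-key prefix) splits so the overlap property and the residual static-key keystream reuse can both be checked.

```python
import hashlib

MAC_KEY_LEN = 32  # constructed: size of an HMAC-SHA256 MAC key


def kdf(shared_secret: bytes, length: int) -> bytes:
    """Toy counter-mode KDF (constructed for illustration, not the library's KDF).
    Output is prefix-consistent: kdf(s, a)[:b] == kdf(s, b) for b <= a."""
    out = b""
    counter = 1
    while len(out) < length:
        out += hashlib.sha256(shared_secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def legacy_layout(shared_secret: bytes, msg_len: int):
    """Legacy split: K1 = first msg_len bytes (keystream), K2 = remainder (MAC key).
    The MAC key's position in the KDF output depends on the message length."""
    k = kdf(shared_secret, msg_len + MAC_KEY_LEN)
    return k[:msg_len], k[msg_len:]


def fixed_prefix_layout(shared_secret: bytes, msg_len: int):
    """Hardened split: MAC key is always the fixed KDF prefix, keystream the remainder."""
    k = kdf(shared_secret, MAC_KEY_LEN + msg_len)
    return k[MAC_KEY_LEN:], k[:MAC_KEY_LEN]


def mac_key_recoverable_from_keystream(layout, shared_secret: bytes, msg_lens) -> bool:
    """Check whether one message's MAC key lies inside another message's keystream.
    With a static key the keystream is the same across messages, so any MAC key
    bytes that fall inside it are exposed once that message's plaintext is known."""
    derived = [layout(shared_secret, n) for n in msg_lens]
    for i, (_, mac_key) in enumerate(derived):
        for j, (keystream, _) in enumerate(derived):
            if i != j and mac_key in keystream:
                return True
    return False


def shares_keystream_prefix(layout, shared_secret: bytes, n: int, m: int) -> bool:
    """Residual static-key risk present in both layouts: two messages encrypted
    under the same static key reuse the same keystream bytes (many-time pad)."""
    ks_n, _ = layout(shared_secret, n)
    ks_m, _ = layout(shared_secret, m)
    common = min(n, m)
    return ks_n[:common] == ks_m[:common]
```

The legacy layout reports the MAC key of a 16-byte message as recoverable from a 64-byte message's keystream while the fixed-prefix layout does not, yet both layouts still share keystream bytes between messages, which is the many-time-pad caveat the PR documents.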