From d2e872faf40ec034c148466318f43b3ba4799127 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Wed, 5 Jul 2017 15:37:04 -0700 Subject: [PATCH] Test that overflowing AEAD ciphertext length is handled. Change-Id: I683481b12e66966729297466748f1869de0b913b Reviewed-on: https://boringssl-review.googlesource.com/17584 Commit-Queue: Adam Langley Commit-Queue: David Benjamin Reviewed-by: David Benjamin CQ-Verified: CQ bot account: commit-bot@chromium.org --- crypto/cipher_extra/aead_test.cc | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/crypto/cipher_extra/aead_test.cc b/crypto/cipher_extra/aead_test.cc index cce432c5..949c8002 100644 --- a/crypto/cipher_extra/aead_test.cc +++ b/crypto/cipher_extra/aead_test.cc @@ -580,6 +580,31 @@ TEST_P(PerAEADTest, UnalignedInput) { Bytes(out + 1, out_len)); } +TEST_P(PerAEADTest, Overflow) { + alignas(64) uint8_t key[EVP_AEAD_MAX_KEY_LENGTH]; + OPENSSL_memset(key, 'K', sizeof(key)); + + bssl::ScopedEVP_AEAD_CTX ctx; + const size_t max_tag_len = EVP_AEAD_max_tag_len(aead()); + ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(ctx.get(), aead(), key, + EVP_AEAD_key_length(aead()), + max_tag_len, evp_aead_seal)); + + uint8_t plaintext[1] = {0}; + uint8_t ciphertext[1024] = {0}; + size_t ciphertext_len; + // The AEAD must not overflow when calculating the ciphertext length. + ASSERT_FALSE(EVP_AEAD_CTX_seal( + ctx.get(), ciphertext, &ciphertext_len, sizeof(ciphertext), nullptr, 0, + plaintext, std::numeric_limits::max() - max_tag_len + 1, nullptr, + 0)); + ERR_clear_error(); + + // (Can't test the scatter interface because it'll attempt to zero the output + // buffer on error and the primary output buffer is implicitly the same size + // as the input.) +} + // Test that EVP_aead_aes_128_gcm and EVP_aead_aes_256_gcm reject empty nonces. // AES-GCM is not defined for those. TEST(AEADTest, AESGCMEmptyNonce) {