[release-branch.go1.14] crypto/cipher: require non-zero nonce size for AES-GCM
authorKatie Hockman <katie@golang.org>
Fri, 7 Feb 2020 19:44:58 +0000 (14:44 -0500)
committerDmitri Shuralyov <dmitshur@golang.org>
Mon, 24 Feb 2020 20:07:06 +0000 (20:07 +0000)
Also fix typo in crypto/cipher/gcm_test.go.

Updates #37118
Fixes #37416

Change-Id: I8544d1eeeb1f0336cebb977b8c5bfa5e4c5ad8c7
Reviewed-on: https://go-review.googlesource.com/c/go/+/218500
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit 4e8badbbc2fe7854bb1c12a9ee42315b4d535051)
Reviewed-on: https://go-review.googlesource.com/c/go/+/220651
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
src/crypto/cipher/gcm.go
src/crypto/cipher/gcm_test.go

index 73d78550f897b8a951e480210692646b9b952451..ba0af84a9d09d6c7966476796c83f6a6bd53928b 100644 (file)
@@ -86,7 +86,8 @@ func NewGCM(cipher Block) (AEAD, error) {
 }
 
 // NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois
-// Counter Mode, which accepts nonces of the given length.
+// Counter Mode, which accepts nonces of the given length. The length must not
+// be zero.
 //
 // Only use this function if you require compatibility with an existing
 // cryptosystem that uses non-standard nonce lengths. All other users should use
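Review bot: The added doc sentence says the length "must not be zero", but the guard added in the next hunk (`if nonceSize <= 0`) also rejects negative sizes, and its error text likewise mentions only a zero length. Stating the contract as the code enforces it would be clearer, e.g. `// Counter Mode, which accepts nonces of the given length. The length must be positive; otherwise an error is returned.` The error string in newGCMWithNonceAndTagSize could match by opening with `cipher: the nonce size must be positive` while keeping the rest of its wording. The comment block continues past the end of this hunk.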
@@ -112,6 +113,10 @@ func newGCMWithNonceAndTagSize(cipher Block, nonceSize, tagSize int) (AEAD, erro
                return nil, errors.New("cipher: incorrect tag size given to GCM")
        }
 
+       if nonceSize <= 0 {
+               return nil, errors.New("cipher: the nonce can't have zero length, or the security of the key will be immediately compromised")
+       }
+
        if cipher, ok := cipher.(gcmAble); ok {
                return cipher.NewGCM(nonceSize, tagSize)
        }
index 64d5cc0db4fd9ff5d88054038a2cf610403f015b..0d53e471f95836467bf773e7d2fef0cee7c0af83 100644 (file)
@@ -217,6 +217,13 @@ var aesGCMTests = []struct {
                "2b9680b886b3efb7c6354b38c63b5373",
                "e2b7e5ed5ff27fc8664148f5a628a46dcbf2015184fffb82f2651c36",
        },
+       {
+               "11754cd72aec309bf52f7687212e8957",
+               "",
+               "",
+               "",
+               "250327c674aaf477aef2675748cf6971",
+       },
 }
 
 func TestAESGCM(t *testing.T) {
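Review bot: The new aesGCMTests entry has no comment saying it is a negative case, and its fields are positional, so a reader cannot tell that the empty second string is the nonce or why a result value is still listed. As far as the following hunk shows, the test hits `continue` for a zero-length nonce before anything is sealed, so the last field appears never to be compared. A one-line comment above the entry would make that explicit, e.g. `// Zero-length nonce: NewGCMWithNonceSize must return an error; the result below is not checked.` The struct definition itself is outside this hunk, so the field order is inferred from the neighbouring entries.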
@@ -234,14 +241,22 @@ func TestAESGCM(t *testing.T) {
 
                var aesgcm cipher.AEAD
                switch {
-               // Handle non-standard nonce sizes
+               // Handle non-standard tag sizes
                case tagSize != 16:
                        aesgcm, err = cipher.NewGCMWithTagSize(aes, tagSize)
                        if err != nil {
                                t.Fatal(err)
                        }
 
-               // Handle non-standard tag sizes
+               // Handle 0 nonce size (expect error and continue)
+               case len(nonce) == 0:
+                       aesgcm, err = cipher.NewGCMWithNonceSize(aes, 0)
+                       if err == nil {
+                               t.Fatal("expected error for zero nonce size")
+                       }
+                       continue
+
+               // Handle non-standard nonce sizes
                case len(nonce) != 12:
                        aesgcm, err = cipher.NewGCMWithNonceSize(aes, len(nonce))
                        if err != nil {
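Review bot: The new `case len(nonce) == 0:` branch covers only a nonce size of 0, while the guard added in gcm.go rejects every `nonceSize <= 0`, so the negative half of that condition is untested here. Adding `if _, err := cipher.NewGCMWithNonceSize(aes, -1); err == nil { t.Fatal("expected error for negative nonce size") }` inside the branch would pin it. The branch also assigns `aesgcm` without using it; `_, err = cipher.NewGCMWithNonceSize(aes, 0)` states the intent better. Because the case sits after `case tagSize != 16:`, a future vector with an empty nonce and a non-standard tag size would bypass this assertion. TestAESGCM starts before and continues after this hunk.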