Closed Bug 1566601 Opened 2 years ago Closed 2 years ago

AES-KW implementation allows shorter-than-permissible inputs

Categories

(NSS :: Libraries, defect, P2)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kjacobs, Assigned: kjacobs)

Details

(Keywords: csectype-other, sec-audit)

Attachments

(1 file)

NSS implementation of AES key wrap permits inputs that are too short (per-RFC 3394). The input to Wrap is n 64-bit blocks, and "The only restriction the key wrap algorithm places on n is that n be at least two".

NSS checks against 0 but will allow a single block input.

CC'ing Bob for any FIPS concerns.

This was discovered by :mbirghan during Wycheproof test integration.

OS: Unspecified → All
Hardware: Unspecified → All
Attachment #9079845 - Attachment description: Bug 1566601 - Require at least two 64-bit blocks of input for AES key wrap, add wycheproof tests r=jcj → Bug 1566601 - Add Wycheproof test vectors for AES-KW r=jcj
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.46
Group: crypto-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.