Closed Bug 1566601 Opened 5 years ago Closed 5 years ago

AES-KW implementation allows shorter-than-permissible inputs

Categories

(NSS :: Libraries, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kjacobs, Assigned: kjacobs)

Details

(Keywords: csectype-other, sec-audit)

Attachments

(1 file)

The NSS implementation of AES key wrap permits inputs that are too short (per RFC 3394). The input to Wrap is n 64-bit blocks, and "The only restriction the key wrap algorithm places on n is that n be at least two".

NSS checks against 0 but will allow a single block input.

CC'ing Bob for any FIPS concerns.

This was discovered by :mbirghan during Wycheproof test integration.

OS: Unspecified → All
Hardware: Unspecified → All
Attachment #9079845 - Attachment description: Bug 1566601 - Require at least two 64-bit blocks of input for AES key wrap, add wycheproof tests r=jcj → Bug 1566601 - Add Wycheproof test vectors for AES-KW r=jcj
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.46
Group: crypto-core-security → core-security-release
Group: core-security-release
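The length rule from the report, written out as an added example (not NSS code and not part of the bug thread): a check that only rejects zero is set beside one that enforces RFC 3394's n >= 2, plus the matching bound for unwrap, whose input is n + 1 blocks. All function names are hypothetical, and the multiple-of-8 test in the lenient variant is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdio.h>

#define KW_BLOCK 8u /* AES-KW works on 64-bit (8-byte) blocks */

/* Check as the report describes it: rejects 0, accepts a single block.
 * The multiple-of-8 test is an assumption, not taken from NSS. */
static int kw_wrap_len_ok_lenient(size_t len)
{
    return len != 0 && len % KW_BLOCK == 0;
}

/* RFC 3394: plaintext is n 64-bit blocks with n >= 2 (at least 16 bytes). */
static int kw_wrap_len_ok(size_t len)
{
    return len % KW_BLOCK == 0 && len >= 2 * KW_BLOCK;
}

/* Wrapped output is n + 1 blocks, so valid ciphertext is at least 24 bytes. */
static int kw_unwrap_len_ok(size_t len)
{
    return len % KW_BLOCK == 0 && len >= 3 * KW_BLOCK;
}

/* Count lengths the lenient check accepts but the RFC check rejects. */
static size_t kw_count_disagreements(const size_t *lens, size_t count)
{
    size_t i, bad = 0;
    for (i = 0; i < count; i++)
        if (kw_wrap_len_ok_lenient(lens[i]) && !kw_wrap_len_ok(lens[i]))
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed sample lengths in bytes, in the spirit of negative test vectors. */
    static const size_t lens[] = { 0, 8, 12, 16, 24, 32 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%2zu lenient=%d wrap=%d unwrap=%d\n", lens[i],
               kw_wrap_len_ok_lenient(lens[i]), kw_wrap_len_ok(lens[i]),
               kw_unwrap_len_ok(lens[i]));
    printf("disagreements: %zu\n",
           kw_count_disagreements(lens, sizeof lens / sizeof lens[0]));
    return 0;
}
```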