This is more of a question than a bug. Is there a reason the OpenSSL FIPS version does not support the 192 key size for GCM?
The boringcrypto version of aes.go defines the newGCM() func as:
```go
func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) {
	var aead *C.GO_EVP_AEAD
	switch len(c.key) * 8 {
	case 128:
		if tls {
			aead = C._goboringcrypto_EVP_aead_aes_128_gcm_tls12()
		} else {
			aead = C._goboringcrypto_EVP_aead_aes_128_gcm()
		}
	case 256:
		if tls {
			aead = C._goboringcrypto_EVP_aead_aes_256_gcm_tls12()
		} else {
			aead = C._goboringcrypto_EVP_aead_aes_256_gcm()
		}
	default:
		// Fall back to standard library for GCM with non-standard key size.
		return cipher.NewGCMWithNonceSize(&noGCM{c}, gcmStandardNonceSize)
	}
	g := &aesGCM{aead: aead}
	if C._goboringcrypto_EVP_AEAD_CTX_init(&g.ctx, aead, (*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.size_t(len(c.key)), C.GO_EVP_AEAD_DEFAULT_TAG_LENGTH, nil) == 0 {
		return nil, fail("EVP_AEAD_CTX_init")
	}
	// Note: Because of the finalizer, any time g.ctx is passed to cgo,
	// that call must be followed by a call to runtime.KeepAlive(g),
	// to make sure g is not collected (and finalized) before the cgo
	// call returns.
	runtime.SetFinalizer(g, (*aesGCM).finalize)
	if g.NonceSize() != gcmStandardNonceSize {
		panic("boringcrypto: internal confusion about nonce size")
	}
	if g.Overhead() != gcmTagSize {
		panic("boringcrypto: internal confusion about tag size")
	}
	return g, nil
}
```
When the OpenSSL patch is applied, this func gets converted to:
```go
func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) {
	keyLen := len(c.key) * 8
	if keyLen != 128 && keyLen != 256 {
		// Return error for GCM with non-standard key size.
		return nil, fail("GCM invoked with non-standard key size")
	}
	g := &aesGCM{key: c.key, tls: tls}
	if g.NonceSize() != gcmStandardNonceSize {
		panic("boringcrypto: internal confusion about nonce size")
	}
	if g.Overhead() != gcmTagSize {
		panic("boringcrypto: internal confusion about tag size")
	}
	return g, nil
}
```
Note that if a 192 key size is used, the former falls back to the standard implementation, but the latter just throws back an error. From what I've read, the 192 key size is recognized and compliant with FIPS. Is there any particular reason this is not supported here?
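As an added example (not code from the issue, from the Go standard library, or from the OpenSSL/boringcrypto patch discussed above), the following stand-alone Go program lets a practitioner check which AES key sizes the GCM constructor of a given toolchain build accepts, and confirms that the resulting AEAD still rejects a modified ciphertext. The function names `gcmKeySizeSupport` and `roundTrip` are my own. Under the unpatched standard library all three sizes succeed; a build whose `newGCM` behaves like the patched version above would instead surface its "non-standard key size" error in the 192-bit entry rather than silently falling back, which is exactly the behavioural difference the issue asks about.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmKeySizeSupport probes which AES key lengths this build's GCM
// constructor accepts. It returns a map from key size in bits to the
// error produced while constructing the AEAD (nil when supported).
// The probe keys are all-zero and are never used to protect real data.
func gcmKeySizeSupport() map[int]error {
	results := make(map[int]error)
	for _, keyBytes := range []int{16, 24, 32} {
		key := make([]byte, keyBytes) // constructed probe key
		block, err := aes.NewCipher(key)
		if err != nil {
			results[keyBytes*8] = err
			continue
		}
		_, err = cipher.NewGCM(block)
		results[keyBytes*8] = err
	}
	return results
}

// roundTrip seals plaintext under key with AES-GCM and a fresh random
// 96-bit nonce, opens it again, and then flips one ciphertext byte to
// verify that Open rejects the tampered message. It returns the
// recovered plaintext, whether tampering was detected, and any error
// from key setup or from opening the untouched ciphertext.
func roundTrip(key, plaintext []byte) ([]byte, bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, false, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, false, err
	}
	ciphertext := aead.Seal(nil, nonce, plaintext, nil)
	recovered, err := aead.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return nil, false, err
	}
	// Flip one bit of the ciphertext; the authentication tag must now fail.
	ciphertext[0] ^= 0x01
	_, tamperErr := aead.Open(nil, nonce, ciphertext, nil)
	return recovered, tamperErr != nil, nil
}

func main() {
	for _, bits := range []int{128, 192, 256} {
		if err := gcmKeySizeSupport()[bits]; err != nil {
			fmt.Printf("AES-%d-GCM: unsupported in this build: %v\n", bits, err)
		} else {
			fmt.Printf("AES-%d-GCM: supported\n", bits)
		}
	}
	key := make([]byte, 24) // constructed 192-bit key for the demonstration
	for i := range key {
		key[i] = byte(i)
	}
	pt, tampered, err := roundTrip(key, []byte("constructed sample message"))
	fmt.Printf("round trip: %q, tamper detected: %v, err: %v\n", pt, tampered, err)
}
```

Run it once with the plain Go toolchain and once with the FIPS-enabled build under test; the difference in the AES-192-GCM line (and whether `roundTrip` with a 24-byte key returns an error instead of a plaintext) is the observable consequence of the `default:` fallback versus the early `return nil, fail(...)` in the two `newGCM` versions quoted above.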