openssl / openssl

TLS/SSL and crypto library

Home Page: https://www.openssl.org

AEAD: EVP_CIPHER_CTX_iv_length is oblivious to EVP_CTRL_AEAD_SET_IVLEN

jorangreef opened this issue

For AEAD ciphers, EVP_CIPHER_CTX_iv_length() does not return the ctx's actual IV length, but the cipher's default IV length.

For example, changing a GCM cipher's IV length from 12 to 4 fails the assertion:

int iv_size = 4;
EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, iv_size, NULL);
/* fails: the getter still reports the cipher's default IV length (12) */
assert(EVP_CIPHER_CTX_iv_length(ctx) == iv_size);

Is this a bug? Or should the documentation make this clear?

I'd see this as a documentation issue

Could you please comment more on this? Is it possible to change the IV length with EVP_CTRL_AEAD_SET_IVLEN, or does OpenSSL accept only 12-byte IVs?

Yes it is possible to change the IV length with EVP_CTRL_AEAD_SET_IVLEN for those modes that support it (GCM, CCM and OCB).

The original issue mentioned by this PR is actually fixed in #9231. We should consider backporting it to 1.1.1 (@slontis).

OK @mattcaswell - I will look at it tomorrow. We should fix this (it is currently just returning the default value in 1.1.1).

Just to check, on which version of OpenSSL is it possible to change the IVs for GCM mode?
Thanks a lot!

EVP_CTRL_AEAD_SET_IVLEN exists since OpenSSL 1.1.0. In 1.0.2 you can use EVP_CTRL_GCM_SET_IVLEN to do the same job.

Could you please provide me with a golden vector with a 16-byte IV length? My C model is not matching OpenSSL GCM, so it would be very helpful for me.

Sorry...it doesn't look like we have one with that IV length in our test vectors.

If you have a look at CRYPTO_gcm128_setiv() you will see that it does a bit more work when len != 12.

I would check if you get the same result for larger ones (since it should do a similar operation) on IV blocks of size 16,
e.g.:

Cipher = aes-128-gcm
Key = feffe9928665731c6d6a8f9467308308
IV = 9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
Tag = 619cc5aefffe0bfa462af43c1699d050
Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
Ciphertext = 8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5
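
The extra work for `len != 12` mentioned above is the GHASH-based derivation of the pre-counter block J0, which is the usual place a hand-written model diverges for 16-byte or other non-96-bit IVs. The block below is an added example, not code from this thread or from OpenSSL: it derives J0 for any IV length so the value can be compared with a C model before comparing ciphertext or tag. The function names are hypothetical, and H and the expected J0 in `main` are taken from test case 6 of the GCM specification, which uses the same key and IV as the vector above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x = x * h in GF(2^128), bit by bit as in NIST SP 800-38D Algorithm 1. */
static void gf_mul(uint8_t x[16], const uint8_t h[16]) {
    uint8_t z[16] = {0}, v[16];
    memcpy(v, h, 16);
    for (int i = 0; i < 128; i++) {
        if (x[i / 8] & (0x80 >> (i % 8)))              /* bit i of x, leftmost first */
            for (int j = 0; j < 16; j++) z[j] ^= v[j];
        int lsb = v[15] & 1;
        for (int j = 15; j > 0; j--) v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
        v[0] = (uint8_t)((v[0] >> 1) ^ (lsb ? 0xe1 : 0)); /* reduce by R = 0xe1 || 0^120 */
    }
    memcpy(x, z, 16);
}

/* Pre-counter block J0; the caller supplies h = AES_K(0^128). */
void gcm_j0(const uint8_t h[16], const uint8_t *iv, size_t ivlen, uint8_t j0[16]) {
    memset(j0, 0, 16);
    if (ivlen == 12) { memcpy(j0, iv, 12); j0[15] = 1; return; } /* IV || 0^31 || 1 */
    for (size_t off = 0; off < ivlen; off += 16) {   /* GHASH over the zero-padded IV */
        size_t n = ivlen - off < 16 ? ivlen - off : 16;
        for (size_t i = 0; i < n; i++) j0[i] ^= iv[off + i];
        gf_mul(j0, h);
    }
    uint64_t bits = (uint64_t)ivlen * 8;             /* last block: 0^64 || [len(IV)]_64 */
    for (int i = 0; i < 8; i++) j0[15 - i] ^= (uint8_t)(bits >> (8 * i));
    gf_mul(j0, h);
}

static size_t unhex(const char *s, uint8_t *out, size_t cap) {  /* hypothetical helper */
    size_t n = 0;
    for (unsigned b; n < cap && s[0] && s[1] && sscanf(s, "%2x", &b) == 1; s += 2) out[n++] = (uint8_t)b;
    return n;
}
/* Hypothetical helper: 1 if the J0 derived from (h_hex, iv_hex) equals want_hex. */
int j0_check(const char *h_hex, const char *iv_hex, const char *want_hex) {
    uint8_t h[16], iv[64], want[16], j0[16];
    if (unhex(h_hex, h, 16) != 16 || unhex(want_hex, want, 16) != 16) return 0;
    gcm_j0(h, iv, unhex(iv_hex, iv, sizeof iv), j0);
    return memcmp(j0, want, 16) == 0;
}
int main(void) {   /* H and expected J0: GCM spec test case 6 (key and IV as above) */
    return !j0_check("b83b533708bf535d0aa6e52980d53b78",
        "9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728"
        "c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
        "3bab75780a31c059f83d2a44752f9864");
}
```

For a 16-byte IV, compute H with the model's own AES block function and check that both implementations agree on J0 first; a mismatch there means the IV padding or the length block is wrong, not the counter mode or tag logic.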

Fixed by #9499