Fix limits for AES-GCM-SIV.

We can't have the counter wrap, so the limit is 2^32 AES blocks, or 2^36 bytes. The openv path has previously allowed for an extra block; this was wrong, as in our code, the tag is considered separate.

Change-Id: I730028350e86aadda826b4c55f15e7326a6a6964
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/95930
Commit-Queue: Rudolf Polzer <rpolzer@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

diff --git a/crypto/cipher/e_aesgcmsiv.cc b/crypto/cipher/e_aesgcmsiv.cc index 8ee9c68..781719f 100644 --- a/crypto/cipher/e_aesgcmsiv.cc +++ b/crypto/cipher/e_aesgcmsiv.cc
@@ -972,7 +972,7 @@ const uint64_t in_len_64 = bssl::iovec::TotalLength(iovecs); if (in_tag.size() != EVP_AEAD_AES_GCM_SIV_TAG_LEN || - in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE) { + in_len_64 > (UINT64_C(1) << 36)) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; }
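
Review bot: The new bound `in_len_64 > (UINT64_C(1) << 36)` in the open-path length check is a bare literal with no comment, so the reason the `+ AES_BLOCK_SIZE` slack was wrong survives only in the commit message. Consider a short comment at the check stating that the limit is 2^32 AES blocks of AES_BLOCK_SIZE bytes so the counter cannot wrap, and that `in_len_64` covers the ciphertext only because the tag arrives separately in `in_tag`. A named constant for the limit would also keep this check aligned with any other path that enforces the same bound. The visible diff touches only e_aesgcmsiv.cc, so a test at exactly 2^36 bytes and at one byte over would be worth adding if the harness can express inputs of that size through iovecs.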