AES-CTR-HMAC: Apply the 64 GiB limit to open operations too.

Seal operations already enforced it; however we should not attempt to
decode invalid strings, as this AEAD's security properties do not hold
if the input is so large that the counter wraps.

Change-Id: Iac64747b09449e06b5c7093abe7a58126a6a6964
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/95927
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Rudolf Polzer <rpolzer@google.com>
diff --git a/crypto/cipher/e_aesctrhmac.cc b/crypto/cipher/e_aesctrhmac.cc
index 019d9e6..2bb1db6 100644
--- a/crypto/cipher/e_aesctrhmac.cc
+++ b/crypto/cipher/e_aesctrhmac.cc
@@ -221,6 +221,13 @@
     Span<const CRYPTO_IVEC> aadvecs) {
   const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx =
       (struct aead_aes_ctr_hmac_sha256_ctx *)&ctx->state;
+  const uint64_t in_len_64 = bssl::iovec::TotalLength(iovecs);
+
+  if (in_len_64 >= (UINT64_C(1) << 32) * AES_BLOCK_SIZE) {
+    // This input is so large it would overflow the 32-bit block counter.
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
+    return 0;
+  }
 
   if (in_tag.size() != ctx->tag_len) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
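Review bot: The bound `(UINT64_C(1) << 32) * AES_BLOCK_SIZE` in the added check is a bare expression that, per the commit message, repeats the limit the seal path already enforces, so the two copies can drift apart. A shared named constant would keep them in step, for example `static const uint64_t kMaxInputLen = (UINT64_C(1) << 32) * AES_BLOCK_SIZE;` (suggested name; the seal code is outside this hunk, so confirm its current form). The comment on the check could also record two choices that look deliberate but are easy to undo in a later refactor: `// 2^32 blocks (64 GiB) or more would wrap the 32-bit block counter. Reject before any tag or decrypt work, and report BAD_DECRYPT like every other open failure.` Using `CIPHER_R_BAD_DECRYPT` here presumably keeps an oversized input indistinguishable from a failed authentication; if that is the intent, it is worth stating. The enclosing function starts before and continues past this hunk, so any later use of `in_len_64` is not visible here.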