Adds new monotonicity check

maddeleine · maddeleine · commit d656092340da · 2024-06-25T16:53:47.000-07:00
diff --git a/BUILDING.md b/BUILDING.md
@@ -20,7 +20,7 @@ If in doubt, use the most recent stable version of each build tool.
     `PERL_EXECUTABLE`.
     * To build without Perl (not recommended) see [this section.](#using-pre-generated-build-files)
 
-  * [Go](https://golang.org/dl/) 1.18 or later is required. If not found by
+  * [Go](https://golang.org/dl/) 1.20 or later is required. If not found by
     CMake, the go executable may be configured explicitly by setting
     `GO_EXECUTABLE`.
     * To build without Go (not recommended) see [this section.](#using-pre-generated-build-files)
diff --git a/crypto/cipher_extra/aead_test.cc b/crypto/cipher_extra/aead_test.cc
@@ -1364,6 +1364,48 @@ TEST(AEADTest, TestGCMSIV256Change16Alignment) {
   free(encrypt_ctx_256);
 }
 
+TEST(AEADTest, TestMonotonicityCheck) {
+
+  static const uint8_t kEvpAeadCtxKey[32] = {0};
+
+  // Only the tls13() ciphers have monotonicity checks
+  struct {
+    const EVP_AEAD *cipher;
+    const size_t key_len;
+  } ctx[] = { { .cipher = EVP_aead_aes_128_gcm_tls13(), .key_len = 16},
+              { .cipher = EVP_aead_aes_256_gcm_tls13(), .key_len = 32} };
+
+  for (int i = 0; i < 2; i++) {
+    const EVP_AEAD *cipher = ctx[i].cipher;
+    EVP_AEAD_CTX *encrypt_ctx =
+      (EVP_AEAD_CTX *)malloc(sizeof(EVP_AEAD_CTX) + 8);
+    ASSERT_TRUE(encrypt_ctx);
+
+    EVP_AEAD_CTX_zero(encrypt_ctx);
+    ASSERT_TRUE(EVP_AEAD_CTX_init(encrypt_ctx, cipher, kEvpAeadCtxKey, ctx[i].key_len, 16, NULL))
+        << ERR_error_string(ERR_get_error(), NULL);
+
+    uint8_t nonce[12] = {0};
+    uint8_t last_byte = sizeof(nonce) - 1;
+    uint8_t plaintext[16] = {0};
+    uint8_t ciphertext[32] = {0};
+    size_t out_len = 0;
+
+    // Checks that sequence numbers are allowed to increment by more than one
+    // as long as monotonicity is preserved. Here the implicit IV is presumed
+    // to be a zero-filled array. That lets us update the nonce value directly
+    // with an increasing sequence number.
+    for (size_t sequence_num = 0; sequence_num <= 255; sequence_num+=10) {
+        nonce[last_byte] = sequence_num;
+        ASSERT_TRUE(EVP_AEAD_CTX_seal(encrypt_ctx, ciphertext, &out_len,
+                                    sizeof(ciphertext), nonce, sizeof(nonce), plaintext,
+                                    sizeof(plaintext), nullptr /* ad */, 0));
+    }
+
+    free(encrypt_ctx);
+  }
+}
+
 struct EvpAeadCtxSerdeTestParams {
   const char *name;
   const EVP_AEAD *cipher;
