Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FFI: botan_cipher_get_update_granularity() returns 17 #4090

Closed
ni4 opened this issue Jun 1, 2024 · 2 comments · Fixed by #4122
Closed

FFI: botan_cipher_get_update_granularity() returns 17 #4090

ni4 opened this issue Jun 1, 2024 · 2 comments · Fixed by #4122
Assignees
@reneme
Labels
bug
Milestone
Botan 3.5.0

Comments

@ni4
Copy link

ni4 commented Jun 1, 2024

....which is quite unlogical if application relies on this value.
Root of this is in the ffi_choose_update_size() function and the fact that mode.update_granularity() returns 1.
@randombit randombit added the bug label Jun 1, 2024
@reneme reneme self-assigned this Jun 3, 2024
@reneme reneme added this to the Botan 3.5.0 milestone Jun 3, 2024
@reneme
Copy link
Collaborator

reneme commented Jun 3, 2024

I confirm!

This is true for the decryption of some AEAD modes. On the C++ level, some report a minimum_final_size() (of the tag length) and an update granularity of 1; notably ChaChaPoly, EAX, SIV and CCM. As a result, ffi_choose_update_size() produces 17.
Also surprising: for GCM it reports 32 (due to both update granularity and minimum final size reporting 16 and ffi_choose_update_size() rounding up "17" to the next multiple of "update granularity").

Note that botan_cipher_get_ideal_update_granularity() (introduced in Botan 3.0) always reports reasonable values. However, documentation claims that "ideal granularity" is always a multiple of "update granularity", which obviously isn't the case for the configurations affected by this issue.

We should have caught that in #3951 already, but the tests that sanity-check the granularities aren't up to the job. Thanks a lot for scrutinizing this even before it gets released!

@reneme
Copy link
Collaborator

reneme commented Jun 3, 2024

@randombit I feel the safest fix for this is to let botan_cipher_get_update_granularity() pass-through whatever is returned by Cipher_Mode::update_granularity() (see #4094). This would remove the bug-prone logic in ffi_choose_update_size(). Functionally, it should be just fine after the changes in #3951 -- most notably the BOTAN_FFI_ERROR_INSUFFICIENT_BUFFER_SPACE handling added there.

Nevertheless, one could make a case about semver: Users that rely on the old behavior with the sufficiently sized update granularity, might trip over this. When updating to 3.5.0, they would either need to switch to botan_cipher_get_IDEAL_update_granularity() or handle BOTAN_FFI_ERROR_INSUFFICIENT_BUFFER_SPACE properly.

As an alternative to #4094, we could extend the logic in ffi_choose_update_size() to scale the minimal update granularity to ensure ideal granularity is a multiple of it. My gut tells me, that this will just make it more error-prone, though: e.g. when Cipher_Mode's update granularity is equal to its ideal granularity.

@reneme reneme mentioned this issue Jun 4, 2024
Closed
@reneme reneme mentioned this issue Jun 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@reneme reneme

Labels
bug
Projects
None yet
Milestone
Botan 3.5.0
Development

Successfully merging a pull request may close this issue.

FIX: Better scaling for botan_cipher_get_update_granularity() Rohde-Schwarz/botan
3 participants
@randombit @reneme @ni4