Fix ArrayIndexOutOfBoundsException in AES-GCM/CCM with zero-length input, correct CCM arg sanitization

cconlon · cconlon · commit 72d960f6c168 · 2025-09-03T10:41:56.000-06:00
diff --git a/jni/jni_aesccm.c b/jni/jni_aesccm.c
@@ -192,14 +192,14 @@ JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_wolfcrypt_AesCcm_wc_1AesCcmEncrypt
         authInSz = (*env)->GetArrayLength(env, authInArr);
     }
 
-    /* authIn can be null */
-    if (in == NULL || inLen == 0 || nonce == NULL || nonceSz == 0 ||
-        authTag == NULL || authTagSz == 0) {
+    /* in can be NULL if inLen is 0 - case with only AAD to gen tag */
+    if ((inLen != 0 && in == NULL) || nonce == NULL || authTag == NULL ||
+         nonceSz < 7 || nonceSz > 13 || authTagSz > WC_AES_BLOCK_SIZE) {
         ret = BAD_FUNC_ARG;
     }
 
     /* Allocate new buffer to hold ciphertext */
-    if (ret == 0) {
+    if (ret == 0 && inLen > 0) {
         out = (byte*)XMALLOC(inLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         if (out == NULL) {
             ret = MEMORY_E;
@@ -325,12 +325,13 @@ JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_wolfcrypt_AesCcm_wc_1AesCcmDecrypt
         authInSz = (*env)->GetArrayLength(env, authInArr);
     }
 
-    if (in == NULL || inLen == 0 || nonce == NULL || nonceSz == 0 ||
-        authTag == NULL || authTagSz == 0) {
+    /* in can be NULL if inLen is 0 - case with only AAD to verify tag */
+    if ((inLen != 0 && in == NULL) || nonce == NULL || authTag == NULL ||
+        nonceSz < 7 || nonceSz > 13 || authTagSz > WC_AES_BLOCK_SIZE) {
         ret = BAD_FUNC_ARG;
     }
 
-    if (ret == 0) {
+    if (ret == 0 && inLen > 0) {
         out = (byte*)XMALLOC(inLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         if (out == NULL) {
             ret = MEMORY_E;
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptCipher.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptCipher.java
@@ -1061,6 +1061,15 @@ private byte[] wolfCryptFinal(byte[] input, int inputOffset, int len)
                         tmpOut = totalOut;
                     }
                     else {
+                        /* Case where input is only the authentication tag,
+                         * zero-length plaintext */
+                        if (tmpIn.length < this.gcmTagLen) {
+                            throw new AEADBadTagException(
+                                "Input too short for GCM tag, got " +
+                                tmpIn.length + " bytes, need at least " +
+                                this.gcmTagLen);
+                        }
+
                         /* Get auth tag from end of ciphertext */
                         byte[] tag = Arrays.copyOfRange(tmpIn,
                                         tmpIn.length - this.gcmTagLen,
@@ -1099,6 +1108,15 @@ else if (cipherMode == CipherMode.WC_CCM) {
                         tmpOut = totalOut;
                     }
                     else {
+                        /* Case where input is only the authentication tag,
+                         * zero-length plaintext */
+                        if (tmpIn.length < this.gcmTagLen) {
+                            throw new AEADBadTagException(
+                                "Input too short for CCM tag, got " +
+                                tmpIn.length + " bytes, need at least " +
+                                this.gcmTagLen);
+                        }
+
                         /* Get auth tag from end of ciphertext */
                         byte[] tag = Arrays.copyOfRange(tmpIn,
                                         tmpIn.length - this.gcmTagLen,
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptCipherTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptCipherTest.java
@@ -6918,5 +6918,102 @@ public void testPKCS5PaddingDecryptBehavior()
         assertArrayEquals("Decrypted result should match original plaintext",
                          plaintext, fullResult);
     }
+
+    /*
+     * Test AES-GCM and AES-CCM with zero-length plaintext.
+     */
+    @Test
+    public void testAesGcmCcmZeroLengthPlaintext()
+        throws NoSuchAlgorithmException, NoSuchProviderException,
+               NoSuchPaddingException, InvalidKeyException,
+               InvalidAlgorithmParameterException,
+               IllegalBlockSizeException, BadPaddingException {
+
+        /* Test AES-GCM with zero-length plaintext */
+        if (enabledJCEAlgos.contains("AES/GCM/NoPadding")) {
+            byte[] key = new byte[16];
+            byte[] iv = new byte[12];
+            byte[] aad = new byte[100];
+
+            secureRandom.nextBytes(key);
+            secureRandom.nextBytes(iv);
+            for (int i = 0; i < aad.length; i++) {
+                aad[i] = (byte) (i % 256);
+            }
+
+            /* Test zero-length plaintext */
+            byte[] plaintext = new byte[0];
+
+            /* Encrypt */
+            Cipher encCipher =
+                Cipher.getInstance("AES/GCM/NoPadding", jceProvider);
+            GCMParameterSpec gcmSpec = new GCMParameterSpec(128, iv);
+            encCipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
+                gcmSpec);
+            encCipher.updateAAD(aad);
+            byte[] ciphertext = encCipher.doFinal(plaintext);
+
+            /* Should have only the authentication tag (16 bytes) */
+            assertEquals("GCM ciphertext should be tag length only",
+                16, ciphertext.length);
+
+            /* Decrypt */
+            Cipher decCipher =
+                Cipher.getInstance("AES/GCM/NoPadding", jceProvider);
+            decCipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
+                gcmSpec);
+            decCipher.updateAAD(aad);
+            byte[] decrypted = decCipher.doFinal(ciphertext);
+
+            /* Should decrypt to zero-length plaintext */
+            assertEquals("Decrypted plaintext should be zero length",
+                0, decrypted.length);
+            assertArrayEquals("Decrypted should match original plaintext",
+                plaintext, decrypted);
+        }
+
+        /* Test AES-CCM with zero-length plaintext */
+        if (enabledJCEAlgos.contains("AES/CCM/NoPadding")) {
+            byte[] key = new byte[16];
+            byte[] nonce = new byte[11]; /* 88-bit nonce for CCM */
+            byte[] aad = new byte[50];
+
+            secureRandom.nextBytes(key);
+            secureRandom.nextBytes(nonce);
+            for (int i = 0; i < aad.length; i++) {
+                aad[i] = (byte) (i % 256);
+            }
+
+            /* Test zero-length plaintext */
+            byte[] plaintext = new byte[0];
+
+            /* Encrypt */
+            Cipher encCipher =
+                Cipher.getInstance("AES/CCM/NoPadding", jceProvider);
+            GCMParameterSpec ccmSpec = new GCMParameterSpec(128, nonce);
+            encCipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
+                ccmSpec);
+            encCipher.updateAAD(aad);
+            byte[] ciphertext = encCipher.doFinal(plaintext);
+
+            /* Should have only the authentication tag (16 bytes) */
+            assertEquals("CCM ciphertext should be tag length only",
+                16, ciphertext.length);
+
+            /* Decrypt */
+            Cipher decCipher =
+                Cipher.getInstance("AES/CCM/NoPadding", jceProvider);
+            decCipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
+                ccmSpec);
+            decCipher.updateAAD(aad);
+            byte[] decrypted = decCipher.doFinal(ciphertext);
+
+            /* Should decrypt to zero-length plaintext */
+            assertEquals("Decrypted plaintext should be zero length",
+                0, decrypted.length);
+            assertArrayEquals("Decrypted should match original plaintext",
+                plaintext, decrypted);
+        }
+    }
 }
 
diff --git a/src/test/java/com/wolfssl/wolfcrypt/test/AesCcmTest.java b/src/test/java/com/wolfssl/wolfcrypt/test/AesCcmTest.java
@@ -257,12 +257,11 @@ public void testAesCcm128() throws WolfCryptException {
         plain = dec.decrypt(cipher, iv3, tag, a3);
         assertArrayEquals(p3, plain);
 
-        /* bad encrypt arguments: null input */
+        /* success case: null input with aad */
         try {
             enc.encrypt(null, iv3, tag, a3);
-            fail("encrypt() with null input should fail");
         } catch (WolfCryptException e) {
-            /* expected */
+            fail("encrypt() with null input should pass");
         }
 
         /* bad encrypt arguments: null iv */
@@ -281,12 +280,11 @@ public void testAesCcm128() throws WolfCryptException {
             /* expected */
         }
 
-        /* bad decrypt arguments: null input */
+        /* success case: null input, valid AAD and tag */
         try {
             enc.decrypt(null, iv3, tag, a3);
-            fail("decrypt() with null input should fail");
         } catch (WolfCryptException e) {
-            /* expected */
+            fail("decrypt() with null input should pass");
         }
 
         /* bad decrypt arguments: null iv */
@@ -336,12 +334,11 @@ public void testAesCcm192() throws WolfCryptException {
         assertNotNull(plain);
         assertArrayEquals(p2, plain);
 
-        /* bad encrypt arguments: null input */
+        /* success case: null input, but with AAD */
         try {
             enc.encrypt(null, iv2, tag, a2);
-            fail("encrypt() with null input should fail");
         } catch (WolfCryptException e) {
-            /* expected */
+            fail("encrypt() with null input should pass");
         }
 
         /* bad encrypt arguments: null iv */
@@ -360,12 +357,11 @@ public void testAesCcm192() throws WolfCryptException {
             /* expected */
         }
 
-        /* bad decrypt arguments: null input */
+        /* success case: null input, valid AAD and tag */
         try {
             enc.decrypt(null, iv2, tag, a2);
-            fail("decrypt() with null input should fail");
         } catch (WolfCryptException e) {
-            /* expected */
+            fail("decrypt() with null input should pass");
         }
 
         /* bad decrypt arguments: null iv */
@@ -415,12 +411,11 @@ public void testAesCcm256() throws WolfCryptException {
         assertNotNull(plain);
         assertArrayEquals(p1, plain);
 
-        /* bad encrypt arguments: null input */
+        /* success case: null input, but with AAD */
         try {
             enc.encrypt(null, iv1, tag, a1);
-            fail("encrypt() with null input should fail");
         } catch (WolfCryptException e) {
-            /* expected */
+            fail("encrypt() with null input should pass");
         }
 
         /* bad encrypt arguments: null iv */
@@ -439,12 +434,11 @@ public void testAesCcm256() throws WolfCryptException {
             /* expected */
         }
 
-        /* bad decrypt arguments: null input */
+        /* success case: null input, valid AAD and tag */
         try {
             enc.decrypt(null, iv1, tag, a1);
-            fail("decrypt() with null input should fail");
         } catch (WolfCryptException e) {
-            /* expected */
+            fail("decrypt() with null input should pass");
         }
 
         /* bad decrypt arguments: null iv */
