[fix] Fix nonce/IV length validation for block cipher modes (#99)

Enhance security by enforcing proper nonce/IV lengths:
- Block ciphers (CBC/CFB) now require nonce length equal to block size
- Zero-length nonces rejected to prevent Botan's all-zero nonce fallback
- OCB mode validates nonce length must be less than block size (1-15 bytes for AES)
- Add comprehensive tests for nonce validation (zero-length, incorrect, correct)

This prevents accidental use of insecure nonce configurations while maintaining
backward compatibility with properly-sized all-zero IVs for legacy use cases.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Yasser Aziza <yasser.aziza@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>

Author: yaziza

src/main/java/net/randombit/botan/seckey/block/BotanBlockCipher.java

@@ -193,9 +193,20 @@ private boolean isWithoutPadding() {
     return PaddingAlgorithm.NO_PADDING == padding;
   }
 
+  /**
+   * Validates the nonce/IV length for block cipher modes.
+   *
+   * <p>Zero-length nonce are not allowed since Botan will interpret them as all-zero nonce,
+   * which is a security risk for CBC/CFB modes. If an all-zero nonce is needed for legacy
+   * reasons, use a properly-sized byte array filled with zeros (e.g., {@code byte[16]} for AES)
+   * instead of a zero-length array.
+   *
+   * @param nonceLength the length of the nonce/IV in bytes
+   * @return {@code true} if the nonce length is valid, {@code false} otherwise
+   */
   @Override
   protected boolean isValidNonceLength(int nonceLength) {
-    return true;
+    return nonceLength == engineGetBlockSize();
   }
 
   /** AES-CBC cipher implementation. */

src/main/java/net/randombit/botan/seckey/block/aead/BotanAeadCipher.java

@@ -72,7 +72,7 @@ protected java.security.AlgorithmParameters engineGetParameters() {
         parameters.init(new AeadParameterSpec(tLen, iv));
 
       } catch (java.security.NoSuchAlgorithmException
-               | java.security.spec.InvalidParameterSpecException e) {
+          | java.security.spec.InvalidParameterSpecException e) {
         parameters = null;
       }
     }
@@ -356,7 +356,14 @@ protected String getBotanCipherName(int keySize) {
 
     @Override
     protected boolean isValidNonceLength(int nonceLength) {
-      return nonceLength != 0 && nonceLength < 16;
+      if (nonceLength == 0) {
+        return false;
+      }
+      if (engineGetBlockSize() == 16) {
+        return nonceLength < 16;
+      } else {
+        return nonceLength < (engineGetBlockSize() - 1);
+      }
     }
 
     @Override

src/test/java/net/randombit/botan/seckey/block/BotanBlockCipherTest.java

@@ -795,4 +795,81 @@ void testUpdateWithOffsetDoesNotCopyExtraData() throws Exception {
 
     LOG.info("SUCCESS: update correctly processes only inputLen bytes even with buffered data");
   }
+
+  @ParameterizedTest
+  @CsvFileSource(
+      resources = {"/seckey/block/cbc_no_padding.csv", "/seckey/block/cfb_no_padding.csv"},
+      numLinesToSkip = 1)
+  @DisplayName("Test zero-length nonce is rejected")
+  public void testZeroLengthNonceRejected(String algorithm, int blockSize, int keySize)
+      throws GeneralSecurityException {
+    final Cipher cipher = Cipher.getInstance(algorithm, BotanProvider.NAME);
+    final SecretKeySpec key = new SecretKeySpec(new byte[keySize], algorithm);
+    final IvParameterSpec zeroLengthIv = new IvParameterSpec(new byte[0]);
+
+    // Extract base cipher name (e.g., "AES" from "AES/CBC/NoPadding")
+    String baseCipherName = algorithm.substring(0, algorithm.indexOf('/'));
+
+    final Exception exception =
+        assertThrows(
+            java.security.InvalidAlgorithmParameterException.class,
+            () -> cipher.init(Cipher.ENCRYPT_MODE, key, zeroLengthIv));
+
+    assertEquals(
+        String.format("Nonce with length 0 not allowed for algorithm %s", baseCipherName),
+        exception.getMessage(),
+        "Zero-length nonce should be rejected for " + algorithm);
+  }
+
+  @ParameterizedTest
+  @CsvFileSource(
+      resources = {"/seckey/block/cbc_no_padding.csv", "/seckey/block/cfb_no_padding.csv"},
+      numLinesToSkip = 1)
+  @DisplayName("Test incorrect nonce length is rejected")
+  public void testIncorrectNonceLengthRejected(String algorithm, int blockSize, int keySize)
+      throws GeneralSecurityException {
+    final Cipher cipher = Cipher.getInstance(algorithm, BotanProvider.NAME);
+    final SecretKeySpec key = new SecretKeySpec(new byte[keySize], algorithm);
+
+    // Use wrong nonce length (blockSize + 1 instead of blockSize)
+    final IvParameterSpec wrongLengthIv = new IvParameterSpec(new byte[blockSize + 1]);
+
+    // Extract base cipher name (e.g., "AES" from "AES/CBC/NoPadding")
+    String baseCipherName = algorithm.substring(0, algorithm.indexOf('/'));
+
+    final Exception exception =
+        assertThrows(
+            java.security.InvalidAlgorithmParameterException.class,
+            () -> cipher.init(Cipher.ENCRYPT_MODE, key, wrongLengthIv));
+
+    assertEquals(
+        String.format(
+            "Nonce with length %d not allowed for algorithm %s", blockSize + 1, baseCipherName),
+        exception.getMessage(),
+        "Incorrect nonce length should be rejected for " + algorithm);
+  }
+
+  @ParameterizedTest
+  @CsvFileSource(
+      resources = {"/seckey/block/cbc_no_padding.csv", "/seckey/block/cfb_no_padding.csv"},
+      numLinesToSkip = 1)
+  @DisplayName("Test correct nonce length is accepted")
+  public void testCorrectNonceLengthAccepted(String algorithm, int blockSize, int keySize)
+      throws GeneralSecurityException {
+    final Cipher cipher = Cipher.getInstance(algorithm, BotanProvider.NAME);
+    final SecretKeySpec key = new SecretKeySpec(new byte[keySize], algorithm);
+    final IvParameterSpec correctLengthIv = new IvParameterSpec(new byte[blockSize]);
+
+    // This should not throw an exception
+    cipher.init(Cipher.ENCRYPT_MODE, key, correctLengthIv);
+
+    // Verify cipher is properly initialized by encrypting some data
+    byte[] plaintext = new byte[blockSize];
+    byte[] ciphertext = cipher.doFinal(plaintext);
+
+    assertEquals(
+        blockSize,
+        ciphertext.length,
+        "Encryption should succeed with correct nonce length for " + algorithm);
+  }
 }

src/test/java/net/randombit/botan/seckey/block/aead/BotanAeadCipherTest.java

@@ -1302,4 +1302,87 @@ public void testAeadParameterSpecAADMismatch() throws GeneralSecurityException {
         "Decryption should fail with wrong AAD");
     LOG.info("SUCCESS: AAD mismatch properly detected");
   }
+
+  @Test
+  @DisplayName("Test OCB zero-length nonce is rejected")
+  public void testOcbZeroLengthNonceRejected() throws GeneralSecurityException {
+    final Cipher cipher = Cipher.getInstance("AES/OCB/NoPadding", BotanProvider.NAME);
+    final SecretKeySpec key = new SecretKeySpec(new byte[16], "AES");
+    final AeadParameterSpec zeroLengthNonce = new AeadParameterSpec(128, new byte[0]);
+
+    final Exception exception =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> cipher.init(Cipher.ENCRYPT_MODE, key, zeroLengthNonce));
+
+    assertEquals(
+        "Nonce with length 0 not allowed for algorithm AES",
+        exception.getMessage(),
+        "Zero-length nonce should be rejected for OCB");
+  }
+
+  @Test
+  @DisplayName("Test OCB nonce length equal to block size is rejected")
+  public void testOcbBlockSizeNonceRejected() throws GeneralSecurityException {
+    final Cipher cipher = Cipher.getInstance("AES/OCB/NoPadding", BotanProvider.NAME);
+    final SecretKeySpec key = new SecretKeySpec(new byte[16], "AES");
+    // OCB requires nonce < block size, so 16-byte nonce should be rejected for AES
+    final AeadParameterSpec blockSizeNonce = new AeadParameterSpec(128, new byte[16]);
+
+    final Exception exception =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> cipher.init(Cipher.ENCRYPT_MODE, key, blockSizeNonce));
+
+    assertEquals(
+        "Nonce with length 16 not allowed for algorithm AES",
+        exception.getMessage(),
+        "Nonce length equal to block size should be rejected for OCB");
+  }
+
+  @Test
+  @DisplayName("Test OCB nonce length greater than block size is rejected")
+  public void testOcbTooLongNonceRejected() throws GeneralSecurityException {
+    final Cipher cipher = Cipher.getInstance("AES/OCB/NoPadding", BotanProvider.NAME);
+    final SecretKeySpec key = new SecretKeySpec(new byte[16], "AES");
+    // OCB requires nonce < block size, so 20-byte nonce should be rejected for AES
+    final AeadParameterSpec tooLongNonce = new AeadParameterSpec(128, new byte[20]);
+
+    final Exception exception =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> cipher.init(Cipher.ENCRYPT_MODE, key, tooLongNonce));
+
+    assertEquals(
+        "Nonce with length 20 not allowed for algorithm AES",
+        exception.getMessage(),
+        "Nonce length greater than block size should be rejected for OCB");
+  }
+
+  @Test
+  @DisplayName("Test OCB valid nonce lengths are accepted")
+  public void testOcbValidNonceLengthsAccepted() throws GeneralSecurityException {
+    final Cipher cipher = Cipher.getInstance("AES/OCB/NoPadding", BotanProvider.NAME);
+    final SecretKeySpec key = new SecretKeySpec(new byte[16], "AES");
+
+    // Test various valid nonce lengths (1-15 bytes for AES with 16-byte block size)
+    int[] validLengths = {1, 8, 12, 15};
+
+    for (int length : validLengths) {
+      final AeadParameterSpec validNonce = new AeadParameterSpec(128, new byte[length]);
+
+      // This should not throw an exception
+      cipher.init(Cipher.ENCRYPT_MODE, key, validNonce);
+
+      // Verify cipher is properly initialized by encrypting some data
+      byte[] plaintext = "Test message".getBytes();
+      byte[] ciphertext = cipher.doFinal(plaintext);
+
+      // Ciphertext should be plaintext + tag (16 bytes for 128-bit tag)
+      assertEquals(
+          plaintext.length + 16,
+          ciphertext.length,
+          "Encryption should succeed with nonce length " + length + " for OCB");
+    }
+  }
 }