diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
index 67cab25e0..60b9857b1 100644
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@@ -292,10 +292,16 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
  * defined by a data unit number. The data unit number must be
  * provided by \p iv.
  *
+ * NIST SP 800-38E limits the maximum size of a data unit to 2^20
+ * AES blocks. If the data unit is larger than this, this function
+ * returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
+ *
  * \param ctx The AES XTS context to use for AES XTS operations.
  * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
  * #MBEDTLS_AES_DECRYPT.
- * \param length The length of a data unit in bytes.
+ * \param length The length of a data unit in bytes. This can be any
+ * length between 16 bytes and 2^24 bytes inclusive
+ * (between 1 and 2^20 block cipher blocks).
  * \param iv The address of the data unit encoded as an array of 16
  * bytes in little-endian format. For disk encryption, this
  * is typically the index of the block device sector that
@@ -309,7 +315,8 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
  *
  * \return \c 0 on success.
  * \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
- * smaller than an AES block in size (16 bytes).
+ * smaller than an AES block in size (16 bytes) or if \p
+ * length is larger than 2^20 blocks (16 MiB).
  */
 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
 int mode,
diff --git a/library/aes.c b/library/aes.c
index 2dc600cf8..2b64387a9 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -1158,6 +1158,9 @@ int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
 if( length < 16 )
 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
+ /* NIST SP 80-38E disallows data units larger than 2**20 blocks. */
+ if( length > ( 1 << 20 ) * 16 )
+ return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
 mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT, iv, t_buf.u8 );
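Review bot: The new description paragraph in the first aes.h hunk duplicates the error-return semantics that belong in the \return section, and it states the limit in blocks while the \param length text two lines down states it in bytes, so a reader has to convert between 2^20 blocks and 2^24 bytes to see they agree. Keeping the paragraph to the normative source and the bound, and leaving the error code to \return, reads cleaner: ` * NIST SP 800-38E limits a data unit to at most 2^20 AES blocks` / ` * (2^24 bytes, 16 MiB); see the \return section for the error code.` The \param length sentence could then say "between 16 bytes and 2^24 bytes (16 MiB) inclusive" so both places use the same unit. The function's documentation block starts before this hunk.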
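Review bot: In the second aes.h hunk the added \return text breaks the line between `\p` and its argument `length`, which is fragile for Doxygen (the command expects the parameter name to follow it as the next word) and reads oddly in the raw header. Re-wrap so the command and its word stay together: ` *                 smaller than an AES block in size (16 bytes) or if` / ` *                 \p length is larger than 2^20 blocks (16 MiB).` This \return line is also the only place that expresses the upper bound as "16 MiB" while the earlier hunk says "2^24 bytes"; using the same phrasing in both spots avoids a reader double-checking the arithmetic. The doc block continues above this hunk.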