Enable dynamic AAD handling for AES-GCM by keeping the existing 4 KiB

static buffer and transparently spilling to a heap buffer that grows as
needed. All GCM paths now use the correct buffer and the heap is freed
on context teardown. The test suite is extended with large-AAD cases,
including a 128 KiB vector and a 2 K + 4 K + 64 K chunk sequence, to
exercise spill and realloc during both encryption and decryption.

Author: gasbytes

wolfssl-gnutls-wrapper/src/cipher.c

@@ -31,7 +31,7 @@ enum {
 /** Maximum AES key size. */
 #define MAX_AES_KEY_SIZE    AES_256_KEY_SIZE
 /** Maximum authentication data. */
-#define MAX_AUTH_DATA       1024
+#define MAX_AUTH_DATA       4096
 /** Maximum plaintext to encrypt for GCM  */
 #define MAX_AES_GCM_PLAINTEXT ((1ULL << 36) - 32)
 /** Maximum RSA-PSS signature size */
@@ -82,10 +82,14 @@ struct wolfssl_cipher_ctx {
     size_t iv_size;
 
     /* For GCM mode. */
-    /** Authentication data to use. */
-    unsigned char auth_data[MAX_AUTH_DATA];
-    /** Size of authentication data to use. */
+    /** Authentication data to use (static, maximum 4096 bytes). */
+    unsigned char auth_data_static[MAX_AUTH_DATA];
+    /** Authentication data to use (allocated dynamically). */
+    unsigned char *auth_data_heap;
+    /** Size of authentication data to use (static). */
     size_t auth_data_size;
+    /** Size of authentication data to use (heap). */
+    size_t auth_alloc;
     /** Calculated authentication tag. */
     unsigned char tag[GCM_TAG_SIZE];
     /** Size of calculated authentication tag. */
@@ -240,6 +244,7 @@ int wolfssl_cipher_init(gnutls_cipher_algorithm_t algorithm, void **_ctx,
     ctx->tag_set_ext = 0;
     ctx->algorithm = 0;
     ctx->data_size = 0;
+    ctx->auth_data_heap = NULL;
 
     ctx->algorithm = algorithm;
     ctx->mode = get_cipher_mode(algorithm);
@@ -671,12 +676,47 @@ int wolfssl_cipher_auth(void *_ctx, const void *auth_data,
         return GNUTLS_E_INVALID_REQUEST;
     }
 
-    /* Check authentication data will fit in cache. */
-    if (ctx->auth_data_size + auth_size > sizeof(ctx->auth_data)) {
-        WGW_ERROR("Auth data too big: %ld + %ld > %ld", ctx->auth_data_size,
-            auth_size, sizeof(ctx->auth_data));
-        return GNUTLS_E_SHORT_MEMORY_BUFFER;
-    }
+	/* Check authentication data will fit in the static cache,
+	 * switch to heap if it doesn't. */
+	if (ctx->auth_data_heap == NULL &&
+			ctx->auth_data_size + auth_size > sizeof(ctx->auth_data_static)) {
+		WGW_LOG("Auth data too big: %ld + %ld > %ld", ctx->auth_data_size,
+				auth_size, sizeof(ctx->auth_data_static));
+		WGW_LOG("Switching to dynamic allocation");
+
+		size_t new_sz = sizeof(ctx->auth_data_static);
+		while (new_sz < ctx->auth_data_size + auth_size)
+			new_sz *= 2;
+
+		ctx->auth_data_heap = gnutls_malloc(new_sz);
+		if (!ctx->auth_data_heap) {
+			WGW_ERROR("gnutls_malloc failed for auth_data_heap");
+			return GNUTLS_E_MEMORY_ERROR;
+		}
+		ctx->auth_alloc = new_sz;
+		XMEMCPY(ctx->auth_data_heap, ctx->auth_data_static,
+				ctx->auth_data_size);
+		WGW_LOG("Spilled AAD to heap (%zu bytes)", new_sz);
+	}
+
+	/* We are already storing in the heap, we check
+	 * if we need to grow it. */
+	if (ctx->auth_data_heap &&
+			ctx->auth_data_size + auth_size > ctx->auth_alloc) {
+		WGW_LOG("New auth data too big, reallocating");
+		size_t new_sz = ctx->auth_alloc;
+		while (new_sz < ctx->auth_data_size + auth_size)
+			new_sz *= 2;
+
+		unsigned char *p = gnutls_realloc(ctx->auth_data_heap, new_sz);
+		if (!p) {
+			WGW_ERROR("gnutls_realloc failed for auth_data_heap");
+			return GNUTLS_E_MEMORY_ERROR;
+		}
+		ctx->auth_data_heap = p;
+		ctx->auth_alloc     = new_sz;
+		WGW_LOG("Grew AAD heap to %zu bytes", new_sz);
+	}
 
     /* Streaming must be a multiple of block size except for last. */
     if ((ctx->auth_data_size % AES_BLOCK_SIZE) != 0) {
@@ -685,8 +725,11 @@ int wolfssl_cipher_auth(void *_ctx, const void *auth_data,
     }
 
     /* Store AAD for later use in encrypt/decrypt operations. */
-    XMEMCPY(ctx->auth_data + ctx->auth_data_size, auth_data, auth_size);
-    ctx->auth_data_size += auth_size;
+	unsigned char *dst = ctx->auth_data_heap ?
+		ctx->auth_data_heap : ctx->auth_data_static;
+
+	XMEMCPY(dst + ctx->auth_data_size, auth_data, auth_size);
+	ctx->auth_data_size += auth_size;
 
     WGW_LOG("AAD added successfully");
     return 0;
@@ -751,7 +794,7 @@ int wolfssl_cipher_encrypt(void *_ctx, const void *src, size_t src_size,
         unsigned char* ptr;
         unsigned char* encr;
 
-        WGW_LOG("Caching platintext");
+        WGW_LOG("Caching plaintext");
 
         ctx->enc = 1;
 
@@ -782,11 +825,13 @@ int wolfssl_cipher_encrypt(void *_ctx, const void *src, size_t src_size,
             WGW_ERROR("realloc of gmac data failed");
             return GNUTLS_E_INVALID_REQUEST;
         }
+		unsigned char *aad = ctx->auth_data_heap ?
+			ctx->auth_data_heap : ctx->auth_data_static;
 
         /* Do encryption with the data we have. */
         ret = wc_AesGcmEncrypt(&ctx->cipher.aes_ctx, encr,
             ctx->data, ctx->data_size, ctx->iv, ctx->iv_size,
-            ctx->tag, ctx->tag_size, ctx->auth_data, ctx->auth_data_size);
+            ctx->tag, ctx->tag_size, aad, ctx->auth_data_size);
         if (ret != 0) {
             WGW_WOLFSSL_ERROR("wc_AesGcmEncrypt", ret);
             gnutls_free(encr);
@@ -894,7 +939,7 @@ int wolfssl_cipher_decrypt(void *_ctx, const void *src, size_t src_size,
         unsigned char* ptr;
         unsigned char* decr;
 
-        WGW_LOG("Caching platintext");
+        WGW_LOG("Caching plaintext");
 
         ctx->enc = 1;
 
@@ -922,14 +967,18 @@ int wolfssl_cipher_decrypt(void *_ctx, const void *src, size_t src_size,
         }
 
         WGW_LOG("wc_AesGcmDecrypt");
+
+        unsigned char *aad = ctx->auth_data_heap ?
+            ctx->auth_data_heap : ctx->auth_data_static;
+
         /* If caller hasn't set tag then we are creating it. */
         if (!ctx->tag_set_ext) {
             /* Encrypt the ciphertext to get the plaintext.
              * Tag will have been created on plaintext which is of no use.
              */
             ret = wc_AesGcmEncrypt(&ctx->cipher.aes_ctx, decr, ctx->data,
                 ctx->data_size, ctx->iv, ctx->iv_size,
-                ctx->tag, ctx->tag_size, ctx->auth_data, ctx->auth_data_size);
+                ctx->tag, ctx->tag_size, aad, ctx->auth_data_size);
             if (ret != 0) {
                 WGW_WOLFSSL_ERROR("wc_AesGcmEncrypt", ret);
                 gnutls_free(decr);
@@ -938,7 +987,7 @@ int wolfssl_cipher_decrypt(void *_ctx, const void *src, size_t src_size,
             /* Encrypt the plaintext to create the tag. */
             ret = wc_AesGcmEncrypt(&ctx->cipher.aes_ctx, decr, decr,
                 ctx->data_size, ctx->iv, ctx->iv_size,
-                ctx->tag, ctx->tag_size, ctx->auth_data, ctx->auth_data_size);
+                ctx->tag, ctx->tag_size, aad, ctx->auth_data_size);
             if (ret != 0) {
                 WGW_WOLFSSL_ERROR("wc_AesGcmEncrypt", ret);
                 gnutls_free(decr);
@@ -950,7 +999,7 @@ int wolfssl_cipher_decrypt(void *_ctx, const void *src, size_t src_size,
         /* Do decryption with cipehtext, IV, authentication data and tag. */
         ret = wc_AesGcmDecrypt(&ctx->cipher.aes_ctx, decr,
             ctx->data, ctx->data_size, ctx->iv, ctx->iv_size,
-            ctx->tag, ctx->tag_size, ctx->auth_data, ctx->auth_data_size);
+            ctx->tag, ctx->tag_size, aad, ctx->auth_data_size);
         if (ret != 0) {
             WGW_WOLFSSL_ERROR("wc_AesGcmEncrypt", ret);
             gnutls_free(decr);
@@ -1044,9 +1093,12 @@ void wolfssl_cipher_tag(void *_ctx, void *tag, size_t tag_size)
         if (ctx->mode == GCM) {
             WGW_LOG("wc_AesGcmEncrypt");
 
+            unsigned char *aad = ctx->auth_data_heap ?
+                ctx->auth_data_heap : ctx->auth_data_static;
+
             /* Do authentication with no plaintext. */
             ret = wc_AesGcmEncrypt(&ctx->cipher.aes_ctx, NULL, NULL, 0, ctx->iv,
-                ctx->iv_size, ctx->tag, ctx->tag_size, ctx->auth_data,
+                ctx->iv_size, ctx->tag, ctx->tag_size, aad,
                 ctx->auth_data_size);
             if (ret != 0) {
                 WGW_WOLFSSL_ERROR("wc_AesGcmEncrypt", ret);
@@ -1264,6 +1316,9 @@ void wolfssl_cipher_deinit(void *_ctx)
         ctx->initialized = 0;
         ctx->enc_initialized = 0;
         ctx->dec_initialized = 0;
+        if (ctx->auth_data_heap) {
+            gnutls_free(ctx->auth_data_heap);
+        }
     }
 
     gnutls_free(ctx);

wolfssl-gnutls-wrapper/tests/test_aesgcm.c

@@ -266,6 +266,122 @@ static int test_aesgcm_aead(gnutls_cipher_algorithm_t cipher,
     return 0;
 }
 
+/* ----------- BIG-AAD STRESS TEST (≥ 100 kB) ---------------- */
+static int test_aesgcm_big_aad(size_t aad_len)
+{
+    int ret;
+    gnutls_cipher_hd_t hd;
+    unsigned char *aad  = NULL;
+    unsigned char pt[16]  = {0};          /* 1-block dummy plaintext   */
+    unsigned char tag[16] = {0};
+    unsigned char iv[12]  = {0};          /* 96-bit nonce             */
+
+    /* 128-bit zero key */
+    gnutls_datum_t key = { (unsigned char *)key_128, sizeof(key_128) };
+
+    /* allocate and fill the big AAD */
+    aad = gnutls_malloc(aad_len);
+    if (!aad) { perror("malloc"); return 1; }
+    for (size_t i = 0; i < aad_len; i++)
+        aad[i] = (unsigned char)(i & 0xFF);        /* deterministic pattern */
+
+    /* init AES-128-GCM context */
+    ret = gnutls_cipher_init(&hd, GNUTLS_CIPHER_AES_128_GCM, &key,
+                             &(gnutls_datum_t){ iv, sizeof(iv) });
+    if (ret < 0) { print_gnutls_error("cipher_init", ret); goto out; }
+
+    /* supply the giant AAD in a single call */
+    ret = gnutls_cipher_add_auth(hd, aad, aad_len);
+    if (ret < 0) { print_gnutls_error("add_auth", ret); goto out_free; }
+
+    /* encrypt the dummy plaintext (content is irrelevant here) */
+    ret = gnutls_cipher_encrypt(hd, pt, sizeof(pt));
+    if (ret < 0) { print_gnutls_error("encrypt", ret); goto out_free; }
+
+    /* force tag generation – this calls wc_AesGcmEncrypt/Decrypt under the hood */
+    ret = gnutls_cipher_tag(hd, tag, sizeof(tag));
+    if (ret < 0) { print_gnutls_error("tag", ret); goto out_free; }
+
+    printf("AES-GCM with %zu-byte AAD succeeded\n", aad_len);
+    ret = 0;
+
+out_free:
+    gnutls_cipher_deinit(hd);
+out:
+    gnutls_free(aad);
+    return ret;
+}
+
+/* --- encrypt-then-decrypt with huge AAD (spills + realloc both ways) ---- */
+static int test_aesgcm_big_aad_chunks_encdec(void)
+{
+    int ret;
+    gnutls_cipher_hd_t enc_hd = NULL, dec_hd = NULL;
+    unsigned char iv[12]   = {0};
+    unsigned char pt[16]   = {0};             /* dummy 16-byte plaintext */
+    unsigned char ct[16]   = {0};
+    unsigned char tag[16]  = {0};
+    gnutls_datum_t key = { (unsigned char *)key_128, sizeof(key_128) };
+
+    /* three AAD chunks: 2 KiB (stay static) + 4 KiB (spill) + 64 KiB (realloc) */
+    const size_t c1 = 2048, c2 = 4096, c3 = 65536;
+    unsigned char *aad1 = gnutls_malloc(c1);
+    unsigned char *aad2 = gnutls_malloc(c2);
+    unsigned char *aad3 = gnutls_malloc(c3);
+    if (!aad1 || !aad2 || !aad3) { perror("malloc"); return 1; }
+    memset(aad1, 0x11, c1); memset(aad2, 0x22, c2); memset(aad3, 0x33, c3);
+
+    /* ---------- ENCRYPT ---------- */
+    ret = gnutls_cipher_init(&enc_hd, GNUTLS_CIPHER_AES_128_GCM,
+                             &key, &(gnutls_datum_t){ iv, sizeof(iv) });
+    if (ret < 0) { print_gnutls_error("enc init", ret); goto out; }
+
+    if ((ret = gnutls_cipher_add_auth(enc_hd, aad1, c1)) < 0 ||
+        (ret = gnutls_cipher_add_auth(enc_hd, aad2, c2)) < 0 ||
+        (ret = gnutls_cipher_add_auth(enc_hd, aad3, c3)) < 0) {
+        print_gnutls_error("enc add_auth", ret); goto out;
+    }
+
+    if ((ret = gnutls_cipher_encrypt(enc_hd, pt, sizeof(pt))) < 0) {
+        print_gnutls_error("encrypt", ret); goto out;
+    }
+    memcpy(ct, pt, sizeof(ct));           /* ciphertext now in ct */
+
+    if ((ret = gnutls_cipher_tag(enc_hd, tag, sizeof(tag))) < 0) {
+        print_gnutls_error("get tag", ret); goto out;
+    }
+    gnutls_cipher_deinit(enc_hd); enc_hd = NULL;
+
+    /* ---------- DECRYPT (same huge AAD pattern) ---------- */
+    ret = gnutls_cipher_init(&dec_hd, GNUTLS_CIPHER_AES_128_GCM,
+                             &key, &(gnutls_datum_t){ iv, sizeof(iv) });
+    if (ret < 0) { print_gnutls_error("dec init", ret); goto out; }
+
+    if ((ret = gnutls_cipher_add_auth(dec_hd, aad1, c1)) < 0 ||
+        (ret = gnutls_cipher_add_auth(dec_hd, aad2, c2)) < 0 ||
+        (ret = gnutls_cipher_add_auth(dec_hd, aad3, c3)) < 0) {
+        print_gnutls_error("dec add_auth", ret); goto out;
+    }
+
+    if ((ret = gnutls_cipher_tag(dec_hd, tag, sizeof(tag))) < 0) {
+        print_gnutls_error("set tag", ret); goto out;
+    }
+
+    if ((ret = gnutls_cipher_decrypt(dec_hd, ct, sizeof(ct))) < 0) {
+        print_gnutls_error("decrypt", ret); goto out;
+    }
+
+    gnutls_cipher_deinit(dec_hd); dec_hd = NULL;
+    printf("Encrypt + decrypt spill/realloc test succeeded\n");
+    ret = 0;
+
+out:
+    if (enc_hd) gnutls_cipher_deinit(enc_hd);
+    if (dec_hd) gnutls_cipher_deinit(dec_hd);
+    gnutls_free(aad1); gnutls_free(aad2); gnutls_free(aad3);
+    return ret;
+}
+
 int main(void) {
     int ret;
 
@@ -300,6 +416,12 @@ int main(void) {
         ret = test_aesgcm_aead(GNUTLS_CIPHER_AES_256_GCM, key_256,
             sizeof(key_256), ciphertext_256_data, sizeof(ciphertext_256_data));
     }
+	if (ret == 0) {
+		ret = test_aesgcm_big_aad(131072);
+	}
+	if (ret == 0) {
+		ret = test_aesgcm_big_aad_chunks_encdec();
+	}
     if (ret == 0) {
         printf("Test completed.\n");
     }