Bug 1369353 - Reject zero-length GCM IVs r=franziskus
authorTim Taubert <ttaubert@mozilla.com>
Fri, 09 Jun 2017 15:00:41 +0200
changeset 13424 52737ed48f72360ca81380aebfecea63e561cd55
parent 13423 431af1a9435ad998883ed8d00a26f2b57b5167f8
child 13425 358f4a15869f7b2fd88c33e58352b1c6f9390efa
push id2239
push userttaubert@mozilla.com
push dateFri, 09 Jun 2017 13:02:20 +0000
reviewersfranziskus
bugs1369353
Bug 1369353 - Reject zero-length GCM IVs r=franziskus Differential Revision: https://nss-review.dev.mozaws.net/D340
gtests/common/gcm-vectors.h
gtests/common/util.h
gtests/freebl_gtest/freebl_util.h
gtests/freebl_gtest/ghash_unittest.cc
gtests/freebl_gtest/prng_kat_unittest.cc
gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
gtests/pk11_gtest/pk11_gtest.gyp
lib/freebl/gcm.c
lib/freebl/intel-gcm-wrap.c
new file mode 100644
--- /dev/null
+++ b/gtests/common/gcm-vectors.h
@@ -0,0 +1,172 @@
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef gcm_vectors_h__
+#define gcm_vectors_h__
+
+#include <string>
+
+typedef struct gcm_kat_str {
+  std::string key;
+  std::string plaintext;
+  std::string additional_data;
+  std::string iv;
+  std::string hash_key;
+  std::string ghash;
+  std::string result;
+} gcm_kat_value;
+
+/*
+ * http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
+ */
+const gcm_kat_value kGcmKatValues[] = {
+    {"00000000000000000000000000000000", "", "", "000000000000000000000000",
+     "66e94bd4ef8a2c3b884cfa59ca342b2e", "00000000000000000000000000000000",
+     "58e2fccefa7e3061367f1d57a4e7455a"},
+
+    {"00000000000000000000000000000000", "00000000000000000000000000000000", "",
+     "000000000000000000000000", "66e94bd4ef8a2c3b884cfa59ca342b2e",
+     "f38cbb1ad69223dcc3457ae5b6b0f885",
+     "0388dace60b6a392f328c2b971b2fe78ab6e47d42cec13bdf53a67b21257bddf"},
+
+    {"feffe9928665731c6d6a8f9467308308",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
+     "", "cafebabefacedbaddecaf888", "b83b533708bf535d0aa6e52980d53b78",
+     "7f1b32b81b820d02614f8895ac1d4eac",
+     "42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25"
+     "466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f59854d5c2af327cd64a62c"
+     "f35abd2ba6fab4"},
+
+    {"feffe9928665731c6d6a8f9467308308",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+     "feedfacedeadbeeffeedfacedeadbeefabaddad2", "cafebabefacedbaddecaf888",
+     "b83b533708bf535d0aa6e52980d53b78", "698e57f70e6ecc7fd9463b7260a9ae5f",
+     "42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25"
+     "466931c7d8f6a5aac84aa051ba30b396a0aac973d58e0915bc94fbc3221a5db94fae95ae7"
+     "121a47"},
+
+    {"feffe9928665731c6d6a8f9467308308",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+     "feedfacedeadbeeffeedfacedeadbeefabaddad2", "cafebabefacedbad",
+     "b83b533708bf535d0aa6e52980d53b78", "df586bb4c249b92cb6922877e444d37b",
+     "61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e"
+     "49f24b22b097544d4896b424989b5e1ebac0f07c23f45983612d2e79e3b0785561be14aac"
+     "a2fccb"},
+
+    {"feffe9928665731c6d6a8f9467308308",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
+     "9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c9515"
+     "6809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
+     "b83b533708bf535d0aa6e52980d53b78", "1c5afe9760d3932f3c9a878aac3dc3de",
+     "8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4f"
+     "ba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5619cc5aefffe0bfa462af43c16"
+     "99d050"},
+
+    {"000000000000000000000000000000000000000000000000", "", "",
+     "000000000000000000000000", "aae06992acbf52a3e8f4a96ec9300bd7",
+     "00000000000000000000000000000000", "cd33b28ac773f74ba00ed1f312572435"},
+
+    {"000000000000000000000000000000000000000000000000",
+     "00000000000000000000000000000000", "", "000000000000000000000000",
+     "aae06992acbf52a3e8f4a96ec9300bd7", "e2c63f0ac44ad0e02efa05ab6743d4ce",
+     "98e7247c07f0fe411c267e4384b0f6002ff58d80033927ab8ef4d4587514f0fb"},
+
+    {"feffe9928665731c6d6a8f9467308308feffe9928665731c",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
+     "", "cafebabefacedbaddecaf888", "466923ec9ae682214f2c082badb39249",
+     "51110d40f6c8fff0eb1ae33445a889f0",
+     "3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c"
+     "144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710acade2569924a7c8587336bfb1"
+     "18024db8674a14"},
+
+    {"feffe9928665731c6d6a8f9467308308feffe9928665731c",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+     "feedfacedeadbeeffeedfacedeadbeefabaddad2", "cafebabefacedbaddecaf888",
+     "466923ec9ae682214f2c082badb39249", "ed2ce3062e4a8ec06db8b4c490e8a268",
+     "3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c"
+     "144c525ac619d18c84a3f4718e2448b2fe324d9ccda27102519498e80f1478f37ba55bd6d"
+     "27618c"},
+
+    {"feffe9928665731c6d6a8f9467308308feffe9928665731c",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+     "feedfacedeadbeeffeedfacedeadbeefabaddad2", "cafebabefacedbad",
+     "466923ec9ae682214f2c082badb39249", "1e6a133806607858ee80eaf237064089",
+     "0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9"
+     "a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f765dcc57fcf623a24094fcca40d"
+     "3533f8"},
+
+    {"feffe9928665731c6d6a8f9467308308feffe9928665731c",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
+     "9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c9515"
+     "6809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
+     "466923ec9ae682214f2c082badb39249", "82567fb0b4cc371801eadec005968e94",
+     "d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012a"
+     "f34ddd9e2f037589b292db3e67c036745fa22e7e9b7373bdcf566ff291c25bbb8568fc3d3"
+     "76a6d9"},
+
+    {"0000000000000000000000000000000000000000000000000000000000000000", "", "",
+     "000000000000000000000000", "dc95c078a2408989ad48a21492842087",
+     "00000000000000000000000000000000", "530f8afbc74536b9a963b4f1c4cb738b"},
+
+    {"0000000000000000000000000000000000000000000000000000000000000000",
+     "00000000000000000000000000000000", "", "000000000000000000000000",
+     "dc95c078a2408989ad48a21492842087", "83de425c5edc5d498f382c441041ca92",
+     "cea7403d4d606b6e074ec5d3baf39d18d0d1c8a799996bf0265b98b5d48ab919"},
+
+    {"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
+     "", "cafebabefacedbaddecaf888", "acbef20579b4b8ebce889bac8732dad7",
+     "4db870d37cb75fcb46097c36230d1612",
+     "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e485"
+     "90dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015adb094dac5d93471bdec"
+     "1a502270e3cc6c"},
+
+    {"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+     "feedfacedeadbeeffeedfacedeadbeefabaddad2", "cafebabefacedbaddecaf888",
+     "acbef20579b4b8ebce889bac8732dad7", "8bd0c4d8aacd391e67cca447e8c38f65",
+     "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e485"
+     "90dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f66276fc6ece0f4e1768cddf8853bb"
+     "2d551b"},
+
+    {"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+     "feedfacedeadbeeffeedfacedeadbeefabaddad2", "cafebabefacedbad",
+     "acbef20579b4b8ebce889bac8732dad7", "75a34288b8c68f811c52b2e9a2f97f63",
+     "c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33"
+     "934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f3a337dbf46a792c45e454913fe"
+     "2ea8f2"},
+
+    {"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
+     "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c959"
+     "56809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
+     "9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c9515"
+     "6809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
+     "acbef20579b4b8ebce889bac8732dad7", "d5ffcf6fc5ac4d69722187421a7f170b",
+     "5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b78"
+     "0f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3fa44a8266ee1c8eb0c8b5d4cf5a"
+     "e9f19a"},
+
+    /* Extra, non-NIST, test case to test 64-bit binary multiplication carry
+     * correctness. This is a GHASH-only test. */
+    {"", "", "", "", "0000000000000000fcefef64ffc4766c",
+     "3561e34e52d8b598f9937982512fff27",
+     "0000000000000000ffcef9ebbffdbd8b00000000000000000000000000000000"}};
+
+#endif  // gcm_vectors_h__
new file mode 100644
--- /dev/null
+++ b/gtests/common/util.h
@@ -0,0 +1,21 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef util_h__
+#define util_h__
+
+#include <cassert>
+#include <vector>
+
+std::vector<uint8_t> hex_string_to_bytes(std::string s) {
+  std::vector<uint8_t> bytes;
+  for (size_t i = 0; i < s.length(); i += 2) {
+    bytes.push_back(std::stoul(s.substr(i, 2), nullptr, 16));
+  }
+  return bytes;
+}
+
+#endif  // util_h__
deleted file mode 100644
--- a/gtests/freebl_gtest/freebl_util.h
+++ /dev/null
@@ -1,16 +0,0 @@
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this file,
-// You can obtain one at http://mozilla.org/MPL/2.0/.
-
-#include <stdint.h>
-#include <string>
-#include <vector>
-
-std::vector<uint8_t> hex_string_to_bytes(std::string s) {
-  std::vector<uint8_t> bytes;
-  assert(s.length() % 2 == 0);
-  for (size_t i = 0; i < s.length(); i += 2) {
-    bytes.push_back(std::stoul(s.substr(i, 2), nullptr, 16));
-  }
-  return bytes;
-}
--- a/gtests/freebl_gtest/ghash_unittest.cc
+++ b/gtests/freebl_gtest/ghash_unittest.cc
@@ -1,138 +1,31 @@
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this file,
 // You can obtain one at http://mozilla.org/MPL/2.0/.
 
+#include "gcm-vectors.h"
 #include "gtest/gtest.h"
+#include "util.h"
 
-#include "freebl_util.h"
 #include "gcm.h"
 
 namespace nss_test {
 
-typedef struct ghash_kat_str {
-  std::string hash_key;
-  std::string additional_data;
-  std::string cipher_text;
-  std::string result;
-} ghash_kat_value;
-
-/*
- * http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
- */
-const ghash_kat_value kKatValues[] = {
-    {"66e94bd4ef8a2c3b884cfa59ca342b2e", "", "",
-     "00000000000000000000000000000000"},
-
-    {"66e94bd4ef8a2c3b884cfa59ca342b2e", "", "0388dace60b6a392f328c2b971b2fe78",
-     "f38cbb1ad69223dcc3457ae5b6b0f885"},
-
-    {"b83b533708bf535d0aa6e52980d53b78", "",
-     "42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25"
-     "4"
-     "66931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985",
-     "7f1b32b81b820d02614f8895ac1d4eac"},
-
-    {"b83b533708bf535d0aa6e52980d53b78",
-     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
-     "42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25"
-     "4"
-     "66931c7d8f6a5aac84aa051ba30b396a0aac973d58e091",
-     "698e57f70e6ecc7fd9463b7260a9ae5f"},
-
-    {"b83b533708bf535d0aa6e52980d53b78",
-     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
-     "61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e"
-     "4"
-     "9f24b22b097544d4896b424989b5e1ebac0f07c23f4598",
-     "df586bb4c249b92cb6922877e444d37b"},
-
-    {"b83b533708bf535d0aa6e52980d53b78",
-     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
-     "8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4f"
-     "b"
-     "a43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5",
-     "1c5afe9760d3932f3c9a878aac3dc3de"},
-
-    {"aae06992acbf52a3e8f4a96ec9300bd7", "", "98e7247c07f0fe411c267e4384b0f600",
-     "e2c63f0ac44ad0e02efa05ab6743d4ce"},
-
-    {"466923ec9ae682214f2c082badb39249", "",
-     "3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c"
-     "1"
-     "44c525ac619d18c84a3f4718e2448b2fe324d9ccda2710acade256",
-     "51110d40f6c8fff0eb1ae33445a889f0"},
-
-    {"466923ec9ae682214f2c082badb39249",
-     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
-     "3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c"
-     "1"
-     "44c525ac619d18c84a3f4718e2448b2fe324d9ccda2710",
-     "ed2ce3062e4a8ec06db8b4c490e8a268"},
-
-    {"466923ec9ae682214f2c082badb39249",
-     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
-     "0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9"
-     "a"
-     "471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7",
-     "1e6a133806607858ee80eaf237064089"},
-
-    {"466923ec9ae682214f2c082badb39249",
-     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
-     "d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012a"
-     "f"
-     "34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b",
-     "82567fb0b4cc371801eadec005968e94"},
-
-    {"dc95c078a2408989ad48a21492842087", "", "cea7403d4d606b6e074ec5d3baf39d18",
-     "83de425c5edc5d498f382c441041ca92"},
-
-    {"acbef20579b4b8ebce889bac8732dad7", "",
-     "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e485"
-     "9"
-     "0dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad",
-     "4db870d37cb75fcb46097c36230d1612"},
-
-    {"acbef20579b4b8ebce889bac8732dad7",
-     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
-     "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e485"
-     "9"
-     "0dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662",
-     "8bd0c4d8aacd391e67cca447e8c38f65"},
-
-    {"acbef20579b4b8ebce889bac8732dad7",
-     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
-     "c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33"
-     "9"
-     "34a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f",
-     "75a34288b8c68f811c52b2e9a2f97f63"},
-
-    {"acbef20579b4b8ebce889bac8732dad7",
-     "feedfacedeadbeeffeedfacedeadbeefabaddad2",
-     "5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b78"
-     "0"
-     "f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f",
-     "d5ffcf6fc5ac4d69722187421a7f170b"},
-
-    /* Extra, non-nist, test case to test 64-bit binary multiplication carry
-     * correctness. */
-    {"0000000000000000fcefef64ffc4766c", "", "0000000000000000ffcef9ebbffdbd8b",
-     "3561e34e52d8b598f9937982512fff27"}};
-
-class GHashTest : public ::testing::TestWithParam<ghash_kat_value> {
+class GHashTest : public ::testing::TestWithParam<gcm_kat_value> {
  protected:
-  void TestGHash(const ghash_kat_value val, bool sw) {
+  void TestGHash(const gcm_kat_value val, bool sw) {
     // Read test data.
     std::vector<uint8_t> hash_key = hex_string_to_bytes(val.hash_key);
     ASSERT_EQ(16UL, hash_key.size());
     std::vector<uint8_t> additional_data =
         hex_string_to_bytes(val.additional_data);
-    std::vector<uint8_t> cipher_text = hex_string_to_bytes(val.cipher_text);
-    std::vector<uint8_t> expected = hex_string_to_bytes(val.result);
+    std::vector<uint8_t> result = hex_string_to_bytes(val.result);
+    std::vector<uint8_t> cipher_text(result.begin(), result.end() - 16);
+    std::vector<uint8_t> expected = hex_string_to_bytes(val.ghash);
     ASSERT_EQ(16UL, expected.size());
 
     // Prepare context.
     gcmHashContext ghashCtx;
     ASSERT_EQ(SECSuccess, gcmHash_InitContext(&ghashCtx, hash_key.data(), sw));
 
     // Hash additional_data, cipher_text.
     gcmHash_Reset(&ghashCtx,
@@ -152,11 +45,11 @@ class GHashTest : public ::testing::Test
 };
 
 #ifdef NSS_X86_OR_X64
 TEST_P(GHashTest, KAT_X86_HW) { TestGHash(GetParam(), false); }
 #endif
 TEST_P(GHashTest, KAT_Sftw) { TestGHash(GetParam(), true); }
 
 INSTANTIATE_TEST_CASE_P(NISTTestVector, GHashTest,
-                        ::testing::ValuesIn(kKatValues));
+                        ::testing::ValuesIn(kGcmKatValues));
 
 }  // nss_test
--- a/gtests/freebl_gtest/prng_kat_unittest.cc
+++ b/gtests/freebl_gtest/prng_kat_unittest.cc
@@ -6,19 +6,19 @@
 #include "nss.h"
 #include "ssl.h"
 
 #include <cstdlib>
 #include <fstream>
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
+#include "util.h"
 
 #include "blapi.h"
-#include "freebl_util.h"
 
 namespace nss_test {
 
 typedef struct PRNGTestValuesStr {
   std::vector<uint8_t> entropy;
   std::vector<uint8_t> nonce;
   std::vector<uint8_t> personal;
   std::vector<uint8_t> expected_result;
new file mode 100644
--- /dev/null
+++ b/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
@@ -0,0 +1,135 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "nss.h"
+#include "pk11pub.h"
+#include "secerr.h"
+#include "sechash.h"
+
+#include "scoped_ptrs.h"
+
+#include "gcm-vectors.h"
+#include "gtest/gtest.h"
+#include "util.h"
+
+namespace nss_test {
+
+class Pkcs11AesGcmTest : public ::testing::TestWithParam<gcm_kat_value> {
+ protected:
+  void RunTest(const gcm_kat_value val) {
+    std::vector<uint8_t> key = hex_string_to_bytes(val.key);
+    std::vector<uint8_t> iv = hex_string_to_bytes(val.iv);
+    std::vector<uint8_t> plaintext = hex_string_to_bytes(val.plaintext);
+    std::vector<uint8_t> aad = hex_string_to_bytes(val.additional_data);
+    std::vector<uint8_t> result = hex_string_to_bytes(val.result);
+
+    // Ignore GHASH-only vectors.
+    if (key.empty()) {
+      return;
+    }
+
+    // Prepare AEAD params.
+    CK_GCM_PARAMS gcmParams;
+    gcmParams.pIv = iv.data();
+    gcmParams.ulIvLen = iv.size();
+    gcmParams.pAAD = aad.data();
+    gcmParams.ulAADLen = aad.size();
+    gcmParams.ulTagBits = 128;
+
+    SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&gcmParams),
+                      sizeof(gcmParams)};
+
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    SECItem keyItem = {siBuffer, key.data(),
+                       static_cast<unsigned int>(key.size())};
+
+    // Import key.
+    ScopedPK11SymKey symKey(PK11_ImportSymKey(
+        slot.get(), mech, PK11_OriginUnwrap, CKA_ENCRYPT, &keyItem, nullptr));
+    EXPECT_TRUE(!!symKey);
+
+    // Encrypt.
+    unsigned int outputLen = 0;
+    std::vector<uint8_t> output(plaintext.size() + gcmParams.ulTagBits / 8);
+    SECStatus rv =
+        PK11_Encrypt(symKey.get(), mech, &params, output.data(), &outputLen,
+                     output.size(), plaintext.data(), plaintext.size());
+    EXPECT_EQ(rv, SECSuccess);
+    ASSERT_EQ(outputLen, output.size());
+
+    // Check ciphertext and tag.
+    EXPECT_EQ(result, output);
+
+    // Decrypt.
+    unsigned int decryptedLen = 0;
+    // The PK11 AES API is stupid, it expects an explicit IV and thus wants
+    // a block more of available output memory.
+    std::vector<uint8_t> decrypted(output.size());
+    rv =
+        PK11_Decrypt(symKey.get(), mech, &params, decrypted.data(),
+                     &decryptedLen, decrypted.size(), output.data(), outputLen);
+    EXPECT_EQ(rv, SECSuccess);
+    ASSERT_EQ(decryptedLen, plaintext.size());
+
+    // Check the plaintext.
+    EXPECT_EQ(plaintext,
+              std::vector<uint8_t>(decrypted.begin(),
+                                   decrypted.begin() + decryptedLen));
+  }
+
+  SECStatus EncryptWithIV(std::vector<uint8_t>& iv) {
+    // Generate a random key.
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    ScopedPK11SymKey symKey(
+        PK11_KeyGen(slot.get(), mech, nullptr, 16, nullptr));
+    EXPECT_TRUE(!!symKey);
+
+    std::vector<uint8_t> data(17);
+    std::vector<uint8_t> output(33);
+    std::vector<uint8_t> aad(0);
+
+    // Prepare AEAD params.
+    CK_GCM_PARAMS gcmParams;
+    gcmParams.pIv = iv.data();
+    gcmParams.ulIvLen = iv.size();
+    gcmParams.pAAD = aad.data();
+    gcmParams.ulAADLen = aad.size();
+    gcmParams.ulTagBits = 128;
+
+    SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&gcmParams),
+                      sizeof(gcmParams)};
+
+    // Try to encrypt.
+    unsigned int outputLen = 0;
+    return PK11_Encrypt(symKey.get(), mech, &params, output.data(), &outputLen,
+                        output.size(), data.data(), data.size());
+  }
+
+  const CK_MECHANISM_TYPE mech = CKM_AES_GCM;
+};
+
+TEST_P(Pkcs11AesGcmTest, TestVectors) { RunTest(GetParam()); }
+
+INSTANTIATE_TEST_CASE_P(NISTTestVector, Pkcs11AesGcmTest,
+                        ::testing::ValuesIn(kGcmKatValues));
+
+TEST_F(Pkcs11AesGcmTest, ZeroLengthIV) {
+  std::vector<uint8_t> iv(0);
+  EXPECT_EQ(EncryptWithIV(iv), SECFailure);
+}
+
+TEST_F(Pkcs11AesGcmTest, AllZeroIV) {
+  std::vector<uint8_t> iv(16, 0);
+  EXPECT_EQ(EncryptWithIV(iv), SECSuccess);
+}
+
+TEST_F(Pkcs11AesGcmTest, TwelveByteZeroIV) {
+  std::vector<uint8_t> iv(12, 0);
+  EXPECT_EQ(EncryptWithIV(iv), SECSuccess);
+}
+
+}  // namespace nss_test
--- a/gtests/pk11_gtest/pk11_gtest.gyp
+++ b/gtests/pk11_gtest/pk11_gtest.gyp
@@ -7,16 +7,17 @@
     '../common/gtest.gypi',
   ],
   'targets': [
     {
       'target_name': 'pk11_gtest',
       'type': 'executable',
       'sources': [
         'pk11_aeskeywrap_unittest.cc',
+        'pk11_aes_gcm_unittest.cc',
         'pk11_chacha20poly1305_unittest.cc',
         'pk11_curve25519_unittest.cc',
         'pk11_ecdsa_unittest.cc',
         'pk11_pbkdf2_unittest.cc',
         'pk11_prf_unittest.cc',
         'pk11_prng_unittest.cc',
         'pk11_rsapss_unittest.cc',
         '<(DEPTH)/gtests/common/gtests.cc'
--- a/lib/freebl/gcm.c
+++ b/lib/freebl/gcm.c
@@ -582,19 +582,22 @@ GCM_CreateContext(void *context, freeblC
     CK_AES_CTR_PARAMS ctrParams;
     SECStatus rv;
 #ifdef DISABLE_HW_GCM
     const PRBool sw = PR_TRUE;
 #else
     const PRBool sw = PR_FALSE;
 #endif
 
+    if (gcmParams->ulIvLen == 0) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
     gcm = PORT_ZNew(GCMContext);
     if (gcm == NULL) {
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
         return NULL;
     }
     /* aligned_alloc is C11 so we have to do it the old way. */
     ghash = PORT_ZAlloc(sizeof(gcmHashContext) + 15);
     if (ghash == NULL) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         goto loser;
     }
--- a/lib/freebl/intel-gcm-wrap.c
+++ b/lib/freebl/intel-gcm-wrap.c
@@ -53,18 +53,21 @@ intel_AES_GCM_CreateContext(void *contex
     unsigned long AAD_whole_len = gcmParams->ulAADLen & (~0xful);
     unsigned int AAD_remainder_len = gcmParams->ulAADLen & 0xful;
 
     __m128i BSWAP_MASK = _mm_setr_epi8(15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0);
     __m128i ONE = _mm_set_epi32(0, 0, 0, 1);
     unsigned int j;
     SECStatus rv;
 
+    if (gcmParams->ulIvLen == 0) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
     gcm = PORT_ZNew(intel_AES_GCMContext);
-
     if (gcm == NULL) {
         return NULL;
     }
 
     /* initialize context fields */
     gcm->aes_context = aes;
     gcm->tagBits = gcmParams->ulTagBits;
     gcm->Alen = 0;