From 76749aea784cfec245390d0d6f0ab0a2d63ae90a Mon Sep 17 00:00:00 2001 From: gabor-mezei-arm Date: Thu, 30 Jul 2020 16:41:25 +0200 Subject: [PATCH 01/41] Zeroize internal buffers and variables in PKCS and SHA Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac() and mbedtls_internal_sha*_process() functions to erase sensitive data from memory. Checked all function for possible missing zeroisation in PKCS and SHA. Signed-off-by: gabor-mezei-arm --- .../zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt | 5 +++++ library/pkcs5.c | 4 ++++ library/sha1.c | 9 +++++++++ library/sha256.c | 6 ++++++ library/sha512.c | 6 ++++++ 5 files changed, 30 insertions(+) create mode 100644 ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt diff --git a/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt b/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt new file mode 100644 index 000000000..f8445615c --- /dev/null +++ b/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt @@ -0,0 +1,5 @@ +Security + * Zeroising of local buffers and variables which are used for calculations + in mbedtls_pkcs5_pbkdf2_hmac() and mbedtls_internal_sha*_process() + functions to erase sensitive data from memory. Reported by + Johan Malmgren and Johan Uppman Bruce from Sectra. diff --git a/library/pkcs5.c b/library/pkcs5.c index fc5224883..049d27b17 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c @@ -290,6 +290,10 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, break; } + /* Zeroise buffers to clear sensitive data from memory. */ + mbedtls_platform_zeroize( work, MBEDTLS_MD_MAX_SIZE ); + mbedtls_platform_zeroize( md1, MBEDTLS_MD_MAX_SIZE ); + return( 0 ); } diff --git a/library/sha1.c b/library/sha1.c index 79bac6b24..c973455a7 100644 --- a/library/sha1.c +++ b/library/sha1.c @@ -285,6 +285,15 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, ctx->state[3] += D; ctx->state[4] += E; + /* Zeroise buffers and variables to clear sensitive data from memory. */ + mbedtls_platform_zeroize( &A, sizeof( A ) ); + mbedtls_platform_zeroize( &B, sizeof( B ) ); + mbedtls_platform_zeroize( &C, sizeof( C ) ); + mbedtls_platform_zeroize( &D, sizeof( D ) ); + mbedtls_platform_zeroize( &E, sizeof( E ) ); + mbedtls_platform_zeroize( &W, sizeof( W ) ); + mbedtls_platform_zeroize( &temp, sizeof( temp ) ); + return( 0 ); } diff --git a/library/sha256.c b/library/sha256.c index d8ddda5be..0124fb72a 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -253,6 +253,12 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, for( i = 0; i < 8; i++ ) ctx->state[i] += A[i]; + /* Zeroise buffers and variables to clear sensitive data from memory. */ + mbedtls_platform_zeroize( &A, sizeof( A ) ); + mbedtls_platform_zeroize( &W, sizeof( W ) ); + mbedtls_platform_zeroize( &temp1, sizeof( temp1 ) ); + mbedtls_platform_zeroize( &temp2, sizeof( temp2 ) ); + return( 0 ); } diff --git a/library/sha512.c b/library/sha512.c index 37fc96d05..08f4dd550 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -311,6 +311,12 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, for( i = 0; i < 8; i++ ) ctx->state[i] += A[i]; + /* Zeroise buffers and variables to clear sensitive data from memory. */ + mbedtls_platform_zeroize( &A, sizeof( A ) ); + mbedtls_platform_zeroize( &W, sizeof( W ) ); + mbedtls_platform_zeroize( &temp1, sizeof( temp1 ) ); + mbedtls_platform_zeroize( &temp2, sizeof( temp2 ) ); + return( 0 ); } From 4553dd46d6f82daaef9146789f377e0a885b3011 Mon Sep 17 00:00:00 2001 From: gabor-mezei-arm Date: Wed, 19 Aug 2020 14:01:03 +0200 Subject: [PATCH 02/41] Force cleanup before return Signed-off-by: gabor-mezei-arm --- library/pkcs5.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/library/pkcs5.c b/library/pkcs5.c index 049d27b17..37cca00fa 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c @@ -223,7 +223,7 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, unsigned int iteration_count, uint32_t key_length, unsigned char *output ) { - int ret, j; + int ret = 0, j; unsigned int i; unsigned char md1[MBEDTLS_MD_MAX_SIZE]; unsigned char work[MBEDTLS_MD_MAX_SIZE]; @@ -247,16 +247,16 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, // U1 ends up in work // if( ( ret = mbedtls_md_hmac_update( ctx, salt, slen ) ) != 0 ) - return( ret ); + goto cleanup; if( ( ret = mbedtls_md_hmac_update( ctx, counter, 4 ) ) != 0 ) - return( ret ); + goto cleanup; if( ( ret = mbedtls_md_hmac_finish( ctx, work ) ) != 0 ) - return( ret ); + goto cleanup; if( ( ret = mbedtls_md_hmac_reset( ctx ) ) != 0 ) - return( ret ); + goto cleanup; memcpy( md1, work, md_size ); @@ -265,13 +265,13 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, // U2 ends up in md1 // if( ( ret = mbedtls_md_hmac_update( ctx, md1, md_size ) ) != 0 ) - return( ret ); + goto cleanup; if( ( ret = mbedtls_md_hmac_finish( ctx, md1 ) ) != 0 ) - return( ret ); + goto cleanup; if( ( ret = mbedtls_md_hmac_reset( ctx ) ) != 0 ) - return( ret ); + goto cleanup; // U1 xor U2 // @@ -290,11 +290,12 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, break; } +cleanup: /* Zeroise buffers to clear sensitive data from memory. */ mbedtls_platform_zeroize( work, MBEDTLS_MD_MAX_SIZE ); mbedtls_platform_zeroize( md1, MBEDTLS_MD_MAX_SIZE ); - return( 0 ); + return( ret ); } #if defined(MBEDTLS_SELF_TEST) From d1c98fcf5e04b8f6628ca951131aa1f7d67283de Mon Sep 17 00:00:00 2001 From: gabor-mezei-arm Date: Wed, 19 Aug 2020 14:03:06 +0200 Subject: [PATCH 03/41] Zeroize internal buffers and variables in MD hashes Zeroising of local buffers and variables which are used for calculations in mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory. Checked all function for possible missing zeroisation in MD. Signed-off-by: gabor-mezei-arm --- ...oizations_of_sensitive_data_in_PKCS5_and_SHA.txt | 3 ++- library/md2.c | 3 +++ library/md4.c | 7 +++++++ library/md5.c | 7 +++++++ library/ripemd160.c | 13 +++++++++++++ 5 files changed, 32 insertions(+), 1 deletion(-) diff --git a/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt b/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt index f8445615c..320bb0e86 100644 --- a/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt +++ b/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt @@ -1,5 +1,6 @@ Security * Zeroising of local buffers and variables which are used for calculations - in mbedtls_pkcs5_pbkdf2_hmac() and mbedtls_internal_sha*_process() + in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), + mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory. Reported by Johan Malmgren and Johan Uppman Bruce from Sectra. diff --git a/library/md2.c b/library/md2.c index afc6539e0..53248ad48 100644 --- a/library/md2.c +++ b/library/md2.c @@ -149,6 +149,9 @@ int mbedtls_internal_md2_process( mbedtls_md2_context *ctx ) t = ctx->cksum[i]; } + /* Zeroise variables to clear sensitive data from memory. */ + mbedtls_platform_zeroize( &t, sizeof( t ) ); + return( 0 ); } diff --git a/library/md4.c b/library/md4.c index beb42c954..0416df3d7 100644 --- a/library/md4.c +++ b/library/md4.c @@ -231,6 +231,13 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, ctx->state[2] += C; ctx->state[3] += D; + /* Zeroise variables to clear sensitive data from memory. */ + mbedtls_platform_zeroize( &X, sizeof( X ) ); + mbedtls_platform_zeroize( &A, sizeof( A ) ); + mbedtls_platform_zeroize( &B, sizeof( B ) ); + mbedtls_platform_zeroize( &C, sizeof( C ) ); + mbedtls_platform_zeroize( &D, sizeof( D ) ); + return( 0 ); } diff --git a/library/md5.c b/library/md5.c index c7b85d124..acd504e52 100644 --- a/library/md5.c +++ b/library/md5.c @@ -237,6 +237,13 @@ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx, ctx->state[2] += C; ctx->state[3] += D; + /* Zeroise variables to clear sensitive data from memory. */ + mbedtls_platform_zeroize( &X, sizeof( X ) ); + mbedtls_platform_zeroize( &A, sizeof( A ) ); + mbedtls_platform_zeroize( &B, sizeof( B ) ); + mbedtls_platform_zeroize( &C, sizeof( C ) ); + mbedtls_platform_zeroize( &D, sizeof( D ) ); + return( 0 ); } diff --git a/library/ripemd160.c b/library/ripemd160.c index a2ad32c2f..2ff864f93 100644 --- a/library/ripemd160.c +++ b/library/ripemd160.c @@ -300,6 +300,19 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, ctx->state[4] = ctx->state[0] + B + Cp; ctx->state[0] = C; + /* Zeroise variables to clear sensitive data from memory. */ + mbedtls_platform_zeroize( &A, sizeof( A ) ); + mbedtls_platform_zeroize( &B, sizeof( B ) ); + mbedtls_platform_zeroize( &C, sizeof( C ) ); + mbedtls_platform_zeroize( &D, sizeof( D ) ); + mbedtls_platform_zeroize( &E, sizeof( E ) ); + mbedtls_platform_zeroize( &Ap, sizeof( Ap ) ); + mbedtls_platform_zeroize( &Bp, sizeof( Bp ) ); + mbedtls_platform_zeroize( &Cp, sizeof( Cp ) ); + mbedtls_platform_zeroize( &Dp, sizeof( Dp ) ); + mbedtls_platform_zeroize( &Ep, sizeof( Ep ) ); + mbedtls_platform_zeroize( &X, sizeof( X ) ); + return( 0 ); } From b8513fa6acbe45414f1168f694072e656e2e1499 Mon Sep 17 00:00:00 2001 From: gabor-mezei-arm Date: Mon, 24 Aug 2020 09:53:04 +0200 Subject: [PATCH 04/41] Initialize return variable to the appropriate error code The return variable is initilized to make the code more robust against glitch attacks. Signed-off-by: gabor-mezei-arm --- library/pkcs5.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/pkcs5.c b/library/pkcs5.c index 37cca00fa..82b63bc3a 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c @@ -223,7 +223,8 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, unsigned int iteration_count, uint32_t key_length, unsigned char *output ) { - int ret = 0, j; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int j; unsigned int i; unsigned char md1[MBEDTLS_MD_MAX_SIZE]; unsigned char work[MBEDTLS_MD_MAX_SIZE]; From 4cb56f83cbb20b00da4657dde7e86d0927a4cbe6 Mon Sep 17 00:00:00 2001 From: gabor-mezei-arm Date: Tue, 25 Aug 2020 19:12:01 +0200 Subject: [PATCH 05/41] Put local variables and buffers in a struct This reduces the impact of the code size increase due to the addition of calls to mbedtls_platform_zeroize. Signed-off-by: gabor-mezei-arm --- library/md4.c | 155 ++++++++++++++-------------- library/md5.c | 197 ++++++++++++++++++----------------- library/ripemd160.c | 243 +++++++++++++++++++++----------------------- library/sha1.c | 233 +++++++++++++++++++++--------------------- library/sha256.c | 99 +++++++++++------- library/sha512.c | 74 ++++++++------ 6 files changed, 512 insertions(+), 489 deletions(-) diff --git a/library/md4.c b/library/md4.c index 0416df3d7..5546202b5 100644 --- a/library/md4.c +++ b/library/md4.c @@ -115,31 +115,34 @@ void mbedtls_md4_starts( mbedtls_md4_context *ctx ) int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, const unsigned char data[64] ) { - uint32_t X[16], A, B, C, D; + struct + { + uint32_t X[16], A, B, C, D; + } local; - GET_UINT32_LE( X[ 0], data, 0 ); - GET_UINT32_LE( X[ 1], data, 4 ); - GET_UINT32_LE( X[ 2], data, 8 ); - GET_UINT32_LE( X[ 3], data, 12 ); - GET_UINT32_LE( X[ 4], data, 16 ); - GET_UINT32_LE( X[ 5], data, 20 ); - GET_UINT32_LE( X[ 6], data, 24 ); - GET_UINT32_LE( X[ 7], data, 28 ); - GET_UINT32_LE( X[ 8], data, 32 ); - GET_UINT32_LE( X[ 9], data, 36 ); - GET_UINT32_LE( X[10], data, 40 ); - GET_UINT32_LE( X[11], data, 44 ); - GET_UINT32_LE( X[12], data, 48 ); - GET_UINT32_LE( X[13], data, 52 ); - GET_UINT32_LE( X[14], data, 56 ); - GET_UINT32_LE( X[15], data, 60 ); + GET_UINT32_LE( local.X[ 0], data, 0 ); + GET_UINT32_LE( local.X[ 1], data, 4 ); + GET_UINT32_LE( local.X[ 2], data, 8 ); + GET_UINT32_LE( local.X[ 3], data, 12 ); + GET_UINT32_LE( local.X[ 4], data, 16 ); + GET_UINT32_LE( local.X[ 5], data, 20 ); + GET_UINT32_LE( local.X[ 6], data, 24 ); + GET_UINT32_LE( local.X[ 7], data, 28 ); + GET_UINT32_LE( local.X[ 8], data, 32 ); + GET_UINT32_LE( local.X[ 9], data, 36 ); + GET_UINT32_LE( local.X[10], data, 40 ); + GET_UINT32_LE( local.X[11], data, 44 ); + GET_UINT32_LE( local.X[12], data, 48 ); + GET_UINT32_LE( local.X[13], data, 52 ); + GET_UINT32_LE( local.X[14], data, 56 ); + GET_UINT32_LE( local.X[15], data, 60 ); #define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n)))) - A = ctx->state[0]; - B = ctx->state[1]; - C = ctx->state[2]; - D = ctx->state[3]; + local.A = ctx->state[0]; + local.B = ctx->state[1]; + local.C = ctx->state[2]; + local.D = ctx->state[3]; #define F(x, y, z) (((x) & (y)) | ((~(x)) & (z))) #define P(a,b,c,d,x,s) \ @@ -150,22 +153,22 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, } while( 0 ) - P( A, B, C, D, X[ 0], 3 ); - P( D, A, B, C, X[ 1], 7 ); - P( C, D, A, B, X[ 2], 11 ); - P( B, C, D, A, X[ 3], 19 ); - P( A, B, C, D, X[ 4], 3 ); - P( D, A, B, C, X[ 5], 7 ); - P( C, D, A, B, X[ 6], 11 ); - P( B, C, D, A, X[ 7], 19 ); - P( A, B, C, D, X[ 8], 3 ); - P( D, A, B, C, X[ 9], 7 ); - P( C, D, A, B, X[10], 11 ); - P( B, C, D, A, X[11], 19 ); - P( A, B, C, D, X[12], 3 ); - P( D, A, B, C, X[13], 7 ); - P( C, D, A, B, X[14], 11 ); - P( B, C, D, A, X[15], 19 ); + P( local.A, local.B, local.C, local.D, local.X[ 0], 3 ); + P( local.D, local.A, local.B, local.C, local.X[ 1], 7 ); + P( local.C, local.D, local.A, local.B, local.X[ 2], 11 ); + P( local.B, local.C, local.D, local.A, local.X[ 3], 19 ); + P( local.A, local.B, local.C, local.D, local.X[ 4], 3 ); + P( local.D, local.A, local.B, local.C, local.X[ 5], 7 ); + P( local.C, local.D, local.A, local.B, local.X[ 6], 11 ); + P( local.B, local.C, local.D, local.A, local.X[ 7], 19 ); + P( local.A, local.B, local.C, local.D, local.X[ 8], 3 ); + P( local.D, local.A, local.B, local.C, local.X[ 9], 7 ); + P( local.C, local.D, local.A, local.B, local.X[10], 11 ); + P( local.B, local.C, local.D, local.A, local.X[11], 19 ); + P( local.A, local.B, local.C, local.D, local.X[12], 3 ); + P( local.D, local.A, local.B, local.C, local.X[13], 7 ); + P( local.C, local.D, local.A, local.B, local.X[14], 11 ); + P( local.B, local.C, local.D, local.A, local.X[15], 19 ); #undef P #undef F @@ -178,22 +181,22 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, (a) = S((a),(s)); \ } while( 0 ) - P( A, B, C, D, X[ 0], 3 ); - P( D, A, B, C, X[ 4], 5 ); - P( C, D, A, B, X[ 8], 9 ); - P( B, C, D, A, X[12], 13 ); - P( A, B, C, D, X[ 1], 3 ); - P( D, A, B, C, X[ 5], 5 ); - P( C, D, A, B, X[ 9], 9 ); - P( B, C, D, A, X[13], 13 ); - P( A, B, C, D, X[ 2], 3 ); - P( D, A, B, C, X[ 6], 5 ); - P( C, D, A, B, X[10], 9 ); - P( B, C, D, A, X[14], 13 ); - P( A, B, C, D, X[ 3], 3 ); - P( D, A, B, C, X[ 7], 5 ); - P( C, D, A, B, X[11], 9 ); - P( B, C, D, A, X[15], 13 ); + P( local.A, local.B, local.C, local.D, local.X[ 0], 3 ); + P( local.D, local.A, local.B, local.C, local.X[ 4], 5 ); + P( local.C, local.D, local.A, local.B, local.X[ 8], 9 ); + P( local.B, local.C, local.D, local.A, local.X[12], 13 ); + P( local.A, local.B, local.C, local.D, local.X[ 1], 3 ); + P( local.D, local.A, local.B, local.C, local.X[ 5], 5 ); + P( local.C, local.D, local.A, local.B, local.X[ 9], 9 ); + P( local.B, local.C, local.D, local.A, local.X[13], 13 ); + P( local.A, local.B, local.C, local.D, local.X[ 2], 3 ); + P( local.D, local.A, local.B, local.C, local.X[ 6], 5 ); + P( local.C, local.D, local.A, local.B, local.X[10], 9 ); + P( local.B, local.C, local.D, local.A, local.X[14], 13 ); + P( local.A, local.B, local.C, local.D, local.X[ 3], 3 ); + P( local.D, local.A, local.B, local.C, local.X[ 7], 5 ); + P( local.C, local.D, local.A, local.B, local.X[11], 9 ); + P( local.B, local.C, local.D, local.A, local.X[15], 13 ); #undef P #undef F @@ -206,37 +209,33 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, (a) = S((a),(s)); \ } while( 0 ) - P( A, B, C, D, X[ 0], 3 ); - P( D, A, B, C, X[ 8], 9 ); - P( C, D, A, B, X[ 4], 11 ); - P( B, C, D, A, X[12], 15 ); - P( A, B, C, D, X[ 2], 3 ); - P( D, A, B, C, X[10], 9 ); - P( C, D, A, B, X[ 6], 11 ); - P( B, C, D, A, X[14], 15 ); - P( A, B, C, D, X[ 1], 3 ); - P( D, A, B, C, X[ 9], 9 ); - P( C, D, A, B, X[ 5], 11 ); - P( B, C, D, A, X[13], 15 ); - P( A, B, C, D, X[ 3], 3 ); - P( D, A, B, C, X[11], 9 ); - P( C, D, A, B, X[ 7], 11 ); - P( B, C, D, A, X[15], 15 ); + P( local.A, local.B, local.C, local.D, local.X[ 0], 3 ); + P( local.D, local.A, local.B, local.C, local.X[ 8], 9 ); + P( local.C, local.D, local.A, local.B, local.X[ 4], 11 ); + P( local.B, local.C, local.D, local.A, local.X[12], 15 ); + P( local.A, local.B, local.C, local.D, local.X[ 2], 3 ); + P( local.D, local.A, local.B, local.C, local.X[10], 9 ); + P( local.C, local.D, local.A, local.B, local.X[ 6], 11 ); + P( local.B, local.C, local.D, local.A, local.X[14], 15 ); + P( local.A, local.B, local.C, local.D, local.X[ 1], 3 ); + P( local.D, local.A, local.B, local.C, local.X[ 9], 9 ); + P( local.C, local.D, local.A, local.B, local.X[ 5], 11 ); + P( local.B, local.C, local.D, local.A, local.X[13], 15 ); + P( local.A, local.B, local.C, local.D, local.X[ 3], 3 ); + P( local.D, local.A, local.B, local.C, local.X[11], 9 ); + P( local.C, local.D, local.A, local.B, local.X[ 7], 11 ); + P( local.B, local.C, local.D, local.A, local.X[15], 15 ); #undef F #undef P - ctx->state[0] += A; - ctx->state[1] += B; - ctx->state[2] += C; - ctx->state[3] += D; + ctx->state[0] += local.A; + ctx->state[1] += local.B; + ctx->state[2] += local.C; + ctx->state[3] += local.D; /* Zeroise variables to clear sensitive data from memory. */ - mbedtls_platform_zeroize( &X, sizeof( X ) ); - mbedtls_platform_zeroize( &A, sizeof( A ) ); - mbedtls_platform_zeroize( &B, sizeof( B ) ); - mbedtls_platform_zeroize( &C, sizeof( C ) ); - mbedtls_platform_zeroize( &D, sizeof( D ) ); + mbedtls_platform_zeroize( &local, sizeof( local ) ); return( 0 ); } diff --git a/library/md5.c b/library/md5.c index acd504e52..f5d5f4c16 100644 --- a/library/md5.c +++ b/library/md5.c @@ -114,135 +114,134 @@ void mbedtls_md5_starts( mbedtls_md5_context *ctx ) int mbedtls_internal_md5_process( mbedtls_md5_context *ctx, const unsigned char data[64] ) { - uint32_t X[16], A, B, C, D; + struct + { + uint32_t X[16], A, B, C, D; + } local; - GET_UINT32_LE( X[ 0], data, 0 ); - GET_UINT32_LE( X[ 1], data, 4 ); - GET_UINT32_LE( X[ 2], data, 8 ); - GET_UINT32_LE( X[ 3], data, 12 ); - GET_UINT32_LE( X[ 4], data, 16 ); - GET_UINT32_LE( X[ 5], data, 20 ); - GET_UINT32_LE( X[ 6], data, 24 ); - GET_UINT32_LE( X[ 7], data, 28 ); - GET_UINT32_LE( X[ 8], data, 32 ); - GET_UINT32_LE( X[ 9], data, 36 ); - GET_UINT32_LE( X[10], data, 40 ); - GET_UINT32_LE( X[11], data, 44 ); - GET_UINT32_LE( X[12], data, 48 ); - GET_UINT32_LE( X[13], data, 52 ); - GET_UINT32_LE( X[14], data, 56 ); - GET_UINT32_LE( X[15], data, 60 ); + GET_UINT32_LE( local.X[ 0], data, 0 ); + GET_UINT32_LE( local.X[ 1], data, 4 ); + GET_UINT32_LE( local.X[ 2], data, 8 ); + GET_UINT32_LE( local.X[ 3], data, 12 ); + GET_UINT32_LE( local.X[ 4], data, 16 ); + GET_UINT32_LE( local.X[ 5], data, 20 ); + GET_UINT32_LE( local.X[ 6], data, 24 ); + GET_UINT32_LE( local.X[ 7], data, 28 ); + GET_UINT32_LE( local.X[ 8], data, 32 ); + GET_UINT32_LE( local.X[ 9], data, 36 ); + GET_UINT32_LE( local.X[10], data, 40 ); + GET_UINT32_LE( local.X[11], data, 44 ); + GET_UINT32_LE( local.X[12], data, 48 ); + GET_UINT32_LE( local.X[13], data, 52 ); + GET_UINT32_LE( local.X[14], data, 56 ); + GET_UINT32_LE( local.X[15], data, 60 ); #define S(x,n) \ ( ( (x) << (n) ) | ( ( (x) & 0xFFFFFFFF) >> ( 32 - (n) ) ) ) -#define P(a,b,c,d,k,s,t) \ - do \ - { \ - (a) += F((b),(c),(d)) + X[(k)] + (t); \ - (a) = S((a),(s)) + (b); \ +#define P(a,b,c,d,k,s,t) \ + do \ + { \ + (a) += F((b),(c),(d)) + local.X[(k)] + (t); \ + (a) = S((a),(s)) + (b); \ } while( 0 ) - A = ctx->state[0]; - B = ctx->state[1]; - C = ctx->state[2]; - D = ctx->state[3]; + local.A = ctx->state[0]; + local.B = ctx->state[1]; + local.C = ctx->state[2]; + local.D = ctx->state[3]; #define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) - P( A, B, C, D, 0, 7, 0xD76AA478 ); - P( D, A, B, C, 1, 12, 0xE8C7B756 ); - P( C, D, A, B, 2, 17, 0x242070DB ); - P( B, C, D, A, 3, 22, 0xC1BDCEEE ); - P( A, B, C, D, 4, 7, 0xF57C0FAF ); - P( D, A, B, C, 5, 12, 0x4787C62A ); - P( C, D, A, B, 6, 17, 0xA8304613 ); - P( B, C, D, A, 7, 22, 0xFD469501 ); - P( A, B, C, D, 8, 7, 0x698098D8 ); - P( D, A, B, C, 9, 12, 0x8B44F7AF ); - P( C, D, A, B, 10, 17, 0xFFFF5BB1 ); - P( B, C, D, A, 11, 22, 0x895CD7BE ); - P( A, B, C, D, 12, 7, 0x6B901122 ); - P( D, A, B, C, 13, 12, 0xFD987193 ); - P( C, D, A, B, 14, 17, 0xA679438E ); - P( B, C, D, A, 15, 22, 0x49B40821 ); + P( local.A, local.B, local.C, local.D, 0, 7, 0xD76AA478 ); + P( local.D, local.A, local.B, local.C, 1, 12, 0xE8C7B756 ); + P( local.C, local.D, local.A, local.B, 2, 17, 0x242070DB ); + P( local.B, local.C, local.D, local.A, 3, 22, 0xC1BDCEEE ); + P( local.A, local.B, local.C, local.D, 4, 7, 0xF57C0FAF ); + P( local.D, local.A, local.B, local.C, 5, 12, 0x4787C62A ); + P( local.C, local.D, local.A, local.B, 6, 17, 0xA8304613 ); + P( local.B, local.C, local.D, local.A, 7, 22, 0xFD469501 ); + P( local.A, local.B, local.C, local.D, 8, 7, 0x698098D8 ); + P( local.D, local.A, local.B, local.C, 9, 12, 0x8B44F7AF ); + P( local.C, local.D, local.A, local.B, 10, 17, 0xFFFF5BB1 ); + P( local.B, local.C, local.D, local.A, 11, 22, 0x895CD7BE ); + P( local.A, local.B, local.C, local.D, 12, 7, 0x6B901122 ); + P( local.D, local.A, local.B, local.C, 13, 12, 0xFD987193 ); + P( local.C, local.D, local.A, local.B, 14, 17, 0xA679438E ); + P( local.B, local.C, local.D, local.A, 15, 22, 0x49B40821 ); #undef F #define F(x,y,z) ((y) ^ ((z) & ((x) ^ (y)))) - P( A, B, C, D, 1, 5, 0xF61E2562 ); - P( D, A, B, C, 6, 9, 0xC040B340 ); - P( C, D, A, B, 11, 14, 0x265E5A51 ); - P( B, C, D, A, 0, 20, 0xE9B6C7AA ); - P( A, B, C, D, 5, 5, 0xD62F105D ); - P( D, A, B, C, 10, 9, 0x02441453 ); - P( C, D, A, B, 15, 14, 0xD8A1E681 ); - P( B, C, D, A, 4, 20, 0xE7D3FBC8 ); - P( A, B, C, D, 9, 5, 0x21E1CDE6 ); - P( D, A, B, C, 14, 9, 0xC33707D6 ); - P( C, D, A, B, 3, 14, 0xF4D50D87 ); - P( B, C, D, A, 8, 20, 0x455A14ED ); - P( A, B, C, D, 13, 5, 0xA9E3E905 ); - P( D, A, B, C, 2, 9, 0xFCEFA3F8 ); - P( C, D, A, B, 7, 14, 0x676F02D9 ); - P( B, C, D, A, 12, 20, 0x8D2A4C8A ); + P( local.A, local.B, local.C, local.D, 1, 5, 0xF61E2562 ); + P( local.D, local.A, local.B, local.C, 6, 9, 0xC040B340 ); + P( local.C, local.D, local.A, local.B, 11, 14, 0x265E5A51 ); + P( local.B, local.C, local.D, local.A, 0, 20, 0xE9B6C7AA ); + P( local.A, local.B, local.C, local.D, 5, 5, 0xD62F105D ); + P( local.D, local.A, local.B, local.C, 10, 9, 0x02441453 ); + P( local.C, local.D, local.A, local.B, 15, 14, 0xD8A1E681 ); + P( local.B, local.C, local.D, local.A, 4, 20, 0xE7D3FBC8 ); + P( local.A, local.B, local.C, local.D, 9, 5, 0x21E1CDE6 ); + P( local.D, local.A, local.B, local.C, 14, 9, 0xC33707D6 ); + P( local.C, local.D, local.A, local.B, 3, 14, 0xF4D50D87 ); + P( local.B, local.C, local.D, local.A, 8, 20, 0x455A14ED ); + P( local.A, local.B, local.C, local.D, 13, 5, 0xA9E3E905 ); + P( local.D, local.A, local.B, local.C, 2, 9, 0xFCEFA3F8 ); + P( local.C, local.D, local.A, local.B, 7, 14, 0x676F02D9 ); + P( local.B, local.C, local.D, local.A, 12, 20, 0x8D2A4C8A ); #undef F #define F(x,y,z) ((x) ^ (y) ^ (z)) - P( A, B, C, D, 5, 4, 0xFFFA3942 ); - P( D, A, B, C, 8, 11, 0x8771F681 ); - P( C, D, A, B, 11, 16, 0x6D9D6122 ); - P( B, C, D, A, 14, 23, 0xFDE5380C ); - P( A, B, C, D, 1, 4, 0xA4BEEA44 ); - P( D, A, B, C, 4, 11, 0x4BDECFA9 ); - P( C, D, A, B, 7, 16, 0xF6BB4B60 ); - P( B, C, D, A, 10, 23, 0xBEBFBC70 ); - P( A, B, C, D, 13, 4, 0x289B7EC6 ); - P( D, A, B, C, 0, 11, 0xEAA127FA ); - P( C, D, A, B, 3, 16, 0xD4EF3085 ); - P( B, C, D, A, 6, 23, 0x04881D05 ); - P( A, B, C, D, 9, 4, 0xD9D4D039 ); - P( D, A, B, C, 12, 11, 0xE6DB99E5 ); - P( C, D, A, B, 15, 16, 0x1FA27CF8 ); - P( B, C, D, A, 2, 23, 0xC4AC5665 ); + P( local.A, local.B, local.C, local.D, 5, 4, 0xFFFA3942 ); + P( local.D, local.A, local.B, local.C, 8, 11, 0x8771F681 ); + P( local.C, local.D, local.A, local.B, 11, 16, 0x6D9D6122 ); + P( local.B, local.C, local.D, local.A, 14, 23, 0xFDE5380C ); + P( local.A, local.B, local.C, local.D, 1, 4, 0xA4BEEA44 ); + P( local.D, local.A, local.B, local.C, 4, 11, 0x4BDECFA9 ); + P( local.C, local.D, local.A, local.B, 7, 16, 0xF6BB4B60 ); + P( local.B, local.C, local.D, local.A, 10, 23, 0xBEBFBC70 ); + P( local.A, local.B, local.C, local.D, 13, 4, 0x289B7EC6 ); + P( local.D, local.A, local.B, local.C, 0, 11, 0xEAA127FA ); + P( local.C, local.D, local.A, local.B, 3, 16, 0xD4EF3085 ); + P( local.B, local.C, local.D, local.A, 6, 23, 0x04881D05 ); + P( local.A, local.B, local.C, local.D, 9, 4, 0xD9D4D039 ); + P( local.D, local.A, local.B, local.C, 12, 11, 0xE6DB99E5 ); + P( local.C, local.D, local.A, local.B, 15, 16, 0x1FA27CF8 ); + P( local.B, local.C, local.D, local.A, 2, 23, 0xC4AC5665 ); #undef F #define F(x,y,z) ((y) ^ ((x) | ~(z))) - P( A, B, C, D, 0, 6, 0xF4292244 ); - P( D, A, B, C, 7, 10, 0x432AFF97 ); - P( C, D, A, B, 14, 15, 0xAB9423A7 ); - P( B, C, D, A, 5, 21, 0xFC93A039 ); - P( A, B, C, D, 12, 6, 0x655B59C3 ); - P( D, A, B, C, 3, 10, 0x8F0CCC92 ); - P( C, D, A, B, 10, 15, 0xFFEFF47D ); - P( B, C, D, A, 1, 21, 0x85845DD1 ); - P( A, B, C, D, 8, 6, 0x6FA87E4F ); - P( D, A, B, C, 15, 10, 0xFE2CE6E0 ); - P( C, D, A, B, 6, 15, 0xA3014314 ); - P( B, C, D, A, 13, 21, 0x4E0811A1 ); - P( A, B, C, D, 4, 6, 0xF7537E82 ); - P( D, A, B, C, 11, 10, 0xBD3AF235 ); - P( C, D, A, B, 2, 15, 0x2AD7D2BB ); - P( B, C, D, A, 9, 21, 0xEB86D391 ); + P( local.A, local.B, local.C, local.D, 0, 6, 0xF4292244 ); + P( local.D, local.A, local.B, local.C, 7, 10, 0x432AFF97 ); + P( local.C, local.D, local.A, local.B, 14, 15, 0xAB9423A7 ); + P( local.B, local.C, local.D, local.A, 5, 21, 0xFC93A039 ); + P( local.A, local.B, local.C, local.D, 12, 6, 0x655B59C3 ); + P( local.D, local.A, local.B, local.C, 3, 10, 0x8F0CCC92 ); + P( local.C, local.D, local.A, local.B, 10, 15, 0xFFEFF47D ); + P( local.B, local.C, local.D, local.A, 1, 21, 0x85845DD1 ); + P( local.A, local.B, local.C, local.D, 8, 6, 0x6FA87E4F ); + P( local.D, local.A, local.B, local.C, 15, 10, 0xFE2CE6E0 ); + P( local.C, local.D, local.A, local.B, 6, 15, 0xA3014314 ); + P( local.B, local.C, local.D, local.A, 13, 21, 0x4E0811A1 ); + P( local.A, local.B, local.C, local.D, 4, 6, 0xF7537E82 ); + P( local.D, local.A, local.B, local.C, 11, 10, 0xBD3AF235 ); + P( local.C, local.D, local.A, local.B, 2, 15, 0x2AD7D2BB ); + P( local.B, local.C, local.D, local.A, 9, 21, 0xEB86D391 ); #undef F - ctx->state[0] += A; - ctx->state[1] += B; - ctx->state[2] += C; - ctx->state[3] += D; + ctx->state[0] += local.A; + ctx->state[1] += local.B; + ctx->state[2] += local.C; + ctx->state[3] += local.D; /* Zeroise variables to clear sensitive data from memory. */ - mbedtls_platform_zeroize( &X, sizeof( X ) ); - mbedtls_platform_zeroize( &A, sizeof( A ) ); - mbedtls_platform_zeroize( &B, sizeof( B ) ); - mbedtls_platform_zeroize( &C, sizeof( C ) ); - mbedtls_platform_zeroize( &D, sizeof( D ) ); + mbedtls_platform_zeroize( &local, sizeof( local ) ); return( 0 ); } diff --git a/library/ripemd160.c b/library/ripemd160.c index 2ff864f93..4511445f6 100644 --- a/library/ripemd160.c +++ b/library/ripemd160.c @@ -119,30 +119,33 @@ void mbedtls_ripemd160_starts( mbedtls_ripemd160_context *ctx ) int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, const unsigned char data[64] ) { - uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16]; + struct + { + uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16]; + } local; - GET_UINT32_LE( X[ 0], data, 0 ); - GET_UINT32_LE( X[ 1], data, 4 ); - GET_UINT32_LE( X[ 2], data, 8 ); - GET_UINT32_LE( X[ 3], data, 12 ); - GET_UINT32_LE( X[ 4], data, 16 ); - GET_UINT32_LE( X[ 5], data, 20 ); - GET_UINT32_LE( X[ 6], data, 24 ); - GET_UINT32_LE( X[ 7], data, 28 ); - GET_UINT32_LE( X[ 8], data, 32 ); - GET_UINT32_LE( X[ 9], data, 36 ); - GET_UINT32_LE( X[10], data, 40 ); - GET_UINT32_LE( X[11], data, 44 ); - GET_UINT32_LE( X[12], data, 48 ); - GET_UINT32_LE( X[13], data, 52 ); - GET_UINT32_LE( X[14], data, 56 ); - GET_UINT32_LE( X[15], data, 60 ); + GET_UINT32_LE( local.X[ 0], data, 0 ); + GET_UINT32_LE( local.X[ 1], data, 4 ); + GET_UINT32_LE( local.X[ 2], data, 8 ); + GET_UINT32_LE( local.X[ 3], data, 12 ); + GET_UINT32_LE( local.X[ 4], data, 16 ); + GET_UINT32_LE( local.X[ 5], data, 20 ); + GET_UINT32_LE( local.X[ 6], data, 24 ); + GET_UINT32_LE( local.X[ 7], data, 28 ); + GET_UINT32_LE( local.X[ 8], data, 32 ); + GET_UINT32_LE( local.X[ 9], data, 36 ); + GET_UINT32_LE( local.X[10], data, 40 ); + GET_UINT32_LE( local.X[11], data, 44 ); + GET_UINT32_LE( local.X[12], data, 48 ); + GET_UINT32_LE( local.X[13], data, 52 ); + GET_UINT32_LE( local.X[14], data, 56 ); + GET_UINT32_LE( local.X[15], data, 60 ); - A = Ap = ctx->state[0]; - B = Bp = ctx->state[1]; - C = Cp = ctx->state[2]; - D = Dp = ctx->state[3]; - E = Ep = ctx->state[4]; + local.A = local.Ap = ctx->state[0]; + local.B = local.Bp = ctx->state[1]; + local.C = local.Cp = ctx->state[2]; + local.D = local.Dp = ctx->state[3]; + local.E = local.Ep = ctx->state[4]; #define F1( x, y, z ) ( (x) ^ (y) ^ (z) ) #define F2( x, y, z ) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) @@ -152,12 +155,12 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, #define S( x, n ) ( ( (x) << (n) ) | ( (x) >> (32 - (n)) ) ) -#define P( a, b, c, d, e, r, s, f, k ) \ - do \ - { \ - (a) += f( (b), (c), (d) ) + X[r] + (k); \ - (a) = S( (a), (s) ) + (e); \ - (c) = S( (c), 10 ); \ +#define P( a, b, c, d, e, r, s, f, k ) \ + do \ + { \ + (a) += f( (b), (c), (d) ) + local.X[r] + (k); \ + (a) = S( (a), (s) ) + (e); \ + (c) = S( (c), 10 ); \ } while( 0 ) #define P2( a, b, c, d, e, r, s, rp, sp ) \ @@ -172,22 +175,22 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, #define K 0x00000000 #define Fp F5 #define Kp 0x50A28BE6 - P2( A, B, C, D, E, 0, 11, 5, 8 ); - P2( E, A, B, C, D, 1, 14, 14, 9 ); - P2( D, E, A, B, C, 2, 15, 7, 9 ); - P2( C, D, E, A, B, 3, 12, 0, 11 ); - P2( B, C, D, E, A, 4, 5, 9, 13 ); - P2( A, B, C, D, E, 5, 8, 2, 15 ); - P2( E, A, B, C, D, 6, 7, 11, 15 ); - P2( D, E, A, B, C, 7, 9, 4, 5 ); - P2( C, D, E, A, B, 8, 11, 13, 7 ); - P2( B, C, D, E, A, 9, 13, 6, 7 ); - P2( A, B, C, D, E, 10, 14, 15, 8 ); - P2( E, A, B, C, D, 11, 15, 8, 11 ); - P2( D, E, A, B, C, 12, 6, 1, 14 ); - P2( C, D, E, A, B, 13, 7, 10, 14 ); - P2( B, C, D, E, A, 14, 9, 3, 12 ); - P2( A, B, C, D, E, 15, 8, 12, 6 ); + P2( local.A, local.B, local.C, local.D, local.E, 0, 11, 5, 8 ); + P2( local.E, local.A, local.B, local.C, local.D, 1, 14, 14, 9 ); + P2( local.D, local.E, local.A, local.B, local.C, 2, 15, 7, 9 ); + P2( local.C, local.D, local.E, local.A, local.B, 3, 12, 0, 11 ); + P2( local.B, local.C, local.D, local.E, local.A, 4, 5, 9, 13 ); + P2( local.A, local.B, local.C, local.D, local.E, 5, 8, 2, 15 ); + P2( local.E, local.A, local.B, local.C, local.D, 6, 7, 11, 15 ); + P2( local.D, local.E, local.A, local.B, local.C, 7, 9, 4, 5 ); + P2( local.C, local.D, local.E, local.A, local.B, 8, 11, 13, 7 ); + P2( local.B, local.C, local.D, local.E, local.A, 9, 13, 6, 7 ); + P2( local.A, local.B, local.C, local.D, local.E, 10, 14, 15, 8 ); + P2( local.E, local.A, local.B, local.C, local.D, 11, 15, 8, 11 ); + P2( local.D, local.E, local.A, local.B, local.C, 12, 6, 1, 14 ); + P2( local.C, local.D, local.E, local.A, local.B, 13, 7, 10, 14 ); + P2( local.B, local.C, local.D, local.E, local.A, 14, 9, 3, 12 ); + P2( local.A, local.B, local.C, local.D, local.E, 15, 8, 12, 6 ); #undef F #undef K #undef Fp @@ -197,22 +200,22 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, #define K 0x5A827999 #define Fp F4 #define Kp 0x5C4DD124 - P2( E, A, B, C, D, 7, 7, 6, 9 ); - P2( D, E, A, B, C, 4, 6, 11, 13 ); - P2( C, D, E, A, B, 13, 8, 3, 15 ); - P2( B, C, D, E, A, 1, 13, 7, 7 ); - P2( A, B, C, D, E, 10, 11, 0, 12 ); - P2( E, A, B, C, D, 6, 9, 13, 8 ); - P2( D, E, A, B, C, 15, 7, 5, 9 ); - P2( C, D, E, A, B, 3, 15, 10, 11 ); - P2( B, C, D, E, A, 12, 7, 14, 7 ); - P2( A, B, C, D, E, 0, 12, 15, 7 ); - P2( E, A, B, C, D, 9, 15, 8, 12 ); - P2( D, E, A, B, C, 5, 9, 12, 7 ); - P2( C, D, E, A, B, 2, 11, 4, 6 ); - P2( B, C, D, E, A, 14, 7, 9, 15 ); - P2( A, B, C, D, E, 11, 13, 1, 13 ); - P2( E, A, B, C, D, 8, 12, 2, 11 ); + P2( local.E, local.A, local.B, local.C, local.D, 7, 7, 6, 9 ); + P2( local.D, local.E, local.A, local.B, local.C, 4, 6, 11, 13 ); + P2( local.C, local.D, local.E, local.A, local.B, 13, 8, 3, 15 ); + P2( local.B, local.C, local.D, local.E, local.A, 1, 13, 7, 7 ); + P2( local.A, local.B, local.C, local.D, local.E, 10, 11, 0, 12 ); + P2( local.E, local.A, local.B, local.C, local.D, 6, 9, 13, 8 ); + P2( local.D, local.E, local.A, local.B, local.C, 15, 7, 5, 9 ); + P2( local.C, local.D, local.E, local.A, local.B, 3, 15, 10, 11 ); + P2( local.B, local.C, local.D, local.E, local.A, 12, 7, 14, 7 ); + P2( local.A, local.B, local.C, local.D, local.E, 0, 12, 15, 7 ); + P2( local.E, local.A, local.B, local.C, local.D, 9, 15, 8, 12 ); + P2( local.D, local.E, local.A, local.B, local.C, 5, 9, 12, 7 ); + P2( local.C, local.D, local.E, local.A, local.B, 2, 11, 4, 6 ); + P2( local.B, local.C, local.D, local.E, local.A, 14, 7, 9, 15 ); + P2( local.A, local.B, local.C, local.D, local.E, 11, 13, 1, 13 ); + P2( local.E, local.A, local.B, local.C, local.D, 8, 12, 2, 11 ); #undef F #undef K #undef Fp @@ -222,22 +225,22 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, #define K 0x6ED9EBA1 #define Fp F3 #define Kp 0x6D703EF3 - P2( D, E, A, B, C, 3, 11, 15, 9 ); - P2( C, D, E, A, B, 10, 13, 5, 7 ); - P2( B, C, D, E, A, 14, 6, 1, 15 ); - P2( A, B, C, D, E, 4, 7, 3, 11 ); - P2( E, A, B, C, D, 9, 14, 7, 8 ); - P2( D, E, A, B, C, 15, 9, 14, 6 ); - P2( C, D, E, A, B, 8, 13, 6, 6 ); - P2( B, C, D, E, A, 1, 15, 9, 14 ); - P2( A, B, C, D, E, 2, 14, 11, 12 ); - P2( E, A, B, C, D, 7, 8, 8, 13 ); - P2( D, E, A, B, C, 0, 13, 12, 5 ); - P2( C, D, E, A, B, 6, 6, 2, 14 ); - P2( B, C, D, E, A, 13, 5, 10, 13 ); - P2( A, B, C, D, E, 11, 12, 0, 13 ); - P2( E, A, B, C, D, 5, 7, 4, 7 ); - P2( D, E, A, B, C, 12, 5, 13, 5 ); + P2( local.D, local.E, local.A, local.B, local.C, 3, 11, 15, 9 ); + P2( local.C, local.D, local.E, local.A, local.B, 10, 13, 5, 7 ); + P2( local.B, local.C, local.D, local.E, local.A, 14, 6, 1, 15 ); + P2( local.A, local.B, local.C, local.D, local.E, 4, 7, 3, 11 ); + P2( local.E, local.A, local.B, local.C, local.D, 9, 14, 7, 8 ); + P2( local.D, local.E, local.A, local.B, local.C, 15, 9, 14, 6 ); + P2( local.C, local.D, local.E, local.A, local.B, 8, 13, 6, 6 ); + P2( local.B, local.C, local.D, local.E, local.A, 1, 15, 9, 14 ); + P2( local.A, local.B, local.C, local.D, local.E, 2, 14, 11, 12 ); + P2( local.E, local.A, local.B, local.C, local.D, 7, 8, 8, 13 ); + P2( local.D, local.E, local.A, local.B, local.C, 0, 13, 12, 5 ); + P2( local.C, local.D, local.E, local.A, local.B, 6, 6, 2, 14 ); + P2( local.B, local.C, local.D, local.E, local.A, 13, 5, 10, 13 ); + P2( local.A, local.B, local.C, local.D, local.E, 11, 12, 0, 13 ); + P2( local.E, local.A, local.B, local.C, local.D, 5, 7, 4, 7 ); + P2( local.D, local.E, local.A, local.B, local.C, 12, 5, 13, 5 ); #undef F #undef K #undef Fp @@ -247,22 +250,22 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, #define K 0x8F1BBCDC #define Fp F2 #define Kp 0x7A6D76E9 - P2( C, D, E, A, B, 1, 11, 8, 15 ); - P2( B, C, D, E, A, 9, 12, 6, 5 ); - P2( A, B, C, D, E, 11, 14, 4, 8 ); - P2( E, A, B, C, D, 10, 15, 1, 11 ); - P2( D, E, A, B, C, 0, 14, 3, 14 ); - P2( C, D, E, A, B, 8, 15, 11, 14 ); - P2( B, C, D, E, A, 12, 9, 15, 6 ); - P2( A, B, C, D, E, 4, 8, 0, 14 ); - P2( E, A, B, C, D, 13, 9, 5, 6 ); - P2( D, E, A, B, C, 3, 14, 12, 9 ); - P2( C, D, E, A, B, 7, 5, 2, 12 ); - P2( B, C, D, E, A, 15, 6, 13, 9 ); - P2( A, B, C, D, E, 14, 8, 9, 12 ); - P2( E, A, B, C, D, 5, 6, 7, 5 ); - P2( D, E, A, B, C, 6, 5, 10, 15 ); - P2( C, D, E, A, B, 2, 12, 14, 8 ); + P2( local.C, local.D, local.E, local.A, local.B, 1, 11, 8, 15 ); + P2( local.B, local.C, local.D, local.E, local.A, 9, 12, 6, 5 ); + P2( local.A, local.B, local.C, local.D, local.E, 11, 14, 4, 8 ); + P2( local.E, local.A, local.B, local.C, local.D, 10, 15, 1, 11 ); + P2( local.D, local.E, local.A, local.B, local.C, 0, 14, 3, 14 ); + P2( local.C, local.D, local.E, local.A, local.B, 8, 15, 11, 14 ); + P2( local.B, local.C, local.D, local.E, local.A, 12, 9, 15, 6 ); + P2( local.A, local.B, local.C, local.D, local.E, 4, 8, 0, 14 ); + P2( local.E, local.A, local.B, local.C, local.D, 13, 9, 5, 6 ); + P2( local.D, local.E, local.A, local.B, local.C, 3, 14, 12, 9 ); + P2( local.C, local.D, local.E, local.A, local.B, 7, 5, 2, 12 ); + P2( local.B, local.C, local.D, local.E, local.A, 15, 6, 13, 9 ); + P2( local.A, local.B, local.C, local.D, local.E, 14, 8, 9, 12 ); + P2( local.E, local.A, local.B, local.C, local.D, 5, 6, 7, 5 ); + P2( local.D, local.E, local.A, local.B, local.C, 6, 5, 10, 15 ); + P2( local.C, local.D, local.E, local.A, local.B, 2, 12, 14, 8 ); #undef F #undef K #undef Fp @@ -272,46 +275,36 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, #define K 0xA953FD4E #define Fp F1 #define Kp 0x00000000 - P2( B, C, D, E, A, 4, 9, 12, 8 ); - P2( A, B, C, D, E, 0, 15, 15, 5 ); - P2( E, A, B, C, D, 5, 5, 10, 12 ); - P2( D, E, A, B, C, 9, 11, 4, 9 ); - P2( C, D, E, A, B, 7, 6, 1, 12 ); - P2( B, C, D, E, A, 12, 8, 5, 5 ); - P2( A, B, C, D, E, 2, 13, 8, 14 ); - P2( E, A, B, C, D, 10, 12, 7, 6 ); - P2( D, E, A, B, C, 14, 5, 6, 8 ); - P2( C, D, E, A, B, 1, 12, 2, 13 ); - P2( B, C, D, E, A, 3, 13, 13, 6 ); - P2( A, B, C, D, E, 8, 14, 14, 5 ); - P2( E, A, B, C, D, 11, 11, 0, 15 ); - P2( D, E, A, B, C, 6, 8, 3, 13 ); - P2( C, D, E, A, B, 15, 5, 9, 11 ); - P2( B, C, D, E, A, 13, 6, 11, 11 ); + P2( local.B, local.C, local.D, local.E, local.A, 4, 9, 12, 8 ); + P2( local.A, local.B, local.C, local.D, local.E, 0, 15, 15, 5 ); + P2( local.E, local.A, local.B, local.C, local.D, 5, 5, 10, 12 ); + P2( local.D, local.E, local.A, local.B, local.C, 9, 11, 4, 9 ); + P2( local.C, local.D, local.E, local.A, local.B, 7, 6, 1, 12 ); + P2( local.B, local.C, local.D, local.E, local.A, 12, 8, 5, 5 ); + P2( local.A, local.B, local.C, local.D, local.E, 2, 13, 8, 14 ); + P2( local.E, local.A, local.B, local.C, local.D, 10, 12, 7, 6 ); + P2( local.D, local.E, local.A, local.B, local.C, 14, 5, 6, 8 ); + P2( local.C, local.D, local.E, local.A, local.B, 1, 12, 2, 13 ); + P2( local.B, local.C, local.D, local.E, local.A, 3, 13, 13, 6 ); + P2( local.A, local.B, local.C, local.D, local.E, 8, 14, 14, 5 ); + P2( local.E, local.A, local.B, local.C, local.D, 11, 11, 0, 15 ); + P2( local.D, local.E, local.A, local.B, local.C, 6, 8, 3, 13 ); + P2( local.C, local.D, local.E, local.A, local.B, 15, 5, 9, 11 ); + P2( local.B, local.C, local.D, local.E, local.A, 13, 6, 11, 11 ); #undef F #undef K #undef Fp #undef Kp - C = ctx->state[1] + C + Dp; - ctx->state[1] = ctx->state[2] + D + Ep; - ctx->state[2] = ctx->state[3] + E + Ap; - ctx->state[3] = ctx->state[4] + A + Bp; - ctx->state[4] = ctx->state[0] + B + Cp; - ctx->state[0] = C; + local.C = ctx->state[1] + local.C + local.Dp; + ctx->state[1] = ctx->state[2] + local.D + local.Ep; + ctx->state[2] = ctx->state[3] + local.E + local.Ap; + ctx->state[3] = ctx->state[4] + local.A + local.Bp; + ctx->state[4] = ctx->state[0] + local.B + local.Cp; + ctx->state[0] = local.C; /* Zeroise variables to clear sensitive data from memory. */ - mbedtls_platform_zeroize( &A, sizeof( A ) ); - mbedtls_platform_zeroize( &B, sizeof( B ) ); - mbedtls_platform_zeroize( &C, sizeof( C ) ); - mbedtls_platform_zeroize( &D, sizeof( D ) ); - mbedtls_platform_zeroize( &E, sizeof( E ) ); - mbedtls_platform_zeroize( &Ap, sizeof( Ap ) ); - mbedtls_platform_zeroize( &Bp, sizeof( Bp ) ); - mbedtls_platform_zeroize( &Cp, sizeof( Cp ) ); - mbedtls_platform_zeroize( &Dp, sizeof( Dp ) ); - mbedtls_platform_zeroize( &Ep, sizeof( Ep ) ); - mbedtls_platform_zeroize( &X, sizeof( X ) ); + mbedtls_platform_zeroize( &local, sizeof( local ) ); return( 0 ); } diff --git a/library/sha1.c b/library/sha1.c index c973455a7..84bbd551f 100644 --- a/library/sha1.c +++ b/library/sha1.c @@ -127,35 +127,40 @@ void mbedtls_sha1_starts( mbedtls_sha1_context *ctx ) int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[64] ) { - uint32_t temp, W[16], A, B, C, D, E; + struct + { + uint32_t temp, W[16], A, B, C, D, E; + } local; SHA1_VALIDATE_RET( ctx != NULL ); SHA1_VALIDATE_RET( (const unsigned char *)data != NULL ); - GET_UINT32_BE( W[ 0], data, 0 ); - GET_UINT32_BE( W[ 1], data, 4 ); - GET_UINT32_BE( W[ 2], data, 8 ); - GET_UINT32_BE( W[ 3], data, 12 ); - GET_UINT32_BE( W[ 4], data, 16 ); - GET_UINT32_BE( W[ 5], data, 20 ); - GET_UINT32_BE( W[ 6], data, 24 ); - GET_UINT32_BE( W[ 7], data, 28 ); - GET_UINT32_BE( W[ 8], data, 32 ); - GET_UINT32_BE( W[ 9], data, 36 ); - GET_UINT32_BE( W[10], data, 40 ); - GET_UINT32_BE( W[11], data, 44 ); - GET_UINT32_BE( W[12], data, 48 ); - GET_UINT32_BE( W[13], data, 52 ); - GET_UINT32_BE( W[14], data, 56 ); - GET_UINT32_BE( W[15], data, 60 ); + GET_UINT32_BE( local.W[ 0], data, 0 ); + GET_UINT32_BE( local.W[ 1], data, 4 ); + GET_UINT32_BE( local.W[ 2], data, 8 ); + GET_UINT32_BE( local.W[ 3], data, 12 ); + GET_UINT32_BE( local.W[ 4], data, 16 ); + GET_UINT32_BE( local.W[ 5], data, 20 ); + GET_UINT32_BE( local.W[ 6], data, 24 ); + GET_UINT32_BE( local.W[ 7], data, 28 ); + GET_UINT32_BE( local.W[ 8], data, 32 ); + GET_UINT32_BE( local.W[ 9], data, 36 ); + GET_UINT32_BE( local.W[10], data, 40 ); + GET_UINT32_BE( local.W[11], data, 44 ); + GET_UINT32_BE( local.W[12], data, 48 ); + GET_UINT32_BE( local.W[13], data, 52 ); + GET_UINT32_BE( local.W[14], data, 56 ); + GET_UINT32_BE( local.W[15], data, 60 ); #define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n)))) #define R(t) \ ( \ - temp = W[( (t) - 3 ) & 0x0F] ^ W[( (t) - 8 ) & 0x0F] ^ \ - W[( (t) - 14 ) & 0x0F] ^ W[ (t) & 0x0F], \ - ( W[(t) & 0x0F] = S(temp,1) ) \ + local.temp = local.W[( (t) - 3 ) & 0x0F] ^ \ + local.W[( (t) - 8 ) & 0x0F] ^ \ + local.W[( (t) - 14 ) & 0x0F] ^ \ + local.W[ (t) & 0x0F], \ + ( local.W[(t) & 0x0F] = S(local.temp,1) ) \ ) #define P(a,b,c,d,e,x) \ @@ -165,35 +170,35 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, (b) = S((b),30); \ } while( 0 ) - A = ctx->state[0]; - B = ctx->state[1]; - C = ctx->state[2]; - D = ctx->state[3]; - E = ctx->state[4]; + local.A = ctx->state[0]; + local.B = ctx->state[1]; + local.C = ctx->state[2]; + local.D = ctx->state[3]; + local.E = ctx->state[4]; #define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) #define K 0x5A827999 - P( A, B, C, D, E, W[0] ); - P( E, A, B, C, D, W[1] ); - P( D, E, A, B, C, W[2] ); - P( C, D, E, A, B, W[3] ); - P( B, C, D, E, A, W[4] ); - P( A, B, C, D, E, W[5] ); - P( E, A, B, C, D, W[6] ); - P( D, E, A, B, C, W[7] ); - P( C, D, E, A, B, W[8] ); - P( B, C, D, E, A, W[9] ); - P( A, B, C, D, E, W[10] ); - P( E, A, B, C, D, W[11] ); - P( D, E, A, B, C, W[12] ); - P( C, D, E, A, B, W[13] ); - P( B, C, D, E, A, W[14] ); - P( A, B, C, D, E, W[15] ); - P( E, A, B, C, D, R(16) ); - P( D, E, A, B, C, R(17) ); - P( C, D, E, A, B, R(18) ); - P( B, C, D, E, A, R(19) ); + P( local.A, local.B, local.C, local.D, local.E, local.W[0] ); + P( local.E, local.A, local.B, local.C, local.D, local.W[1] ); + P( local.D, local.E, local.A, local.B, local.C, local.W[2] ); + P( local.C, local.D, local.E, local.A, local.B, local.W[3] ); + P( local.B, local.C, local.D, local.E, local.A, local.W[4] ); + P( local.A, local.B, local.C, local.D, local.E, local.W[5] ); + P( local.E, local.A, local.B, local.C, local.D, local.W[6] ); + P( local.D, local.E, local.A, local.B, local.C, local.W[7] ); + P( local.C, local.D, local.E, local.A, local.B, local.W[8] ); + P( local.B, local.C, local.D, local.E, local.A, local.W[9] ); + P( local.A, local.B, local.C, local.D, local.E, local.W[10] ); + P( local.E, local.A, local.B, local.C, local.D, local.W[11] ); + P( local.D, local.E, local.A, local.B, local.C, local.W[12] ); + P( local.C, local.D, local.E, local.A, local.B, local.W[13] ); + P( local.B, local.C, local.D, local.E, local.A, local.W[14] ); + P( local.A, local.B, local.C, local.D, local.E, local.W[15] ); + P( local.E, local.A, local.B, local.C, local.D, R(16) ); + P( local.D, local.E, local.A, local.B, local.C, R(17) ); + P( local.C, local.D, local.E, local.A, local.B, R(18) ); + P( local.B, local.C, local.D, local.E, local.A, R(19) ); #undef K #undef F @@ -201,26 +206,26 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, #define F(x,y,z) ((x) ^ (y) ^ (z)) #define K 0x6ED9EBA1 - P( A, B, C, D, E, R(20) ); - P( E, A, B, C, D, R(21) ); - P( D, E, A, B, C, R(22) ); - P( C, D, E, A, B, R(23) ); - P( B, C, D, E, A, R(24) ); - P( A, B, C, D, E, R(25) ); - P( E, A, B, C, D, R(26) ); - P( D, E, A, B, C, R(27) ); - P( C, D, E, A, B, R(28) ); - P( B, C, D, E, A, R(29) ); - P( A, B, C, D, E, R(30) ); - P( E, A, B, C, D, R(31) ); - P( D, E, A, B, C, R(32) ); - P( C, D, E, A, B, R(33) ); - P( B, C, D, E, A, R(34) ); - P( A, B, C, D, E, R(35) ); - P( E, A, B, C, D, R(36) ); - P( D, E, A, B, C, R(37) ); - P( C, D, E, A, B, R(38) ); - P( B, C, D, E, A, R(39) ); + P( local.A, local.B, local.C, local.D, local.E, R(20) ); + P( local.E, local.A, local.B, local.C, local.D, R(21) ); + P( local.D, local.E, local.A, local.B, local.C, R(22) ); + P( local.C, local.D, local.E, local.A, local.B, R(23) ); + P( local.B, local.C, local.D, local.E, local.A, R(24) ); + P( local.A, local.B, local.C, local.D, local.E, R(25) ); + P( local.E, local.A, local.B, local.C, local.D, R(26) ); + P( local.D, local.E, local.A, local.B, local.C, R(27) ); + P( local.C, local.D, local.E, local.A, local.B, R(28) ); + P( local.B, local.C, local.D, local.E, local.A, R(29) ); + P( local.A, local.B, local.C, local.D, local.E, R(30) ); + P( local.E, local.A, local.B, local.C, local.D, R(31) ); + P( local.D, local.E, local.A, local.B, local.C, R(32) ); + P( local.C, local.D, local.E, local.A, local.B, R(33) ); + P( local.B, local.C, local.D, local.E, local.A, R(34) ); + P( local.A, local.B, local.C, local.D, local.E, R(35) ); + P( local.E, local.A, local.B, local.C, local.D, R(36) ); + P( local.D, local.E, local.A, local.B, local.C, R(37) ); + P( local.C, local.D, local.E, local.A, local.B, R(38) ); + P( local.B, local.C, local.D, local.E, local.A, R(39) ); #undef K #undef F @@ -228,26 +233,26 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, #define F(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) #define K 0x8F1BBCDC - P( A, B, C, D, E, R(40) ); - P( E, A, B, C, D, R(41) ); - P( D, E, A, B, C, R(42) ); - P( C, D, E, A, B, R(43) ); - P( B, C, D, E, A, R(44) ); - P( A, B, C, D, E, R(45) ); - P( E, A, B, C, D, R(46) ); - P( D, E, A, B, C, R(47) ); - P( C, D, E, A, B, R(48) ); - P( B, C, D, E, A, R(49) ); - P( A, B, C, D, E, R(50) ); - P( E, A, B, C, D, R(51) ); - P( D, E, A, B, C, R(52) ); - P( C, D, E, A, B, R(53) ); - P( B, C, D, E, A, R(54) ); - P( A, B, C, D, E, R(55) ); - P( E, A, B, C, D, R(56) ); - P( D, E, A, B, C, R(57) ); - P( C, D, E, A, B, R(58) ); - P( B, C, D, E, A, R(59) ); + P( local.A, local.B, local.C, local.D, local.E, R(40) ); + P( local.E, local.A, local.B, local.C, local.D, R(41) ); + P( local.D, local.E, local.A, local.B, local.C, R(42) ); + P( local.C, local.D, local.E, local.A, local.B, R(43) ); + P( local.B, local.C, local.D, local.E, local.A, R(44) ); + P( local.A, local.B, local.C, local.D, local.E, R(45) ); + P( local.E, local.A, local.B, local.C, local.D, R(46) ); + P( local.D, local.E, local.A, local.B, local.C, R(47) ); + P( local.C, local.D, local.E, local.A, local.B, R(48) ); + P( local.B, local.C, local.D, local.E, local.A, R(49) ); + P( local.A, local.B, local.C, local.D, local.E, R(50) ); + P( local.E, local.A, local.B, local.C, local.D, R(51) ); + P( local.D, local.E, local.A, local.B, local.C, R(52) ); + P( local.C, local.D, local.E, local.A, local.B, R(53) ); + P( local.B, local.C, local.D, local.E, local.A, R(54) ); + P( local.A, local.B, local.C, local.D, local.E, R(55) ); + P( local.E, local.A, local.B, local.C, local.D, R(56) ); + P( local.D, local.E, local.A, local.B, local.C, R(57) ); + P( local.C, local.D, local.E, local.A, local.B, R(58) ); + P( local.B, local.C, local.D, local.E, local.A, R(59) ); #undef K #undef F @@ -255,44 +260,38 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, #define F(x,y,z) ((x) ^ (y) ^ (z)) #define K 0xCA62C1D6 - P( A, B, C, D, E, R(60) ); - P( E, A, B, C, D, R(61) ); - P( D, E, A, B, C, R(62) ); - P( C, D, E, A, B, R(63) ); - P( B, C, D, E, A, R(64) ); - P( A, B, C, D, E, R(65) ); - P( E, A, B, C, D, R(66) ); - P( D, E, A, B, C, R(67) ); - P( C, D, E, A, B, R(68) ); - P( B, C, D, E, A, R(69) ); - P( A, B, C, D, E, R(70) ); - P( E, A, B, C, D, R(71) ); - P( D, E, A, B, C, R(72) ); - P( C, D, E, A, B, R(73) ); - P( B, C, D, E, A, R(74) ); - P( A, B, C, D, E, R(75) ); - P( E, A, B, C, D, R(76) ); - P( D, E, A, B, C, R(77) ); - P( C, D, E, A, B, R(78) ); - P( B, C, D, E, A, R(79) ); + P( local.A, local.B, local.C, local.D, local.E, R(60) ); + P( local.E, local.A, local.B, local.C, local.D, R(61) ); + P( local.D, local.E, local.A, local.B, local.C, R(62) ); + P( local.C, local.D, local.E, local.A, local.B, R(63) ); + P( local.B, local.C, local.D, local.E, local.A, R(64) ); + P( local.A, local.B, local.C, local.D, local.E, R(65) ); + P( local.E, local.A, local.B, local.C, local.D, R(66) ); + P( local.D, local.E, local.A, local.B, local.C, R(67) ); + P( local.C, local.D, local.E, local.A, local.B, R(68) ); + P( local.B, local.C, local.D, local.E, local.A, R(69) ); + P( local.A, local.B, local.C, local.D, local.E, R(70) ); + P( local.E, local.A, local.B, local.C, local.D, R(71) ); + P( local.D, local.E, local.A, local.B, local.C, R(72) ); + P( local.C, local.D, local.E, local.A, local.B, R(73) ); + P( local.B, local.C, local.D, local.E, local.A, R(74) ); + P( local.A, local.B, local.C, local.D, local.E, R(75) ); + P( local.E, local.A, local.B, local.C, local.D, R(76) ); + P( local.D, local.E, local.A, local.B, local.C, R(77) ); + P( local.C, local.D, local.E, local.A, local.B, R(78) ); + P( local.B, local.C, local.D, local.E, local.A, R(79) ); #undef K #undef F - ctx->state[0] += A; - ctx->state[1] += B; - ctx->state[2] += C; - ctx->state[3] += D; - ctx->state[4] += E; + ctx->state[0] += local.A; + ctx->state[1] += local.B; + ctx->state[2] += local.C; + ctx->state[3] += local.D; + ctx->state[4] += local.E; /* Zeroise buffers and variables to clear sensitive data from memory. */ - mbedtls_platform_zeroize( &A, sizeof( A ) ); - mbedtls_platform_zeroize( &B, sizeof( B ) ); - mbedtls_platform_zeroize( &C, sizeof( C ) ); - mbedtls_platform_zeroize( &D, sizeof( D ) ); - mbedtls_platform_zeroize( &E, sizeof( E ) ); - mbedtls_platform_zeroize( &W, sizeof( W ) ); - mbedtls_platform_zeroize( &temp, sizeof( temp ) ); + mbedtls_platform_zeroize( &local, sizeof( local ) ); return( 0 ); } diff --git a/library/sha256.c b/library/sha256.c index 0124fb72a..117436664 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -181,83 +181,104 @@ static const uint32_t K[] = #define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) #define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) -#define R(t) \ - ( \ - W[t] = S1(W[(t) - 2]) + W[(t) - 7] + \ - S0(W[(t) - 15]) + W[(t) - 16] \ +#define R(t) \ + ( \ + local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \ + S0(local.W[(t) - 15]) + local.W[(t) - 16] \ ) -#define P(a,b,c,d,e,f,g,h,x,K) \ - do \ - { \ - temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \ - temp2 = S2(a) + F0((a),(b),(c)); \ - (d) += temp1; (h) = temp1 + temp2; \ +#define P(a,b,c,d,e,f,g,h,x,K) \ + do \ + { \ + local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \ + local.temp2 = S2(a) + F0((a),(b),(c)); \ + (d) += local.temp1; (h) = local.temp1 + local.temp2; \ } while( 0 ) int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] ) { - uint32_t temp1, temp2, W[64]; - uint32_t A[8]; + struct + { + uint32_t temp1, temp2, W[64]; + uint32_t A[8]; + } local; + unsigned int i; SHA256_VALIDATE_RET( ctx != NULL ); SHA256_VALIDATE_RET( (const unsigned char *)data != NULL ); for( i = 0; i < 8; i++ ) - A[i] = ctx->state[i]; + local.A[i] = ctx->state[i]; #if defined(MBEDTLS_SHA256_SMALLER) for( i = 0; i < 64; i++ ) { if( i < 16 ) - GET_UINT32_BE( W[i], data, 4 * i ); + GET_UINT32_BE( local.W[i], data, 4 * i ); else R( i ); - P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] ); + P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], + local.A[5], local.A[6], local.A[7], local.W[i], K[i] ); - temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3]; - A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1; + local.temp1 = local.A[7]; local.A[7] = local.A[6]; + local.A[6] = local.A[5]; local.A[5] = local.A[4]; + local.A[4] = local.A[3]; local.A[3] = local.A[2]; + local.A[2] = local.A[1]; local.A[1] = local.A[0]; + local.A[0] = local.temp1; } #else /* MBEDTLS_SHA256_SMALLER */ for( i = 0; i < 16; i++ ) - GET_UINT32_BE( W[i], data, 4 * i ); + GET_UINT32_BE( local.W[i], data, 4 * i ); for( i = 0; i < 16; i += 8 ) { - P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] ); - P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] ); - P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] ); - P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] ); - P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] ); - P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] ); - P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] ); - P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] ); + P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], + local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0] ); + P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3], + local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1] ); + P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2], + local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2] ); + P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1], + local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3] ); + P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0], + local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4] ); + P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7], + local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5] ); + P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6], + local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6] ); + P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5], + local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7] ); } for( i = 16; i < 64; i += 8 ) { - P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] ); - P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] ); - P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] ); - P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] ); - P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] ); - P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] ); - P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] ); - P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] ); + P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], + local.A[5], local.A[6], local.A[7], R(i+0), K[i+0] ); + P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3], + local.A[4], local.A[5], local.A[6], R(i+1), K[i+1] ); + P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2], + local.A[3], local.A[4], local.A[5], R(i+2), K[i+2] ); + P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1], + local.A[2], local.A[3], local.A[4], R(i+3), K[i+3] ); + P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0], + local.A[1], local.A[2], local.A[3], R(i+4), K[i+4] ); + P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7], + local.A[0], local.A[1], local.A[2], R(i+5), K[i+5] ); + P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6], + local.A[7], local.A[0], local.A[1], R(i+6), K[i+6] ); + P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5], + local.A[6], local.A[7], local.A[0], R(i+7), K[i+7] ); } #endif /* MBEDTLS_SHA256_SMALLER */ for( i = 0; i < 8; i++ ) - ctx->state[i] += A[i]; + ctx->state[i] += local.A[i]; /* Zeroise buffers and variables to clear sensitive data from memory. */ - mbedtls_platform_zeroize( &A, sizeof( A ) ); - mbedtls_platform_zeroize( &W, sizeof( W ) ); - mbedtls_platform_zeroize( &temp1, sizeof( temp1 ) ); - mbedtls_platform_zeroize( &temp2, sizeof( temp2 ) ); + mbedtls_platform_zeroize( &local, sizeof( local ) ); return( 0 ); } diff --git a/library/sha512.c b/library/sha512.c index 08f4dd550..e08a2e3fa 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -234,8 +234,11 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, const unsigned char data[128] ) { int i; - uint64_t temp1, temp2, W[80]; - uint64_t A[8]; + struct + { + uint64_t temp1, temp2, W[80]; + uint64_t A[8]; + } local; SHA512_VALIDATE_RET( ctx != NULL ); SHA512_VALIDATE_RET( (const unsigned char *)data != NULL ); @@ -252,70 +255,79 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, #define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) #define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) -#define P(a,b,c,d,e,f,g,h,x,K) \ - do \ - { \ - temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \ - temp2 = S2(a) + F0((a),(b),(c)); \ - (d) += temp1; (h) = temp1 + temp2; \ +#define P(a,b,c,d,e,f,g,h,x,K) \ + do \ + { \ + local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \ + local.temp2 = S2(a) + F0((a),(b),(c)); \ + (d) += local.temp1; (h) = local.temp1 + local.temp2; \ } while( 0 ) for( i = 0; i < 8; i++ ) - A[i] = ctx->state[i]; + local.A[i] = ctx->state[i]; #if defined(MBEDTLS_SHA512_SMALLER) for( i = 0; i < 80; i++ ) { if( i < 16 ) { - GET_UINT64_BE( W[i], data, i << 3 ); + GET_UINT64_BE( local.W[i], data, i << 3 ); } else { - W[i] = S1(W[i - 2]) + W[i - 7] + - S0(W[i - 15]) + W[i - 16]; + local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] + + S0(local.W[i - 15]) + local.W[i - 16]; } - P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] ); + P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], + local.A[5], local.A[6], local.A[7], local.W[i], K[i] ); - temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3]; - A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1; + local.temp1 = local.A[7]; local.A[7] = local.A[6]; + local.A[6] = local.A[5]; local.A[5] = local.A[4]; + local.A[4] = local.A[3]; local.A[3] = local.A[2]; + local.A[2] = local.A[1]; local.A[1] = local.A[0]; + local.A[0] = local.temp1; } #else /* MBEDTLS_SHA512_SMALLER */ for( i = 0; i < 16; i++ ) { - GET_UINT64_BE( W[i], data, i << 3 ); + GET_UINT64_BE( local.W[i], data, i << 3 ); } for( ; i < 80; i++ ) { - W[i] = S1(W[i - 2]) + W[i - 7] + - S0(W[i - 15]) + W[i - 16]; + local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] + + S0(local.W[i - 15]) + local.W[i - 16]; } i = 0; do { - P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] ); i++; - P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i], K[i] ); i++; - P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i], K[i] ); i++; - P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i], K[i] ); i++; - P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i], K[i] ); i++; - P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i], K[i] ); i++; - P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i], K[i] ); i++; - P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i], K[i] ); i++; + P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], + local.A[5], local.A[6], local.A[7], local.W[i], K[i] ); i++; + P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3], + local.A[4], local.A[5], local.A[6], local.W[i], K[i] ); i++; + P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2], + local.A[3], local.A[4], local.A[5], local.W[i], K[i] ); i++; + P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1], + local.A[2], local.A[3], local.A[4], local.W[i], K[i] ); i++; + P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0], + local.A[1], local.A[2], local.A[3], local.W[i], K[i] ); i++; + P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7], + local.A[0], local.A[1], local.A[2], local.W[i], K[i] ); i++; + P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6], + local.A[7], local.A[0], local.A[1], local.W[i], K[i] ); i++; + P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5], + local.A[6], local.A[7], local.A[0], local.W[i], K[i] ); i++; } while( i < 80 ); #endif /* MBEDTLS_SHA512_SMALLER */ for( i = 0; i < 8; i++ ) - ctx->state[i] += A[i]; + ctx->state[i] += local.A[i]; /* Zeroise buffers and variables to clear sensitive data from memory. */ - mbedtls_platform_zeroize( &A, sizeof( A ) ); - mbedtls_platform_zeroize( &W, sizeof( W ) ); - mbedtls_platform_zeroize( &temp1, sizeof( temp1 ) ); - mbedtls_platform_zeroize( &temp2, sizeof( temp2 ) ); + mbedtls_platform_zeroize( &local, sizeof( local ) ); return( 0 ); } From 3cb1e296a48fce2546c13264f619d0a199660377 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 25 Nov 2020 15:37:20 +0100 Subject: [PATCH 06/41] Test mbedtls_mpi_fill_random Positive tests: test that the RNG has the expected size, given that we know how many leading zeros it has because we know how the function consumes bytes and when the test RNG produces null bytes. Negative tests: test that if the RNG is willing to emit less than the number of wanted bytes, the function fails. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_mpi.data | 42 ++++++++++++++++++++++++ tests/suites/test_suite_mpi.function | 48 ++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+) diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index 202df1d29..3aebd6c7b 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data @@ -941,6 +941,48 @@ mbedtls_mpi_set_bit:16:"00":32:1:16:"0100000000":0 Test bit set (Invalid bit value) mbedtls_mpi_set_bit:16:"00":5:2:16:"00":MBEDTLS_ERR_MPI_BAD_INPUT_DATA +Fill random: 0 bytes +mpi_fill_random:0:0:0 + +Fill random: 1 byte, good +mpi_fill_random:1:1:0 + +Fill random: 2 bytes, good, no leading zero +mpi_fill_random:2:2:0 + +Fill random: 2 bytes, good, 1 leading zero +mpi_fill_random:2:256:0 + +Fill random: MAX_SIZE - 7, good +mpi_fill_random:MBEDTLS_MPI_MAX_SIZE - 7:MBEDTLS_MPI_MAX_SIZE - 7:0 + +Fill random: MAX_SIZE, good +mpi_fill_random:MBEDTLS_MPI_MAX_SIZE:MBEDTLS_MPI_MAX_SIZE:0 + +Fill random: 1 byte, RNG failure +mpi_fill_random:1:0:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + +Fill random: 2 bytes, RNG failure after 1 byte +mpi_fill_random:2:1:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + +Fill random: 4 bytes, RNG failure after 3 bytes +mpi_fill_random:4:3:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + +Fill random: 8 bytes, RNG failure after 7 bytes +mpi_fill_random:8:7:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + +Fill random: 16 bytes, RNG failure after 1 bytes +mpi_fill_random:16:1:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + +Fill random: 16 bytes, RNG failure after 8 bytes +mpi_fill_random:16:8:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + +Fill random: 16 bytes, RNG failure after 15 bytes +mpi_fill_random:16:15:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + +Fill random: MAX_SIZE bytes, RNG failure after MAX_SIZE-1 bytes +mpi_fill_random:MBEDTLS_MPI_MAX_SIZE:MBEDTLS_MPI_MAX_SIZE-1:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED + MPI Selftest depends_on:MBEDTLS_SELF_TEST mpi_selftest: diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function index e54aaffe6..b3c5cbab3 100644 --- a/tests/suites/test_suite_mpi.function +++ b/tests/suites/test_suite_mpi.function @@ -1,5 +1,6 @@ /* BEGIN_HEADER */ #include "mbedtls/bignum.h" +#include "mbedtls/entropy.h" typedef struct mbedtls_test_mpi_random { @@ -43,6 +44,22 @@ int mbedtls_test_mpi_miller_rabin_determinizer( void* state, return( 0 ); } + +/* Random generator that is told how many bytes to return. */ +static int f_rng_bytes_left( void *state, unsigned char *buf, size_t len ) +{ + size_t *bytes_left = state; + size_t i; + for( i = 0; i < len; i++ ) + { + if( *bytes_left == 0 ) + return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED ); + buf[i] = *bytes_left & 0xff; + --( *bytes_left ); + } + return( 0 ); +} + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -1308,6 +1325,37 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void mpi_fill_random( int wanted_bytes, int rng_bytes, int expected_ret ) +{ + mbedtls_mpi X; + int ret; + size_t bytes_left = rng_bytes; + mbedtls_mpi_init( &X ); + + ret = mbedtls_mpi_fill_random( &X, wanted_bytes, + f_rng_bytes_left, &bytes_left ); + TEST_ASSERT( ret == expected_ret ); + + if( expected_ret == 0 ) + { + /* mbedtls_mpi_fill_random is documented to use bytes from the RNG + * as a big-endian representation of the number. We know when + * our RNG function returns null bytes, so we know how many + * leading zero bytes the number has. */ + size_t leading_zeros = 0; + if( wanted_bytes > 0 && rng_bytes % 256 == 0 ) + leading_zeros = 1; + TEST_ASSERT( mbedtls_mpi_size( &X ) + leading_zeros == + (size_t) wanted_bytes ); + TEST_ASSERT( (int) bytes_left == rng_bytes - wanted_bytes ); + } + +exit: + mbedtls_mpi_free( &X ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ void mpi_selftest( ) { From 436400eec3a772caf17b59850ac6adae2bded8fc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 25 Nov 2020 16:15:14 +0100 Subject: [PATCH 07/41] Handle random generator failure in mbedtls_mpi_fill_random() Discuss the impact in a changelog entry. Signed-off-by: Gilles Peskine --- ChangeLog.d/mpi_fill_random-rng_failure.txt | 8 ++++++++ library/bignum.c | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 ChangeLog.d/mpi_fill_random-rng_failure.txt diff --git a/ChangeLog.d/mpi_fill_random-rng_failure.txt b/ChangeLog.d/mpi_fill_random-rng_failure.txt new file mode 100644 index 000000000..8addf180c --- /dev/null +++ b/ChangeLog.d/mpi_fill_random-rng_failure.txt @@ -0,0 +1,8 @@ +Security + * A failure of the random generator was ignored in mbedtls_mpi_fill_random(), + which is how most uses of randomization in asymmetric cryptography + (including key generation, intermediate value randomization and blinding) + are implemented. This could cause failures or the silent use of non-random + values. A random generator can fail if it needs reseeding and cannot not + obtain entropy, or due to an internal failure (which, for Mbed TLS's own + CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration). diff --git a/library/bignum.c b/library/bignum.c index 9325632b4..1f99ca7be 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -2391,7 +2391,7 @@ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size, MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) ); Xp = (unsigned char*) X->p; - f_rng( p_rng, Xp + overhead, size ); + MBEDTLS_MPI_CHK( f_rng( p_rng, Xp + overhead, size ) ); mpi_bigendian_to_host( X->p, limbs ); From ca17ebfbc02b57e2bcb42efe64a5f2002c756ea8 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 24 Nov 2020 17:30:18 +0000 Subject: [PATCH 08/41] Add tag check to cert algorithm check Add missing tag check for algorithm parameters when comparing the signature in the description part of the cert against the actual signature whilst loading a certificate. This was found by a certificate (created by fuzzing) that openssl would not verify, but mbedtls would. Regression test added (one of the client certs modified accordingly) Signed-off-by: Paul Elliott --- .../x509-add-tag-check-to-algorithm-params | 11 +++++++++++ library/x509_crt.c | 1 + tests/data_files/Makefile | 6 +++++- tests/data_files/cli-rsa-sha256-badalg.crt.der | Bin 0 -> 835 bytes tests/suites/test_suite_x509parse.data | 4 ++++ 5 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 ChangeLog.d/x509-add-tag-check-to-algorithm-params create mode 100644 tests/data_files/cli-rsa-sha256-badalg.crt.der diff --git a/ChangeLog.d/x509-add-tag-check-to-algorithm-params b/ChangeLog.d/x509-add-tag-check-to-algorithm-params new file mode 100644 index 000000000..f2c72b0ec --- /dev/null +++ b/ChangeLog.d/x509-add-tag-check-to-algorithm-params @@ -0,0 +1,11 @@ +Security + * Fix a compliance issue whereby we were not checking the tag on the + algorithm parameters (only the size) when comparing the signature in the + description part of the cert to the real signature. This meant that a + NULL algorithm parameters entry would look identical to an array of REAL + (size zero) to the library and thus the certificate would be considered + valid. However, if the parameters do not match in *any* way then the + certificate should be considered invalid, and indeed OpenSSL marks these + certs as invalid when mbedtls did not. + Many thanks to guidovranken who found this issue via differential fuzzing + and reported it in #3629. diff --git a/library/x509_crt.c b/library/x509_crt.c index fcc2ed21e..690d99d95 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1304,6 +1304,7 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, if( crt->sig_oid.len != sig_oid2.len || memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 || + sig_params1.tag != sig_params2.tag || sig_params1.len != sig_params2.len || ( sig_params1.len != 0 && memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) ) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 40c22f53b..4c0920f39 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -206,7 +206,11 @@ cli-rsa-sha256.crt.der: cli-rsa-sha256.crt $(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER all_final += cli-rsa-sha256.crt.der - cli-rsa.key.der: $(cli_crt_key_file_rsa) +cli-rsa-sha256-badalg.crt.der: cli-rsa-sha256.crt.der + hexdump -ve '1/1 "%.2X"' $< | sed "s/06092A864886F70D01010B0500/06092A864886F70D01010B0900/2" | xxd -r -p > $@ +all_final += cli-rsa-sha256-badalg.crt.der + +cli-rsa.key.der: $(cli_crt_key_file_rsa) $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER all_final += cli-rsa.key.der diff --git a/tests/data_files/cli-rsa-sha256-badalg.crt.der b/tests/data_files/cli-rsa-sha256-badalg.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..c40ba2a44b4c7a6d511eb40815cd9be1729619ce GIT binary patch literal 835 zcmXqLVzxJEVp3ng%*4pV#K>a6%f_kI=F#?@mywa1mBGN;klTQhjX9KsO_<5g$57CK zAH?C};RwjjNh}Hu_A!(+5C;h{^9aC%6hcyqOB9?P4dldm4J{3f3=IrTOiT>SqQrTP zkhumn1PzxmkboF22shk0Co?s#M8U|QiBSpJwT!F`%uS5^3_x)%rY1&4h7%=6&g}fT zweqFwO_78RwYw*O%9fjNyq34W%O))K=^dAwXVO~Pul`Wq;AMItc^+4u^!8gH>Q=ww z5t!WODPi(?h1R9;uX8kMIOHyy2Ilpoed0q1Az+3q% z;eIPWuXuau!9jyU10#d0m%njb2=jOA`xO7vHhp4;fu7T*`?bHH@|6F7V|bvVfB&KS zQ)_b+ul3&S&g#p5F#Cr<*qP0J!lKViSkjKa`)S6PHT4_kEVlG7sf9mIE!n90;Ga#m zDNFjU2mWQPf9n63Wp90XR+l-+Z?i4K`SoQBGQ*m)F0HuoJfQH|Rx{Re*4*k7PmcWc zxvCh?#LURRxY*ag8ytbM!YoV%3=Yrt-hG+jIQyf8+q?<^%;eBSV~e{?&V$dI3qA ziOk<;ojG|Rw!vKC#I4SwD_JLsUp&FP=~`xyU)?*_k`$9|mMJl(J|{Ny`A)d;;D_s! zCL1Qt6}#MJeSd7<8`Jsy{pqBx&tdxO#f{yB8HCp<{aShJ#NW&1sqZ4Dlsx(BzfgVI zhKt;rZ-{NXo}R3Gr~0A9&0h7l(n{~|n+ZNT!N7O?<*^+%yzNaL|Noih>0jGt@19{S z-t5A^epw{fN~6<}|L(@;bt~;?oFF!li={H@zcpC^Ry|n!Cxzsm>0;Z==`%5~%Hn?y~*Z!27Na9QbN29Ig$@$X( Db~{is literal 0 HcmV?d00001 diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 1b0316eb8..d368ef4f4 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -2644,6 +2644,10 @@ X509 File parse (trailing spaces, OK) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C x509parse_crt_file:"data_files/server7_trailing_space.crt":0 +X509 File parse (Algorithm Params Tag mismatch) +depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +x509parse_crt_file:"data_files/cli-rsa-sha256-badalg.crt.der":MBEDTLS_ERR_X509_SIG_MISMATCH + X509 Get time (UTC no issues) depends_on:MBEDTLS_X509_USE_C x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0 From 9246d041500b96fb0694cbda1d833e420696827e Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Wed, 25 Nov 2020 15:12:39 +0000 Subject: [PATCH 09/41] Fix potential DoS by limiting number sizes in exponentiation Check that the exponent and modulus is below `MBEDTLS_MPI_MAX_BITS` before performing a time expensive operation (modular exponentiation). This prevents a potential DoS from Diffie-Hellman computations with extremely large key sizes. Signed-off-by: Chris Jones --- library/bignum.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/bignum.c b/library/bignum.c index 9325632b4..9a70ccdf1 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -2115,6 +2115,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, if( mbedtls_mpi_cmp_int( E, 0 ) < 0 ) return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); + if( mbedtls_mpi_bitlen( E ) > MBEDTLS_MPI_MAX_BITS || + mbedtls_mpi_bitlen( N ) > MBEDTLS_MPI_MAX_BITS ) + return ( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); + /* * Init temps and window size */ From 0c5875fd0c42d9a8ceda6f290cada6d641da1bae Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Thu, 26 Nov 2020 11:21:53 +0000 Subject: [PATCH 10/41] Test that overly large Diffie-Hellman keys are rejected Add a test case to ensure `mbedtls_mpi_exp_mod` fails when using a key size larger than MBEDTLS_MPI_MAX_SIZE. Add a test case to ensure that Diffie-Hellman operations fail when using a key size larger than MBEDTLS_MPI_MAX_SIZE. Signed-off-by: Chris Jones --- tests/suites/test_suite_dhm.data | 3 +++ tests/suites/test_suite_mpi.data | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_dhm.data b/tests/suites/test_suite_dhm.data index 4e884f465..351ec840a 100644 --- a/tests/suites/test_suite_dhm.data +++ b/tests/suites/test_suite_dhm.data @@ -22,6 +22,9 @@ dhm_do_dhm:10:"3":10:"5":MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED Diffie-Hellman zero modulus dhm_do_dhm:10:"0":10:"5":MBEDTLS_ERR_DHM_BAD_INPUT_DATA +Diffie-Hellman huge modulus +dhm_do_dhm:16:"50000000000000000000000000000000000000000000000000000000100014e4c3111300f060355040a13086f53534c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052b810400224ee06ec30e5753333958e280a8000000809539c2885280afd66aab21ddb8d31c6e58b8cae8b2698ef341ad29c3b45f75a7476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f00476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f000000000001000400000000000000506f6c617253530000000000000000000000000000000000000000110000f6de000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c323536193017060000004f000000000000000000000005000000000000000000000000001603030039020000350303cf02020244e8786d95de3d020202e101f2f34e75c8b70a610e44c1000000000000008400000d00a30000ff60010001000016000016030102660b00026200025f00025c30820258308201c1a003020102020900fbb04c2eab109b0c300d06092a864886f70d01010505003045310b3009060355040e130241553113301106035504080c0a536f6d654853746174653121301f060355040a0c18496e7465726e6574205769646769747320507479204c7464301e170d3134303732333230353034305a170d3137303432323230353034305a3045310b3009060355042e130241553113301106035574080c0a136f6d652d53746174653121301f06035504050c18496e7465726e6574205769646769747320507479204c746430819f300d06092a864886f70d010101050003818d003081890281816602ffffff9e000000000000020000bf1400000000000100000000000000feffef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001e1e1e001e1e1e1e1e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000000000000000000000000000000000000000000000000000000000000000000000000000000000040ffd0100010000160000000000000000000000000000ff00000008000000000000000000000000000000000000000000000000000000000000000000000100014e4c3111300f060355040a13086f53534c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052b810400224ee06ec30e5753333958e280a8000000809539c2885280afd66aab21ddb8d31c6e58b8cae8b2698ef341ad29c3b45f75a7476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f00476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f000000000001000400000000000000506f6c617253530000000000000000000000000000000000000000110000f6de000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c323536193017060000004f000000000000000000000005000000000000000000000000001603030039020000350303cf02020244e8786d95de3d020202e101f2f34e75c8b70a610e44c1000000000000008400000d00a30000ff60010001000016000016030102660b00026200025f00025c30820258308201c1a003020102020900fbb04c2eab109b0c300d06092a864886f70dc9784adc17e9e82f4cadccc1747090a92f8ca6840c0f404db671d219301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d0101010500038201160303005b02000057030367c6699151ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a2009fc99a2066310db7315864fc99a2066320db73058a3ff7f00001758e942d4abb2cdc64e9bb43ddc87c03db1b28d17e02cb23":10:"5":MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED+MBEDTLS_ERR_MPI_BAD_INPUT_DATA + Diffie-Hellman load parameters from file [#1] dhm_file:"data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128 diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index 202df1d29..90b7330a8 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data @@ -691,9 +691,12 @@ mbedtls_mpi_exp_mod:10:"-23":10:"13":10:"29":10:"":10:"5":0 Base test mbedtls_mpi_exp_mod #5 (Negative exponent) mbedtls_mpi_exp_mod:10:"23":10:"-13":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA -Base test mbedtls_mpi_exp_mod #7 (Negative base + exponent) +Base test mbedtls_mpi_exp_mod #6 (Negative base + exponent) mbedtls_mpi_exp_mod:10:"-23":10:"-13":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA +Base test mbedtls_mpi_exp_mod #7 (Huge exponent) +mbedtls_mpi_exp_mod:10:"23":16:"50000000000000000000000000000000000000000000000000000000100014e4c3111300f060355040a13086f53534c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052b810400224ee06ec30e5753333958e280a8000000809539c2885280afd66aab21ddb8d31c6e58b8cae8b2698ef341ad29c3b45f75a7476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f00476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f000000000001000400000000000000506f6c617253530000000000000000000000000000000000000000110000f6de000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c323536193017060000004f000000000000000000000005000000000000000000000000001603030039020000350303cf02020244e8786d95de3d020202e101f2f34e75c8b70a610e44c1000000000000008400000d00a30000ff60010001000016000016030102660b00026200025f00025c30820258308201c1a003020102020900fbb04c2eab109b0c300d06092a864886f70d01010505003045310b3009060355040e130241553113301106035504080c0a536f6d654853746174653121301f060355040a0c18496e7465726e6574205769646769747320507479204c7464301e170d3134303732333230353034305a170d3137303432323230353034305a3045310b3009060355042e130241553113301106035574080c0a136f6d652d53746174653121301f06035504050c18496e7465726e6574205769646769747320507479204c746430819f300d06092a864886f70d010101050003818d003081890281816602ffffff9e000000000000020000bf1400000000000100000000000000feffef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001e1e1e001e1e1e1e1e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000000000000000000000000000000000000000000000000000000000000000000000000000000000040ffd0100010000160000000000000000000000000000ff00000008000000000000000000000000000000000000000000000000000000000000000000000100014e4c3111300f060355040a13086f53534c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052b810400224ee06ec30e5753333958e280a8000000809539c2885280afd66aab21ddb8d31c6e58b8cae8b2698ef341ad29c3b45f75a7476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f00476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f000000000001000400000000000000506f6c617253530000000000000000000000000000000000000000110000f6de000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c323536193017060000004f000000000000000000000005000000000000000000000000001603030039020000350303cf02020244e8786d95de3d020202e101f2f34e75c8b70a610e44c1000000000000008400000d00a30000ff60010001000016000016030102660b00026200025f00025c30820258308201c1a003020102020900fbb04c2eab109b0c300d06092a864886f70dc9784adc17e9e82f4cadccc1747090a92f8ca6840c0f404db671d219301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d0101010500038201160303005b02000057030367c6699151ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a2009fc99a2066310db7315864fc99a2066320db73058a3ff7f00001758e942d4abb2cdc64e9bb43ddc87c03db1b28d17e02cb23":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA + Test mbedtls_mpi_exp_mod #1 mbedtls_mpi_exp_mod:10:"433019240910377478217373572959560109819648647016096560523769010881172869083338285573756574557395862965095016483867813043663981946477698466501451832407592327356331263124555137732393938242285782144928753919588632679050799198937132922145084847":10:"5781538327977828897150909166778407659250458379645823062042492461576758526757490910073628008613977550546382774775570888130029763571528699574717583228939535960234464230882573615930384979100379102915657483866755371559811718767760594919456971354184113721":10:"583137007797276923956891216216022144052044091311388601652961409557516421612874571554415606746479105795833145583959622117418531166391184939066520869800857530421873250114773204354963864729386957427276448683092491947566992077136553066273207777134303397724679138833126700957":10:"":10:"114597449276684355144920670007147953232659436380163461553186940113929777196018164149703566472936578890991049344459204199888254907113495794730452699842273939581048142004834330369483813876618772578869083248061616444392091693787039636316845512292127097865026290173004860736":0 From 16187a21bed2895747fdcdd4d03ebdcbd66f4e0b Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Mon, 30 Nov 2020 11:16:48 +0000 Subject: [PATCH 11/41] Add ChangeLog entry for modular exponentiation size limit Signed-off-by: Chris Jones --- ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt diff --git a/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt b/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt new file mode 100644 index 000000000..982b7bc2c --- /dev/null +++ b/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt @@ -0,0 +1,4 @@ +Security + * Limit the size of calculations performed by mbedtls_mpi_exp_mod to + MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when + generating Diffie-Hellman key pairs. Credit to OSS-Fuzz. \ No newline at end of file From d10b331574f7c9349adfe185997a4ec2288845e3 Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Wed, 2 Dec 2020 10:41:50 +0000 Subject: [PATCH 12/41] Test that overly large Diffie-Hellman keys are rejected Adds test cases to ensure that `mbedtls_mpi_exp_mod` will return an error with an exponent or modulus that is greater than `MBEDTLS_MPI_MAX_SIZE` in size. Adds test cases to ensure that Diffie-Hellman will fail to make a key pair (using `mbedtls_dhm_make_public`) when the prime modulus is greater than `MBEDTLS_MPI_MAX_SIZE` in size. Signed-off-by: Chris Jones --- tests/suites/test_suite_dhm.data | 7 +++++-- tests/suites/test_suite_dhm.function | 30 +++++++++++++++++++++++++++ tests/suites/test_suite_mpi.data | 13 ++++++++++-- tests/suites/test_suite_mpi.function | 31 ++++++++++++++++++++++++++++ 4 files changed, 77 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_dhm.data b/tests/suites/test_suite_dhm.data index 351ec840a..c4795b6d3 100644 --- a/tests/suites/test_suite_dhm.data +++ b/tests/suites/test_suite_dhm.data @@ -22,8 +22,11 @@ dhm_do_dhm:10:"3":10:"5":MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED Diffie-Hellman zero modulus dhm_do_dhm:10:"0":10:"5":MBEDTLS_ERR_DHM_BAD_INPUT_DATA -Diffie-Hellman huge modulus -dhm_do_dhm:16:"50000000000000000000000000000000000000000000000000000000100014e4c3111300f060355040a13086f53534c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052b810400224ee06ec30e5753333958e280a8000000809539c2885280afd66aab21ddb8d31c6e58b8cae8b2698ef341ad29c3b45f75a7476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f00476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f000000000001000400000000000000506f6c617253530000000000000000000000000000000000000000110000f6de000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c323536193017060000004f000000000000000000000005000000000000000000000000001603030039020000350303cf02020244e8786d95de3d020202e101f2f34e75c8b70a610e44c1000000000000008400000d00a30000ff60010001000016000016030102660b00026200025f00025c30820258308201c1a003020102020900fbb04c2eab109b0c300d06092a864886f70d01010505003045310b3009060355040e130241553113301106035504080c0a536f6d654853746174653121301f060355040a0c18496e7465726e6574205769646769747320507479204c7464301e170d3134303732333230353034305a170d3137303432323230353034305a3045310b3009060355042e130241553113301106035574080c0a136f6d652d53746174653121301f06035504050c18496e7465726e6574205769646769747320507479204c746430819f300d06092a864886f70d010101050003818d003081890281816602ffffff9e000000000000020000bf1400000000000100000000000000feffef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001e1e1e001e1e1e1e1e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000000000000000000000000000000000000000000000000000000000000000000000000000000000040ffd0100010000160000000000000000000000000000ff00000008000000000000000000000000000000000000000000000000000000000000000000000100014e4c3111300f060355040a13086f53534c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052b810400224ee06ec30e5753333958e280a8000000809539c2885280afd66aab21ddb8d31c6e58b8cae8b2698ef341ad29c3b45f75a7476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f00476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f000000000001000400000000000000506f6c617253530000000000000000000000000000000000000000110000f6de000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c323536193017060000004f000000000000000000000005000000000000000000000000001603030039020000350303cf02020244e8786d95de3d020202e101f2f34e75c8b70a610e44c1000000000000008400000d00a30000ff60010001000016000016030102660b00026200025f00025c30820258308201c1a003020102020900fbb04c2eab109b0c300d06092a864886f70dc9784adc17e9e82f4cadccc1747090a92f8ca6840c0f404db671d219301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d0101010500038201160303005b02000057030367c6699151ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a2009fc99a2066310db7315864fc99a2066320db73058a3ff7f00001758e942d4abb2cdc64e9bb43ddc87c03db1b28d17e02cb23":10:"5":MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED+MBEDTLS_ERR_MPI_BAD_INPUT_DATA +Diffie-Hellman MPI_MAX_SIZE modulus +dhm_make_public:MBEDTLS_MPI_MAX_SIZE:10:"5":0 + +Diffie-Hellman MPI_MAX_SIZE + 1 modulus +dhm_make_public:MBEDTLS_MPI_MAX_SIZE + 1:10:"5":MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED+MBEDTLS_ERR_MPI_BAD_INPUT_DATA Diffie-Hellman load parameters from file [#1] dhm_file:"data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128 diff --git a/tests/suites/test_suite_dhm.function b/tests/suites/test_suite_dhm.function index 0a5c61757..1726b9eb7 100644 --- a/tests/suites/test_suite_dhm.function +++ b/tests/suites/test_suite_dhm.function @@ -223,6 +223,36 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void dhm_make_public( int P_bytes, int radix_G, char *input_G, int result ) +{ + mbedtls_mpi P, G; + mbedtls_dhm_context ctx; + unsigned char output[MBEDTLS_MPI_MAX_SIZE]; + + mbedtls_mpi_init( &P ); + mbedtls_mpi_init( &G ); + mbedtls_dhm_init( &ctx ); + + TEST_ASSERT( mbedtls_mpi_lset( &P, 1 ) == 0 ); + TEST_ASSERT( mbedtls_mpi_shift_l( &P, ( P_bytes * 8 ) - 1 ) == 0 ); + TEST_ASSERT( mbedtls_mpi_set_bit( &P, 0, 1 ) == 0 ); + + TEST_ASSERT( mbedtls_mpi_read_string( &G, radix_G, input_G ) == 0 ); + + TEST_ASSERT( mbedtls_dhm_set_group( &ctx, &P, &G ) == 0 ); + TEST_ASSERT( mbedtls_dhm_make_public( &ctx, (int) mbedtls_mpi_size( &P ), + output, sizeof(output), + &mbedtls_test_rnd_pseudo_rand, + NULL ) == result ); + +exit: + mbedtls_mpi_free( &P ); + mbedtls_mpi_free( &G ); + mbedtls_dhm_free( &ctx ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */ void dhm_file( char * filename, char * p, char * g, int len ) { diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index 90b7330a8..aa6e0529b 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data @@ -694,8 +694,17 @@ mbedtls_mpi_exp_mod:10:"23":10:"-13":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_IN Base test mbedtls_mpi_exp_mod #6 (Negative base + exponent) mbedtls_mpi_exp_mod:10:"-23":10:"-13":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA -Base test mbedtls_mpi_exp_mod #7 (Huge exponent) -mbedtls_mpi_exp_mod:10:"23":16:"50000000000000000000000000000000000000000000000000000000100014e4c3111300f060355040a13086f53534c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052b810400224ee06ec30e5753333958e280a8000000809539c2885280afd66aab21ddb8d31c6e58b8cae8b2698ef341ad29c3b45f75a7476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f00476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f000000000001000400000000000000506f6c617253530000000000000000000000000000000000000000110000f6de000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c323536193017060000004f000000000000000000000005000000000000000000000000001603030039020000350303cf02020244e8786d95de3d020202e101f2f34e75c8b70a610e44c1000000000000008400000d00a30000ff60010001000016000016030102660b00026200025f00025c30820258308201c1a003020102020900fbb04c2eab109b0c300d06092a864886f70d01010505003045310b3009060355040e130241553113301106035504080c0a536f6d654853746174653121301f060355040a0c18496e7465726e6574205769646769747320507479204c7464301e170d3134303732333230353034305a170d3137303432323230353034305a3045310b3009060355042e130241553113301106035574080c0a136f6d652d53746174653121301f06035504050c18496e7465726e6574205769646769747320507479204c746430819f300d06092a864886f70d010101050003818d003081890281816602ffffff9e000000000000020000bf1400000000000100000000000000feffef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001e1e1e001e1e1e1e1e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000000000000000000000000000000000000000000000000000000000000000000000000000000000040ffd0100010000160000000000000000000000000000ff00000008000000000000000000000000000000000000000000000000000000000000000000000100014e4c3111300f060355040a13086f53534c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052b810400224ee06ec30e5753333958e280a8000000809539c2885280afd66aab21ddb8d31c6e58b8cae8b2698ef341ad29c3b45f75a7476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f00476fd5192955699a533b20b4661660341e00000040000000160000000000001604149d316d202449023f2bcb78b519bc7fffc9cbfb357c316e0603cdcdcdcd0ba34677b8b3be2c3633023100fdbfff7b67df9d7b7f7f000000000001000400000000000000506f6c617253530000000000000000000000000000000000000000110000f6de000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c323536193017060000004f000000000000000000000005000000000000000000000000001603030039020000350303cf02020244e8786d95de3d020202e101f2f34e75c8b70a610e44c1000000000000008400000d00a30000ff60010001000016000016030102660b00026200025f00025c30820258308201c1a003020102020900fbb04c2eab109b0c300d06092a864886f70dc9784adc17e9e82f4cadccc1747090a92f8ca6840c0f404db671d219301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d0101010500038201160303005b02000057030367c6699151ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a2009fc99a2066310db7315864fc99a2066320db73058a3ff7f00001758e942d4abb2cdc64e9bb43ddc87c03db1b28d17e02cb23":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA +Base test mbedtls_mpi_exp_mod #7 (MAX_SIZE exponent) +mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE:2:10:"":0 + +Base test mbedtls_mpi_exp_mod #8 (MAX_SIZE + 1 exponent) +mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE + 1:2:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA + +Base test mbedtls_mpi_exp_mod #9 (MAX_SIZE modulus) +mbedtls_mpi_exp_mod_size:2:2:MBEDTLS_MPI_MAX_SIZE:10:"":0 + +Base test mbedtls_mpi_exp_mod #10 (MAX_SIZE + 1 modulus) +mbedtls_mpi_exp_mod_size:2:2:MBEDTLS_MPI_MAX_SIZE + 1:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA Test mbedtls_mpi_exp_mod #1 mbedtls_mpi_exp_mod:10:"433019240910377478217373572959560109819648647016096560523769010881172869083338285573756574557395862965095016483867813043663981946477698466501451832407592327356331263124555137732393938242285782144928753919588632679050799198937132922145084847":10:"5781538327977828897150909166778407659250458379645823062042492461576758526757490910073628008613977550546382774775570888130029763571528699574717583228939535960234464230882573615930384979100379102915657483866755371559811718767760594919456971354184113721":10:"583137007797276923956891216216022144052044091311388601652961409557516421612874571554415606746479105795833145583959622117418531166391184939066520869800857530421873250114773204354963864729386957427276448683092491947566992077136553066273207777134303397724679138833126700957":10:"":10:"114597449276684355144920670007147953232659436380163461553186940113929777196018164149703566472936578890991049344459204199888254907113495794730452699842273939581048142004834330369483813876618772578869083248061616444392091693787039636316845512292127097865026290173004860736":0 diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function index e54aaffe6..97107c211 100644 --- a/tests/suites/test_suite_mpi.function +++ b/tests/suites/test_suite_mpi.function @@ -1164,6 +1164,37 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void mbedtls_mpi_exp_mod_size( int A_bytes, int E_bytes, int N_bytes, + int radix_RR, char * input_RR, int div_result ) +{ + mbedtls_mpi A, E, N, RR, Z; + mbedtls_mpi_init( &A ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &N ); + mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &Z ); + + TEST_ASSERT( mbedtls_mpi_lset( &A, 1 ) == 0 ); + TEST_ASSERT( mbedtls_mpi_lset( &E, 1 ) == 0 ); + TEST_ASSERT( mbedtls_mpi_lset( &N, 1 ) == 0 ); + + TEST_ASSERT( mbedtls_mpi_shift_l( &A, ( A_bytes * 8 ) - 1 ) == 0 ); + TEST_ASSERT( mbedtls_mpi_shift_l( &E, ( E_bytes * 8 ) - 1 ) == 0 ); + TEST_ASSERT( mbedtls_mpi_shift_l( &N, ( N_bytes * 8 ) - 1 ) == 0 ); + + TEST_ASSERT( mbedtls_mpi_set_bit( &A, 0, 1 ) == 0 ); + TEST_ASSERT( mbedtls_mpi_set_bit( &E, 0, 1 ) == 0 ); + TEST_ASSERT( mbedtls_mpi_set_bit( &N, 0, 1 ) == 0 ); + + if( strlen( input_RR ) ) + TEST_ASSERT( mbedtls_mpi_read_string( &RR, radix_RR, input_RR ) == 0 ); + + TEST_ASSERT( mbedtls_mpi_exp_mod( &Z, &A, &E, &N, &RR ) == div_result ); + +exit: + mbedtls_mpi_free( &A ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &N ); + mbedtls_mpi_free( &RR ); mbedtls_mpi_free( &Z ); +} +/* END_CASE */ + /* BEGIN_CASE */ void mbedtls_mpi_inv_mod( int radix_X, char * input_X, int radix_Y, char * input_Y, int radix_A, char * input_A, From 3ba84d5bd67513c7839cfad9eaf21e05cae1f461 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 20 Nov 2020 10:17:20 +0100 Subject: [PATCH 13/41] Improve documentation of cipher_auth_xxcrypt() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Document constraints on buffers/pointers NULLability explicitly. - Simplify terminology around IV/nonce: all AEADs implemented so far call that a nonce. Keep the parameter names (iv, iv_len) to avoid having to change the code (or having different names in the header and C files). - Align documentation to the code regarding parameter constraints: the documentation said the for ciphers with fixed nonce/tag length, the iv_len/tag_len arguments were ignored, while the code enforced them to be the expected value. This is more consistent with what's done with GCM/CCM, which for tag_len for example accept more than one value, but from a relatively small set, and will return errors for values outside that set. Accepting a single value is a particular case of that (the set of acceptable value only has one element). Don't document behaviour with NIST KW as we're about to change that. Note: this function is currently only defined if at least one of GCM, CCM or ChachaPoly is enabled, even though it's supposed to handle NIST KW as well. No need to fix this as the function will soon no longer support NIST KW. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/cipher.h | 80 +++++++++++++++++++++++++--------------- 1 file changed, 50 insertions(+), 30 deletions(-) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 8827e0b79..43bc1e270 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -862,25 +862,35 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, * * \param ctx The generic cipher context. This must be initialized and * bound to a key. - * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. - * This must be a readable buffer of at least \p iv_len - * Bytes. - * \param iv_len The IV length for ciphers with variable-size IV. - * This parameter is discarded by ciphers with fixed-size IV. + * \param iv The nonce to use. This must be a readable buffer of + * at least \p iv_len Bytes and must not be \c NULL. + * \param iv_len The length of the nonce. This must satisfy the + * constraints imposed by the AEAD cipher used. * \param ad The additional data to authenticate. This must be a - * readable buffer of at least \p ad_len Bytes. + * readable buffer of at least \p ad_len Bytes, and may + * be \c NULL is \p ad_len is \c 0. * \param ad_len The length of \p ad. * \param input The buffer holding the input data. This must be a - * readable buffer of at least \p ilen Bytes. + * readable buffer of at least \p ilen Bytes, and may be + * \c NULL if \p ilen is \c 0. * \param ilen The length of the input data. - * \param output The buffer for the output data. This must be able to - * hold at least \p ilen Bytes. - * \param olen The length of the output data, to be updated with the - * actual number of Bytes written. This must not be - * \c NULL. + * \param output The buffer for the output data. This must be a + * writable buffer of at least \p ilen Bytes, and must + * not be \c NULL. + * \param olen This will be filled with the actual number of Bytes + * written to the \p output buffer. This must point to a + * writable object of type \c size_t. * \param tag The buffer for the authentication tag. This must be a - * writable buffer of at least \p tag_len Bytes. - * \param tag_len The desired length of the authentication tag. + * writable buffer of at least \p tag_len Bytes. See note + * below regarding restrictions with PSA-based contexts. + * \param tag_len The desired length of the authentication tag. This + * must match the constraints imposed by the AEAD cipher + * used, and in particuler must not be \c 0. + * + * \note If the context is based on PSA (that is, it was set up + * with mbedtls_cipher_setup_psa()), then it is required + * that \c tag == output + ilen. That is, the tag must be + * appended to the ciphertext as recommended by RFC 5116. * * \return \c 0 on success. * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on @@ -903,25 +913,35 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, * * \param ctx The generic cipher context. This must be initialized and * and bound to a key. - * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. - * This must be a readable buffer of at least \p iv_len - * Bytes. - * \param iv_len The IV length for ciphers with variable-size IV. - * This parameter is discarded by ciphers with fixed-size IV. - * \param ad The additional data to be authenticated. This must be a - * readable buffer of at least \p ad_len Bytes. + * \param iv The nonce to use. This must be a readable buffer of + * at least \p iv_len Bytes and must not be \c NULL. + * \param iv_len The length of the nonce. This must satisfy the + * constraints imposed by the AEAD cipher used. + * \param ad The additional data to authenticate. This must be a + * readable buffer of at least \p ad_len Bytes, and may + * be \c NULL is \p ad_len is \c 0. * \param ad_len The length of \p ad. * \param input The buffer holding the input data. This must be a - * readable buffer of at least \p ilen Bytes. + * readable buffer of at least \p ilen Bytes, and may be + * \c NULL if \p ilen is \c 0. * \param ilen The length of the input data. - * \param output The buffer for the output data. - * This must be able to hold at least \p ilen Bytes. - * \param olen The length of the output data, to be updated with the - * actual number of Bytes written. This must not be - * \c NULL. - * \param tag The buffer holding the authentication tag. This must be - * a readable buffer of at least \p tag_len Bytes. - * \param tag_len The length of the authentication tag. + * \param output The buffer for the output data. This must be a + * writable buffer of at least \p ilen Bytes, and must + * not be \c NULL. + * \param olen This will be filled with the actual number of Bytes + * written to the \p output buffer. This must point to a + * writable object of type \c size_t. + * \param tag The buffer for the authentication tag. This must be a + * readable buffer of at least \p tag_len Bytes. See note + * below regarding restrictions with PSA-based contexts. + * \param tag_len The length of the authentication tag. This must match + * the constraints imposed by the AEAD cipher used, and in + * particular must not be \c 0. + * + * \note If the context is based on PSA (that is, it was set up + * with mbedtls_cipher_setup_psa()), then it is required + * that \c tag == input + len. That is, the tag must be + * appended to the ciphertext as recommended by RFC 5116. * * \return \c 0 on success. * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on From 9cc079db7a4f55cd7ad56e8af2c28ce0396710f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 25 Nov 2020 12:57:47 +0100 Subject: [PATCH 14/41] Declare cipher_auth_{en,de}crypt_ext() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Work in progress: next steps are to implement and test it. Compared to the existing non-ext version: - to separate tag parameter - explicit output_len parameter Also, this version will retain support for NIST_KW (hence documents it), while the non-ext version will lose it in a few commits. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/cipher.h | 108 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 43bc1e270..49b8b5e9e 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -957,6 +957,114 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, const unsigned char *tag, size_t tag_len ); #endif /* MBEDTLS_CIPHER_MODE_AEAD */ +#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) +/** + * \brief The autenticated encryption (AEAD/NIST_KW) function. + * + * \note For AEAD modes, the tag will be appended to the + * ciphertext, as recommended by RFC 5116. + * (NIST_KW doesn't have a separate tag.) + * + * \param ctx The generic cipher context. This must be initialized and + * bound to a key. + * \param iv The nonce to use. This must be a readable buffer of + * at least \p iv_len Bytes and may be \c NULL if \p + * iv_len is \c 0. + * \param iv_len The length of the nonce. For AEAD ciphers, this must satisfy the + * constraints imposed by the cipher used. For NIST_KW, + * this must be \c 0. + * \param ad The additional data to authenticate. This must be a + * readable buffer of at least \p ad_len Bytes, and may + * be \c NULL is \p ad_len is \c 0. + * \param ad_len The length of \p ad. For NIST_KW, this must be \c 0. + * \param input The buffer holding the input data. This must be a + * readable buffer of at least \p ilen Bytes, and may be + * \c NULL if \p ilen is \c 0. + * \param ilen The length of the input data. + * \param output The buffer for the output data. This must be a + * writable buffer of at least \p output_len Bytes, and + * must not be \c NULL. + * \param output_len The length of the \p output buffer in Bytes. For AEAD + * ciphers, this must be at least \p ilen + \p tag_len. + * For NIST_KW, this must be at least \p ilen + 8 + * (rounded up to a multiple of 8 if KWP is used); + * \p ilen + 15 is always a safe value. + * \param olen This will be filled with the actual number of Bytes + * written to the \p output buffer. This must point to a + * writable object of type \c size_t. + * \param tag_len The desired length of the authentication tag. For AEAD + * ciphers, this must match the constraints imposed by + * the cipher used, and in particuler must not be \c 0. + * For NIST_KW, this must be \c 0. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on + * parameter-verification failure. + * \return A cipher-specific error code on failure. + */ +int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, + const unsigned char *iv, size_t iv_len, + const unsigned char *ad, size_t ad_len, + const unsigned char *input, size_t ilen, + unsigned char *output, size_t output_len, + size_t *olen, size_t tag_len ); + +/** + * \brief The autenticated encryption (AEAD/NIST_KW) function. + * + * \note If the data is not authentic, then the output buffer + * is zeroed out to prevent the unauthentic plaintext being + * used, making this interface safer. + * + * \note For AEAD modes, the tag must be appended to the + * ciphertext, as recommended by RFC 5116. + * (NIST_KW doesn't have a separate tag.) + * + * \param ctx The generic cipher context. This must be initialized and + * and bound to a key. + * \param iv The nonce to use. This must be a readable buffer of + * at least \p iv_len Bytes and may be \c NULL if \p + * iv_len is \c 0. + * \param iv_len The length of the nonce. For AEAD ciphers, this must satisfy the + * constraints imposed by the cipher used. For NIST_KW, + * this must be \c 0. + * \param ad The additional data to authenticate. This must be a + * readable buffer of at least \p ad_len Bytes, and may + * be \c NULL is \p ad_len is \c 0. + * \param ad_len The length of \p ad. For NIST_KW, this must be \c 0. + * \param input The buffer holding the input data. This must be a + * readable buffer of at least \p ilen Bytes, and may be + * \c NULL if \p ilen is \c 0. + * \param ilen The length of the input data. For AEAD ciphers this + * must be at least \p tag_len. For NIST_KW this must be + * at least \c 8. + * \param output The buffer for the output data. This must be a + * writable buffer of at least \p output_len Bytes, and + * may be \c NULL if \p output_len is \c 0. + * \param output_len The length of the \p output buffer in Bytes. For AEAD + * ciphers, this must be at least \p ilen - \p tag_len. + * For NIST_KW, this must be at least \p ilen - 8. + * \param olen This will be filled with the actual number of Bytes + * written to the \p output buffer. This must point to a + * writable object of type \c size_t. + * \param tag_len The actual length of the authentication tag. For AEAD + * ciphers, this must match the constraints imposed by + * the cipher used, and in particuler must not be \c 0. + * For NIST_KW, this must be \c 0. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on + * parameter-verification failure. + * \return #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic. + * \return A cipher-specific error code on failure. + */ +int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx, + const unsigned char *iv, size_t iv_len, + const unsigned char *ad, size_t ad_len, + const unsigned char *input, size_t ilen, + unsigned char *output, size_t output_len, + size_t *olen, size_t tag_len ); +#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ #ifdef __cplusplus } #endif From faddf98bea37e78f505e15fa85509282a038498b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 25 Nov 2020 13:39:47 +0100 Subject: [PATCH 15/41] Implement cipher_auth_{en,de}crypt_ext() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Work in progress: next step is to test it! Extract the part that is common with non-ext version to a new internal function. (We can't just use the non-ext version for that, as it's going to be deprecated.) Currently the NIST_KW part is somewhat duplicated between the ext and non-ext versions, but that's OK because it will soon be removed from the non-ext version. Signed-off-by: Manuel Pégourié-Gonnard --- library/cipher.c | 206 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 169 insertions(+), 37 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index 853eeec20..20e1e7b3a 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -1288,23 +1288,16 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, #if defined(MBEDTLS_CIPHER_MODE_AEAD) /* - * Packet-oriented encryption for AEAD modes + * Packet-oriented encryption for AEAD modes: internal function shared by + * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext(). */ -int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, +static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, unsigned char *tag, size_t tag_len ) { - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( iv != NULL ); - CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); - CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); - CIPHER_VALIDATE_RET( output != NULL ); - CIPHER_VALIDATE_RET( olen != NULL ); - CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); - #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ctx->psa_enabled == 1 ) { @@ -1370,44 +1363,21 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, ilen, iv, ad, ad_len, input, output, tag ) ); } #endif /* MBEDTLS_CHACHAPOLY_C */ -#if defined(MBEDTLS_NIST_KW_C) - if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || - MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) - { - mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? - MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; - - /* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */ - if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) - { - return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); - } - - return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) ); - } -#endif /* MBEDTLS_NIST_KW_C */ return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); } /* - * Packet-oriented decryption for AEAD modes + * Packet-oriented encryption for AEAD modes: internal function shared by + * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext(). */ -int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, +static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, const unsigned char *tag, size_t tag_len ) { - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( iv != NULL ); - CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); - CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); - CIPHER_VALIDATE_RET( output != NULL ); - CIPHER_VALIDATE_RET( olen != NULL ); - CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); - #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ctx->psa_enabled == 1 ) { @@ -1495,6 +1465,68 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, return( ret ); } #endif /* MBEDTLS_CHACHAPOLY_C */ + + return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); +} + +/* + * Packet-oriented encryption for AEAD modes: public function. + */ +int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, + const unsigned char *iv, size_t iv_len, + const unsigned char *ad, size_t ad_len, + const unsigned char *input, size_t ilen, + unsigned char *output, size_t *olen, + unsigned char *tag, size_t tag_len ) +{ + CIPHER_VALIDATE_RET( ctx != NULL ); + CIPHER_VALIDATE_RET( iv != NULL ); + CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); + CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); + CIPHER_VALIDATE_RET( output != NULL ); + CIPHER_VALIDATE_RET( olen != NULL ); + CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); + +#if defined(MBEDTLS_NIST_KW_C) + if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || + MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) + { + mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? + MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; + + /* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */ + if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) + { + return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); + } + + return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) ); + } +#endif /* MBEDTLS_NIST_KW_C */ + + return( mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len, + input, ilen, output, olen, + tag, tag_len ) ); +} + +/* + * Packet-oriented decryption for AEAD modes: public function. + */ +int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, + const unsigned char *iv, size_t iv_len, + const unsigned char *ad, size_t ad_len, + const unsigned char *input, size_t ilen, + unsigned char *output, size_t *olen, + const unsigned char *tag, size_t tag_len ) +{ + CIPHER_VALIDATE_RET( ctx != NULL ); + CIPHER_VALIDATE_RET( iv != NULL ); + CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); + CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); + CIPHER_VALIDATE_RET( output != NULL ); + CIPHER_VALIDATE_RET( olen != NULL ); + CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); + #if defined(MBEDTLS_NIST_KW_C) if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) @@ -1512,8 +1544,108 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, } #endif /* MBEDTLS_NIST_KW_C */ - return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); + return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len, + input, ilen, output, olen, + tag, tag_len ) ); } #endif /* MBEDTLS_CIPHER_MODE_AEAD */ +#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) +/* + * Packet-oriented encryption for AEAD/NIST_KW: public function. + */ +int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, + const unsigned char *iv, size_t iv_len, + const unsigned char *ad, size_t ad_len, + const unsigned char *input, size_t ilen, + unsigned char *output, size_t output_len, + size_t *olen, size_t tag_len ) +{ + CIPHER_VALIDATE_RET( ctx != NULL ); + CIPHER_VALIDATE_RET( iv != NULL ); + CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); + CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); + CIPHER_VALIDATE_RET( output != NULL ); + CIPHER_VALIDATE_RET( olen != NULL ); + +#if defined(MBEDTLS_NIST_KW_C) + if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || + MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) + { + mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? + MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; + + /* There is no iv, tag or ad associated with KW and KWP, + * so these length should be 0 as documented. */ + if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) + return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); + + return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen, + output, olen, output_len ) ); + } +#endif /* MBEDTLS_NIST_KW_C */ + +#if defined(MBEDTLS_CIPHER_MODE_AEAD) + /* AEAD case: check length before passing on to shared function */ + if( output_len < ilen + tag_len ) + return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); + + int ret = mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len, + input, ilen, output, olen, + output + ilen, tag_len ); + *olen += tag_len; + return( ret ); +#else + return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); +#endif /* MBEDTLS_CIPHER_MODE_AEAD */ +} + +/* + * Packet-oriented decryption for AEAD/NIST_KW: public function. + */ +int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx, + const unsigned char *iv, size_t iv_len, + const unsigned char *ad, size_t ad_len, + const unsigned char *input, size_t ilen, + unsigned char *output, size_t output_len, + size_t *olen, size_t tag_len ) +{ + CIPHER_VALIDATE_RET( ctx != NULL ); + CIPHER_VALIDATE_RET( iv != NULL ); + CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); + CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); + CIPHER_VALIDATE_RET( output_len == 0 || output != NULL ); + CIPHER_VALIDATE_RET( olen != NULL ); + +#if defined(MBEDTLS_NIST_KW_C) + if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || + MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) + { + mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? + MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; + + /* There is no iv, tag or ad associated with KW and KWP, + * so these length should be 0 as documented. */ + if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) + return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); + + return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen, + output, olen, output_len ) ); + } +#endif /* MBEDTLS_NIST_KW_C */ + +#if defined(MBEDTLS_CIPHER_MODE_AEAD) + /* AEAD case: check length before passing on to shared function */ + if( ilen < tag_len || output_len < ilen - tag_len ) + return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); + + return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len, + input, ilen - tag_len, output, olen, + input + ilen - tag_len, tag_len ) ); +#else + return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); +#endif /* MBEDTLS_CIPHER_MODE_AEAD */ +} +#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ + #endif /* MBEDTLS_CIPHER_C */ From a03f56fe8fb8cc72fc42106993c7679aab2efe1d Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Wed, 2 Dec 2020 16:27:42 +0000 Subject: [PATCH 16/41] Extend exponentiation test coverage Add two further boundary tests for cases where both the exponent and modulus to `mbedtls_mpi_exp_mod()` are `MBEDTLS_MPI_MAX_SIZE`, or longer, bytes long. Signed-off-by: Chris Jones --- tests/suites/test_suite_mpi.data | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index aa6e0529b..18082330a 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data @@ -706,6 +706,12 @@ mbedtls_mpi_exp_mod_size:2:2:MBEDTLS_MPI_MAX_SIZE:10:"":0 Base test mbedtls_mpi_exp_mod #10 (MAX_SIZE + 1 modulus) mbedtls_mpi_exp_mod_size:2:2:MBEDTLS_MPI_MAX_SIZE + 1:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA +Base test mbedtls_mpi_exp_mod #11 (MAX_SIZE exponent and modulus) +mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE:MBEDTLS_MPI_MAX_SIZE:10:"":0 + +Base test mbedtls_mpi_exp_mod #12 (MAX_SIZE + 1 exponent and modulus) +mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE + 1:MBEDTLS_MPI_MAX_SIZE + 1:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA + Test mbedtls_mpi_exp_mod #1 mbedtls_mpi_exp_mod:10:"433019240910377478217373572959560109819648647016096560523769010881172869083338285573756574557395862965095016483867813043663981946477698466501451832407592327356331263124555137732393938242285782144928753919588632679050799198937132922145084847":10:"5781538327977828897150909166778407659250458379645823062042492461576758526757490910073628008613977550546382774775570888130029763571528699574717583228939535960234464230882573615930384979100379102915657483866755371559811718767760594919456971354184113721":10:"583137007797276923956891216216022144052044091311388601652961409557516421612874571554415606746479105795833145583959622117418531166391184939066520869800857530421873250114773204354963864729386957427276448683092491947566992077136553066273207777134303397724679138833126700957":10:"":10:"114597449276684355144920670007147953232659436380163461553186940113929777196018164149703566472936578890991049344459204199888254907113495794730452699842273939581048142004834330369483813876618772578869083248061616444392091693787039636316845512292127097865026290173004860736":0 From 4c1a1006df81091a37996b18f59236d1afa9d98a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 26 Nov 2020 10:22:50 +0100 Subject: [PATCH 17/41] Improve comments/structure of auth_crypt test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We want to test both sets of functions (ext and non-ext) in turn, so goto exit is not really and option. Also, separate setting up the context (which is going to be the same for both ext and non-ext functions) from setting up the buffers (which will vary). Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_cipher.function | 149 ++++++++++++++---------- 1 file changed, 90 insertions(+), 59 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index ea1e9ada5..dc3bf3b21 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -13,6 +13,10 @@ #include "test/psa_crypto_helpers.h" #endif +#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) +#define MBEDTLS_CIPHER_AUTH_CRYPT +#endif + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -959,15 +963,17 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_AEAD */ +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_AUTH_CRYPT */ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, data_t * ad, data_t * cipher, data_t * tag, char * result, data_t * clear, int use_psa ) { - /* Takes an AEAD ciphertext + tag and performs a pair - * of AEAD decryption and AEAD encryption. It checks that + /* + * Take an AEAD ciphertext + tag and perform a pair + * of AEAD decryption and AEAD encryption. Check that * this results in the expected plaintext, and that - * decryption and encryption are inverse to one another. */ + * decryption and encryption are inverse to one another. + */ int ret; unsigned char output[300]; /* Temporary buffer for results of @@ -984,31 +990,27 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, mbedtls_cipher_init( &ctx ); memset( output, 0xFF, sizeof( output ) ); - /* Prepare context */ -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - (void) use_psa; + /* Initialize PSA Crypto */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( use_psa == 1 ) + PSA_ASSERT( psa_crypto_init( ) ); #else + (void) use_psa; +#endif + + /* + * Prepare context for decryption + */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) if( use_psa == 1 ) { - PSA_ASSERT( psa_crypto_init( ) ); - - /* PSA requires that the tag immediately follows the ciphertext. */ - tmp_cipher = mbedtls_calloc( 1, cipher->len + tag->len ); - TEST_ASSERT( tmp_cipher != NULL ); - tmp_tag = tmp_cipher + cipher->len; - - memcpy( tmp_cipher, cipher->x, cipher->len ); - memcpy( tmp_tag, tag->x, tag->len ); - TEST_ASSERT( 0 == mbedtls_cipher_setup_psa( &ctx, mbedtls_cipher_info_from_type( cipher_id ), tag->len ) ); } else -#endif +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { - tmp_tag = tag->x; - tmp_cipher = cipher->x; TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, mbedtls_cipher_info_from_type( cipher_id ) ) ); } @@ -1016,7 +1018,30 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, MBEDTLS_DECRYPT ) ); - /* decode buffer and check tag->x */ + /* + * Prepare buffers/pointers for decryption + */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( use_psa == 1 ) + { + /* PSA requires that the tag immediately follows the ciphertext. */ + tmp_cipher = mbedtls_calloc( 1, cipher->len + tag->len ); + TEST_ASSERT( tmp_cipher != NULL ); + tmp_tag = tmp_cipher + cipher->len; + + memcpy( tmp_cipher, cipher->x, cipher->len ); + memcpy( tmp_tag, tag->x, tag->len ); + } + else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + { + tmp_tag = tag->x; + tmp_cipher = cipher->x; + } + + /* + * Authenticate and decrypt, and check result + */ /* Sanity check that we don't use overly long inputs. */ TEST_ASSERT( sizeof( output ) >= cipher->len ); @@ -1029,48 +1054,54 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, if( strcmp( result, "FAIL" ) == 0 ) { TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ); - goto exit; - } - - /* otherwise, make sure it was decrypted properly */ - TEST_ASSERT( ret == 0 ); - - TEST_ASSERT( outlen == clear->len ); - TEST_ASSERT( memcmp( output, clear->x, clear->len ) == 0 ); - - /* then encrypt the clear->x and make sure we get the same ciphertext and tag->x */ - mbedtls_cipher_free( &ctx ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( use_psa == 1 ) - { - TEST_ASSERT( 0 == mbedtls_cipher_setup_psa( &ctx, - mbedtls_cipher_info_from_type( cipher_id ), - tag->len ) ); } else -#endif { - TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, - mbedtls_cipher_info_from_type( cipher_id ) ) ); + /* otherwise, make sure it was decrypted properly */ + TEST_ASSERT( ret == 0 ); + + TEST_ASSERT( outlen == clear->len ); + TEST_ASSERT( memcmp( output, clear->x, clear->len ) == 0 ); + + /* + * Prepare context for encryption + */ + mbedtls_cipher_free( &ctx ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( use_psa == 1 ) + { + TEST_ASSERT( 0 == mbedtls_cipher_setup_psa( &ctx, + mbedtls_cipher_info_from_type( cipher_id ), + tag->len ) ); + } + else +#endif + { + TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, + mbedtls_cipher_info_from_type( cipher_id ) ) ); + } + TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, + MBEDTLS_ENCRYPT ) ); + + /* + * Encrypt and check the result + */ + memset( output, 0xFF, sizeof( output ) ); + outlen = 0; + + /* Sanity check that we don't use overly long inputs. */ + TEST_ASSERT( sizeof( output ) >= clear->len + tag->len ); + + output_tag = output + clear->len; + ret = mbedtls_cipher_auth_encrypt( &ctx, iv->x, iv->len, ad->x, ad->len, + clear->x, clear->len, output, &outlen, + output_tag, tag->len ); + TEST_ASSERT( ret == 0 ); + + TEST_ASSERT( outlen == cipher->len ); + TEST_ASSERT( memcmp( output, cipher->x, cipher->len ) == 0 ); + TEST_ASSERT( memcmp( output_tag, tag->x, tag->len ) == 0 ); } - TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, - MBEDTLS_ENCRYPT ) ); - - memset( output, 0xFF, sizeof( output ) ); - outlen = 0; - - /* Sanity check that we don't use overly long inputs. */ - TEST_ASSERT( sizeof( output ) >= clear->len + tag->len ); - - output_tag = output + clear->len; - ret = mbedtls_cipher_auth_encrypt( &ctx, iv->x, iv->len, ad->x, ad->len, - clear->x, clear->len, output, &outlen, - output_tag, tag->len ); - TEST_ASSERT( ret == 0 ); - - TEST_ASSERT( outlen == cipher->len ); - TEST_ASSERT( memcmp( output, cipher->x, cipher->len ) == 0 ); - TEST_ASSERT( memcmp( output_tag, tag->x, tag->len ) == 0 ); exit: From 89a8fe50fe6d07f434e28cf505ee378acb7cf8e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 27 Nov 2020 09:32:55 +0100 Subject: [PATCH 18/41] Extract helper function for repeated test code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_cipher.function | 76 ++++++++++++++----------- 1 file changed, 44 insertions(+), 32 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index dc3bf3b21..a40bfb5f2 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -17,6 +17,46 @@ #define MBEDTLS_CIPHER_AUTH_CRYPT #endif +#if defined(MBEDTLS_CIPHER_AUTH_CRYPT) +/* Helper for resetting key/direction + * + * The documentation doesn't explicitly say whether calling + * mbedtls_cipher_setkey() twice is allowed or not. This currently works with + * the default software implementation, but only by accident. It isn't + * guaranteed to work with new ciphers or with alternative implementations of + * individual ciphers, and it doesn't work with the PSA wrappers. So don't do + * it, and instead start with a fresh context. + */ +static void cipher_reset_key( mbedtls_cipher_context_t *ctx, int cipher_id, + int use_psa, size_t tag_len, const data_t *key, int direction ) +{ + mbedtls_cipher_free( ctx ); + mbedtls_cipher_init( ctx ); + +#if !defined(MBEDTLS_USE_PSA_CRYPTO) + (void) use_psa; + (void) tag_len; +#else + if( use_psa == 1 ) + { + TEST_ASSERT( 0 == mbedtls_cipher_setup_psa( ctx, + mbedtls_cipher_info_from_type( cipher_id ), + tag_len ) ); + } + else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + { + TEST_ASSERT( 0 == mbedtls_cipher_setup( ctx, + mbedtls_cipher_info_from_type( cipher_id ) ) ); + } + + TEST_ASSERT( 0 == mbedtls_cipher_setkey( ctx, key->x, 8 * key->len, + direction ) ); +exit: + ; +} +#endif /* MBEDTLS_CIPHER_AUTH_CRYPT */ + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -1001,22 +1041,8 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, /* * Prepare context for decryption */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( use_psa == 1 ) - { - TEST_ASSERT( 0 == mbedtls_cipher_setup_psa( &ctx, - mbedtls_cipher_info_from_type( cipher_id ), - tag->len ) ); - } - else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - { - TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, - mbedtls_cipher_info_from_type( cipher_id ) ) ); - } - - TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, - MBEDTLS_DECRYPT ) ); + cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, + MBEDTLS_DECRYPT ); /* * Prepare buffers/pointers for decryption @@ -1066,22 +1092,8 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, /* * Prepare context for encryption */ - mbedtls_cipher_free( &ctx ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( use_psa == 1 ) - { - TEST_ASSERT( 0 == mbedtls_cipher_setup_psa( &ctx, - mbedtls_cipher_info_from_type( cipher_id ), - tag->len ) ); - } - else -#endif - { - TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, - mbedtls_cipher_info_from_type( cipher_id ) ) ); - } - TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, - MBEDTLS_ENCRYPT ) ); + cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, + MBEDTLS_ENCRYPT ); /* * Encrypt and check the result From 53f10e70fda847ef8c4c80cb6877c83e58c03891 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 30 Nov 2020 10:17:01 +0100 Subject: [PATCH 19/41] Test cipher_auth_{en,de}crypt_ext() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_cipher.function | 168 ++++++++++++++++++++++-- 1 file changed, 157 insertions(+), 11 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index a40bfb5f2..7ea1a14a2 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -1013,9 +1013,15 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, * of AEAD decryption and AEAD encryption. Check that * this results in the expected plaintext, and that * decryption and encryption are inverse to one another. + * + * Do that twice: + * - once with legacy functions auth_decrypt/auth_encrypt + * - once with new functions auth_decrypt_ext/auth_encrypt_ext + * This allows testing both without duplicating test cases. */ int ret; + int using_nist_kw, using_nist_kw_padding; unsigned char output[300]; /* Temporary buffer for results of * encryption and decryption. */ unsigned char *output_tag = NULL; /* Temporary buffer for tag in the @@ -1027,6 +1033,13 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, unsigned char *tmp_tag = NULL; unsigned char *tmp_cipher = NULL; + unsigned char *cipher_plus_tag = NULL; + size_t cipher_plus_tag_len; + unsigned char *decrypt_buf = NULL; + size_t decrypt_buf_len = 0; + unsigned char *encrypt_buf = NULL; + size_t encrypt_buf_len = 0; + mbedtls_cipher_init( &ctx ); memset( output, 0xFF, sizeof( output ) ); @@ -1038,6 +1051,17 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, (void) use_psa; #endif + /* + * Are we using NIST_KW? with padding? + */ + using_nist_kw_padding = cipher_id == MBEDTLS_CIPHER_AES_128_KWP || + cipher_id == MBEDTLS_CIPHER_AES_192_KWP || + cipher_id == MBEDTLS_CIPHER_AES_256_KWP; + using_nist_kw = cipher_id == MBEDTLS_CIPHER_AES_128_KW || + cipher_id == MBEDTLS_CIPHER_AES_192_KW || + cipher_id == MBEDTLS_CIPHER_AES_256_KW || + using_nist_kw_padding; + /* * Prepare context for decryption */ @@ -1045,24 +1069,146 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, MBEDTLS_DECRYPT ); /* - * Prepare buffers/pointers for decryption + * prepare buffer for decryption + * (we need the tag appended to the ciphertext) + */ + cipher_plus_tag_len = cipher->len + tag->len; + ASSERT_ALLOC( cipher_plus_tag, cipher_plus_tag_len ); + memcpy( cipher_plus_tag, cipher->x, cipher->len ); + memcpy( cipher_plus_tag + cipher->len, tag->x, tag->len ); + + /* + * Compute length of output buffer according to the documentation + */ + if( using_nist_kw ) + decrypt_buf_len = cipher_plus_tag_len - 8; + else + decrypt_buf_len = cipher_plus_tag_len - tag->len; + + + /* + * Try decrypting to a buffer that's 1B too small + */ + if( decrypt_buf_len != 0 ) + { + ASSERT_ALLOC( decrypt_buf, decrypt_buf_len - 1 ); + + outlen = 0; + ret = mbedtls_cipher_auth_decrypt_ext( &ctx, iv->x, iv->len, + ad->x, ad->len, cipher_plus_tag, cipher_plus_tag_len, + decrypt_buf, decrypt_buf_len - 1, &outlen, tag->len ); + TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); + + mbedtls_free( decrypt_buf ); + decrypt_buf = NULL; + } + + /* + * Authenticate and decrypt, and check result + */ + ASSERT_ALLOC( decrypt_buf, decrypt_buf_len ); + + outlen = 0; + ret = mbedtls_cipher_auth_decrypt_ext( &ctx, iv->x, iv->len, + ad->x, ad->len, cipher_plus_tag, cipher_plus_tag_len, + decrypt_buf, decrypt_buf_len, &outlen, tag->len ); + + if( strcmp( result, "FAIL" ) == 0 ) + { + TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ); + } + else + { + TEST_ASSERT( ret == 0 ); + + TEST_ASSERT( outlen == clear->len ); + if( clear->len != 0 ) + TEST_ASSERT( memcmp( decrypt_buf, clear->x, clear->len ) == 0 ); + } + + /* Free this, but keep cipher_plus_tag for legacy function with PSA */ + mbedtls_free( decrypt_buf ); + decrypt_buf = NULL; + + /* + * Encrypt back if test data was authentic + */ + if( strcmp( result, "FAIL" ) != 0 ) + { + /* prepare context for encryption */ + cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, + MBEDTLS_ENCRYPT ); + + /* + * Compute size of output buffer according to documentation + */ + if( using_nist_kw ) + { + encrypt_buf_len = clear->len + 8; + if( using_nist_kw_padding && encrypt_buf_len % 8 != 0 ) + encrypt_buf_len += 8 - encrypt_buf_len % 8; + } + else + { + encrypt_buf_len = clear->len + tag->len; + } + + /* + * Try encrypting with an output buffer that's 1B too small + */ + ASSERT_ALLOC( encrypt_buf, encrypt_buf_len - 1 ); + + outlen = 0; + ret = mbedtls_cipher_auth_encrypt_ext( &ctx, iv->x, iv->len, + ad->x, ad->len, clear->x, clear->len, + encrypt_buf, encrypt_buf_len - 1, &outlen, tag->len ); + TEST_ASSERT( ret != 0 ); + + mbedtls_free( encrypt_buf ); + encrypt_buf = NULL; + + /* + * Encrypt and check the result + */ + ASSERT_ALLOC( encrypt_buf, encrypt_buf_len ); + + outlen = 0; + ret = mbedtls_cipher_auth_encrypt_ext( &ctx, iv->x, iv->len, + ad->x, ad->len, clear->x, clear->len, + encrypt_buf, encrypt_buf_len, &outlen, tag->len ); + TEST_ASSERT( ret == 0 ); + + TEST_ASSERT( outlen == cipher->len + tag->len ); + TEST_ASSERT( memcmp( encrypt_buf, cipher->x, cipher->len ) == 0 ); + TEST_ASSERT( memcmp( encrypt_buf + cipher->len, + tag->x, tag->len ) == 0 ); + + mbedtls_free( encrypt_buf ); + encrypt_buf = NULL; + } + + /* + * Prepare context for decryption + */ + cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, + MBEDTLS_DECRYPT ); + + /* + * Prepare pointers for decryption */ #if defined(MBEDTLS_USE_PSA_CRYPTO) if( use_psa == 1 ) { - /* PSA requires that the tag immediately follows the ciphertext. */ - tmp_cipher = mbedtls_calloc( 1, cipher->len + tag->len ); - TEST_ASSERT( tmp_cipher != NULL ); + /* PSA requires that the tag immediately follows the ciphertext. + * Fortunately, we already have that from testing the new API. */ + tmp_cipher = cipher_plus_tag; tmp_tag = tmp_cipher + cipher->len; - - memcpy( tmp_cipher, cipher->x, cipher->len ); - memcpy( tmp_tag, tag->x, tag->len ); } else #endif /* MBEDTLS_USE_PSA_CRYPTO */ { - tmp_tag = tag->x; tmp_cipher = cipher->x; + tmp_tag = tag->x; } /* @@ -1118,13 +1264,13 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, exit: mbedtls_cipher_free( &ctx ); + mbedtls_free( decrypt_buf ); + mbedtls_free( encrypt_buf ); + mbedtls_free( cipher_plus_tag ); #if defined(MBEDTLS_USE_PSA_CRYPTO) if( use_psa == 1 ) - { - mbedtls_free( tmp_cipher ); PSA_DONE( ); - } #endif /* MBEDTLS_USE_PSA_CRYPTO */ } /* END_CASE */ From f2ffbc43878c971235253f815f3d1ce61012c92c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 1 Dec 2020 09:57:55 +0100 Subject: [PATCH 20/41] Stop supporting NIST_KW in cipher_auth_xxcrypt() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/cipher.h | 30 ++++++++++++-------- library/cipher.c | 28 ++++++------------- tests/suites/test_suite_cipher.function | 37 ++++++++++++++++++------- 3 files changed, 54 insertions(+), 41 deletions(-) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 49b8b5e9e..24524c5c3 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -858,10 +858,14 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, #if defined(MBEDTLS_CIPHER_MODE_AEAD) /** - * \brief The generic autenticated encryption (AEAD) function. + * \brief The generic authenticated encryption (AEAD) function. + * + * \note This function only supports AEAD algorithms, not key + * wrapping algorithms such as NIST_KW; for this, see + * mbedtls_cipher_auth_encrypt_ext(). * * \param ctx The generic cipher context. This must be initialized and - * bound to a key. + * bound to a key associated with an AEAD algorithm. * \param iv The nonce to use. This must be a readable buffer of * at least \p iv_len Bytes and must not be \c NULL. * \param iv_len The length of the nonce. This must satisfy the @@ -885,7 +889,7 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, * below regarding restrictions with PSA-based contexts. * \param tag_len The desired length of the authentication tag. This * must match the constraints imposed by the AEAD cipher - * used, and in particuler must not be \c 0. + * used, and in particular must not be \c 0. * * \note If the context is based on PSA (that is, it was set up * with mbedtls_cipher_setup_psa()), then it is required @@ -905,14 +909,18 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, unsigned char *tag, size_t tag_len ); /** - * \brief The generic autenticated decryption (AEAD) function. + * \brief The generic authenticated decryption (AEAD) function. + * + * \note This function only supports AEAD algorithms, not key + * wrapping algorithms such as NIST_KW; for this, see + * mbedtls_cipher_auth_encrypt_ext(). * * \note If the data is not authentic, then the output buffer * is zeroed out to prevent the unauthentic plaintext being * used, making this interface safer. * * \param ctx The generic cipher context. This must be initialized and - * and bound to a key. + * bound to a key associated with an AEAD algorithm. * \param iv The nonce to use. This must be a readable buffer of * at least \p iv_len Bytes and must not be \c NULL. * \param iv_len The length of the nonce. This must satisfy the @@ -959,14 +967,14 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) /** - * \brief The autenticated encryption (AEAD/NIST_KW) function. + * \brief The authenticated encryption (AEAD/NIST_KW) function. * * \note For AEAD modes, the tag will be appended to the * ciphertext, as recommended by RFC 5116. * (NIST_KW doesn't have a separate tag.) * * \param ctx The generic cipher context. This must be initialized and - * bound to a key. + * bound to a key, with an AEAD algorithm or NIST_KW. * \param iv The nonce to use. This must be a readable buffer of * at least \p iv_len Bytes and may be \c NULL if \p * iv_len is \c 0. @@ -994,7 +1002,7 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, * writable object of type \c size_t. * \param tag_len The desired length of the authentication tag. For AEAD * ciphers, this must match the constraints imposed by - * the cipher used, and in particuler must not be \c 0. + * the cipher used, and in particular must not be \c 0. * For NIST_KW, this must be \c 0. * * \return \c 0 on success. @@ -1010,7 +1018,7 @@ int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, size_t *olen, size_t tag_len ); /** - * \brief The autenticated encryption (AEAD/NIST_KW) function. + * \brief The authenticated encryption (AEAD/NIST_KW) function. * * \note If the data is not authentic, then the output buffer * is zeroed out to prevent the unauthentic plaintext being @@ -1021,7 +1029,7 @@ int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, * (NIST_KW doesn't have a separate tag.) * * \param ctx The generic cipher context. This must be initialized and - * and bound to a key. + * bound to a key, with an AEAD algorithm or NIST_KW. * \param iv The nonce to use. This must be a readable buffer of * at least \p iv_len Bytes and may be \c NULL if \p * iv_len is \c 0. @@ -1049,7 +1057,7 @@ int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, * writable object of type \c size_t. * \param tag_len The actual length of the authentication tag. For AEAD * ciphers, this must match the constraints imposed by - * the cipher used, and in particuler must not be \c 0. + * the cipher used, and in particular must not be \c 0. * For NIST_KW, this must be \c 0. * * \return \c 0 on success. diff --git a/library/cipher.c b/library/cipher.c index 20e1e7b3a..47dafa4aa 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -1491,16 +1491,10 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) { - mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? - MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; - - /* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */ - if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) - { - return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); - } - - return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) ); + /* NIST_KW is not supported because we used to document the wrong size + * of the output buffer, so people should move to the _ext API, + * which has an explicit argument for buffer size. */ + return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); } #endif /* MBEDTLS_NIST_KW_C */ @@ -1531,16 +1525,10 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) { - mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? - MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; - - /* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */ - if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) - { - return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); - } - - return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) ); + /* NIST_KW is not supported because we used to document the wrong size + * of the output buffer, so people should move to the _ext API, + * which has an explicit argument for buffer size. */ + return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); } #endif /* MBEDTLS_NIST_KW_C */ diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 7ea1a14a2..543ccf6fd 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -1222,22 +1222,31 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, tmp_cipher, cipher->len, output, &outlen, tmp_tag, tag->len ); - /* make sure the message is rejected if it should be */ - if( strcmp( result, "FAIL" ) == 0 ) + if( using_nist_kw ) { + /* NIST_KW with legacy API */ + TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); + } + else if( strcmp( result, "FAIL" ) == 0 ) + { + /* unauthentic message */ TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ); } else { - /* otherwise, make sure it was decrypted properly */ + /* authentic message: is the plaintext correct? */ TEST_ASSERT( ret == 0 ); TEST_ASSERT( outlen == clear->len ); TEST_ASSERT( memcmp( output, clear->x, clear->len ) == 0 ); + } - /* - * Prepare context for encryption - */ + /* + * Encrypt back if test data was authentic + */ + if( strcmp( result, "FAIL" ) != 0 ) + { + /* prepare context for encryption */ cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, MBEDTLS_ENCRYPT ); @@ -1254,11 +1263,19 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, ret = mbedtls_cipher_auth_encrypt( &ctx, iv->x, iv->len, ad->x, ad->len, clear->x, clear->len, output, &outlen, output_tag, tag->len ); - TEST_ASSERT( ret == 0 ); - TEST_ASSERT( outlen == cipher->len ); - TEST_ASSERT( memcmp( output, cipher->x, cipher->len ) == 0 ); - TEST_ASSERT( memcmp( output_tag, tag->x, tag->len ) == 0 ); + if( using_nist_kw ) + { + TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); + } + else + { + TEST_ASSERT( ret == 0 ); + + TEST_ASSERT( outlen == cipher->len ); + TEST_ASSERT( memcmp( output, cipher->x, cipher->len ) == 0 ); + TEST_ASSERT( memcmp( output_tag, tag->x, tag->len ) == 0 ); + } } exit: From 513c2433178276b3e902e1133923eb5d194c15af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 1 Dec 2020 10:34:57 +0100 Subject: [PATCH 21/41] Deprecate mbedtls_cipher_auth_xxcrypt() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This temporarily breaks all.sh '*deprecated*' (deprecated functions still used in the library), which will be fix in the next commit. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/cipher.h | 20 +++++++++++-- library/cipher.c | 2 ++ tests/suites/test_suite_cipher.function | 39 +++++++++++++++++++------ 3 files changed, 49 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 24524c5c3..9ae2f0609 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -857,9 +857,17 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, unsigned char *output, size_t *olen ); #if defined(MBEDTLS_CIPHER_MODE_AEAD) +#if ! defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif /* MBEDTLS_DEPRECATED_WARNING */ /** * \brief The generic authenticated encryption (AEAD) function. * + * \deprecated Superseded by mbedtls_cipher_auth_encrypt_ext(). + * * \note This function only supports AEAD algorithms, not key * wrapping algorithms such as NIST_KW; for this, see * mbedtls_cipher_auth_encrypt_ext(). @@ -906,14 +914,17 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, - unsigned char *tag, size_t tag_len ); + unsigned char *tag, size_t tag_len ) + MBEDTLS_DEPRECATED; /** * \brief The generic authenticated decryption (AEAD) function. * + * \deprecated Superseded by mbedtls_cipher_auth_decrypt_ext(). + * * \note This function only supports AEAD algorithms, not key * wrapping algorithms such as NIST_KW; for this, see - * mbedtls_cipher_auth_encrypt_ext(). + * mbedtls_cipher_auth_decrypt_ext(). * * \note If the data is not authentic, then the output buffer * is zeroed out to prevent the unauthentic plaintext being @@ -962,7 +973,10 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, - const unsigned char *tag, size_t tag_len ); + const unsigned char *tag, size_t tag_len ) + MBEDTLS_DEPRECATED; +#undef MBEDTLS_DEPRECATED +#endif /* MBEDTLS_DEPRECATED_REMOVED */ #endif /* MBEDTLS_CIPHER_MODE_AEAD */ #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) diff --git a/library/cipher.c b/library/cipher.c index 47dafa4aa..44cba34bc 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -1469,6 +1469,7 @@ static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx, return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); } +#if !defined(MBEDTLS_DEPRECATED_REMOVED) /* * Packet-oriented encryption for AEAD modes: public function. */ @@ -1536,6 +1537,7 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, input, ilen, output, olen, tag, tag_len ) ); } +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #endif /* MBEDTLS_CIPHER_MODE_AEAD */ #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 543ccf6fd..3b6d1e307 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -1022,17 +1022,10 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, int ret; int using_nist_kw, using_nist_kw_padding; - unsigned char output[300]; /* Temporary buffer for results of - * encryption and decryption. */ - unsigned char *output_tag = NULL; /* Temporary buffer for tag in the - * encryption step. */ mbedtls_cipher_context_t ctx; size_t outlen; - unsigned char *tmp_tag = NULL; - unsigned char *tmp_cipher = NULL; - unsigned char *cipher_plus_tag = NULL; size_t cipher_plus_tag_len; unsigned char *decrypt_buf = NULL; @@ -1040,8 +1033,19 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, unsigned char *encrypt_buf = NULL; size_t encrypt_buf_len = 0; - mbedtls_cipher_init( &ctx ); +#if !defined(MBEDTLS_DEPRECATED_WARNING) && \ + !defined(MBEDTLS_DEPRECATED_REMOVED) + unsigned char output[300]; /* Temporary buffer for results of + * encryption and decryption. */ + unsigned char *output_tag = NULL; /* Temporary buffer for tag in the + * encryption step. */ + unsigned char *tmp_tag = NULL; + unsigned char *tmp_cipher = NULL; + memset( output, 0xFF, sizeof( output ) ); +#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */ + + mbedtls_cipher_init( &ctx ); /* Initialize PSA Crypto */ #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -1062,6 +1066,12 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, cipher_id == MBEDTLS_CIPHER_AES_256_KW || using_nist_kw_padding; + /**************************************************************** + * * + * Part 1: non-deprecated API * + * * + ****************************************************************/ + /* * Prepare context for decryption */ @@ -1126,7 +1136,7 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, TEST_ASSERT( memcmp( decrypt_buf, clear->x, clear->len ) == 0 ); } - /* Free this, but keep cipher_plus_tag for legacy function with PSA */ + /* Free this, but keep cipher_plus_tag for deprecated function with PSA */ mbedtls_free( decrypt_buf ); decrypt_buf = NULL; @@ -1187,6 +1197,15 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, encrypt_buf = NULL; } + /**************************************************************** + * * + * Part 2: deprecated API * + * * + ****************************************************************/ + +#if !defined(MBEDTLS_DEPRECATED_WARNING) && \ + !defined(MBEDTLS_DEPRECATED_REMOVED) + /* * Prepare context for decryption */ @@ -1278,6 +1297,8 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, } } +#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */ + exit: mbedtls_cipher_free( &ctx ); From f5cf71e14adab82533a7d8cd12cbdb998948d2d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 1 Dec 2020 11:43:40 +0100 Subject: [PATCH 22/41] Stop using deprecated functions in the library MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit all.sh -k '*deprecated*' now passes again Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 22 +++++++++++----------- library/ssl_ticket.c | 23 ++++++++++------------- 2 files changed, 21 insertions(+), 24 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index bdf882d87..597494ead 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -850,20 +850,21 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, * Encrypt and authenticate */ - if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc, + if( ( ret = mbedtls_cipher_auth_encrypt_ext( &transform->cipher_ctx_enc, iv, transform->ivlen, - add_data, add_data_len, /* add data */ - data, rec->data_len, /* source */ - data, &rec->data_len, /* destination */ - data + rec->data_len, transform->taglen ) ) != 0 ) + add_data, add_data_len, + data, rec->data_len, /* src */ + data, rec->buf_len - (data - rec->buf), /* dst */ + &rec->data_len, + transform->taglen ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret ); return( ret ); } MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", - data + rec->data_len, transform->taglen ); + data + rec->data_len - transform->taglen, + transform->taglen ); /* Account for authentication tag. */ - rec->data_len += transform->taglen; post_avail -= transform->taglen; /* @@ -1420,12 +1421,11 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, /* * Decrypt and authenticate */ - if( ( ret = mbedtls_cipher_auth_decrypt( &transform->cipher_ctx_dec, + if( ( ret = mbedtls_cipher_auth_decrypt_ext( &transform->cipher_ctx_dec, iv, transform->ivlen, add_data, add_data_len, - data, rec->data_len, - data, &olen, - data + rec->data_len, + data, rec->data_len + transform->taglen, /* src */ + data, rec->buf_len - (data - rec->buf), &olen, /* dst */ transform->taglen ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret ); diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index e3e802315..626d137cc 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -209,7 +209,6 @@ int mbedtls_ssl_ticket_write( void *p_ticket, unsigned char *iv = start + TICKET_KEY_NAME_BYTES; unsigned char *state_len_bytes = iv + TICKET_IV_BYTES; unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES; - unsigned char *tag; size_t clear_len, ciph_len; *tlen = 0; @@ -250,23 +249,23 @@ int mbedtls_ssl_ticket_write( void *p_ticket, state_len_bytes[1] = ( clear_len ) & 0xff; /* Encrypt and authenticate */ - tag = state + clear_len; - if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx, + if( ( ret = mbedtls_cipher_auth_encrypt_ext( &key->ctx, iv, TICKET_IV_BYTES, /* Additional data: key name, IV and length */ key_name, TICKET_ADD_DATA_LEN, - state, clear_len, state, &ciph_len, - tag, TICKET_AUTH_TAG_BYTES ) ) != 0 ) + state, clear_len, + state, end - state, &ciph_len, + TICKET_AUTH_TAG_BYTES ) ) != 0 ) { goto cleanup; } - if( ciph_len != clear_len ) + if( ciph_len != clear_len + TICKET_AUTH_TAG_BYTES ) { ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; goto cleanup; } - *tlen = TICKET_MIN_LEN + ciph_len; + *tlen = TICKET_MIN_LEN + ciph_len - TICKET_AUTH_TAG_BYTES; cleanup: #if defined(MBEDTLS_THREADING_C) @@ -308,7 +307,6 @@ int mbedtls_ssl_ticket_parse( void *p_ticket, unsigned char *iv = buf + TICKET_KEY_NAME_BYTES; unsigned char *enc_len_p = iv + TICKET_IV_BYTES; unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES; - unsigned char *tag; size_t enc_len, clear_len; if( ctx == NULL || ctx->f_rng == NULL ) @@ -326,7 +324,6 @@ int mbedtls_ssl_ticket_parse( void *p_ticket, goto cleanup; enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1]; - tag = ticket + enc_len; if( len != TICKET_MIN_LEN + enc_len ) { @@ -344,13 +341,13 @@ int mbedtls_ssl_ticket_parse( void *p_ticket, } /* Decrypt and authenticate */ - if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx, + if( ( ret = mbedtls_cipher_auth_decrypt_ext( &key->ctx, iv, TICKET_IV_BYTES, /* Additional data: key name, IV and length */ key_name, TICKET_ADD_DATA_LEN, - ticket, enc_len, - ticket, &clear_len, - tag, TICKET_AUTH_TAG_BYTES ) ) != 0 ) + ticket, enc_len + TICKET_AUTH_TAG_BYTES, + ticket, enc_len, &clear_len, + TICKET_AUTH_TAG_BYTES ) ) != 0 ) { if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) ret = MBEDTLS_ERR_SSL_INVALID_MAC; From 9b2a78966f94032869c8cff1d522a3e09f0f5a5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 3 Dec 2020 11:09:46 +0100 Subject: [PATCH 23/41] Use exact-size buffers for testing auth_xxcrypt() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_cipher.function | 58 ++++++++++++++++--------- 1 file changed, 37 insertions(+), 21 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 3b6d1e307..0aa2ad8c0 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -1035,14 +1035,9 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, #if !defined(MBEDTLS_DEPRECATED_WARNING) && \ !defined(MBEDTLS_DEPRECATED_REMOVED) - unsigned char output[300]; /* Temporary buffer for results of - * encryption and decryption. */ - unsigned char *output_tag = NULL; /* Temporary buffer for tag in the - * encryption step. */ unsigned char *tmp_tag = NULL; unsigned char *tmp_cipher = NULL; - - memset( output, 0xFF, sizeof( output ) ); + unsigned char *tag_buf = NULL; #endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */ mbedtls_cipher_init( &ctx ); @@ -1234,11 +1229,11 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, * Authenticate and decrypt, and check result */ - /* Sanity check that we don't use overly long inputs. */ - TEST_ASSERT( sizeof( output ) >= cipher->len ); - + /* We can't pass a NULL output buffer to this funciton */ + ASSERT_ALLOC( decrypt_buf, cipher->len ? cipher->len : 1 ); + outlen = 0; ret = mbedtls_cipher_auth_decrypt( &ctx, iv->x, iv->len, ad->x, ad->len, - tmp_cipher, cipher->len, output, &outlen, + tmp_cipher, cipher->len, decrypt_buf, &outlen, tmp_tag, tag->len ); if( using_nist_kw ) @@ -1257,9 +1252,14 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, TEST_ASSERT( ret == 0 ); TEST_ASSERT( outlen == clear->len ); - TEST_ASSERT( memcmp( output, clear->x, clear->len ) == 0 ); + TEST_ASSERT( memcmp( decrypt_buf, clear->x, clear->len ) == 0 ); } + mbedtls_free( decrypt_buf ); + decrypt_buf = NULL; + mbedtls_free( cipher_plus_tag ); + cipher_plus_tag = NULL; + /* * Encrypt back if test data was authentic */ @@ -1269,19 +1269,31 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, MBEDTLS_ENCRYPT ); + /* prepare buffers for encryption */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( use_psa ) + { + ASSERT_ALLOC( cipher_plus_tag, cipher->len + tag->len ); + tmp_cipher = cipher_plus_tag; + tmp_tag = cipher_plus_tag + cipher->len; + } + else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + { + /* can't pass a NULL output buffer to this function */ + ASSERT_ALLOC( encrypt_buf, cipher->len ? cipher->len : 1 ); + ASSERT_ALLOC( tag_buf, tag->len ); + tmp_cipher = encrypt_buf; + tmp_tag = tag_buf; + } + /* * Encrypt and check the result */ - memset( output, 0xFF, sizeof( output ) ); outlen = 0; - - /* Sanity check that we don't use overly long inputs. */ - TEST_ASSERT( sizeof( output ) >= clear->len + tag->len ); - - output_tag = output + clear->len; ret = mbedtls_cipher_auth_encrypt( &ctx, iv->x, iv->len, ad->x, ad->len, - clear->x, clear->len, output, &outlen, - output_tag, tag->len ); + clear->x, clear->len, tmp_cipher, &outlen, + tmp_tag, tag->len ); if( using_nist_kw ) { @@ -1292,8 +1304,8 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, TEST_ASSERT( ret == 0 ); TEST_ASSERT( outlen == cipher->len ); - TEST_ASSERT( memcmp( output, cipher->x, cipher->len ) == 0 ); - TEST_ASSERT( memcmp( output_tag, tag->x, tag->len ) == 0 ); + TEST_ASSERT( memcmp( tmp_cipher, cipher->x, cipher->len ) == 0 ); + TEST_ASSERT( memcmp( tmp_tag, tag->x, tag->len ) == 0 ); } } @@ -1305,6 +1317,10 @@ exit: mbedtls_free( decrypt_buf ); mbedtls_free( encrypt_buf ); mbedtls_free( cipher_plus_tag ); +#if !defined(MBEDTLS_DEPRECATED_WARNING) && \ + !defined(MBEDTLS_DEPRECATED_REMOVED) + mbedtls_free( tag_buf ); +#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */ #if defined(MBEDTLS_USE_PSA_CRYPTO) if( use_psa == 1 ) From 86796bc8a59f8fc9930ba4722feb5a8aaddef9d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 3 Dec 2020 11:29:22 +0100 Subject: [PATCH 24/41] Add check_param test for cipher_auth_xxcrypt_ext() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_cipher.function | 102 ++++++++++++++++++++++++ 1 file changed, 102 insertions(+) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 0aa2ad8c0..0fcbd3749 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -529,6 +529,108 @@ void cipher_invalid_param_conditional( ) NULL, valid_size ) ); #endif /* defined(MBEDTLS_CIPHER_MODE_AEAD) */ +#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) + /* mbedtls_cipher_auth_encrypt_ext */ + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_encrypt_ext( NULL, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, &size_t_var, + valid_size ) ); + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_encrypt_ext( &valid_ctx, + NULL, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, &size_t_var, + valid_size ) ); + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_encrypt_ext( &valid_ctx, + valid_buffer, valid_size, + NULL, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, &size_t_var, + valid_size ) ); + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_encrypt_ext( &valid_ctx, + valid_buffer, valid_size, + valid_buffer, valid_size, + NULL, valid_size, + valid_buffer, valid_size, &size_t_var, + valid_size ) ); + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_encrypt_ext( &valid_ctx, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, + NULL, valid_size, &size_t_var, + valid_size ) ); + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_encrypt_ext( &valid_ctx, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, NULL, + valid_size ) ); + + /* mbedtls_cipher_auth_decrypt_ext */ + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_decrypt_ext( NULL, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, &size_t_var, + valid_size ) ); + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_decrypt_ext( &valid_ctx, + NULL, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, &size_t_var, + valid_size ) ); + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_decrypt_ext( &valid_ctx, + valid_buffer, valid_size, + NULL, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, &size_t_var, + valid_size ) ); + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_decrypt_ext( &valid_ctx, + valid_buffer, valid_size, + valid_buffer, valid_size, + NULL, valid_size, + valid_buffer, valid_size, &size_t_var, + valid_size ) ); + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_decrypt_ext( &valid_ctx, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, + NULL, valid_size, &size_t_var, + valid_size ) ); + TEST_INVALID_PARAM_RET( + MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, + mbedtls_cipher_auth_decrypt_ext( &valid_ctx, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, + valid_buffer, valid_size, NULL, + valid_size ) ); +#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ + /* mbedtls_cipher_free() */ TEST_VALID_PARAM( mbedtls_cipher_free( NULL ) ); exit: From f215ef82aff029b376c1a10535fa6c7baccf12aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 3 Dec 2020 12:33:31 +0100 Subject: [PATCH 25/41] Test that auth_decrypt{,_ext}() zeroize on failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The documentation says it does, so it should be tested. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_cipher.function | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 0fcbd3749..b77d3696f 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -55,6 +55,19 @@ static void cipher_reset_key( mbedtls_cipher_context_t *ctx, int cipher_id, exit: ; } + +/* + * Check if a buffer is all-0 bytes: + * return 1 if it is, + * 0 if it isn't. + */ +int buffer_is_all_zero( const uint8_t *buf, size_t size ) +{ + for( size_t i = 0; i < size; i++ ) + if( buf[i] != 0 ) + return 0; + return 1; +} #endif /* MBEDTLS_CIPHER_AUTH_CRYPT */ /* END_HEADER */ @@ -1223,6 +1236,7 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, if( strcmp( result, "FAIL" ) == 0 ) { TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ); + TEST_ASSERT( buffer_is_all_zero( decrypt_buf, decrypt_buf_len ) ); } else { @@ -1347,6 +1361,7 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, { /* unauthentic message */ TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ); + TEST_ASSERT( buffer_is_all_zero( decrypt_buf, cipher->len ) ); } else { From aa850cdfdc6c19f6cd96cf68d55cc0b1c9e9ef09 Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Thu, 3 Dec 2020 11:35:41 +0000 Subject: [PATCH 26/41] Reword test cases Reword test cases to be easier to read and understand. Adds comments to better explain what the test is doing. Signed-off-by: Chris Jones --- tests/suites/test_suite_mpi.data | 12 ++++++------ tests/suites/test_suite_mpi.function | 19 +++++++++++-------- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index 18082330a..1c0661f4e 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data @@ -694,22 +694,22 @@ mbedtls_mpi_exp_mod:10:"23":10:"-13":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_IN Base test mbedtls_mpi_exp_mod #6 (Negative base + exponent) mbedtls_mpi_exp_mod:10:"-23":10:"-13":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA -Base test mbedtls_mpi_exp_mod #7 (MAX_SIZE exponent) +Test mbedtls_mpi_exp_mod: MAX_SIZE exponent mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE:2:10:"":0 -Base test mbedtls_mpi_exp_mod #8 (MAX_SIZE + 1 exponent) +Test mbedtls_mpi_exp_mod: MAX_SIZE + 1 exponent mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE + 1:2:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA -Base test mbedtls_mpi_exp_mod #9 (MAX_SIZE modulus) +Test mbedtls_mpi_exp_mod: MAX_SIZE modulus mbedtls_mpi_exp_mod_size:2:2:MBEDTLS_MPI_MAX_SIZE:10:"":0 -Base test mbedtls_mpi_exp_mod #10 (MAX_SIZE + 1 modulus) +Test mbedtls_mpi_exp_mod: MAX_SIZE + 1 modulus mbedtls_mpi_exp_mod_size:2:2:MBEDTLS_MPI_MAX_SIZE + 1:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA -Base test mbedtls_mpi_exp_mod #11 (MAX_SIZE exponent and modulus) +Test mbedtls_mpi_exp_mod: MAX_SIZE exponent and modulus mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE:MBEDTLS_MPI_MAX_SIZE:10:"":0 -Base test mbedtls_mpi_exp_mod #12 (MAX_SIZE + 1 exponent and modulus) +Test mbedtls_mpi_exp_mod: MAX_SIZE + 1 exponent and modulus mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE + 1:MBEDTLS_MPI_MAX_SIZE + 1:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA Test mbedtls_mpi_exp_mod #1 diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function index 97107c211..6f305e9cf 100644 --- a/tests/suites/test_suite_mpi.function +++ b/tests/suites/test_suite_mpi.function @@ -1166,28 +1166,31 @@ exit: /* BEGIN_CASE */ void mbedtls_mpi_exp_mod_size( int A_bytes, int E_bytes, int N_bytes, - int radix_RR, char * input_RR, int div_result ) + int radix_RR, char * input_RR, int exp_result ) { mbedtls_mpi A, E, N, RR, Z; mbedtls_mpi_init( &A ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &Z ); + /* Set A to 2^(A_bytes - 1) + 1 */ TEST_ASSERT( mbedtls_mpi_lset( &A, 1 ) == 0 ); - TEST_ASSERT( mbedtls_mpi_lset( &E, 1 ) == 0 ); - TEST_ASSERT( mbedtls_mpi_lset( &N, 1 ) == 0 ); - TEST_ASSERT( mbedtls_mpi_shift_l( &A, ( A_bytes * 8 ) - 1 ) == 0 ); - TEST_ASSERT( mbedtls_mpi_shift_l( &E, ( E_bytes * 8 ) - 1 ) == 0 ); - TEST_ASSERT( mbedtls_mpi_shift_l( &N, ( N_bytes * 8 ) - 1 ) == 0 ); - TEST_ASSERT( mbedtls_mpi_set_bit( &A, 0, 1 ) == 0 ); + + /* Set E to 2^(E_bytes - 1) + 1 */ + TEST_ASSERT( mbedtls_mpi_lset( &E, 1 ) == 0 ); + TEST_ASSERT( mbedtls_mpi_shift_l( &E, ( E_bytes * 8 ) - 1 ) == 0 ); TEST_ASSERT( mbedtls_mpi_set_bit( &E, 0, 1 ) == 0 ); + + /* Set N to 2^(N_bytes - 1) + 1 */ + TEST_ASSERT( mbedtls_mpi_lset( &N, 1 ) == 0 ); + TEST_ASSERT( mbedtls_mpi_shift_l( &N, ( N_bytes * 8 ) - 1 ) == 0 ); TEST_ASSERT( mbedtls_mpi_set_bit( &N, 0, 1 ) == 0 ); if( strlen( input_RR ) ) TEST_ASSERT( mbedtls_mpi_read_string( &RR, radix_RR, input_RR ) == 0 ); - TEST_ASSERT( mbedtls_mpi_exp_mod( &Z, &A, &E, &N, &RR ) == div_result ); + TEST_ASSERT( mbedtls_mpi_exp_mod( &Z, &A, &E, &N, &RR ) == exp_result ); exit: mbedtls_mpi_free( &A ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &N ); From e146bdcff9ea79896a07cec30508c98f3466b258 Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Thu, 3 Dec 2020 11:52:40 +0000 Subject: [PATCH 27/41] Fix cases where exponentiation was not fully tested In two test cases, the exponentiation computation was not being fully tested as when A_bytes (the base) == N_bytes (the modulus) -> A = N. When this is the case A is reduced to 0 and therefore the result of the computation will always be 0. This fixes that issue and therefore increases the test coverage to ensure different computations are actually being run. Signed-off-by: Chris Jones --- tests/suites/test_suite_mpi.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index 1c0661f4e..e01e995ab 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data @@ -695,10 +695,10 @@ Base test mbedtls_mpi_exp_mod #6 (Negative base + exponent) mbedtls_mpi_exp_mod:10:"-23":10:"-13":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA Test mbedtls_mpi_exp_mod: MAX_SIZE exponent -mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE:2:10:"":0 +mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE:10:10:"":0 Test mbedtls_mpi_exp_mod: MAX_SIZE + 1 exponent -mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE + 1:2:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA +mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE + 1:10:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA Test mbedtls_mpi_exp_mod: MAX_SIZE modulus mbedtls_mpi_exp_mod_size:2:2:MBEDTLS_MPI_MAX_SIZE:10:"":0 From 6df90523e179173baeb841aea40eda17d6a1dab7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 3 Dec 2020 13:00:58 +0100 Subject: [PATCH 28/41] Add ChangeLog entries for auth_crypt changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/cipher-auth-crypt-nist-kw.txt | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 ChangeLog.d/cipher-auth-crypt-nist-kw.txt diff --git a/ChangeLog.d/cipher-auth-crypt-nist-kw.txt b/ChangeLog.d/cipher-auth-crypt-nist-kw.txt new file mode 100644 index 000000000..63519a126 --- /dev/null +++ b/ChangeLog.d/cipher-auth-crypt-nist-kw.txt @@ -0,0 +1,22 @@ +API changes + * The functions mbedtls_cipher_auth_encrypt() and + mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts, + as they have no way to check if the output buffer is large enough. + Please use mbedtls_cipher_auth_encrypt_ext() and + mbedtls_cipher_auth_decrypt_ext() instead. + +Security + * The functions mbedtls_cipher_auth_encrypt() and + mbedtls_cipher_auth_decrypt() would write past the minimum documented + size of the output buffer when used with NIST_KW. As a result, code using + those functions as documented with NIST_KW could have a buffer overwrite + of up to 15 bytes, with consequences ranging up to arbitrary code + execution depending on the location of the output buffer. + +New deprecations + * The functions mbedtls_cipher_auth_encrypt() and + mbedtls_cipher_auth_decrypt() are deprecated in favour of the new + functions mbedtls_cipher_auth_encrypt_ext() and + mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers, + these new functions always append the tag to the ciphertext, and include + the tag in the ciphertext length. From 4592bd8982961ec466915c98f70eb569764b668a Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Thu, 3 Dec 2020 14:24:33 +0000 Subject: [PATCH 29/41] Fix broken testing on numbers that may be greater than MPI_MAX_SIZE Previously `mbedtls_mpi_exp_mod` was tested with values that were over `MBEDTLS_MPI_MAX_SIZE` in size. This is useful to do as some paths are only taken when the exponent is large enough however, on builds where `MBEDTLS_MPI_MAX_SIZE` is under the size of these test values. This fix turns off these tests when `MBEDTLS_MPI_MAX_SIZE` is too small to safely test (notably this is the case in config-thread.h). Signed-off-by: Chris Jones --- tests/suites/test_suite_mpi.function | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function index 6f305e9cf..f44db7022 100644 --- a/tests/suites/test_suite_mpi.function +++ b/tests/suites/test_suite_mpi.function @@ -1,6 +1,10 @@ /* BEGIN_HEADER */ #include "mbedtls/bignum.h" +#if MBEDTLS_MPI_MAX_BITS > 256 +#define MPI_MAX_BITS_LARGER_THAN_256 +#endif + typedef struct mbedtls_test_mpi_random { data_t *data; @@ -1132,7 +1136,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MPI_MAX_BITS_LARGER_THAN_256 */ void mbedtls_mpi_exp_mod( int radix_A, char * input_A, int radix_E, char * input_E, int radix_N, char * input_N, int radix_RR, char * input_RR, int radix_X, From 7c430305e36e5a56eaaa06cfa2035b4493b86dac Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Thu, 3 Dec 2020 15:22:25 +0000 Subject: [PATCH 30/41] Move dependancy to specific test cases Move dependancy on `MBEDTLS_MPI_MAX_BITS` to apply to the specific test cases which will break when `MBEDTLS_MPI_MAX_BITS` is too small. This re-enables previous tests that were turned off accidentally. Signed-off-by: Chris Jones --- tests/suites/test_suite_mpi.data | 2 ++ tests/suites/test_suite_mpi.function | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index e01e995ab..a8fc104a1 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data @@ -713,12 +713,14 @@ Test mbedtls_mpi_exp_mod: MAX_SIZE + 1 exponent and modulus mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE + 1:MBEDTLS_MPI_MAX_SIZE + 1:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA Test mbedtls_mpi_exp_mod #1 +depends_on:MPI_MAX_BITS_LARGER_THAN_256 mbedtls_mpi_exp_mod:10:"433019240910377478217373572959560109819648647016096560523769010881172869083338285573756574557395862965095016483867813043663981946477698466501451832407592327356331263124555137732393938242285782144928753919588632679050799198937132922145084847":10:"5781538327977828897150909166778407659250458379645823062042492461576758526757490910073628008613977550546382774775570888130029763571528699574717583228939535960234464230882573615930384979100379102915657483866755371559811718767760594919456971354184113721":10:"583137007797276923956891216216022144052044091311388601652961409557516421612874571554415606746479105795833145583959622117418531166391184939066520869800857530421873250114773204354963864729386957427276448683092491947566992077136553066273207777134303397724679138833126700957":10:"":10:"114597449276684355144920670007147953232659436380163461553186940113929777196018164149703566472936578890991049344459204199888254907113495794730452699842273939581048142004834330369483813876618772578869083248061616444392091693787039636316845512292127097865026290173004860736":0 Test mbedtls_mpi_exp_mod (Negative base) [#1] mbedtls_mpi_exp_mod:10:"-10000000000":10:"10000000000":10:"99999":10:"":10:"1":0 Test mbedtls_mpi_exp_mod (Negative base) [#2] +depends_on:MPI_MAX_BITS_LARGER_THAN_256 mbedtls_mpi_exp_mod:16:"-9f13012cd92aa72fb86ac8879d2fde4f7fd661aaae43a00971f081cc60ca277059d5c37e89652e2af2585d281d66ef6a9d38a117e9608e9e7574cd142dc55278838a2161dd56db9470d4c1da2d5df15a908ee2eb886aaa890f23be16de59386663a12f1afbb325431a3e835e3fd89b98b96a6f77382f458ef9a37e1f84a03045c8676ab55291a94c2228ea15448ee96b626b998":16:"40a54d1b9e86789f06d9607fb158672d64867665c73ee9abb545fc7a785634b354c7bae5b962ce8040cf45f2c1f3d3659b2ee5ede17534c8fc2ec85c815e8df1fe7048d12c90ee31b88a68a081f17f0d8ce5f4030521e9400083bcea73a429031d4ca7949c2000d597088e0c39a6014d8bf962b73bb2e8083bd0390a4e00b9b3":16:"eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3":16:"":16:"21acc7199e1b90f9b4844ffe12c19f00ec548c5d32b21c647d48b6015d8eb9ec9db05b4f3d44db4227a2b5659c1a7cceb9d5fa8fa60376047953ce7397d90aaeb7465e14e820734f84aa52ad0fc66701bcbb991d57715806a11531268e1e83dd48288c72b424a6287e9ce4e5cc4db0dd67614aecc23b0124a5776d36e5c89483":0 Base test GCD #1 diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function index f44db7022..a16e4db17 100644 --- a/tests/suites/test_suite_mpi.function +++ b/tests/suites/test_suite_mpi.function @@ -1136,7 +1136,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MPI_MAX_BITS_LARGER_THAN_256 */ +/* BEGIN_CASE */ void mbedtls_mpi_exp_mod( int radix_A, char * input_A, int radix_E, char * input_E, int radix_N, char * input_N, int radix_RR, char * input_RR, int radix_X, From add99487848f9d3f5e437a4a3013a348fc1ec41b Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Thu, 3 Dec 2020 15:45:29 +0000 Subject: [PATCH 31/41] Fix whitespace in changelog entry Extra whitespace and a missing newline at end of file was causing an error with `check_files.py`. Signed-off-by: Chris Jones --- ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt b/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt index 982b7bc2c..2ba98d541 100644 --- a/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt +++ b/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt @@ -1,4 +1,4 @@ Security - * Limit the size of calculations performed by mbedtls_mpi_exp_mod to - MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when - generating Diffie-Hellman key pairs. Credit to OSS-Fuzz. \ No newline at end of file + * Limit the size of calculations performed by mbedtls_mpi_exp_mod to + MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when + generating Diffie-Hellman key pairs. Credit to OSS-Fuzz. From e64a46f4662f7d3d2ab0f9426be9f7ef3d00f25e Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Thu, 3 Dec 2020 17:44:03 +0000 Subject: [PATCH 32/41] Fix exponentiation tests with `MBEDTLS_MPI_MAX_BITS` larger than 256 Fixes an issue where configs that had `MBEDTLS_MPI_MAX_BITS` greater than 256 but smaller than the test that was running (792 bits) the test would fail incorrectly. Signed-off-by: Chris Jones --- tests/suites/test_suite_mpi.data | 4 ++-- tests/suites/test_suite_mpi.function | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index a8fc104a1..d8f582df6 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data @@ -713,14 +713,14 @@ Test mbedtls_mpi_exp_mod: MAX_SIZE + 1 exponent and modulus mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE + 1:MBEDTLS_MPI_MAX_SIZE + 1:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA Test mbedtls_mpi_exp_mod #1 -depends_on:MPI_MAX_BITS_LARGER_THAN_256 +depends_on:MPI_MAX_BITS_LARGER_THAN_792 mbedtls_mpi_exp_mod:10:"433019240910377478217373572959560109819648647016096560523769010881172869083338285573756574557395862965095016483867813043663981946477698466501451832407592327356331263124555137732393938242285782144928753919588632679050799198937132922145084847":10:"5781538327977828897150909166778407659250458379645823062042492461576758526757490910073628008613977550546382774775570888130029763571528699574717583228939535960234464230882573615930384979100379102915657483866755371559811718767760594919456971354184113721":10:"583137007797276923956891216216022144052044091311388601652961409557516421612874571554415606746479105795833145583959622117418531166391184939066520869800857530421873250114773204354963864729386957427276448683092491947566992077136553066273207777134303397724679138833126700957":10:"":10:"114597449276684355144920670007147953232659436380163461553186940113929777196018164149703566472936578890991049344459204199888254907113495794730452699842273939581048142004834330369483813876618772578869083248061616444392091693787039636316845512292127097865026290173004860736":0 Test mbedtls_mpi_exp_mod (Negative base) [#1] mbedtls_mpi_exp_mod:10:"-10000000000":10:"10000000000":10:"99999":10:"":10:"1":0 Test mbedtls_mpi_exp_mod (Negative base) [#2] -depends_on:MPI_MAX_BITS_LARGER_THAN_256 +depends_on:MPI_MAX_BITS_LARGER_THAN_792 mbedtls_mpi_exp_mod:16:"-9f13012cd92aa72fb86ac8879d2fde4f7fd661aaae43a00971f081cc60ca277059d5c37e89652e2af2585d281d66ef6a9d38a117e9608e9e7574cd142dc55278838a2161dd56db9470d4c1da2d5df15a908ee2eb886aaa890f23be16de59386663a12f1afbb325431a3e835e3fd89b98b96a6f77382f458ef9a37e1f84a03045c8676ab55291a94c2228ea15448ee96b626b998":16:"40a54d1b9e86789f06d9607fb158672d64867665c73ee9abb545fc7a785634b354c7bae5b962ce8040cf45f2c1f3d3659b2ee5ede17534c8fc2ec85c815e8df1fe7048d12c90ee31b88a68a081f17f0d8ce5f4030521e9400083bcea73a429031d4ca7949c2000d597088e0c39a6014d8bf962b73bb2e8083bd0390a4e00b9b3":16:"eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3":16:"":16:"21acc7199e1b90f9b4844ffe12c19f00ec548c5d32b21c647d48b6015d8eb9ec9db05b4f3d44db4227a2b5659c1a7cceb9d5fa8fa60376047953ce7397d90aaeb7465e14e820734f84aa52ad0fc66701bcbb991d57715806a11531268e1e83dd48288c72b424a6287e9ce4e5cc4db0dd67614aecc23b0124a5776d36e5c89483":0 Base test GCD #1 diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function index a16e4db17..4fb447f9c 100644 --- a/tests/suites/test_suite_mpi.function +++ b/tests/suites/test_suite_mpi.function @@ -1,8 +1,8 @@ /* BEGIN_HEADER */ #include "mbedtls/bignum.h" -#if MBEDTLS_MPI_MAX_BITS > 256 -#define MPI_MAX_BITS_LARGER_THAN_256 +#if MBEDTLS_MPI_MAX_BITS > 792 +#define MPI_MAX_BITS_LARGER_THAN_792 #endif typedef struct mbedtls_test_mpi_random From b23e31d86ac58d160d1a236da4120d02800740c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 Dec 2020 09:57:35 +0100 Subject: [PATCH 33/41] Minor documentation/comment fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit typos, overlong lines Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/cipher.h | 12 ++++++------ tests/suites/test_suite_cipher.function | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 9ae2f0609..1cafa6ec2 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -992,9 +992,9 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, * \param iv The nonce to use. This must be a readable buffer of * at least \p iv_len Bytes and may be \c NULL if \p * iv_len is \c 0. - * \param iv_len The length of the nonce. For AEAD ciphers, this must satisfy the - * constraints imposed by the cipher used. For NIST_KW, - * this must be \c 0. + * \param iv_len The length of the nonce. For AEAD ciphers, this must + * satisfy the constraints imposed by the cipher used. + * For NIST_KW, this must be \c 0. * \param ad The additional data to authenticate. This must be a * readable buffer of at least \p ad_len Bytes, and may * be \c NULL is \p ad_len is \c 0. @@ -1047,9 +1047,9 @@ int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, * \param iv The nonce to use. This must be a readable buffer of * at least \p iv_len Bytes and may be \c NULL if \p * iv_len is \c 0. - * \param iv_len The length of the nonce. For AEAD ciphers, this must satisfy the - * constraints imposed by the cipher used. For NIST_KW, - * this must be \c 0. + * \param iv_len The length of the nonce. For AEAD ciphers, this must + * satisfy the constraints imposed by the cipher used. + * For NIST_KW, this must be \c 0. * \param ad The additional data to authenticate. This must be a * readable buffer of at least \p ad_len Bytes, and may * be \c NULL is \p ad_len is \c 0. diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index b77d3696f..47a763cc8 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -1345,7 +1345,7 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, * Authenticate and decrypt, and check result */ - /* We can't pass a NULL output buffer to this funciton */ + /* We can't pass a NULL output buffer to this function */ ASSERT_ALLOC( decrypt_buf, cipher->len ? cipher->len : 1 ); outlen = 0; ret = mbedtls_cipher_auth_decrypt( &ctx, iv->x, iv->len, ad->x, ad->len, From 70edd689a8cc774e6359ebee982e0c8bcd504453 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 3 Dec 2020 20:27:27 +0100 Subject: [PATCH 34/41] cipher_auth_xxcrypt(): fix some null pointer handling Make sure that if a buffer is allowed to be empty, a null pointer is accepted if the buffer length is 0. This was already the case for most but not all arguments to mbedtls_cipher_auth_{en,de}crypt{,_ext}. Make sure to pass NULL for an empty buffer in the tests. Signed-off-by: Gilles Peskine --- library/cipher.c | 16 ++++++++-------- tests/suites/test_suite_cipher.function | 19 ++++++++++++++----- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index 44cba34bc..cf45446f7 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -1313,7 +1313,7 @@ static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx, /* PSA Crypto API always writes the authentication tag * at the end of the encrypted message. */ - if( tag != output + ilen ) + if( output == NULL || tag != output + ilen ) return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); status = psa_aead_encrypt( cipher_psa->slot, @@ -1393,7 +1393,7 @@ static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx, /* PSA Crypto API always writes the authentication tag * at the end of the encrypted message. */ - if( tag != input + ilen ) + if( input == NULL || tag != input + ilen ) return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); status = psa_aead_decrypt( cipher_psa->slot, @@ -1481,10 +1481,10 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, unsigned char *tag, size_t tag_len ) { CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( iv != NULL ); + CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); - CIPHER_VALIDATE_RET( output != NULL ); + CIPHER_VALIDATE_RET( ilen == 0 || output != NULL ); CIPHER_VALIDATE_RET( olen != NULL ); CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); @@ -1515,10 +1515,10 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, const unsigned char *tag, size_t tag_len ) { CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( iv != NULL ); + CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); - CIPHER_VALIDATE_RET( output != NULL ); + CIPHER_VALIDATE_RET( ilen == 0 || output != NULL ); CIPHER_VALIDATE_RET( olen != NULL ); CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); @@ -1552,7 +1552,7 @@ int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, size_t *olen, size_t tag_len ) { CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( iv != NULL ); + CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); CIPHER_VALIDATE_RET( output != NULL ); @@ -1601,7 +1601,7 @@ int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx, size_t *olen, size_t tag_len ) { CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( iv != NULL ); + CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); CIPHER_VALIDATE_RET( output_len == 0 || output != NULL ); diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 47a763cc8..ffe328458 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -1155,6 +1155,16 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, unsigned char *tag_buf = NULL; #endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */ + /* Null pointers are documented as valid for inputs of length 0. + * The test framework passes non-null pointers, so set them to NULL. + * key, cipher and tag can't be empty. */ + if( iv->len == 0 ) + iv->x = NULL; + if( ad->len == 0 ) + ad->x = NULL; + if( clear->len == 0 ) + clear->x = NULL; + mbedtls_cipher_init( &ctx ); /* Initialize PSA Crypto */ @@ -1345,8 +1355,7 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, * Authenticate and decrypt, and check result */ - /* We can't pass a NULL output buffer to this function */ - ASSERT_ALLOC( decrypt_buf, cipher->len ? cipher->len : 1 ); + ASSERT_ALLOC( decrypt_buf, cipher->len ); outlen = 0; ret = mbedtls_cipher_auth_decrypt( &ctx, iv->x, iv->len, ad->x, ad->len, tmp_cipher, cipher->len, decrypt_buf, &outlen, @@ -1397,8 +1406,7 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, else #endif /* MBEDTLS_USE_PSA_CRYPTO */ { - /* can't pass a NULL output buffer to this function */ - ASSERT_ALLOC( encrypt_buf, cipher->len ? cipher->len : 1 ); + ASSERT_ALLOC( encrypt_buf, cipher->len ); ASSERT_ALLOC( tag_buf, tag->len ); tmp_cipher = encrypt_buf; tmp_tag = tag_buf; @@ -1421,7 +1429,8 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, TEST_ASSERT( ret == 0 ); TEST_ASSERT( outlen == cipher->len ); - TEST_ASSERT( memcmp( tmp_cipher, cipher->x, cipher->len ) == 0 ); + if( cipher->len != 0 ) + TEST_ASSERT( memcmp( tmp_cipher, cipher->x, cipher->len ) == 0 ); TEST_ASSERT( memcmp( tmp_tag, tag->x, tag->len ) == 0 ); } } From a2971ea62cfdd930ec89ab99f00800550d50398b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 3 Dec 2020 20:36:02 +0100 Subject: [PATCH 35/41] Simplify some buffer comparisons in tests Signed-off-by: Gilles Peskine --- tests/suites/test_suite_cipher.function | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index ffe328458..5e9a1e3f2 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -1251,10 +1251,7 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, else { TEST_ASSERT( ret == 0 ); - - TEST_ASSERT( outlen == clear->len ); - if( clear->len != 0 ) - TEST_ASSERT( memcmp( decrypt_buf, clear->x, clear->len ) == 0 ); + ASSERT_COMPARE( decrypt_buf, outlen, clear->x, clear->len ); } /* Free this, but keep cipher_plus_tag for deprecated function with PSA */ @@ -1376,9 +1373,7 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, { /* authentic message: is the plaintext correct? */ TEST_ASSERT( ret == 0 ); - - TEST_ASSERT( outlen == clear->len ); - TEST_ASSERT( memcmp( decrypt_buf, clear->x, clear->len ) == 0 ); + ASSERT_COMPARE( decrypt_buf, outlen, clear->x, clear->len ); } mbedtls_free( decrypt_buf ); From 8a3d2348596d3972eb57a759bce1f6c799dc4066 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 3 Dec 2020 21:06:15 +0100 Subject: [PATCH 36/41] Fail the test case immediately if cipher_reset_key fails Signed-off-by: Gilles Peskine --- tests/suites/test_suite_cipher.function | 26 +++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 5e9a1e3f2..1d98f3db0 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -27,7 +27,7 @@ * individual ciphers, and it doesn't work with the PSA wrappers. So don't do * it, and instead start with a fresh context. */ -static void cipher_reset_key( mbedtls_cipher_context_t *ctx, int cipher_id, +static int cipher_reset_key( mbedtls_cipher_context_t *ctx, int cipher_id, int use_psa, size_t tag_len, const data_t *key, int direction ) { mbedtls_cipher_free( ctx ); @@ -52,8 +52,10 @@ static void cipher_reset_key( mbedtls_cipher_context_t *ctx, int cipher_id, TEST_ASSERT( 0 == mbedtls_cipher_setkey( ctx, key->x, 8 * key->len, direction ) ); + return( 1 ); + exit: - ; + return( 0 ); } /* @@ -1195,8 +1197,9 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, /* * Prepare context for decryption */ - cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, - MBEDTLS_DECRYPT ); + if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, + MBEDTLS_DECRYPT ) ) + goto exit; /* * prepare buffer for decryption @@ -1264,8 +1267,9 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, if( strcmp( result, "FAIL" ) != 0 ) { /* prepare context for encryption */ - cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, - MBEDTLS_ENCRYPT ); + if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, + MBEDTLS_ENCRYPT ) ) + goto exit; /* * Compute size of output buffer according to documentation @@ -1327,8 +1331,9 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, /* * Prepare context for decryption */ - cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, - MBEDTLS_DECRYPT ); + if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, + MBEDTLS_DECRYPT ) ) + goto exit; /* * Prepare pointers for decryption @@ -1387,8 +1392,9 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, if( strcmp( result, "FAIL" ) != 0 ) { /* prepare context for encryption */ - cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, - MBEDTLS_ENCRYPT ); + if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, + MBEDTLS_ENCRYPT ) ) + goto exit; /* prepare buffers for encryption */ #if defined(MBEDTLS_USE_PSA_CRYPTO) From e09aeb4923f17449be7b8cda9a998e5c31ba273c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 4 Dec 2020 00:31:09 +0100 Subject: [PATCH 37/41] Remove redundant NIST_KW checks in cipher_auth_xxcrypt() The internal functions mbedtls_cipher_aead_{encrypt,decrypt} reject unsupported algorithms, so there's no need for an additional check in the legacy wrappers. Signed-off-by: Gilles Peskine --- library/cipher.c | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index cf45446f7..503109253 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -1488,17 +1488,6 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, CIPHER_VALIDATE_RET( olen != NULL ); CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); -#if defined(MBEDTLS_NIST_KW_C) - if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || - MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) - { - /* NIST_KW is not supported because we used to document the wrong size - * of the output buffer, so people should move to the _ext API, - * which has an explicit argument for buffer size. */ - return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); - } -#endif /* MBEDTLS_NIST_KW_C */ - return( mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len, input, ilen, output, olen, tag, tag_len ) ); @@ -1522,17 +1511,6 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, CIPHER_VALIDATE_RET( olen != NULL ); CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); -#if defined(MBEDTLS_NIST_KW_C) - if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || - MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) - { - /* NIST_KW is not supported because we used to document the wrong size - * of the output buffer, so people should move to the _ext API, - * which has an explicit argument for buffer size. */ - return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); - } -#endif /* MBEDTLS_NIST_KW_C */ - return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len, input, ilen, output, olen, tag, tag_len ) ); From a56d3d9e758e27ba529ea6be561dc716bf5d3ce3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 4 Dec 2020 00:47:07 +0100 Subject: [PATCH 38/41] cipher_auth_xxcrypt_ext: Make NIST_KW case more robust Don't invoke classic NIST_KW in case PSA gains support for NIST_KW. Signed-off-by: Gilles Peskine --- library/cipher.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index 503109253..119e79600 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -1537,8 +1537,12 @@ int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, CIPHER_VALIDATE_RET( olen != NULL ); #if defined(MBEDTLS_NIST_KW_C) - if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || - MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) + if( +#if defined(MBEDTLS_USE_PSA_CRYPTO) + ctx->psa_enabled == 0 && +#endif + ( MBEDTLS_MODE_KW == ctx->cipher_info->mode || + MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) ) { mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; @@ -1586,8 +1590,12 @@ int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx, CIPHER_VALIDATE_RET( olen != NULL ); #if defined(MBEDTLS_NIST_KW_C) - if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || - MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) + if( +#if defined(MBEDTLS_USE_PSA_CRYPTO) + ctx->psa_enabled == 0 && +#endif + ( MBEDTLS_MODE_KW == ctx->cipher_info->mode || + MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) ) { mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; From 4e0a4d444d44d6722fd2e71fcdc4703365dd2ea2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 4 Dec 2020 00:48:14 +0100 Subject: [PATCH 39/41] Clarifying comment Signed-off-by: Gilles Peskine --- library/cipher.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index 119e79600..ee365a185 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -1471,7 +1471,7 @@ static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx, #if !defined(MBEDTLS_DEPRECATED_REMOVED) /* - * Packet-oriented encryption for AEAD modes: public function. + * Packet-oriented encryption for AEAD modes: public legacy function. */ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, @@ -1494,7 +1494,7 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, } /* - * Packet-oriented decryption for AEAD modes: public function. + * Packet-oriented decryption for AEAD modes: public legacy function. */ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, From 841b6fa97fa3221ea8f1ce31f99c3673ba8940e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 Dec 2020 10:42:21 +0100 Subject: [PATCH 40/41] Fix unused param warnings in auth_xxcrypt_ext() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/cipher.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/cipher.c b/library/cipher.c index ee365a185..457f8f660 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -1552,6 +1552,9 @@ int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); + (void) iv; + (void) ad; + return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen, output, olen, output_len ) ); } @@ -1605,6 +1608,9 @@ int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx, if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); + (void) iv; + (void) ad; + return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen, output, olen, output_len ) ); } From 22a191199df8487ef1470785529c16d187802310 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 7 Dec 2020 14:26:07 +0100 Subject: [PATCH 41/41] NIST_KW in cipher: credit the reporter This issue was found by Guido Vranken's Cryptofuzz running on the OSS-Fuzz platform. Fix #3665 Signed-off-by: Gilles Peskine --- ChangeLog.d/cipher-auth-crypt-nist-kw.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog.d/cipher-auth-crypt-nist-kw.txt b/ChangeLog.d/cipher-auth-crypt-nist-kw.txt index 63519a126..fd18e859a 100644 --- a/ChangeLog.d/cipher-auth-crypt-nist-kw.txt +++ b/ChangeLog.d/cipher-auth-crypt-nist-kw.txt @@ -3,7 +3,8 @@ API changes mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts, as they have no way to check if the output buffer is large enough. Please use mbedtls_cipher_auth_encrypt_ext() and - mbedtls_cipher_auth_decrypt_ext() instead. + mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and + Cryptofuzz. Fixes #3665. Security * The functions mbedtls_cipher_auth_encrypt() and