From 89d469cdb4c576ceb74008ede2345879245d0f4a Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 22 Jun 2021 16:24:28 +0200 Subject: [PATCH 01/52] Move working variables to ccm context structure Signed-off-by: Mateusz Starzyk --- include/mbedtls/ccm.h | 10 +++++ library/ccm.c | 98 +++++++++++++++++++++---------------------- 2 files changed, 58 insertions(+), 50 deletions(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index b3adecc4f..2b9909e1a 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -77,6 +77,16 @@ extern "C" { typedef struct mbedtls_ccm_context { mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ + unsigned char MBEDTLS_PRIVATE(b)[16]; /*!< The B working buffer */ + unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working buffer */ + unsigned char MBEDTLS_PRIVATE(ctr)[16]; /*!< The counter buffer */ + unsigned char MBEDTLS_PRIVATE(q); /*!< The Q working value */ + size_t MBEDTLS_PRIVATE(plaintext_len); /*!< The counter buffer */ + int MBEDTLS_PRIVATE(mode); /*!< The operation to perform: + #MBEDTLS_CCM_ENCRYPT or + #MBEDTLS_CCM_DECRYPT or + #MBEDTLS_CCM_STAR_ENCRYPT or + #MBEDTLS_CCM_STAR_DECRYPT. */ } mbedtls_ccm_context; diff --git a/library/ccm.c b/library/ccm.c index 424ee77b6..686eda543 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -117,11 +117,11 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) * Update the CBC-MAC state in y using a block in b * (Always using b as the source helps the compiler optimise a bit better.) */ -#define UPDATE_CBC_MAC \ - for( i = 0; i < 16; i++ ) \ - y[i] ^= b[i]; \ - \ - if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \ +#define UPDATE_CBC_MAC \ + for( i = 0; i < 16; i++ ) \ + ctx->y[i] ^= ctx->b[i]; \ + \ + if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 ) \ return( ret ); /* @@ -130,16 +130,16 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) * This avoids allocating one more 16 bytes buffer while allowing src == dst. */ #define CTR_CRYPT( dst, src, len ) \ - do \ - { \ - if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr, \ - 16, b, &olen ) ) != 0 ) \ - { \ - return( ret ); \ - } \ - \ - for( i = 0; i < (len); i++ ) \ - (dst)[i] = (src)[i] ^ b[i]; \ + do \ + { \ + if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->ctr, \ + 16, ctx->b, &olen ) ) != 0 ) \ + { \ + return( ret ); \ + } \ + \ + for( i = 0; i < (len); i++ ) \ + (dst)[i] = (src)[i] ^ ctx->b[i]; \ } while( 0 ) /* @@ -153,14 +153,12 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; - unsigned char q; size_t len_left, olen; - unsigned char b[16]; - unsigned char y[16]; - unsigned char ctr[16]; const unsigned char *src; unsigned char *dst; + ctx->mode = mode; + /* * Check length requirements: SP800-38C A.1 * Additional requirement: a < 2^16 - 2^8 to simplify the code. @@ -178,7 +176,7 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, if( add_len >= 0xFF00 ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); - q = 16 - 1 - (unsigned char) iv_len; + ctx->q = 16 - 1 - (unsigned char) iv_len; /* * First block B_0: @@ -192,22 +190,22 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, * 5 .. 3 (t - 2) / 2 * 2 .. 0 q - 1 */ - b[0] = 0; - b[0] |= ( add_len > 0 ) << 6; - b[0] |= ( ( tag_len - 2 ) / 2 ) << 3; - b[0] |= q - 1; + ctx->b[0] = 0; + ctx->b[0] |= ( add_len > 0 ) << 6; + ctx->b[0] |= ( ( tag_len - 2 ) / 2 ) << 3; + ctx->b[0] |= ctx->q - 1; - memcpy( b + 1, iv, iv_len ); + memcpy( ctx->b + 1, iv, iv_len ); - for( i = 0, len_left = length; i < q; i++, len_left >>= 8 ) - b[15-i] = (unsigned char)( len_left & 0xFF ); + for( i = 0, len_left = length; i < ctx->q; i++, len_left >>= 8 ) + ctx->b[15-i] = (unsigned char)( len_left & 0xFF ); if( len_left > 0 ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); /* Start CBC-MAC with first block */ - memset( y, 0, 16 ); + memset( ctx->y, 0, 16 ); UPDATE_CBC_MAC; /* @@ -220,12 +218,12 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, len_left = add_len; src = add; - memset( b, 0, 16 ); - b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF ); - b[1] = (unsigned char)( ( add_len ) & 0xFF ); + memset( ctx->b, 0, 16 ); + ctx->b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF ); + ctx->b[1] = (unsigned char)( ( add_len ) & 0xFF ); use_len = len_left < 16 - 2 ? len_left : 16 - 2; - memcpy( b + 2, src, use_len ); + memcpy( ctx->b + 2, src, use_len ); len_left -= use_len; src += use_len; @@ -235,8 +233,8 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, { use_len = len_left > 16 ? 16 : len_left; - memset( b, 0, 16 ); - memcpy( b, src, use_len ); + memset( ctx->b, 0, 16 ); + memcpy( ctx->b, src, use_len ); UPDATE_CBC_MAC; len_left -= use_len; @@ -254,10 +252,10 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, * 7 .. 3 0 * 2 .. 0 q - 1 */ - ctr[0] = q - 1; - memcpy( ctr + 1, iv, iv_len ); - memset( ctr + 1 + iv_len, 0, q ); - ctr[15] = 1; + ctx->ctr[0] = ctx->q - 1; + memcpy( ctx->ctr + 1, iv, iv_len ); + memset( ctx->ctr + 1 + iv_len, 0, ctx->q ); + ctx->ctr[15] = 1; /* * Authenticate and {en,de}crypt the message. @@ -273,19 +271,19 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, { size_t use_len = len_left > 16 ? 16 : len_left; - if( mode == CCM_ENCRYPT ) + if( ctx->mode == CCM_ENCRYPT ) { - memset( b, 0, 16 ); - memcpy( b, src, use_len ); + memset( ctx->b, 0, 16 ); + memcpy( ctx->b, src, use_len ); UPDATE_CBC_MAC; } CTR_CRYPT( dst, src, use_len ); - if( mode == CCM_DECRYPT ) + if( ctx->mode == CCM_DECRYPT ) { - memset( b, 0, 16 ); - memcpy( b, dst, use_len ); + memset( ctx->b, 0, 16 ); + memcpy( ctx->b, dst, use_len ); UPDATE_CBC_MAC; } @@ -297,19 +295,19 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, * Increment counter. * No need to check for overflow thanks to the length check above. */ - for( i = 0; i < q; i++ ) - if( ++ctr[15-i] != 0 ) + for( i = 0; i < ctx->q; i++ ) + if( ++(ctx->ctr)[15-i] != 0 ) break; } /* * Authentication: reset counter and crypt/mask internal tag */ - for( i = 0; i < q; i++ ) - ctr[15-i] = 0; + for( i = 0; i < ctx->q; i++ ) + ctx->ctr[15-i] = 0; - CTR_CRYPT( y, y, 16 ); - memcpy( tag, y, tag_len ); + CTR_CRYPT( ctx->y, ctx->y, 16 ); + memcpy( tag, ctx->y, tag_len ); return( 0 ); } From 793692cbcb296042cc1d5a35b39536e8dc59cdbf Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 22 Jun 2021 20:34:20 +0200 Subject: [PATCH 02/52] Split ccm_auth function. Move logic to ccm_starts, ccm_set_lengths, ccm_update_ad, ccm_update and ccm_finish Use separate variable to track context state. Encode first block only if both mbedtls_ccm_starts() and mbedtls_ccm_set_lengths() were called. Signed-off-by: Mateusz Starzyk --- include/mbedtls/ccm.h | 3 + library/ccm.c | 225 ++++++++++++++++++++++++++++++++---------- 2 files changed, 178 insertions(+), 50 deletions(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index 2b9909e1a..f9f8000fb 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -87,6 +87,9 @@ typedef struct mbedtls_ccm_context #MBEDTLS_CCM_DECRYPT or #MBEDTLS_CCM_STAR_ENCRYPT or #MBEDTLS_CCM_STAR_DECRYPT. */ + int MBEDTLS_PRIVATE(state); /*!< Working value holding context's + state. Used for chunked data + input */ } mbedtls_ccm_context; diff --git a/library/ccm.c b/library/ccm.c index 686eda543..a2ca98600 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -142,22 +142,105 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) (dst)[i] = (src)[i] ^ ctx->b[i]; \ } while( 0 ) -/* - * Authenticated encryption or decryption - */ -static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, - const unsigned char *iv, size_t iv_len, - const unsigned char *add, size_t add_len, - const unsigned char *input, unsigned char *output, - unsigned char *tag, size_t tag_len ) +#define CCM_STATE__CLEAR 0 +#define CCM_STATE__STARTED 0x0001 +#define CCM_STATE__LENGHTS_SET 0x0002 + +static void mbedtls_ccm_clear_state(mbedtls_ccm_context *ctx) { + ctx->state = CCM_STATE__CLEAR; + memset( ctx->b, 0, 16); + memset( ctx->y, 0, 16); + memset( ctx->ctr, 0, 16); +} + +static int mbedtls_ccm_calculate_first_block(mbedtls_ccm_context *ctx) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; size_t len_left, olen; - const unsigned char *src; - unsigned char *dst; + + /* length calulcation can be done only after both + * mbedtls_ccm_starts() and mbedtls_ccm_set_lengths() have been executed + */ + if( !(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGHTS_SET) ) + return 0; + + /* + * First block B_0: + * 0 .. 0 flags - set by: mbedtls_ccm_starts() and mbedtls_ccm_set_lenghts() + * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts() + * iv_len+1 .. 15 length - set by: mbedtls_ccm_calculate_first_block() + */ + for( i = 0, len_left = ctx->plaintext_len; i < ctx->q; i++, len_left >>= 8 ) + ctx->b[15-i] = (unsigned char)( len_left & 0xFF ); + + if( len_left > 0 ) + return( MBEDTLS_ERR_CCM_BAD_INPUT ); + + /* Start CBC-MAC with first block*/ + UPDATE_CBC_MAC; + + return (0); +} + +int mbedtls_ccm_starts( mbedtls_ccm_context *ctx, + int mode, + const unsigned char *iv, + size_t iv_len ) +{ + int ret; + + /* Also implies q is within bounds */ + if( iv_len < 7 || iv_len > 13 ) + return( MBEDTLS_ERR_CCM_BAD_INPUT ); ctx->mode = mode; + ctx->q = 16 - 1 - (unsigned char) iv_len; + + /* + * Prepare counter block for encryption: + * 0 .. 0 flags + * 1 .. iv_len nonce (aka iv) + * iv_len+1 .. 15 counter (initially 1) + * + * With flags as (bits): + * 7 .. 3 0 + * 2 .. 0 q - 1 + */ + memset( ctx->ctr, 0, 16); + ctx->ctr[0] = ctx->q - 1; + memcpy( ctx->ctr + 1, iv, iv_len ); + memset( ctx->ctr + 1 + iv_len, 0, ctx->q ); + ctx->ctr[15] = 1; + + /* + * First block B_0: + * 0 .. 0 flags - set by: mbedtls_ccm_starts() and mbedtls_ccm_set_lenghts() + * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts() + * iv_len+1 .. 15 length - set by: mbedtls_ccm_calculate_first_block() + * + * With flags as (bits): + * 7 0 + * 6 add present? - set by: mbedtls_ccm_set_lengths() + * 5 .. 3 (t - 2) / 2 - set by: mbedtls_ccm_set_lengths() + * 2 .. 0 q - 1 - set by: mbedtls_ccm_starts() + */ + ctx->b[0] |= ctx->q - 1; + + memcpy( ctx->b + 1, iv, iv_len ); + + ctx->state |= CCM_STATE__STARTED; + ret = mbedtls_ccm_calculate_first_block(ctx); + + return ret; +} + +int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx, + size_t total_ad_len, + size_t plaintext_len, + size_t tag_len ) +{ + int ret; /* * Check length requirements: SP800-38C A.1 @@ -169,44 +252,40 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); - /* Also implies q is within bounds */ - if( iv_len < 7 || iv_len > 13 ) + if( total_ad_len >= 0xFF00 ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); - if( add_len >= 0xFF00 ) - return( MBEDTLS_ERR_CCM_BAD_INPUT ); - - ctx->q = 16 - 1 - (unsigned char) iv_len; - /* * First block B_0: - * 0 .. 0 flags - * 1 .. iv_len nonce (aka iv) - * iv_len+1 .. 15 length + * 0 .. 0 flags - set by: mbedtls_ccm_starts() and mbedtls_ccm_set_lenghts() + * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts() + * iv_len+1 .. 15 length - set by: mbedtls_ccm_calculate_first_block() * * With flags as (bits): * 7 0 - * 6 add present? - * 5 .. 3 (t - 2) / 2 - * 2 .. 0 q - 1 + * 6 add present? - set by: mbedtls_ccm_set_lengths() + * 5 .. 3 (t - 2) / 2 - set by: mbedtls_ccm_set_lengths() + * 2 .. 0 q - 1 - set by: mbedtls_ccm_starts() */ - ctx->b[0] = 0; - ctx->b[0] |= ( add_len > 0 ) << 6; + ctx->b[0] |= ( total_ad_len > 0 ) << 6; ctx->b[0] |= ( ( tag_len - 2 ) / 2 ) << 3; - ctx->b[0] |= ctx->q - 1; - memcpy( ctx->b + 1, iv, iv_len ); + ctx->plaintext_len = plaintext_len; - for( i = 0, len_left = length; i < ctx->q; i++, len_left >>= 8 ) - ctx->b[15-i] = (unsigned char)( len_left & 0xFF ); + ctx->state |= CCM_STATE__LENGHTS_SET; + ret = mbedtls_ccm_calculate_first_block(ctx); - if( len_left > 0 ) - return( MBEDTLS_ERR_CCM_BAD_INPUT ); + return ret; +} - - /* Start CBC-MAC with first block */ - memset( ctx->y, 0, 16 ); - UPDATE_CBC_MAC; +int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, + const unsigned char *add, + size_t add_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char i; + size_t len_left, olen; + const unsigned char *src; /* * If there is additional data, update CBC-MAC with @@ -242,20 +321,24 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, } } - /* - * Prepare counter block for encryption: - * 0 .. 0 flags - * 1 .. iv_len nonce (aka iv) - * iv_len+1 .. 15 counter (initially 1) - * - * With flags as (bits): - * 7 .. 3 0 - * 2 .. 0 q - 1 - */ - ctx->ctr[0] = ctx->q - 1; - memcpy( ctx->ctr + 1, iv, iv_len ); - memset( ctx->ctr + 1 + iv_len, 0, ctx->q ); - ctx->ctr[15] = 1; + return (0); +} + +int mbedtls_ccm_update( mbedtls_ccm_context *ctx, + const unsigned char *input, size_t input_len, + unsigned char *output, size_t output_size, + size_t *output_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char i; + size_t len_left, olen; + const unsigned char *src; + unsigned char *dst; + + if( output_size < input_len ) + return( MBEDTLS_ERR_CCM_BAD_INPUT ); + CCM_VALIDATE_RET( output_length != NULL ); + *output_len = input_len; /* * Authenticate and {en,de}crypt the message. @@ -263,7 +346,7 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, * The only difference between encryption and decryption is * the respective order of authentication and {en,de}cryption. */ - len_left = length; + len_left = input_len; src = input; dst = output; @@ -300,6 +383,16 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, break; } + return (0); +} + +int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, + unsigned char *tag, size_t tag_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char i; + size_t olen; + /* * Authentication: reset counter and crypt/mask internal tag */ @@ -308,6 +401,38 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, CTR_CRYPT( ctx->y, ctx->y, 16 ); memcpy( tag, ctx->y, tag_len ); + mbedtls_ccm_clear_state(ctx); + + return( 0 ); +} + +/* + * Authenticated encryption or decryption + */ +static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, + const unsigned char *iv, size_t iv_len, + const unsigned char *add, size_t add_len, + const unsigned char *input, unsigned char *output, + unsigned char *tag, size_t tag_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t olen; + + if( ( ret = mbedtls_ccm_starts( ctx, mode, iv, iv_len ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_ccm_set_lengths( ctx, add_len, length, tag_len ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_ccm_update_ad( ctx, add, add_len ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_ccm_update( ctx, input, length, + output, length, &olen ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_ccm_finish( ctx, tag, tag_len ) ) != 0 ) + return( ret ); return( 0 ); } From 88c4d624f80582d7b242912ce65c37cc8382f39c Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 5 Jul 2021 17:09:16 +0200 Subject: [PATCH 03/52] Clear context state if previous operation failed. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index a2ca98600..34531a416 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -122,7 +122,10 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) ctx->y[i] ^= ctx->b[i]; \ \ if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 ) \ - return( ret ); + { \ + ctx->state |= CCM_STATE__ERROR; \ + return( ret ); \ + } \ /* * Encrypt or decrypt a partial block with CTR @@ -135,6 +138,7 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->ctr, \ 16, ctx->b, &olen ) ) != 0 ) \ { \ + ctx->state |= CCM_STATE__ERROR; \ return( ret ); \ } \ \ @@ -145,6 +149,7 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) #define CCM_STATE__CLEAR 0 #define CCM_STATE__STARTED 0x0001 #define CCM_STATE__LENGHTS_SET 0x0002 +#define CCM_STATE__ERROR 0x0004 static void mbedtls_ccm_clear_state(mbedtls_ccm_context *ctx) { ctx->state = CCM_STATE__CLEAR; @@ -175,7 +180,10 @@ static int mbedtls_ccm_calculate_first_block(mbedtls_ccm_context *ctx) ctx->b[15-i] = (unsigned char)( len_left & 0xFF ); if( len_left > 0 ) + { + ctx->state |= CCM_STATE__ERROR; return( MBEDTLS_ERR_CCM_BAD_INPUT ); + } /* Start CBC-MAC with first block*/ UPDATE_CBC_MAC; @@ -188,12 +196,15 @@ int mbedtls_ccm_starts( mbedtls_ccm_context *ctx, const unsigned char *iv, size_t iv_len ) { - int ret; - /* Also implies q is within bounds */ if( iv_len < 7 || iv_len > 13 ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); + if( ctx->state & CCM_STATE__ERROR ) + { + mbedtls_ccm_clear_state(ctx); + } + ctx->mode = mode; ctx->q = 16 - 1 - (unsigned char) iv_len; @@ -230,9 +241,7 @@ int mbedtls_ccm_starts( mbedtls_ccm_context *ctx, memcpy( ctx->b + 1, iv, iv_len ); ctx->state |= CCM_STATE__STARTED; - ret = mbedtls_ccm_calculate_first_block(ctx); - - return ret; + return mbedtls_ccm_calculate_first_block(ctx); } int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx, @@ -240,8 +249,6 @@ int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx, size_t plaintext_len, size_t tag_len ) { - int ret; - /* * Check length requirements: SP800-38C A.1 * Additional requirement: a < 2^16 - 2^8 to simplify the code. @@ -255,6 +262,11 @@ int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx, if( total_ad_len >= 0xFF00 ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); + if( ctx->state & CCM_STATE__ERROR ) + { + mbedtls_ccm_clear_state(ctx); + } + /* * First block B_0: * 0 .. 0 flags - set by: mbedtls_ccm_starts() and mbedtls_ccm_set_lenghts() @@ -273,9 +285,7 @@ int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx, ctx->plaintext_len = plaintext_len; ctx->state |= CCM_STATE__LENGHTS_SET; - ret = mbedtls_ccm_calculate_first_block(ctx); - - return ret; + return mbedtls_ccm_calculate_first_block(ctx); } int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, From eb2ca96d69e564385f4830e0fb32bc2714375544 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 6 Jul 2021 12:45:11 +0200 Subject: [PATCH 04/52] Store set lenghts in ccm context. Signed-off-by: Mateusz Starzyk --- include/mbedtls/ccm.h | 5 ++++- library/ccm.c | 45 +++++++++++++++---------------------------- 2 files changed, 20 insertions(+), 30 deletions(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index f9f8000fb..813959be0 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -81,7 +81,10 @@ typedef struct mbedtls_ccm_context unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working buffer */ unsigned char MBEDTLS_PRIVATE(ctr)[16]; /*!< The counter buffer */ unsigned char MBEDTLS_PRIVATE(q); /*!< The Q working value */ - size_t MBEDTLS_PRIVATE(plaintext_len); /*!< The counter buffer */ + size_t MBEDTLS_PRIVATE(plaintext_len); /*!< Total plaintext length */ + size_t MBEDTLS_PRIVATE(add_len); /*!< Total authentication data length */ + size_t MBEDTLS_PRIVATE(tag_len); /*!< Total tag length */ + size_t MBEDTLS_PRIVATE(processed); /*!< How many bytes of input data were processed (chunked input) */ int MBEDTLS_PRIVATE(mode); /*!< The operation to perform: #MBEDTLS_CCM_ENCRYPT or #MBEDTLS_CCM_DECRYPT or diff --git a/library/ccm.c b/library/ccm.c index 34531a416..36b1e9158 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -172,10 +172,20 @@ static int mbedtls_ccm_calculate_first_block(mbedtls_ccm_context *ctx) /* * First block B_0: - * 0 .. 0 flags - set by: mbedtls_ccm_starts() and mbedtls_ccm_set_lenghts() + * 0 .. 0 flags * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts() - * iv_len+1 .. 15 length - set by: mbedtls_ccm_calculate_first_block() + * iv_len+1 .. 15 length + * + * With flags as (bits): + * 7 0 + * 6 add present? + * 5 .. 3 (t - 2) / 2 + * 2 .. 0 q - 1 */ + ctx->b[0] |= ( ctx->add_len > 0 ) << 6; + ctx->b[0] |= ( ( ctx->tag_len - 2 ) / 2 ) << 3; + ctx->b[0] |= ctx->q - 1; + for( i = 0, len_left = ctx->plaintext_len; i < ctx->q; i++, len_left >>= 8 ) ctx->b[15-i] = (unsigned char)( len_left & 0xFF ); @@ -225,19 +235,8 @@ int mbedtls_ccm_starts( mbedtls_ccm_context *ctx, ctx->ctr[15] = 1; /* - * First block B_0: - * 0 .. 0 flags - set by: mbedtls_ccm_starts() and mbedtls_ccm_set_lenghts() - * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts() - * iv_len+1 .. 15 length - set by: mbedtls_ccm_calculate_first_block() - * - * With flags as (bits): - * 7 0 - * 6 add present? - set by: mbedtls_ccm_set_lengths() - * 5 .. 3 (t - 2) / 2 - set by: mbedtls_ccm_set_lengths() - * 2 .. 0 q - 1 - set by: mbedtls_ccm_starts() + * See mbedtls_ccm_calculate_first_block() for B block layout description */ - ctx->b[0] |= ctx->q - 1; - memcpy( ctx->b + 1, iv, iv_len ); ctx->state |= CCM_STATE__STARTED; @@ -267,22 +266,10 @@ int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx, mbedtls_ccm_clear_state(ctx); } - /* - * First block B_0: - * 0 .. 0 flags - set by: mbedtls_ccm_starts() and mbedtls_ccm_set_lenghts() - * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts() - * iv_len+1 .. 15 length - set by: mbedtls_ccm_calculate_first_block() - * - * With flags as (bits): - * 7 0 - * 6 add present? - set by: mbedtls_ccm_set_lengths() - * 5 .. 3 (t - 2) / 2 - set by: mbedtls_ccm_set_lengths() - * 2 .. 0 q - 1 - set by: mbedtls_ccm_starts() - */ - ctx->b[0] |= ( total_ad_len > 0 ) << 6; - ctx->b[0] |= ( ( tag_len - 2 ) / 2 ) << 3; - ctx->plaintext_len = plaintext_len; + ctx->add_len = total_ad_len; + ctx->tag_len = tag_len; + ctx->processed = 0; ctx->state |= CCM_STATE__LENGHTS_SET; return mbedtls_ccm_calculate_first_block(ctx); From 33392450b75dac7a45c523f67b1ea6b7bcd43e4c Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 6 Jul 2021 15:38:35 +0200 Subject: [PATCH 05/52] Add chunked auth data support Signed-off-by: Mateusz Starzyk --- library/ccm.c | 59 ++++++++++++++++++++++++++------------------------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 36b1e9158..0a886a0e1 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -281,43 +281,44 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; - size_t len_left, olen; - const unsigned char *src; + size_t olen, use_len, offset; - /* - * If there is additional data, update CBC-MAC with - * add_len, add, 0 (padding to a block boundary) - */ - if( add_len > 0 ) + if( ctx->add_len > 0 && add_len > 0) { - size_t use_len; - len_left = add_len; - src = add; - - memset( ctx->b, 0, 16 ); - ctx->b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF ); - ctx->b[1] = (unsigned char)( ( add_len ) & 0xFF ); - - use_len = len_left < 16 - 2 ? len_left : 16 - 2; - memcpy( ctx->b + 2, src, use_len ); - len_left -= use_len; - src += use_len; - - UPDATE_CBC_MAC; - - while( len_left > 0 ) + if( ctx->processed == 0 ) { - use_len = len_left > 16 ? 16 : len_left; - memset( ctx->b, 0, 16 ); - memcpy( ctx->b, src, use_len ); - UPDATE_CBC_MAC; + ctx->b[0] = (unsigned char)( ( ctx->add_len >> 8 ) & 0xFF ); + ctx->b[1] = (unsigned char)( ( ctx->add_len ) & 0xFF ); - len_left -= use_len; - src += use_len; + ctx->processed += 2; + } + + while( add_len > 0 ) + { + offset = ctx->processed % 16; + + use_len = 16 - offset; + + if( use_len > add_len ) + use_len = add_len; + + memcpy( ctx->b + offset, add, use_len ); + ctx->processed += use_len; + add_len -= use_len; + add += use_len; + + if( use_len + offset == 16 || ctx->processed - 2 == ctx->add_len ) + { + UPDATE_CBC_MAC; + memset( ctx->b, 0, 16 ); + } } } + if( ctx->processed - 2 == ctx->add_len ) + ctx->processed = 0; // prepare for mbedtls_ccm_update() + return (0); } From 2ad7d8e1ffcaa1b431db6e994206798987ea779e Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 7 Jul 2021 11:05:45 +0200 Subject: [PATCH 06/52] Replace CCM_CRYPT macro with a more versatile static function. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 59 ++++++++++++++++++++++++++++----------------------- 1 file changed, 32 insertions(+), 27 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 0a886a0e1..ae5fa3425 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -108,14 +108,11 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) ); } -/* - * Macros for common operations. - * Results in smaller compiled code than static inline functions. - */ - /* * Update the CBC-MAC state in y using a block in b * (Always using b as the source helps the compiler optimise a bit better.) + * + * Macro results in smaller compiled code than static inline functions. */ #define UPDATE_CBC_MAC \ for( i = 0; i < 16; i++ ) \ @@ -127,30 +124,37 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) return( ret ); \ } \ -/* - * Encrypt or decrypt a partial block with CTR - * Warning: using b for temporary storage! src and dst must not be b! - * This avoids allocating one more 16 bytes buffer while allowing src == dst. - */ -#define CTR_CRYPT( dst, src, len ) \ - do \ - { \ - if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->ctr, \ - 16, ctx->b, &olen ) ) != 0 ) \ - { \ - ctx->state |= CCM_STATE__ERROR; \ - return( ret ); \ - } \ - \ - for( i = 0; i < (len); i++ ) \ - (dst)[i] = (src)[i] ^ ctx->b[i]; \ - } while( 0 ) - #define CCM_STATE__CLEAR 0 #define CCM_STATE__STARTED 0x0001 #define CCM_STATE__LENGHTS_SET 0x0002 #define CCM_STATE__ERROR 0x0004 +/* + * Encrypt or decrypt a partial block with CTR + */ +static int mbedtls_ccm_crypt( mbedtls_ccm_context *ctx, + size_t offset, size_t use_len, + const unsigned char *input, + unsigned char *output ) +{ + size_t i; + size_t olen = 0; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char tmp_buf[16] = {0}; + + if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->ctr, 16, tmp_buf, + &olen ) ) != 0 ) + { + ctx->state |= CCM_STATE__ERROR; \ + return ret; + } + + for( i = 0; i < use_len; i++ ) + output[i] = input[i] ^ tmp_buf[offset + i]; + + return ret; +} + static void mbedtls_ccm_clear_state(mbedtls_ccm_context *ctx) { ctx->state = CCM_STATE__CLEAR; memset( ctx->b, 0, 16); @@ -359,7 +363,7 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, UPDATE_CBC_MAC; } - CTR_CRYPT( dst, src, use_len ); + mbedtls_ccm_crypt( ctx, 0, use_len, src, dst ); if( ctx->mode == CCM_DECRYPT ) { @@ -389,7 +393,6 @@ int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; - size_t olen; /* * Authentication: reset counter and crypt/mask internal tag @@ -397,7 +400,9 @@ int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, for( i = 0; i < ctx->q; i++ ) ctx->ctr[15-i] = 0; - CTR_CRYPT( ctx->y, ctx->y, 16 ); + ret = mbedtls_ccm_crypt( ctx, 0, 16, ctx->y, ctx->y ); + if( ret != 0 ) + return ret; memcpy( tag, ctx->y, tag_len ); mbedtls_ccm_clear_state(ctx); From 6a15bcf61be1e6691c9209a0ecc4a32f63e248ae Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 7 Jul 2021 13:41:30 +0200 Subject: [PATCH 07/52] Add support for chunked plaintext/cyphertext input. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 96 ++++++++++++++++++++++++++++----------------------- 1 file changed, 52 insertions(+), 44 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index ae5fa3425..4b1b499ad 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -333,59 +333,67 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; - size_t len_left, olen; - const unsigned char *src; - unsigned char *dst; + size_t use_len, offset, olen; if( output_size < input_len ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); CCM_VALIDATE_RET( output_length != NULL ); *output_len = input_len; - /* - * Authenticate and {en,de}crypt the message. - * - * The only difference between encryption and decryption is - * the respective order of authentication and {en,de}cryption. - */ - len_left = input_len; - src = input; - dst = output; - - while( len_left > 0 ) + if( ctx->processed == 0 ) { - size_t use_len = len_left > 16 ? 16 : len_left; - - if( ctx->mode == CCM_ENCRYPT ) - { - memset( ctx->b, 0, 16 ); - memcpy( ctx->b, src, use_len ); - UPDATE_CBC_MAC; - } - - mbedtls_ccm_crypt( ctx, 0, use_len, src, dst ); - - if( ctx->mode == CCM_DECRYPT ) - { - memset( ctx->b, 0, 16 ); - memcpy( ctx->b, dst, use_len ); - UPDATE_CBC_MAC; - } - - dst += use_len; - src += use_len; - len_left -= use_len; - - /* - * Increment counter. - * No need to check for overflow thanks to the length check above. - */ - for( i = 0; i < ctx->q; i++ ) - if( ++(ctx->ctr)[15-i] != 0 ) - break; + memset( ctx->b, 0, 16 ); } - return (0); + while ( input_len > 0 ) + { + offset = ctx->processed % 16; + + use_len = 16 - offset; + + if( use_len > input_len ) + use_len = input_len; + + ctx->processed += use_len; + memcpy( ctx->b + offset, input, use_len ); + + if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len ) + { + if( ctx->mode == CCM_ENCRYPT ) + { + UPDATE_CBC_MAC; + ret = mbedtls_ccm_crypt( ctx, 0, use_len, ctx->b, output ); + if( ret != 0 ) + return ret; + memset( ctx->b, 0, 16 ); + } + + if( ctx->mode == CCM_DECRYPT ) + { + ret = mbedtls_ccm_crypt( ctx, 0, use_len, ctx->b, output ); + if( ret != 0 ) + return ret; + memset( ctx->b, 0, 16 ); + memcpy( ctx->b, output, use_len ); + UPDATE_CBC_MAC; + memset( ctx->b, 0, 16 ); + } + + input_len -= use_len; + input += use_len; + output += use_len; + + /* + * Increment counter. + * No need to check for overflow thanks to the length check above. + */ + for( i = 0; i < ctx->q; i++ ) + if( ++(ctx->ctr)[15-i] != 0 ) + break; + } + } + + return 0; } int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, From 05e92d67bbe15f30c9ad74c123362e1701125dad Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Fri, 9 Jul 2021 12:44:07 +0200 Subject: [PATCH 08/52] Fix crypt mode configuration. Validate parameters in chunked input functions. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 107 ++++++++++++++++++++++++++++---------------------- 1 file changed, 60 insertions(+), 47 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 4b1b499ad..4f7ebfa82 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -52,8 +52,6 @@ #define CCM_VALIDATE( cond ) \ MBEDTLS_INTERNAL_VALIDATE( cond ) -#define CCM_ENCRYPT 0 -#define CCM_DECRYPT 1 /* * Initialize context @@ -174,6 +172,10 @@ static int mbedtls_ccm_calculate_first_block(mbedtls_ccm_context *ctx) if( !(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGHTS_SET) ) return 0; + if( ctx->tag_len == 0 && \ + ( ctx->mode == MBEDTLS_CCM_ENCRYPT || ctx->mode == MBEDTLS_CCM_DECRYPT ) ) + return( MBEDTLS_ERR_CCM_BAD_INPUT ); + /* * First block B_0: * 0 .. 0 flags @@ -210,6 +212,13 @@ int mbedtls_ccm_starts( mbedtls_ccm_context *ctx, const unsigned char *iv, size_t iv_len ) { + CCM_VALIDATE_RET( ctx != NULL ); + CCM_VALIDATE_RET( iv != NULL ); + CCM_VALIDATE_RET( mode == MBEDTLS_CCM_DECRYPT || \ + mode == MBEDTLS_CCM_STAR_DECRYPT || \ + mode == MBEDTLS_CCM_ENCRYPT || \ + mode == MBEDTLS_CCM_STAR_ENCRYPT ); + /* Also implies q is within bounds */ if( iv_len < 7 || iv_len > 13 ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); @@ -252,6 +261,8 @@ int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx, size_t plaintext_len, size_t tag_len ) { + CCM_VALIDATE_RET( ctx != NULL ); + /* * Check length requirements: SP800-38C A.1 * Additional requirement: a < 2^16 - 2^8 to simplify the code. @@ -283,6 +294,8 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, const unsigned char *add, size_t add_len ) { + CCM_VALIDATE_RET( ctx->add_len == 0 || add != NULL ); + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; size_t olen, use_len, offset; @@ -331,6 +344,9 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, unsigned char *output, size_t output_size, size_t *output_len ) { + CCM_VALIDATE_RET( ctx->plaintext_len == 0 || input != NULL ); + CCM_VALIDATE_RET( ctx->plaintext_len == 0 || output != NULL ); + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; size_t use_len, offset, olen; @@ -359,7 +375,8 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len ) { - if( ctx->mode == CCM_ENCRYPT ) + if( ctx->mode == MBEDTLS_CCM_ENCRYPT || \ + ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT ) { UPDATE_CBC_MAC; ret = mbedtls_ccm_crypt( ctx, 0, use_len, ctx->b, output ); @@ -368,7 +385,8 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, memset( ctx->b, 0, 16 ); } - if( ctx->mode == CCM_DECRYPT ) + if( ctx->mode == MBEDTLS_CCM_DECRYPT || \ + ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) { ret = mbedtls_ccm_crypt( ctx, 0, use_len, ctx->b, output ); if( ret != 0 ) @@ -402,6 +420,7 @@ int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; + CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); /* * Authentication: reset counter and crypt/mask internal tag */ @@ -457,13 +476,7 @@ int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, const unsigned char *input, unsigned char *output, unsigned char *tag, size_t tag_len ) { - CCM_VALIDATE_RET( ctx != NULL ); - CCM_VALIDATE_RET( iv != NULL ); - CCM_VALIDATE_RET( add_len == 0 || add != NULL ); - CCM_VALIDATE_RET( length == 0 || input != NULL ); - CCM_VALIDATE_RET( length == 0 || output != NULL ); - CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); - return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len, + return( ccm_auth_crypt( ctx, MBEDTLS_CCM_STAR_ENCRYPT, length, iv, iv_len, add, add_len, input, output, tag, tag_len ) ); } @@ -473,17 +486,25 @@ int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, const unsigned char *input, unsigned char *output, unsigned char *tag, size_t tag_len ) { - CCM_VALIDATE_RET( ctx != NULL ); - CCM_VALIDATE_RET( iv != NULL ); - CCM_VALIDATE_RET( add_len == 0 || add != NULL ); - CCM_VALIDATE_RET( length == 0 || input != NULL ); - CCM_VALIDATE_RET( length == 0 || output != NULL ); - CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); - if( tag_len == 0 ) - return( MBEDTLS_ERR_CCM_BAD_INPUT ); + return( ccm_auth_crypt( ctx, MBEDTLS_CCM_ENCRYPT, length, iv, iv_len, + add, add_len, input, output, tag, tag_len ) ); +} - return( mbedtls_ccm_star_encrypt_and_tag( ctx, length, iv, iv_len, add, - add_len, input, output, tag, tag_len ) ); +static int mbedtls_ccm_compare_tags(const unsigned char *tag1, const unsigned char *tag2, size_t tag_len) +{ + unsigned char i; + int diff; + + /* Check tag in "constant-time" */ + for( diff = 0, i = 0; i < tag_len; i++ ) + diff |= tag1[i] ^ tag2[i]; + + if( diff != 0 ) + { + return( MBEDTLS_ERR_CCM_AUTH_FAILED ); + } + + return( 0 ); } /* @@ -497,31 +518,18 @@ int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char check_tag[16]; - unsigned char i; - int diff; - CCM_VALIDATE_RET( ctx != NULL ); - CCM_VALIDATE_RET( iv != NULL ); - CCM_VALIDATE_RET( add_len == 0 || add != NULL ); - CCM_VALIDATE_RET( length == 0 || input != NULL ); - CCM_VALIDATE_RET( length == 0 || output != NULL ); - CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); - - if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length, + if( ( ret = ccm_auth_crypt( ctx, MBEDTLS_CCM_STAR_DECRYPT, length, iv, iv_len, add, add_len, input, output, check_tag, tag_len ) ) != 0 ) { return( ret ); } - /* Check tag in "constant-time" */ - for( diff = 0, i = 0; i < tag_len; i++ ) - diff |= tag[i] ^ check_tag[i]; - - if( diff != 0 ) + if( ( ret = mbedtls_ccm_compare_tags( tag, check_tag, tag_len ) ) != 0 ) { mbedtls_platform_zeroize( output, length ); - return( MBEDTLS_ERR_CCM_AUTH_FAILED ); + return( ret ); } return( 0 ); @@ -533,18 +541,23 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, const unsigned char *input, unsigned char *output, const unsigned char *tag, size_t tag_len ) { - CCM_VALIDATE_RET( ctx != NULL ); - CCM_VALIDATE_RET( iv != NULL ); - CCM_VALIDATE_RET( add_len == 0 || add != NULL ); - CCM_VALIDATE_RET( length == 0 || input != NULL ); - CCM_VALIDATE_RET( length == 0 || output != NULL ); - CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char check_tag[16]; - if( tag_len == 0 ) - return( MBEDTLS_ERR_CCM_BAD_INPUT ); + if( ( ret = ccm_auth_crypt( ctx, MBEDTLS_CCM_DECRYPT, length, + iv, iv_len, add, add_len, + input, output, check_tag, tag_len ) ) != 0 ) + { + return( ret ); + } - return( mbedtls_ccm_star_auth_decrypt( ctx, length, iv, iv_len, add, - add_len, input, output, tag, tag_len ) ); + if( ( ret = mbedtls_ccm_compare_tags( tag, check_tag, tag_len ) ) != 0 ) + { + mbedtls_platform_zeroize( output, length ); + return( ret ); + } + + return( 0 ); } #endif /* !MBEDTLS_CCM_ALT */ From 20bac2fbe4ac0e002f4e622634cd858925c258c7 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 12 Jul 2021 14:52:44 +0200 Subject: [PATCH 09/52] Fix chunked ccm update. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 71 ++++++++++++++++++++++++++++----------------------- 1 file changed, 39 insertions(+), 32 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 4f7ebfa82..5450e408c 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -373,42 +373,49 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, ctx->processed += use_len; memcpy( ctx->b + offset, input, use_len ); + if( ctx->mode == MBEDTLS_CCM_ENCRYPT || \ + ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT ) + { + if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len ) + { + UPDATE_CBC_MAC; + } + ret = mbedtls_ccm_crypt( ctx, offset, use_len, ctx->b + offset, output ); + if( ret != 0 ) + return ret; + } + + if( ctx->mode == MBEDTLS_CCM_DECRYPT || \ + ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) + { + ret = mbedtls_ccm_crypt( ctx, offset, use_len, ctx->b + offset, output ); + if( ret != 0 ) + return ret; + + for( i = 0; i < use_len; i++ ) + ctx->y[i + offset] ^= output[i]; + + if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len ) + { + if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 ) + { + ctx->state |= CCM_STATE__ERROR; + return( ret ); + } + } + } + if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len ) { - if( ctx->mode == MBEDTLS_CCM_ENCRYPT || \ - ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT ) - { - UPDATE_CBC_MAC; - ret = mbedtls_ccm_crypt( ctx, 0, use_len, ctx->b, output ); - if( ret != 0 ) - return ret; - memset( ctx->b, 0, 16 ); - } - - if( ctx->mode == MBEDTLS_CCM_DECRYPT || \ - ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) - { - ret = mbedtls_ccm_crypt( ctx, 0, use_len, ctx->b, output ); - if( ret != 0 ) - return ret; - memset( ctx->b, 0, 16 ); - memcpy( ctx->b, output, use_len ); - UPDATE_CBC_MAC; - memset( ctx->b, 0, 16 ); - } - - input_len -= use_len; - input += use_len; - output += use_len; - - /* - * Increment counter. - * No need to check for overflow thanks to the length check above. - */ for( i = 0; i < ctx->q; i++ ) - if( ++(ctx->ctr)[15-i] != 0 ) - break; + if( ++(ctx->ctr)[15-i] != 0 ) + break; + memset( ctx->b, 0, 16 ); } + + input_len -= use_len; + input += use_len; + output += use_len; } return 0; From 25a3dfe7dd3ba598b79e70d1d407081810dec8a1 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 12 Jul 2021 14:53:45 +0200 Subject: [PATCH 10/52] Add multipart tests for ccm suite. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.function | 114 +++++++++++++++++++++++++-- 1 file changed, 108 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 840583c5c..77ecf689b 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -1,5 +1,64 @@ /* BEGIN_HEADER */ #include "mbedtls/ccm.h" + +/* Use the multipart interface to process the encrypted data in two parts + * and check that the output matches the expected output. + * The context must have been set up with the key. */ +static int check_multipart( mbedtls_ccm_context *ctx, + int mode, + const data_t *iv, + const data_t *add, + const data_t *input, + const data_t *expected_output, + const data_t *tag, + size_t n1, + size_t n1_add) +{ + int ok = 0; + uint8_t *output = NULL; + size_t n2 = input->len - n1; + size_t n2_add = add->len - n1_add; + size_t olen; + + /* Sanity checks on the test data */ + TEST_ASSERT( n1 <= input->len ); + TEST_ASSERT( n1_add <= add->len ); + TEST_EQUAL( input->len, expected_output->len ); + TEST_EQUAL( 0, mbedtls_ccm_starts( ctx, mode, iv->x, iv->len ) ); + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( ctx, add->len, input->len, tag->len ) ); + TEST_EQUAL( 0, mbedtls_ccm_update_ad( ctx, add->x, n1_add) ); + TEST_EQUAL( 0, mbedtls_ccm_update_ad( ctx, add->x + n1_add, n2_add ) ); + + /* Allocate a tight buffer for each update call. This way, if the function + * tries to write beyond the advertised required buffer size, this will + * count as an overflow for memory sanitizers and static checkers. */ + ASSERT_ALLOC( output, n1 ); + olen = 0xdeadbeef; + TEST_EQUAL( 0, mbedtls_ccm_update( ctx, input->x, n1, output, n1, &olen ) ); + TEST_EQUAL( n1, olen ); + ASSERT_COMPARE( output, olen, expected_output->x, n1 ); + mbedtls_free( output ); + output = NULL; + + ASSERT_ALLOC( output, n2 ); + olen = 0xdeadbeef; + TEST_EQUAL( 0, mbedtls_ccm_update( ctx, input->x + n1, n2, output, n2, &olen ) ); + TEST_EQUAL( n2, olen ); + ASSERT_COMPARE( output, olen, expected_output->x + n1, n2 ); + mbedtls_free( output ); + output = NULL; + + ASSERT_ALLOC( output, tag->len ); + TEST_EQUAL( 0, mbedtls_ccm_finish( ctx, output, tag->len ) ); + ASSERT_COMPARE( output, tag->len, tag->x, tag->len ); + mbedtls_free( output ); + output = NULL; + + ok = 1; +exit: + mbedtls_free( output ); + return( ok ); +} /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -123,6 +182,7 @@ void mbedtls_ccm_encrypt_and_tag( int cipher_id, data_t * key, { mbedtls_ccm_context ctx; size_t tag_len; + size_t n1, n1_add; uint8_t * msg_n_tag = (uint8_t *)malloc( result->len + 2 ); mbedtls_ccm_init( &ctx ); @@ -143,6 +203,25 @@ void mbedtls_ccm_encrypt_and_tag( int cipher_id, data_t * key, /* Check we didn't write past the end */ TEST_ASSERT( msg_n_tag[result->len] == 0 && msg_n_tag[result->len + 1] == 0 ); + const data_t encrypted_expected = { .x = result->x, + .len = msg->len }; + const data_t tag_expected = { .x = result->x + msg->len, + .len = tag_len }; + + for( n1 = 0; n1 <= msg->len; n1 += 1 ) + { + for( n1_add = 0; n1_add <= add->len; n1_add += 1 ) + { + mbedtls_test_set_step( n1 * 10000 + n1_add ); + if( !check_multipart( &ctx, MBEDTLS_CCM_ENCRYPT, + iv, add, msg, + &encrypted_expected, + &tag_expected, + n1, n1_add ) ) + goto exit; + } + } + exit: mbedtls_ccm_free( &ctx ); free( msg_n_tag ); @@ -157,6 +236,7 @@ void mbedtls_ccm_auth_decrypt( int cipher_id, data_t * key, { unsigned char tag[16]; mbedtls_ccm_context ctx; + size_t n1, n1_add; mbedtls_ccm_init( &ctx ); @@ -165,28 +245,50 @@ void mbedtls_ccm_auth_decrypt( int cipher_id, data_t * key, msg->len -= tag_len; memcpy( tag, msg->x + msg->len, tag_len ); + uint8_t * io_msg = (uint8_t *)malloc( msg->len + 2 ); + memset( io_msg, 0, msg->len + 2 ); + memcpy( io_msg, msg->x, msg->len ); + TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ) == 0 ); /* Test with input == output */ TEST_ASSERT( mbedtls_ccm_auth_decrypt( &ctx, msg->len, iv->x, iv->len, add->x, add->len, - msg->x, msg->x, msg->x + msg->len, tag_len ) == result ); + io_msg, io_msg, tag, tag_len ) == result ); + + /* Check we didn't write past the end */ + TEST_ASSERT( io_msg[msg->len] == 0 && io_msg[msg->len + 1] == 0 ); if( result == 0 ) { - TEST_ASSERT( memcmp( msg->x, expected_msg->x, expected_msg->len ) == 0 ); + TEST_ASSERT( memcmp( io_msg, expected_msg->x, expected_msg->len ) == 0 ); + + const data_t tag_expected = { .x = tag, + .len = tag_len }; + + for( n1 = 0; n1 <= msg->len; n1 += 1 ) + { + for( n1_add = 0; n1_add <= add->len; n1_add += 1 ) + { + mbedtls_test_set_step( n1 * 10000 + n1_add ); + if( !check_multipart( &ctx, MBEDTLS_CCM_DECRYPT, + iv, add, msg, + expected_msg, + &tag_expected, + n1, n1_add ) ) + goto exit; + } + } } else { size_t i; for( i = 0; i < msg->len; i++ ) - TEST_ASSERT( msg->x[i] == 0 ); + TEST_ASSERT( io_msg[i] == 0 ); } - /* Check we didn't write past the end (where the original tag is) */ - TEST_ASSERT( memcmp( msg->x + msg->len, tag, tag_len ) == 0 ); - exit: + free(io_msg); mbedtls_ccm_free( &ctx ); } /* END_CASE */ From 663055f78464a27f9470ed04142eb975554cf4ec Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 12 Jul 2021 19:13:52 +0200 Subject: [PATCH 11/52] Remove UPDATE_CBC macro and working b buffer. Signed-off-by: Mateusz Starzyk --- include/mbedtls/ccm.h | 1 - library/ccm.c | 74 +++++++++++++++++++------------------------ 2 files changed, 33 insertions(+), 42 deletions(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index 813959be0..72dfd3d6c 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -77,7 +77,6 @@ extern "C" { typedef struct mbedtls_ccm_context { mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ - unsigned char MBEDTLS_PRIVATE(b)[16]; /*!< The B working buffer */ unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working buffer */ unsigned char MBEDTLS_PRIVATE(ctr)[16]; /*!< The counter buffer */ unsigned char MBEDTLS_PRIVATE(q); /*!< The Q working value */ diff --git a/library/ccm.c b/library/ccm.c index 5450e408c..399a936e9 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -106,22 +106,6 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) ); } -/* - * Update the CBC-MAC state in y using a block in b - * (Always using b as the source helps the compiler optimise a bit better.) - * - * Macro results in smaller compiled code than static inline functions. - */ -#define UPDATE_CBC_MAC \ - for( i = 0; i < 16; i++ ) \ - ctx->y[i] ^= ctx->b[i]; \ - \ - if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 ) \ - { \ - ctx->state |= CCM_STATE__ERROR; \ - return( ret ); \ - } \ - #define CCM_STATE__CLEAR 0 #define CCM_STATE__STARTED 0x0001 #define CCM_STATE__LENGHTS_SET 0x0002 @@ -155,7 +139,6 @@ static int mbedtls_ccm_crypt( mbedtls_ccm_context *ctx, static void mbedtls_ccm_clear_state(mbedtls_ccm_context *ctx) { ctx->state = CCM_STATE__CLEAR; - memset( ctx->b, 0, 16); memset( ctx->y, 0, 16); memset( ctx->ctr, 0, 16); } @@ -177,7 +160,7 @@ static int mbedtls_ccm_calculate_first_block(mbedtls_ccm_context *ctx) return( MBEDTLS_ERR_CCM_BAD_INPUT ); /* - * First block B_0: + * First block: * 0 .. 0 flags * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts() * iv_len+1 .. 15 length @@ -188,12 +171,12 @@ static int mbedtls_ccm_calculate_first_block(mbedtls_ccm_context *ctx) * 5 .. 3 (t - 2) / 2 * 2 .. 0 q - 1 */ - ctx->b[0] |= ( ctx->add_len > 0 ) << 6; - ctx->b[0] |= ( ( ctx->tag_len - 2 ) / 2 ) << 3; - ctx->b[0] |= ctx->q - 1; + ctx->y[0] |= ( ctx->add_len > 0 ) << 6; + ctx->y[0] |= ( ( ctx->tag_len - 2 ) / 2 ) << 3; + ctx->y[0] |= ctx->q - 1; for( i = 0, len_left = ctx->plaintext_len; i < ctx->q; i++, len_left >>= 8 ) - ctx->b[15-i] = (unsigned char)( len_left & 0xFF ); + ctx->y[15-i] = (unsigned char)( len_left & 0xFF ); if( len_left > 0 ) { @@ -202,7 +185,11 @@ static int mbedtls_ccm_calculate_first_block(mbedtls_ccm_context *ctx) } /* Start CBC-MAC with first block*/ - UPDATE_CBC_MAC; + if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 ) + { + ctx->state |= CCM_STATE__ERROR; + return( ret ); + } return (0); } @@ -248,9 +235,9 @@ int mbedtls_ccm_starts( mbedtls_ccm_context *ctx, ctx->ctr[15] = 1; /* - * See mbedtls_ccm_calculate_first_block() for B block layout description + * See mbedtls_ccm_calculate_first_block() for block layout description */ - memcpy( ctx->b + 1, iv, iv_len ); + memcpy( ctx->y + 1, iv, iv_len ); ctx->state |= CCM_STATE__STARTED; return mbedtls_ccm_calculate_first_block(ctx); @@ -304,9 +291,8 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, { if( ctx->processed == 0 ) { - memset( ctx->b, 0, 16 ); - ctx->b[0] = (unsigned char)( ( ctx->add_len >> 8 ) & 0xFF ); - ctx->b[1] = (unsigned char)( ( ctx->add_len ) & 0xFF ); + ctx->y[0] ^= (unsigned char)( ( ctx->add_len >> 8 ) & 0xFF ); + ctx->y[1] ^= (unsigned char)( ( ctx->add_len ) & 0xFF ); ctx->processed += 2; } @@ -320,15 +306,20 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, if( use_len > add_len ) use_len = add_len; - memcpy( ctx->b + offset, add, use_len ); + for( i = 0; i < use_len; i++ ) + ctx->y[i + offset] ^= add[i]; + ctx->processed += use_len; add_len -= use_len; add += use_len; if( use_len + offset == 16 || ctx->processed - 2 == ctx->add_len ) { - UPDATE_CBC_MAC; - memset( ctx->b, 0, 16 ); + if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 ) + { + ctx->state |= CCM_STATE__ERROR; + return( ret ); + } } } } @@ -356,11 +347,6 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, CCM_VALIDATE_RET( output_length != NULL ); *output_len = input_len; - if( ctx->processed == 0 ) - { - memset( ctx->b, 0, 16 ); - } - while ( input_len > 0 ) { offset = ctx->processed % 16; @@ -371,16 +357,23 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, use_len = input_len; ctx->processed += use_len; - memcpy( ctx->b + offset, input, use_len ); if( ctx->mode == MBEDTLS_CCM_ENCRYPT || \ ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT ) { + for( i = 0; i < use_len; i++ ) + ctx->y[i + offset] ^= input[i]; + if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len ) { - UPDATE_CBC_MAC; + if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 ) + { + ctx->state |= CCM_STATE__ERROR; + return( ret ); + } } - ret = mbedtls_ccm_crypt( ctx, offset, use_len, ctx->b + offset, output ); + + ret = mbedtls_ccm_crypt( ctx, offset, use_len, input, output ); if( ret != 0 ) return ret; } @@ -388,7 +381,7 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, if( ctx->mode == MBEDTLS_CCM_DECRYPT || \ ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) { - ret = mbedtls_ccm_crypt( ctx, offset, use_len, ctx->b + offset, output ); + ret = mbedtls_ccm_crypt( ctx, offset, use_len, input, output ); if( ret != 0 ) return ret; @@ -410,7 +403,6 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, for( i = 0; i < ctx->q; i++ ) if( ++(ctx->ctr)[15-i] != 0 ) break; - memset( ctx->b, 0, 16 ); } input_len -= use_len; From 29ec75b34e9f34aac91524308966b0631f9c05b5 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 13 Jul 2021 12:26:17 +0200 Subject: [PATCH 12/52] Add multipart testing to CCM* tests. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.function | 52 ++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 77ecf689b..72c707ea0 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -304,6 +304,7 @@ void mbedtls_ccm_star_encrypt_and_tag( int cipher_id, unsigned char result[50]; mbedtls_ccm_context ctx; size_t iv_len, tag_len; + size_t n1, n1_add; int ret; mbedtls_ccm_init( &ctx ); @@ -338,6 +339,31 @@ void mbedtls_ccm_star_encrypt_and_tag( int cipher_id, TEST_ASSERT( result[expected_result->len] == 0 && result[expected_result->len + 1] == 0 ); + if( ret == 0 ) + { + const data_t iv_data = { .x = iv, + .len = iv_len }; + + const data_t encrypted_expected = { .x = expected_result->x, + .len = msg->len }; + const data_t tag_expected = { .x = expected_result->x + msg->len, + .len = tag_len }; + + for( n1 = 0; n1 <= msg->len; n1 += 1 ) + { + for( n1_add = 0; n1_add <= add->len; n1_add += 1 ) + { + mbedtls_test_set_step( n1 * 10000 + n1_add ); + if( !check_multipart( &ctx, MBEDTLS_CCM_STAR_ENCRYPT, + &iv_data, add, msg, + &encrypted_expected, + &tag_expected, + n1, n1_add ) ) + goto exit; + } + } + } + exit: mbedtls_ccm_free( &ctx ); } @@ -354,6 +380,7 @@ void mbedtls_ccm_star_auth_decrypt( int cipher_id, unsigned char result[50]; mbedtls_ccm_context ctx; size_t iv_len, tag_len; + size_t n1, n1_add; int ret; mbedtls_ccm_init( &ctx ); @@ -389,6 +416,31 @@ void mbedtls_ccm_star_auth_decrypt( int cipher_id, TEST_EQUAL( result[msg->len], '+' ); TEST_EQUAL( result[msg->len + 1], '+' ); + if( ret == 0 ) + { + msg->len -= tag_len; + + const data_t iv_data = { .x = iv, + .len = iv_len }; + + const data_t tag_expected = { .x = msg->x + msg->len, + .len = tag_len }; + + for( n1 = 0; n1 <= msg->len; n1 += 1 ) + { + for( n1_add = 0; n1_add <= add->len; n1_add += 1 ) + { + mbedtls_test_set_step( n1 * 10000 + n1_add ); + if( !check_multipart( &ctx, MBEDTLS_CCM_STAR_DECRYPT, + &iv_data, add, msg, + expected_result, + &tag_expected, + n1, n1_add ) ) + goto exit; + } + } + } + exit: mbedtls_ccm_free( &ctx ); } From 27a1bef89d6b238473751f48a66335a7d2850aad Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 13 Jul 2021 15:33:19 +0200 Subject: [PATCH 13/52] Tidy up test functions. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.function | 216 ++++++++++++++------------- 1 file changed, 114 insertions(+), 102 deletions(-) diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 72c707ea0..25cc49b8d 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -48,7 +48,10 @@ static int check_multipart( mbedtls_ccm_context *ctx, mbedtls_free( output ); output = NULL; - ASSERT_ALLOC( output, tag->len ); + if( tag->len == 0 ) + ASSERT_ALLOC( output, 16 ); + else + ASSERT_ALLOC( output, tag->len ); TEST_EQUAL( 0, mbedtls_ccm_finish( ctx, output, tag->len ) ); ASSERT_COMPARE( output, tag->len, tag->x, tag->len ); mbedtls_free( output ); @@ -181,32 +184,34 @@ void mbedtls_ccm_encrypt_and_tag( int cipher_id, data_t * key, data_t * add, data_t * result ) { mbedtls_ccm_context ctx; - size_t tag_len; size_t n1, n1_add; - uint8_t * msg_n_tag = (uint8_t *)malloc( result->len + 2 ); + uint8_t* io_msg_buf = NULL; + uint8_t* tag_buf = NULL; + const size_t expected_tag_len = result->len - msg->len; + const uint8_t* expected_tag = result->x + msg->len; + + /* Prepare input/output message buffer */ + ASSERT_ALLOC( io_msg_buf, msg->len ); + if( msg->len != 0 ) + memcpy( io_msg_buf, msg->x, msg->len ); + + /* Prepare tag buffer */ + ASSERT_ALLOC( tag_buf, expected_tag_len ); mbedtls_ccm_init( &ctx ); - - memset( msg_n_tag, 0, result->len + 2 ); - memcpy( msg_n_tag, msg->x, msg->len ); - - tag_len = result->len - msg->len; - - TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ) == 0 ); - + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); /* Test with input == output */ - TEST_ASSERT( mbedtls_ccm_encrypt_and_tag( &ctx, msg->len, iv->x, iv->len, add->x, add->len, - msg_n_tag, msg_n_tag, msg_n_tag + msg->len, tag_len ) == 0 ); + TEST_EQUAL( mbedtls_ccm_encrypt_and_tag( &ctx, msg->len, iv->x, iv->len, add->x, add->len, + io_msg_buf, io_msg_buf, tag_buf, expected_tag_len ), 0); - TEST_ASSERT( memcmp( msg_n_tag, result->x, result->len ) == 0 ); - - /* Check we didn't write past the end */ - TEST_ASSERT( msg_n_tag[result->len] == 0 && msg_n_tag[result->len + 1] == 0 ); + ASSERT_COMPARE( io_msg_buf, msg->len, result->x, msg->len ); + ASSERT_COMPARE( tag_buf, expected_tag_len, expected_tag, expected_tag_len ); + /* Prepare data_t structers for multipart testing */ const data_t encrypted_expected = { .x = result->x, .len = msg->len }; - const data_t tag_expected = { .x = result->x + msg->len, - .len = tag_len }; + const data_t tag_expected = { .x = (uint8_t*) expected_tag, /* cast to conform with data_t x type */ + .len = expected_tag_len }; for( n1 = 0; n1 <= msg->len; n1 += 1 ) { @@ -224,54 +229,53 @@ void mbedtls_ccm_encrypt_and_tag( int cipher_id, data_t * key, exit: mbedtls_ccm_free( &ctx ); - free( msg_n_tag ); + mbedtls_free( io_msg_buf ); + mbedtls_free( tag_buf ); } /* END_CASE */ /* BEGIN_CASE */ void mbedtls_ccm_auth_decrypt( int cipher_id, data_t * key, data_t * msg, data_t * iv, - data_t * add, int tag_len, int result, + data_t * add, int expected_tag_len, int result, data_t * expected_msg ) { - unsigned char tag[16]; mbedtls_ccm_context ctx; size_t n1, n1_add; + const size_t expected_msg_len = msg->len - expected_tag_len; + const uint8_t* expected_tag = msg->x + expected_msg_len; + + /* Prepare input/output message buffer */ + uint8_t* io_msg_buf = NULL; + ASSERT_ALLOC( io_msg_buf, expected_msg_len ); + if( expected_msg_len ) + memcpy( io_msg_buf, msg->x, expected_msg_len ); + mbedtls_ccm_init( &ctx ); - - memset( tag, 0x00, sizeof( tag ) ); - - msg->len -= tag_len; - memcpy( tag, msg->x + msg->len, tag_len ); - - uint8_t * io_msg = (uint8_t *)malloc( msg->len + 2 ); - memset( io_msg, 0, msg->len + 2 ); - memcpy( io_msg, msg->x, msg->len ); - - TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ) == 0 ); - + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); /* Test with input == output */ - TEST_ASSERT( mbedtls_ccm_auth_decrypt( &ctx, msg->len, iv->x, iv->len, add->x, add->len, - io_msg, io_msg, tag, tag_len ) == result ); - - /* Check we didn't write past the end */ - TEST_ASSERT( io_msg[msg->len] == 0 && io_msg[msg->len + 1] == 0 ); + TEST_EQUAL( mbedtls_ccm_auth_decrypt( &ctx, expected_msg_len, iv->x, iv->len, add->x, add->len, + io_msg_buf, io_msg_buf, expected_tag, expected_tag_len ), result ); if( result == 0 ) { - TEST_ASSERT( memcmp( io_msg, expected_msg->x, expected_msg->len ) == 0 ); + ASSERT_COMPARE( io_msg_buf, expected_msg_len, expected_msg->x, expected_msg_len ); - const data_t tag_expected = { .x = tag, - .len = tag_len }; + /* Prepare data_t structers for multipart testing */ + const data_t encrypted = { .x = msg->x, + .len = expected_msg_len }; - for( n1 = 0; n1 <= msg->len; n1 += 1 ) + const data_t tag_expected = { .x = (uint8_t*) expected_tag, + .len = expected_tag_len }; + + for( n1 = 0; n1 <= expected_msg_len; n1 += 1 ) { for( n1_add = 0; n1_add <= add->len; n1_add += 1 ) { mbedtls_test_set_step( n1 * 10000 + n1_add ); if( !check_multipart( &ctx, MBEDTLS_CCM_DECRYPT, - iv, add, msg, + iv, add, &encrypted, expected_msg, &tag_expected, n1, n1_add ) ) @@ -283,12 +287,12 @@ void mbedtls_ccm_auth_decrypt( int cipher_id, data_t * key, { size_t i; - for( i = 0; i < msg->len; i++ ) - TEST_ASSERT( io_msg[i] == 0 ); + for( i = 0; i < expected_msg_len; i++ ) + TEST_EQUAL( io_msg_buf[i], 0 ); } exit: - free(io_msg); + mbedtls_free(io_msg_buf); mbedtls_ccm_free( &ctx ); } /* END_CASE */ @@ -301,21 +305,32 @@ void mbedtls_ccm_star_encrypt_and_tag( int cipher_id, data_t *expected_result, int output_ret ) { unsigned char iv[13]; - unsigned char result[50]; mbedtls_ccm_context ctx; - size_t iv_len, tag_len; + size_t iv_len, expected_tag_len; size_t n1, n1_add; - int ret; + uint8_t* io_msg_buf = NULL; + uint8_t* tag_buf = NULL; - mbedtls_ccm_init( &ctx ); - - memset( result, 0x00, sizeof( result ) ); + const uint8_t* expected_tag = expected_result->x + msg->len; + /* Calculate tag length */ if( sec_level % 4 == 0) - tag_len = 0; + expected_tag_len = 0; else - tag_len = 1 << ( sec_level % 4 + 1); + expected_tag_len = 1 << ( sec_level % 4 + 1); + /* Prepare input/output message buffer */ + ASSERT_ALLOC( io_msg_buf, msg->len ); + if( msg->len ) + memcpy( io_msg_buf, msg->x, msg->len ); + + /* Prepare tag buffer */ + if( expected_tag_len == 0 ) + ASSERT_ALLOC( tag_buf, 16 ); + else + ASSERT_ALLOC( tag_buf, expected_tag_len ); + + /* Calculate iv */ TEST_ASSERT( source_address->len == 8 ); TEST_ASSERT( frame_counter->len == 4 ); memcpy( iv, source_address->x, source_address->len ); @@ -323,31 +338,26 @@ void mbedtls_ccm_star_encrypt_and_tag( int cipher_id, iv[source_address->len + frame_counter->len] = sec_level; iv_len = sizeof( iv ); - TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, - key->x, key->len * 8 ) == 0 ); + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, + key->x, key->len * 8 ), 0 ); + /* Test with input == output */ + TEST_EQUAL( mbedtls_ccm_star_encrypt_and_tag( &ctx, msg->len, iv, iv_len, + add->x, add->len, io_msg_buf, + io_msg_buf, tag_buf, expected_tag_len), output_ret ); - ret = mbedtls_ccm_star_encrypt_and_tag( &ctx, msg->len, iv, iv_len, - add->x, add->len, msg->x, - result, result + msg->len, tag_len ); + ASSERT_COMPARE( io_msg_buf, msg->len, expected_result->x, msg->len ); + ASSERT_COMPARE( tag_buf, expected_tag_len, expected_tag, expected_tag_len ); - TEST_ASSERT( ret == output_ret ); - - TEST_ASSERT( memcmp( result, - expected_result->x, expected_result->len ) == 0 ); - - /* Check we didn't write past the end */ - TEST_ASSERT( result[expected_result->len] == 0 && - result[expected_result->len + 1] == 0 ); - - if( ret == 0 ) + if( output_ret == 0 ) { const data_t iv_data = { .x = iv, .len = iv_len }; const data_t encrypted_expected = { .x = expected_result->x, .len = msg->len }; - const data_t tag_expected = { .x = expected_result->x + msg->len, - .len = tag_len }; + const data_t tag_expected = { .x = (uint8_t*)expected_tag, + .len = expected_tag_len }; for( n1 = 0; n1 <= msg->len; n1 += 1 ) { @@ -366,6 +376,8 @@ void mbedtls_ccm_star_encrypt_and_tag( int cipher_id, exit: mbedtls_ccm_free( &ctx ); + mbedtls_free( io_msg_buf ); + mbedtls_free( tag_buf ); } /* END_CASE */ @@ -377,22 +389,27 @@ void mbedtls_ccm_star_auth_decrypt( int cipher_id, data_t *expected_result, int output_ret ) { unsigned char iv[13]; - unsigned char result[50]; mbedtls_ccm_context ctx; - size_t iv_len, tag_len; + size_t iv_len, expected_tag_len; size_t n1, n1_add; - int ret; - - mbedtls_ccm_init( &ctx ); - - memset( iv, 0x00, sizeof( iv ) ); - memset( result, '+', sizeof( result ) ); + /* Calculate tag length */ if( sec_level % 4 == 0) - tag_len = 0; + expected_tag_len = 0; else - tag_len = 1 << ( sec_level % 4 + 1); + expected_tag_len = 1 << ( sec_level % 4 + 1); + const size_t expected_msg_len = msg->len - expected_tag_len; + const uint8_t* expected_tag = msg->x + expected_msg_len; + + /* Prepare input/output message buffer */ + uint8_t* io_msg_buf = NULL; + ASSERT_ALLOC( io_msg_buf, expected_msg_len ); + if( expected_msg_len ) + memcpy( io_msg_buf, msg->x, expected_msg_len ); + + /* Calculate iv */ + memset( iv, 0x00, sizeof( iv ) ); TEST_ASSERT( source_address->len == 8 ); TEST_ASSERT( frame_counter->len == 4 ); memcpy( iv, source_address->x, source_address->len ); @@ -400,39 +417,33 @@ void mbedtls_ccm_star_auth_decrypt( int cipher_id, iv[source_address->len + frame_counter->len] = sec_level; iv_len = sizeof( iv ); + mbedtls_ccm_init( &ctx ); TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ) == 0 ); + /* Test with input == output */ + TEST_EQUAL( mbedtls_ccm_star_auth_decrypt( &ctx, expected_msg_len, iv, iv_len, + add->x, add->len, io_msg_buf, io_msg_buf, + expected_tag, expected_tag_len ), output_ret ); - ret = mbedtls_ccm_star_auth_decrypt( &ctx, msg->len - tag_len, iv, iv_len, - add->x, add->len, msg->x, result, - msg->x + msg->len - tag_len, tag_len ); + ASSERT_COMPARE( io_msg_buf, expected_msg_len, expected_result->x, expected_msg_len ); - TEST_ASSERT( ret == output_ret ); - - TEST_ASSERT( memcmp( result, expected_result->x, - expected_result->len ) == 0 ); - - /* Check we didn't write past the end (where the original tag is) */ - TEST_ASSERT( ( msg->len + 2 ) <= sizeof( result ) ); - TEST_EQUAL( result[msg->len], '+' ); - TEST_EQUAL( result[msg->len + 1], '+' ); - - if( ret == 0 ) + if( output_ret == 0 ) { - msg->len -= tag_len; - const data_t iv_data = { .x = iv, .len = iv_len }; - const data_t tag_expected = { .x = msg->x + msg->len, - .len = tag_len }; + const data_t encrypted = { .x = msg->x, + .len = expected_msg_len} ; - for( n1 = 0; n1 <= msg->len; n1 += 1 ) + const data_t tag_expected = { .x = (uint8_t*) expected_tag, + .len = expected_tag_len }; + + for( n1 = 0; n1 <= expected_msg_len; n1 += 1 ) { for( n1_add = 0; n1_add <= add->len; n1_add += 1 ) { mbedtls_test_set_step( n1 * 10000 + n1_add ); if( !check_multipart( &ctx, MBEDTLS_CCM_STAR_DECRYPT, - &iv_data, add, msg, + &iv_data, add, &encrypted, expected_result, &tag_expected, n1, n1_add ) ) @@ -443,5 +454,6 @@ void mbedtls_ccm_star_auth_decrypt( int cipher_id, exit: mbedtls_ccm_free( &ctx ); + mbedtls_free( io_msg_buf ); } /* END_CASE */ From de7a83da0d571e97364dbf9fd3571d1fd316a2a0 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 14 Jul 2021 12:39:14 +0200 Subject: [PATCH 14/52] Add changelog for chunked CCM implementation. Signed-off-by: Mateusz Starzyk --- ChangeLog.d/chunked_ccm.txt | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 ChangeLog.d/chunked_ccm.txt diff --git a/ChangeLog.d/chunked_ccm.txt b/ChangeLog.d/chunked_ccm.txt new file mode 100644 index 000000000..4e3065f90 --- /dev/null +++ b/ChangeLog.d/chunked_ccm.txt @@ -0,0 +1,8 @@ +Changes + * Implement multi-part CCM API. + The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(), + mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish() + were introduced in mbedTLS 3.0 release, however their implementation was + postponed util now. + Implemented functions support chunked data input for both CCM and CCM* + algorithms. From 4df9ac4882b467c2bd06eec87c144cf024c0f0af Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 27 Jul 2021 13:47:23 +0200 Subject: [PATCH 15/52] Reorganize ccm context structure. Signed-off-by: Mateusz Starzyk --- include/mbedtls/ccm.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index 72dfd3d6c..c903e68fd 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -76,19 +76,19 @@ extern "C" { */ typedef struct mbedtls_ccm_context { - mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working buffer */ unsigned char MBEDTLS_PRIVATE(ctr)[16]; /*!< The counter buffer */ - unsigned char MBEDTLS_PRIVATE(q); /*!< The Q working value */ + mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ size_t MBEDTLS_PRIVATE(plaintext_len); /*!< Total plaintext length */ size_t MBEDTLS_PRIVATE(add_len); /*!< Total authentication data length */ size_t MBEDTLS_PRIVATE(tag_len); /*!< Total tag length */ size_t MBEDTLS_PRIVATE(processed); /*!< How many bytes of input data were processed (chunked input) */ - int MBEDTLS_PRIVATE(mode); /*!< The operation to perform: - #MBEDTLS_CCM_ENCRYPT or - #MBEDTLS_CCM_DECRYPT or - #MBEDTLS_CCM_STAR_ENCRYPT or - #MBEDTLS_CCM_STAR_DECRYPT. */ + unsigned char MBEDTLS_PRIVATE(q); /*!< The Q working value */ + unsigned char MBEDTLS_PRIVATE(mode); /*!< The operation to perform: + #MBEDTLS_CCM_ENCRYPT or + #MBEDTLS_CCM_DECRYPT or + #MBEDTLS_CCM_STAR_ENCRYPT or + #MBEDTLS_CCM_STAR_DECRYPT. */ int MBEDTLS_PRIVATE(state); /*!< Working value holding context's state. Used for chunked data input */ From a9cbdfbb349a3bed44ad7241472e938e944278f5 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 27 Jul 2021 13:49:54 +0200 Subject: [PATCH 16/52] Replace ccm status flags with bitshifts. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 399a936e9..be1671c04 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -107,9 +107,9 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) } #define CCM_STATE__CLEAR 0 -#define CCM_STATE__STARTED 0x0001 -#define CCM_STATE__LENGHTS_SET 0x0002 -#define CCM_STATE__ERROR 0x0004 +#define CCM_STATE__STARTED (1 << 0) +#define CCM_STATE__LENGHTS_SET (1 << 1) +#define CCM_STATE__ERROR (1 << 2) /* * Encrypt or decrypt a partial block with CTR From c52220d775aba3a30a1a64035aacb448cb6e58d3 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 27 Jul 2021 13:54:55 +0200 Subject: [PATCH 17/52] Clear temporary buffer after block crypt operation. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/ccm.c b/library/ccm.c index be1671c04..425872dc3 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -127,13 +127,15 @@ static int mbedtls_ccm_crypt( mbedtls_ccm_context *ctx, if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->ctr, 16, tmp_buf, &olen ) ) != 0 ) { - ctx->state |= CCM_STATE__ERROR; \ + ctx->state |= CCM_STATE__ERROR; + mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf)); return ret; } for( i = 0; i < use_len; i++ ) output[i] = input[i] ^ tmp_buf[offset + i]; + mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf)); return ret; } From ca9dc8d1d742b5e5f193c5b8f70709fe3c043ee4 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 27 Jul 2021 14:03:53 +0200 Subject: [PATCH 18/52] Rename ccm_calculate_first_block function. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 425872dc3..d8c65b552 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -145,7 +145,7 @@ static void mbedtls_ccm_clear_state(mbedtls_ccm_context *ctx) { memset( ctx->ctr, 0, 16); } -static int mbedtls_ccm_calculate_first_block(mbedtls_ccm_context *ctx) +static int ccm_calculate_first_block_if_ready(mbedtls_ccm_context *ctx) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; @@ -237,12 +237,12 @@ int mbedtls_ccm_starts( mbedtls_ccm_context *ctx, ctx->ctr[15] = 1; /* - * See mbedtls_ccm_calculate_first_block() for block layout description + * See ccm_calculate_first_block_if_ready() for block layout description */ memcpy( ctx->y + 1, iv, iv_len ); ctx->state |= CCM_STATE__STARTED; - return mbedtls_ccm_calculate_first_block(ctx); + return ccm_calculate_first_block_if_ready(ctx); } int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx, @@ -276,7 +276,7 @@ int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx, ctx->processed = 0; ctx->state |= CCM_STATE__LENGHTS_SET; - return mbedtls_ccm_calculate_first_block(ctx); + return ccm_calculate_first_block_if_ready(ctx); } int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, From 5d97601e81af90dc92bc9577d2515f7849a25837 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 27 Jul 2021 14:12:30 +0200 Subject: [PATCH 19/52] Remove ccm input validation. VALIDATE and VALIDATE_RET macros are obsolete. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 25 ------------------------- 1 file changed, 25 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index d8c65b552..80a795fc1 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -47,18 +47,12 @@ #if !defined(MBEDTLS_CCM_ALT) -#define CCM_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT ) -#define CCM_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - /* * Initialize context */ void mbedtls_ccm_init( mbedtls_ccm_context *ctx ) { - CCM_VALIDATE( ctx != NULL ); memset( ctx, 0, sizeof( mbedtls_ccm_context ) ); } @@ -70,9 +64,6 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const mbedtls_cipher_info_t *cipher_info; - CCM_VALIDATE_RET( ctx != NULL ); - CCM_VALIDATE_RET( key != NULL ); - cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB ); if( cipher_info == NULL ) @@ -201,13 +192,6 @@ int mbedtls_ccm_starts( mbedtls_ccm_context *ctx, const unsigned char *iv, size_t iv_len ) { - CCM_VALIDATE_RET( ctx != NULL ); - CCM_VALIDATE_RET( iv != NULL ); - CCM_VALIDATE_RET( mode == MBEDTLS_CCM_DECRYPT || \ - mode == MBEDTLS_CCM_STAR_DECRYPT || \ - mode == MBEDTLS_CCM_ENCRYPT || \ - mode == MBEDTLS_CCM_STAR_ENCRYPT ); - /* Also implies q is within bounds */ if( iv_len < 7 || iv_len > 13 ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); @@ -250,8 +234,6 @@ int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx, size_t plaintext_len, size_t tag_len ) { - CCM_VALIDATE_RET( ctx != NULL ); - /* * Check length requirements: SP800-38C A.1 * Additional requirement: a < 2^16 - 2^8 to simplify the code. @@ -283,8 +265,6 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, const unsigned char *add, size_t add_len ) { - CCM_VALIDATE_RET( ctx->add_len == 0 || add != NULL ); - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; size_t olen, use_len, offset; @@ -337,16 +317,12 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, unsigned char *output, size_t output_size, size_t *output_len ) { - CCM_VALIDATE_RET( ctx->plaintext_len == 0 || input != NULL ); - CCM_VALIDATE_RET( ctx->plaintext_len == 0 || output != NULL ); - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; size_t use_len, offset, olen; if( output_size < input_len ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); - CCM_VALIDATE_RET( output_length != NULL ); *output_len = input_len; while ( input_len > 0 ) @@ -421,7 +397,6 @@ int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; - CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); /* * Authentication: reset counter and crypt/mask internal tag */ From 2d5652aceed0a4d3a15d949baae6cbc939ce4d75 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 27 Jul 2021 16:07:54 +0200 Subject: [PATCH 20/52] Move ccm error state handling. Remove error clearing from ccm_starts() and ccm_set_lengths(). Add error check in ccm_update_ad(), ccm_update() and ccm_finish(). Signed-off-by: Mateusz Starzyk --- library/ccm.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 80a795fc1..1247f8d37 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -118,7 +118,7 @@ static int mbedtls_ccm_crypt( mbedtls_ccm_context *ctx, if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->ctr, 16, tmp_buf, &olen ) ) != 0 ) { - ctx->state |= CCM_STATE__ERROR; + ctx->state |= CCM_STATE__ERROR; mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf)); return ret; } @@ -196,11 +196,6 @@ int mbedtls_ccm_starts( mbedtls_ccm_context *ctx, if( iv_len < 7 || iv_len > 13 ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); - if( ctx->state & CCM_STATE__ERROR ) - { - mbedtls_ccm_clear_state(ctx); - } - ctx->mode = mode; ctx->q = 16 - 1 - (unsigned char) iv_len; @@ -247,11 +242,6 @@ int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx, if( total_ad_len >= 0xFF00 ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); - if( ctx->state & CCM_STATE__ERROR ) - { - mbedtls_ccm_clear_state(ctx); - } - ctx->plaintext_len = plaintext_len; ctx->add_len = total_ad_len; ctx->tag_len = tag_len; @@ -269,6 +259,11 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, unsigned char i; size_t olen, use_len, offset; + if( ctx->state & CCM_STATE__ERROR ) + { + return ret; + } + if( ctx->add_len > 0 && add_len > 0) { if( ctx->processed == 0 ) @@ -321,6 +316,11 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, unsigned char i; size_t use_len, offset, olen; + if( ctx->state & CCM_STATE__ERROR ) + { + return ret; + } + if( output_size < input_len ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); *output_len = input_len; @@ -397,6 +397,11 @@ int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; + if( ctx->state & CCM_STATE__ERROR ) + { + return ret; + } + /* * Authentication: reset counter and crypt/mask internal tag */ From 36d3b89c84a46726eba6040b945724ec78bfffee Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 28 Jul 2021 14:14:58 +0200 Subject: [PATCH 21/52] Verify input data lengths. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 43 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 5 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 1247f8d37..a6ba77435 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -100,7 +100,8 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) #define CCM_STATE__CLEAR 0 #define CCM_STATE__STARTED (1 << 0) #define CCM_STATE__LENGHTS_SET (1 << 1) -#define CCM_STATE__ERROR (1 << 2) +#define CCM_STATE__AUTH_DATA_FINISHED (1 << 2) +#define CCM_STATE__ERROR (1 << 4) /* * Encrypt or decrypt a partial block with CTR @@ -264,15 +265,29 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, return ret; } - if( ctx->add_len > 0 && add_len > 0) + if( ctx->add_len > 0 && add_len > 0 ) { + if( ctx->state & CCM_STATE__AUTH_DATA_FINISHED ) + { + return ret; + } + if( ctx->processed == 0 ) { + if ( add_len > ctx->add_len ) + { + return MBEDTLS_ERR_CCM_BAD_INPUT; + } + ctx->y[0] ^= (unsigned char)( ( ctx->add_len >> 8 ) & 0xFF ); ctx->y[1] ^= (unsigned char)( ( ctx->add_len ) & 0xFF ); ctx->processed += 2; } + else if ( ctx->processed - 2 + add_len > ctx->add_len ) + { + return MBEDTLS_ERR_CCM_BAD_INPUT; + } while( add_len > 0 ) { @@ -299,10 +314,13 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, } } } - } - if( ctx->processed - 2 == ctx->add_len ) - ctx->processed = 0; // prepare for mbedtls_ccm_update() + if( ctx->processed - 2 == ctx->add_len ) + { + ctx->state |= CCM_STATE__AUTH_DATA_FINISHED; + ctx->processed = 0; // prepare for mbedtls_ccm_update() + } + } return (0); } @@ -321,6 +339,11 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, return ret; } + if( ctx->processed + input_len > ctx->plaintext_len ) + { + return MBEDTLS_ERR_CCM_BAD_INPUT; + } + if( output_size < input_len ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); *output_len = input_len; @@ -402,6 +425,16 @@ int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, return ret; } + if( ctx->add_len > 0 && !( ctx->state & CCM_STATE__AUTH_DATA_FINISHED ) ) + { + return ret; + } + + if( ctx->plaintext_len > 0 && ctx->processed != ctx->plaintext_len ) + { + return ret; + } + /* * Authentication: reset counter and crypt/mask internal tag */ From 22f7a35ca4de9bca49aa2e994eaa87460b3abe77 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 28 Jul 2021 15:08:47 +0200 Subject: [PATCH 22/52] Do not use output buffer for internal XOR during decryption. Signed-off-by: Mateusz Starzyk --- include/mbedtls/ccm.h | 2 ++ library/ccm.c | 56 ++++++++++++++++++++++++++++++++++--------- 2 files changed, 47 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index c903e68fd..06aa6a888 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -61,6 +61,8 @@ #define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /** Authenticated decryption failed. */ #define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F +/** Memory allocation failed */ +#define MBEDTLS_ERR_CCM_ALLOC_FAILED -0x0011 #ifdef __cplusplus extern "C" { diff --git a/library/ccm.c b/library/ccm.c index a6ba77435..3663a769d 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -36,14 +36,17 @@ #include -#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #else +#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) #include #define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ +#include +#define mbedtls_calloc calloc +#define mbedtls_free free +#endif /* MBEDTLS_PLATFORM_C */ #if !defined(MBEDTLS_CCM_ALT) @@ -330,13 +333,16 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, unsigned char *output, size_t output_size, size_t *output_len ) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int ret; unsigned char i; size_t use_len, offset, olen; + const size_t local_output_len = input_len; + unsigned char* local_output = NULL; + if( ctx->state & CCM_STATE__ERROR ) { - return ret; + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } if( ctx->processed + input_len > ctx->plaintext_len ) @@ -344,10 +350,24 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, return MBEDTLS_ERR_CCM_BAD_INPUT; } + /* Local output is used for decryption only. */ + if( ctx->mode == MBEDTLS_CCM_DECRYPT || \ + ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) + { + local_output = mbedtls_calloc( local_output_len, sizeof( *local_output) ); + if( local_output == NULL ) + { + ctx->state |= CCM_STATE__ERROR; + return MBEDTLS_ERR_CCM_ALLOC_FAILED; + } + } + if( output_size < input_len ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); *output_len = input_len; + ret = 0; + while ( input_len > 0 ) { offset = ctx->processed % 16; @@ -370,31 +390,37 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 ) { ctx->state |= CCM_STATE__ERROR; - return( ret ); + goto exit; } } ret = mbedtls_ccm_crypt( ctx, offset, use_len, input, output ); if( ret != 0 ) - return ret; + goto exit; } if( ctx->mode == MBEDTLS_CCM_DECRYPT || \ ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) { - ret = mbedtls_ccm_crypt( ctx, offset, use_len, input, output ); + /* Write decrypted data to local_output to avoid using output variable as + * input in the XOR operation for Y. + */ + ret = mbedtls_ccm_crypt( ctx, offset, use_len, input, local_output ); if( ret != 0 ) - return ret; + goto exit; for( i = 0; i < use_len; i++ ) - ctx->y[i + offset] ^= output[i]; + ctx->y[i + offset] ^= local_output[i]; + + memcpy( output, local_output, use_len ); + mbedtls_platform_zeroize( local_output, local_output_len ); if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len ) { if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 ) { ctx->state |= CCM_STATE__ERROR; - return( ret ); + goto exit; } } } @@ -411,7 +437,15 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, output += use_len; } - return 0; +exit: + if( ctx->mode == MBEDTLS_CCM_DECRYPT || \ + ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) + { + mbedtls_platform_zeroize( local_output, local_output_len ); + mbedtls_free( local_output ); + } + + return ret; } int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, From eb395c00c9253aa6552128d0da1e05002df30aa1 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 28 Jul 2021 15:10:54 +0200 Subject: [PATCH 23/52] Move 'Authenticated decryption' comment. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 3663a769d..51cee939f 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -538,6 +538,9 @@ int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, add, add_len, input, output, tag, tag_len ) ); } +/* + * Authenticated decryption + */ static int mbedtls_ccm_compare_tags(const unsigned char *tag1, const unsigned char *tag2, size_t tag_len) { unsigned char i; @@ -555,9 +558,6 @@ static int mbedtls_ccm_compare_tags(const unsigned char *tag1, const unsigned ch return( 0 ); } -/* - * Authenticated decryption - */ int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, From 1bda9451ef395c35b99255625fc647287e4ecc8e Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 28 Jul 2021 15:21:46 +0200 Subject: [PATCH 24/52] Factor out common code from ccm decrypt functions. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 43 ++++++++++++++++++++----------------------- 1 file changed, 20 insertions(+), 23 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 51cee939f..a14e025de 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -558,16 +558,16 @@ static int mbedtls_ccm_compare_tags(const unsigned char *tag1, const unsigned ch return( 0 ); } -int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, - const unsigned char *iv, size_t iv_len, - const unsigned char *add, size_t add_len, - const unsigned char *input, unsigned char *output, - const unsigned char *tag, size_t tag_len ) +static int ccm_auth_decrypt( mbedtls_ccm_context *ctx, int mode, size_t length, + const unsigned char *iv, size_t iv_len, + const unsigned char *add, size_t add_len, + const unsigned char *input, unsigned char *output, + const unsigned char *tag, size_t tag_len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char check_tag[16]; - if( ( ret = ccm_auth_crypt( ctx, MBEDTLS_CCM_STAR_DECRYPT, length, + if( ( ret = ccm_auth_crypt( ctx, mode, length, iv, iv_len, add, add_len, input, output, check_tag, tag_len ) ) != 0 ) { @@ -583,29 +583,26 @@ int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, return( 0 ); } +int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, + const unsigned char *iv, size_t iv_len, + const unsigned char *add, size_t add_len, + const unsigned char *input, unsigned char *output, + const unsigned char *tag, size_t tag_len ) +{ + return ccm_auth_decrypt( ctx, MBEDTLS_CCM_STAR_DECRYPT, length, + iv, iv_len, add, add_len, + input, output, tag, tag_len ); +} + int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *input, unsigned char *output, const unsigned char *tag, size_t tag_len ) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - unsigned char check_tag[16]; - - if( ( ret = ccm_auth_crypt( ctx, MBEDTLS_CCM_DECRYPT, length, - iv, iv_len, add, add_len, - input, output, check_tag, tag_len ) ) != 0 ) - { - return( ret ); - } - - if( ( ret = mbedtls_ccm_compare_tags( tag, check_tag, tag_len ) ) != 0 ) - { - mbedtls_platform_zeroize( output, length ); - return( ret ); - } - - return( 0 ); + return ccm_auth_decrypt( ctx, MBEDTLS_CCM_DECRYPT, length, + iv, iv_len, add, add_len, + input, output, tag, tag_len ); } #endif /* !MBEDTLS_CCM_ALT */ From c8bdf36a728989cab1b81f0dbcd856f75ea4fdda Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 28 Jul 2021 15:39:51 +0200 Subject: [PATCH 25/52] Validate tag pointer in ccm function. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 3 ++- tests/suites/test_suite_ccm.function | 5 +---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index a14e025de..af26de8d4 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -478,7 +478,8 @@ int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, ret = mbedtls_ccm_crypt( ctx, 0, 16, ctx->y, ctx->y ); if( ret != 0 ) return ret; - memcpy( tag, ctx->y, tag_len ); + if( tag != NULL ) + memcpy( tag, ctx->y, tag_len ); mbedtls_ccm_clear_state(ctx); return( 0 ); diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 25cc49b8d..21f0699b4 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -48,10 +48,7 @@ static int check_multipart( mbedtls_ccm_context *ctx, mbedtls_free( output ); output = NULL; - if( tag->len == 0 ) - ASSERT_ALLOC( output, 16 ); - else - ASSERT_ALLOC( output, tag->len ); + ASSERT_ALLOC( output, tag->len ); TEST_EQUAL( 0, mbedtls_ccm_finish( ctx, output, tag->len ) ); ASSERT_COMPARE( output, tag->len, tag->x, tag->len ); mbedtls_free( output ); From 87889069477435c8f5cfd2a13db6f62df08cf233 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 29 Jul 2021 14:08:18 +0200 Subject: [PATCH 26/52] Add CCM test for edge cases. Cover: - not calling auth data update - not calling cipher text update - exceeding configured auth data length - exceeding configured cipher text length Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.data | 64 +++++++++++++++ tests/suites/test_suite_ccm.function | 111 +++++++++++++++++++++++++++ 2 files changed, 175 insertions(+) diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index a14d4be25..382d2180f 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data @@ -1517,3 +1517,67 @@ mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FD CCM-Camellia encrypt and tag RFC 5528 #24 depends_on:MBEDTLS_CAMELLIA_C mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"9DC9EDAE2FF5DF8636E8C6DE0EED55F7867E33337D":"003B8FD8D3A937B160B6A31C1C":"A4D499F78419728C19178B0C":"4B198156393B0F7796086AAFB454F8C3F034CCA966945F1FCEA7E11BEE6A2F" + +CCM encrypt, skip auth NIST VADT AES-128 (P=24, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":"1123301219c70599b7c373ad4b3ad67b" + +CCM* encrypt, skip auth NIST VADT AES-128 (P=24, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":"1123301219c70599b7c373ad4b3ad67b" + +CCM decrypt, skip auth NIST DVPT AES-192 (P=24, N=7, A=0, T=4) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22":"ddc93a54" + +CCM* decrypt, skip auth NIST DVPT AES-192 (P=24, N=7, A=0, T=4) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22":"ddc93a54" + +CCM encrypt, skip cipher NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"2ebf60f0969013a54a3dedb19d20f6c8":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880" + +CCM* encrypt, skip cipher NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"2ebf60f0969013a54a3dedb19d20f6c8":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880" + +CCM decrypt, skip cipher NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"867b0d87cf6e0f718200a97b4f6d5ad5" + +CCM* decrypt, skip cipher NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"867b0d87cf6e0f718200a97b4f6d5ad5" + +CCM encrypt, overflow auth NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_overflow_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM encrypt, overflow cipher NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_overflow_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM decrypt, overflow auth NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_overflow_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM decrypt, overflow cipher NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_overflow_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM* encrypt, overflow auth NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_overflow_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM* encrypt, overflow cipher NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_overflow_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM* decrypt, overflow auth NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_overflow_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM* decrypt, overflow cipher NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_overflow_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 21f0699b4..347f18977 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -454,3 +454,114 @@ exit: mbedtls_free( io_msg_buf ); } /* END_CASE */ + +/* BEGIN_CASE */ +void mbedtls_ccm_skip_auth( int cipher_id, int mode, + data_t * key, data_t * msg, data_t * iv, + data_t * result, data_t * tag ) +{ + mbedtls_ccm_context ctx; + uint8_t *output = NULL; + size_t olen; + + /* Sanity checks on the test data */ + TEST_EQUAL( msg->len, result->len ); + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, 0, msg->len, tag->len ) ); + + ASSERT_ALLOC( output, result->len ); + olen = 0xdeadbeef; + TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg->x, msg->len, output, result->len, &olen ) ); + TEST_EQUAL( result->len, olen ); + ASSERT_COMPARE( output, olen, result->x, result->len ); + mbedtls_free( output ); + output = NULL; + + ASSERT_ALLOC( output, tag->len ); + TEST_EQUAL( 0, mbedtls_ccm_finish( &ctx, output, tag->len ) ); + ASSERT_COMPARE( output, tag->len, tag->x, tag->len ); + mbedtls_free( output ); + output = NULL; + +exit: + mbedtls_free( output ); + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void mbedtls_ccm_skip_cipher( int cipher_id, int mode, + data_t * key, data_t * iv, data_t* add, + data_t * tag ) +{ + mbedtls_ccm_context ctx; + uint8_t *output = NULL; + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 0, tag->len ) ); + + TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); + + ASSERT_ALLOC( output, tag->len ); + TEST_EQUAL( 0, mbedtls_ccm_finish( &ctx, output, tag->len ) ); + ASSERT_COMPARE( output, tag->len, tag->x, tag->len ); + mbedtls_free( output ); + output = NULL; + +exit: + mbedtls_free( output ); + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void mbedtls_ccm_overflow_auth( int cipher_id, int mode, + data_t * key, data_t * iv, + data_t * add ) +{ + mbedtls_ccm_context ctx; + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + // use hardcoded values for msg length and tag length. They are not a part of this test + // set half of auth data length to provoke an overflow + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len / 2, 16, 16 ) ); + + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); +exit: + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void mbedtls_ccm_overflow_cipher( int cipher_id, int mode, + data_t * key, data_t * msg, data_t * iv, + data_t * add ) +{ + mbedtls_ccm_context ctx; + uint8_t *output = NULL; + size_t olen; + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + // use hardcoded value for tag length. It is a not a part of this test + // set half of msg length to provoke an overflow + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, msg->len / 2, 16 ) ); + + TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); + + ASSERT_ALLOC( output, msg->len ); + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, \ + mbedtls_ccm_update( &ctx, msg->x, msg->len, output, msg->len, &olen ) ); +exit: + mbedtls_free( output ); + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ From ceb5bc6150877c658f3572cb74448b8a343229b4 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Fri, 30 Jul 2021 14:36:22 +0200 Subject: [PATCH 27/52] Fix typos. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 347f18977..39e0b0b53 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -204,7 +204,7 @@ void mbedtls_ccm_encrypt_and_tag( int cipher_id, data_t * key, ASSERT_COMPARE( io_msg_buf, msg->len, result->x, msg->len ); ASSERT_COMPARE( tag_buf, expected_tag_len, expected_tag, expected_tag_len ); - /* Prepare data_t structers for multipart testing */ + /* Prepare data_t structures for multipart testing */ const data_t encrypted_expected = { .x = result->x, .len = msg->len }; const data_t tag_expected = { .x = (uint8_t*) expected_tag, /* cast to conform with data_t x type */ @@ -259,7 +259,7 @@ void mbedtls_ccm_auth_decrypt( int cipher_id, data_t * key, { ASSERT_COMPARE( io_msg_buf, expected_msg_len, expected_msg->x, expected_msg_len ); - /* Prepare data_t structers for multipart testing */ + /* Prepare data_t structures for multipart testing */ const data_t encrypted = { .x = msg->x, .len = expected_msg_len }; From c562788068ed9186807aa2c857954f925dd9644d Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 2 Aug 2021 11:49:58 +0200 Subject: [PATCH 28/52] Fix local buffer allocation conditions. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index af26de8d4..20e9414ac 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -351,8 +351,9 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, } /* Local output is used for decryption only. */ - if( ctx->mode == MBEDTLS_CCM_DECRYPT || \ - ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) + if( local_output_len > 0 && \ + ( ctx->mode == MBEDTLS_CCM_DECRYPT || \ + ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) ) { local_output = mbedtls_calloc( local_output_len, sizeof( *local_output) ); if( local_output == NULL ) From f337850738ca8d77dd0d31514fdb451381f6bd38 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 9 Aug 2021 11:32:11 +0200 Subject: [PATCH 29/52] Use const size buffer for local output in CCM decryption. Signed-off-by: Mateusz Starzyk --- include/mbedtls/ccm.h | 2 -- library/ccm.c | 28 +++------------------------- 2 files changed, 3 insertions(+), 27 deletions(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index 06aa6a888..c903e68fd 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -61,8 +61,6 @@ #define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /** Authenticated decryption failed. */ #define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F -/** Memory allocation failed */ -#define MBEDTLS_ERR_CCM_ALLOC_FAILED -0x0011 #ifdef __cplusplus extern "C" { diff --git a/library/ccm.c b/library/ccm.c index 20e9414ac..13582d2a0 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -43,9 +43,6 @@ #include #define mbedtls_printf printf #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ -#include -#define mbedtls_calloc calloc -#define mbedtls_free free #endif /* MBEDTLS_PLATFORM_C */ #if !defined(MBEDTLS_CCM_ALT) @@ -337,8 +334,7 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, unsigned char i; size_t use_len, offset, olen; - const size_t local_output_len = input_len; - unsigned char* local_output = NULL; + unsigned char local_output[16]; if( ctx->state & CCM_STATE__ERROR ) { @@ -350,19 +346,6 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, return MBEDTLS_ERR_CCM_BAD_INPUT; } - /* Local output is used for decryption only. */ - if( local_output_len > 0 && \ - ( ctx->mode == MBEDTLS_CCM_DECRYPT || \ - ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) ) - { - local_output = mbedtls_calloc( local_output_len, sizeof( *local_output) ); - if( local_output == NULL ) - { - ctx->state |= CCM_STATE__ERROR; - return MBEDTLS_ERR_CCM_ALLOC_FAILED; - } - } - if( output_size < input_len ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); *output_len = input_len; @@ -414,7 +397,7 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, ctx->y[i + offset] ^= local_output[i]; memcpy( output, local_output, use_len ); - mbedtls_platform_zeroize( local_output, local_output_len ); + mbedtls_platform_zeroize( local_output, 16 ); if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len ) { @@ -439,12 +422,7 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, } exit: - if( ctx->mode == MBEDTLS_CCM_DECRYPT || \ - ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) - { - mbedtls_platform_zeroize( local_output, local_output_len ); - mbedtls_free( local_output ); - } + mbedtls_platform_zeroize( local_output, 16 ); return ret; } From 4f2dd8aada0f75717db1ff9c0139de71f93a0321 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 9 Aug 2021 15:37:47 +0200 Subject: [PATCH 30/52] Fix errors returned by CCM functions. Add new error code for calling functions in wrong order. Signed-off-by: Mateusz Starzyk --- include/mbedtls/ccm.h | 2 ++ library/ccm.c | 10 +++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index c903e68fd..d47841439 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -61,6 +61,8 @@ #define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /** Authenticated decryption failed. */ #define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F +/** CCM functions called in the wrong sequence. */ +#define MBEDTLS_ERR_CCM_BAD_SEQUENCE -0x0011 #ifdef __cplusplus extern "C" { diff --git a/library/ccm.c b/library/ccm.c index 13582d2a0..33c631a87 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -269,7 +269,7 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, { if( ctx->state & CCM_STATE__AUTH_DATA_FINISHED ) { - return ret; + return MBEDTLS_ERR_CCM_BAD_SEQUENCE; } if( ctx->processed == 0 ) @@ -430,22 +430,22 @@ exit: int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, unsigned char *tag, size_t tag_len ) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int ret; unsigned char i; if( ctx->state & CCM_STATE__ERROR ) { - return ret; + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } if( ctx->add_len > 0 && !( ctx->state & CCM_STATE__AUTH_DATA_FINISHED ) ) { - return ret; + return MBEDTLS_ERR_CCM_BAD_SEQUENCE; } if( ctx->plaintext_len > 0 && ctx->processed != ctx->plaintext_len ) { - return ret; + return MBEDTLS_ERR_CCM_BAD_SEQUENCE; } /* From 62d22f9782dd68876353feb23889210ebb9a7efc Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 9 Aug 2021 15:53:41 +0200 Subject: [PATCH 31/52] Use additional state in CCM to track auth data input. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 33c631a87..7574bdcf6 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -100,7 +100,8 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) #define CCM_STATE__CLEAR 0 #define CCM_STATE__STARTED (1 << 0) #define CCM_STATE__LENGHTS_SET (1 << 1) -#define CCM_STATE__AUTH_DATA_FINISHED (1 << 2) +#define CCM_STATE__AUTH_DATA_STARTED (1 << 2) +#define CCM_STATE__AUTH_DATA_FINISHED (1 << 3) #define CCM_STATE__ERROR (1 << 4) /* @@ -272,7 +273,7 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, return MBEDTLS_ERR_CCM_BAD_SEQUENCE; } - if( ctx->processed == 0 ) + if( !(ctx->state & CCM_STATE__AUTH_DATA_STARTED) ) { if ( add_len > ctx->add_len ) { @@ -282,17 +283,17 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, ctx->y[0] ^= (unsigned char)( ( ctx->add_len >> 8 ) & 0xFF ); ctx->y[1] ^= (unsigned char)( ( ctx->add_len ) & 0xFF ); - ctx->processed += 2; + ctx->state |= CCM_STATE__AUTH_DATA_STARTED; } - else if ( ctx->processed - 2 + add_len > ctx->add_len ) + else if ( ctx->processed + add_len > ctx->add_len ) { return MBEDTLS_ERR_CCM_BAD_INPUT; } while( add_len > 0 ) { - offset = ctx->processed % 16; - + offset = (ctx->processed + 2) % 16; /* account for y[0] and y[1] + * holding total auth data length */ use_len = 16 - offset; if( use_len > add_len ) @@ -305,7 +306,7 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, add_len -= use_len; add += use_len; - if( use_len + offset == 16 || ctx->processed - 2 == ctx->add_len ) + if( use_len + offset == 16 || ctx->processed == ctx->add_len ) { if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 ) { @@ -315,7 +316,7 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, } } - if( ctx->processed - 2 == ctx->add_len ) + if( ctx->processed == ctx->add_len ) { ctx->state |= CCM_STATE__AUTH_DATA_FINISHED; ctx->processed = 0; // prepare for mbedtls_ccm_update() From b73c3ec1bc5f8e885421af5352a6f57455900137 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 9 Aug 2021 15:55:38 +0200 Subject: [PATCH 32/52] Restore MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED as default ret. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 7574bdcf6..b7c8f6d4d 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -331,7 +331,7 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, unsigned char *output, size_t output_size, size_t *output_len ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; size_t use_len, offset, olen; @@ -431,7 +431,7 @@ exit: int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, unsigned char *tag, size_t tag_len ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char i; if( ctx->state & CCM_STATE__ERROR ) From a42f9537b53411effa79b0b14591f131ee2a2ebc Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 9 Aug 2021 16:00:24 +0200 Subject: [PATCH 33/52] Improve documentation for CCM's `processed` variable. Signed-off-by: Mateusz Starzyk --- include/mbedtls/ccm.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index d47841439..8aacfce55 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -84,7 +84,12 @@ typedef struct mbedtls_ccm_context size_t MBEDTLS_PRIVATE(plaintext_len); /*!< Total plaintext length */ size_t MBEDTLS_PRIVATE(add_len); /*!< Total authentication data length */ size_t MBEDTLS_PRIVATE(tag_len); /*!< Total tag length */ - size_t MBEDTLS_PRIVATE(processed); /*!< How many bytes of input data were processed (chunked input) */ + size_t MBEDTLS_PRIVATE(processed); /*!< Track how many bytes of input data + were processed (chunked input). + Used indepenedantly for both auth data + and plaintext/ciphertext. + This variable is set to zero after + auth data input is finished. */ unsigned char MBEDTLS_PRIVATE(q); /*!< The Q working value */ unsigned char MBEDTLS_PRIVATE(mode); /*!< The operation to perform: #MBEDTLS_CCM_ENCRYPT or From 2f1754916c7a478f44aa430d086412925fd6b35e Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 9 Aug 2021 16:05:14 +0200 Subject: [PATCH 34/52] Improve comment on local_output. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/ccm.c b/library/ccm.c index b7c8f6d4d..1e88f9067 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -387,7 +387,10 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, if( ctx->mode == MBEDTLS_CCM_DECRYPT || \ ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) { - /* Write decrypted data to local_output to avoid using output variable as + /* Since output may be in shared memory, we cannot be sure that + * it will contain what we wrote to it. Therefore, we should avoid using + * it as input to any operations. + * Write decrypted data to local_output to avoid using output variable as * input in the XOR operation for Y. */ ret = mbedtls_ccm_crypt( ctx, offset, use_len, input, local_output ); From bccbf88bc3843f36a851ab6c7a02cd5c46129456 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 9 Aug 2021 16:12:46 +0200 Subject: [PATCH 35/52] Rename CCM test functions. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.data | 64 ++++++++++++++-------------- tests/suites/test_suite_ccm.function | 8 ++-- 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index 382d2180f..ff92e5fd7 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data @@ -1518,66 +1518,66 @@ CCM-Camellia encrypt and tag RFC 5528 #24 depends_on:MBEDTLS_CAMELLIA_C mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"9DC9EDAE2FF5DF8636E8C6DE0EED55F7867E33337D":"003B8FD8D3A937B160B6A31C1C":"A4D499F78419728C19178B0C":"4B198156393B0F7796086AAFB454F8C3F034CCA966945F1FCEA7E11BEE6A2F" -CCM encrypt, skip auth NIST VADT AES-128 (P=24, N=13, A=0, T=16) +CCM encrypt, skip ad NIST VADT AES-128 (P=24, N=13, A=0, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_skip_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":"1123301219c70599b7c373ad4b3ad67b" +mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":"1123301219c70599b7c373ad4b3ad67b" -CCM* encrypt, skip auth NIST VADT AES-128 (P=24, N=13, A=0, T=16) +CCM* encrypt, skip ad NIST VADT AES-128 (P=24, N=13, A=0, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_skip_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":"1123301219c70599b7c373ad4b3ad67b" +mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":"1123301219c70599b7c373ad4b3ad67b" -CCM decrypt, skip auth NIST DVPT AES-192 (P=24, N=7, A=0, T=4) +CCM decrypt, skip ad NIST DVPT AES-192 (P=24, N=7, A=0, T=4) depends_on:MBEDTLS_AES_C -mbedtls_ccm_skip_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22":"ddc93a54" +mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22":"ddc93a54" -CCM* decrypt, skip auth NIST DVPT AES-192 (P=24, N=7, A=0, T=4) +CCM* decrypt, skip ad NIST DVPT AES-192 (P=24, N=7, A=0, T=4) depends_on:MBEDTLS_AES_C -mbedtls_ccm_skip_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22":"ddc93a54" +mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22":"ddc93a54" -CCM encrypt, skip cipher NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16) +CCM encrypt, skip update NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_skip_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"2ebf60f0969013a54a3dedb19d20f6c8":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880" +mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"2ebf60f0969013a54a3dedb19d20f6c8":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880" -CCM* encrypt, skip cipher NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16) +CCM* encrypt, skip update NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_skip_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"2ebf60f0969013a54a3dedb19d20f6c8":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880" +mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"2ebf60f0969013a54a3dedb19d20f6c8":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880" -CCM decrypt, skip cipher NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16) +CCM decrypt, skip update NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_skip_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"867b0d87cf6e0f718200a97b4f6d5ad5" +mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"867b0d87cf6e0f718200a97b4f6d5ad5" -CCM* decrypt, skip cipher NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16) +CCM* decrypt, skip update NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_skip_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"867b0d87cf6e0f718200a97b4f6d5ad5" +mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"867b0d87cf6e0f718200a97b4f6d5ad5" -CCM encrypt, overflow auth NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM encrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" -CCM encrypt, overflow cipher NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM encrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" -CCM decrypt, overflow auth NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM decrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" -CCM decrypt, overflow cipher NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM decrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" -CCM* encrypt, overflow auth NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* encrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" -CCM* encrypt, overflow cipher NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* encrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" -CCM* decrypt, overflow auth NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* decrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_auth:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" -CCM* decrypt, overflow cipher NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* decrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_cipher:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 39e0b0b53..028ab896e 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -456,7 +456,7 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void mbedtls_ccm_skip_auth( int cipher_id, int mode, +void mbedtls_ccm_skip_ad( int cipher_id, int mode, data_t * key, data_t * msg, data_t * iv, data_t * result, data_t * tag ) { @@ -493,7 +493,7 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void mbedtls_ccm_skip_cipher( int cipher_id, int mode, +void mbedtls_ccm_skip_update( int cipher_id, int mode, data_t * key, data_t * iv, data_t* add, data_t * tag ) { @@ -520,7 +520,7 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void mbedtls_ccm_overflow_auth( int cipher_id, int mode, +void mbedtls_ccm_overflow_ad( int cipher_id, int mode, data_t * key, data_t * iv, data_t * add ) { @@ -540,7 +540,7 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void mbedtls_ccm_overflow_cipher( int cipher_id, int mode, +void mbedtls_ccm_overflow_update( int cipher_id, int mode, data_t * key, data_t * msg, data_t * iv, data_t * add ) { From f442de69ebb3aa5db2d642382a0b7b9604937ef3 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 10 Aug 2021 13:36:43 +0200 Subject: [PATCH 36/52] Add tests for CCM corner cases. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.data | 64 ++++++++++++++++ tests/suites/test_suite_ccm.function | 108 +++++++++++++++++++++++++++ 2 files changed, 172 insertions(+) diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index ff92e5fd7..5d23e6a74 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data @@ -1554,30 +1554,94 @@ CCM encrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +CCM encrypt, incomplete ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM encrypt, full ad and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + CCM encrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +CCM encrypt, incomplete update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM encrypt, full update and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + CCM decrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +CCM decrypt, incomplete ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM decrypt, full ad and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + CCM decrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +CCM decrypt, incomplete update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM decrypt, full update and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + CCM* encrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +CCM* encrypt, incomplete ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM* encrypt, full ad and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + CCM* encrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +CCM* encrypt, incomplete update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM* encrypt, full update and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + CCM* decrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +CCM* decrypt, incomplete ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM* decrypt, full ad and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + CCM* decrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM* decrypt, incomplete update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM* decrypt, full update and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 028ab896e..74893bb29 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -539,6 +539,53 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void mbedtls_ccm_incomplete_ad( int cipher_id, int mode, + data_t * key, data_t * iv, data_t* add ) +{ + mbedtls_ccm_context ctx; + uint8_t *output = NULL; + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + // use hardcoded values for msg length and tag length. They are not a part of this test + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 0, 16 ) ); + + TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len/2) ); + + ASSERT_ALLOC( output, 16 ); + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_SEQUENCE, mbedtls_ccm_finish( &ctx, output, 16 ) ); + +exit: + mbedtls_free( output ); + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ + + +/* BEGIN_CASE */ +void mbedtls_ccm_full_ad_and_overflow( int cipher_id, int mode, + data_t * key, data_t * iv, + data_t * add ) +{ + mbedtls_ccm_context ctx; + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + // use hardcoded values for msg length and tag length. They are not a part of this test + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 16, 16 ) ); + + // pass full auth data + TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); + // pass 1 extra byte + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_SEQUENCE, mbedtls_ccm_update_ad( &ctx, add->x, 1) ); +exit: + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ + /* BEGIN_CASE */ void mbedtls_ccm_overflow_update( int cipher_id, int mode, data_t * key, data_t * msg, data_t * iv, @@ -565,3 +612,64 @@ exit: mbedtls_ccm_free( &ctx ); } /* END_CASE */ + +/* BEGIN_CASE */ +void mbedtls_ccm_incomplete_update( int cipher_id, int mode, + data_t * key, data_t * msg, data_t * iv, + data_t * add ) +{ + mbedtls_ccm_context ctx; + uint8_t *output = NULL; + size_t olen; + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + // use hardcoded value for tag length. It is not a part of this test + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, msg->len, 16 ) ); + + TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); + + ASSERT_ALLOC( output, msg->len ); + olen = 0xdeadbeef; + TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg->x, msg->len/2, output, msg->len, &olen ) ); + mbedtls_free( output ); + output = NULL; + + ASSERT_ALLOC( output, 16 ); + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_SEQUENCE, mbedtls_ccm_finish( &ctx, output, 16 ) ); + +exit: + mbedtls_free( output ); + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void mbedtls_ccm_full_update_and_overflow( int cipher_id, int mode, + data_t * key, data_t * msg, data_t * iv, + data_t * add ) +{ + mbedtls_ccm_context ctx; + uint8_t *output = NULL; + size_t olen; + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + // use hardcoded value for tag length. It is a not a part of this test + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, msg->len, 16 ) ); + + TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); + + ASSERT_ALLOC( output, msg->len ); + // pass full text + TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg->x, msg->len, output, msg->len, &olen ) ); + // pass 1 extra byte + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, \ + mbedtls_ccm_update( &ctx, msg->x, 1, output, 1, &olen ) ); +exit: + mbedtls_free( output ); + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ From 8fb1754e1ab4408fad3496abe52fdc61fb0d0e81 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 10 Aug 2021 13:45:19 +0200 Subject: [PATCH 37/52] Add short description for CCM test functions. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.function | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 74893bb29..d9c397c68 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -455,6 +455,7 @@ exit: } /* END_CASE */ +/* Skip auth data, provide full text */ /* BEGIN_CASE */ void mbedtls_ccm_skip_ad( int cipher_id, int mode, data_t * key, data_t * msg, data_t * iv, @@ -492,6 +493,7 @@ exit: } /* END_CASE */ +/* Provide auth data, skip full text */ /* BEGIN_CASE */ void mbedtls_ccm_skip_update( int cipher_id, int mode, data_t * key, data_t * iv, data_t* add, @@ -519,6 +521,7 @@ exit: } /* END_CASE */ +/* Provide too much auth data */ /* BEGIN_CASE */ void mbedtls_ccm_overflow_ad( int cipher_id, int mode, data_t * key, data_t * iv, @@ -539,6 +542,7 @@ exit: } /* END_CASE */ +/* Provide incomplete auth data and finish */ /* BEGIN_CASE */ void mbedtls_ccm_incomplete_ad( int cipher_id, int mode, data_t * key, data_t * iv, data_t* add ) @@ -563,7 +567,8 @@ exit: } /* END_CASE */ - +/* Provide complete auth data on first update_ad. + * Provide unexpected auth data on second update_ad */ /* BEGIN_CASE */ void mbedtls_ccm_full_ad_and_overflow( int cipher_id, int mode, data_t * key, data_t * iv, @@ -586,6 +591,7 @@ exit: } /* END_CASE */ +/* Provide too much plaintext/ciphertext */ /* BEGIN_CASE */ void mbedtls_ccm_overflow_update( int cipher_id, int mode, data_t * key, data_t * msg, data_t * iv, @@ -613,6 +619,7 @@ exit: } /* END_CASE */ +/* Provide incomplete plaintext/ciphertext and finish */ /* BEGIN_CASE */ void mbedtls_ccm_incomplete_update( int cipher_id, int mode, data_t * key, data_t * msg, data_t * iv, @@ -645,6 +652,8 @@ exit: } /* END_CASE */ +/* Provide full plaintext/ciphertext of first update + * Provide unexpected plaintext/ciphertext on second update */ /* BEGIN_CASE */ void mbedtls_ccm_full_update_and_overflow( int cipher_id, int mode, data_t * key, data_t * msg, data_t * iv, From e0f5227550f7798aeff2ce2933d184aaa10fad89 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 10 Aug 2021 13:55:47 +0200 Subject: [PATCH 38/52] Add CCM test for calling finish without any input. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.data | 12 ++++++++++++ tests/suites/test_suite_ccm.function | 24 ++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index 5d23e6a74..91aa98bd4 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data @@ -1645,3 +1645,15 @@ mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5 CCM* decrypt, full update and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" + +CCM encrypt, instant finish NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a" + +CCM decrypt, instant finish NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a" + +CCM* encrypt, instant finish NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a" + +CCM* decrypt, instant finish NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a" diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index d9c397c68..48c4fe919 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -682,3 +682,27 @@ exit: mbedtls_ccm_free( &ctx ); } /* END_CASE */ + +/* Finish without passing any auth data or plaintext/ciphertext input */ +/* BEGIN_CASE */ +void mbedtls_ccm_instant_finish( int cipher_id, int mode, + data_t * key, data_t * iv ) +{ + mbedtls_ccm_context ctx; + uint8_t *output = NULL; + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + // use hardcoded values for add length, msg length and tag length. + // They are not a part of this test + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, 16, 16, 16 ) ); + + ASSERT_ALLOC( output, 16 ); + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_SEQUENCE, mbedtls_ccm_finish( &ctx, output, 16 ) ); + +exit: + mbedtls_free( output ); + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ From 0dc86b5a2ac807deaa26fa6a7975ac1d5b4ec1d9 Mon Sep 17 00:00:00 2001 From: Archana Date: Wed, 14 Jul 2021 13:59:48 +0530 Subject: [PATCH 39/52] Remove dependency of builtin keys on storage The psa_open_key API depends on MBEDTLS_PSA_CRYPTO_STORAGE_C. This is unnecessary for builtin keys and so is fixed. Updated an open_fail test vector keeping with the same. Signed-off-by: Archana --- library/psa_crypto_slot_management.c | 7 ++++--- tests/suites/test_suite_psa_crypto_slot_management.data | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 4131e3cc4..32a6bb259 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -470,7 +470,8 @@ psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime ) psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle ) { -#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \ + defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS) psa_status_t status; psa_key_slot_t *slot; @@ -488,11 +489,11 @@ psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle ) return( psa_unlock_key_slot( slot ) ); -#else /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ +#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ (void) key; *handle = PSA_KEY_HANDLE_INIT; return( PSA_ERROR_NOT_SUPPORTED ); -#endif /* !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ +#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ } psa_status_t psa_close_key( psa_key_handle_t handle ) diff --git a/tests/suites/test_suite_psa_crypto_slot_management.data b/tests/suites/test_suite_psa_crypto_slot_management.data index 68b196d32..147773416 100644 --- a/tests/suites/test_suite_psa_crypto_slot_management.data +++ b/tests/suites/test_suite_psa_crypto_slot_management.data @@ -160,7 +160,7 @@ depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C create_fail:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MAX + 1:PSA_ERROR_INVALID_ARGUMENT Open not supported -depends_on:!MBEDTLS_PSA_CRYPTO_STORAGE_C +depends_on:!MBEDTLS_PSA_CRYPTO_STORAGE_C:!MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS open_fail:1:PSA_ERROR_NOT_SUPPORTED Create not supported From 3879c345ec95be0150b9d076b47a8f83edd250a4 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 23 Aug 2021 10:56:06 +0200 Subject: [PATCH 40/52] Fix typo in the changelog for chunked CCM. Signed-off-by: Mateusz Starzyk --- ChangeLog.d/chunked_ccm.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/chunked_ccm.txt b/ChangeLog.d/chunked_ccm.txt index 4e3065f90..67faecca5 100644 --- a/ChangeLog.d/chunked_ccm.txt +++ b/ChangeLog.d/chunked_ccm.txt @@ -3,6 +3,6 @@ Changes The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(), mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish() were introduced in mbedTLS 3.0 release, however their implementation was - postponed util now. + postponed until now. Implemented functions support chunked data input for both CCM and CCM* algorithms. From e40ae6bbed2af4b792b1704359fac3b6669052de Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 1 Sep 2021 12:47:49 +0200 Subject: [PATCH 41/52] Fix typo Signed-off-by: Mateusz Starzyk --- include/mbedtls/ccm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index 8aacfce55..c78af48e4 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -86,7 +86,7 @@ typedef struct mbedtls_ccm_context size_t MBEDTLS_PRIVATE(tag_len); /*!< Total tag length */ size_t MBEDTLS_PRIVATE(processed); /*!< Track how many bytes of input data were processed (chunked input). - Used indepenedantly for both auth data + Used independently for both auth data and plaintext/ciphertext. This variable is set to zero after auth data input is finished. */ From 7251eda6ff7106752eab172862cc74f476e2b049 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 1 Sep 2021 13:26:44 +0200 Subject: [PATCH 42/52] Replace BAD_SEQUENCE error with BAD_INPUT Signed-off-by: Mateusz Starzyk --- include/mbedtls/ccm.h | 2 -- library/ccm.c | 6 +++--- tests/suites/test_suite_ccm.function | 8 ++++---- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index c78af48e4..6f991fefb 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -61,8 +61,6 @@ #define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /** Authenticated decryption failed. */ #define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F -/** CCM functions called in the wrong sequence. */ -#define MBEDTLS_ERR_CCM_BAD_SEQUENCE -0x0011 #ifdef __cplusplus extern "C" { diff --git a/library/ccm.c b/library/ccm.c index 0a904613e..d9d25cecd 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -270,7 +270,7 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, { if( ctx->state & CCM_STATE__AUTH_DATA_FINISHED ) { - return MBEDTLS_ERR_CCM_BAD_SEQUENCE; + return MBEDTLS_ERR_CCM_BAD_INPUT; } if( !(ctx->state & CCM_STATE__AUTH_DATA_STARTED) ) @@ -444,12 +444,12 @@ int mbedtls_ccm_finish( mbedtls_ccm_context *ctx, if( ctx->add_len > 0 && !( ctx->state & CCM_STATE__AUTH_DATA_FINISHED ) ) { - return MBEDTLS_ERR_CCM_BAD_SEQUENCE; + return MBEDTLS_ERR_CCM_BAD_INPUT; } if( ctx->plaintext_len > 0 && ctx->processed != ctx->plaintext_len ) { - return MBEDTLS_ERR_CCM_BAD_SEQUENCE; + return MBEDTLS_ERR_CCM_BAD_INPUT; } /* diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 48c4fe919..128bd86d9 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -559,7 +559,7 @@ void mbedtls_ccm_incomplete_ad( int cipher_id, int mode, TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len/2) ); ASSERT_ALLOC( output, 16 ); - TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_SEQUENCE, mbedtls_ccm_finish( &ctx, output, 16 ) ); + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish( &ctx, output, 16 ) ); exit: mbedtls_free( output ); @@ -585,7 +585,7 @@ void mbedtls_ccm_full_ad_and_overflow( int cipher_id, int mode, // pass full auth data TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); // pass 1 extra byte - TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_SEQUENCE, mbedtls_ccm_update_ad( &ctx, add->x, 1) ); + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad( &ctx, add->x, 1) ); exit: mbedtls_ccm_free( &ctx ); } @@ -644,7 +644,7 @@ void mbedtls_ccm_incomplete_update( int cipher_id, int mode, output = NULL; ASSERT_ALLOC( output, 16 ); - TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_SEQUENCE, mbedtls_ccm_finish( &ctx, output, 16 ) ); + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish( &ctx, output, 16 ) ); exit: mbedtls_free( output ); @@ -699,7 +699,7 @@ void mbedtls_ccm_instant_finish( int cipher_id, int mode, TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, 16, 16, 16 ) ); ASSERT_ALLOC( output, 16 ); - TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_SEQUENCE, mbedtls_ccm_finish( &ctx, output, 16 ) ); + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish( &ctx, output, 16 ) ); exit: mbedtls_free( output ); From 64f0b5f454092950fb4ddc5eff5b415a2bad71d7 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 2 Sep 2021 11:50:38 +0200 Subject: [PATCH 43/52] Return BAD_INPUT error for CCM context's erroneous state Signed-off-by: Mateusz Starzyk --- library/ccm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index d9d25cecd..ca95b8eeb 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -263,7 +263,7 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, if( ctx->state & CCM_STATE__ERROR ) { - return ret; + return MBEDTLS_ERR_CCM_BAD_INPUT; } if( ctx->add_len > 0 && add_len > 0 ) @@ -339,7 +339,7 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, if( ctx->state & CCM_STATE__ERROR ) { - return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + return MBEDTLS_ERR_CCM_BAD_INPUT; } if( ctx->processed + input_len > ctx->plaintext_len ) From df2507301b12e9247cad8dbb94e5bee144ed8ec0 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 2 Sep 2021 12:36:02 +0200 Subject: [PATCH 44/52] Use AES-128 for multipart CCM corner cases tests Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.data | 112 +++++++++++++++---------------- 1 file changed, 56 insertions(+), 56 deletions(-) diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index 91aa98bd4..c8f635163 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data @@ -1550,110 +1550,110 @@ CCM* decrypt, skip update NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"867b0d87cf6e0f718200a97b4f6d5ad5" -CCM encrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM encrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM encrypt, incomplete ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM encrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM encrypt, full ad and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM encrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM encrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM encrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM encrypt, incomplete update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM encrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM encrypt, full update and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM encrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM decrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM decrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM decrypt, incomplete ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM decrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM decrypt, full ad and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM decrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM decrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM decrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM decrypt, incomplete update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM decrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)) depends_on:MBEDTLS_AES_C -mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM decrypt, full update and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM decrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM* encrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* encrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM* encrypt, incomplete ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* encrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM* encrypt, full ad and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* encrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM* encrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* encrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM* encrypt, incomplete update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* encrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM* encrypt, full update and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* encrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM* decrypt, overflow ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* decrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM* decrypt, incomplete ad NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* decrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM* decrypt, full ad and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* decrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" -CCM* decrypt, overflow update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* decrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM* decrypt, incomplete update NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* decrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM* decrypt, full update and overflow NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) +CCM* decrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C -mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181" +mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" -CCM encrypt, instant finish NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) -mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a" +CCM encrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98" -CCM decrypt, instant finish NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) -mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a" +CCM decrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98" -CCM* encrypt, instant finish NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) -mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a" +CCM* encrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98" -CCM* decrypt, instant finish NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16) -mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"13501aebda19a9bf1b5ffaa42a" +CCM* decrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98" From 3050f054f23e1f1b8e23df6d7593aa97848e6159 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 2 Sep 2021 12:38:51 +0200 Subject: [PATCH 45/52] Subtract 1 from input in CCM's incomplete data tests Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.function | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 128bd86d9..57f13e3d8 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -533,8 +533,8 @@ void mbedtls_ccm_overflow_ad( int cipher_id, int mode, TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); // use hardcoded values for msg length and tag length. They are not a part of this test - // set half of auth data length to provoke an overflow - TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len / 2, 16, 16 ) ); + // subtract 1 from configured auth data length to provoke an overflow + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len - 1, 16, 16 ) ); TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); exit: @@ -556,7 +556,7 @@ void mbedtls_ccm_incomplete_ad( int cipher_id, int mode, // use hardcoded values for msg length and tag length. They are not a part of this test TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 0, 16 ) ); - TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len/2) ); + TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len - 1) ); ASSERT_ALLOC( output, 16 ); TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish( &ctx, output, 16 ) ); @@ -605,8 +605,8 @@ void mbedtls_ccm_overflow_update( int cipher_id, int mode, TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); // use hardcoded value for tag length. It is a not a part of this test - // set half of msg length to provoke an overflow - TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, msg->len / 2, 16 ) ); + // subtract 1 from configured msg length to provoke an overflow + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, msg->len - 1, 16 ) ); TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); @@ -639,7 +639,7 @@ void mbedtls_ccm_incomplete_update( int cipher_id, int mode, ASSERT_ALLOC( output, msg->len ); olen = 0xdeadbeef; - TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg->x, msg->len/2, output, msg->len, &olen ) ); + TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg->x, msg->len - 1, output, msg->len, &olen ) ); mbedtls_free( output ); output = NULL; From cd975e4645bbf6057d0aff68866bb655a822b202 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 2 Sep 2021 13:25:19 +0200 Subject: [PATCH 46/52] Extend CCM corner cases tests. Add tests for passing incomplete input data in the first call and too much data in the second call. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.data | 32 ++++++++++++ tests/suites/test_suite_ccm.function | 77 ++++++++++++++++++++++++++++ 2 files changed, 109 insertions(+) diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index c8f635163..169a885f9 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data @@ -1562,6 +1562,10 @@ CCM encrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" +CCM encrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" + CCM encrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" @@ -1574,6 +1578,10 @@ CCM encrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T= depends_on:MBEDTLS_AES_C mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" +CCM encrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" + CCM decrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" @@ -1586,6 +1594,10 @@ CCM decrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" +CCM decrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" + CCM decrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" @@ -1598,6 +1610,10 @@ CCM decrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T= depends_on:MBEDTLS_AES_C mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" +CCM decrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" + CCM* encrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" @@ -1614,6 +1630,10 @@ CCM* encrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" +CCM* encrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" + CCM* encrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" @@ -1622,6 +1642,10 @@ CCM* encrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T depends_on:MBEDTLS_AES_C mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" +CCM* encrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" + CCM* decrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" @@ -1634,6 +1658,10 @@ CCM* decrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" +CCM* decrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6" + CCM* decrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" @@ -1646,6 +1674,10 @@ CCM* decrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T depends_on:MBEDTLS_AES_C mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" +CCM* decrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" + CCM encrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98" diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 57f13e3d8..311ccc429 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -591,6 +591,41 @@ exit: } /* END_CASE */ +/* Provide incomplete auth data on first update_ad. + * Provide too much auth data on second update_ad */ +/* BEGIN_CASE */ +void mbedtls_ccm_incomplete_ad_and_overflow( int cipher_id, int mode, + data_t * key, data_t * iv, + data_t * add ) +{ + mbedtls_ccm_context ctx; + + /* New auth buffer containing same data as original one, + * with added extra byte at the end */ + uint8_t* add_extended = NULL; + ASSERT_ALLOC( add_extended, add->len + 1 ); + if( add_extended ) + { + memcpy( add_extended, add->x, add->len ); + add_extended[add->len] = 0xAB; // some magic value + } + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + // use hardcoded values for msg length and tag length. They are not a part of this test + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 16, 16 ) ); + + // pass incomplete auth data + TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add_extended, add->len - 1) ); + // pass 2 extra bytes (1 missing byte from previous incomplete pass, and 1 unexpected byte) + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad( &ctx, add_extended + add->len - 1, 2) ); +exit: + mbedtls_free( add_extended ); + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ + /* Provide too much plaintext/ciphertext */ /* BEGIN_CASE */ void mbedtls_ccm_overflow_update( int cipher_id, int mode, @@ -683,6 +718,48 @@ exit: } /* END_CASE */ +/* Provide incomplete plaintext/ciphertext of first update + * Provide too much plaintext/ciphertext on second update */ +/* BEGIN_CASE */ +void mbedtls_ccm_incomplete_update_overflow( int cipher_id, int mode, + data_t * key, data_t * msg, data_t * iv, + data_t * add ) +{ + mbedtls_ccm_context ctx; + uint8_t *output = NULL; + size_t olen; + + /* New plaintext/ciphertext buffer containing same data as original one, + * with added extra byte at the end */ + uint8_t* msg_extended = NULL; + ASSERT_ALLOC( msg_extended, msg->len + 1 ); + if( msg_extended ) + { + memcpy( msg_extended, msg->x, msg->len ); + msg_extended[msg->len] = 0xAB; // some magic value + } + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + // use hardcoded value for tag length. It is a not a part of this test + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, msg->len, 16 ) ); + + TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); + + ASSERT_ALLOC( output, msg->len + 1 ); + // pass incomplete text + TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg_extended, msg->len - 1, output, msg->len + 1, &olen ) ); + // pass 2 extra bytes (1 missing byte from previous incomplete pass, and 1 unexpected byte) + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, \ + mbedtls_ccm_update( &ctx, msg_extended + msg->len - 1, 2, output + msg->len - 1, 2, &olen ) ); +exit: + mbedtls_free( msg_extended ); + mbedtls_free( output ); + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ + /* Finish without passing any auth data or plaintext/ciphertext input */ /* BEGIN_CASE */ void mbedtls_ccm_instant_finish( int cipher_id, int mode, From 5d7f6b1fd5ae89282d3cd0806a37dcfca14d06bc Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 2 Sep 2021 15:11:14 +0200 Subject: [PATCH 47/52] Remove rendundat ctx->add_len check. Signed-off-by: Mateusz Starzyk --- library/ccm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ccm.c b/library/ccm.c index ca95b8eeb..15efff79f 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -266,7 +266,7 @@ int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx, return MBEDTLS_ERR_CCM_BAD_INPUT; } - if( ctx->add_len > 0 && add_len > 0 ) + if( add_len > 0 ) { if( ctx->state & CCM_STATE__AUTH_DATA_FINISHED ) { From efec38bb292f9c74050c3816443333eae7be5d5a Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Fri, 3 Sep 2021 11:59:26 +0200 Subject: [PATCH 48/52] Extend CCM corner cases tests. Add tests covering skipped update() or update_ad() for empty plaintext/ciphertext and empty auth data. Test vector for P=0, A=0 generated using python's cryptography.hazmat library. Python script used for test vector generation: ``` import os from cryptography.hazmat.primitives.ciphers.aead import AESCCM def encrypt(key, iv, plaintext, associated_data): key = bytes.fromhex(key) iv = bytes.fromhex(iv) plaintext = bytes.fromhex(plaintext) associated_data = bytes.fromhex(associated_data) aesccm = AESCCM(key) ct = aesccm.encrypt(iv, plaintext, associated_data) return ct.hex() def decrypt(key, associated_data, iv, ciphertext): key = bytes.fromhex(key) associated_data = bytes.fromhex(associated_data) iv = bytes.fromhex(iv) ciphertext = bytes.fromhex(ciphertext) aesccm = AESCCM(key) pt = aesccm.decrypt(iv, ciphertext, associated_data) return pt.hex() key = "54caf96ef6d448734700aadab50faf7a" plaintext = "" iv = "a3803e752ae849c910d8da36af" aad = "" encrypted = encrypt(key, iv, plaintext, aad) print(f"key: {key}") print(f"iv: {iv}") print(f"encrypted: {encrypted}") print("--------------------------------------") decrypted = decrypt( key, aad, iv, encrypted ) print(f"decrypted: {decrypted}") ``` Results: ``` key: 54caf96ef6d448734700aadab50faf7a iv: a3803e752ae849c910d8da36af encrypted: eba8347baa6d61f87b67c2dd7c6d2053 -------------------------------------- decrypted: ``` Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.data | 48 ++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index 169a885f9..05c20fd40 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data @@ -174,6 +174,10 @@ CCM encrypt and tag RFC 3610 #24 depends_on:MBEDTLS_AES_C mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"ABF21C0B02FEB88F856DF4A37381BCE3CC128517D4":"008D493B30AE8B3C9696766CFA":"6E37A6EF546D955D34AB6059":"F32905B88A641B04B9C9FFB58CC390900F3DA12AB16DCE9E82EFA16DA62059" +CCM encrypt and tag AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053" + CCM encrypt and tag NIST VTT AES-128 #1 (P=24, N=13, A=32, T=4) depends_on:MBEDTLS_AES_C mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"43b1a6bc8d0d22d6d1ca95c18593cca5":"a2b381c7d1545c408fe29817a21dc435a154c87256346b05":"9882578e750b9682c6ca7f8f86":"2084f3861c9ad0ccee7c63a7e05aece5db8b34bd8724cc06b4ca99a7f9c4914f":"cc69ed76985e0ed4c8365a72775e5a19bfccc71aeb116c85a8c74677" @@ -1518,6 +1522,22 @@ CCM-Camellia encrypt and tag RFC 5528 #24 depends_on:MBEDTLS_CAMELLIA_C mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"9DC9EDAE2FF5DF8636E8C6DE0EED55F7867E33337D":"003B8FD8D3A937B160B6A31C1C":"A4D499F78419728C19178B0C":"4B198156393B0F7796086AAFB454F8C3F034CCA966945F1FCEA7E11BEE6A2F" +CCM encrypt, skip ad AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053" + +CCM* encrypt, skip ad AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053" + +CCM decrypt, skip ad AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053" + +CCM* decrypt, skip ad AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053" + CCM encrypt, skip ad NIST VADT AES-128 (P=24, N=13, A=0, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":"1123301219c70599b7c373ad4b3ad67b" @@ -1534,6 +1554,22 @@ CCM* decrypt, skip ad NIST DVPT AES-192 (P=24, N=7, A=0, T=4) depends_on:MBEDTLS_AES_C mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22":"ddc93a54" +CCM encrypt, skip update AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053" + +CCM decrypt, skip update AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053" + +CCM* encrypt, skip update AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053" + +CCM* decrypt, skip update AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053" + CCM encrypt, skip update NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"2ebf60f0969013a54a3dedb19d20f6c8":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880" @@ -1689,3 +1725,15 @@ mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d3208 CCM* decrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98" + +CCM encrypt, instant finish AES-128 (P=0, N=13, A=0, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af" + +CCM decrypt, instant finish AES-128 (P=0, N=13, A=0, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af" + +CCM* encrypt, instant finish AES-128 (P=0, N=13, A=0, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af" + +CCM* decrypt, instant finish AES-128 (P=0, N=13, A=0, T=16) +mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af" From 83e4c1270a24c7a63ea1cb8f799478172ecdaa96 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Fri, 3 Sep 2021 14:07:21 +0200 Subject: [PATCH 49/52] Add CCM tests for passing unexpected input. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_ccm.data | 7 +++++ tests/suites/test_suite_ccm.function | 47 ++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index 05c20fd40..591e0d906 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data @@ -1737,3 +1737,10 @@ mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"54caf CCM* decrypt, instant finish AES-128 (P=0, N=13, A=0, T=16) mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af" + +CCM pass unexpected auth data, NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +mbedtls_ccm_unexpected_ad::MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" + +CCM encrypt, unexpected ciphertext/plaintext data, NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_unexpected_text:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 311ccc429..472be6454 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -542,6 +542,53 @@ exit: } /* END_CASE */ +/* Provide unexpected auth data */ +/* BEGIN_CASE */ +void mbedtls_ccm_unexpected_ad( int cipher_id, int mode, + data_t * key, data_t * iv, + data_t * add ) +{ + mbedtls_ccm_context ctx; + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + // use hardcoded values for msg length and tag length. They are not a part of this test + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, 0, 16, 16 ) ); + + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); +exit: + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ + +/* Provide unexpected plaintext/ciphertext data */ +/* BEGIN_CASE */ +void mbedtls_ccm_unexpected_text( int cipher_id, int mode, + data_t * key, data_t * msg, data_t * iv, + data_t * add ) +{ + mbedtls_ccm_context ctx; + uint8_t *output = NULL; + size_t olen; + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + // use hardcoded value for tag length. It is not a part of this test + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 0, 16 ) ); + + TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) ); + + ASSERT_ALLOC( output, msg->len ); + olen = 0xdeadbeef; + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update( &ctx, msg->x, msg->len, output, msg->len, &olen ) ); +exit: + mbedtls_free( output ); + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ + /* Provide incomplete auth data and finish */ /* BEGIN_CASE */ void mbedtls_ccm_incomplete_ad( int cipher_id, int mode, From d337fbc4cb1ded1d58a1c4fe92aa9988d68ec1f3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 14 Sep 2021 00:13:05 +0200 Subject: [PATCH 50/52] x86_64 MULADDC assembly: add missing constraints about memory MULADDC_CORE reads from (%%rsi) and writes to (%%rdi). This fragment is repeated up to 16 times, and %%rsi and %%rdi are s and d on entry respectively. Hence the complete asm statement reads 16 64-bit words from memory starting at s, and writes 16 64-bit words starting at d. Without any declaration of modified memory, Clang 12 and Clang 13 generated non-working code for mbedtls_mpi_mod_exp. The constraints make the unit tests pass with Clang 12. Signed-off-by: Gilles Peskine --- ChangeLog.d/muladdc-amd64-memory.txt | 3 +++ library/bn_mul.h | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) create mode 100644 ChangeLog.d/muladdc-amd64-memory.txt diff --git a/ChangeLog.d/muladdc-amd64-memory.txt b/ChangeLog.d/muladdc-amd64-memory.txt new file mode 100644 index 000000000..1803e423d --- /dev/null +++ b/ChangeLog.d/muladdc-amd64-memory.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix missing constraints on x86_64 assembly code for bignum multiplication + that broke some bignum operations with (at least) Clang 12. Fixes #4786. diff --git a/library/bn_mul.h b/library/bn_mul.h index 6ddffc476..328e76500 100644 --- a/library/bn_mul.h +++ b/library/bn_mul.h @@ -225,9 +225,9 @@ "addq $8, %%rdi\n" #define MULADDC_STOP \ - : "+c" (c), "+D" (d), "+S" (s) \ - : "b" (b) \ - : "rax", "rdx", "r8" \ + : "+c" (c), "+D" (d), "+S" (s), "+m" (*(uint64_t (*)[16]) d) \ + : "b" (b), "m" (*(const uint64_t (*)[16]) s) \ + : "rax", "rdx", "r8" \ ); #endif /* AMD64 */ From 5b1df10470f901a8cc2855f74137959176e0f2e2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 15 Sep 2021 17:04:31 +0200 Subject: [PATCH 51/52] Update the list of issues fixed This had actually been reported multiple times. Signed-off-by: Gilles Peskine --- ChangeLog.d/muladdc-amd64-memory.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog.d/muladdc-amd64-memory.txt b/ChangeLog.d/muladdc-amd64-memory.txt index 1803e423d..b83433167 100644 --- a/ChangeLog.d/muladdc-amd64-memory.txt +++ b/ChangeLog.d/muladdc-amd64-memory.txt @@ -1,3 +1,4 @@ Bugfix * Fix missing constraints on x86_64 assembly code for bignum multiplication - that broke some bignum operations with (at least) Clang 12. Fixes #4786. + that broke some bignum operations with (at least) Clang 12. + Fixes #4116, #4786, #4917. From 133740b74e0cbdb078c1194bf7271e413d645bf7 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 17 Sep 2021 09:38:07 +0200 Subject: [PATCH 52/52] tests: Improve incomplete then overflow tests Signed-off-by: Ronald Cron --- tests/suites/test_suite_ccm.function | 34 ++++++++-------------------- 1 file changed, 10 insertions(+), 24 deletions(-) diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 472be6454..e48b1f990 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -646,16 +646,10 @@ void mbedtls_ccm_incomplete_ad_and_overflow( int cipher_id, int mode, data_t * add ) { mbedtls_ccm_context ctx; + uint8_t add_second_buffer[2]; - /* New auth buffer containing same data as original one, - * with added extra byte at the end */ - uint8_t* add_extended = NULL; - ASSERT_ALLOC( add_extended, add->len + 1 ); - if( add_extended ) - { - memcpy( add_extended, add->x, add->len ); - add_extended[add->len] = 0xAB; // some magic value - } + add_second_buffer[0] = add->x[ add->len - 1 ]; + add_second_buffer[1] = 0xAB; // some magic value mbedtls_ccm_init( &ctx ); TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); @@ -664,11 +658,10 @@ void mbedtls_ccm_incomplete_ad_and_overflow( int cipher_id, int mode, TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 16, 16 ) ); // pass incomplete auth data - TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add_extended, add->len - 1) ); + TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len - 1) ); // pass 2 extra bytes (1 missing byte from previous incomplete pass, and 1 unexpected byte) - TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad( &ctx, add_extended + add->len - 1, 2) ); + TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad( &ctx, add_second_buffer, 2) ); exit: - mbedtls_free( add_extended ); mbedtls_ccm_free( &ctx ); } /* END_CASE */ @@ -775,16 +768,10 @@ void mbedtls_ccm_incomplete_update_overflow( int cipher_id, int mode, mbedtls_ccm_context ctx; uint8_t *output = NULL; size_t olen; + uint8_t msg_second_buffer[2]; - /* New plaintext/ciphertext buffer containing same data as original one, - * with added extra byte at the end */ - uint8_t* msg_extended = NULL; - ASSERT_ALLOC( msg_extended, msg->len + 1 ); - if( msg_extended ) - { - memcpy( msg_extended, msg->x, msg->len ); - msg_extended[msg->len] = 0xAB; // some magic value - } + msg_second_buffer[0] = msg->x[ msg->len - 1 ]; + msg_second_buffer[1] = 0xAB; // some magic value mbedtls_ccm_init( &ctx ); TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); @@ -796,12 +783,11 @@ void mbedtls_ccm_incomplete_update_overflow( int cipher_id, int mode, ASSERT_ALLOC( output, msg->len + 1 ); // pass incomplete text - TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg_extended, msg->len - 1, output, msg->len + 1, &olen ) ); + TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg->x, msg->len - 1, output, msg->len + 1, &olen ) ); // pass 2 extra bytes (1 missing byte from previous incomplete pass, and 1 unexpected byte) TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, \ - mbedtls_ccm_update( &ctx, msg_extended + msg->len - 1, 2, output + msg->len - 1, 2, &olen ) ); + mbedtls_ccm_update( &ctx, msg_second_buffer, 2, output + msg->len - 1, 2, &olen ) ); exit: - mbedtls_free( msg_extended ); mbedtls_free( output ); mbedtls_ccm_free( &ctx ); }