TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-03-22 04:01:19 +01:00
Code Issues Packages Projects Releases Wiki Activity
32,346 Commits 177 Branches 276 Tags
master
Commit Graph

146 Commits

Author SHA1 Message Date
Gilles Peskine
44765c4b9b Test invalid_padding against all-bits-one 
`SIZE_MAX` and `~(size_t) 0` are the same, but since the documentation says
"all-bits-one", write it that way in the test code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-08-26 13:14:22 +02:00
Gilles Peskine
94e4e15748 Explain the near-duplication of test function for constant-flow tests 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-08-25 16:56:44 +02:00
Gilles Peskine
46ebc3a758 Note that the decrypted length is sensitive when there was padding 
The decrypted length reveals the amount of padding that was eliminated, and
thus reveals partial information about the last ciphertext block.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-08-08 15:15:07 +02:00
Gilles Peskine
6cb9f35d8c Switch legacy cipher to constant-time invalid padding reporting 
In internal `get_padding` functions, report whether the padding was invalid
through a separate output parameter, rather than the return code. Take
advantage of this to have `mbedtls_cipher_finish_padded()` be the easy path
that just passes the `invalid_padding` through. Make
`mbedtls_cipher_finish()` a wrapper around `mbedtls_cipher_finish_padded()`
that converts the invalid-padding output into an error code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-08-08 15:14:47 +02:00
Gilles Peskine
155de2ab77 New function mbedtls_cipher_finish_padded 
New function `mbedtls_cipher_finish_padded()`, similar to
`mbedtls_cipher_finish()`, but reporting padding errors through a separate
output parameter. This makes it easier to avoid leaking the presence of a
padding error, especially through timing. Thus the new function is
recommended to defend against padding oracle attacks.

In this commit, implement this function naively, with timing that depends on
whether an error happened. A subsequent commit will make this function
constant-time.

Copy the test decrypt_test_vec and decrypt_test_vec_cf test cases into
variants that call `mbedtls_cipher_finish_padded()`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-08-08 15:14:47 +02:00
Gilles Peskine
2da5328406 Constant-flow tests for mbedtls_cipher_crypt 
Add some basic constant-flow tests for `mbedtls_cipher_crypt()`. We already
test auxiliary functions and functional behavior pretty thoroughly
elsewhere, so here just focus on the interesting cases for constant-flow
behavior with this specific function: encrypt, valid decrypt and
invalid-padding decrypt.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-08-08 15:14:47 +02:00
Gilles Peskine
df00d458a2 Constant-flow AES-CBC multipart decrypt tests 
The main goal is to validate that unpadding is constant-time, including
error reporting.

Use a separate test function, not annotations in the existing function, so
that the functional tests can run on any platform, and we know from test
outcomes where we have run the constant-time tests.

The tests can only be actually constant-time if AES is constant time, since
AES computations are part of what is checked. Thus this requires
hardware-accelerated AES. We can't run our AESNI (or AESCE?) code under
Msan (it doesn't detect when memory is written from assembly code), so these
tests can only be run with Valgrind.

Same test data as the newly introduced functional tests.

    #!/usr/bin/env python3
    from Crypto.Cipher import AES

    KEYS = {
        128: bytes.fromhex("ffffffffe00000000000000000000000"),
        192: bytes.fromhex("000000000000000000000000000000000000000000000000"),
        256: bytes.fromhex("0000000000000000000000000000000000000000000000000000000000000000"),
    }
    IV = bytes.fromhex("00000000000000000000000000000000")

    def decrypt_test_vec(cf, bits, mode, padded_hex, padding_length, note=''):
        depends = ['MBEDTLS_AES_C', 'MBEDTLS_CIPHER_MODE_CBC']
        plaintext = bytes.fromhex(padded_hex)
        plaintext_length = len(plaintext)
        if bits != 128:
            depends.append('!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH')
        key = KEYS[bits]
        iv = IV
        result = '0'
        if mode == 'NONE':
            padding_description = 'no padding'
            assert padding_length == 0
        else:
            depends.append('MBEDTLS_CIPHER_PADDING_' + mode)
            padding_description = mode
            if padding_length is None:
                result = 'MBEDTLS_ERR_CIPHER_INVALID_PADDING'
                plaintext_length = 0
            else:
                plaintext_length -= padding_length
        cipher = AES.new(key, AES.MODE_CBC, iv=iv)
        ciphertext = cipher.encrypt(plaintext)
        function = 'decrypt_test_vec'
        cf_maybe = ''
        if cf:
            function += '_cf'
            cf_maybe = 'CF '
            depends.append('HAVE_CONSTANT_TIME_AES')
        if note:
            note = f' ({note})'
        print(f'''\
    {cf_maybe}AES-{bits}-CBC Decrypt test vector, {padding_description}{note}
    depends_on:{':'.join(depends)}
    {function}:MBEDTLS_CIPHER_AES_{bits}_CBC:MBEDTLS_PADDING_{mode}:"{key.hex()}":"{iv.hex()}":"{ciphertext.hex()}":"{plaintext[:plaintext_length].hex()}":"":"":{result}:0
    ''')

    def emit_tests(cf):
        # Already existing tests
        decrypt_test_vec(cf, 128, 'NONE', "00000000000000000000000000000000", 0)
        decrypt_test_vec(cf, 192, 'NONE', "fffffffff80000000000000000000000", 0)
        decrypt_test_vec(cf, 256, 'NONE', "ff000000000000000000000000000000", 0)

        # New tests
        decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000001", 1, 'good pad 1')
        decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000001", 1, 'good pad 1')
        decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000001", 1, 'good pad 1')
        decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000202", 2, 'good pad 2')
        decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000202", 2, 'good pad 2')
        decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000202", 2, 'good pad 2')
        decrypt_test_vec(cf, 128, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
        decrypt_test_vec(cf, 192, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
        decrypt_test_vec(cf, 256, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
        decrypt_test_vec(cf, 128, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
        decrypt_test_vec(cf, 192, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
        decrypt_test_vec(cf, 256, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
        decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000000", None, 'bad pad 0')
        decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000000", None, 'bad pad 0')
        decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000000", None, 'bad pad 0')
        decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000102", None, 'bad pad 0102')
        decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000102", None, 'bad pad 0102')
        decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000102", None, 'bad pad 0102')
        decrypt_test_vec(cf, 128, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
        decrypt_test_vec(cf, 192, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
        decrypt_test_vec(cf, 256, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
        decrypt_test_vec(cf, 128, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
        decrypt_test_vec(cf, 192, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
        decrypt_test_vec(cf, 256, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')

    emit_tests(True)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-08-08 15:14:47 +02:00
David Horstmann
d75c4c2381 Remove unnecessary TEST_CF_PUBLIC macro call 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2025-03-28 17:16:27 +00:00
David Horstmann
5a5440e63a Update to the new name in usages as well 
Somehow the uses of the function were missed when renaming.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2025-03-28 10:57:45 +00:00
David Horstmann
d37e0c4639 Add constant-flow testing for PKCS7 padding 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2025-01-22 11:36:15 +00:00
Michael Schuster
b1e33fb707 Fix missing-prototype errors in tests/suites 
Signed-off-by: Michael Schuster <michael@schuster.ms>
 2024-08-06 12:09:13 +01:00
Andre Goddard Rosa
3711734a0a Add invalid padding_len check in get_pkcs_padding 
When trying to decrypt data with an invalid key, we found that `mbedtls`
returned `0x6200` (`-25088`), which means "_CIPHER - Input data contains
invalid padding and is rejected_" from `mbedtls_cipher_finish`, but it also
set the output len as `18446744073709551516`.

In case we detect an error with padding, we leave the output len zero'ed
and return `MBEDTLS_ERR_CIPHER_INVALID_PADDING`.

Here's a reference for the way `openssl` checks the padding length:
  - 1848c561ec/crypto/evp/evp_enc.c (L1023)
  - b554eef43b

So add a check ensuring output is set to the least-harmful value in the
error cases.

With the robustness fix:
`PASSED (125 suites, 26644 tests run)`

Without the robustness fix:
`FAILED (125 suites, 26644 tests run)`

Signed-off-by: Andre Goddard Rosa <andre.goddard@gmail.com>
Signed-off-by: Andre Goddard Rosa <agoddardrosa@roku.com>
 2024-05-13 09:27:57 -05:00
Valerio Setti
9d9b4b547f test_suite_cipher: use TEST_ASSUME() to evaluate supported ciphers 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-25 12:03:36 +02:00
Valerio Setti
d3bdccc063 test_suite_cipher: successfully quit test if no cipher is supported 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-25 12:03:36 +02:00
Paul Elliott
3bda79ba9f Move initialisation in test to before first test 
Calling mbedtls_cipher_free() on a context that was not initialised
is dangerous, and this could happen if the first test in
check_set_padding() failed.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-10-18 15:09:09 +01:00
Valerio Setti
2f00b7a5da cipher: reset MBEDTLS_CIPHER_HAVE_AEAD to MBEDTLS_CIPHER_MODE_AEAD 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-17 11:43:34 +02:00
Valerio Setti
dcee98730b cipher_wrap: add VIA_LEGACY_OR_USE_PSA to new internal symbols 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-16 11:35:57 +02:00
Valerio Setti
596ef6c0b1 cipher: reset MBEDTLS_CIPHER_HAVE_AEAD_LEGACY to previous naming 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-16 11:26:08 +02:00
Valerio Setti
0521633559 cipher: fix guards in mbedtls_cipher_auth_[encrypt/decrypt]_ext() 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-16 11:22:21 +02:00
Valerio Setti
db1ca8fc33 cipher: keep MBEDTLS_CIPHER_HAVE symbols private 
This commit also improve the usage of these new symbols in
cipher_wrap code

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-12 10:39:54 +02:00
Waleed Elmelegy
f4e665101d Add more tests to check setting padding mode 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-21 14:04:35 +01:00
Waleed Elmelegy
6d2c5d5f5c Adjust cipher tests to new requirement of specifying padding mode 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-18 17:41:25 +01:00
Waleed Elmelegy
a7d206fce6 Check set_padding has been called in mbedtls_cipher_finish 
Check set_padding has been called in mbedtls_cipher_finish
in modes that require padding.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-12 13:39:36 +01:00
Dave Rodgman
730bbee226 Merge remote-tracking branch 'origin/development' into update-restricted-2023-08-30 2023-08-30 11:22:00 +01:00
Gilles Peskine
2387bdab0f Merge pull request #1038 from Mbed-TLS/development 
Merge development into development-restricted
 2023-07-21 15:40:36 +02:00
Tom Cosgrove
e4e9e7da58 For tests, rename TEST_BUFFERS_EQUAL() to TEST_MEMORY_COMPARE() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-07-21 11:45:25 +01:00
Tom Cosgrove
05b2a87ea0 For tests, rename TEST_CALLOC_OR_FAIL() to just TEST_CALLOC() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-07-21 11:32:25 +01:00
Tom Cosgrove
f9ffd11e7a For tests, rename ASSERT_ALLOC() to TEST_CALLOC_OR_FAIL() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-07-20 16:51:21 +01:00
Tom Cosgrove
65cd8519f7 For tests, rename ASSERT_COMPARE() to TEST_BUFFERS_EQUAL() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-07-20 16:51:15 +01:00
Dave Rodgman
9282d4f13a Don't directly access key_bitlen 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-06-24 11:07:40 +01:00
Gilles Peskine
4f4d4b2c40 Test consistency of cipher max-size macros 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-06-14 18:00:37 +02:00
Gilles Peskine
449bd8303e Switch to the new code style 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-01-11 14:50:10 +01:00
Dave Rodgman
f1419dbbe8 Merge pull request #6381 from tom-cosgrove-arm/pr2164 
mbedtls: fix possible false success in mbedtls_cipher_check_tag()
 2022-11-25 10:55:10 +00:00
Andrzej Kurek
ed05279e4f Comment fix 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-21 10:28:55 -04:00
Andrzej Kurek
8f26c8a0cf Fix a typo in test_suite_cipher 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-21 10:28:55 -04:00
Tom Cosgrove
edca207260 MBEDTLS_CIPHER_CHACHA20_POLY1305 is an mbedtls_cipher_type_t not an mbedtls_cipher_mode_t 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-10-14 12:10:40 +01:00
Tom Cosgrove
c621a6d38f Update tests to account for CIPHER_FEATURE_UNAVAILABLE on non-authenticated alg 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-30 17:15:54 +01:00
Przemek Stekiel
6f29a6c4b4 test_suite_cipher.function: always include aes.h 
It is done to have MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH macro available (used in tests)

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-27 15:04:14 +02:00
Tuvshinzaya Erdenekhuu
d5ebedffd0 Removed unused variable in cipher test 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:57 +01:00
Tuvshinzaya Erdenekhuu
6c68927948 Enabled invalid param test for cipher 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:57 +01:00
Przemek Stekiel
476d9c45b8 Use MBEDTLS_TEST_DEPRECATED only in tests 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-05-19 14:11:06 +02:00
Przemek Stekiel
e58ca8bb5e Add MBEDTLS_TEST_DEPRECATED dependency 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-05-13 15:48:41 +02:00
Przemek Stekiel
61922d1328 Fix mbedtls_cipher_setup_psa() dependencies in tests 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-05-12 13:51:51 +02:00
Thomas Daubney
5dcbc4d326 Changes name of iv_check to iv_len_validity 
Commit changes name of check_iv to
iv_len_validity as this seems to better describe
its functionality.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
 2022-02-17 21:30:25 +00:00
Thomas Daubney
3a066ec999 Initialise iv buffer before use 
Commit initialises the iv buffer before
it is passed to mbedtls_cipher_set_iv().

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
 2022-02-17 14:00:06 +00:00
Andrzej Kurek
b9fbc11e2c Dynamically allocate iv in dec_empty_buf tests 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-01-14 16:31:54 +01:00
Andrzej Kurek
63439eda62 Return an error for IV lengths other than 12 with ChaCha20+Poly1305 
The implementation was silently overwriting the IV length to 12
even though the caller passed a different value.
Change the behavior to signal that a different length is not supported.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-01-14 16:31:54 +01:00
Andrzej Kurek
33ca6af8a3 Return an error for IV lengths other than 12 with ChaCha20 
The implementation was silently overwriting the IV length to 12
even though the caller passed a different value.
Change the behavior to signal that a different length is not supported.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-01-14 16:31:54 +01:00
Gilles Peskine
dc8ecda46f Don't fail until everything is initialized 
Can't call mbedtls_cipher_free(&invalid_ctx) in cleanup if
mbedtls_cipher_init(&invalid_ctx) hasn't been called.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2021-12-10 14:28:31 +01:00
Paul Elliott
0cf7e38606 Add checked return to cipher setup 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2021-12-09 18:27:01 +00:00