TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-05-04 09:10:19 +02:00
Code Issues Packages Projects Releases Wiki Activity
32,421 Commits 179 Branches 280 Tags
0bc29f6441561e21cda4aa2ffc3772691dc1166e
Commit Graph

47 Commits

Author SHA1 Message Date
Gilles Peskine
155de2ab77 New function mbedtls_cipher_finish_padded 
New function `mbedtls_cipher_finish_padded()`, similar to
`mbedtls_cipher_finish()`, but reporting padding errors through a separate
output parameter. This makes it easier to avoid leaking the presence of a
padding error, especially through timing. Thus the new function is
recommended to defend against padding oracle attacks.

In this commit, implement this function naively, with timing that depends on
whether an error happened. A subsequent commit will make this function
constant-time.

Copy the test decrypt_test_vec and decrypt_test_vec_cf test cases into
variants that call `mbedtls_cipher_finish_padded()`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-08-08 15:14:47 +02:00
Gilles Peskine
5ee94d52a6 More variety of CBC decrypt tests 
Have tests without padding, with valid PKCS7 padding and with several kinds
of invalid PKCS7 padding.

    #!/usr/bin/env python3
    from Crypto.Cipher import AES

    KEYS = {
        128: bytes.fromhex("ffffffffe00000000000000000000000"),
        192: bytes.fromhex("000000000000000000000000000000000000000000000000"),
        256: bytes.fromhex("0000000000000000000000000000000000000000000000000000000000000000"),
    }
    IV = bytes.fromhex("00000000000000000000000000000000")

    def decrypt_test_vec(cf, bits, mode, padded_hex, padding_length, note=''):
        depends = ['MBEDTLS_AES_C', 'MBEDTLS_CIPHER_MODE_CBC']
        plaintext = bytes.fromhex(padded_hex)
        plaintext_length = len(plaintext)
        if bits != 128:
            depends.append('!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH')
        key = KEYS[bits]
        iv = IV
        result = '0'
        if mode == 'NONE':
            padding_description = 'no padding'
            assert padding_length == 0
        else:
            depends.append('MBEDTLS_CIPHER_PADDING_' + mode)
            padding_description = mode
            if padding_length is None:
                result = 'MBEDTLS_ERR_CIPHER_INVALID_PADDING'
                plaintext_length = 0
            else:
                plaintext_length -= padding_length
        cipher = AES.new(key, AES.MODE_CBC, iv=iv)
        ciphertext = cipher.encrypt(plaintext)
        function = 'decrypt_test_vec'
        cf_maybe = ''
        if cf:
            function += '_cf'
            cf_maybe = 'CF '
            depends.append('HAVE_CONSTANT_TIME_AES')
        if note:
            note = f' ({note})'
        print(f'''\
    {cf_maybe}AES-{bits}-CBC Decrypt test vector, {padding_description}{note}
    depends_on:{':'.join(depends)}
    {function}:MBEDTLS_CIPHER_AES_{bits}_CBC:MBEDTLS_PADDING_{mode}:"{key.hex()}":"{iv.hex()}":"{ciphertext.hex()}":"{plaintext[:plaintext_length].hex()}":"":"":{result}:0
    ''')

    def emit_tests(cf):
        # Already existing tests
        decrypt_test_vec(cf, 128, 'NONE', "00000000000000000000000000000000", 0)
        decrypt_test_vec(cf, 192, 'NONE', "fffffffff80000000000000000000000", 0)
        decrypt_test_vec(cf, 256, 'NONE', "ff000000000000000000000000000000", 0)

        # New tests
        decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000001", 1, 'good pad 1')
        decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000001", 1, 'good pad 1')
        decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000001", 1, 'good pad 1')
        decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000202", 2, 'good pad 2')
        decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000202", 2, 'good pad 2')
        decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000202", 2, 'good pad 2')
        decrypt_test_vec(cf, 128, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
        decrypt_test_vec(cf, 192, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
        decrypt_test_vec(cf, 256, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
        decrypt_test_vec(cf, 128, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
        decrypt_test_vec(cf, 192, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
        decrypt_test_vec(cf, 256, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
        decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000000", None, 'bad pad 0')
        decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000000", None, 'bad pad 0')
        decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000000", None, 'bad pad 0')
        decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000102", None, 'bad pad 0102')
        decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000102", None, 'bad pad 0102')
        decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000102", None, 'bad pad 0102')
        decrypt_test_vec(cf, 128, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
        decrypt_test_vec(cf, 192, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
        decrypt_test_vec(cf, 256, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
        decrypt_test_vec(cf, 128, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
        decrypt_test_vec(cf, 192, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
        decrypt_test_vec(cf, 256, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')

    emit_tests(False)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-08-08 15:14:47 +02:00
Gilles Peskine
71ee919dbe More meaningful test case names 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-08-08 15:14:47 +02:00
Yanray Wang
b67b47425e Rename MBEDTLS_CIPHER_ENCRYPT_ONLY as MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-10-31 17:22:06 +08:00
Yanray Wang
aa01ee303a Merge remote-tracking branch 'origin/development' into support_cipher_encrypt_only 2023-10-16 17:38:32 +08:00
Waleed Elmelegy
3643947a1e Add correct dependencies for AES-192/256 cipher tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-21 16:22:15 +01:00
Waleed Elmelegy
f4e665101d Add more tests to check setting padding mode 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-21 14:04:35 +01:00
Waleed Elmelegy
6d2c5d5f5c Adjust cipher tests to new requirement of specifying padding mode 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-18 17:41:25 +01:00
Waleed Elmelegy
a7d206fce6 Check set_padding has been called in mbedtls_cipher_finish 
Check set_padding has been called in mbedtls_cipher_finish
in modes that require padding.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-12 13:39:36 +01:00
Yanray Wang
85c3023c60 AES-ECB: add CIPHER_ENCRYPT_ONLY dependency for DECRYPT test cases 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-09-01 17:35:58 +08:00
Yanray Wang
ecb6a02fa9 Add AES 128-bit key dependency for tests data 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-05-05 11:21:30 +08:00
Andrzej Kurek
ba970be142 Fix test dependencies for cases that are PSA-based 
These should be using PSA-type macros, not MBEDTLS_XXX_C.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-21 13:39:00 -04:00
Andrzej Kurek
d066c79d7e Add missing ECB requirements for PSA cipher aes tests 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-21 10:28:55 -04:00
Przemek Stekiel
476d9c45b8 Use MBEDTLS_TEST_DEPRECATED only in tests 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-05-19 14:11:06 +02:00
Przemek Stekiel
61922d1328 Fix mbedtls_cipher_setup_psa() dependencies in tests 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-05-12 13:51:51 +02:00
Mateusz Starzyk
10fad74a1f Extend CCM*-no-tag tests 
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
 2021-10-28 18:00:33 +02:00
Mateusz Starzyk
f257a6e8f8 Add CCM*-no-tag tests for the cipher module. 
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
 2021-10-27 16:27:44 +02:00
Przemyslaw Stekiel
86de1b76d8 Address review comments 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2021-09-29 19:50:07 +02:00
Przemyslaw Stekiel
8c4eb88fe3 test_suite_cipher: add tests for mbedtls_cipher_setup_psa() with ECB 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2021-09-29 12:38:40 +02:00
Andrzej Kurek
1b7a780e65 Increase test coverage by adding AES and CAMELLIA empty buffer tests 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2020-03-24 13:18:58 -04:00
k-stachowiak
d8727230f7 Add negative tests for empty buffer decoding for certain ciphers 2019-07-29 17:46:29 +02:00
k-stachowiak
2cd9051d5f Add decoding empty buffer test calls for cipher modes that benefit from this 2019-07-12 14:54:04 +02:00
Jaeden Amero
5ab80efa10 test: Check empty buffer decryption for chachapoly 
Previously, even in the Chacha20 and Chacha20-Poly1305 tests, we would
test that decryption of an empty buffer would work with
MBEDTLS_CIPHER_AES_128_CBC.

Make the cipher used with the dec_empty_buf() test configurable, so that
Chacha20 and Chacha20-Poly1305 empty buffer tests can use ciphers other
than AES CBC. Then, make the Chacha20 and Chacha20-Poly1305 empty buffer
tests use the MBEDTLS_CIPHER_CHACHA20 and
MBEDTLS_CIPHER_CHACHA20_POLY1305 cipher suites.
 2019-06-07 12:57:33 +01:00
Hanno Becker
58fc9aab54 Add AES-*-CBC test vectors for PSA-based cipher contexts 2018-11-22 16:33:01 +00:00
Ron Eldor
4e64e0b922 Fix after PR comments 
1. Don't set IV onECB
2. Fix style issues
3. reduce number of tests
 2018-07-23 18:18:32 +01:00
Ron Eldor
7b01244b99 Add tests for mbedtls_cipher_crypt API 
1. Add tests for 'mbedtls_cipher_crypt()' API
2. Resolves #1091, by ignoring IV when the cipher mode is MBEDTLS_MODE_ECB
 2018-07-23 18:02:09 +01:00
Jaeden Amero
c653990ed5 cipher: Add wrappers for AES-XTS 
AES-XTS does not support multipart use as it can only operate on an entire
sector at a time.
 2018-06-13 12:13:56 +01:00
Jaeden Amero
9f52aebe2e tests: Fix name of 33 byte AES cipher tests 
We named the tests "32 bytes", but actually tested with 33 bytes. Fix the
mistake.
 2018-06-13 11:56:03 +01:00
Simon Butcher
33cb519cda Add decrypt tests to AES OFB Cipher module 
Adds additional tests for AES-128, AES-192, and AES-256, for OFB block mode, for
the cipher wrapper module.
 2018-06-11 14:03:22 +01:00
Simon Butcher
374bcd4255 Add to OFB cipher tests AES-192 and AES-256 OFB 2018-06-11 14:03:22 +01:00
Simon Butcher
8c0fd1e881 Add cipher abstraction and test cases for OFB block mode 
Adds OFB as additional block mode in the cipher abstraction, and additional
test cases for that block mode.
 2018-06-11 14:03:22 +01:00
Jethro Beekman
6c563fa7cd Add tests for "return plaintext data faster on unpadded decryption" 2018-03-27 19:25:35 -07:00
Simon Butcher
80cd444978 Adds missing dependency to AES special case tests 
Added MBEDTLS_AES_C to the AES cipher special behaviours test case.
 2016-08-25 15:42:28 +01:00
Paul Bakker
6a9c725652 Add Cipher layer corner case test coverage 2016-08-25 15:42:28 +01:00
Manuel Pégourié-Gonnard
2cf5a7c98e The Great Renaming 
A simple execution of tmp/invoke-rename.pl
 2015-04-08 13:25:31 +02:00
Manuel Pégourié-Gonnard
4fee79b885 Fix some more depend issues 2013-09-20 10:58:59 +02:00
Manuel Pégourié-Gonnard
dd0f57f186 Check key size in cipher_setkey() 2013-09-18 14:34:32 +02:00
Manuel Pégourié-Gonnard
989ed38de2 Make CBC an option, step 2: cipher layer 2013-09-13 15:48:40 +02:00
Paul Bakker
5e0efa7ef5 Added POLARSSL_MODE_ECB to the cipher layer 2013-09-08 23:04:04 +02:00
Manuel Pégourié-Gonnard
8eccab5077 Add test vectors to the cipher test suite 
Ensures the selected cipher/mode/padding is actually used
and padding and tag are actually checked.
 2013-09-04 12:12:44 +02:00
Paul Bakker
dbd443dca6 Adapted .function files and .data files to new test framework 
Changes include:
 - Integers marked with '#' in the .function files.
 - Strings should have "" in .data files.
 - String comparison instead of preprocessor-like replace for e.g. '=='
 - Params and variables cannot have the same name in .function files
 2013-08-16 13:51:37 +02:00
Manuel Pégourié-Gonnard
ebdc413f44 Add 'no padding' mode 2013-08-14 14:02:48 +02:00
Manuel Pégourié-Gonnard
0e7d2c0f95 Add zero padding 2013-08-14 14:02:47 +02:00
Manuel Pégourié-Gonnard
8d4291b52a Add zeros-and-length (ANSI X.923) padding 2013-08-14 14:02:47 +02:00
Manuel Pégourié-Gonnard
679f9e90ad Add one-and-zeros (ISO/IEC 7816-4) padding 2013-08-14 14:02:47 +02:00
Manuel Pégourié-Gonnard
6c9789932e Adapt cipher tests to configurable padding 2013-08-14 14:02:47 +02:00
Paul Bakker
46c1794110 - Split cipher test suite into three different sets 
- Adapted test source code generation accordingly
 2011-07-13 14:54:54 +00:00