From 63439eda62e629a6d3e8f75087819ef5c8133015 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 1 Dec 2021 22:19:33 +0100 Subject: [PATCH] Return an error for IV lengths other than 12 with ChaCha20+Poly1305 The implementation was silently overwriting the IV length to 12 even though the caller passed a different value. Change the behavior to signal that a different length is not supported. Signed-off-by: Andrzej Kurek --- library/cipher.c | 5 +++++ .../suites/test_suite_cipher.chachapoly.data | 20 +++++++++++++++++++ tests/suites/test_suite_cipher.function | 14 ++++++++++--- 3 files changed, 36 insertions(+), 3 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index 39c105cfb..4c7ca3f57 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -399,6 +399,11 @@ int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx, return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); } } +#if defined(MBEDTLS_CHACHAPOLY_C) + if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 && + iv_len != 12 ) + return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); +#endif #endif #if defined(MBEDTLS_GCM_C) diff --git a/tests/suites/test_suite_cipher.chachapoly.data b/tests/suites/test_suite_cipher.chachapoly.data index 8c246adb4..908951a18 100644 --- a/tests/suites/test_suite_cipher.chachapoly.data +++ b/tests/suites/test_suite_cipher.chachapoly.data @@ -121,3 +121,23 @@ auth_crypt_tv:MBEDTLS_CIPHER_CHACHA20_POLY1305:"1c9240a5eb55d38af333888604f6b5f0 Chacha20+Poly1305 RFC 7539 Test Vector #1 (streaming) depends_on:MBEDTLS_CHACHAPOLY_C decrypt_test_vec:MBEDTLS_CIPHER_CHACHA20_POLY1305:-1:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"f33388860000000000004e91":"eead9d67890cbb22392336fea1851f38":0:0 + +ChaCha20+Poly1305 IV Length 0 +depends_on:MBEDTLS_CHACHAPOLY_C +check_iv:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":0:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA + +ChaCha20+Poly1305 IV Length 11 +depends_on:MBEDTLS_CHACHAPOLY_C +check_iv:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":11:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA + +ChaCha20+Poly1305 IV Length 12 +depends_on:MBEDTLS_CHACHAPOLY_C +check_iv:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":12:0 + +ChaCha20+Poly1305 IV Length 13 +depends_on:MBEDTLS_CHACHAPOLY_C +check_iv:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":13:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA + +ChaCha20+Poly1305 IV Length 16 +depends_on:MBEDTLS_CHACHAPOLY_C +check_iv:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":16:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index c837a69bd..2aa7303ac 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -442,7 +442,8 @@ void enc_dec_buf( int cipher_id, char * cipher_string, int key_len, if( NULL != strstr( cipher_info->name, "CCM*-NO-TAG") ) iv_len = 13; /* For CCM, IV length is expected to be between 7 and 13 bytes. * For CCM*-NO-TAG, IV length must be exactly 13 bytes long. */ - else if( cipher_info->type == MBEDTLS_CIPHER_CHACHA20 ) + else if( cipher_info->type == MBEDTLS_CIPHER_CHACHA20 || + cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) iv_len = 12; else iv_len = sizeof(iv); @@ -571,6 +572,7 @@ void dec_empty_buf( int cipher, { unsigned char key[32]; unsigned char iv[16]; + size_t iv_len = sizeof(iv); mbedtls_cipher_context_t ctx_dec; const mbedtls_cipher_info_t *cipher_info; @@ -591,6 +593,11 @@ void dec_empty_buf( int cipher, /* Initialise context */ cipher_info = mbedtls_cipher_info_from_type( cipher ); TEST_ASSERT( NULL != cipher_info); + + if( cipher_info->type == MBEDTLS_CIPHER_CHACHA20 || + cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) + iv_len = 12; + TEST_ASSERT( sizeof(key) * 8 >= cipher_info->key_bitlen ); TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx_dec, cipher_info ) ); @@ -599,7 +606,7 @@ void dec_empty_buf( int cipher, key, cipher_info->key_bitlen, MBEDTLS_DECRYPT ) ); - TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_dec, iv, 16 ) ); + TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_dec, iv, iv_len ) ); TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) ); @@ -691,7 +698,8 @@ void enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_val, if( NULL != strstr( cipher_info->name, "CCM*-NO-TAG") ) iv_len = 13; /* For CCM, IV length is expected to be between 7 and 13 bytes. * For CCM*-NO-TAG, IV length must be exactly 13 bytes long. */ - else if( cipher_info->type == MBEDTLS_CIPHER_CHACHA20 ) + else if( cipher_info->type == MBEDTLS_CIPHER_CHACHA20 || + cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) iv_len = 12; else iv_len = sizeof(iv);