From 9f58c4b6e5cfaab2fcd67ef517c5398512a008fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 25 Jun 2020 12:34:58 +0200
Subject: [PATCH 01/57] DHM: make drawing of blinding value a function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In the next commit, we'll need to draw a second random value, in order to blind modular inversion. Having a function for that will avoid repetition.
Signed-off-by: Manuel Pégourié-Gonnard
---
library/dhm.c | 41 ++++++++++++++++++++++++++++-------------
1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/library/dhm.c b/library/dhm.c
index 392ed0c15..6df40f13b 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -324,6 +324,32 @@ cleanup:
 return( 0 );
 }
+/*
+ * Pick a random R in the range [2, M) for blinding purposes
+ */
+static int dhm_random_below( mbedtls_mpi *R, const mbedtls_mpi *M,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+ int ret, count;
+
+ count = 0;
+ do
+ {
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( R, mbedtls_mpi_size( M ), f_rng, p_rng ) );
+
+ while( mbedtls_mpi_cmp_mpi( R, M ) >= 0 )
+ MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( R, 1 ) );
+
+ if( count++ > 10 )
+ return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+ }
+ while( mbedtls_mpi_cmp_int( R, 1 ) <= 0 );
+
+cleanup:
+ return( ret );
+}
+
+ /*
+ * Use the blinding method and optimisation suggested in section 10 of:
+ * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
@@ -333,7 +359,7 @@ cleanup:
 static int dhm_update_blinding( mbedtls_dhm_context *ctx,
 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
- int ret, count;
+ int ret;
 /*
 * Don't use any blinding the first time a particular X is used,
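Review bot: dhm_random_below's header comment leaves out its failure contract, which is the part a caller needs: after more than 10 rejected draws it returns MBEDTLS_ERR_MPI_NOT_ACCEPTABLE via a bare `return`, bypassing the `cleanup:` exit that MBEDTLS_MPI_CHK uses in the same body. Nothing leaks today because the function owns no temporaries, but two exit styles in one function invite a leak the first time someone adds an mpi here; `ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; goto cleanup;` keeps a single exit. The retry bound `10` is a bare literal carried over from the loop it replaces, and the comment is silent on the precondition that M must exceed 2 for the range [2, M) to be non-empty (otherwise the loop can only end with that error). I would extend the header to `/* Pick a random R in the range [2, M) for blinding purposes. Fails with MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if no suitable R is found within a bounded number of draws. */`.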
@@ -368,18 +394,7 @@ static int dhm_update_blinding( mbedtls_dhm_context *ctx,
 */
 /* Vi = random( 2, P-1 ) */
- count = 0;
- do
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vi, mbedtls_mpi_size( &ctx->P ), f_rng, p_rng ) );
-
- while( mbedtls_mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
- MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->Vi, 1 ) );
-
- if( count++ > 10 )
- return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
- }
- while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
+ MBEDTLS_MPI_CHK( dhm_random_below( &ctx->Vi, &ctx->P, f_rng, p_rng ) );
 /* Vf = Vi^-X mod P */
 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
From af72167f40a97958a6157418cbd1fda29119b3f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 25 Jun 2020 12:47:22 +0200
Subject: [PATCH 02/57] DHM: blind call to mpi_inv_mod() on secret value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
library/dhm.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/library/dhm.c b/library/dhm.c
index 6df40f13b..f9c55892a 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -360,6 +360,9 @@ static int dhm_update_blinding( mbedtls_dhm_context *ctx,
 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
 int ret;
+ mbedtls_mpi R;
+
+ mbedtls_mpi_init( &R );
 /*
 * Don't use any blinding the first time a particular X is used,
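Review bot: `mbedtls_mpi_init( &R )` now sits ahead of the early-exit paths of dhm_update_blinding that follow this hunk (the "first time a particular X is used" case begins right after it); if those paths return directly rather than through `cleanup:`, the `mbedtls_mpi_free( &R )` added later in this commit is skipped there. That is harmless as long as R holds no allocation at that point, which is the case here because R is only filled by the inv_mod blinding further down, but nothing in the code records that invariant. A note on the declaration would pin it for the next edit: `mbedtls_mpi R; /* blinding factor for inv_mod below; must stay unallocated until the early returns above cleanup: are passed */`. The rest of the function, including those early exits, lies outside this hunk, so their exact shape is inferred from the comment that follows.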
@@ -396,11 +399,21 @@ static int dhm_update_blinding( mbedtls_dhm_context *ctx,
 /* Vi = random( 2, P-1 ) */
 MBEDTLS_MPI_CHK( dhm_random_below( &ctx->Vi, &ctx->P, f_rng, p_rng ) );
- /* Vf = Vi^-X mod P */
- MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
+ /* Vf = Vi^-X mod P
+ * First compute Vi^-1 = R * (R Vi)^-1, (avoiding leaks from inv_mod),
+ * then elevate to the Xth power. */
+ MBEDTLS_MPI_CHK( dhm_random_below( &R, &ctx->P, f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vi, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
 cleanup:
+ mbedtls_mpi_free( &R );
+
+ return( ret );
 }
From b3e3d79e1a2524b2d66d8c3c251ca099f2ce7abe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 26 Jun 2020 11:03:19 +0200
Subject: [PATCH 03/57] RSA: remove redundant GCD call in prepare_blinding()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
inv_mod() already returns a specific error code if the value is not invertible, so no need to check in advance that it is. Also, this is a preparation for blinding the call to inv_mod(), which is made easier by avoiding the redundancy (otherwise the call to gcd() would need to be blinded too).
Signed-off-by: Manuel Pégourié-Gonnard
---
library/rsa.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/library/rsa.c b/library/rsa.c
index 6c457468e..00b379c2b 100644
--- a/library/rsa.c
+++ b/library/rsa.c
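Review bot: The new comment explains the R * (R Vi)^-1 trick but not the assumption it rests on: dhm_random_below only guarantees R in [2, P), not gcd(R, P) = 1, so the identity holds only when P is prime or at least coprime to the drawn R, and unlike the RSA counterpart in this series there is no retry here; a non-invertible R makes `mbedtls_mpi_inv_mod` return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE, which MBEDTLS_MPI_CHK turns into a failure of the whole DHM operation. Whether P has been validated as prime before this point is not visible in the hunk, so the comment should state the reliance rather than leave it implicit, e.g. `* Assumes gcd(R, P) = 1, i.e. P prime; not re-checked here.`. Also, the first comment line still reads `Vf = Vi^-X mod P` while the code now computes (Vi^-1)^X in two steps; writing it that way matches the order of operations. The start of dhm_update_blinding lies outside this hunk.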
@@ -800,11 +800,14 @@ static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
 return( MBEDTLS_ERR_RSA_RNG_FAILED );
 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
- } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
+
+ ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N );
+ if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+ goto cleanup;
+
+ } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
 /* Blinding value: Vi = Vf^(-e) mod N */
- MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
From 750d3c76cbc1071774a7efd75d578c4b798d7cb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 26 Jun 2020 11:19:12 +0200
Subject: [PATCH 04/57] RSA: blind call to mpi_inv_mod() on secret value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
library/rsa.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/library/rsa.c b/library/rsa.c
index 00b379c2b..782df036b 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -782,6 +782,9 @@ static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
 int ret, count = 0;
+ mbedtls_mpi R;
+
+ mbedtls_mpi_init( &R );
 if( ctx->Vf.p != NULL )
 {
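Review bot: The new `} while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )` has no terminating semicolon, so rsa.c does not compile at this commit; the following patch rewrites that line, but on its own this commit breaks a bisect. It should read `} while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );`. The loop now relies on inv_mod signalling a non-invertible Vf with MBEDTLS_ERR_MPI_NOT_ACCEPTABLE, as the commit message explains; keeping that next to the code with `/* NOT_ACCEPTABLE means Vf is not invertible mod N: draw again */` above the call would spare the next reader a trip to bignum.c. The `do` that opens this loop, and its `count` bound, are above the hunk.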
@@ -801,17 +804,32 @@ static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
- ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N );
- if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+ /* Compute the Vf^1 as R * (R Vf)^-1 to avoid leaks from inv_mod.
+ * There's a negligible but non-zero probability that R is not
+ * invertible mod N, in that case we'd just loop one more time,
+ * just as if Vf itself wasn't invertible - no need to distinguish. */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
+
+ ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
+ if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+ continue;
+ if( ret != 0 )
 goto cleanup;
- } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
+ } while( 0 );
- /* Blinding value: Vi = Vf^(-e) mod N */
+ /* Blinding value: Vi = Vf^(-e) mod N
+ * (Vi already contains Vf^-1 at this point) */
 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
 cleanup:
+ mbedtls_mpi_free( &R );
+
+ return( ret );
 }
From 34c1e7d0696a52f71801d6f196f75a6ac2bc8e6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 26 Jun 2020 11:33:41 +0200
Subject: [PATCH 05/57] Add ChangeLog entry for base blinding protection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
ChangeLog.d/protect-base-blinding.txt | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 ChangeLog.d/protect-base-blinding.txt
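Review bot: The `continue` on MBEDTLS_ERR_MPI_NOT_ACCEPTABLE does not retry: inside `do { ... } while( 0 )`, `continue` jumps to the loop condition, which is false, so the loop exits with `ret` holding that error and `ctx->Vi` holding (R*Vf) mod N rather than its inverse, and the following `MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod(...) )` then overwrites `ret`, so the function can return 0 with a wrong blinding value — the opposite of what the new comment promises ("we'd just loop one more time"). The fix is to keep the `while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )` condition from the previous patch and move the final multiply-and-reduce by R after the loop, as below. The `return( MBEDTLS_ERR_RSA_RNG_FAILED )` at the top of the same loop (above this hunk, visible as context in the previous patch) also bypasses `cleanup:` and leaks R once the retry genuinely loops; it should become `ret = MBEDTLS_ERR_RSA_RNG_FAILED; goto cleanup;`. The comment's `Vf^1` should read `Vf^-1`.
```c
        /* … unchanged: draw Vf and R, Vi = (R * Vf) mod N … */
        ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
        if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
            goto cleanup;
    } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );

    /* Finish Vf^-1 = R * (R Vf)^-1 mod N */
    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
    /* … unchanged: exp_mod, cleanup … */
```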
diff --git a/ChangeLog.d/protect-base-blinding.txt b/ChangeLog.d/protect-base-blinding.txt
new file mode 100644
index 000000000..ca0600cee
--- /dev/null
+++ b/ChangeLog.d/protect-base-blinding.txt
@@ -0,0 +1,6 @@
+Security
+ * Fix side channel in RSA private key operations and static (finite-field)
+ Diffie-Hellman. An adversary with precise enough timing and memory access
+ information (typically an untrusted operating system attacking a secure
+ enclave) could bypass an existing counter-measure (base blinding) and
+ potentially fully recover the private key.
From 0ac01a1c596749da7f8e185ac4f949f03de46bf9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 3 Jul 2020 12:49:10 +0200
Subject: [PATCH 06/57] TLS: Add negative tests for non-EtM CBC decryption
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
tests/suites/test_suite_ssl.data | 96 +++++++++++++++++++++++
tests/suites/test_suite_ssl.function | 110 +++++++++++++++++++++++++++
2 files changed, 206 insertions(+)
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index d3158fd4c..1cafed958 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -9374,6 +9374,102 @@ Record crypt, little space, NULL cipher, SSL3, MD5, short tag, EtM
 depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_MD5_C:MBEDTLS_SSL_ENCRYPT_THEN_MAC
 ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:1:MBEDTLS_SSL_MINOR_VERSION_0:0:0
+Decrypt CBC !EtM, AES SHA256 !trunc, 0, good min pad, good mac
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":0
+
+Decrypt CBC !EtM, AES SHA256 !trunc, 0, good min pad, bad mac
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC
+
+Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (byte 0), good mac
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0E0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC
+
+Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (byte 0), bad mac
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"0E0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC
+
+Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (len), good mac
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0E":MBEDTLS_ERR_SSL_INVALID_MAC
+
+Decrypt CBC !EtM, AES SHA256 !trunc, 0, overlong pad 1, good mac
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"10101010101010101010101010101010":MBEDTLS_ERR_SSL_INVALID_MAC
+
+Decrypt CBC !EtM, AES SHA256 !trunc, 0, overlong pad 2, good mac
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"30303030303030303030303030303030":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 !trunc, 0, good maxlen pad, good mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":0 + +Decrypt CBC !EtM, AES SHA256 !trunc, 0, good maxlen pad, bad mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen pad (byte 0), good mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"fEffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen pad (byte 0), bad mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"fEffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen (len), good mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffE":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 trunc, 0, good min pad, good mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"050505050505":0 + +Decrypt CBC !EtM, AES SHA256 trunc, 0, good min pad, bad mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"050505050505":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (byte 0), good mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"040505050505":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (byte 0), bad mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"040505050505":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (len), good mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"050505050504":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 trunc, 0, overlong pad 1, good mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"060606060606":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, 
AES SHA256 trunc, 0, overlong pad 2, good mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"101010101010":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 trunc, 0, good maxlen pad, good mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":0 + +Decrypt CBC !EtM, AES SHA256 trunc, 0, good maxlen pad, bad mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen pad (byte 0), good mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"E5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen pad (byte 0), bad mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"E5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC + +Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen (len), good mac +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f4":MBEDTLS_ERR_SSL_INVALID_MAC + SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 5cf6e8bd7..7f64f2917 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -3452,6 +3452,116 @@ exit:
 }
 /* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2 */
+void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
+ int plaintext_len, int badmac, data_t *padding,
+ int exp_ret )
+{
+ /*
+ * Test record decryption for CBC without EtM with possibly incorrect
+ * padding (provided as input) or MAC (generated by this function).
+ *
+ * Actually depends on TLS >= 1.0 (SSL 3.0 computes the MAC differently),
+ * but since the test framework doesn't support alternation in dependency
+ * statements, just depend on TLS 1.2.
+ */
+ mbedtls_ssl_context ssl; /* ONLY for debugging */
+ mbedtls_ssl_transform t0, t1;
+ mbedtls_record rec;
+ unsigned char *buf = NULL;
+ size_t buflen, olen = 0;
+ const size_t rec_data_offset = 16; /* IV size */
+ unsigned char add_data[13];
+ unsigned char mac[MBEDTLS_MD_MAX_SIZE];
+
+ mbedtls_ssl_init( &ssl );
+ mbedtls_ssl_transform_init( &t0 );
+ mbedtls_ssl_transform_init( &t1 );
+
+ /* Set up transforms with dummy keys */
+ TEST_ASSERT( build_transforms( &t0, &t1, cipher_type, hash_id,
+ 0, trunc_hmac,
+ MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 , 0 ) == 0 );
+
+ /* Prepare a buffer for record data */
+ buflen = rec_data_offset
+ + plaintext_len
+ + t0.maclen
+ + padding->len;
+ ASSERT_ALLOC( buf, buflen );
+
+ /* Prepare a dummy record header */
+ memset( rec.ctr, 0, sizeof( rec.ctr ) );
+ rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+ rec.ver[0] = MBEDTLS_SSL_MAJOR_VERSION_3;
+ rec.ver[1] = MBEDTLS_SSL_MINOR_VERSION_3;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ rec.cid_len = 0;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ /* Prepare dummy record content */
+ rec.buf = buf;
+ rec.buf_len = buflen;
+ rec.data_offset = rec_data_offset;
+ rec.data_len = plaintext_len;
+ memset( rec.buf + rec.data_offset, 42, rec.data_len );
+
+ /*
+ * MAC, "pad" and encrypt - this near-duplicates the TLS 1.x non-EtM CBC
+ * code path of mbedtls_ssl_encrypt_buf(), but with user-provided padding,
+ *
and possibly wrong HMAC. Also, without safety checks or CID support.
+ */
+
+ /* MAC with additional data */
+ memcpy( add_data, rec.ctr, 8 );
+ add_data[8] = rec.type;
+ add_data[9] = rec.ver[0];
+ add_data[10] = rec.ver[1];
+ add_data[11] = ( rec.data_len >> 8 ) & 0xff;
+ add_data[12] = ( rec.data_len >> 0 ) & 0xff;
+
+ TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, add_data, 13 ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc,
+ rec.buf + rec.data_offset,
+ rec.data_len ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_finish( &t0.md_ctx_enc, mac ) );
+
+ memcpy( rec.buf + rec.data_offset + rec.data_len, mac, t0.maclen );
+ rec.data_len += t0.maclen;
+
+ /* Possibly falsify the MAC */
+ rec.buf[rec.data_offset + rec.data_len - 1] ^= badmac;
+
+ /* Append the user-provided padding */
+ memcpy( rec.buf + rec.data_offset + rec.data_len, padding->x, padding->len );
+ rec.data_len += padding->len;
+
+ /* Set dummy IV and encrypt */
+ memset( t0.iv_enc, 0x55, t0.ivlen );
+ TEST_ASSERT( t0.ivlen == rec_data_offset );
+ memcpy( rec.buf, t0.iv_enc, rec_data_offset );
+
+ TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc,
+ t0.iv_enc, t0.ivlen,
+ rec.buf + rec.data_offset, rec.data_len,
+ rec.buf + rec.data_offset, &olen ) );
+ rec.data_offset -= t0.ivlen;
+ rec.data_len += t0.ivlen;
+
+ /*
+ * Try to decrypt and check that we get the expected result
+ */
+ TEST_EQUAL( exp_ret, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
+
+exit:
+ mbedtls_ssl_free( &ssl );
+ mbedtls_ssl_transform_free( &t0 );
+ mbedtls_ssl_transform_free( &t1 );
+ mbedtls_free( buf );
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void ssl_tls_prf( int type, data_t * secret, data_t * random, char *label,
 data_t *result_hex_str, int exp_ret )
From 527c1ff71a621e77c61bbe81d9e1b972faf568b6 Mon Sep 17 00:00:00 2001
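Review bot: The output length that `mbedtls_cipher_crypt` writes to `olen` is never checked, so if the transform's cipher context pads or trims the input, the decrypt step would run on data of a different length than the test assembled and the expected-result comparison would be testing something else; add `TEST_EQUAL( olen, rec.data_len );` right after the call. The test also assumes that `plaintext_len + maclen + padding->len` is a multiple of the block size and that `plaintext_len` (an `int` added into a `size_t`) is non-negative, but neither is stated or asserted; `TEST_ASSERT( plaintext_len >= 0 );` before the buffer sizing and a line in the header comment, `* The .data entry must make plaintext_len + maclen + padding->len a multiple of the cipher block size.`, would make a bad entry fail loudly. This hunk holds the whole function, so nothing is cut off.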
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 7 Jul 2020 10:43:37 +0200
Subject: [PATCH 07/57] Generate good/bad padding programmatically
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Compared to the previous approach of having the bad padding provided as input to the testing function, this allows to test more kinds of incorrect data, with less test cases in the .data file and more important no manually-generated non-trivial data in the test case parameters, making it much easier to complete the testing matrix.
Signed-off-by: Manuel Pégourié-Gonnard
---
tests/suites/test_suite_ssl.data | 96 ++----------------
tests/suites/test_suite_ssl.function | 135 +++++++++++++++++++------
2 files changed, 114 insertions(+), 117 deletions(-)
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 1cafed958..a61917d23 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -9374,101 +9374,21 @@ Record crypt, little space, NULL cipher, SSL3, MD5, short tag, EtM
 depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_MD5_C:MBEDTLS_SSL_ENCRYPT_THEN_MAC
 ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:1:MBEDTLS_SSL_MINOR_VERSION_0:0:0
-Decrypt CBC !EtM, AES SHA256 !trunc, 0, good min pad, good mac
+Decrypt CBC !EtM, AES SHA256 !trunc, 0, minpad
 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0
-Decrypt CBC !EtM, AES SHA256 !trunc, 0, good min pad, bad mac
+Decrypt CBC !EtM, AES SHA256 !trunc, 0, maxpad
 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1
-Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (byte 0), good mac
+Decrypt CBC !EtM, AES SHA256 trunc, 0, minpad
 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0E0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0
-Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (byte 0), bad mac
+Decrypt CBC !EtM, AES SHA256 trunc, 0, maxpad
 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"0E0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC
-
-Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (len), good mac
-depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0E":MBEDTLS_ERR_SSL_INVALID_MAC
-
-Decrypt CBC !EtM, AES SHA256 !trunc, 0, overlong pad 1, good mac
-depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"10101010101010101010101010101010":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, overlong pad 2, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"30303030303030303030303030303030":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, good maxlen pad, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":0 - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, good maxlen pad, bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen pad (byte 0), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"fEffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen pad (byte 0), bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"fEffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen (len), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffE":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, good min pad, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"050505050505":0 - -Decrypt CBC !EtM, AES SHA256 trunc, 0, good min pad, bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"050505050505":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (byte 0), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"040505050505":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (byte 0), bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"040505050505":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (len), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"050505050504":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, overlong pad 1, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"060606060606":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, 
AES SHA256 trunc, 0, overlong pad 2, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"101010101010":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, good maxlen pad, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":0 - -Decrypt CBC !EtM, AES SHA256 trunc, 0, good maxlen pad, bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen pad (byte 0), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"E5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen pad (byte 0), bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"E5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen (len), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f4":MBEDTLS_ERR_SSL_INVALID_MAC +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1 SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 7f64f2917..4cefc8d7d 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3454,12 +3454,11 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2 */ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, - int plaintext_len, int badmac, data_t *padding, - int exp_ret ) + int plaintext_len, int pad_long ) { /* - * Test record decryption for CBC without EtM with possibly incorrect - * padding (provided as input) or MAC (generated by this function). + * Test record decryption for CBC without EtM, focused on the verification + * of padding and MAC. * * Actually depends on TLS >= 1.0 (SSL 3.0 computes the MAC differently), * but since the test framework doesn't support alternation in dependency 
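Review bot: The rewritten header comment of ssl_decrypt_non_etm_cbc no longer explains its parameters, and the meaning of the new `int pad_long` flag can only be recovered from the padding computation further down in the function (minimal padding when 0, otherwise the largest padding length that still fits in the one-byte TLS length field). Since the .data file passes arguments positionally, a short parameter list in this comment would make the test cases readable on their own, e.g. ` * trunc_hmac: use truncated HMAC; plaintext_len: bytes of payload; pad_long: 0 = minimal padding, 1 = longest padding (<= 255) with the same length mod block size`. The function body continues past this hunk, and this hunk shares the line with the tail of the preceding .data hunk.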
@@ -3467,12 +3466,14 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
 */
 mbedtls_ssl_context ssl; /* ONLY for debugging */
 mbedtls_ssl_transform t0, t1;
- mbedtls_record rec;
- unsigned char *buf = NULL;
+ mbedtls_record rec, rec_save;
+ unsigned char *buf = NULL, *buf_save = NULL;
 size_t buflen, olen = 0;
- const size_t rec_data_offset = 16; /* IV size */
+ size_t block_size, i;
+ unsigned char padlen;
 unsigned char add_data[13];
 unsigned char mac[MBEDTLS_MD_MAX_SIZE];
+ int exp_ret;
 mbedtls_ssl_init( &ssl );
 mbedtls_ssl_transform_init( &t0 );
@@ -3484,12 +3485,21 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
 MBEDTLS_SSL_MINOR_VERSION_3, 0 , 0 ) == 0 );
+ /* Determine padding length */
+ block_size = t0.ivlen;
+ padlen = block_size - ( plaintext_len + t0.maclen + 1 ) % block_size;
+ if( padlen == block_size )
+ padlen = 0;
+ if( pad_long )
+ padlen += block_size * ( ( 255 - padlen ) / block_size );
+
 /* Prepare a buffer for record data */
- buflen = rec_data_offset
+ buflen = block_size
 + plaintext_len
 + t0.maclen
- + padding->len;
+ + padlen + 1;
 ASSERT_ALLOC( buf, buflen );
+ ASSERT_ALLOC( buf_save, buflen );
 /* Prepare a dummy record header */
 memset( rec.ctr, 0, sizeof( rec.ctr ) );
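Review bot: `padlen` is declared `unsigned char` while every other length in this block is `size_t`, and nothing records that the narrow width is deliberate; the later `padlen += block_size * ...` assignment only stays in range because the `255 - padlen` term bounds it, not because of any check. A one-line comment, ` unsigned char padlen; /* TLS padding-length byte: at most 255 */`, would tie the type to the wire format and protect it from a well-meaning widening. The enclosing function starts before and ends after this hunk.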
@@ -3503,17 +3513,11 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
 /* Prepare dummy record content */
 rec.buf = buf;
 rec.buf_len = buflen;
- rec.data_offset = rec_data_offset;
+ rec.data_offset = block_size;
 rec.data_len = plaintext_len;
 memset( rec.buf + rec.data_offset, 42, rec.data_len );
- /*
- * MAC, "pad" and encrypt - this near-duplicates the TLS 1.x non-EtM CBC
- * code path of mbedtls_ssl_encrypt_buf(), but with user-provided padding,
- * and possibly wrong HMAC. Also, without safety checks or CID support.
- */
-
- /* MAC with additional data */
+ /* Serialized version of record header for MAC purposes */
 memcpy( add_data, rec.ctr, 8 );
 add_data[8] = rec.type;
 add_data[9] = rec.ver[0];
@@ -3521,6 +3525,15 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
 add_data[11] = ( rec.data_len >> 8 ) & 0xff;
 add_data[12] = ( rec.data_len >> 0 ) & 0xff;
+ /* Set dummy IV */
+ memset( t0.iv_enc, 0x55, t0.ivlen );
+ memcpy( rec.buf, t0.iv_enc, t0.ivlen );
+
+ /*
+ * Prepare a pre-encryption record (with MAC and padding), and save it.
+ */
+
+ /* MAC with additional data */
 TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, add_data, 13 ) );
 TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, rec.buf + rec.data_offset,
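Review bot: The padding computation treats `t0.ivlen` as the cipher block size and is never cross-checked before the buffer is sized, so a slip in the `padlen` arithmetic (especially in the pad_long branch) would only surface later as an opaque failure inside mbedtls_cipher_crypt(). Right after the `if( pad_long )` step I would add `TEST_ASSERT( ( plaintext_len + t0.maclen + padlen + 1 ) % block_size == 0 );`, and a comment on `block_size = t0.ivlen;` stating that IV length equals block size for the CBC suites exercised here. Note also that the transforms are built with `MBEDTLS_SSL_MINOR_VERSION_3` only, so despite the header comment's "TLS >= 1.0" remark the padding/MAC path is presumably exercised for TLS 1.2 alone; if that is intended it is worth saying. The enclosing function continues on both sides of this hunk.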
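Review bot: The comment removed here was the only place recording that this hand-built MAC/pad/encrypt sequence has no CID support, and the replacement `/* Serialized version of record header for MAC purposes */` does not say what the 13 bytes are. Since `add_data` is filled from `rec.ctr`, `rec.type`, `rec.ver` and `rec.data_len` in a fixed layout, I would write it as `/* 13-byte TLS 1.x MAC header: seq_num || type || version || length (no CID) */` so the next reader knows which record variant is covered. The function continues on both sides of this hunk.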
@@ -3530,18 +3543,18 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
 memcpy( rec.buf + rec.data_offset + rec.data_len, mac, t0.maclen );
 rec.data_len += t0.maclen;
- /* Possibly falsify the MAC */
- rec.buf[rec.data_offset + rec.data_len - 1] ^= badmac;
+ /* Pad */
+ memset( rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1 );
+ rec.data_len += padlen + 1;
- /* Append the user-provided padding */
- memcpy( rec.buf + rec.data_offset + rec.data_len, padding->x, padding->len );
- rec.data_len += padding->len;
-
- /* Set dummy IV and encrypt */
- memset( t0.iv_enc, 0x55, t0.ivlen );
- TEST_ASSERT( t0.ivlen == rec_data_offset );
- memcpy( rec.buf, t0.iv_enc, rec_data_offset );
+ /* Save correct pre-encryption record */
+ rec_save = rec;
+ rec_save.buf = buf_save;
+ memcpy( buf_save, buf, buflen );
+ /*
+ * Encrypt and decrypt the correct record, expecting success
+ */
 TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc,
 t0.iv_enc, t0.ivlen,
 rec.buf + rec.data_offset, rec.data_len,
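Review bot: The IV is set to a constant 0x55 and then copied into `rec.buf`, but nothing states why both copies are needed: `t0.iv_enc` is what mbedtls_cipher_crypt() is handed, while the copy in the record is what the decrypt side presumably consumes once `rec.data_offset -= t0.ivlen` widens the record to include it. A comment such as `/* Fixed explicit IV, kept both in t0.iv_enc (for encryption) and as the record's first block (read back by decryption) */` would make that coupling explicit. The later mutation loops start at `block_size`, so the IV itself is never flipped; that is worth stating here as well. The function continues on both sides of this hunk.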
@@ -3549,16 +3562,80 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
 rec.data_offset -= t0.ivlen;
 rec.data_len += t0.ivlen;
+ TEST_EQUAL( 0, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
+
 /*
- * Try to decrypt and check that we get the expected result
+ * Modify each byte of the pre-encryption record before encrypting and
+ * decrypting it, expecting failure every time.
 */
- TEST_EQUAL( exp_ret, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
+ for( i = block_size; i < buflen; i++ )
+ {
+ test_set_step( i );
+
+ /* Restore correct pre-encryption record */
+ rec = rec_save;
+ rec.buf = buf;
+ memcpy( buf, buf_save, buflen );
+
+ /* Flip one bit of the data (could be plaintext, MAC or padding) */
+ rec.buf[i] ^= 0x01;
+
+ /* Encrypt */
+ TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc,
+ t0.iv_enc, t0.ivlen,
+ rec.buf + rec.data_offset, rec.data_len,
+ rec.buf + rec.data_offset, &olen ) );
+ rec.data_offset -= t0.ivlen;
+ rec.data_len += t0.ivlen;
+
+ /* Decrypt and expect failure */
+ TEST_EQUAL( MBEDTLS_ERR_SSL_INVALID_MAC,
+ mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
+ }
+
+ /*
+ * Use larger values of the padding bytes - with small buffers, this tests
+ * the case where the announced padlen would be larger than the buffer
+ * (and before that, than the buffer minus the size of the MAC), to make
+ * sure our padding checking code does not perform any out-of-bounds reads
+ * in this case. (With larger buffers, ie when the plaintext is long or
+ * maximal length padding is used, this is less relevant but still doesn't
+ * hurt to test.)
+ *
+ * (Start the loop with correct padding, just to double-check that record
+ * saving did work, and that we're overwriting the correct bytes.)
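Review bot: `memset( rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1 )` is meant to fill the buffer exactly to its end, and the later loops address the padding as `buf + buflen - padlen - 1`, yet that invariant is never asserted; a miscount in `buflen` would become a heap overflow inside the test itself rather than a clean failure. Adding `TEST_ASSERT( rec.data_offset + rec.data_len + padlen + 1 == buflen );` immediately before the memset (or the equivalent check after `rec.data_len += padlen + 1;`) pins it down. The function continues on both sides of this hunk.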
+ */
+ for( i = padlen; i <= 255; i++ )
+ {
+ test_set_step( i );
+
+ /* Restore correct pre-encryption record */
+ rec = rec_save;
+ rec.buf = buf;
+ memcpy( buf, buf_save, buflen );
+
+ /* Set padding bytes to new value */
+ memset( buf + buflen - padlen - 1, i, padlen + 1 );
+
+ /* Encrypt */
+ TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc,
+ t0.iv_enc, t0.ivlen,
+ rec.buf + rec.data_offset, rec.data_len,
+ rec.buf + rec.data_offset, &olen ) );
+ rec.data_offset -= t0.ivlen;
+ rec.data_len += t0.ivlen;
+
+ /* Decrypt and expect failure except the first time */
+ exp_ret = ( i == padlen ) ? 0 : MBEDTLS_ERR_SSL_INVALID_MAC;
+ TEST_EQUAL( exp_ret, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
+ }
 exit:
 mbedtls_ssl_free( &ssl );
 mbedtls_ssl_transform_free( &t0 );
 mbedtls_ssl_transform_free( &t1 );
 mbedtls_free( buf );
+ mbedtls_free( buf_save );
 }
 /* END_CASE */
From e79e3bb2da9693fa2d15fb2694aa6ba69f1c6360 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 7 Jul 2020 11:02:59 +0200
Subject: [PATCH 08/57] Add test cases with various record sizes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- plaintext length = 0 or 1
- plaintext length + MAC length = -1 or 0 mod block_size (using the minimum plaintext length that works)
Signed-off-by: Manuel Pégourié-Gonnard
---
tests/suites/test_suite_ssl.data | 48 ++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index a61917d23..35df2b508 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
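Review bot: The round-trip of the correct record only checks that mbedtls_ssl_decrypt_buf() returns 0; it never verifies that the payload came back intact, so a decrypt that strips the wrong number of padding or MAC bytes but still reports success would pass. Assuming decrypt_buf reports the stripped payload through `rec.data_offset`/`rec.data_len` as the record API suggests, I would follow the first `TEST_EQUAL( 0, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );` with `TEST_EQUAL( rec.data_len, (size_t) plaintext_len );` and `TEST_ASSERT( memcmp( rec.buf + rec.data_offset, buf_save + block_size, plaintext_len ) == 0 );`. Separately, the comment on the second loop promises that it catches out-of-bounds reads in the padding check, but plain execution cannot observe a silent over-read; the comment should say that this case only bites when the suite runs under a memory checker such as ASan or Valgrind, so that CI is set up accordingly.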
@@ -9390,6 +9390,54 @@ Decrypt CBC !EtM, AES SHA256 trunc, 0, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1 +Decrypt CBC !EtM, AES SHA256 !trunc, 1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:1:0 + +Decrypt CBC !EtM, AES SHA256 !trunc, 1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:1:1 + +Decrypt CBC !EtM, AES SHA256 trunc, 1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:1:0 + +Decrypt CBC !EtM, AES SHA256 trunc, 1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:1:1 + +Decrypt CBC !EtM, AES SHA256 !trunc, B-1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:15:0 + +Decrypt CBC !EtM, AES SHA256 !trunc, B-1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:15:1 + +Decrypt CBC !EtM, AES SHA256 trunc, B-1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:5:0 + +Decrypt CBC !EtM, AES SHA256 trunc, B-1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:5:1 + +Decrypt CBC !EtM, AES SHA256 !trunc, B, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:16:0 + +Decrypt CBC !EtM, AES SHA256 !trunc, B, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:16:1 + +Decrypt CBC !EtM, AES SHA256 trunc, B, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:6:0 + +Decrypt CBC !EtM, AES SHA256 trunc, B, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:6:1 + SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE From 7a1cb41ba2e6f9bb45dfb984b6a4fdf3338b35c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 7 Jul 2020 11:20:32 +0200 Subject: [PATCH 09/57] Add test cases with MD5, SHA1, SHA384 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All started from a copy of the SHA256 block and modified as follows: - for MD5, just s/SHA256/MD5/ - for SHA384, adapt the dependency line then s/SHA256/SHA384 - for SHA1, s/SHA256/SHA1/ then manually adapt the plaintext length for the cases with "!trunc, B-1" and "!trunc, B", as the MAC length (20) is not a multiple of the block size (16) for this hash Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_ssl.data | 192 +++++++++++++++++++++++++++++++ 1 file changed, 192 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 35df2b508..019c251de 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -9374,6 +9374,134 @@ Record crypt, little space, NULL cipher, SSL3, MD5, short tag, EtM depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_MD5_C:MBEDTLS_SSL_ENCRYPT_THEN_MAC ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:1:MBEDTLS_SSL_MINOR_VERSION_0:0:0 +Decrypt CBC !EtM, AES MD5 !trunc, 0, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0:0 + +Decrypt CBC !EtM, AES MD5 !trunc, 0, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0:1 + +Decrypt CBC !EtM, AES MD5 trunc, 0, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0:0 + +Decrypt CBC !EtM, AES MD5 trunc, 0, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0:1 + +Decrypt CBC !EtM, AES MD5 !trunc, 1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:1:0 + +Decrypt CBC !EtM, AES MD5 !trunc, 1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:1:1 + +Decrypt CBC !EtM, AES MD5 trunc, 1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:1:0 + +Decrypt CBC !EtM, AES MD5 trunc, 1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:1:1 + +Decrypt CBC !EtM, AES MD5 !trunc, B-1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:15:0 + +Decrypt CBC !EtM, AES MD5 !trunc, B-1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:15:1 + +Decrypt CBC !EtM, AES MD5 trunc, B-1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:5:0 + +Decrypt CBC !EtM, AES MD5 trunc, B-1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:5:1 + +Decrypt CBC !EtM, AES MD5 !trunc, B, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:16:0 + +Decrypt CBC !EtM, AES MD5 !trunc, B, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:16:1 + +Decrypt CBC !EtM, AES MD5 trunc, B, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:6:0 + +Decrypt CBC !EtM, AES MD5 trunc, B, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:6:1 + +Decrypt CBC !EtM, AES SHA1 !trunc, 0, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0:0 + +Decrypt CBC !EtM, AES SHA1 !trunc, 0, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0:1 + +Decrypt CBC !EtM, AES SHA1 trunc, 0, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0:0 + +Decrypt CBC !EtM, AES SHA1 trunc, 0, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0:1 + +Decrypt CBC !EtM, AES SHA1 !trunc, 1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:1:0 + +Decrypt CBC !EtM, AES SHA1 !trunc, 1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:1:1 + +Decrypt CBC !EtM, AES SHA1 trunc, 1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:1:0 + +Decrypt CBC !EtM, AES SHA1 trunc, 1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:1:1 + +Decrypt CBC !EtM, AES SHA1 !trunc, B-1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:11:0 + +Decrypt CBC !EtM, AES SHA1 !trunc, B-1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:11:1 + +Decrypt CBC !EtM, AES SHA1 trunc, B-1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:5:0 + +Decrypt CBC !EtM, AES SHA1 trunc, B-1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:5:1 + +Decrypt CBC !EtM, AES SHA1 !trunc, B, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:12:0 + +Decrypt CBC !EtM, AES SHA1 !trunc, B, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:12:1 + +Decrypt CBC !EtM, AES SHA1 trunc, B, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:6:0 + +Decrypt CBC !EtM, AES SHA1 trunc, B, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:6:1 + Decrypt CBC !EtM, AES SHA256 !trunc, 0, minpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0 
@@ -9438,6 +9566,70 @@ Decrypt CBC !EtM, AES SHA256 trunc, B, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:6:1 +Decrypt CBC !EtM, AES SHA384 !trunc, 0, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0:0 + +Decrypt CBC !EtM, AES SHA384 !trunc, 0, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0:1 + +Decrypt CBC !EtM, AES SHA384 trunc, 0, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0:0 + +Decrypt CBC !EtM, AES SHA384 trunc, 0, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0:1 + +Decrypt CBC !EtM, AES SHA384 !trunc, 1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:1:0 + +Decrypt CBC !EtM, AES SHA384 !trunc, 1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:1:1 + +Decrypt CBC !EtM, AES SHA384 trunc, 1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:1:0 + +Decrypt CBC !EtM, AES SHA384 trunc, 1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:1:1 + +Decrypt CBC !EtM, AES SHA384 !trunc, B-1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:15:0 + +Decrypt CBC !EtM, AES SHA384 !trunc, B-1, maxpad 
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:15:1 + +Decrypt CBC !EtM, AES SHA384 trunc, B-1, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:5:0 + +Decrypt CBC !EtM, AES SHA384 trunc, B-1, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:5:1 + +Decrypt CBC !EtM, AES SHA384 !trunc, B, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:16:0 + +Decrypt CBC !EtM, AES SHA384 !trunc, B, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:16:1 + +Decrypt CBC !EtM, AES SHA384 trunc, B, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:6:0 + +Decrypt CBC !EtM, AES SHA384 trunc, B, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:6:1 + SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE From 62af37d6162b2133576ce3f57d666ad2aa47d3ba Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 7 Jul 2020 11:40:38 +0200 Subject: [PATCH 10/57] Add tests with ARIA, Camellia, 3DES MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Started as copies of the AES block, then: - for ARIA, just s/AES/ARIA/ - for Camellia, just s/AES/Camellia/ - for 3DES, s/AES/3DES/ then s/3DES_128_CBC/DES_EDE3_CBC/ then manually subtract 8 to all plaintext lengths that were > 8. This accounts for the fact that the block size of DES is 8 not 16. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_ssl.data | 768 +++++++++++++++++++++++++++++++ 1 file changed, 768 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 019c251de..180e76aac 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -9630,6 +9630,774 @@ Decrypt CBC !EtM, AES SHA384 trunc, B, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:6:1 +Decrypt CBC !EtM, ARIA MD5 !trunc, 0, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0:0 + +Decrypt CBC !EtM, ARIA MD5 !trunc, 0, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0:1 + +Decrypt CBC !EtM, ARIA MD5 trunc, 0, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0:0 + +Decrypt CBC !EtM, ARIA MD5 trunc, 0, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0:1 + +Decrypt CBC !EtM, ARIA MD5 !trunc, 1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:1:0 + +Decrypt CBC !EtM, ARIA MD5 !trunc, 1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:1:1 + +Decrypt CBC !EtM, ARIA MD5 trunc, 1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:1:0 + +Decrypt CBC !EtM, ARIA MD5 trunc, 1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:1:1 + +Decrypt CBC !EtM, ARIA MD5 !trunc, B-1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:15:0 + +Decrypt CBC !EtM, ARIA MD5 !trunc, B-1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:15:1 + +Decrypt CBC !EtM, ARIA MD5 trunc, B-1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:5:0 + +Decrypt CBC !EtM, ARIA MD5 trunc, B-1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:5:1 + +Decrypt CBC !EtM, ARIA MD5 !trunc, B, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:16:0 + +Decrypt CBC !EtM, ARIA MD5 !trunc, B, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:16:1 + +Decrypt CBC !EtM, ARIA MD5 trunc, B, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:6:0 + +Decrypt CBC !EtM, ARIA MD5 trunc, B, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:6:1 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, 0, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0:0 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, 0, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0:1 + +Decrypt CBC !EtM, ARIA SHA1 trunc, 0, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0:0 + +Decrypt CBC !EtM, ARIA SHA1 trunc, 0, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0:1 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, 1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:1:0 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, 1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:1:1 + +Decrypt CBC !EtM, ARIA SHA1 trunc, 1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:1:0 + +Decrypt CBC !EtM, ARIA SHA1 trunc, 1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:1:1 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, B-1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:11:0 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, B-1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:11:1 + +Decrypt CBC !EtM, ARIA SHA1 trunc, B-1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:5:0 + +Decrypt CBC !EtM, ARIA SHA1 trunc, B-1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:5:1 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, B, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:12:0 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, B, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:12:1 + +Decrypt CBC !EtM, ARIA SHA1 trunc, B, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:6:0 + +Decrypt CBC !EtM, ARIA SHA1 trunc, B, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:6:1 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, 0, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0:0 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, 0, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0:1 + +Decrypt CBC !EtM, ARIA SHA256 trunc, 0, minpad 
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0:0 + +Decrypt CBC !EtM, ARIA SHA256 trunc, 0, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0:1 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, 1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:1:0 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, 1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:1:1 + +Decrypt CBC !EtM, ARIA SHA256 trunc, 1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:1:0 + +Decrypt CBC !EtM, ARIA SHA256 trunc, 1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:1:1 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, B-1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:15:0 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, B-1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:15:1 + +Decrypt CBC !EtM, ARIA SHA256 trunc, B-1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:5:0 + +Decrypt CBC !EtM, ARIA SHA256 trunc, B-1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:5:1 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, B, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:16:0 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, B, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:16:1 + +Decrypt CBC !EtM, ARIA SHA256 trunc, B, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:6:0 + +Decrypt CBC !EtM, ARIA SHA256 trunc, B, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:6:1 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, 0, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0:0 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, 0, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0:1 + +Decrypt CBC !EtM, ARIA SHA384 trunc, 0, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0:0 + +Decrypt CBC !EtM, ARIA SHA384 trunc, 0, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0:1 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, 1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:1:0 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, 1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:1:1 + +Decrypt CBC !EtM, ARIA SHA384 trunc, 1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:1:0 + +Decrypt CBC !EtM, ARIA SHA384 trunc, 1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:1:1 
+ +Decrypt CBC !EtM, ARIA SHA384 !trunc, B-1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:15:0 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, B-1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:15:1 + +Decrypt CBC !EtM, ARIA SHA384 trunc, B-1, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:5:0 + +Decrypt CBC !EtM, ARIA SHA384 trunc, B-1, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:5:1 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, B, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:16:0 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, B, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:16:1 + +Decrypt CBC !EtM, ARIA SHA384 trunc, B, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:6:0 + +Decrypt CBC !EtM, ARIA SHA384 trunc, B, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:6:1 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, 0, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0:0 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, 0, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0:1 + +Decrypt CBC !EtM, CAMELLIA MD5 trunc, 0, minpad 
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0:0 + +Decrypt CBC !EtM, CAMELLIA MD5 trunc, 0, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0:1 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, 1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:1:0 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, 1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:1:1 + +Decrypt CBC !EtM, CAMELLIA MD5 trunc, 1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:1:0 + +Decrypt CBC !EtM, CAMELLIA MD5 trunc, 1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:1:1 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, B-1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:15:0 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, B-1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:15:1 + +Decrypt CBC !EtM, CAMELLIA MD5 trunc, B-1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:5:0 + +Decrypt CBC !EtM, CAMELLIA MD5 trunc, B-1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:5:1 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, B, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:16:0 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, B, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:16:1 + +Decrypt CBC !EtM, CAMELLIA MD5 trunc, B, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:6:0 + +Decrypt CBC !EtM, CAMELLIA MD5 trunc, B, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:6:1 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, 0, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0:0 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, 0, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0:1 + +Decrypt CBC !EtM, CAMELLIA SHA1 trunc, 0, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0:0 + +Decrypt CBC !EtM, CAMELLIA SHA1 trunc, 0, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0:1 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, 1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:1:0 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, 1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:1:1 + +Decrypt CBC !EtM, CAMELLIA SHA1 trunc, 1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:1:0 + +Decrypt CBC !EtM, CAMELLIA SHA1 trunc, 1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:1:1 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, B-1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:11:0 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, B-1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:11:1 + +Decrypt CBC !EtM, CAMELLIA SHA1 trunc, B-1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:5:0 + +Decrypt CBC !EtM, CAMELLIA SHA1 trunc, B-1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:5:1 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, B, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:12:0 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, B, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:12:1 + +Decrypt CBC !EtM, CAMELLIA SHA1 trunc, B, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:6:0 + +Decrypt CBC !EtM, CAMELLIA SHA1 trunc, B, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:6:1 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, 0, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0:0 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, 0, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0:1 + +Decrypt CBC !EtM, CAMELLIA SHA256 trunc, 0, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0:0 + +Decrypt CBC !EtM, CAMELLIA SHA256 trunc, 0, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0:1 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, 1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:1:0 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, 1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:1:1 + +Decrypt CBC !EtM, CAMELLIA SHA256 trunc, 1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:1:0 + +Decrypt CBC !EtM, CAMELLIA SHA256 trunc, 1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:1:1 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, B-1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:15:0 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, B-1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:15:1 + +Decrypt CBC !EtM, CAMELLIA SHA256 trunc, B-1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:5:0 + +Decrypt CBC !EtM, CAMELLIA SHA256 trunc, B-1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:5:1 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, B, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:16:0 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, B, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:16:1 + +Decrypt CBC !EtM, CAMELLIA SHA256 trunc, B, minpad 
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:6:0 + +Decrypt CBC !EtM, CAMELLIA SHA256 trunc, B, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:6:1 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, 0, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0:0 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, 0, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0:1 + +Decrypt CBC !EtM, CAMELLIA SHA384 trunc, 0, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0:0 + +Decrypt CBC !EtM, CAMELLIA SHA384 trunc, 0, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0:1 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, 1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:1:0 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, 1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:1:1 + +Decrypt CBC !EtM, CAMELLIA SHA384 trunc, 1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:1:0 + +Decrypt CBC !EtM, CAMELLIA SHA384 trunc, 1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:1:1 + +Decrypt 
CBC !EtM, CAMELLIA SHA384 !trunc, B-1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:15:0 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, B-1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:15:1 + +Decrypt CBC !EtM, CAMELLIA SHA384 trunc, B-1, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:5:0 + +Decrypt CBC !EtM, CAMELLIA SHA384 trunc, B-1, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:5:1 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, B, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:16:0 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, B, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:16:1 + +Decrypt CBC !EtM, CAMELLIA SHA384 trunc, B, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:6:0 + +Decrypt CBC !EtM, CAMELLIA SHA384 trunc, B, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:6:1 + +Decrypt CBC !EtM, 3DES MD5 !trunc, 0, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:0:0 + +Decrypt CBC !EtM, 3DES MD5 !trunc, 0, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:0:1 + +Decrypt CBC !EtM, 3DES MD5 trunc, 0, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:0:0 + +Decrypt CBC !EtM, 3DES MD5 trunc, 0, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:0:1 + +Decrypt CBC !EtM, 3DES MD5 !trunc, 1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:1:0 + +Decrypt CBC !EtM, 3DES MD5 !trunc, 1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:1:1 + +Decrypt CBC !EtM, 3DES MD5 trunc, 1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:1:0 + +Decrypt CBC !EtM, 3DES MD5 trunc, 1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:1:1 + +Decrypt CBC !EtM, 3DES MD5 !trunc, B-1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:7:0 + +Decrypt CBC !EtM, 3DES MD5 !trunc, B-1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:7:1 + +Decrypt CBC !EtM, 3DES MD5 trunc, B-1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:5:0 + +Decrypt CBC !EtM, 3DES MD5 trunc, B-1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:5:1 + +Decrypt CBC !EtM, 3DES MD5 !trunc, B, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:8:0 + +Decrypt CBC !EtM, 3DES MD5 !trunc, B, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:8:1 + +Decrypt CBC !EtM, 3DES MD5 trunc, B, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:6:0 + +Decrypt CBC !EtM, 3DES MD5 trunc, B, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:6:1 + +Decrypt CBC !EtM, 3DES SHA1 !trunc, 0, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:0:0 + +Decrypt CBC !EtM, 3DES SHA1 !trunc, 0, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:0:1 + +Decrypt CBC !EtM, 3DES SHA1 trunc, 0, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:0:0 + +Decrypt CBC !EtM, 3DES SHA1 trunc, 0, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:0:1 + +Decrypt CBC !EtM, 3DES SHA1 !trunc, 1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:1:0 + +Decrypt CBC !EtM, 3DES SHA1 !trunc, 1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:1:1 + +Decrypt CBC !EtM, 3DES SHA1 trunc, 1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:1:0 + +Decrypt CBC !EtM, 3DES SHA1 trunc, 1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:1:1 + +Decrypt CBC !EtM, 3DES SHA1 !trunc, B-1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:3:0 + +Decrypt CBC !EtM, 3DES SHA1 !trunc, B-1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:3:1 + +Decrypt CBC !EtM, 3DES SHA1 trunc, B-1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:5:0 + +Decrypt CBC !EtM, 3DES SHA1 trunc, B-1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:5:1 + +Decrypt CBC !EtM, 3DES SHA1 !trunc, B, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:4:0 + +Decrypt CBC !EtM, 3DES SHA1 !trunc, B, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:4:1 + +Decrypt CBC !EtM, 3DES SHA1 trunc, B, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:6:0 + +Decrypt CBC !EtM, 3DES SHA1 trunc, B, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:6:1 + +Decrypt CBC !EtM, 3DES SHA256 !trunc, 0, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:0:0 + +Decrypt CBC !EtM, 3DES SHA256 !trunc, 0, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:0:1 + +Decrypt CBC !EtM, 3DES SHA256 trunc, 0, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:0:0 + +Decrypt CBC !EtM, 3DES SHA256 trunc, 0, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:0:1 + +Decrypt CBC !EtM, 3DES SHA256 !trunc, 1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:1:0 + +Decrypt CBC !EtM, 3DES SHA256 !trunc, 1, maxpad 
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:1:1 + +Decrypt CBC !EtM, 3DES SHA256 trunc, 1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:1:0 + +Decrypt CBC !EtM, 3DES SHA256 trunc, 1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:1:1 + +Decrypt CBC !EtM, 3DES SHA256 !trunc, B-1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:7:0 + +Decrypt CBC !EtM, 3DES SHA256 !trunc, B-1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:7:1 + +Decrypt CBC !EtM, 3DES SHA256 trunc, B-1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:5:0 + +Decrypt CBC !EtM, 3DES SHA256 trunc, B-1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:5:1 + +Decrypt CBC !EtM, 3DES SHA256 !trunc, B, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:8:0 + +Decrypt CBC !EtM, 3DES SHA256 !trunc, B, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:8:1 + +Decrypt CBC !EtM, 3DES SHA256 trunc, B, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:6:0 + +Decrypt CBC !EtM, 3DES SHA256 trunc, B, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:6:1 + +Decrypt CBC !EtM, 3DES SHA384 !trunc, 0, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:0:0 + +Decrypt CBC !EtM, 3DES SHA384 !trunc, 0, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:0:1 + +Decrypt CBC !EtM, 3DES SHA384 trunc, 0, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:0:0 + +Decrypt CBC !EtM, 3DES SHA384 trunc, 0, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:0:1 + +Decrypt CBC !EtM, 3DES SHA384 !trunc, 1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:1:0 + +Decrypt CBC !EtM, 3DES SHA384 !trunc, 1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:1:1 + +Decrypt CBC !EtM, 3DES SHA384 trunc, 1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:1:0 + +Decrypt CBC !EtM, 3DES SHA384 trunc, 1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:1:1 + +Decrypt CBC !EtM, 3DES SHA384 !trunc, B-1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:7:0 + +Decrypt CBC !EtM, 3DES SHA384 !trunc, B-1, maxpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:7:1 + +Decrypt CBC !EtM, 3DES SHA384 trunc, B-1, minpad +depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:5:0
+
+Decrypt CBC !EtM, 3DES SHA384 trunc, B-1, maxpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:5:1
+
+Decrypt CBC !EtM, 3DES SHA384 !trunc, B, minpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:8:0
+
+Decrypt CBC !EtM, 3DES SHA384 !trunc, B, maxpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:8:1
+
+Decrypt CBC !EtM, 3DES SHA384 trunc, B, minpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:6:0
+
+Decrypt CBC !EtM, 3DES SHA384 trunc, B, maxpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:6:1
+
 SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE
 ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
From 913a204a33f0e8f97f93c46d8be13b092d90a50c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 9 Jul 2020 10:02:41 +0200
Subject: [PATCH 11/57] Fix undeclared dependency of test function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ssl_tranform structure lacks some members accessed by this function when CBC is not enabled. This was found by test-ref-configs.pl and all.sh test_when_no_ciphersuites_have_mac, so no need to add a new test.

Signed-off-by: Manuel Pégourié-Gonnard
---
 tests/suites/test_suite_ssl.function | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 4cefc8d7d..40ab19d55 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3452,7 +3452,7 @@ exit:
 }
 /* END_CASE */
 
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2 */
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2 */
 void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
 int plaintext_len, int pad_long )
 {
@@ -3461,8 +3461,9 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
 * of padding and MAC.
 *
 * Actually depends on TLS >= 1.0 (SSL 3.0 computes the MAC differently),
- * but since the test framework doesn't support alternation in dependency
- * statements, just depend on TLS 1.2.
+ * and either AES, ARIA, Camellia or DES, but since the test framework
+ * doesn't support alternation in dependency statements, just depend on
+ * TLS 1.2 and AES.
 */
 mbedtls_ssl_context ssl; /* ONLY for debugging */
 mbedtls_ssl_transform t0, t1;
From 2df1f1f16f667f987d6f5fa6e1e66f1c59f3cfa1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 9 Jul 2020 12:11:39 +0200
Subject: [PATCH 12/57] Factor repeated preprocessor condition to a macro
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The condition is a complex and repeated a few times. There were already some inconsistencies in the repetitions as some of them forgot about DES.

Signed-off-by: Manuel Pégourié-Gonnard
---
 include/mbedtls/ssl_internal.h | 14 +++++++++-----
 library/ssl_msg.c | 17 +++++------------
 2 files changed, 14 insertions(+), 17 deletions(-)

diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index c68038c7b..6bea84c34 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
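Review bot: The new function-level dependency `depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2` is stricter than the cases need, since every ssl_decrypt_non_etm_cbc entry in the .data file already carries its own cipher dependency (MBEDTLS_ARIA_C, MBEDTLS_CAMELLIA_C, MBEDTLS_DES_C, ...), so a CBC build with only Camellia, ARIA or DES now loses all of these tests even though its cases would compile. The comment in the second hunk explains the framework limitation but not why AES specifically was picked; the commit message suggests the real requirement is the condition guarding the MAC-related members of mbedtls_ssl_transform, which is presumably satisfied by any one of the block ciphers. I would extend the comment with ` * (what is really needed is the guard on the MAC members of mbedtls_ssl_transform; revisit if the framework gains alternation).` so the next person knows what a tighter dependency would look like. Both hunks are inside ssl_decrypt_non_etm_cbc, whose body continues past the second hunk.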
@@ -146,12 +146,16 @@
 #define MBEDTLS_SSL_COMPRESSION_ADD 0
 #endif
 
+#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
+ ( defined(MBEDTLS_AES_C) || \
+ defined(MBEDTLS_CAMELLIA_C) || \
+ defined(MBEDTLS_ARIA_C) || \
+ defined(MBEDTLS_DES_C) )
+#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
+#endif
+
 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
- ( defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || \
- defined(MBEDTLS_CAMELLIA_C) || \
- defined(MBEDTLS_ARIA_C) || \
- defined(MBEDTLS_DES_C) ) )
+ defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
 #define MBEDTLS_SSL_SOME_MODES_USE_MAC
 #endif
 
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index d32afac56..083814cfe 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -609,10 +609,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
 
 /* The PRNG is used for dynamic IV generation that's used
 * for CBC transformations in TLS 1.1 and TLS 1.2. */
-#if !( defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || \
- defined(MBEDTLS_ARIA_C) || \
- defined(MBEDTLS_CAMELLIA_C) ) && \
+#if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
 ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )
 ((void) f_rng);
 ((void) p_rng);
@@ -910,8 +907,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
 }
 else
 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
-#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
 if( mode == MBEDTLS_MODE_CBC )
 {
 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
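Review bot: `MBEDTLS_SSL_SOME_SUITES_USE_CBC` is introduced in ssl_internal.h without a comment saying what it asserts, although it now gates the CBC record paths in ssl_msg.c and sits in an installed header where its name is visible to integrators; a one-line comment above the `#if` would save readers re-deriving the condition, e.g. `/* A CBC-mode ciphersuite can be compiled in: CBC mode is enabled together with at least one block cipher (AES, Camellia, ARIA or DES). */`. The ssl_msg.c conditions being replaced in the -609 and -910 hunks listed only AES, ARIA and Camellia, so a DES-only CBC build now compiles the CBC encrypt path and the dynamic-IV `f_rng` requirement where it previously did not; the commit message treats the old omission as an inconsistency, so this looks intended, but it is a behaviour change for such configurations and deserves an explicit sentence in the commit message. The enclosing mbedtls_ssl_encrypt_buf starts before and ends after both ssl_msg.c hunks.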
@@ -1050,8 +1046,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
 }
 else
-#endif /* MBEDTLS_CIPHER_MODE_CBC &&
- ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@@ -1239,8 +1234,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
 }
 else
 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
-#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
 if( mode == MBEDTLS_MODE_CBC )
 {
 size_t minlen = 0;
@@ -1493,8 +1487,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
 rec->data_len -= padlen;
 }
 else
-#endif /* MBEDTLS_CIPHER_MODE_CBC &&
- ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
From 045f094c815d3fcca45b87f65e7735c6de301f50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 2 Jul 2020 11:34:02 +0200 Subject: [PATCH 13/57] Add dummy constant-flow HMAC function with tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The dummy implementation is not constant-flow at all for now, it's just here as a starting point and a support for developing the tests and putting the infrastructure in place. Depending on the implementation strategy, there might be various corner cases depending on where the lengths fall relative to block boundaries. So it seems safer to just test all possible lengths in a given range than to use only a few randomly-chosen values. 
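Review bot: The replacement `#endif` comment in the `@@ -1050,8 +1046,7 @@` hunk carries an unbalanced parenthesis, `+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */`, whereas the equivalent close in the `@@ -1493,8 +1487,7 @@` hunk reads `#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */`. Change the first to match the second so that both closing comments name exactly the macro their `#if` tests and can be grepped together. Both `mbedtls_ssl_encrypt_buf()` and `mbedtls_ssl_decrypt_buf()` start and end outside these hunks.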
Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_invasive.h | 78 +++++++++++++++++++++++ library/ssl_msg.c | 28 +++++++++ tests/suites/test_suite_ssl.data | 16 +++++ tests/suites/test_suite_ssl.function | 93 ++++++++++++++++++++++++++++ visualc/VS2010/mbedTLS.vcxproj | 1 + 5 files changed, 216 insertions(+) create mode 100644 library/ssl_invasive.h diff --git a/library/ssl_invasive.h b/library/ssl_invasive.h new file mode 100644 index 000000000..9697a91b2 --- /dev/null +++ b/library/ssl_invasive.h 
@@ -0,0 +1,78 @@ +/** + * \file ssl_invasive.h + * + * \brief SSL module: interfaces for invasive testing only. + * + * The interfaces in this file are intended for testing purposes only. + * They SHOULD NOT be made available in library integrations except when + * building the library for testing. + */ +/* + * Copyright (C) 2020, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ +#ifndef MBEDTLS_SSL_INVASIVE_H +#define MBEDTLS_SSL_INVASIVE_H + +#include "common.h" +#include "mbedtls/md.h" + +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ + ( defined(MBEDTLS_SSL_PROTO_TLS1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_1) | \ + defined(MBEDTLS_SSL_PROTO_TLS1_2) ) +/** \brief Compute the HMAC of variable-length data with constant flow. + * + * This function computes the HMAC of the concatenation of \p add_data and \p + * data, and does with a code flow and memory access pattern that does not + * depend on \p data_len_secret, but only on \p min_data_len and \p + * max_data_len. In particular, this function always reads exactly \p + * max_data_len bytes from \p data. + * + * \param ctx The HMAC context. It must have keys configured + * with mbedtls_md_hmac_starts(). It is reset using + * mbedtls_md_hmac_reset() after the computation is + * complete to prepare for the next computation. 
+ * \param add_data The additional data prepended to \p data. This + * must point to a readable buffer of \p add_data_len + * bytes. + * \param add_data_len The length of \p add_data in bytes. + * \param data The data appended to \p add_data. This must point + * to a readable buffer of \p max_data_len bytes. + * \param data_len_secret The length of the data to process in \p data. + * This must be no less than \p min_data_len and no + * greated than \p max_data_len. + * \param min_data_len The minimal length of \p data in bytes. + * \param max_data_len The maximal length of \p data in bytes. + * \param output The HMAC will be written here. This must point to + * a writeable buffer of sufficient size to hold the + * HMAC value. + * + * \retval 0 + * Success. + * \retval MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED + * The hardware accelerator failed. + */ +int mbedtls_ssl_cf_hmac( + mbedtls_md_context_t *ctx, + const unsigned char *add_data, size_t add_data_len, + const unsigned char *data, size_t data_len_secret, + size_t min_data_len, size_t max_data_len, + unsigned char *output ); +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC && TLS 1.0-1.2 */ + +#endif /* MBEDTLS_SSL_INVASIVE_H */ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 083814cfe..7f233cd9f 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -47,6 +47,8 @@ #include "mbedtls/platform_util.h" #include "mbedtls/version.h" +#include "ssl_invasive.h" + #include #if defined(MBEDTLS_USE_PSA_CRYPTO) 
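Review bot: The guard at the top of the new header mixes operators: `defined(MBEDTLS_SSL_PROTO_TLS1_1) | \` uses a bitwise `|` while the adjacent lines, and the matching `#if` before the definition in library/ssl_msg.c in the next hunk, use `||`. Because `defined()` yields 0 or 1 the expression evaluates the same either way, but it reads as a typo and should be `defined(MBEDTLS_SSL_PROTO_TLS1_1) || \`; note that the later `@@ -31,7 +31,8 @@` hunk of this same header keeps the line as context, so the slip survives there too. In the `\param data_len_secret` text, `greated` should be `greater`. The header promises that the function "always reads exactly \p max_data_len bytes from \p data", which the placeholder body in this commit does not yet do; a `\note` along the lines of "Work in progress: the current implementation is not constant-flow" would keep the documentation honest until the real implementation lands.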
@@ -1064,6 +1066,32 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( 0 ); } +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ + ( defined(MBEDTLS_SSL_PROTO_TLS1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_2) ) +/* + * Compute HMAC of variable-length data with constant flow. + */ +int mbedtls_ssl_cf_hmac( + mbedtls_md_context_t *ctx, + const unsigned char *add_data, size_t add_data_len, + const unsigned char *data, size_t data_len_secret, + size_t min_data_len, size_t max_data_len, + unsigned char *output ) +{ + /* WORK IN PROGRESS - THIS IS NOT CONSTANT FLOW AT ALL */ + (void) min_data_len; + (void) max_data_len; + mbedtls_md_hmac_update( ctx, add_data, add_data_len ); + mbedtls_md_hmac_update( ctx, data, data_len_secret ); + mbedtls_md_hmac_finish( ctx, output ); + mbedtls_md_hmac_reset( ctx ); + + return( 0 ); +} +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC && TLS 1.0-1.2 */ + int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, mbedtls_ssl_transform *transform, mbedtls_record *rec ) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index d3158fd4c..35364861a 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
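Review bot: The return codes of `mbedtls_md_hmac_update()`, `mbedtls_md_hmac_finish()` and `mbedtls_md_hmac_reset()` are discarded and the function unconditionally returns 0, yet the header added in this commit documents `MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED` as a possible result — the two cannot both be right. Declaring `int ret;` and checking each call, e.g. `if( ( ret = mbedtls_md_hmac_update( ctx, add_data, add_data_len ) ) != 0 ) return( ret );`, would make even this placeholder honour the documented contract; the same omission is carried into the real implementation in the `@@ -1080,12 +1080,83 @@` hunk later in this series. The `WORK IN PROGRESS` comment could also say what is missing, e.g. `/* WORK IN PROGRESS: only data_len_secret bytes are read, so control flow and memory accesses still depend on the secret length. */`.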
@@ -9504,3 +9504,19 @@ ssl_serialize_session_load_buf_size:42:"data_files/server5.crt" Session serialization, load buffer size: large ticket, cert depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO ssl_serialize_session_load_buf_size:1023:"data_files/server5.crt" + +Constant-flow HMAC: MD5 +depends_on:MBEDTLS_MD5_C +ssl_cf_hmac:MBEDTLS_MD_MD5 + +Constant-flow HMAC: SHA1 +depends_on:MBEDTLS_SHA1_C +ssl_cf_hmac:MBEDTLS_MD_SHA1 + +Constant-flow HMAC: SHA256 +depends_on:MBEDTLS_SHA256_C +ssl_cf_hmac:MBEDTLS_MD_SHA256 + +Constant-flow HMAC: SHA384 +depends_on:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 +ssl_cf_hmac:MBEDTLS_MD_SHA384 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 5cf6e8bd7..711d2d1f0 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -7,6 +7,8 @@ #include #include +#include + typedef struct log_pattern { const char *pattern; 
@@ -4050,3 +4052,94 @@ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation, goto exit; } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2 */ +void ssl_cf_hmac( int hash ) +{ + /* + * Test the function mbedtls_ssl_cf_hmac() against a reference + * implementation. + * + * Note: the dependency is actually on TLS 1.0-1.2 and (AES or ARIA or + * Camellia or DES), but since the test framework doesn't support + * alternation in dependencies, just depend on the most common. + */ + mbedtls_md_context_t ctx, ref_ctx; + const mbedtls_md_info_t *md_info; + size_t out_len, block_size; + size_t min_in_len, in_len, max_in_len, i; + /* TLS additional data is 13 bytes (hence the "lucky 13" name) */ + unsigned char add_data[13]; + unsigned char ref_out[MBEDTLS_MD_MAX_SIZE]; + unsigned char *data = NULL; + unsigned char *out = NULL; + unsigned char rec_num = 0; + + mbedtls_md_init( &ctx ); + mbedtls_md_init( &ref_ctx ); + + md_info = mbedtls_md_info_from_type( hash ); + TEST_ASSERT( md_info != NULL ); + out_len = mbedtls_md_get_size( md_info ); + TEST_ASSERT( out_len != 0 ); + block_size = hash == MBEDTLS_MD_SHA384 ? 128 : 64; + + /* Use allocated out buffer to catch overwrites */ + ASSERT_ALLOC( out, out_len ); + + /* Set up contexts with the given hash and a dummy key */ + TEST_EQUAL( 0, mbedtls_md_setup( &ctx, md_info, 1 ) ); + TEST_EQUAL( 0, mbedtls_md_setup( &ref_ctx, md_info, 1 ) ); + memset( ref_out, 42, sizeof( ref_out ) ); + TEST_EQUAL( 0, mbedtls_md_hmac_starts( &ctx, ref_out, out_len ) ); + TEST_EQUAL( 0, mbedtls_md_hmac_starts( &ref_ctx, ref_out, out_len ) ); + memset( ref_out, 0, sizeof( ref_out ) ); + + /* + * Test all possible lengths up to a point. The difference between + * max_in_len and min_in_len is at most 255, and make sure they both vary + * by at least one block size. 
+ */ + for( max_in_len = 0; max_in_len <= 255 + block_size; max_in_len++ ) + { + /* Use allocated in buffer to catch overreads */ + ASSERT_ALLOC( data, max_in_len != 0 ? max_in_len : 1 ); + + min_in_len = max_in_len > 255 ? max_in_len - 255 : 0; + for( in_len = min_in_len; in_len <= max_in_len; in_len++ ) + { + /* Set up dummy data and add_data */ + rec_num++; + memset( add_data, rec_num, sizeof( add_data ) ); + for( i = 0; i < in_len; i++ ) + data[i] = ( i & 0xff ) ^ rec_num; + + /* Get the function's result */ + TEST_EQUAL( 0, mbedtls_ssl_cf_hmac( &ctx, add_data, sizeof( add_data ), + data, in_len, + min_in_len, max_in_len, + out ) ); + + /* Compute the reference result */ + TEST_EQUAL( 0, mbedtls_md_hmac_update( &ref_ctx, add_data, + sizeof( add_data ) ) ); + TEST_EQUAL( 0, mbedtls_md_hmac_update( &ref_ctx, data, in_len ) ); + TEST_EQUAL( 0, mbedtls_md_hmac_finish( &ref_ctx, ref_out ) ); + TEST_EQUAL( 0, mbedtls_md_hmac_reset( &ref_ctx ) ); + + /* Compare */ + ASSERT_COMPARE( out, out_len, ref_out, out_len ); + } + + mbedtls_free( data ); + data = NULL; + } + +exit: + mbedtls_md_free( &ref_ctx ); + mbedtls_md_free( &ctx ); + + mbedtls_free( data ); + mbedtls_free( out ); +} +/* END_CASE */ diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index 4422b7a2d..15eb6b583 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -245,6 +245,7 @@ + From 8aa29e382fc799bd26d4c384d866adcb01c5d714 Mon Sep 17 00:00:00 2001 
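Review bot: `block_size = hash == MBEDTLS_MD_SHA384 ? 128 : 64;` hard-codes the hash's compression-block size with no comment, so a future test case with another 128-byte-block hash (SHA-512, for instance) would silently get the wrong bound without any assertion firing. A comment such as `/* Compression block size: 128 bytes for SHA-384, 64 for MD5/SHA-1/SHA-256, the only hashes this case is run with */` states the assumption, and a `TEST_ASSERT` restricting `hash` to those four types would enforce it. It is also worth saying in the function comment that this test checks only that the output matches the reference HMAC — it cannot observe the constant-flow property the function is named for, which the commit message acknowledges and later commits in the series address.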
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 7 Jul 2020 12:30:39 +0200 Subject: [PATCH 14/57] Use existing implementation of cf_hmac() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Just move code from ssl_decrypt_buf() to the new cf_hmac() function and then call cf_hmac() from there. This makes the new cf_hmac() function used, opening the door for making it static in the next commit. It also validates that its interface works for using it in ssl_decrypt_buf(). Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 167 +++++++++++++++++++++++----------------------- 1 file changed, 82 insertions(+), 85 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 7f233cd9f..3c1a01e42 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -322,7 +322,7 @@ int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL; defined(MBEDTLS_SSL_PROTO_TLS1_2) ) /* This function makes sure every byte in the memory region is accessed * (in ascending addresses order) */ -static void ssl_read_memory( unsigned char *p, size_t len ) +static void ssl_read_memory( const unsigned char *p, size_t len ) { unsigned char acc = 0; volatile unsigned char force; 
@@ -1080,12 +1080,83 @@ int mbedtls_ssl_cf_hmac( size_t min_data_len, size_t max_data_len, unsigned char *output ) { - /* WORK IN PROGRESS - THIS IS NOT CONSTANT FLOW AT ALL */ - (void) min_data_len; - (void) max_data_len; + /* WORK IN PROGRESS - THIS IS ONLY PSEUDO-CONTANT-TIME */ + + /* + * Process MAC and always update for padlen afterwards to make + * total time independent of padlen. + * + * Known timing attacks: + * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf) + * + * To compensate for different timings for the MAC calculation + * depending on how much padding was removed (which is determined + * by padlen), process extra_run more blocks through the hash + * function. + * + * The formula in the paper is + * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 ) + * where L1 is the size of the header plus the decrypted message + * plus CBC padding and L2 is the size of the header plus the + * decrypted message. This is for an underlying hash function + * with 64-byte blocks. + * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values + * correctly. We round down instead of up, so -56 is the correct + * value for our calculations instead of -55. + * + * Repeat the formula rather than defining a block_size variable. + * This avoids requiring division by a variable at runtime + * (which would be marginally less efficient and would require + * linking an extra division function in some builds). 
+ */ + size_t j, extra_run = 0; + /* This size is enough to server either as input to + * md_process() or as output to md_finish() */ + unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE]; + + memset( tmp, 0, sizeof( tmp ) ); + + switch( mbedtls_md_get_type( ctx->md_info ) ) + { +#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \ +defined(MBEDTLS_SHA256_C) + case MBEDTLS_MD_MD5: + case MBEDTLS_MD_SHA1: + case MBEDTLS_MD_SHA256: + /* 8 bytes of message size, 64-byte compression blocks */ + extra_run = ( add_data_len + max_data_len + 8 ) / 64 - + ( add_data_len + data_len_secret + 8 ) / 64; + break; +#endif +#if defined(MBEDTLS_SHA512_C) + case MBEDTLS_MD_SHA384: + /* 16 bytes of message size, 128-byte compression blocks */ + extra_run = ( add_data_len + max_data_len + 16 ) / 128 - + ( add_data_len + data_len_secret + 16 ) / 128; + break; +#endif + default: + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + mbedtls_md_hmac_update( ctx, add_data, add_data_len ); mbedtls_md_hmac_update( ctx, data, data_len_secret ); + /* Make sure we access everything even when padlen > 0. This + * makes the synchronisation requirements for just-in-time + * Prime+Probe attacks much tighter and hopefully impractical. */ + ssl_read_memory( data + min_data_len, max_data_len - min_data_len ); mbedtls_md_hmac_finish( ctx, output ); + + /* Dummy calls to compression function. + * Call mbedtls_md_process at least once due to cache attacks + * that observe whether md_process() was called of not. + * Respect the usual start-(process|update)-finish sequence for + * the sake of hardware accelerators that might require it. */ + mbedtls_md_starts( ctx ); + for( j = 0; j < extra_run + 1; j++ ) + mbedtls_md_process( ctx, tmp ); + mbedtls_md_finish( ctx, tmp ); + mbedtls_md_hmac_reset( ctx ); return( 0 ); 
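Review bot: The `extra_run &= correct * 0xFF;` masking that the old code applied inside `mbedtls_ssl_decrypt_buf()` (removed in the `@@ -1612,58 +1651,16 @@` hunk) has no counterpart in the new function, so the number of dummy compression calls no longer depends on whether the padding check passed. If `padlen` is already forced to zero on a failed padding check before `max_len` is computed, `extra_run` comes out as 0 and nothing changes, but that is not visible in this diff and the commit message describes the change as a pure move; a sentence in the function comment saying why the mask is no longer needed would close the gap. Two typos travel with the moved comment: `PSEUDO-CONTANT-TIME` should be `PSEUDO-CONSTANT-TIME` and `enough to server` should be `enough to serve`. The md calls' return values remain unchecked here as well.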
@@ -1567,38 +1638,6 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, defined(MBEDTLS_SSL_PROTO_TLS1_2) if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) { - /* - * Process MAC and always update for padlen afterwards to make - * total time independent of padlen. - * - * Known timing attacks: - * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf) - * - * To compensate for different timings for the MAC calculation - * depending on how much padding was removed (which is determined - * by padlen), process extra_run more blocks through the hash - * function. - * - * The formula in the paper is - * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 ) - * where L1 is the size of the header plus the decrypted message - * plus CBC padding and L2 is the size of the header plus the - * decrypted message. This is for an underlying hash function - * with 64-byte blocks. - * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values - * correctly. We round down instead of up, so -56 is the correct - * value for our calculations instead of -55. - * - * Repeat the formula rather than defining a block_size variable. - * This avoids requiring division by a variable at runtime - * (which would be marginally less efficient and would require - * linking an extra division function in some builds). - */ - size_t j, extra_run = 0; - /* This size is enough to server either as input to - * md_process() or as output to md_finish() */ - unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE]; - /* * The next two sizes are the minimum and maximum values of * in_msglen over all padlen values. 
@@ -1612,58 +1651,16 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, const size_t max_len = rec->data_len + padlen; const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0; - memset( tmp, 0, sizeof( tmp ) ); - - switch( mbedtls_md_get_type( transform->md_ctx_dec.md_info ) ) + ret = mbedtls_ssl_cf_hmac( &transform->md_ctx_dec, + add_data, add_data_len, + data, rec->data_len, min_len, max_len, + mac_expect ); + if( ret != 0 ) { -#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \ - defined(MBEDTLS_SHA256_C) - case MBEDTLS_MD_MD5: - case MBEDTLS_MD_SHA1: - case MBEDTLS_MD_SHA256: - /* 8 bytes of message size, 64-byte compression blocks */ - extra_run = - ( add_data_len + rec->data_len + padlen + 8 ) / 64 - - ( add_data_len + rec->data_len + 8 ) / 64; - break; -#endif -#if defined(MBEDTLS_SHA512_C) - case MBEDTLS_MD_SHA384: - /* 16 bytes of message size, 128-byte compression blocks */ - extra_run = - ( add_data_len + rec->data_len + padlen + 16 ) / 128 - - ( add_data_len + rec->data_len + 16 ) / 128; - break; -#endif - default: - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret ); + return( ret ); } - extra_run &= correct * 0xFF; - - mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data, - add_data_len ); - mbedtls_md_hmac_update( &transform->md_ctx_dec, data, - rec->data_len ); - /* Make sure we access everything even when padlen > 0. This - * makes the synchronisation requirements for just-in-time - * Prime+Probe attacks much tighter and hopefully impractical. */ - ssl_read_memory( data + rec->data_len, padlen ); - mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect ); - - /* Dummy calls to compression function. - * Call mbedtls_md_process at least once due to cache attacks - * that observe whether md_process() was called of not. 
- * Respect the usual start-(process|update)-finish sequence for - * the sake of hardware accelerators that might require it. */ - mbedtls_md_starts( &transform->md_ctx_dec ); - for( j = 0; j < extra_run + 1; j++ ) - mbedtls_md_process( &transform->md_ctx_dec, tmp ); - mbedtls_md_finish( &transform->md_ctx_dec, tmp ); - - mbedtls_md_hmac_reset( &transform->md_ctx_dec ); - /* Make sure we access all the memory that could contain the MAC, * before we check it in the next code block. This makes the * synchronisation requirements for just-in-time Prime+Probe From 65a6fa3e2669cb02af5399d0f60b5bed3e62a9be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 9 Jul 2020 09:52:17 +0200 Subject: [PATCH 15/57] Make cf_hmac() STATIC_TESTABLE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The test function now depends on MBEDTLS_TEST_HOOKS, which is enabled by config.py full, and since there are already components in all.sh exercising the full config, this test function is sill exercised even with this new dependency. Since this is the first time a test function depends on MBEDTLS_TEST_HOOKS, fix a bug in check-names.sh that wasn't apparent so far: headers from library/*.h were not considered when looking for macro definitions. This became apparent because MBEDTLS_STATIC_TESTABLE is defined in library/common.h and started being used in library/ssl_msg.c, so was flagged as a likely typo. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_invasive.h | 5 +++-- library/ssl_msg.c | 2 +- tests/scripts/check-names.sh | 1 + tests/scripts/list-macros.sh | 1 + tests/suites/test_suite_ssl.function | 2 +- 5 files changed, 7 insertions(+), 4 deletions(-) diff --git a/library/ssl_invasive.h b/library/ssl_invasive.h index 9697a91b2..f40f0d4f5 100644 --- a/library/ssl_invasive.h +++ b/library/ssl_invasive.h 
@@ -31,7 +31,8 @@ #include "common.h" #include "mbedtls/md.h" -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ +#if defined(MBEDTLS_TEST_HOOKS) && \ + defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ ( defined(MBEDTLS_SSL_PROTO_TLS1) || \ defined(MBEDTLS_SSL_PROTO_TLS1_1) | \ defined(MBEDTLS_SSL_PROTO_TLS1_2) ) @@ -73,6 +74,6 @@ int mbedtls_ssl_cf_hmac( const unsigned char *data, size_t data_len_secret, size_t min_data_len, size_t max_data_len, unsigned char *output ); -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC && TLS 1.0-1.2 */ +#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_SSL_SOME_SUITES_USE_CBC && TLS 1.0-1.2 */ #endif /* MBEDTLS_SSL_INVASIVE_H */ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 3c1a01e42..d77b65843 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1073,7 +1073,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, /* * Compute HMAC of variable-length data with constant flow. */ -int mbedtls_ssl_cf_hmac( +MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( mbedtls_md_context_t *ctx, const unsigned char *add_data, size_t add_data_len, const unsigned char *data, size_t data_len_secret, diff --git a/tests/scripts/check-names.sh b/tests/scripts/check-names.sh index e2019ccad..1a8253c80 100755 --- a/tests/scripts/check-names.sh +++ b/tests/scripts/check-names.sh @@ -98,6 +98,7 @@ done printf "Likely typos: " sort -u actual-macros enum-consts > _caps HEADERS=$( ls include/mbedtls/*.h include/psa/*.h | egrep -v 'compat-1\.3\.h' ) +HEADERS="$HEADERS library/*.h" HEADERS="$HEADERS 3rdparty/everest/include/everest/everest.h 3rdparty/everest/include/everest/x25519.h" LIBRARY="$( ls library/*.c )" LIBRARY="$LIBRARY 3rdparty/everest/library/everest.c 3rdparty/everest/library/x25519.c" diff --git a/tests/scripts/list-macros.sh b/tests/scripts/list-macros.sh index 786aef925..cf6afc5a0 100755 --- a/tests/scripts/list-macros.sh +++ b/tests/scripts/list-macros.sh 
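Review bot: In tests/scripts/check-names.sh, `HEADERS="$HEADERS library/*.h"` stores the glob literally — inside double quotes it is not expanded at assignment — so it only works because `$HEADERS` is later expanded unquoted, as list-macros.sh visibly does in its `sed ... $HEADERS` line; the consumers in check-names.sh are outside this hunk, so I could not confirm the same there. If any consumer quotes `"$HEADERS"`, the literal `library/*.h` will be passed on as a filename, which differs from the existing `$( ls ... )` lines that expand eagerly; a comment such as `# glob expands when $HEADERS is used unquoted below` would record the dependency. In the `@@ -31,7 +31,8 @@` hunk of library/ssl_invasive.h the context line `defined(MBEDTLS_SSL_PROTO_TLS1_1) | \` still carries a single `|` where the surrounding lines use `||`; since the adjacent lines are being edited anyway, this is the moment to make it `||`.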
@@ -25,6 +25,7 @@ if [ -d include/mbedtls ]; then :; else fi HEADERS=$( ls include/mbedtls/*.h include/psa/*.h | egrep -v 'compat-1\.3\.h' ) +HEADERS="$HEADERS library/*.h" HEADERS="$HEADERS 3rdparty/everest/include/everest/everest.h 3rdparty/everest/include/everest/x25519.h" sed -n -e 's/.*#define \([a-zA-Z0-9_]*\).*/\1/p' $HEADERS \ diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 711d2d1f0..a0e72dd38 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4053,7 +4053,7 @@ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2 */ +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_TEST_HOOKS */ void ssl_cf_hmac( int hash ) { /* From 6240defd17f23c636db24caf36a4ebf975585ecb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 10 Jul 2020 09:35:54 +0200 Subject: [PATCH 16/57] Add MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This option allows to test the constant-flow nature of selected code, using MemSan and the fundamental observation behind ctgrind that the set of operations allowed on undefined memory by dynamic analysers is the same as the set of operations allowed on secret data to avoid leaking it to a local attacker via side channels, namely, any operation except branching and dereferencing. (This isn't the full story, as on some CPUs some instructions have variable execution depending on the inputs, most notably division and on some cores multiplication. However, testing that no branch or memory access depends on secret data is already a good start.) 
Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 10 ++++++ include/mbedtls/config.h | 13 ++++++++ library/version_features.c | 3 ++ programs/test/query_config.c | 8 +++++ scripts/config.py | 1 + tests/include/test/constant_flow.h | 51 ++++++++++++++++++++++++++++++ tests/scripts/all.sh | 12 +++++++ visualc/VS2010/mbedTLS.vcxproj | 1 + 8 files changed, 99 insertions(+) create mode 100644 tests/include/test/constant_flow.h diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index f2148a8b5..15cc21b64 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -186,6 +186,16 @@ #error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites" #endif +#if defined(__has_feature) +#if __has_feature(memory_sanitizer) +#define MBEDTLS_HAS_MEMSAN +#endif +#endif +#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) && !defined(MBEDTLS_HAS_MEMSAN) +#error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer" +#endif +#undef MBEDTLS_HAS_MEMSAN + #if defined(MBEDTLS_TEST_NULL_ENTROPY) && \ ( !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) ) #error "MBEDTLS_TEST_NULL_ENTROPY defined, but not all prerequisites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index e00c546e5..124c597b6 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1906,6 +1906,19 @@ */ //#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +/** + * \def MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN + * + * Enable testing of the constant-flow nature of some sensitive functions with + * clang's MemorySanitizer. This causes some existing tests to also test + * non-functional properties of the code under test. + * + * This setting requires compiling with clang -fsanitize=memory. + * + * Uncomment to enable testing of the constant-flow nature of seletected code. + */ +//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN + /** * \def MBEDTLS_TEST_HOOKS * 
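Review bot: The new `MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN` documentation in include/mbedtls/config.h has a typo, `seletected`; the line should read `Uncomment to enable testing of the constant-flow nature of selected code.`. In include/mbedtls/check_config.h the probe macro `MBEDTLS_HAS_MEMSAN` is defined only to be `#undef`'d a few lines later, which is correct but unexplained; a comment above the `#if defined(__has_feature)` such as `/* Temporary probe for clang's MemorySanitizer; undefined below so it does not leak into the configuration namespace. */` would say why. The `#error` text could also name the actual switch the user has to pass, mirroring the config.h wording: `#error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires compiling with clang -fsanitize=memory"`.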
diff --git a/library/version_features.c b/library/version_features.c index 64e9e86db..2470d8d1d 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -557,6 +557,9 @@ static const char * const features[] = { #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH", #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ +#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) + "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN", +#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */ #if defined(MBEDTLS_TEST_HOOKS) "MBEDTLS_TEST_HOOKS", #endif /* MBEDTLS_TEST_HOOKS */ diff --git a/programs/test/query_config.c b/programs/test/query_config.c index 98b065bfe..23dc51512 100644 --- a/programs/test/query_config.c +++ b/programs/test/query_config.c @@ -1538,6 +1538,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ +#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) + if( strcmp( "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN ); + return( 0 ); + } +#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */ + #if defined(MBEDTLS_TEST_HOOKS) if( strcmp( "MBEDTLS_TEST_HOOKS", config ) == 0 ) { diff --git a/scripts/config.py b/scripts/config.py index 3d297dc3d..793e9dfa7 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -194,6 +194,7 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS 'MBEDTLS_SHA512_NO_SHA384', # removes a feature 'MBEDTLS_SSL_HW_RECORD_ACCEL', # build dependency (hook functions) + 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan) 'MBEDTLS_TEST_NULL_ENTROPY', # removes a feature 'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION', # influences the use of X.509 in TLS 'MBEDTLS_ZLIB_SUPPORT', # build dependency (libz) diff --git a/tests/include/test/constant_flow.h b/tests/include/test/constant_flow.h new file mode 100644 index 000000000..98bee7e48 --- /dev/null 
+++ b/tests/include/test/constant_flow.h @@ -0,0 +1,51 @@ +/** + * \file constant_flow.h + * + * \brief This file contains tools to ensure tested code has constant flow. + */ + +/* + * Copyright (C) 2020, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#ifndef TEST_CONSTANT_FLOW_H +#define TEST_CONSTANT_FLOW_H + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) +#include + +/* Use macros to avoid messing up with origin tracking */ +#define TEST_CF_SECRET __msan_allocated_memory +// void __msan_allocated_memory(const volatile void* data, size_t size); +#define TEST_CF_PUBLIC __msan_unpoison +// void __msan_unpoison(const volatile void *a, size_t size); + +#else /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */ + +#define TEST_CF_SECRET(ptr, size) +#define TEST_CF_PUBLIC(ptr, size) + +#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */ + +#endif /* TEST_CONSTANT_FLOW_H */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index ec61d1962..9c9247f8f 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
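Review bot: The two prototype reminders `// void __msan_allocated_memory(...)` and `// void __msan_unpoison(...)` are the only `//` comments in a header that otherwise uses `/* */` throughout; folding them into the preceding block comment keeps the file consistent with the rest of the tree. That comment is also the natural place to say what the two macros mean to a test author: `TEST_CF_SECRET(ptr, size)` marks a buffer as secret — under MemSan it is treated as uninitialized, so any branch or memory index derived from it is reported, which is the ctgrind observation the commit message describes — and `TEST_CF_PUBLIC(ptr, size)` declassifies it again; outside a MemSan build both expand to nothing. The `#include` target inside the MemSan branch appears to have been lost in this rendering of the patch, so it cannot be checked here.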
@@ -1074,6 +1074,18 @@ component_test_full_cmake_clang () { if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' } +component_test_memsan_constant_flow () { + msg "build: cmake memsan, full config with constant flow testing" + scripts/config.py full + scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN + scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm + CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . + make + + msg "test: main suites (memsan constant flow)" + make test +} + component_test_default_no_deprecated () { # Test that removing the deprecated features from the default # configuration leaves something consistent. diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index 15eb6b583..578289f17 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -232,6 +232,7 @@ + From a321413807927d6e295cec8677733bbde6aeec34 Mon Sep 17 00:00:00 2001 From: gabor-mezei-arm Date: Wed, 15 Jul 2020 10:55:00 +0200 Subject: [PATCH 17/57] Zeroising of plaintext buffers to erase unused application data from memory Signed-off-by: gabor-mezei-arm --- ChangeLog.d/zeroising_of_plaintext_buffer.txt | 4 ++++ library/ssl_msg.c | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 ChangeLog.d/zeroising_of_plaintext_buffer.txt diff --git a/ChangeLog.d/zeroising_of_plaintext_buffer.txt b/ChangeLog.d/zeroising_of_plaintext_buffer.txt new file mode 100644 index 000000000..d7dee29a4 --- /dev/null +++ b/ChangeLog.d/zeroising_of_plaintext_buffer.txt @@ -0,0 +1,4 @@ +Security + * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused + application data from memory. Reported in #689 by + Johan Uppman Bruce of Sectra. \ No newline at end of file diff --git a/library/ssl_msg.c b/library/ssl_msg.c index d32afac56..be1733680 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
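Review bot: The component relies on `scripts/config.py full` to turn on `MBEDTLS_TEST_HOOKS`, without which the `ssl_cf_hmac` test this option exists for is skipped (that dependency was added in an earlier test_suite_ssl.function hunk of this series), but nothing in the component records that. A comment on the `full` line, `# full config enables MBEDTLS_TEST_HOOKS, needed by the constant-flow tests`, or an explicit `scripts/config.py set MBEDTLS_TEST_HOOKS` after it, would make the dependency visible and robust to future changes of the full profile.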
@@ -5581,6 +5581,10 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) memcpy( buf, ssl->in_offt, n ); ssl->in_msglen -= n; + /* Zeroising the plaintext buffer to erase unused application data + from the memory. */ + mbedtls_platform_zeroize( ssl->in_offt, n ); + if( ssl->in_msglen == 0 ) { /* all bytes consumed */ From e288ec06515c80ef4c8d9048683d8d296d97a99d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 16 Jul 2020 09:23:30 +0200 Subject: [PATCH 18/57] Fix memory leak on error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/rsa.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/rsa.c b/library/rsa.c index 782df036b..1f53708b2 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -800,7 +800,10 @@ static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, /* Unblinding value: Vf = random number, invertible mod N */ do { if( count++ > 10 ) - return( MBEDTLS_ERR_RSA_RNG_FAILED ); + { + ret = MBEDTLS_ERR_RSA_RNG_FAILED; + goto cleanup; + } MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) ); From 4adc04a8a3a27874213c0ccb04a14514ea5a0ab3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 16 Jul 2020 10:00:48 +0200 Subject: [PATCH 19/57] Give a constant a name in test function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_ssl.function | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 40ab19d55..36023dd0b 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
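Review bot: The new comment describes the zeroized bytes as "unused application data", but the `n` bytes at `ssl->in_offt` are exactly the bytes just copied to the caller, so the wording says the opposite of what happens; I would write `/* Zeroize the bytes just handed to the application so that plaintext does not linger in the record buffer after it has been consumed. */`. mbedtls_platform_zeroize is the right primitive here, since a plain memset on a buffer that is about to be reused could be elided by the compiler. Bytes not yet consumed necessarily stay in the buffer until a later call delivers them, which appears intended; the enclosing function continues outside the hunk.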
@@ -3475,6 +3475,7 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, unsigned char add_data[13]; unsigned char mac[MBEDTLS_MD_MAX_SIZE]; int exp_ret; + const unsigned char pad_max_len = 255; /* Per the standard */ mbedtls_ssl_init( &ssl ); mbedtls_ssl_transform_init( &t0 ); @@ -3492,7 +3493,7 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, if( padlen == block_size ) padlen = 0; if( pad_long ) - padlen += block_size * ( ( 255 - padlen ) / block_size ); + padlen += block_size * ( ( pad_max_len - padlen ) / block_size ); /* Prepare a buffer for record data */ buflen = block_size @@ -3606,7 +3607,7 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, * (Start the loop with correct padding, just to double-check that record * saving did work, and that we're overwriting the correct bytes.) */ - for( i = padlen; i <= 255; i++ ) + for( i = padlen; i <= pad_max_len; i++ ) { test_set_step( i ); From 3c57ccd7776ad17ebbe031633bb6ac1af4017a05 Mon Sep 17 00:00:00 2001 From: gabor-mezei-arm Date: Thu, 16 Jul 2020 10:19:18 +0200 Subject: [PATCH 20/57] Add missing newline Signed-off-by: gabor-mezei-arm --- ChangeLog.d/zeroising_of_plaintext_buffer.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/zeroising_of_plaintext_buffer.txt b/ChangeLog.d/zeroising_of_plaintext_buffer.txt index d7dee29a4..f618beb91 100644 --- a/ChangeLog.d/zeroising_of_plaintext_buffer.txt +++ b/ChangeLog.d/zeroising_of_plaintext_buffer.txt @@ -1,4 +1,4 @@ Security * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused application data from memory. Reported in #689 by - Johan Uppman Bruce of Sectra. \ No newline at end of file + Johan Uppman Bruce of Sectra. From 7868396e78fdf761f0e7fce231aff4d4c30899a3 Mon Sep 17 00:00:00 2001 
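Review bot: `const unsigned char pad_max_len = 255; /* Per the standard */` still leaves the reader guessing which standard and why 255; since the padding_length field of a TLS block-cipher record is a single byte, `/* padding_length is a uint8 in TLS (RFC 5246 section 6.2.3.2), so 255 is the largest value it can carry */` says what the constant is. The loop `for( i = padlen; i <= pad_max_len; i++ )` in the third hunk only terminates if `i` is wider than unsigned char, and `i` is declared outside the hunk, so that is worth a glance. The enclosing function ssl_decrypt_non_etm_cbc starts outside the hunk.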
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 16 Jul 2020 09:48:54 +0200 Subject: [PATCH 21/57] Clarify some comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/rsa.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 1f53708b2..e6f863b00 100644 --- a/library/rsa.c +++ b/library/rsa.c 
@@ -807,25 +807,27 @@ static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) ); - /* Compute the Vf^1 as R * (R Vf)^-1 to avoid leaks from inv_mod. - * There's a negligible but non-zero probability that R is not - * invertible mod N, in that case we'd just loop one more time, - * just as if Vf itself wasn't invertible - no need to distinguish. */ + /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); + /* At this point, Vi is invertible mod N if and only if both Vf and R + * are invertible mod N. If one of them isn't, we don't need to know + * which one, we just loop and choose new values for both of them. + * (Each iteration succeeds with overwhelming probability.) */ ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N ); if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE ) continue; if( ret != 0 ) goto cleanup; + /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); } while( 0 ); - /* Blinding value: Vi = Vf^(-e) mod N + /* Blinding value: Vi = Vf^(-e) mod N * (Vi already contains Vf^-1 at this point) */ MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) ); From b2281e1cf02455b1675ab66f6345bb0e6b726466 Mon Sep 17 00:00:00 2001 
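Review bot: The new comment promises "we just loop and choose new values for both of them", but the control flow does not do that: `continue` inside a `do { ... } while( 0 );` jumps to the loop test, which is false, so the loop exits on the first non-invertible draw with Vi holding R*Vf rather than its inverse, and the `mbedtls_mpi_exp_mod` call right after overwrites `ret`, so the function reports success with an unusable blinding value. The probability is negligible for a well-formed RSA modulus, but the code should match the comment; changing the loop tail to `} while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );` makes the `continue` retry as intended, and the final MBEDTLS_MPI_CHK leaves `ret == 0` on the success path so the loop still ends. The `do {` that opens this loop, and the retry counter that bounds it, are outside the hunk.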
From: Gilles Peskine Date: Thu, 16 Jul 2020 18:18:22 +0200 Subject: [PATCH 22/57] x509parse_crl: more negative test cases Add a few more negative test cases for mbedtls_x509_crl_parse. The test data is manually adapted from the existing positive test case "X509 CRL ASN1 (TBSCertList, sig present)" which decomposes as 305c 3047 tbsCertList TBSCertList 020100 version INTEGER OPTIONAL 300d signatureAlgorithm AlgorithmIdentifier 06092a864886f70d01010e 0500 300f issuer Name 310d300b0603550403130441424344 170c303930313031303030303030 thisUpdate Time 3014 revokedCertificates 3012 entry 1 8202abcd userCertificate CertificateSerialNumber 170c303831323331323335393539 revocationDate Time 300d signatureAlgorithm AlgorithmIdentifier 06092a864886f70d01010e 0500 03020001 signatureValue BIT STRING Signed-off-by: Gilles Peskine --- tests/suites/test_suite_x509parse.data | 32 ++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index d5f538b22..cb530c729 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -2104,6 +2104,38 @@ X509 CRL ASN1 (TBSCertList, sig present, len mismatch) depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crl:"305d3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e05000302000100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +X509 CRL ASN1 (TBSCertList, signatureValue missing) +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C +x509parse_crl:"30583047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e0500":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA + +X509 CRL ASN1 (TBSCertList, signatureAlgorithm missing) +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C +x509parse_crl:"30493047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA + +X509 CRL ASN1 (TBSCertList, single empty entry at end) +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C +x509parse_crl:"30373035020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c30393031303130303030303030023000":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_OUT_OF_DATA + +X509 CRL ASN1 (TBSCertList, good entry then empty entry at end) +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C +x509parse_crl:"304b3049020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301630128202abcd170c3038313233313233353935393000":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_OUT_OF_DATA + +X509 CRL ASN1 (TBSCertList, missing time in entry) +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C 
+x509parse_crl:"304e3039020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300630048202abcd300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA + +X509 CRL ASN1 (TBSCertList, missing time in entry at end) +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C +x509parse_crl:"303b3039020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300630048202abcd":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA + +X509 CRL ASN1 (TBSCertList, invalid tag for time in entry) +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C +x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd190c303831323331323335393539300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +X509 CRL ASN1 (TBSCertList, invalid tag for serial) +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C +x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128402abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + X509 CRL ASN1 (TBSCertList, sig present) depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nserial number\: AB\:CD revocation date\: 2008-12-31 23\:59\:59\nsigned using \: RSA with SHA-224\n":0 From 5dd5a491dab7c344621a46d68b58d347ed224074 Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Thu, 16 Jul 2020 18:26:29 +0200 Subject: [PATCH 23/57] x509_crl_parse: fix 1-byte buffer overflow and entry->raw.tag In the entries (mbedtls_x509_crl_entry values) on the list constructed by mbedtls_x509_crl_parse_der(), set entry->raw.tag to (SEQUENCE | CONSTRUCTED) rather than to the tag of the first ASN.1 element of the entry (which happens to be the tag of the serial number, so INTEGER or INTEGER | CONTEXT_SPECIFIC). This is doesn't really matter in practice (and in particular the value is never used in Mbed TLS itself), and isn't documented, but at least it's consistent with how mbedtls_x509_buf is normally used. The primary importance of this change is that the old code tried to access the tag of the first element of the entry even when the entry happened to be empty. If the entry was empty and not followed by anything else in the CRL, this could cause a read 1 byte after the end of the buffer containing the CRL. The test case "X509 CRL ASN1 (TBSCertList, single empty entry at end)" hit the problematic buffer overflow, which is detected with ASan. Credit to OSS-Fuzz for detecting the problem. Signed-off-by: Gilles Peskine --- ChangeLog.d/x509parse_crl-empty_entry.txt | 4 ++++ library/x509_crl.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 ChangeLog.d/x509parse_crl-empty_entry.txt diff --git a/ChangeLog.d/x509parse_crl-empty_entry.txt b/ChangeLog.d/x509parse_crl-empty_entry.txt new file mode 100644 index 000000000..483abb10a --- /dev/null +++ b/ChangeLog.d/x509parse_crl-empty_entry.txt @@ -0,0 +1,4 @@ +Security + * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). + Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine + for pinpointing the problematic code. diff --git a/library/x509_crl.c b/library/x509_crl.c index 371c446be..67eb5c1a1 100644 --- a/library/x509_crl.c +++ b/library/x509_crl.c 
@@ -259,13 +259,13 @@ static int x509_get_entries( unsigned char **p,
 size_t len2;
 const unsigned char *end2;
 
+ cur_entry->raw.tag = **p;
 if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
 MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
 {
 return( ret );
 }
 
- cur_entry->raw.tag = **p;
 cur_entry->raw.p = *p;
 cur_entry->raw.len = len2;
 end2 = *p + len2;
From 864abbff4eb3b54bc1cdf2713a607c8d3478baee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 21 Jul 2020 10:37:14 +0200 Subject: [PATCH 24/57] Rework how lengths are expressed in CBC test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is hopefully more readable in the .data file. Signed-off-by: Manuel Pégourié-Gonnard
--- tests/suites/test_suite_ssl.data | 1025 +++++++++++++------------- tests/suites/test_suite_ssl.function | 38 +- 2 files changed, 543 insertions(+), 520 deletions(-)
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 180e76aac..50bf49d60 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
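Review bot: The moved line `cur_entry->raw.tag = **p;` now reads a byte before `mbedtls_asn1_get_tag()` has checked that any byte is available, so its safety rests entirely on the enclosing loop (outside this hunk) only entering with `*p < end`; that dependency deserves a comment, e.g. `/* *p < end holds here by the loop condition, so the tag byte is in bounds */`. Since the tag has to be SEQUENCE | CONSTRUCTED for the call to succeed, the read could be avoided altogether by assigning `cur_entry->raw.tag = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;` after the check, next to `raw.p` and `raw.len`, which also matches the intent stated in the commit message. The function x509_get_entries starts outside the hunk.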
@@ -9374,1029 +9374,1030 @@ Record crypt, little space, NULL cipher, SSL3, MD5, short tag, EtM depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_MD5_C:MBEDTLS_SSL_ENCRYPT_THEN_MAC ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:1:MBEDTLS_SSL_MINOR_VERSION_0:0:0 -Decrypt CBC !EtM, AES MD5 !trunc, 0, minpad +Decrypt CBC !EtM, AES MD5 !trunc, empty plaintext, minpad depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:-1 -Decrypt CBC !EtM, AES MD5 !trunc, 0, maxpad +Decrypt CBC !EtM, AES MD5 !trunc, empty plaintext, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:-2 -Decrypt CBC !EtM, AES MD5 trunc, 0, minpad +Decrypt CBC !EtM, AES MD5 trunc, empty plaintext, minpad depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:-1 -Decrypt CBC !EtM, AES MD5 trunc, 0, maxpad +Decrypt CBC !EtM, AES MD5 trunc, empty plaintext, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:-2 -Decrypt CBC !EtM, AES MD5 !trunc, 1, minpad +Decrypt CBC !EtM, AES MD5 !trunc, padlen=0 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0 -Decrypt CBC !EtM, AES MD5 !trunc, 1, maxpad +Decrypt CBC !EtM, AES MD5 !trunc, padlen=240 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:240 -Decrypt 
CBC !EtM, AES MD5 trunc, 1, minpad +Decrypt CBC !EtM, AES MD5 trunc, padlen=0 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0 -Decrypt CBC !EtM, AES MD5 trunc, 1, maxpad +Decrypt CBC !EtM, AES MD5 trunc, padlen=240 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:240 -Decrypt CBC !EtM, AES MD5 !trunc, B-1, minpad +Decrypt CBC !EtM, AES MD5 !trunc, padlen=1 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:15:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:1 -Decrypt CBC !EtM, AES MD5 !trunc, B-1, maxpad +Decrypt CBC !EtM, AES MD5 !trunc, padlen=241 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:15:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:241 -Decrypt CBC !EtM, AES MD5 trunc, B-1, minpad +Decrypt CBC !EtM, AES MD5 trunc, padlen=1 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:5:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:1 -Decrypt CBC !EtM, AES MD5 trunc, B-1, maxpad +Decrypt CBC !EtM, AES MD5 trunc, padlen=241 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:5:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:241 -Decrypt CBC !EtM, AES MD5 !trunc, B, minpad +Decrypt CBC !EtM, AES MD5 !trunc, padlen=15 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:16:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:15 -Decrypt CBC !EtM, AES MD5 !trunc, B, maxpad +Decrypt CBC !EtM, AES MD5 !trunc, 
padlen=255 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:16:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:255 -Decrypt CBC !EtM, AES MD5 trunc, B, minpad +Decrypt CBC !EtM, AES MD5 trunc, padlen=15 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:6:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:15 -Decrypt CBC !EtM, AES MD5 trunc, B, maxpad +Decrypt CBC !EtM, AES MD5 trunc, padlen=255 depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:6:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:255 -Decrypt CBC !EtM, AES SHA1 !trunc, 0, minpad +Decrypt CBC !EtM, AES SHA1 !trunc, empty plaintext, minpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:-1 -Decrypt CBC !EtM, AES SHA1 !trunc, 0, maxpad +Decrypt CBC !EtM, AES SHA1 !trunc, empty plaintext, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:-2 -Decrypt CBC !EtM, AES SHA1 trunc, 0, minpad +Decrypt CBC !EtM, AES SHA1 trunc, empty plaintext, minpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:-1 -Decrypt CBC !EtM, AES SHA1 trunc, 0, maxpad +Decrypt CBC !EtM, AES SHA1 trunc, empty plaintext, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:-2 -Decrypt CBC !EtM, AES SHA1 !trunc, 1, minpad +Decrypt CBC !EtM, AES SHA1 !trunc, 
padlen=0 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0 -Decrypt CBC !EtM, AES SHA1 !trunc, 1, maxpad +Decrypt CBC !EtM, AES SHA1 !trunc, padlen=240 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:240 -Decrypt CBC !EtM, AES SHA1 trunc, 1, minpad +Decrypt CBC !EtM, AES SHA1 trunc, padlen=0 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0 -Decrypt CBC !EtM, AES SHA1 trunc, 1, maxpad +Decrypt CBC !EtM, AES SHA1 trunc, padlen=240 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:240 -Decrypt CBC !EtM, AES SHA1 !trunc, B-1, minpad +Decrypt CBC !EtM, AES SHA1 !trunc, padlen=1 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:11:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:1 -Decrypt CBC !EtM, AES SHA1 !trunc, B-1, maxpad +Decrypt CBC !EtM, AES SHA1 !trunc, padlen=241 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:11:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:241 -Decrypt CBC !EtM, AES SHA1 trunc, B-1, minpad +Decrypt CBC !EtM, AES SHA1 trunc, padlen=1 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:5:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:1 -Decrypt CBC !EtM, AES SHA1 trunc, B-1, maxpad +Decrypt CBC !EtM, AES SHA1 trunc, padlen=241 
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:5:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:241 -Decrypt CBC !EtM, AES SHA1 !trunc, B, minpad +Decrypt CBC !EtM, AES SHA1 !trunc, padlen=15 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:12:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:15 -Decrypt CBC !EtM, AES SHA1 !trunc, B, maxpad +Decrypt CBC !EtM, AES SHA1 !trunc, padlen=255 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:12:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:255 -Decrypt CBC !EtM, AES SHA1 trunc, B, minpad +Decrypt CBC !EtM, AES SHA1 trunc, padlen=15 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:6:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:15 -Decrypt CBC !EtM, AES SHA1 trunc, B, maxpad +Decrypt CBC !EtM, AES SHA1 trunc, padlen=255 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:6:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:255 -Decrypt CBC !EtM, AES SHA256 !trunc, 0, minpad +Decrypt CBC !EtM, AES SHA256 !trunc, empty plaintext, minpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:-1 -Decrypt CBC !EtM, AES SHA256 !trunc, 0, maxpad +Decrypt CBC !EtM, AES SHA256 !trunc, empty plaintext, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:-2 -Decrypt CBC !EtM, AES SHA256 trunc, 0, minpad +Decrypt CBC !EtM, AES SHA256 trunc, 
empty plaintext, minpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:-1 -Decrypt CBC !EtM, AES SHA256 trunc, 0, maxpad +Decrypt CBC !EtM, AES SHA256 trunc, empty plaintext, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:-2 -Decrypt CBC !EtM, AES SHA256 !trunc, 1, minpad +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=0 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0 -Decrypt CBC !EtM, AES SHA256 !trunc, 1, maxpad +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=240 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:240 -Decrypt CBC !EtM, AES SHA256 trunc, 1, minpad +Decrypt CBC !EtM, AES SHA256 trunc, padlen=0 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0 -Decrypt CBC !EtM, AES SHA256 trunc, 1, maxpad +Decrypt CBC !EtM, AES SHA256 trunc, padlen=240 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:240 -Decrypt CBC !EtM, AES SHA256 !trunc, B-1, minpad +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=1 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:15:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:1 -Decrypt CBC !EtM, AES SHA256 !trunc, 
B-1, maxpad +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=241 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:15:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:241 -Decrypt CBC !EtM, AES SHA256 trunc, B-1, minpad +Decrypt CBC !EtM, AES SHA256 trunc, padlen=1 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:5:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:1 -Decrypt CBC !EtM, AES SHA256 trunc, B-1, maxpad +Decrypt CBC !EtM, AES SHA256 trunc, padlen=241 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:5:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:241 -Decrypt CBC !EtM, AES SHA256 !trunc, B, minpad +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=15 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:16:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:15 -Decrypt CBC !EtM, AES SHA256 !trunc, B, maxpad +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=255 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:16:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:255 -Decrypt CBC !EtM, AES SHA256 trunc, B, minpad +Decrypt CBC !EtM, AES SHA256 trunc, padlen=15 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:6:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:15 -Decrypt CBC !EtM, AES SHA256 trunc, B, maxpad +Decrypt CBC !EtM, AES SHA256 trunc, padlen=255 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:6:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:255 
-Decrypt CBC !EtM, AES SHA384 !trunc, 0, minpad +Decrypt CBC !EtM, AES SHA384 !trunc, empty plaintext, minpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:-1 -Decrypt CBC !EtM, AES SHA384 !trunc, 0, maxpad +Decrypt CBC !EtM, AES SHA384 !trunc, empty plaintext, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:-2 -Decrypt CBC !EtM, AES SHA384 trunc, 0, minpad +Decrypt CBC !EtM, AES SHA384 trunc, empty plaintext, minpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:-1 -Decrypt CBC !EtM, AES SHA384 trunc, 0, maxpad +Decrypt CBC !EtM, AES SHA384 trunc, empty plaintext, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:-2 -Decrypt CBC !EtM, AES SHA384 !trunc, 1, minpad +Decrypt CBC !EtM, AES SHA384 !trunc, padlen=0 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0 -Decrypt CBC !EtM, AES SHA384 !trunc, 1, maxpad +Decrypt CBC !EtM, AES SHA384 !trunc, padlen=240 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:240 -Decrypt CBC !EtM, AES SHA384 trunc, 1, minpad +Decrypt 
CBC !EtM, AES SHA384 trunc, padlen=0 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0 -Decrypt CBC !EtM, AES SHA384 trunc, 1, maxpad +Decrypt CBC !EtM, AES SHA384 trunc, padlen=240 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:240 -Decrypt CBC !EtM, AES SHA384 !trunc, B-1, minpad +Decrypt CBC !EtM, AES SHA384 !trunc, padlen=1 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:15:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:1 -Decrypt CBC !EtM, AES SHA384 !trunc, B-1, maxpad +Decrypt CBC !EtM, AES SHA384 !trunc, padlen=241 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:15:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:241 -Decrypt CBC !EtM, AES SHA384 trunc, B-1, minpad +Decrypt CBC !EtM, AES SHA384 trunc, padlen=1 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:5:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:1 -Decrypt CBC !EtM, AES SHA384 trunc, B-1, maxpad +Decrypt CBC !EtM, AES SHA384 trunc, padlen=241 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:5:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:241 -Decrypt CBC !EtM, AES SHA384 !trunc, B, minpad +Decrypt CBC !EtM, AES SHA384 !trunc, padlen=15 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:16:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:15
-Decrypt CBC !EtM, AES SHA384 !trunc, B, maxpad
+Decrypt CBC !EtM, AES SHA384 !trunc, padlen=255
 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:16:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:255
-Decrypt CBC !EtM, AES SHA384 trunc, B, minpad
+Decrypt CBC !EtM, AES SHA384 trunc, padlen=15
 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:6:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:15
-Decrypt CBC !EtM, AES SHA384 trunc, B, maxpad
+Decrypt CBC !EtM, AES SHA384 trunc, padlen=255
 depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:6:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:255
-Decrypt CBC !EtM, ARIA MD5 !trunc, 0, minpad
+Decrypt CBC !EtM, ARIA MD5 !trunc, empty plaintext, minpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:-1
-Decrypt CBC !EtM, ARIA MD5 !trunc, 0, maxpad
+Decrypt CBC !EtM, ARIA MD5 !trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:-2
-Decrypt CBC !EtM, ARIA MD5 trunc, 0, minpad
+Decrypt CBC !EtM, ARIA MD5 trunc, empty plaintext, minpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:-1
-Decrypt CBC !EtM, ARIA MD5 trunc, 0, maxpad
+Decrypt CBC !EtM, ARIA MD5 trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:-2
-Decrypt CBC !EtM, ARIA MD5 !trunc, 1, minpad
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=0
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0
-Decrypt CBC !EtM, ARIA MD5 !trunc, 1, maxpad
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=240
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:240
-Decrypt CBC !EtM, ARIA MD5 trunc, 1, minpad
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=0
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0
-Decrypt CBC !EtM, ARIA MD5 trunc, 1, maxpad
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=240
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:240
-Decrypt CBC !EtM, ARIA MD5 !trunc, B-1, minpad
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=1
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:15:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:1
-Decrypt CBC !EtM, ARIA MD5 !trunc, B-1, maxpad
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=241
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:15:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:241
-Decrypt CBC !EtM, ARIA MD5 trunc, B-1, minpad
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=1
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:5:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:1
-Decrypt CBC !EtM, ARIA MD5 trunc, B-1, maxpad
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=241
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:5:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:241
-Decrypt CBC !EtM, ARIA MD5 !trunc, B, minpad
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=15
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:16:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:15
-Decrypt CBC !EtM, ARIA MD5 !trunc, B, maxpad
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=255
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:16:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:255
-Decrypt CBC !EtM, ARIA MD5 trunc, B, minpad
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=15
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:6:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:15
-Decrypt CBC !EtM, ARIA MD5 trunc, B, maxpad
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=255
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:6:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:255
-Decrypt CBC !EtM, ARIA SHA1 !trunc, 0, minpad
+Decrypt CBC !EtM, ARIA SHA1 !trunc, empty plaintext, minpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:-1
-Decrypt CBC !EtM, ARIA SHA1 !trunc, 0, maxpad
+Decrypt CBC !EtM, ARIA SHA1 !trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:-2
-Decrypt CBC !EtM, ARIA SHA1 trunc, 0, minpad
+Decrypt CBC !EtM, ARIA SHA1 trunc, empty plaintext, minpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:-1
-Decrypt CBC !EtM, ARIA SHA1 trunc, 0, maxpad
+Decrypt CBC !EtM, ARIA SHA1 trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:-2
-Decrypt CBC !EtM, ARIA SHA1 !trunc, 1, minpad
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=0
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0
-Decrypt CBC !EtM, ARIA SHA1 !trunc, 1, maxpad
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=240
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:240
-Decrypt CBC !EtM, ARIA SHA1 trunc, 1, minpad
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=0
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0
-Decrypt CBC !EtM, ARIA SHA1 trunc, 1, maxpad
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=240
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:240
-Decrypt CBC !EtM, ARIA SHA1 !trunc, B-1, minpad
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=1
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:11:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:1
-Decrypt CBC !EtM, ARIA SHA1 !trunc, B-1, maxpad
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=241
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:11:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:241
-Decrypt CBC !EtM, ARIA SHA1 trunc, B-1, minpad
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=1
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:5:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:1
-Decrypt CBC !EtM, ARIA SHA1 trunc, B-1, maxpad
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=241
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:5:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:241
-Decrypt CBC !EtM, ARIA SHA1 !trunc, B, minpad
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=15
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:12:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:15
-Decrypt CBC !EtM, ARIA SHA1 !trunc, B, maxpad
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=255
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:12:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:255
-Decrypt CBC !EtM, ARIA SHA1 trunc, B, minpad
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=15
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:6:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:15
-Decrypt CBC !EtM, ARIA SHA1 trunc, B, maxpad
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=255
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:6:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:255
-Decrypt CBC !EtM, ARIA SHA256 !trunc, 0, minpad
+Decrypt CBC !EtM, ARIA SHA256 !trunc, empty plaintext, minpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:-1
-Decrypt CBC !EtM, ARIA SHA256 !trunc, 0, maxpad
+Decrypt CBC !EtM, ARIA SHA256 !trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:-2
-Decrypt CBC !EtM, ARIA SHA256 trunc, 0, minpad
+Decrypt CBC !EtM, ARIA SHA256 trunc, empty plaintext, minpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:-1
-Decrypt CBC !EtM, ARIA SHA256 trunc, 0, maxpad
+Decrypt CBC !EtM, ARIA SHA256 trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:-2
-Decrypt CBC !EtM, ARIA SHA256 !trunc, 1, minpad
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=0
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0
-Decrypt CBC !EtM, ARIA SHA256 !trunc, 1, maxpad
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=240
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:240
-Decrypt CBC !EtM, ARIA SHA256 trunc, 1, minpad
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=0
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0
-Decrypt CBC !EtM, ARIA SHA256 trunc, 1, maxpad
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=240
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:240
-Decrypt CBC !EtM, ARIA SHA256 !trunc, B-1, minpad
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=1
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:15:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:1
-Decrypt CBC !EtM, ARIA SHA256 !trunc, B-1, maxpad
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=241
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:15:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:241
-Decrypt CBC !EtM, ARIA SHA256 trunc, B-1, minpad
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=1
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:5:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:1
-Decrypt CBC !EtM, ARIA SHA256 trunc, B-1, maxpad
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=241
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:5:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:241
-Decrypt CBC !EtM, ARIA SHA256 !trunc, B, minpad
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=15
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:16:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:15
-Decrypt CBC !EtM, ARIA SHA256 !trunc, B, maxpad
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=255
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:16:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:255
-Decrypt CBC !EtM, ARIA SHA256 trunc, B, minpad
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=15
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:6:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:15
-Decrypt CBC !EtM, ARIA SHA256 trunc, B, maxpad
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=255
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:6:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:255
-Decrypt CBC !EtM, ARIA SHA384 !trunc, 0, minpad
+Decrypt CBC !EtM, ARIA SHA384 !trunc, empty plaintext, minpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:-1
-Decrypt CBC !EtM, ARIA SHA384 !trunc, 0, maxpad
+Decrypt CBC !EtM, ARIA SHA384 !trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:-2
-Decrypt CBC !EtM, ARIA SHA384 trunc, 0, minpad
+Decrypt CBC !EtM, ARIA SHA384 trunc, empty plaintext, minpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:-1
-Decrypt CBC !EtM, ARIA SHA384 trunc, 0, maxpad
+Decrypt CBC !EtM, ARIA SHA384 trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:-2
-Decrypt CBC !EtM, ARIA SHA384 !trunc, 1, minpad
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=0
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0
-Decrypt CBC !EtM, ARIA SHA384 !trunc, 1, maxpad
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=240
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:240
-Decrypt CBC !EtM, ARIA SHA384 trunc, 1, minpad
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=0
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0
-Decrypt CBC !EtM, ARIA SHA384 trunc, 1, maxpad
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=240
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:240
-Decrypt CBC !EtM, ARIA SHA384 !trunc, B-1, minpad
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=1
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:15:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:1
-Decrypt CBC !EtM, ARIA SHA384 !trunc, B-1, maxpad
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=241
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:15:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:241
-Decrypt CBC !EtM, ARIA SHA384 trunc, B-1, minpad
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=1
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:5:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:1
-Decrypt CBC !EtM, ARIA SHA384 trunc, B-1, maxpad
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=241
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:5:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:241
-Decrypt CBC !EtM, ARIA SHA384 !trunc, B, minpad
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=15
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:16:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:15
-Decrypt CBC !EtM, ARIA SHA384 !trunc, B, maxpad
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=255
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:16:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:255
-Decrypt CBC !EtM, ARIA SHA384 trunc, B, minpad
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=15
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:6:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:15
-Decrypt CBC !EtM, ARIA SHA384 trunc, B, maxpad
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=255
 depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:6:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:255
-Decrypt CBC !EtM, CAMELLIA MD5 !trunc, 0, minpad
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, empty plaintext, minpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:-1
-Decrypt CBC !EtM, CAMELLIA MD5 !trunc, 0, maxpad
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:-2
-Decrypt CBC !EtM, CAMELLIA MD5 trunc, 0, minpad
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, empty plaintext, minpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:-1
-Decrypt CBC !EtM, CAMELLIA MD5 trunc, 0, maxpad
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:-2
-Decrypt CBC !EtM, CAMELLIA MD5 !trunc, 1, minpad
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=0
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0
-Decrypt CBC !EtM, CAMELLIA MD5 !trunc, 1, maxpad
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=240
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:240
-Decrypt CBC !EtM, CAMELLIA MD5 trunc, 1, minpad
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=0
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0
-Decrypt CBC !EtM, CAMELLIA MD5 trunc, 1, maxpad
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=240
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:240
-Decrypt CBC !EtM, CAMELLIA MD5 !trunc, B-1, minpad
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=1
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:15:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:1
-Decrypt CBC !EtM, CAMELLIA MD5 !trunc, B-1, maxpad
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=241
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:15:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:241
-Decrypt CBC !EtM, CAMELLIA MD5 trunc, B-1, minpad
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=1
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:5:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:1
-Decrypt CBC !EtM, CAMELLIA MD5 trunc, B-1, maxpad
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=241
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:5:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:241
-Decrypt CBC !EtM, CAMELLIA MD5 !trunc, B, minpad
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=15
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:16:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:15
-Decrypt CBC !EtM, CAMELLIA MD5 !trunc, B, maxpad
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=255
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:16:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:255
-Decrypt CBC !EtM, CAMELLIA MD5 trunc, B, minpad
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=15
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:6:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:15
-Decrypt CBC !EtM, CAMELLIA MD5 trunc, B, maxpad
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=255
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:6:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:255
-Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, 0, minpad
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, empty plaintext, minpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:-1
-Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, 0, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:-2
-Decrypt CBC !EtM, CAMELLIA SHA1 trunc, 0, minpad
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, empty plaintext, minpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:-1
-Decrypt CBC !EtM, CAMELLIA SHA1 trunc, 0, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:-2
-Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, 1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=0
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0
-Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, 1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=240
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:240
-Decrypt CBC !EtM, CAMELLIA SHA1 trunc, 1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=0
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0
-Decrypt CBC !EtM, CAMELLIA SHA1 trunc, 1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=240
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:240
-Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, B-1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=1
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:11:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:1
-Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, B-1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=241
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:11:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:241
-Decrypt CBC !EtM, CAMELLIA SHA1 trunc, B-1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=1
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:5:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:1
-Decrypt CBC !EtM, CAMELLIA SHA1 trunc, B-1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=241
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:5:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:241
-Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, B, minpad
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=15
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:12:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:15
-Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, B, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=255
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:12:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:255
-Decrypt CBC !EtM, CAMELLIA SHA1 trunc, B, minpad
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=15
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:6:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:15
-Decrypt CBC !EtM, CAMELLIA SHA1 trunc, B, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=255
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:6:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:255
-Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, 0, minpad
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, empty plaintext, minpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:-1
-Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, 0, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:-2
-Decrypt CBC !EtM, CAMELLIA SHA256 trunc, 0, minpad
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, empty plaintext, minpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:-1
-Decrypt CBC !EtM, CAMELLIA SHA256 trunc, 0, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:-2
-Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, 1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=0
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0
-Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, 1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=240
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:240
-Decrypt CBC !EtM, CAMELLIA SHA256 trunc, 1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=0
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0
-Decrypt CBC !EtM, CAMELLIA SHA256 trunc, 1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=240
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:240
-Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, B-1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=1
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:15:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:1
-Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, B-1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=241
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:15:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:241
-Decrypt CBC !EtM, CAMELLIA SHA256 trunc, B-1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=1
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:5:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:1
-Decrypt CBC !EtM, CAMELLIA SHA256 trunc, B-1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=241
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:5:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:241
-Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, B, minpad
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=15
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:16:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:15
-Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, B, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=255
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:16:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:255
-Decrypt CBC !EtM, CAMELLIA SHA256 trunc, B, minpad
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=15
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:6:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:15
-Decrypt CBC !EtM, CAMELLIA SHA256 trunc, B, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=255
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:6:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:255
-Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, 0, minpad
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, empty plaintext, minpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:-1
-Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, 0, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:-2
-Decrypt CBC !EtM, CAMELLIA SHA384 trunc, 0, minpad
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, empty plaintext, minpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:-1
-Decrypt CBC !EtM, CAMELLIA SHA384 trunc, 0, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, empty plaintext, maxpad
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:-2
-Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, 1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=0
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0
-Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, 1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=240
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:240
-Decrypt CBC !EtM, CAMELLIA SHA384 trunc, 1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=0
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:1:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0
-Decrypt CBC !EtM, CAMELLIA SHA384 trunc, 1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=240
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:1:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:240
-Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, B-1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=1
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:15:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:1
-Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, B-1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=241
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:15:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:241
-Decrypt CBC !EtM, CAMELLIA SHA384 trunc, B-1, minpad
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=1
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:5:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:1
-Decrypt CBC !EtM, CAMELLIA SHA384 trunc, B-1, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=241
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:5:1
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:241
-Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, B, minpad
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=15
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:16:0
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:15
-Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, B, maxpad
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=255
depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:16:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:255 -Decrypt CBC !EtM, CAMELLIA SHA384 trunc, B, minpad +Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=15 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:6:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:15 -Decrypt CBC !EtM, CAMELLIA SHA384 trunc, B, maxpad +Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=255 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:6:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:255 -Decrypt CBC !EtM, 3DES MD5 !trunc, 0, minpad +Decrypt CBC !EtM, 3DES MD5 !trunc, empty plaintext, minpad depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:-1 -Decrypt CBC !EtM, 3DES MD5 !trunc, 0, maxpad +Decrypt CBC !EtM, 3DES MD5 !trunc, empty plaintext, maxpad depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:-2 -Decrypt CBC !EtM, 3DES MD5 trunc, 0, minpad +Decrypt CBC !EtM, 3DES MD5 trunc, empty plaintext, minpad depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:-1 -Decrypt CBC !EtM, 3DES MD5 trunc, 0, maxpad +Decrypt CBC !EtM, 3DES MD5 trunc, empty plaintext, maxpad depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:-2 -Decrypt CBC !EtM, 3DES MD5 !trunc, 1, minpad +Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=0 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:0 -Decrypt CBC !EtM, 3DES MD5 !trunc, 1, maxpad +Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=248 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:248 -Decrypt CBC !EtM, 3DES MD5 trunc, 1, minpad +Decrypt CBC !EtM, 3DES MD5 trunc, padlen=0 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:0 -Decrypt CBC !EtM, 3DES MD5 trunc, 1, maxpad +Decrypt CBC !EtM, 3DES MD5 trunc, padlen=248 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:248 -Decrypt CBC !EtM, 3DES MD5 !trunc, B-1, minpad +Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=1 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:7:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:1 -Decrypt CBC !EtM, 3DES MD5 !trunc, B-1, maxpad +Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=249 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:7:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:249 -Decrypt CBC !EtM, 3DES MD5 trunc, B-1, minpad +Decrypt CBC !EtM, 3DES MD5 trunc, padlen=1 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:5:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:1 -Decrypt CBC !EtM, 3DES MD5 trunc, B-1, maxpad +Decrypt CBC !EtM, 3DES MD5 trunc, padlen=249 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:5:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:249 -Decrypt CBC !EtM, 3DES MD5 !trunc, B, minpad +Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=7 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:8:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:7 -Decrypt CBC !EtM, 3DES MD5 !trunc, B, maxpad +Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=255 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:8:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:255 -Decrypt CBC !EtM, 3DES MD5 trunc, B, minpad +Decrypt CBC !EtM, 3DES MD5 trunc, padlen=7 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:6:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:7 -Decrypt CBC !EtM, 3DES MD5 trunc, B, maxpad +Decrypt CBC !EtM, 3DES MD5 trunc, padlen=255 depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:6:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:255 -Decrypt CBC !EtM, 3DES SHA1 !trunc, 0, minpad +Decrypt CBC !EtM, 3DES SHA1 !trunc, empty plaintext, minpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:-1 -Decrypt CBC !EtM, 3DES SHA1 !trunc, 0, maxpad +Decrypt CBC !EtM, 3DES SHA1 !trunc, empty plaintext, maxpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:-2 -Decrypt CBC !EtM, 3DES SHA1 trunc, 0, minpad +Decrypt CBC !EtM, 3DES SHA1 trunc, empty plaintext, minpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:-1 -Decrypt CBC !EtM, 3DES SHA1 trunc, 0, maxpad +Decrypt CBC !EtM, 3DES SHA1 trunc, empty plaintext, maxpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:-2 -Decrypt CBC !EtM, 3DES SHA1 !trunc, 1, minpad +Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=0 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:0 -Decrypt CBC !EtM, 3DES SHA1 !trunc, 1, maxpad +Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=248 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:248 -Decrypt CBC !EtM, 3DES SHA1 trunc, 1, minpad +Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=0 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:0 -Decrypt CBC !EtM, 3DES SHA1 trunc, 1, maxpad +Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=248 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:248 -Decrypt CBC !EtM, 3DES SHA1 !trunc, B-1, minpad +Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=1 
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:3:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:1 -Decrypt CBC !EtM, 3DES SHA1 !trunc, B-1, maxpad +Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=249 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:3:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:249 -Decrypt CBC !EtM, 3DES SHA1 trunc, B-1, minpad +Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=1 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:5:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:1 -Decrypt CBC !EtM, 3DES SHA1 trunc, B-1, maxpad +Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=249 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:5:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:249 -Decrypt CBC !EtM, 3DES SHA1 !trunc, B, minpad +Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=7 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:4:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:7 -Decrypt CBC !EtM, 3DES SHA1 !trunc, B, maxpad +Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=255 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:4:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:255 -Decrypt CBC !EtM, 3DES SHA1 trunc, B, minpad +Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=7 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:6:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:7 -Decrypt CBC !EtM, 3DES SHA1 trunc, B, maxpad +Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=255 
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:6:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:255 -Decrypt CBC !EtM, 3DES SHA256 !trunc, 0, minpad +Decrypt CBC !EtM, 3DES SHA256 !trunc, empty plaintext, minpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:-1 -Decrypt CBC !EtM, 3DES SHA256 !trunc, 0, maxpad +Decrypt CBC !EtM, 3DES SHA256 !trunc, empty plaintext, maxpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:-2 -Decrypt CBC !EtM, 3DES SHA256 trunc, 0, minpad +Decrypt CBC !EtM, 3DES SHA256 trunc, empty plaintext, minpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:-1 -Decrypt CBC !EtM, 3DES SHA256 trunc, 0, maxpad +Decrypt CBC !EtM, 3DES SHA256 trunc, empty plaintext, maxpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:-2 -Decrypt CBC !EtM, 3DES SHA256 !trunc, 1, minpad +Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=0 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:0 -Decrypt CBC !EtM, 3DES SHA256 !trunc, 1, maxpad +Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=248 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:248 
-Decrypt CBC !EtM, 3DES SHA256 trunc, 1, minpad +Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=0 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:0 -Decrypt CBC !EtM, 3DES SHA256 trunc, 1, maxpad +Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=248 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:248 -Decrypt CBC !EtM, 3DES SHA256 !trunc, B-1, minpad +Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=1 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:7:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:1 -Decrypt CBC !EtM, 3DES SHA256 !trunc, B-1, maxpad +Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=249 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:7:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:249 -Decrypt CBC !EtM, 3DES SHA256 trunc, B-1, minpad +Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=1 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:5:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:1 -Decrypt CBC !EtM, 3DES SHA256 trunc, B-1, maxpad +Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=249 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:5:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:249 -Decrypt CBC !EtM, 3DES SHA256 !trunc, B, minpad +Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=7 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:8:0 
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:7 -Decrypt CBC !EtM, 3DES SHA256 !trunc, B, maxpad +Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=255 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:8:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:255 -Decrypt CBC !EtM, 3DES SHA256 trunc, B, minpad +Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=7 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:6:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:7 -Decrypt CBC !EtM, 3DES SHA256 trunc, B, maxpad +Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=255 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:6:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:255 -Decrypt CBC !EtM, 3DES SHA384 !trunc, 0, minpad +Decrypt CBC !EtM, 3DES SHA384 !trunc, empty plaintext, minpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:-1 -Decrypt CBC !EtM, 3DES SHA384 !trunc, 0, maxpad +Decrypt CBC !EtM, 3DES SHA384 !trunc, empty plaintext, maxpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:-2 -Decrypt CBC !EtM, 3DES SHA384 trunc, 0, minpad +Decrypt CBC !EtM, 3DES SHA384 trunc, empty plaintext, minpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:0:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:-1 -Decrypt CBC !EtM, 3DES SHA384 trunc, 0, maxpad 
+Decrypt CBC !EtM, 3DES SHA384 trunc, empty plaintext, maxpad depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:0:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:-2 -Decrypt CBC !EtM, 3DES SHA384 !trunc, 1, minpad +Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=0 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:0 -Decrypt CBC !EtM, 3DES SHA384 !trunc, 1, maxpad +Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=248 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:248 -Decrypt CBC !EtM, 3DES SHA384 trunc, 1, minpad +Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=0 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:1:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:0 -Decrypt CBC !EtM, 3DES SHA384 trunc, 1, maxpad +Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=248 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:1:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:248 -Decrypt CBC !EtM, 3DES SHA384 !trunc, B-1, minpad +Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=1 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:7:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:1 -Decrypt CBC !EtM, 3DES SHA384 !trunc, B-1, maxpad +Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=249 
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:7:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:249 -Decrypt CBC !EtM, 3DES SHA384 trunc, B-1, minpad +Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=1 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:5:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:1 -Decrypt CBC !EtM, 3DES SHA384 trunc, B-1, maxpad +Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=249 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:5:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:249 -Decrypt CBC !EtM, 3DES SHA384 !trunc, B, minpad +Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=7 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:8:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:7 -Decrypt CBC !EtM, 3DES SHA384 !trunc, B, maxpad +Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=255 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:8:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:255 -Decrypt CBC !EtM, 3DES SHA384 trunc, B, minpad +Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=7 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:6:0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:7 -Decrypt CBC !EtM, 3DES SHA384 trunc, B, maxpad +Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=255 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:6:1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:255 + SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 36023dd0b..0847e75c9 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3454,7 +3454,7 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2 */ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, - int plaintext_len, int pad_long ) + int length_selector ) { /* * Test record decryption for CBC without EtM, focused on the verification @@ -3464,13 +3464,21 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, * and either AES, ARIA, Camellia or DES, but since the test framework * doesn't support alternation in dependency statements, just depend on * TLS 1.2 and AES. + * + * The length_selector argument is interpreted as follows: + * - if it's -1, the plaintext length is 0 and minimal padding is applied + * - if it's -2, the plaintext length is 0 and maximal padding is applied + * - otherwise it must be in [0, 255] and is padding_length from RFC 5246: + * it's the length of the rest of the padding, that is, excluding the + * byte that encodes the length. The minimal non-zero plaintext length + * that gives this padding_length is automatically selected. */ mbedtls_ssl_context ssl; /* ONLY for debugging */ mbedtls_ssl_transform t0, t1; mbedtls_record rec, rec_save; unsigned char *buf = NULL, *buf_save = NULL; size_t buflen, olen = 0; - size_t block_size, i; + size_t plaintext_len, block_size, i; unsigned char padlen; unsigned char add_data[13]; unsigned char mac[MBEDTLS_MD_MAX_SIZE]; 
@@ -3487,13 +3495,27 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, MBEDTLS_SSL_MINOR_VERSION_3, 0 , 0 ) == 0 ); - /* Determine padding length */ + /* Determine padding/plaintext length */ + TEST_ASSERT( length_selector >= -2 && length_selector <= 255 ); block_size = t0.ivlen; - padlen = block_size - ( plaintext_len + t0.maclen + 1 ) % block_size; - if( padlen == block_size ) - padlen = 0; - if( pad_long ) - padlen += block_size * ( ( pad_max_len - padlen ) / block_size ); + if( length_selector < 0 ) + { + plaintext_len = 0; + + /* Minimal padding */ + padlen = block_size - ( t0.maclen + 1 ) % block_size; + + /* Maximal padding? */ + if( length_selector == -2 ) + padlen += block_size * ( ( pad_max_len - padlen ) / block_size ); + } + else + { + padlen = length_selector; + + /* Minimal non-zero plaintext_length givin desired padding */ + plaintext_len = block_size - ( padlen + t0.maclen + 1 ) % block_size; + } /* Prepare a buffer for record data */ buflen = block_size From b51f04466f9fc84dd041c342900dfe5c7801e450 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 21 Jul 2020 10:40:25 +0200 Subject: [PATCH 25/57] Fix misleading comment in test function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Everything works at the byte level, not bit level. Flipping the lsb is just one convenient way to corrupt a byte, but don't really care about individual bits. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_ssl.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 0847e75c9..0d2520e74 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
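Review bot: The `/* Minimal padding */` branch for `length_selector < 0` drops the `if( padlen == block_size ) padlen = 0;` normalisation that the removed code had, so when `( t0.maclen + 1 ) % block_size` is 0 the "minimal" padding becomes a whole block instead of zero; as far as I can tell no MAC/block size combination in this suite hits that case, but restoring the check or saying in the comment why it cannot occur keeps the label honest. The comment `/* Minimal non-zero plaintext_length givin desired padding */` has a typo, `giving`. ssl_decrypt_non_etm_cbc starts before and ends after this hunk.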
@@ -3601,7 +3601,7 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, rec.buf = buf; memcpy( buf, buf_save, buflen ); - /* Flip one bit of the data (could be plaintext, MAC or padding) */ + /* Corrupt one byte of the data (could be plaintext, MAC or padding) */ rec.buf[i] ^= 0x01; /* Encrypt */ From 9670a59230def4d2a433fe81e9f5029fa71062a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 10 Jul 2020 10:21:46 +0200 Subject: [PATCH 26/57] Start testing cf_hmac() for constant flow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently this breaks all.sh component test_memsan_constant_flow, just as expected, as the current implementation is not constant flow. This will be fixed in the next commit. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_ssl.function | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index a0e72dd38..a7f544574 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -9,6 +9,8 @@ #include +#include + typedef struct log_pattern { const char *pattern; @@ -4115,10 +4117,13 @@ void ssl_cf_hmac( int hash ) data[i] = ( i & 0xff ) ^ rec_num; /* Get the function's result */ + TEST_CF_SECRET( &in_len, sizeof( in_len ) ); TEST_EQUAL( 0, mbedtls_ssl_cf_hmac( &ctx, add_data, sizeof( add_data ), data, in_len, min_in_len, max_in_len, out ) ); + TEST_CF_PUBLIC( &in_len, sizeof( in_len ) ); + TEST_CF_PUBLIC( out, out_len ); /* Compute the reference result */ TEST_EQUAL( 0, mbedtls_md_hmac_update( &ref_ctx, add_data, From 7a8b1e6b7136702941b6da5fe75ca4673f402130 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 15 Jul 2020 11:52:14 +0200 Subject: [PATCH 27/57] Implement cf_hmac() actually with constant flow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 151 ++++++++++++++++++++++++++-------------------- 1 file changed, 86 insertions(+), 65 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index d77b65843..9b4d1dbc7 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
@@ -1070,8 +1070,53 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
 ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
 defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
 defined(MBEDTLS_SSL_PROTO_TLS1_2) )
+/*
+ * Constant-flow conditional memcpy:
+ * - if c1 == c2, equivalent to memcpy(dst, src, len),
+ * - otherwise, a no-op,
+ * but with execution flow independent of the values of c1 and c2.
+ *
+ * Use only bit operations to avoid branches that could be used by some
+ * compilers on some platforms to translate comparison operators.
+ */
+static void mbedtls_ssl_cf_memcpy_if_eq(unsigned char *dst,
+ const unsigned char *src,
+ size_t len,
+ size_t c1, size_t c2 )
+{
+ /* diff = 0 if c1 == c2, non-zero otherwise */
+ const size_t diff = c1 ^ c2;
+
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+ /* diff_msb's most significant bit is bit equal to c1 != c2 */
+ const size_t diff_msb = ( diff | -diff );
+
+ /* diff1 = c1 != c2 */
+ const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
+
+ /* mask = c1 != c2 ? 0xff : 0x00 */
+ unsigned char mask = (unsigned char) -diff1;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+ /* dst[i] = c1 != c2 ? dst[i] : src[i] */
+ for( size_t i = 0; i < len; i++ )
+ dst[i] = ( dst[i] & mask ) | ( src[i] & ~mask );
+}
+
 /*
  * Compute HMAC of variable-length data with constant flow.
+ *
+ * Only works with MD-5, SHA-1, SHA-256 and SHA-384.
+ * (Otherwise, computation of block_size needs to be adapted.)
  */
 MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac(
 mbedtls_md_context_t *ctx,
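Review bot: The added doc line `Only works with MD-5, SHA-1, SHA-256 and SHA-384` records a precondition that the code no longer enforces: the next hunk (cut off in this view) replaces the old switch, whose `default:` returned `MBEDTLS_ERR_SSL_INTERNAL_ERROR`, with `block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64`, so an unsupported md_alg would silently read `okey` from the wrong offset instead of failing; keep a guard such as `if( md_alg != MBEDTLS_MD_MD5 && md_alg != MBEDTLS_MD_SHA1 && md_alg != MBEDTLS_MD_SHA256 && md_alg != MBEDTLS_MD_SHA384 ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );` or explain in the comment why callers can only pass those four. In mbedtls_ssl_cf_memcpy_if_eq, `sizeof( diff_msb ) * 8 - 1` hard-codes 8-bit bytes; `sizeof( diff_msb ) * CHAR_BIT - 1` says the same thing portably if limits.h is acceptable here. Two smaller points: the comment `/* diff_msb's most significant bit is bit equal to c1 != c2 */` should read `/* diff_msb's most significant bit is equal to c1 != c2 */`, and `mbedtls_ssl_cf_memcpy_if_eq(unsigned char *dst,` is missing the space after `(` that the rest of this file uses. mbedtls_ssl_cf_hmac's body lies entirely outside this hunk.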
@@ -1080,85 +1125,61 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( size_t min_data_len, size_t max_data_len, unsigned char *output ) { - /* WORK IN PROGRESS - THIS IS ONLY PSEUDO-CONTANT-TIME */ - /* - * Process MAC and always update for padlen afterwards to make - * total time independent of padlen. + * This function breaks the HMAC abstraction and uses the md_clone() + * extension to the MD API in order to get constant-flow behaviour. * - * Known timing attacks: - * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf) + * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means + * concatenation, and okey/ikey is the XOR of the key with some fix bit + * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx. * - * To compensate for different timings for the MAC calculation - * depending on how much padding was removed (which is determined - * by padlen), process extra_run more blocks through the hash - * function. + * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to + * minlen, then cloning the context, and for each byte up to maxlen + * finishing up the hash computation, keeping only the correct result. * - * The formula in the paper is - * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 ) - * where L1 is the size of the header plus the decrypted message - * plus CBC padding and L2 is the size of the header plus the - * decrypted message. This is for an underlying hash function - * with 64-byte blocks. - * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values - * correctly. We round down instead of up, so -56 is the correct - * value for our calculations instead of -55. - * - * Repeat the formula rather than defining a block_size variable. - * This avoids requiring division by a variable at runtime - * (which would be marginally less efficient and would require - * linking an extra division function in some builds). + * Then we only need to compute HASH(okey + inner_hash) and we're done. 
*/ - size_t j, extra_run = 0; - /* This size is enough to server either as input to - * md_process() or as output to md_finish() */ - unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE]; + const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info ); + const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64; + const unsigned char * const ikey = (unsigned char *) ctx->hmac_ctx; + const unsigned char * const okey = ikey + block_size; + const size_t hash_size = mbedtls_md_get_size( ctx->md_info ); - memset( tmp, 0, sizeof( tmp ) ); + unsigned char aux_out[MBEDTLS_MD_MAX_SIZE]; + mbedtls_md_context_t aux; + size_t offset; - switch( mbedtls_md_get_type( ctx->md_info ) ) + mbedtls_md_init( &aux ); + mbedtls_md_setup( &aux, ctx->md_info, 0 ); + + /* After hmac_start() of hmac_reset(), ikey has already been hashed, + * so we can start directly with the message */ + mbedtls_md_update( ctx, add_data, add_data_len ); + mbedtls_md_update( ctx, data, min_data_len ); + + /* For each possible length, compute the hash up to that point */ + for( offset = min_data_len; offset <= max_data_len; offset++ ) { -#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \ -defined(MBEDTLS_SHA256_C) - case MBEDTLS_MD_MD5: - case MBEDTLS_MD_SHA1: - case MBEDTLS_MD_SHA256: - /* 8 bytes of message size, 64-byte compression blocks */ - extra_run = ( add_data_len + max_data_len + 8 ) / 64 - - ( add_data_len + data_len_secret + 8 ) / 64; - break; -#endif -#if defined(MBEDTLS_SHA512_C) - case MBEDTLS_MD_SHA384: - /* 16 bytes of message size, 128-byte compression blocks */ - extra_run = ( add_data_len + max_data_len + 16 ) / 128 - - ( add_data_len + data_len_secret + 16 ) / 128; - break; -#endif - default: - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + mbedtls_md_clone( &aux, ctx ); + mbedtls_md_finish( &aux, aux_out ); + /* Keep only the correct inner_hash in the output buffer */ + mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size, + offset, data_len_secret ); + + if( offset < 
max_data_len ) + mbedtls_md_update( ctx, data + offset, 1 ); } - mbedtls_md_hmac_update( ctx, add_data, add_data_len ); - mbedtls_md_hmac_update( ctx, data, data_len_secret ); - /* Make sure we access everything even when padlen > 0. This - * makes the synchronisation requirements for just-in-time - * Prime+Probe attacks much tighter and hopefully impractical. */ - ssl_read_memory( data + min_data_len, max_data_len - min_data_len ); - mbedtls_md_hmac_finish( ctx, output ); - - /* Dummy calls to compression function. - * Call mbedtls_md_process at least once due to cache attacks - * that observe whether md_process() was called of not. - * Respect the usual start-(process|update)-finish sequence for - * the sake of hardware accelerators that might require it. */ + /* Now compute HASH(okey + inner_hash) */ mbedtls_md_starts( ctx ); - for( j = 0; j < extra_run + 1; j++ ) - mbedtls_md_process( ctx, tmp ); - mbedtls_md_finish( ctx, tmp ); + mbedtls_md_update( ctx, okey, block_size ); + mbedtls_md_update( ctx, output, hash_size ); + mbedtls_md_finish( ctx, output ); + /* Done, get ready for next time */ mbedtls_md_hmac_reset( ctx ); + mbedtls_md_free( &aux ); return( 0 ); } #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC && TLS 1.0-1.2 */ From ed0e86428d166d1cf6bc06b5b19a530f7e8dbc97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 21 Jul 2020 11:20:30 +0200 Subject: [PATCH 28/57] Factor repeated condition to its own macro MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/ssl_internal.h | 8 ++++++++ library/ssl_invasive.h | 7 ++----- library/ssl_msg.c | 7 ++----- tests/suites/test_suite_ssl.function | 6 +----- 4 files changed, 13 insertions(+), 15 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 6bea84c34..61ac46417 100644 --- a/include/mbedtls/ssl_internal.h 
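Review bot: The removed `switch` returned `MBEDTLS_ERR_SSL_INTERNAL_ERROR` for any hash other than MD5/SHA-1/SHA-256/SHA-384, whereas the new `block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64` silently assumes a 64-byte block for every other algorithm, so `okey = ikey + block_size` would presumably point at the wrong part of `ctx->hmac_ctx` if a context with another hash ever reached this function; a guard such as `if( md_alg != MBEDTLS_MD_MD5 && md_alg != MBEDTLS_MD_SHA1 && md_alg != MBEDTLS_MD_SHA256 && md_alg != MBEDTLS_MD_SHA384 ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );` before `mbedtls_md_init( &aux )` keeps the previous defensive behaviour instead of relying on the header comment alone. Also worth a comment next to the loop: `output` is written only in the iteration where `offset == data_len_secret`, so a `data_len_secret` outside `[min_data_len, max_data_len]` feeds uninitialized bytes into the outer hash rather than failing visibly. The comment `After hmac_start() of hmac_reset()` should read `After hmac_starts() or hmac_reset()`. The function's signature is in the previous hunk, outside this one.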
+++ b/include/mbedtls/ssl_internal.h @@ -154,6 +154,14 @@ #define MBEDTLS_SSL_SOME_SUITES_USE_CBC #endif +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ + ( defined(MBEDTLS_SSL_PROTO_TLS1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_2) ) +#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC +#endif + + #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) #define MBEDTLS_SSL_SOME_MODES_USE_MAC diff --git a/library/ssl_invasive.h b/library/ssl_invasive.h index f40f0d4f5..49ee83f26 100644 --- a/library/ssl_invasive.h +++ b/library/ssl_invasive.h @@ -32,10 +32,7 @@ #include "mbedtls/md.h" #if defined(MBEDTLS_TEST_HOOKS) && \ - defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ - ( defined(MBEDTLS_SSL_PROTO_TLS1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_1) | \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) ) + defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) /** \brief Compute the HMAC of variable-length data with constant flow. * * This function computes the HMAC of the concatenation of \p add_data and \p @@ -74,6 +71,6 @@ int mbedtls_ssl_cf_hmac( const unsigned char *data, size_t data_len_secret, size_t min_data_len, size_t max_data_len, unsigned char *output ); -#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_SSL_SOME_SUITES_USE_CBC && TLS 1.0-1.2 */ +#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ #endif /* MBEDTLS_SSL_INVASIVE_H */ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 9b4d1dbc7..086db8842 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1066,10 +1066,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( 0 ); } -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ - ( defined(MBEDTLS_SSL_PROTO_TLS1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) ) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) /* * Constant-flow conditional memcpy: * - if c1 == c2, equivalent to memcpy(dst, src, len), 
@@ -1182,7 +1179,7 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( mbedtls_md_free( &aux ); return( 0 ); } -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC && TLS 1.0-1.2 */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, mbedtls_ssl_transform *transform, diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index a7f544574..ebb9a1a57 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4055,16 +4055,12 @@ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_TEST_HOOKS */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC:MBEDTLS_TEST_HOOKS */ void ssl_cf_hmac( int hash ) { /* * Test the function mbedtls_ssl_cf_hmac() against a reference * implementation. - * - * Note: the dependency is actually on TLS 1.0-1.2 and (AES or ARIA or - * Camellia or DES), but since the test framework doesn't support - * alternation in dependencies, just depend on the most common. */ mbedtls_md_context_t ctx, ref_ctx; const mbedtls_md_info_t *md_info; From ca8287cbaf78a6277c934d7493ee8acfd5a797ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 22 Jul 2020 10:29:39 +0200 Subject: [PATCH 29/57] Use test_set_step() in loop in cf_hmac test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We only have a single integer available for two nested loops, but the loop sizes are small enough compared to the integer's range that we can encode both indexes. Since the integer is displayed in decimal in case of errors, use a power of 10 to pack the two indexes together. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_ssl.function | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index ebb9a1a57..602dc36d5 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4100,12 +4100,16 @@ void ssl_cf_hmac( int hash ) */ for( max_in_len = 0; max_in_len <= 255 + block_size; max_in_len++ ) { + test_set_step( max_in_len * 10000 ); + /* Use allocated in buffer to catch overreads */ ASSERT_ALLOC( data, max_in_len != 0 ? max_in_len : 1 ); min_in_len = max_in_len > 255 ? max_in_len - 255 : 0; for( in_len = min_in_len; in_len <= max_in_len; in_len++ ) { + test_set_step( max_in_len * 10000 + in_len ); + /* Set up dummy data and add_data */ rec_num++; memset( add_data, rec_num, sizeof( add_data ) ); From c3219006ff5b6c2f2c05c01319147f91e67590cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 22 Jul 2020 10:32:52 +0200 Subject: [PATCH 30/57] Fix suboptimal use of ASSER_ALLOC() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Passing a length of 0 to it is perfectly acceptable, the macro was designed to handle it correctly. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_ssl.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 602dc36d5..5f301b5b6 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4103,7 +4103,7 @@ void ssl_cf_hmac( int hash ) test_set_step( max_in_len * 10000 ); /* Use allocated in buffer to catch overreads */ - ASSERT_ALLOC( data, max_in_len != 0 ? max_in_len : 1 ); + ASSERT_ALLOC( data, max_in_len ); min_in_len = max_in_len > 255 ? max_in_len - 255 : 0; for( in_len = min_in_len; in_len <= max_in_len; in_len++ ) From baccf803ad3b2e7a335092b1d74510d4db310ecf Mon Sep 17 00:00:00 2001 
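Review bot: The step value `max_in_len * 10000 + in_len` is only unambiguous while `in_len < 10000`, which holds here because `in_len <= max_in_len <= 255 + block_size`, but nothing at the call site says so; a comment on the first `test_set_step` call such as `/* Pack both loop indexes: max_in_len * 10000 + in_len, valid while in_len < 10000 */` keeps the invariant next to the code rather than only in the commit message. Using a power of ten is a good choice given that the step is printed in decimal on failure. The enclosing test function ssl_cf_hmac starts outside the hunk.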
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 22 Jul 2020 10:37:27 +0200 Subject: [PATCH 31/57] Improve some comments and internal documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_invasive.h | 8 +++++--- library/ssl_msg.c | 4 +++- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/library/ssl_invasive.h b/library/ssl_invasive.h index 49ee83f26..2a8d6b52d 100644 --- a/library/ssl_invasive.h +++ b/library/ssl_invasive.h @@ -42,9 +42,11 @@ * max_data_len bytes from \p data. * * \param ctx The HMAC context. It must have keys configured - * with mbedtls_md_hmac_starts(). It is reset using - * mbedtls_md_hmac_reset() after the computation is - * complete to prepare for the next computation. + * with mbedtls_md_hmac_starts() and use one of the + * following hashes: SHA-384, SHA-256, SHA-1 or MD-5. + * It is reset using mbedtls_md_hmac_reset() after + * the computation is complete to prepare for the + * next computation. * \param add_data The additional data prepended to \p data. This * must point to a readable buffer of \p add_data_len * bytes. diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 086db8842..3d6203ce1 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1127,7 +1127,7 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( * extension to the MD API in order to get constant-flow behaviour. * * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means - * concatenation, and okey/ikey is the XOR of the key with some fix bit + * concatenation, and okey/ikey are the XOR of the key with some fixed bit * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx. * * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to 
@@ -1137,6 +1137,8 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( * Then we only need to compute HASH(okey + inner_hash) and we're done. */ const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info ); + /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5, + * all of which have the same block size except SHA-384. */ const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64; const unsigned char * const ikey = (unsigned char *) ctx->hmac_ctx; const unsigned char * const okey = ikey + block_size; From 9713e13e689a747d0a531990b13aef92573b2a5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 22 Jul 2020 10:40:31 +0200 Subject: [PATCH 32/57] Remove unnecessary cast MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is C, not C++, casts between void * and other pointer types are free. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 3d6203ce1..e8f561637 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1140,7 +1140,7 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5, * all of which have the same block size except SHA-384. */ const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64; - const unsigned char * const ikey = (unsigned char *) ctx->hmac_ctx; + const unsigned char * const ikey = ctx->hmac_ctx; const unsigned char * const okey = ikey + block_size; const size_t hash_size = mbedtls_md_get_size( ctx->md_info ); From 44c9fdde6e796e8f3a05133e180ebde4ee22af48 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 22 Jul 2020 10:48:47 +0200 Subject: [PATCH 33/57] Check errors from the MD layer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Could be out-of-memory for some functions, accelerator issues for others. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 36 ++++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index e8f561637..fefbd863b 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
@@ -1147,39 +1147,51 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( unsigned char aux_out[MBEDTLS_MD_MAX_SIZE]; mbedtls_md_context_t aux; size_t offset; + int ret; mbedtls_md_init( &aux ); - mbedtls_md_setup( &aux, ctx->md_info, 0 ); + +#define MD_CHK( func_call ) \ + do { \ + ret = (func_call); \ + if( ret != 0 ) \ + goto cleanup; \ + } while( 0 ) + + MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) ); /* After hmac_start() of hmac_reset(), ikey has already been hashed, * so we can start directly with the message */ - mbedtls_md_update( ctx, add_data, add_data_len ); - mbedtls_md_update( ctx, data, min_data_len ); + MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) ); + MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) ); /* For each possible length, compute the hash up to that point */ for( offset = min_data_len; offset <= max_data_len; offset++ ) { - mbedtls_md_clone( &aux, ctx ); - mbedtls_md_finish( &aux, aux_out ); + MD_CHK( mbedtls_md_clone( &aux, ctx ) ); + MD_CHK( mbedtls_md_finish( &aux, aux_out ) ); /* Keep only the correct inner_hash in the output buffer */ mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size, offset, data_len_secret ); if( offset < max_data_len ) - mbedtls_md_update( ctx, data + offset, 1 ); + MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) ); } /* Now compute HASH(okey + inner_hash) */ - mbedtls_md_starts( ctx ); - mbedtls_md_update( ctx, okey, block_size ); - mbedtls_md_update( ctx, output, hash_size ); - mbedtls_md_finish( ctx, output ); + MD_CHK( mbedtls_md_starts( ctx ) ); + MD_CHK( mbedtls_md_update( ctx, okey, block_size ) ); + MD_CHK( mbedtls_md_update( ctx, output, hash_size ) ); + MD_CHK( mbedtls_md_finish( ctx, output ) ); /* Done, get ready for next time */ - mbedtls_md_hmac_reset( ctx ); + MD_CHK( mbedtls_md_hmac_reset( ctx ) ); +#undef MD_CHK + +cleanup: mbedtls_md_free( &aux ); - return( 0 ); + return( ret ); } #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ 
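Review bot: After any `MD_CHK` failure control jumps to `cleanup` without reaching `MD_CHK( mbedtls_md_hmac_reset( ctx ) )`, so `ctx` is left partway through the inner or outer hash and would produce a wrong MAC if the caller reused it after an error; the caller's error handling is not visible here, so either document on the function that a non-zero return leaves `ctx` unusable until reset, or make a best-effort `mbedtls_md_hmac_reset( ctx )` at `cleanup` whose return value does not overwrite a non-zero `ret`. The in-function `#define MD_CHK` / `#undef MD_CHK` pair deserves a one-line comment at its definition, e.g. `/* Propagate MD-layer failures (OOM, accelerator errors) via ret and the cleanup path */`, since the `#undef` sits just before the label and is easy to mistake for part of the error path. The enclosing function's signature is outside the hunk.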
From e55653f085a7dc411a9865c97d92f61b52ad1692 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 22 Jul 2020 11:42:57 +0200 Subject: [PATCH 34/57] Improve comments about padlen convention MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The convention from the TLS RFC is a bit unusual, so even if the test function's introductory comment mentions that we're taking the RFC's definition, it doesn't hurt to repeat it in crucial places. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_ssl.function | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 0d2520e74..cbc660cc3 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3479,7 +3479,7 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, unsigned char *buf = NULL, *buf_save = NULL; size_t buflen, olen = 0; size_t plaintext_len, block_size, i; - unsigned char padlen; + unsigned char padlen; /* excluding the padding_length byte */ unsigned char add_data[13]; unsigned char mac[MBEDTLS_MD_MAX_SIZE]; int exp_ret; @@ -3502,7 +3502,8 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, { plaintext_len = 0; - /* Minimal padding */ + /* Minimal padding + * The +1 is for the padding_length byte, not counted in padlen. */ padlen = block_size - ( t0.maclen + 1 ) % block_size; /* Maximal padding? */ @@ -3513,7 +3514,8 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, { padlen = length_selector; - /* Minimal non-zero plaintext_length givin desired padding */ + /* Minimal non-zero plaintext_length giving desired padding. + * The +1 is for the padding_length byte, not counted in padlen. */ plaintext_len = block_size - ( padlen + t0.maclen + 1 ) % block_size; } 
From 0b2112d30459df36b297d36452a8928fc450b6e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 22 Jul 2020 11:09:28 +0200 Subject: [PATCH 35/57] Add comment on memsan + constant-flow testing --- tests/scripts/all.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9c9247f8f..0a7c441f3 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1075,14 +1075,20 @@ component_test_full_cmake_clang () { } component_test_memsan_constant_flow () { - msg "build: cmake memsan, full config with constant flow testing" + # This tests both (1) accesses to undefined memory, and (2) branches or + # memory access depending on secret values. To distinguish between those: + # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? + # - or alternatively, change the build type to MemSanDbg, which enables + # origin tracking and nicer stack traces (which are useful for debugging + # anyway), and check if the origin was TEST_CF_SECRET() or something else. + msg "build: cmake MSan (clang), full config with constant flow testing" scripts/config.py full scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . make - msg "test: main suites (memsan constant flow)" + msg "test: main suites (Msan + constant flow)" make test } From e0765f35d53814dc3cf36303e0759022d0830ff1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 22 Jul 2020 12:22:51 +0200 Subject: [PATCH 36/57] Use int ret = MBEDTLS_ERROR_CORRUPTION_DETECTED; idiom Co-authored-by: Gilles Peskine --- library/ssl_msg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index fefbd863b..ae4882db6 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
@@ -1147,7 +1147,7 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( unsigned char aux_out[MBEDTLS_MD_MAX_SIZE]; mbedtls_md_context_t aux; size_t offset; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_init( &aux ); From 390fb4ff34e4584a2faccedec64196babe7bb724 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jul 2020 11:08:40 +0200 Subject: [PATCH 37/57] Fix typos in comments Co-authored-by: Janos Follath --- include/mbedtls/config.h | 2 +- library/ssl_invasive.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 124c597b6..91d54cadf 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1915,7 +1915,7 @@ * * This setting requires compiling with clang -fsanitize=memory. * - * Uncomment to enable testing of the constant-flow nature of seletected code. + * Uncomment to enable testing of the constant-flow nature of selected code. */ //#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN diff --git a/library/ssl_invasive.h b/library/ssl_invasive.h index 2a8d6b52d..f04b81668 100644 --- a/library/ssl_invasive.h +++ b/library/ssl_invasive.h @@ -55,11 +55,11 @@ * to a readable buffer of \p max_data_len bytes. * \param data_len_secret The length of the data to process in \p data. * This must be no less than \p min_data_len and no - * greated than \p max_data_len. + * greater than \p max_data_len. * \param min_data_len The minimal length of \p data in bytes. * \param max_data_len The maximal length of \p data in bytes. * \param output The HMAC will be written here. This must point to - * a writeable buffer of sufficient size to hold the + * a writable buffer of sufficient size to hold the * HMAC value. * * \retval 0 From e747843903b145d2247305c4cba00b1042d2ab9c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jul 2020 11:09:22 +0200 Subject: [PATCH 38/57] Fix a whitespace issue Co-authored-by: Janos Follath --- library/ssl_msg.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index ae4882db6..4be9c6253 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1076,10 +1076,10 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, * Use only bit operations to avoid branches that could be used by some * compilers on some platforms to translate comparison operators. */ -static void mbedtls_ssl_cf_memcpy_if_eq(unsigned char *dst, - const unsigned char *src, - size_t len, - size_t c1, size_t c2 ) +static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst, + const unsigned char *src, + size_t len, + size_t c1, size_t c2 ) { /* diff = 0 if c1 == c2, non-zero otherwise */ const size_t diff = c1 ^ c2; From f009542747da1feecf81737e07bed3c73930ae7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jul 2020 11:13:01 +0200 Subject: [PATCH 39/57] Add missing const for consistency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 4be9c6253..32c1b873d 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
@@ -1091,14 +1091,14 @@ static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst, #pragma warning( disable : 4146 ) #endif - /* diff_msb's most significant bit is bit equal to c1 != c2 */ + /* diff_msb's most significant bit is equal to c1 != c2 */ const size_t diff_msb = ( diff | -diff ); /* diff1 = c1 != c2 */ const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 ); /* mask = c1 != c2 ? 0xff : 0x00 */ - unsigned char mask = (unsigned char) -diff1; + const unsigned char mask = (unsigned char) -diff1; #if defined(_MSC_VER) #pragma warning( pop ) From 05579c4094200e68582831a168d7abf3d939acc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 31 Jul 2020 12:53:39 +0200 Subject: [PATCH 40/57] Add comments clarifying differences between macros MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/ssl_internal.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 61ac46417..6f7b45823 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -146,6 +146,7 @@ #define MBEDTLS_SSL_COMPRESSION_ADD 0 #endif +/* This macro determines whether CBC is supported. */ #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ ( defined(MBEDTLS_AES_C) || \ defined(MBEDTLS_CAMELLIA_C) || \ @@ -154,6 +155,8 @@ #define MBEDTLS_SSL_SOME_SUITES_USE_CBC #endif +/* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as + * opposed to the very different CBC construct used in SSLv3) is supported. */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ ( defined(MBEDTLS_SSL_PROTO_TLS1) || \ defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 
@@ -161,7 +164,6 @@ #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC #endif - #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) #define MBEDTLS_SSL_SOME_MODES_USE_MAC From 8ff863b9928e30fb92ab3ec69ebe0891e801110b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 31 Jul 2020 12:59:34 +0200 Subject: [PATCH 41/57] Add warning about test-only config.h option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/config.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 91d54cadf..3bb631f19 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1915,6 +1915,9 @@ * * This setting requires compiling with clang -fsanitize=memory. * + * \warning This macro is only used for extended testing; it is not considered + * part of the library's API, so it may change or disappear at any time. + * * Uncomment to enable testing of the constant-flow nature of selected code. */ //#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN From 210bea38f36757035b5005b8d48394fa3ec8a180 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 6 Aug 2020 16:05:35 +0200 Subject: [PATCH 42/57] Add the decomposition of the base case as a comment Put the base good case first, then the bad cases derived from it. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_x509parse.data | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index cb530c729..49ff073e8 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -2104,6 +2104,28 @@ X509 CRL ASN1 (TBSCertList, sig present, len mismatch) depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crl:"305d3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e05000302000100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +# 305c +# 3047 tbsCertList TBSCertList +# 020100 version INTEGER OPTIONAL +# 300d signatureAlgorithm AlgorithmIdentifi +# 06092a864886f70d01010e +# 0500 +# 300f issuer Name +# 310d300b0603550403130441424344 +# 170c303930313031303030303030 thisUpdate Time +# 3014 revokedCertificates +# 3012 entry 1 +# 8202abcd userCertificate CertificateSerialNum +# 170c303831323331323335393539 revocationDate Time +# 300d signatureAlgorithm AlgorithmIdentifi +# 06092a864886f70d01010e +# 0500 +# 03020001 signatureValue BIT STRING +# The subsequent TBSCertList negative tests remove or modify some elements. +X509 CRL ASN1 (TBSCertList, sig present) +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C +x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nserial number\: AB\:CD revocation date\: 2008-12-31 23\:59\:59\nsigned using \: RSA with SHA-224\n":0 + X509 CRL ASN1 (TBSCertList, signatureValue missing) depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crl:"30583047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e0500":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA 
@@ -2136,10 +2158,6 @@ X509 CRL ASN1 (TBSCertList, invalid tag for serial) depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128402abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG -X509 CRL ASN1 (TBSCertList, sig present) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C -x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nserial number\: AB\:CD revocation date\: 2008-12-31 23\:59\:59\nsigned using \: RSA with SHA-224\n":0 - X509 CRL ASN1 (TBSCertList, no entries) depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crl:"30463031020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nsigned using \: RSA with SHA-224\n":0 From 3c31afaca685fc7182b8d61433e69e423a0ef68a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 13 Aug 2020 12:08:54 +0200 Subject: [PATCH 43/57] Use temporary buffer to hold the peer's HMAC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This paves the way for a constant-flow implementation of HMAC checking, by making sure that the comparison happens at a constant address. The missing step is obviously to copy the HMAC from the secret offset to this temporary buffer with constant flow, which will be done in the next few commits. 
Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index c4cdf21ba..e90e59993 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1637,6 +1637,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, if( auth_done == 0 ) { unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; + unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD]; /* If the initial value of padlen was such that * data_len < maclen + padlen + 1, then padlen @@ -1663,6 +1664,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, data, rec->data_len, rec->ctr, rec->type, mac_expect ); + memcpy( mac_peer, data + rec->data_len, transform->maclen ); } else #endif /* MBEDTLS_SSL_PROTO_SSL3 */ @@ -1699,6 +1701,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, * attacks much tighter and hopefully impractical. */ ssl_read_memory( data + min_len, max_len - min_len + transform->maclen ); + memcpy( mac_peer, data + rec->data_len, transform->maclen ); } else #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ @@ -1710,10 +1713,10 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, #if defined(MBEDTLS_SSL_DEBUG_ALL) MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen ); - MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, transform->maclen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen ); #endif - if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect, + if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect, transform->maclen ) != 0 ) { #if defined(MBEDTLS_SSL_DEBUG_ALL) From 7fe2c5f086770a0f90ec5c15cc85880f3751568d Mon Sep 17 00:00:00 2001 
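Review bot: The new `memcpy( mac_peer, data + rec->data_len, transform->maclen );` is added twice, once in the SSL3 branch and once in the TLS1.x branch of the same `if( auth_done == 0 )` block; unless a branch I cannot see skips the MAC check, a single copy placed after the `#endif` that closes the protocol-version chain would keep the two paths from drifting apart. The copy still reads from the secret-dependent offset `rec->data_len`, which the commit message explicitly defers to follow-up commits, so I am not raising that here. `mac_peer` is sized `MBEDTLS_SSL_MAC_ADD` exactly like `mac_expect`, so the same bound on `transform->maclen` is assumed for both buffers and a one-line comment stating that bound next to the declarations would make it explicit. The enclosing function `mbedtls_ssl_decrypt_buf` starts and ends outside these hunks.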
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 18 Aug 2020 12:02:54 +0200 Subject: [PATCH 44/57] Add mbedtls_ssl_cf_memcpy_offset() with tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The tests are supposed to be failing now (in all.sh component test_memsan_constant_flow), but they don't as apparently MemSan doesn't complain when the src argument of memcpy() is uninitialized, see https://github.com/google/sanitizers/issues/1296 The next commit will add an option to test constant flow with valgrind, which will hopefully correctly flag the current non-constant-flow implementation. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_invasive.h | 24 ++++++++++++++++++++ library/ssl_msg.c | 31 +++++++++++++++++++------- tests/suites/test_suite_ssl.data | 12 ++++++++++ tests/suites/test_suite_ssl.function | 33 ++++++++++++++++++++++++++++ 4 files changed, 92 insertions(+), 8 deletions(-) diff --git a/library/ssl_invasive.h b/library/ssl_invasive.h index f04b81668..60b62094e 100644 --- a/library/ssl_invasive.h +++ b/library/ssl_invasive.h 
@@ -73,6 +73,30 @@ int mbedtls_ssl_cf_hmac( const unsigned char *data, size_t data_len_secret, size_t min_data_len, size_t max_data_len, unsigned char *output ); + +/** \brief Copy data from a secret position with constant flow. + * + * This function copies \p len bytes from \p src_base + \p offset_secret to \p + * dst, with a code flow and memory access pattern that does not depend on \p + * offset_secret, but only on \p offset_min, \p offset_max and \p len. + * + * \param dst The destination buffer. This must point to a writable + * buffer of at least \p len bytes. + * \param src_base The base of the source buffer. This must point to a + * readable buffer of at least \p offset_max + \p len + * bytes. + * \param offset_secret The offset in the source buffer from which to copy. + * This must be no less than \p offset_min and no greater + * than \p offset_max. + * \param offset_min The minimal value of \p offset_secret. + * \param offset_max The maximal value of \p offset_secret. + * \param len The number of bytes to copy. + */ +void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst, + const unsigned char *src_base, + size_t offset_secret, + size_t offset_min, size_t offset_max, + size_t len ); #endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ #endif /* MBEDTLS_SSL_INVASIVE_H */ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index e90e59993..5dc8012ba 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
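Review bot: The contract of `mbedtls_ssl_cf_memcpy_offset()` never states the relationship between `offset_min` and `offset_max`, yet both the buffer-size requirement (`offset_max + len`) and the range given for `offset_secret` only make sense when `offset_min <= offset_max`. I would add to the `\param offset_min` entry: `This must be no greater than \p offset_max.`. It would also help callers to say what the function guarantees about `dst` when `offset_secret` is out of the documented range, since the text only says the value "must" be in range and leaves the consequence unstated.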
@@ -1193,6 +1193,24 @@ cleanup: mbedtls_md_free( &aux ); return( ret ); } + +/* + * Constant-flow memcpy from variable position in buffer. + * - functionally equivalent to memcpy(dst, src + offset_secret, len) + * - but with execution flow independant from the value of offset_secret. + */ +MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset( + unsigned char *dst, + const unsigned char *src_base, + size_t offset_secret, + size_t offset_min, size_t offset_max, + size_t len ) +{ + /* WIP - THIS IS NOT ACTUALLY CONSTANT-FLOW! + * This is just to be able to write tests and check they work. */ + ssl_read_memory( src_base + offset_min, offset_max - offset_min + len ); + memcpy( dst, src_base + offset_secret, len ); +} #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, @@ -1674,7 +1692,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, { /* * The next two sizes are the minimum and maximum values of - * in_msglen over all padlen values. + * data_len over all padlen values. * * They're independent of padlen, since we previously did * data_len -= padlen. @@ -1695,13 +1713,10 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, return( ret ); } - /* Make sure we access all the memory that could contain the MAC, - * before we check it in the next code block. This makes the - * synchronisation requirements for just-in-time Prime+Probe - * attacks much tighter and hopefully impractical. */ - ssl_read_memory( data + min_len, - max_len - min_len + transform->maclen ); - memcpy( mac_peer, data + rec->data_len, transform->maclen ); + mbedtls_ssl_cf_memcpy_offset( mac_peer, data, + rec->data_len, + min_len, max_len, + transform->maclen ); } else #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 3afa39a2b..1b7919104 100644 --- a/tests/suites/test_suite_ssl.data 
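Review bot: The third hunk (`@@ -1695`) deletes the comment explaining why every byte between `data + min_len` and `data + max_len + maclen` is touched — tightening the synchronisation requirements for just-in-time Prime+Probe — and nothing equivalent appears in the header comment of the new `mbedtls_ssl_cf_memcpy_offset()` in the first hunk, which only says "constant-flow memcpy". I would carry that rationale over into the new function's comment, e.g. `* - reads the whole [offset_min, offset_max + len) window so that the memory access pattern, not only the control flow, is independent of offset_secret.`. The WIP body also computes `offset_max - offset_min + len` in `size_t`, so the `offset_min <= offset_max` precondition is relied on but not documented. `ssl_read_memory()` is guarded elsewhere in this file by `MBEDTLS_SSL_SOME_MODES_USE_MAC` and the TLS1.x protocol macros while this new caller sits under `MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC` only; I assume the latter implies the former, but that is not visible here. `mbedtls_ssl_decrypt_buf` starts and ends outside these hunks.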
+++ b/tests/suites/test_suite_ssl.data @@ -10545,3 +10545,15 @@ ssl_cf_hmac:MBEDTLS_MD_SHA256 Constant-flow HMAC: SHA384 depends_on:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 ssl_cf_hmac:MBEDTLS_MD_SHA384 + +# these are the numbers we'd get with an empty plaintext and truncated HMAC +Constant-flow memcpy from offset: small +ssl_cf_memcpy_offset:0:5:10 + +# we could get this with 255-bytes plaintext and untruncated SHA-256 +Constant-flow memcpy from offset: medium +ssl_cf_memcpy_offset:0:255:32 + +# we could get this with 255-bytes plaintext and untruncated SHA-384 +Constant-flow memcpy from offset: large +ssl_cf_memcpy_offset:100:339:48 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index f7c9be051..7c4f865e9 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4361,3 +4361,36 @@ exit: mbedtls_free( out ); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC:MBEDTLS_TEST_HOOKS */ +void ssl_cf_memcpy_offset( int offset_min, int offset_max, int len ) +{ + unsigned char *dst = NULL; + unsigned char *src = NULL; + size_t src_len = offset_max + len; + size_t secret; + + ASSERT_ALLOC( dst, len ); + ASSERT_ALLOC( src, src_len ); + + /* Fill src in a way that we can detect if we copied the right bytes */ + mbedtls_test_rnd_std_rand( NULL, src, src_len ); + + for( secret = offset_min; secret <= (size_t) offset_max; secret++ ) + { + test_set_step( (int) secret ); + + TEST_CF_SECRET( &secret, sizeof( secret ) ); + mbedtls_ssl_cf_memcpy_offset( dst, src, secret, + offset_min, offset_max, len ); + TEST_CF_PUBLIC( &secret, sizeof( secret ) ); + TEST_CF_PUBLIC( dst, len ); + + ASSERT_COMPARE( dst, len, src + secret, len ); + } + +exit: + mbedtls_free( dst ); + mbedtls_free( src ); +} +/* END_CASE */ From feb0396d20593ea557835657d04f449bc52d4557 Mon Sep 17 00:00:00 2001 
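Review bot: The return value of `mbedtls_test_rnd_std_rand( NULL, src, src_len )` is discarded in `ssl_cf_memcpy_offset()`; writing it as `TEST_ASSERT( mbedtls_test_rnd_std_rand( NULL, src, src_len ) == 0 );` keeps the test from silently running on an unfilled buffer. `src_len = offset_max + len` is computed in `int` and then converted to `size_t`, so a negative value in the .data file would turn into a huge allocation rather than a clear failure; a `TEST_ASSERT( offset_min >= 0 && offset_min <= offset_max && len >= 0 );` at the top would make the precondition explicit. Clearing `dst` with `memset( dst, 0, len );` before each call would also make a copy that does nothing in one iteration detectable regardless of what the previous iteration left behind.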
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 20 Aug 2020 09:59:33 +0200 Subject: [PATCH 45/57] Fix memory leak in test_suite_x509write with PSA crypto MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The documentation of mbedtls_pk_wrap_as_opaque is quite clear: * \param handle Output: a PSA key handle. * It's the caller's responsibility to call * psa_destroy_key() on that handle after calling * mbedtls_pk_free() on the PK context. But the test failed to call psa_destroy_key(). While at it, also use PSA_DONE(): it ensures that if we fail to destroy the key, we'll get an explicit error message about it without the need for valgrind. This is a preliminary to adding a valgrind-based test for constant-flow code: we need to make sure the rest of the tests are fully valgrind-clean, which they weren't. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_x509write.function | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index be9e0ae52..b205b74d7 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -5,12 +5,20 @@ #include "mbedtls/pem.h" #include "mbedtls/oid.h" #include "mbedtls/rsa.h" + #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" #include "mbedtls/psa_util.h" +#include "test/psa_crypto_helpers.h" +#define PSA_INIT( ) PSA_ASSERT( psa_crypto_init( ) ) +#else +/* Define empty macros so that we can use them in the preamble and teardown + * of every test function that uses PSA conditionally based on + * MBEDTLS_USE_PSA_CRYPTO. */ +#define PSA_INIT( ) ( (void) 0 ) +#define PSA_DONE( ) ( (void) 0 ) #endif - #if defined(MBEDTLS_RSA_C) int mbedtls_rsa_decrypt_func( void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, 
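Review bot: In the `MBEDTLS_USE_PSA_CRYPTO` branch only `PSA_INIT()` is defined here, while `PSA_DONE()`, used as its counterpart in the teardown, is presumably supplied by the newly included `test/psa_crypto_helpers.h`; a reader sees the symmetric no-op pair in the `#else` branch and will look for the real `PSA_DONE()` in this file. A short comment after the include, `/* PSA_DONE() is provided by test/psa_crypto_helpers.h */`, would say where it lives.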
@@ -156,7 +164,7 @@ void x509_csr_check_opaque( char *key_file, int md_type, int key_usage, const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; mbedtls_test_rnd_pseudo_info rnd_info; - psa_crypto_init(); + PSA_INIT( ); memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) ); md_alg_psa = mbedtls_psa_translate_md( (mbedtls_md_type_t) md_type ); @@ -184,9 +192,12 @@ void x509_csr_check_opaque( char *key_file, int md_type, int key_usage, buf[pem_len] = '\0'; TEST_ASSERT( x509_crt_verifycsr( buf, pem_len + 1 ) == 0 ); + exit: mbedtls_x509write_csr_free( &req ); mbedtls_pk_free( &key ); + psa_destroy_key( slot ); + PSA_DONE( ); } /* END_CASE */ From 73afa37507dbb6ec76fbed2e21a9305fbb1d6c09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 19 Aug 2020 10:27:38 +0200 Subject: [PATCH 46/57] Add option to test constant-flow with valgrind MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently the new component in all.sh fails because mbedtls_ssl_cf_memcpy_offset() is not actually constant flow - this is on purpose to be able to verify that the new test works. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/config.h | 17 ++++++++++++++ library/version_features.c | 3 +++ programs/test/query_config.c | 8 +++++++ scripts/config.py | 1 + tests/include/test/constant_flow.h | 36 ++++++++++++++++++++++++++++-- tests/scripts/all.sh | 22 ++++++++++++++++++ 6 files changed, 85 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 5eceea1bc..6337258dc 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
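Review bot: `psa_destroy_key( slot );` at the `exit:` label runs on every path, including the `TEST_ASSERT` failures that occur before `slot` is assigned, and `slot` is declared without an initializer (`psa_key_handle_t slot;`, outside this hunk), so those paths pass an indeterminate handle. Initializing it at declaration, `psa_key_handle_t slot = 0;`, makes the early-exit path well-defined. The status returned by `psa_destroy_key()` is also ignored; if `PSA_DONE()` is meant to report a key that could not be destroyed, as the commit message suggests, a comment saying so would explain why the status is dropped here. The function `x509_csr_check_opaque` starts outside this hunk.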
@@ -1924,6 +1924,23 @@ */ //#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN +/** + * \def MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND + * + * Enable testing of the constant-flow nature of some sensitive functions with + * valgrind's memcheck tool. This causes some existing tests to also test + * non-functional properties of the code under test. + * + * This setting requires valgrind headers for building, and is only useful for + * testing if the tests suites are run with valgrind's memcheck. + * + * \warning This macro is only used for extended testing; it is not considered + * part of the library's API, so it may change or disappear at any time. + * + * Uncomment to enable testing of the constant-flow nature of selected code. + */ +//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND + /** * \def MBEDTLS_TEST_HOOKS * diff --git a/library/version_features.c b/library/version_features.c index 2470d8d1d..16719a6eb 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -560,6 +560,9 @@ static const char * const features[] = { #if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN", #endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */ +#if defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND) + "MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND", +#endif /* MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */ #if defined(MBEDTLS_TEST_HOOKS) "MBEDTLS_TEST_HOOKS", #endif /* MBEDTLS_TEST_HOOKS */ diff --git a/programs/test/query_config.c b/programs/test/query_config.c index 23dc51512..c242ab511 100644 --- a/programs/test/query_config.c +++ b/programs/test/query_config.c 
@@ -1546,6 +1546,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */ +#if defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND) + if( strcmp( "MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND ); + return( 0 ); + } +#endif /* MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */ + #if defined(MBEDTLS_TEST_HOOKS) if( strcmp( "MBEDTLS_TEST_HOOKS", config ) == 0 ) { diff --git a/scripts/config.py b/scripts/config.py index 793e9dfa7..37a2475e6 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -195,6 +195,7 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_SHA512_NO_SHA384', # removes a feature 'MBEDTLS_SSL_HW_RECORD_ACCEL', # build dependency (hook functions) 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan) + 'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers) 'MBEDTLS_TEST_NULL_ENTROPY', # removes a feature 'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION', # influences the use of X.509 in TLS 'MBEDTLS_ZLIB_SUPPORT', # build dependency (libz) diff --git a/tests/include/test/constant_flow.h b/tests/include/test/constant_flow.h index 98bee7e48..9307a2513 100644 --- a/tests/include/test/constant_flow.h +++ b/tests/include/test/constant_flow.h 
@@ -32,6 +32,28 @@ #include MBEDTLS_CONFIG_FILE #endif +/* + * This file defines the two macros + * + * #define TEST_CF_SECRET(ptr, size) + * #define TEST_CF_PUBLIC(ptr, size) + * + * that can be used in tests to mark a memory area as secret (no branch or + * memory access should depend on it) or public (default, only needs to be + * marked explicitly when it was derived from secret data). + * + * Arguments: + * - ptr: a pointer to the memory area to be marked + * - size: the size in bytes of the memory area + * + * Implementation: + * The basic idea is that of ctgrind : we can + * re-use tools that were designed for checking use of uninitialized memory. + * This file contains two implementations: one based on MemorySanitizer, the + * other on valgrind's memcheck. If none of them is enabled, dummy macros that + * do nothing are defined for convenience. + */ + #if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) #include @@ -41,11 +63,21 @@ #define TEST_CF_PUBLIC __msan_unpoison // void __msan_unpoison(const volatile void *a, size_t size); -#else /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */ +#elif defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND) +#include + +#define TEST_CF_SECRET VALGRIND_MAKE_MEM_UNDEFINED +// VALGRIND_MAKE_MEM_UNDEFINED(_qzz_addr, _qzz_len) +#define TEST_CF_PUBLIC VALGRIND_MAKE_MEM_DEFINED +// VALGRIND_MAKE_MEM_DEFINED(_qzz_addr, _qzz_len) + +#else /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN || + MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */ #define TEST_CF_SECRET(ptr, size) #define TEST_CF_PUBLIC(ptr, size) -#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */ +#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN || + MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */ #endif /* TEST_CONSTANT_FLOW_H */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 6cc0cf806..caeb2fe79 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
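Review bot: The three implementations of `TEST_CF_SECRET`/`TEST_CF_PUBLIC` are not interchangeable in expression context: the MemorySanitizer versions are `void` functions, the valgrind client requests evaluate to a value, and the fallback macros expand to nothing, which leaves an empty statement and never evaluates their arguments. The header comment introduced in the first hunk could state this restriction, e.g. `* The macros must be used as statements; neither their value nor side effects in their arguments may be relied upon.`, so a test does not end up compiling under one backend and not the others.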
@@ -1111,6 +1111,28 @@ component_test_memsan_constant_flow () { make test } +component_test_valgrind_constant_flow () { + # This tests both (1) everything that valgrind's memcheck usually checks + # (heap buffer overflows, use of uninitialized memory, use-after-free, + # etc.) and (2) branches or memory access depending on secret values, + # which will be reported as uninitialized memory. To distinguish between + # secret and actually uninitialized: + # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? + # - or alternatively, build with debug info and manually run the offending + # test suite with valgrind --track-origins=yes, then check if the origin + # was TEST_CF_SECRET() or something else. + msg "build: cmake release GCC, full config with constant flow testing" + scripts/config.py full + scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND + cmake -D CMAKE_BUILD_TYPE:String=Release . + make + + # this only shows a summary of the results (how many of each type) + # details are left in Testing//DynamicAnalysis.xml + msg "test: main suites (valgrind + constant flow)" + make memcheck +} + component_test_default_no_deprecated () { # Test that removing the deprecated features from the default # configuration leaves something consistent. From de1cf2c5e1df1206f02633581eea3e86c3d7d985 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 19 Aug 2020 12:35:30 +0200 Subject: [PATCH 47/57] Make mbedtls_ssl_cf_memcpy_offset() constant-flow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit all.sh component test_valgrind_constant_flow is now passing. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 32 +++++++------------------------- 1 file changed, 7 insertions(+), 25 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 5dc8012ba..0de53204b 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
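Review bot: `component_test_valgrind_constant_flow` relies on `make memcheck` propagating valgrind findings as a non-zero exit status; if the CTest memcheck target only records them in the DynamicAnalysis.xml named in the comment and exits 0, a constant-flow regression would not fail this component. If that is the case, the step should be followed by a check of the generated report, or the suites should be run under `valgrind --error-exitcode=1` directly so the component fails on its own. Building with `CMAKE_BUILD_TYPE:String=Release` is the right choice for this check, since optimisation can reintroduce data-dependent branches that a debug build would not show, and a one-line comment saying so would keep someone from switching it to a debug build to get the `--track-origins` workflow described above.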
@@ -314,27 +314,6 @@ int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL; int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL; #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ -/* The function below is only used in the Lucky 13 counter-measure in - * mbedtls_ssl_decrypt_buf(). These are the defines that guard the call site. */ -#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) && \ - ( defined(MBEDTLS_SSL_PROTO_TLS1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) ) -/* This function makes sure every byte in the memory region is accessed - * (in ascending addresses order) */ -static void ssl_read_memory( const unsigned char *p, size_t len ) -{ - unsigned char acc = 0; - volatile unsigned char force; - - for( ; len != 0; p++, len-- ) - acc ^= *p; - - force = acc; - (void) force; -} -#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */ - /* * Encryption/decryption functions */ @@ -1206,10 +1185,13 @@ MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset( size_t offset_min, size_t offset_max, size_t len ) { - /* WIP - THIS IS NOT ACTUALLY CONSTANT-FLOW! - * This is just to be able to write tests and check they work. */ - ssl_read_memory( src_base + offset_min, offset_max - offset_min + len ); - memcpy( dst, src_base + offset_secret, len ); + size_t offset; + + for( offset = offset_min; offset <= offset_max; offset++ ) + { + mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len, + offset, offset_secret ); + } } #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ From 53d216081cf97b90d2cfdf06f9802680c0e8a05a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 20 Aug 2020 12:17:05 +0200 Subject: [PATCH 48/57] Add a ChangeLog entry for local Lucky13 variant MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
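Review bot: The new body of `mbedtls_ssl_cf_memcpy_offset()` copies only in the iteration where `offset == offset_secret`, so if `offset_secret` lies outside `[offset_min, offset_max]`, or if `offset_min > offset_max`, `dst` is left untouched and the caller reads whatever it held before; the function's comment (above this hunk) does not say so. I would add to that comment: `* - if offset_secret is not in [offset_min, offset_max], dst is left unchanged.`. The loop also makes the cost `(offset_max - offset_min + 1) * len` byte operations; in `mbedtls_ssl_decrypt_buf` that window is bounded by the range of possible padding lengths, which is worth noting so nobody calls this with a large window. The first hunk removes `ssl_read_memory()` together with its guard; the call replaced in the previous commit was its only visible use, but any other caller outside this view would now fail to build.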
Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/local-lucky13.txt | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 ChangeLog.d/local-lucky13.txt diff --git a/ChangeLog.d/local-lucky13.txt b/ChangeLog.d/local-lucky13.txt new file mode 100644 index 000000000..5a3eed0ba --- /dev/null +++ b/ChangeLog.d/local-lucky13.txt @@ -0,0 +1,9 @@ +Security + * Fix a local timing side channel vulnerability in (D)TLS record decryption + when using a CBC ciphersuites without the Encrypt-then-Mac extension. In + those circumstances, a local attacker able to observe the state of the + cache could use well-chosen functions to measure the exact computation + time of the HMAC, and follow up with the usual range of Lucky 13 attacks, + including plaintext recovery and key recovery. Found and reported by Tuba + Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler + (University of Florida) and Dave Tian (Purdue University). From 50118144c6446f5837fdcf9a2ee078d7c976bf68 Mon Sep 17 00:00:00 2001 From: Dan Handley Date: Thu, 20 Aug 2020 11:20:12 +0100 Subject: [PATCH 49/57] Update remaining copyright notices to use Linux Foundation guidance Update copyright notices to newly added files since merge of original PR #3546 "Update copyright notices to use Linux Foundation guidance". Generated using the same script. Signed-off-by: Dan Handley --- library/ssl_invasive.h | 4 +--- tests/include/test/constant_flow.h | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/library/ssl_invasive.h b/library/ssl_invasive.h index f04b81668..cfe9b8d44 100644 --- a/library/ssl_invasive.h +++ b/library/ssl_invasive.h @@ -8,7 +8,7 @@ * building the library for testing. */ /* - * Copyright (C) 2020, ARM Limited, All Rights Reserved + * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may 
@@ -22,8 +22,6 @@ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. - * - * This file is part of mbed TLS (https://tls.mbed.org) */ #ifndef MBEDTLS_SSL_INVASIVE_H #define MBEDTLS_SSL_INVASIVE_H diff --git a/tests/include/test/constant_flow.h b/tests/include/test/constant_flow.h index 98bee7e48..18daa4cc1 100644 --- a/tests/include/test/constant_flow.h +++ b/tests/include/test/constant_flow.h @@ -5,7 +5,7 @@ */ /* - * Copyright (C) 2020, ARM Limited, All Rights Reserved + * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,8 +19,6 @@ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. - * - * This file is part of mbed TLS (https://tls.mbed.org) */ #ifndef TEST_CONSTANT_FLOW_H From 8a79b9b68c3e30bd9654fe74d0ee48ef2062f7a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 24 Aug 2020 10:29:30 +0200 Subject: [PATCH 50/57] Fix "unused function" warning in some configs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_x509write.function | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index b205b74d7..de6a1064b 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function 
@@ -6,7 +6,13 @@ #include "mbedtls/oid.h" #include "mbedtls/rsa.h" -#if defined(MBEDTLS_USE_PSA_CRYPTO) +/* These are the same depends as the test function x509_crs_check_opaque(), + * the only function using PSA here. Using a weaker condition would result in + * warnings about the static functions defined in psa_crypto_helpers.h being + * unused. */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_PEM_WRITE_C) && \ + defined(MBEDTLS_X509_CSR_WRITE_C) #include "psa/crypto.h" #include "mbedtls/psa_util.h" #include "test/psa_crypto_helpers.h" @@ -17,7 +23,7 @@ * MBEDTLS_USE_PSA_CRYPTO. */ #define PSA_INIT( ) ( (void) 0 ) #define PSA_DONE( ) ( (void) 0 ) -#endif +#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */ #if defined(MBEDTLS_RSA_C) int mbedtls_rsa_decrypt_func( void *ctx, int mode, size_t *olen, From dd00bfce34434bf43ff4d7cb144cda7c146c3427 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 24 Aug 2020 12:58:36 +0200 Subject: [PATCH 51/57] Improve comments on constant-flow testing in config.h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/config.h | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 6337258dc..ca9527dbf 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
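Review bot: The comment added in the first hunk names the test function `x509_crs_check_opaque()`, but the function in this file is `x509_csr_check_opaque()`; the line should read `/* These are the same depends as the test function x509_csr_check_opaque(),`. Since the guard now mirrors that function's `depends_on` list by hand, a note that the two must be kept in sync, `* NOTE: keep in sync with the depends_on of x509_csr_check_opaque().`, would help the next person who adds a PSA-using test with different dependencies.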
@@ -1913,9 +1913,10 @@ * * Enable testing of the constant-flow nature of some sensitive functions with * clang's MemorySanitizer. This causes some existing tests to also test - * non-functional properties of the code under test. + * this non-functional property of the code under test. * - * This setting requires compiling with clang -fsanitize=memory. + * This setting requires compiling with clang -fsanitize=memory. The test + * suites can then be run normally. * * \warning This macro is only used for extended testing; it is not considered * part of the library's API, so it may change or disappear at any time. @@ -1929,10 +1930,12 @@ * * Enable testing of the constant-flow nature of some sensitive functions with * valgrind's memcheck tool. This causes some existing tests to also test - * non-functional properties of the code under test. + * this non-functional property of the code under test. * * This setting requires valgrind headers for building, and is only useful for - * testing if the tests suites are run with valgrind's memcheck. + * testing if the tests suites are run with valgrind's memcheck. This can be + * done for an individual test suite with 'valgrind ./test_suite_xxx', or when + * using CMake, this can be done for all test suites with 'make memcheck'. * * \warning This macro is only used for extended testing; it is not considered * part of the library's API, so it may change or disappear at any time. From ba6fc9796a9f4da88af8952a2d18053c7d8c6ba2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 24 Aug 2020 12:59:55 +0200 Subject: [PATCH 52/57] Fix a typo in a comment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 0de53204b..01822668c 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
@@ -1176,7 +1176,7 @@ cleanup:
 /*
 * Constant-flow memcpy from variable position in buffer.
 * - functionally equivalent to memcpy(dst, src + offset_secret, len)
- * - but with execution flow independant from the value of offset_secret.
+ * - but with execution flow independent from the value of offset_secret.
 */
 MBEDTLS_STATIC_TESTABLE
 void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst,
From 04b7488411ee602e986cdb07a217e59e9ae046bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 25 Aug 2020 10:45:51 +0200
Subject: [PATCH 53/57] Fix potential use of uninitialised variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If any of the TEST_ASSERT()s that are before the call to mbedtls_pk_warp_as_opaque() failed, when reaching the exit label psa_destroy_key() would be called with an uninitialized argument. Found by Clang.
Signed-off-by: Manuel Pégourié-Gonnard
---
 tests/suites/test_suite_x509write.function | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index de6a1064b..31d60009d 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -161,7 +161,7 @@ void x509_csr_check_opaque( char *key_file, int md_type, int key_usage,
 int cert_type )
 {
 mbedtls_pk_context key;
- psa_key_handle_t slot;
+ psa_key_handle_t slot = 0;
 psa_algorithm_t md_alg_psa;
 mbedtls_x509write_csr req;
 unsigned char buf[4096];
From 8f18d08fae10a80c9cc6580f5cfea1821791dcda Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 26 Aug 2020 10:10:11 +0200
Subject: [PATCH 54/57] Clarify that the Lucky 13 fix is quite general
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
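Review bot: Initialising `slot` to 0 in the test_suite_x509write.function hunk is only a complete fix if `psa_destroy_key()` treats a zero handle as a harmless no-op on the exit path; the PSA Crypto API specifies that for the null key identifier, but nothing in the hunk records the assumption and an implementation that rejects a zero handle would turn a failed early TEST_ASSERT into a second spurious error. Suggest `psa_key_handle_t slot = 0; /* 0 = no key wrapped yet; safe to pass to psa_destroy_key() at exit */`, or guard the cleanup with `if( slot != 0 )` if that is not guaranteed by the implementation in use. The body of x509_csr_check_opaque(), including the exit label, continues outside the hunk, so the cleanup call itself is not visible here.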
Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/local-lucky13.txt | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/ChangeLog.d/local-lucky13.txt b/ChangeLog.d/local-lucky13.txt index 5a3eed0ba..adf493abe 100644 --- a/ChangeLog.d/local-lucky13.txt +++ b/ChangeLog.d/local-lucky13.txt @@ -1,9 +1,11 @@ Security - * Fix a local timing side channel vulnerability in (D)TLS record decryption - when using a CBC ciphersuites without the Encrypt-then-Mac extension. In - those circumstances, a local attacker able to observe the state of the - cache could use well-chosen functions to measure the exact computation - time of the HMAC, and follow up with the usual range of Lucky 13 attacks, - including plaintext recovery and key recovery. Found and reported by Tuba - Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler + * In (D)TLS record decryption, when using a CBC ciphersuites without the + Encrypt-then-Mac extension, use constant code flow memory access patterns + to extract and check the MAC. This is an improvement to the existing + countermeasure against Lucky 13 attacks. The previous countermeasure was + effective against network-based attackers, but less so against local + attackers. The new countermeasure defends against local attackers, even + if they have access to fine-grained measurements. In particular, this + fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, + Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University). From c18a7b8466964bf713bf9e9b0fb09bc6cb2d865e Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 Aug 2020 14:49:16 +0100 Subject: [PATCH 55/57] Assemble ChangeLog Executed scripts/assemble_changelog.py. 
Signed-off-by: Janos Follath --- ChangeLog | 111 ++++++++++++++++++ ChangeLog.d/bugfix_PR3452.txt | 3 - .../build_with_only_montgomery_curves.txt | 6 - ChangeLog.d/cmake-install.txt | 3 - ChangeLog.d/copyright.txt | 6 - ChangeLog.d/crl-revocationDate.txt | 11 -- .../do_not_persist_volatile_external_keys.txt | 4 - ChangeLog.d/e2k-support.txt | 5 - ChangeLog.d/format-signedness.txt | 3 - ChangeLog.d/local-lucky13.txt | 11 -- ChangeLog.d/md_setup-leak.txt | 3 - ChangeLog.d/netbsd-rand-arc4random_buf.txt | 3 - ChangeLog.d/protect-base-blinding.txt | 6 - ChangeLog.d/psa_curve25519_key_support.txt | 9 -- .../psa_curve25519_public_key_import.txt | 3 - ChangeLog.d/psa_ecc_dh_macros.txt | 9 -- .../pw_protected_key_file_ssl_clisrv2.txt | 8 -- ChangeLog.d/stdout-macro.txt | 3 - .../undef_assert_before_defining_it.txt | 3 - ChangeLog.d/x509-verify-non-dns-san.txt | 11 -- ChangeLog.d/x509parse_crl-empty_entry.txt | 4 - ChangeLog.d/x509write_csr_heap_alloc.txt | 4 - ChangeLog.d/zeroising_of_plaintext_buffer.txt | 4 - 23 files changed, 111 insertions(+), 122 deletions(-) delete mode 100644 ChangeLog.d/bugfix_PR3452.txt delete mode 100644 ChangeLog.d/build_with_only_montgomery_curves.txt delete mode 100644 ChangeLog.d/cmake-install.txt delete mode 100644 ChangeLog.d/copyright.txt delete mode 100644 ChangeLog.d/crl-revocationDate.txt delete mode 100644 ChangeLog.d/do_not_persist_volatile_external_keys.txt delete mode 100644 ChangeLog.d/e2k-support.txt delete mode 100644 ChangeLog.d/format-signedness.txt delete mode 100644 ChangeLog.d/local-lucky13.txt delete mode 100644 ChangeLog.d/md_setup-leak.txt delete mode 100644 ChangeLog.d/netbsd-rand-arc4random_buf.txt delete mode 100644 ChangeLog.d/protect-base-blinding.txt delete mode 100644 ChangeLog.d/psa_curve25519_key_support.txt delete mode 100644 ChangeLog.d/psa_curve25519_public_key_import.txt delete mode 100644 ChangeLog.d/psa_ecc_dh_macros.txt delete mode 100644 ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt delete mode 100644 
ChangeLog.d/stdout-macro.txt delete mode 100644 ChangeLog.d/undef_assert_before_defining_it.txt delete mode 100644 ChangeLog.d/x509-verify-non-dns-san.txt delete mode 100644 ChangeLog.d/x509parse_crl-empty_entry.txt delete mode 100644 ChangeLog.d/x509write_csr_heap_alloc.txt delete mode 100644 ChangeLog.d/zeroising_of_plaintext_buffer.txt diff --git a/ChangeLog b/ChangeLog index 32853ce43..1c6e41467 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,116 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +API changes + * In the PSA API, rename the types of elliptic curve and Diffie-Hellman group families to + psa_ecc_family_t and psa_dh_family_t, in line with the PSA Crypto API specification version 1.0.0. + Rename associated macros as well: + PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx + PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx + PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY + PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY + +Default behavior changes + * Stop storing persistent information about externally stored keys created + through PSA Crypto with a volatile lifetime. Reported in #3288 and + contributed by Steven Cooreman in #3382. + +Features + * The new function mbedtls_ecp_write_key() exports private ECC keys back to + a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key(). + * Support building on e2k (Elbrus) architecture: correctly enable + -Wformat-signedness, and fix the code that causes signed-one-bit-field + and sign-compare warnings. Contributed by makise-homura (Igor Molchanov) + . + +Security + * Fix a vulnerability in the verification of X.509 certificates when + matching the expected common name (the cn argument of + mbedtls_x509_crt_verify()) with the actual certificate name: when the + subjecAltName extension is present, the expected name was compared to any + name in that extension regardless of its type. This means that an + attacker could for example impersonate a 4-bytes or 16-byte domain by + getting a certificate for the corresponding IPv4 or IPv6 (this would + require the attacker to control that IP address, though). Similar attacks + using other subjectAltName name types might be possible. Found and + reported by kFYatek in #3498. 
+ * When checking X.509 CRLs, a certificate was only considered as revoked if + its revocationDate was in the past according to the local clock if + available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, + certificates were never considered as revoked. On builds with + MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for + example, an untrusted OS attacking a secure enclave) could prevent + revocation of certificates via CRLs. Fixed by no longer checking the + revocationDate field, in accordance with RFC 5280. Reported by + yuemonangong in #3340. Reported independently and fixed by + Raoul Strackx and Jethro Beekman in #3433. + * In (D)TLS record decryption, when using a CBC ciphersuites without the + Encrypt-then-Mac extension, use constant code flow memory access patterns + to extract and check the MAC. This is an improvement to the existing + countermeasure against Lucky 13 attacks. The previous countermeasure was + effective against network-based attackers, but less so against local + attackers. The new countermeasure defends against local attackers, even + if they have access to fine-grained measurements. In particular, this + fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, + Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler + (University of Florida) and Dave Tian (Purdue University). + * Fix side channel in RSA private key operations and static (finite-field) + Diffie-Hellman. An adversary with precise enough timing and memory access + information (typically an untrusted operating system attacking a secure + enclave) could bypass an existing counter-measure (base blinding) and + potentially fully recover the private key. + * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). + Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine + for pinpointing the problematic code. 
+ * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused + application data from memory. Reported in #689 by + Johan Uppman Bruce of Sectra. + +Bugfix + * Library files installed after a CMake build no longer have execute + permission. + * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol redefinition if the function is inlined. + Reported in #3451 and fix contributed in #3452 by okhowang. + * Fix the endianness of Curve25519 keys imported/exported through the PSA + APIs. psa_import_key and psa_export_key will now correctly expect/output + Montgomery keys in little-endian as defined by RFC7748. Contributed by + Steven Cooreman in #3425. + * Fix build errors when the only enabled elliptic curves are Montgomery + curves. Raised by signpainter in #941 and by Taiki-San in #1412. This + also fixes missing declarations reported by Steven Cooreman in #1147. + * Fix self-test failure when the only enabled short Weierstrass elliptic + curve is secp192k1. Fixes #2017. + * PSA key import will now correctly import a Curve25519/Curve448 public key + instead of erroring out. Contributed by Steven Cooreman in #3492. + * Use arc4random_buf on NetBSD instead of rand implementation with cyclical + lower bits. Fix contributed in #3540. + * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory + conditions. Reported and fix suggested by Guido Vranken in #3486. + * Fix bug in redirection of unit test outputs on platforms where stdout is + defined as a macro. First reported in #2311 and fix contributed in #3528. + +Changes + * Only pass -Wformat-signedness to versions of GCC that support it. Reported + in #3478 and fix contributed in #3479 by okhowang. + * Reduce the stack consumption of mbedtls_x509write_csr_der() which + previously could lead to stack overflow on constrained devices. + Contributed by Doru Gucea and Simon Leet in #3464. 
+ * Undefine the ASSERT macro before defining it locally, in case it is defined + in a platform header. Contributed by Abdelatif Guettouche in #3557. + * Update copyright notices to use Linux Foundation guidance. As a result, + the copyright of contributors other than Arm is now acknowledged, and the + years of publishing are no longer tracked in the source files. This also + eliminates the need for the lines declaring the files to be part of + MbedTLS. Fixes #3457. + * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2 + example applications which allows to provide a password for the key file + specified through the existing key_file argument. This allows the use of + these applications with password-protected key files. Analogously but for + ssl_server2 only, add the command line parameter key_pwd2 which allows to + set a password for the key file provided through the existing key_file2 + argument. + = mbed TLS 2.23.0 branch released 2020-07-01 Default behavior changes diff --git a/ChangeLog.d/bugfix_PR3452.txt b/ChangeLog.d/bugfix_PR3452.txt deleted file mode 100644 index acf593eb8..000000000 --- a/ChangeLog.d/bugfix_PR3452.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol redefinition if the function is inlined. - Reported in #3451 and fix contributed in #3452 by okhowang. diff --git a/ChangeLog.d/build_with_only_montgomery_curves.txt b/ChangeLog.d/build_with_only_montgomery_curves.txt deleted file mode 100644 index d4ec7c56c..000000000 --- a/ChangeLog.d/build_with_only_montgomery_curves.txt +++ /dev/null @@ -1,6 +0,0 @@ -Bugfix - * Fix build errors when the only enabled elliptic curves are Montgomery - curves. Raised by signpainter in #941 and by Taiki-San in #1412. This - also fixes missing declarations reported by Steven Cooreman in #1147. - * Fix self-test failure when the only enabled short Weierstrass elliptic - curve is secp192k1. Fixes #2017. 
diff --git a/ChangeLog.d/cmake-install.txt b/ChangeLog.d/cmake-install.txt deleted file mode 100644 index 1bcec4aa9..000000000 --- a/ChangeLog.d/cmake-install.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Library files installed after a CMake build no longer have execute - permission. diff --git a/ChangeLog.d/copyright.txt b/ChangeLog.d/copyright.txt deleted file mode 100644 index aefc6bc7e..000000000 --- a/ChangeLog.d/copyright.txt +++ /dev/null @@ -1,6 +0,0 @@ -Changes - * Update copyright notices to use Linux Foundation guidance. As a result, - the copyright of contributors other than Arm is now acknowledged, and the - years of publishing are no longer tracked in the source files. This also - eliminates the need for the lines declaring the files to be part of - MbedTLS. Fixes #3457. diff --git a/ChangeLog.d/crl-revocationDate.txt b/ChangeLog.d/crl-revocationDate.txt deleted file mode 100644 index a8ad53216..000000000 --- a/ChangeLog.d/crl-revocationDate.txt +++ /dev/null @@ -1,11 +0,0 @@ -Security - * When checking X.509 CRLs, a certificate was only considered as revoked if - its revocationDate was in the past according to the local clock if - available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, - certificates were never considered as revoked. On builds with - MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for - example, an untrusted OS attacking a secure enclave) could prevent - revocation of certificates via CRLs. Fixed by no longer checking the - revocationDate field, in accordance with RFC 5280. Reported by - yuemonangong in #3340. Reported independently and fixed by - Raoul Strackx and Jethro Beekman in #3433. diff --git a/ChangeLog.d/do_not_persist_volatile_external_keys.txt b/ChangeLog.d/do_not_persist_volatile_external_keys.txt deleted file mode 100644 index b27292c90..000000000 --- a/ChangeLog.d/do_not_persist_volatile_external_keys.txt +++ /dev/null 
@@ -1,4 +0,0 @@ -Default behavior changes - * Stop storing persistent information about externally stored keys created - through PSA Crypto with a volatile lifetime. Reported in #3288 and - contributed by Steven Cooreman in #3382. diff --git a/ChangeLog.d/e2k-support.txt b/ChangeLog.d/e2k-support.txt deleted file mode 100644 index 023b1888e..000000000 --- a/ChangeLog.d/e2k-support.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * Support building on e2k (Elbrus) architecture: correctly enable - -Wformat-signedness, and fix the code that causes signed-one-bit-field - and sign-compare warnings. Contributed by makise-homura (Igor Molchanov) - . diff --git a/ChangeLog.d/format-signedness.txt b/ChangeLog.d/format-signedness.txt deleted file mode 100644 index ee1ee4bb3..000000000 --- a/ChangeLog.d/format-signedness.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Only pass -Wformat-signedness to versions of GCC that support it. Reported - in #3478 and fix contributed in #3479 by okhowang. diff --git a/ChangeLog.d/local-lucky13.txt b/ChangeLog.d/local-lucky13.txt deleted file mode 100644 index adf493abe..000000000 --- a/ChangeLog.d/local-lucky13.txt +++ /dev/null @@ -1,11 +0,0 @@ -Security - * In (D)TLS record decryption, when using a CBC ciphersuites without the - Encrypt-then-Mac extension, use constant code flow memory access patterns - to extract and check the MAC. This is an improvement to the existing - countermeasure against Lucky 13 attacks. The previous countermeasure was - effective against network-based attackers, but less so against local - attackers. The new countermeasure defends against local attackers, even - if they have access to fine-grained measurements. In particular, this - fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, - Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler - (University of Florida) and Dave Tian (Purdue University). 
diff --git a/ChangeLog.d/md_setup-leak.txt b/ChangeLog.d/md_setup-leak.txt deleted file mode 100644 index 5111d8ef8..000000000 --- a/ChangeLog.d/md_setup-leak.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory - conditions. Reported and fix suggested by Guido Vranken in #3486. diff --git a/ChangeLog.d/netbsd-rand-arc4random_buf.txt b/ChangeLog.d/netbsd-rand-arc4random_buf.txt deleted file mode 100644 index 8539d1f5e..000000000 --- a/ChangeLog.d/netbsd-rand-arc4random_buf.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Use arc4random_buf on NetBSD instead of rand implementation with cyclical - lower bits. Fix contributed in #3540. diff --git a/ChangeLog.d/protect-base-blinding.txt b/ChangeLog.d/protect-base-blinding.txt deleted file mode 100644 index ca0600cee..000000000 --- a/ChangeLog.d/protect-base-blinding.txt +++ /dev/null @@ -1,6 +0,0 @@ -Security - * Fix side channel in RSA private key operations and static (finite-field) - Diffie-Hellman. An adversary with precise enough timing and memory access - information (typically an untrusted operating system attacking a secure - enclave) could bypass an existing counter-measure (base blinding) and - potentially fully recover the private key. diff --git a/ChangeLog.d/psa_curve25519_key_support.txt b/ChangeLog.d/psa_curve25519_key_support.txt deleted file mode 100644 index 954ca0ff4..000000000 --- a/ChangeLog.d/psa_curve25519_key_support.txt +++ /dev/null @@ -1,9 +0,0 @@ -Features - * The new function mbedtls_ecp_write_key() exports private ECC keys back to - a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key(). - -Bugfix - * Fix the endianness of Curve25519 keys imported/exported through the PSA - APIs. psa_import_key and psa_export_key will now correctly expect/output - Montgomery keys in little-endian as defined by RFC7748. Contributed by - Steven Cooreman in #3425. 
diff --git a/ChangeLog.d/psa_curve25519_public_key_import.txt b/ChangeLog.d/psa_curve25519_public_key_import.txt deleted file mode 100644 index 2ea11e2c8..000000000 --- a/ChangeLog.d/psa_curve25519_public_key_import.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * PSA key import will now correctly import a Curve25519/Curve448 public key - instead of erroring out. Contributed by Steven Cooreman in #3492. diff --git a/ChangeLog.d/psa_ecc_dh_macros.txt b/ChangeLog.d/psa_ecc_dh_macros.txt deleted file mode 100644 index 033f3d8ae..000000000 --- a/ChangeLog.d/psa_ecc_dh_macros.txt +++ /dev/null @@ -1,9 +0,0 @@ -API changes - * In the PSA API, rename the types of elliptic curve and Diffie-Hellman group families to - psa_ecc_family_t and psa_dh_family_t, in line with the PSA Crypto API specification version 1.0.0. - Rename associated macros as well: - PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx - PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx - PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY - PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY - diff --git a/ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt b/ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt deleted file mode 100644 index ad1ad3038..000000000 --- a/ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt +++ /dev/null @@ -1,8 +0,0 @@ -Changes - * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2 - example applications which allows to provide a password for the key file - specified through the existing key_file argument. This allows the use of - these applications with password-protected key files. Analogously but for - ssl_server2 only, add the command line parameter key_pwd2 which allows to - set a password for the key file provided through the existing key_file2 - argument. diff --git a/ChangeLog.d/stdout-macro.txt b/ChangeLog.d/stdout-macro.txt deleted file mode 100644 index 94562404a..000000000 --- a/ChangeLog.d/stdout-macro.txt +++ /dev/null 
@@ -1,3 +0,0 @@ -Bugfix - * Fix bug in redirection of unit test outputs on platforms where stdout is - defined as a macro. First reported in #2311 and fix contributed in #3528. diff --git a/ChangeLog.d/undef_assert_before_defining_it.txt b/ChangeLog.d/undef_assert_before_defining_it.txt deleted file mode 100644 index 74a20188c..000000000 --- a/ChangeLog.d/undef_assert_before_defining_it.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Undefine the ASSERT macro before defining it locally, in case it is defined - in a platform header. Contributed by Abdelatif Guettouche in #3557. diff --git a/ChangeLog.d/x509-verify-non-dns-san.txt b/ChangeLog.d/x509-verify-non-dns-san.txt deleted file mode 100644 index 0cd81b385..000000000 --- a/ChangeLog.d/x509-verify-non-dns-san.txt +++ /dev/null @@ -1,11 +0,0 @@ -Security - * Fix a vulnerability in the verification of X.509 certificates when - matching the expected common name (the cn argument of - mbedtls_x509_crt_verify()) with the actual certificate name: when the - subjecAltName extension is present, the expected name was compared to any - name in that extension regardless of its type. This means that an - attacker could for example impersonate a 4-bytes or 16-byte domain by - getting a certificate for the corresponding IPv4 or IPv6 (this would - require the attacker to control that IP address, though). Similar attacks - using other subjectAltName name types might be possible. Found and - reported by kFYatek in #3498. diff --git a/ChangeLog.d/x509parse_crl-empty_entry.txt b/ChangeLog.d/x509parse_crl-empty_entry.txt deleted file mode 100644 index 483abb10a..000000000 --- a/ChangeLog.d/x509parse_crl-empty_entry.txt +++ /dev/null @@ -1,4 +0,0 @@ -Security - * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). - Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine - for pinpointing the problematic code. 
diff --git a/ChangeLog.d/x509write_csr_heap_alloc.txt b/ChangeLog.d/x509write_csr_heap_alloc.txt deleted file mode 100644 index abce20c4d..000000000 --- a/ChangeLog.d/x509write_csr_heap_alloc.txt +++ /dev/null @@ -1,4 +0,0 @@ -Changes - * Reduce the stack consumption of mbedtls_x509write_csr_der() which - previously could lead to stack overflow on constrained devices. - Contributed by Doru Gucea and Simon Leet in #3464. diff --git a/ChangeLog.d/zeroising_of_plaintext_buffer.txt b/ChangeLog.d/zeroising_of_plaintext_buffer.txt deleted file mode 100644 index f618beb91..000000000 --- a/ChangeLog.d/zeroising_of_plaintext_buffer.txt +++ /dev/null @@ -1,4 +0,0 @@ -Security - * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused - application data from memory. Reported in #689 by - Johan Uppman Bruce of Sectra. From 17ffc5da8d030aa3dca7a98e643eb4c69d492c9a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 Aug 2020 15:22:45 +0100 Subject: [PATCH 56/57] Bump version to Mbed TLS 2.24.0 Executed "./scripts/bump_version.sh --version 2.24.0" Signed-off-by: Janos Follath --- doxygen/input/doc_mainpage.h | 2 +- doxygen/mbedtls.doxyfile | 2 +- include/mbedtls/version.h | 8 ++++---- library/CMakeLists.txt | 6 +++--- tests/suites/test_suite_version.data | 4 ++-- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index 1bb6f3702..c13b27951 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -22,7 +22,7 @@ */ /** - * @mainpage mbed TLS v2.23.0 source code documentation + * @mainpage mbed TLS v2.24.0 source code documentation * * This documentation describes the internal structure of mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index e89021a21..bf33dabc7 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile 
@@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8 # identify the project. Note that if you do not use Doxywizard you need # to put quotes around the project name if it contains spaces. -PROJECT_NAME = "mbed TLS v2.23.0" +PROJECT_NAME = "mbed TLS v2.24.0" # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index d62d3124e..665a283e1 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -37,7 +37,7 @@ * Major, Minor, Patchlevel */ #define MBEDTLS_VERSION_MAJOR 2 -#define MBEDTLS_VERSION_MINOR 23 +#define MBEDTLS_VERSION_MINOR 24 #define MBEDTLS_VERSION_PATCH 0 /** @@ -45,9 +45,9 @@ * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02170000 -#define MBEDTLS_VERSION_STRING "2.23.0" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.23.0" +#define MBEDTLS_VERSION_NUMBER 0x02180000 +#define MBEDTLS_VERSION_STRING "2.24.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.24.0" #if defined(MBEDTLS_VERSION_C) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 1bdc59ec1..33e2cfc85 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt 
@@ -178,15 +178,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) add_library(mbedcrypto SHARED ${src_crypto}) - set_target_properties(mbedcrypto PROPERTIES VERSION 2.23.0 SOVERSION 5) + set_target_properties(mbedcrypto PROPERTIES VERSION 2.24.0 SOVERSION 5) target_link_libraries(mbedcrypto ${libs}) add_library(mbedx509 SHARED ${src_x509}) - set_target_properties(mbedx509 PROPERTIES VERSION 2.23.0 SOVERSION 1) + set_target_properties(mbedx509 PROPERTIES VERSION 2.24.0 SOVERSION 1) target_link_libraries(mbedx509 ${libs} mbedcrypto) add_library(mbedtls SHARED ${src_tls}) - set_target_properties(mbedtls PROPERTIES VERSION 2.23.0 SOVERSION 13) + set_target_properties(mbedtls PROPERTIES VERSION 2.24.0 SOVERSION 13) target_link_libraries(mbedtls ${libs} mbedx509) endif(USE_SHARED_MBEDTLS_LIBRARY) diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index 846ebb731..bb2624636 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compiletime library version -check_compiletime_version:"2.23.0" +check_compiletime_version:"2.24.0" Check runtime library version -check_runtime_version:"2.23.0" +check_runtime_version:"2.24.0" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0 From 6012f0ee5b3a3553a434b1a70100a172bb95cfb7 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 Aug 2020 15:32:10 +0100 Subject: [PATCH 57/57] Finalize ChangeLog Fix alignment where necessary and update ChangeLog header. Signed-off-by: Janos Follath --- ChangeLog | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1c6e41467..594c3cf4a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,10 +1,11 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS x.x.x branch released xxxx-xx-xx += mbed TLS 2.24.0 branch released 2020-09-01 API changes - * In the PSA API, rename the types of elliptic curve and Diffie-Hellman group families to - psa_ecc_family_t and psa_dh_family_t, in line with the PSA Crypto API specification version 1.0.0. + * In the PSA API, rename the types of elliptic curve and Diffie-Hellman + group families to psa_ecc_family_t and psa_dh_family_t, in line with the + PSA Crypto API specification version 1.0.0. Rename associated macros as well: PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx @@ -70,7 +71,8 @@ Security Bugfix * Library files installed after a CMake build no longer have execute permission. - * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol redefinition if the function is inlined. + * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol + redefinition if the function is inlined. Reported in #3451 and fix contributed in #3452 by okhowang. * Fix the endianness of Curve25519 keys imported/exported through the PSA APIs. psa_import_key and psa_export_key will now correctly expect/output