Generate good/bad padding programmatically

Compared to the previous approach of having the bad padding provided as input
to the testing function, this allows to test more kinds of incorrect data,
with less test cases in the .data file and more important no manually-generated
non-trivial data in the test case parameters, making it much easier to
complete the testing matrix.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2020-07-07 10:43:37 +02:00
parent 0ac01a1c59
commit 527c1ff71a
2 changed files with 114 additions and 117 deletions

View File

@ -9374,101 +9374,21 @@ Record crypt, little space, NULL cipher, SSL3, MD5, short tag, EtM
depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_MD5_C:MBEDTLS_SSL_ENCRYPT_THEN_MAC depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_MD5_C:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:1:MBEDTLS_SSL_MINOR_VERSION_0:0:0 ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:1:MBEDTLS_SSL_MINOR_VERSION_0:0:0
Decrypt CBC !EtM, AES SHA256 !trunc, 0, good min pad, good mac Decrypt CBC !EtM, AES SHA256 !trunc, 0, minpad
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":0 ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0
Decrypt CBC !EtM, AES SHA256 !trunc, 0, good min pad, bad mac Decrypt CBC !EtM, AES SHA256 !trunc, 0, maxpad
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1
Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (byte 0), good mac Decrypt CBC !EtM, AES SHA256 trunc, 0, minpad
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0E0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0
Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (byte 0), bad mac Decrypt CBC !EtM, AES SHA256 trunc, 0, maxpad
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"0E0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1
Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (len), good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0E":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 !trunc, 0, overlong pad 1, good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"10101010101010101010101010101010":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 !trunc, 0, overlong pad 2, good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"30303030303030303030303030303030":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 !trunc, 0, good maxlen pad, good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":0
Decrypt CBC !EtM, AES SHA256 !trunc, 0, good maxlen pad, bad mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen pad (byte 0), good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"fEffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen pad (byte 0), bad mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"fEffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen (len), good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffE":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 trunc, 0, good min pad, good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"050505050505":0
Decrypt CBC !EtM, AES SHA256 trunc, 0, good min pad, bad mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"050505050505":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (byte 0), good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"040505050505":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (byte 0), bad mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"040505050505":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (len), good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"050505050504":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 trunc, 0, overlong pad 1, good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"060606060606":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 trunc, 0, overlong pad 2, good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"101010101010":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 trunc, 0, good maxlen pad, good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":0
Decrypt CBC !EtM, AES SHA256 trunc, 0, good maxlen pad, bad mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen pad (byte 0), good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"E5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen pad (byte 0), bad mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"E5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC
Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen (len), good mac
depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f4":MBEDTLS_ERR_SSL_INVALID_MAC
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE

View File

@ -3454,12 +3454,11 @@ exit:
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2 */ /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2 */
void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
int plaintext_len, int badmac, data_t *padding, int plaintext_len, int pad_long )
int exp_ret )
{ {
/* /*
* Test record decryption for CBC without EtM with possibly incorrect * Test record decryption for CBC without EtM, focused on the verification
* padding (provided as input) or MAC (generated by this function). * of padding and MAC.
* *
* Actually depends on TLS >= 1.0 (SSL 3.0 computes the MAC differently), * Actually depends on TLS >= 1.0 (SSL 3.0 computes the MAC differently),
* but since the test framework doesn't support alternation in dependency * but since the test framework doesn't support alternation in dependency
@ -3467,12 +3466,14 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
*/ */
mbedtls_ssl_context ssl; /* ONLY for debugging */ mbedtls_ssl_context ssl; /* ONLY for debugging */
mbedtls_ssl_transform t0, t1; mbedtls_ssl_transform t0, t1;
mbedtls_record rec; mbedtls_record rec, rec_save;
unsigned char *buf = NULL; unsigned char *buf = NULL, *buf_save = NULL;
size_t buflen, olen = 0; size_t buflen, olen = 0;
const size_t rec_data_offset = 16; /* IV size */ size_t block_size, i;
unsigned char padlen;
unsigned char add_data[13]; unsigned char add_data[13];
unsigned char mac[MBEDTLS_MD_MAX_SIZE]; unsigned char mac[MBEDTLS_MD_MAX_SIZE];
int exp_ret;
mbedtls_ssl_init( &ssl ); mbedtls_ssl_init( &ssl );
mbedtls_ssl_transform_init( &t0 ); mbedtls_ssl_transform_init( &t0 );
@ -3484,12 +3485,21 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
MBEDTLS_SSL_MINOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 , 0 ) == 0 ); 0 , 0 ) == 0 );
/* Determine padding length */
block_size = t0.ivlen;
padlen = block_size - ( plaintext_len + t0.maclen + 1 ) % block_size;
if( padlen == block_size )
padlen = 0;
if( pad_long )
padlen += block_size * ( ( 255 - padlen ) / block_size );
/* Prepare a buffer for record data */ /* Prepare a buffer for record data */
buflen = rec_data_offset buflen = block_size
+ plaintext_len + plaintext_len
+ t0.maclen + t0.maclen
+ padding->len; + padlen + 1;
ASSERT_ALLOC( buf, buflen ); ASSERT_ALLOC( buf, buflen );
ASSERT_ALLOC( buf_save, buflen );
/* Prepare a dummy record header */ /* Prepare a dummy record header */
memset( rec.ctr, 0, sizeof( rec.ctr ) ); memset( rec.ctr, 0, sizeof( rec.ctr ) );
@ -3503,17 +3513,11 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
/* Prepare dummy record content */ /* Prepare dummy record content */
rec.buf = buf; rec.buf = buf;
rec.buf_len = buflen; rec.buf_len = buflen;
rec.data_offset = rec_data_offset; rec.data_offset = block_size;
rec.data_len = plaintext_len; rec.data_len = plaintext_len;
memset( rec.buf + rec.data_offset, 42, rec.data_len ); memset( rec.buf + rec.data_offset, 42, rec.data_len );
/* /* Serialized version of record header for MAC purposes */
* MAC, "pad" and encrypt - this near-duplicates the TLS 1.x non-EtM CBC
* code path of mbedtls_ssl_encrypt_buf(), but with user-provided padding,
* and possibly wrong HMAC. Also, without safety checks or CID support.
*/
/* MAC with additional data */
memcpy( add_data, rec.ctr, 8 ); memcpy( add_data, rec.ctr, 8 );
add_data[8] = rec.type; add_data[8] = rec.type;
add_data[9] = rec.ver[0]; add_data[9] = rec.ver[0];
@ -3521,6 +3525,15 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
add_data[11] = ( rec.data_len >> 8 ) & 0xff; add_data[11] = ( rec.data_len >> 8 ) & 0xff;
add_data[12] = ( rec.data_len >> 0 ) & 0xff; add_data[12] = ( rec.data_len >> 0 ) & 0xff;
/* Set dummy IV */
memset( t0.iv_enc, 0x55, t0.ivlen );
memcpy( rec.buf, t0.iv_enc, t0.ivlen );
/*
* Prepare a pre-encryption record (with MAC and padding), and save it.
*/
/* MAC with additional data */
TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, add_data, 13 ) ); TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, add_data, 13 ) );
TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc,
rec.buf + rec.data_offset, rec.buf + rec.data_offset,
@ -3530,18 +3543,18 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
memcpy( rec.buf + rec.data_offset + rec.data_len, mac, t0.maclen ); memcpy( rec.buf + rec.data_offset + rec.data_len, mac, t0.maclen );
rec.data_len += t0.maclen; rec.data_len += t0.maclen;
/* Possibly falsify the MAC */ /* Pad */
rec.buf[rec.data_offset + rec.data_len - 1] ^= badmac; memset( rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1 );
rec.data_len += padlen + 1;
/* Append the user-provided padding */ /* Save correct pre-encryption record */
memcpy( rec.buf + rec.data_offset + rec.data_len, padding->x, padding->len ); rec_save = rec;
rec.data_len += padding->len; rec_save.buf = buf_save;
memcpy( buf_save, buf, buflen );
/* Set dummy IV and encrypt */
memset( t0.iv_enc, 0x55, t0.ivlen );
TEST_ASSERT( t0.ivlen == rec_data_offset );
memcpy( rec.buf, t0.iv_enc, rec_data_offset );
/*
* Encrypt and decrypt the correct record, expecting success
*/
TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc, TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc,
t0.iv_enc, t0.ivlen, t0.iv_enc, t0.ivlen,
rec.buf + rec.data_offset, rec.data_len, rec.buf + rec.data_offset, rec.data_len,
@ -3549,16 +3562,80 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
rec.data_offset -= t0.ivlen; rec.data_offset -= t0.ivlen;
rec.data_len += t0.ivlen; rec.data_len += t0.ivlen;
TEST_EQUAL( 0, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
/* /*
* Try to decrypt and check that we get the expected result * Modify each byte of the pre-encryption record before encrypting and
* decrypting it, expecting failure every time.
*/ */
TEST_EQUAL( exp_ret, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) ); for( i = block_size; i < buflen; i++ )
{
test_set_step( i );
/* Restore correct pre-encryption record */
rec = rec_save;
rec.buf = buf;
memcpy( buf, buf_save, buflen );
/* Flip one bit of the data (could be plaintext, MAC or padding) */
rec.buf[i] ^= 0x01;
/* Encrypt */
TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc,
t0.iv_enc, t0.ivlen,
rec.buf + rec.data_offset, rec.data_len,
rec.buf + rec.data_offset, &olen ) );
rec.data_offset -= t0.ivlen;
rec.data_len += t0.ivlen;
/* Decrypt and expect failure */
TEST_EQUAL( MBEDTLS_ERR_SSL_INVALID_MAC,
mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
}
/*
* Use larger values of the padding bytes - with small buffers, this tests
* the case where the announced padlen would be larger than the buffer
* (and before that, than the buffer minus the size of the MAC), to make
* sure our padding checking code does not perform any out-of-bounds reads
* in this case. (With larger buffers, ie when the plaintext is long or
* maximal length padding is used, this is less relevant but still doesn't
* hurt to test.)
*
* (Start the loop with correct padding, just to double-check that record
* saving did work, and that we're overwriting the correct bytes.)
*/
for( i = padlen; i <= 255; i++ )
{
test_set_step( i );
/* Restore correct pre-encryption record */
rec = rec_save;
rec.buf = buf;
memcpy( buf, buf_save, buflen );
/* Set padding bytes to new value */
memset( buf + buflen - padlen - 1, i, padlen + 1 );
/* Encrypt */
TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc,
t0.iv_enc, t0.ivlen,
rec.buf + rec.data_offset, rec.data_len,
rec.buf + rec.data_offset, &olen ) );
rec.data_offset -= t0.ivlen;
rec.data_len += t0.ivlen;
/* Decrypt and expect failure except the first time */
exp_ret = ( i == padlen ) ? 0 : MBEDTLS_ERR_SSL_INVALID_MAC;
TEST_EQUAL( exp_ret, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
}
exit: exit:
mbedtls_ssl_free( &ssl ); mbedtls_ssl_free( &ssl );
mbedtls_ssl_transform_free( &t0 ); mbedtls_ssl_transform_free( &t0 );
mbedtls_ssl_transform_free( &t1 ); mbedtls_ssl_transform_free( &t1 );
mbedtls_free( buf ); mbedtls_free( buf );
mbedtls_free( buf_save );
} }
/* END_CASE */ /* END_CASE */