Merge pull request #728 from mpg/ct-varlen-hmac-2.16

[Backport 2.16] Add constant-flow variable-length HMAC function
This commit is contained in:
Manuel Pégourié-Gonnard 2020-08-10 12:40:49 +02:00 committed by GitHub
commit f1ef89586b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 391 additions and 90 deletions

View File

@ -199,6 +199,16 @@
#error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
#endif
#if defined(__has_feature)
#if __has_feature(memory_sanitizer)
#define MBEDTLS_HAS_MEMSAN
#endif
#endif
#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) && !defined(MBEDTLS_HAS_MEMSAN)
#error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer"
#endif
#undef MBEDTLS_HAS_MEMSAN
#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
( !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) )
#error "MBEDTLS_TEST_NULL_ENTROPY defined, but not all prerequisites"

View File

@ -551,6 +551,22 @@
//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
/**
* \def MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
*
* Enable testing of the constant-flow nature of some sensitive functions with
* clang's MemorySanitizer. This causes some existing tests to also test
* non-functional properties of the code under test.
*
* This setting requires compiling with clang -fsanitize=memory.
*
* \warning This macro is only used for extended testing; it is not considered
* part of the library's API, so it may change or disappear at any time.
*
* Uncomment to enable testing of the constant-flow nature of selected code.
*/
//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
/**
* \def MBEDTLS_TEST_NULL_ENTROPY
*

View File

@ -152,6 +152,24 @@
#define MBEDTLS_SSL_RETRANS_WAITING 2
#define MBEDTLS_SSL_RETRANS_FINISHED 3
/* This macro determines whether CBC is supported. */
#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
( defined(MBEDTLS_AES_C) || \
defined(MBEDTLS_CAMELLIA_C) || \
defined(MBEDTLS_ARIA_C) || \
defined(MBEDTLS_DES_C) )
#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
#endif
/* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as
* opposed to the very different CBC construct used in SSLv3) is supported. */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
( defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2) )
#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
#endif
/*
* Allow extra bytes for record, authentication and encryption overhead:
* counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
@ -843,6 +861,49 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
/** \brief Compute the HMAC of variable-length data with constant flow.
*
* This function computes the HMAC of the concatenation of \p add_data and \p
* data, and does with a code flow and memory access pattern that does not
* depend on \p data_len_secret, but only on \p min_data_len and \p
* max_data_len. In particular, this function always reads exactly \p
* max_data_len bytes from \p data.
*
* \param ctx The HMAC context. It must have keys configured
* with mbedtls_md_hmac_starts() and use one of the
* following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
* It is reset using mbedtls_md_hmac_reset() after
* the computation is complete to prepare for the
* next computation.
* \param add_data The additional data prepended to \p data. This
* must point to a readable buffer of \p add_data_len
* bytes.
* \param add_data_len The length of \p add_data in bytes.
* \param data The data appended to \p add_data. This must point
* to a readable buffer of \p max_data_len bytes.
* \param data_len_secret The length of the data to process in \p data.
* This must be no less than \p min_data_len and no
* greater than \p max_data_len.
* \param min_data_len The minimal length of \p data in bytes.
* \param max_data_len The maximal length of \p data in bytes.
* \param output The HMAC will be written here. This must point to
* a writable buffer of sufficient size to hold the
* HMAC value.
*
* \retval 0
* Success.
* \retval MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
* The hardware accelerator failed.
*/
int mbedtls_ssl_cf_hmac(
mbedtls_md_context_t *ctx,
const unsigned char *add_data, size_t add_data_len,
const unsigned char *data, size_t data_len_secret,
size_t min_data_len, size_t max_data_len,
unsigned char *output );
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
#ifdef __cplusplus
}
#endif

View File

@ -1433,8 +1433,7 @@ static void ssl_mac( mbedtls_md_context_t *md_ctx,
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
( defined(MBEDTLS_CIPHER_MODE_CBC) && \
( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C)) )
defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
#define SSL_SOME_MODES_USE_MAC
#endif
@ -1446,7 +1445,7 @@ static void ssl_mac( mbedtls_md_context_t *md_ctx,
defined(MBEDTLS_SSL_PROTO_TLS1_2) )
/* This function makes sure every byte in the memory region is accessed
* (in ascending addresses order) */
static void ssl_read_memory( unsigned char *p, size_t len )
static void ssl_read_memory( const unsigned char *p, size_t len )
{
unsigned char acc = 0;
volatile unsigned char force;
@ -1669,8 +1668,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
}
else
#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
if( mode == MBEDTLS_MODE_CBC )
{
int ret;
@ -1789,8 +1787,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
}
else
#endif /* MBEDTLS_CIPHER_MODE_CBC &&
( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@ -1808,6 +1805,136 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
return( 0 );
}
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
/*
* Constant-flow conditional memcpy:
* - if c1 == c2, equivalent to memcpy(dst, src, len),
* - otherwise, a no-op,
* but with execution flow independent of the values of c1 and c2.
*
* Use only bit operations to avoid branches that could be used by some
* compilers on some platforms to translate comparison operators.
*/
static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst,
const unsigned char *src,
size_t len,
size_t c1, size_t c2 )
{
/* diff = 0 if c1 == c2, non-zero otherwise */
const size_t diff = c1 ^ c2;
/* MSVC has a warning about unary minus on unsigned integer types,
* but this is well-defined and precisely what we want to do here. */
#if defined(_MSC_VER)
#pragma warning( push )
#pragma warning( disable : 4146 )
#endif
/* diff_msb's most significant bit is equal to c1 != c2 */
const size_t diff_msb = ( diff | -diff );
/* diff1 = c1 != c2 */
const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
/* mask = c1 != c2 ? 0xff : 0x00 */
const unsigned char mask = (unsigned char) -diff1;
#if defined(_MSC_VER)
#pragma warning( pop )
#endif
/* dst[i] = c1 != c2 ? dst[i] : src[i] */
size_t i;
for( i = 0; i < len; i++ )
dst[i] = ( dst[i] & mask ) | ( src[i] & ~mask );
}
/*
* Compute HMAC of variable-length data with constant flow.
*
* Only works with MD-5, SHA-1, SHA-256 and SHA-384.
* (Otherwise, computation of block_size needs to be adapted.)
*/
int mbedtls_ssl_cf_hmac(
mbedtls_md_context_t *ctx,
const unsigned char *add_data, size_t add_data_len,
const unsigned char *data, size_t data_len_secret,
size_t min_data_len, size_t max_data_len,
unsigned char *output )
{
/*
* This function breaks the HMAC abstraction and uses the md_clone()
* extension to the MD API in order to get constant-flow behaviour.
*
* HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
* concatenation, and okey/ikey are the XOR of the key with some fixed bit
* patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
*
* We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
* minlen, then cloning the context, and for each byte up to maxlen
* finishing up the hash computation, keeping only the correct result.
*
* Then we only need to compute HASH(okey + inner_hash) and we're done.
*/
const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info );
/* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5,
* all of which have the same block size except SHA-384. */
const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
const unsigned char * const ikey = ctx->hmac_ctx;
const unsigned char * const okey = ikey + block_size;
const size_t hash_size = mbedtls_md_get_size( ctx->md_info );
unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
mbedtls_md_context_t aux;
size_t offset;
int ret;
mbedtls_md_init( &aux );
#define MD_CHK( func_call ) \
do { \
ret = (func_call); \
if( ret != 0 ) \
goto cleanup; \
} while( 0 )
MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) );
/* After hmac_start() of hmac_reset(), ikey has already been hashed,
* so we can start directly with the message */
MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
/* For each possible length, compute the hash up to that point */
for( offset = min_data_len; offset <= max_data_len; offset++ )
{
MD_CHK( mbedtls_md_clone( &aux, ctx ) );
MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
/* Keep only the correct inner_hash in the output buffer */
mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size,
offset, data_len_secret );
if( offset < max_data_len )
MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
}
/* Now compute HASH(okey + inner_hash) */
MD_CHK( mbedtls_md_starts( ctx ) );
MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );
MD_CHK( mbedtls_md_update( ctx, output, hash_size ) );
MD_CHK( mbedtls_md_finish( ctx, output ) );
/* Done, get ready for next time */
MD_CHK( mbedtls_md_hmac_reset( ctx ) );
#undef MD_CHK
cleanup:
mbedtls_md_free( &aux );
return( ret );
}
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
{
mbedtls_cipher_mode_t mode;
@ -1962,8 +2089,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
}
else
#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
if( mode == MBEDTLS_MODE_CBC )
{
/*
@ -2176,8 +2302,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
ssl->in_msglen -= padlen;
}
else
#endif /* MBEDTLS_CIPHER_MODE_CBC &&
( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@ -2217,34 +2342,8 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
{
/*
* Process MAC and always update for padlen afterwards to make
* total time independent of padlen.
*
* Known timing attacks:
* - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
*
* To compensate for different timings for the MAC calculation
* depending on how much padding was removed (which is determined
* by padlen), process extra_run more blocks through the hash
* function.
*
* The formula in the paper is
* extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
* where L1 is the size of the header plus the decrypted message
* plus CBC padding and L2 is the size of the header plus the
* decrypted message. This is for an underlying hash function
* with 64-byte blocks.
* We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
* correctly. We round down instead of up, so -56 is the correct
* value for our calculations instead of -55.
*
* Repeat the formula rather than defining a block_size variable.
* This avoids requiring division by a variable at runtime
* (which would be marginally less efficient and would require
* linking an extra division function in some builds).
*/
size_t j, extra_run = 0;
int ret;
unsigned char add_data[13];
/*
* The next two sizes are the minimum and maximum values of
@ -2259,60 +2358,21 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
const size_t max_len = ssl->in_msglen + padlen;
const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
switch( ssl->transform_in->ciphersuite_info->mac )
memcpy( add_data + 0, ssl->in_ctr, 8 );
memcpy( add_data + 8, ssl->in_hdr, 3 );
memcpy( add_data + 11, ssl->in_len, 2 );
ret = mbedtls_ssl_cf_hmac( &ssl->transform_in->md_ctx_dec,
add_data, sizeof( add_data ),
ssl->in_msg, ssl->in_msglen,
min_len, max_len,
mac_expect );
if( ret != 0 )
{
#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
defined(MBEDTLS_SHA256_C)
case MBEDTLS_MD_MD5:
case MBEDTLS_MD_SHA1:
case MBEDTLS_MD_SHA256:
/* 8 bytes of message size, 64-byte compression blocks */
extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
( 13 + ssl->in_msglen + 8 ) / 64;
break;
#endif
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_MD_SHA384:
/* 16 bytes of message size, 128-byte compression blocks */
extra_run = ( 13 + ssl->in_msglen + padlen + 16 ) / 128 -
( 13 + ssl->in_msglen + 16 ) / 128;
break;
#endif
default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret );
return( ret );
}
extra_run &= correct * 0xFF;
mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 );
mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 );
mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 );
mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
ssl->in_msglen );
/* Make sure we access everything even when padlen > 0. This
* makes the synchronisation requirements for just-in-time
* Prime+Probe attacks much tighter and hopefully impractical. */
ssl_read_memory( ssl->in_msg + ssl->in_msglen, padlen );
mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
/* Dummy calls to compression function.
* Call mbedtls_md_process at least once due to cache attacks
* that observe whether md_process() was called of not.
* Respect the usual start-(process|update)-finish sequence for
* the sake of hardware accelerators that might require it. */
mbedtls_md_starts( &ssl->transform_in->md_ctx_dec );
for( j = 0; j < extra_run + 1; j++ )
mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
{
/* The switch statement above already checks that we're using
* one of MD-5, SHA-1, SHA-256 or SHA-384. */
unsigned char tmp[384 / 8];
mbedtls_md_finish( &ssl->transform_in->md_ctx_dec, tmp );
}
mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
/* Make sure we access all the memory that could contain the MAC,
* before we check it in the next code block. This makes the
* synchronisation requirements for just-in-time Prime+Probe

View File

@ -279,6 +279,9 @@ static const char *features[] = {
#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
"MBEDTLS_ECP_NORMALIZE_MXZ_ALT",
#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
"MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN",
#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */
#if defined(MBEDTLS_TEST_NULL_ENTROPY)
"MBEDTLS_TEST_NULL_ENTROPY",
#endif /* MBEDTLS_TEST_NULL_ENTROPY */

View File

@ -741,6 +741,14 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
if( strcmp( "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN );
return( 0 );
}
#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */
#if defined(MBEDTLS_TEST_NULL_ENTROPY)
if( strcmp( "MBEDTLS_TEST_NULL_ENTROPY", config ) == 0 )
{

View File

@ -128,6 +128,7 @@ MBEDTLS_REMOVE_3DES_CIPHERSUITES
MBEDTLS_REMOVE_ARC4_CIPHERSUITES
MBEDTLS_RSA_NO_CRT
MBEDTLS_SSL_HW_RECORD_ACCEL
MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
MBEDTLS_TEST_NULL_ENTROPY
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
MBEDTLS_ZLIB_SUPPORT

View File

@ -1031,6 +1031,24 @@ component_test_full_cmake_clang () {
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
component_test_memsan_constant_flow () {
# This tests both (1) accesses to undefined memory, and (2) branches or
# memory access depending on secret values. To distinguish between those:
# - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist?
# - or alternatively, change the build type to MemSanDbg, which enables
# origin tracking and nicer stack traces (which are useful for debugging
# anyway), and check if the origin was TEST_CF_SECRET() or something else.
msg "build: cmake MSan (clang), full config with constant flow testing"
scripts/config.pl full
scripts/config.pl set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
scripts/config.pl unset MBEDTLS_AESNI_C # memsan doesn't grok asm
CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
make
msg "test: main suites (Msan + constant flow)"
make test
}
component_test_default_no_deprecated () {
# Test that removing the deprecated features from the default
# configuration leaves something consistent.

View File

@ -46,6 +46,22 @@ typedef UINT32 uint32_t;
#include <strings.h>
#endif
#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
#include <sanitizer/msan_interface.h>
/* Use macros to avoid messing up with origin tracking */
#define TEST_CF_SECRET __msan_allocated_memory
// void __msan_allocated_memory(const volatile void* data, size_t size);
#define TEST_CF_PUBLIC __msan_unpoison
// void __msan_unpoison(const volatile void *a, size_t size);
#else /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */
#define TEST_CF_SECRET(ptr, size)
#define TEST_CF_PUBLIC(ptr, size)
#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */
/* Type for Hex parameters */
typedef struct data_tag
{

View File

@ -57,3 +57,19 @@ ssl_dtls_replay:"abcd12340000abcd12340100":"abcd123400ff":0
SSL SET_HOSTNAME memory leak: call ssl_set_hostname twice
ssl_set_hostname_twice:"server0":"server1"
Constant-flow HMAC: MD5
depends_on:MBEDTLS_MD5_C
ssl_cf_hmac:MBEDTLS_MD_MD5
Constant-flow HMAC: SHA1
depends_on:MBEDTLS_SHA1_C
ssl_cf_hmac:MBEDTLS_MD_SHA1
Constant-flow HMAC: SHA256
depends_on:MBEDTLS_SHA256_C
ssl_cf_hmac:MBEDTLS_MD_SHA256
Constant-flow HMAC: SHA384
depends_on:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
ssl_cf_hmac:MBEDTLS_MD_SHA384

View File

@ -52,3 +52,95 @@ void ssl_set_hostname_twice( char *hostname0, char *hostname1 )
mbedtls_ssl_free( &ssl );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
void ssl_cf_hmac( int hash )
{
/*
* Test the function mbedtls_ssl_cf_hmac() against a reference
* implementation.
*/
mbedtls_md_context_t ctx, ref_ctx;
const mbedtls_md_info_t *md_info;
size_t out_len, block_size;
size_t min_in_len, in_len, max_in_len, i;
/* TLS additional data is 13 bytes (hence the "lucky 13" name) */
unsigned char add_data[13];
unsigned char ref_out[MBEDTLS_MD_MAX_SIZE];
unsigned char *data = NULL;
unsigned char *out = NULL;
unsigned char rec_num = 0;
mbedtls_md_init( &ctx );
mbedtls_md_init( &ref_ctx );
md_info = mbedtls_md_info_from_type( hash );
TEST_ASSERT( md_info != NULL );
out_len = mbedtls_md_get_size( md_info );
TEST_ASSERT( out_len != 0 );
block_size = hash == MBEDTLS_MD_SHA384 ? 128 : 64;
/* Use allocated out buffer to catch overwrites */
out = mbedtls_calloc( 1, out_len );
TEST_ASSERT( out != NULL );
/* Set up contexts with the given hash and a dummy key */
TEST_ASSERT( 0 == mbedtls_md_setup( &ctx, md_info, 1 ) );
TEST_ASSERT( 0 == mbedtls_md_setup( &ref_ctx, md_info, 1 ) );
memset( ref_out, 42, sizeof( ref_out ) );
TEST_ASSERT( 0 == mbedtls_md_hmac_starts( &ctx, ref_out, out_len ) );
TEST_ASSERT( 0 == mbedtls_md_hmac_starts( &ref_ctx, ref_out, out_len ) );
memset( ref_out, 0, sizeof( ref_out ) );
/*
* Test all possible lengths up to a point. The difference between
* max_in_len and min_in_len is at most 255, and make sure they both vary
* by at least one block size.
*/
for( max_in_len = 0; max_in_len <= 255 + block_size; max_in_len++ )
{
/* Use allocated in buffer to catch overreads */
data = mbedtls_calloc( 1, max_in_len );
TEST_ASSERT( data != NULL || max_in_len == 0 );
min_in_len = max_in_len > 255 ? max_in_len - 255 : 0;
for( in_len = min_in_len; in_len <= max_in_len; in_len++ )
{
/* Set up dummy data and add_data */
rec_num++;
memset( add_data, rec_num, sizeof( add_data ) );
for( i = 0; i < in_len; i++ )
data[i] = ( i & 0xff ) ^ rec_num;
/* Get the function's result */
TEST_CF_SECRET( &in_len, sizeof( in_len ) );
TEST_ASSERT( 0 == mbedtls_ssl_cf_hmac( &ctx, add_data, sizeof( add_data ),
data, in_len,
min_in_len, max_in_len,
out ) );
TEST_CF_PUBLIC( &in_len, sizeof( in_len ) );
TEST_CF_PUBLIC( out, out_len );
/* Compute the reference result */
TEST_ASSERT( 0 == mbedtls_md_hmac_update( &ref_ctx, add_data,
sizeof( add_data ) ) );
TEST_ASSERT( 0 == mbedtls_md_hmac_update( &ref_ctx, data, in_len ) );
TEST_ASSERT( 0 == mbedtls_md_hmac_finish( &ref_ctx, ref_out ) );
TEST_ASSERT( 0 == mbedtls_md_hmac_reset( &ref_ctx ) );
/* Compare */
TEST_ASSERT( 0 == memcmp( out, ref_out, out_len ) );
}
mbedtls_free( data );
data = NULL;
}
exit:
mbedtls_md_free( &ref_ctx );
mbedtls_md_free( &ctx );
mbedtls_free( data );
mbedtls_free( out );
}
/* END_CASE */