diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 1cafed9581..a61917d23f 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -9374,101 +9374,21 @@ Record crypt, little space, NULL cipher, SSL3, MD5, short tag, EtM depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_MD5_C:MBEDTLS_SSL_ENCRYPT_THEN_MAC ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:1:MBEDTLS_SSL_MINOR_VERSION_0:0:0 -Decrypt CBC !EtM, AES SHA256 !trunc, 0, good min pad, good mac +Decrypt CBC !EtM, AES SHA256 !trunc, 0, minpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":0 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0 -Decrypt CBC !EtM, AES SHA256 !trunc, 0, good min pad, bad mac +Decrypt CBC !EtM, AES SHA256 !trunc, 0, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1 -Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (byte 0), good mac +Decrypt CBC !EtM, AES SHA256 trunc, 0, minpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0E0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0 -Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (byte 0), bad mac +Decrypt CBC !EtM, AES SHA256 trunc, 0, maxpad depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"0E0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad min pad (len), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0E":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, overlong pad 1, good mac 
-depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"10101010101010101010101010101010":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, overlong pad 2, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"30303030303030303030303030303030":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, good maxlen pad, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":0 - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, good maxlen pad, bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen pad (byte 0), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"fEffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen pad (byte 0), bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:1:"fEffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 !trunc, 0, bad maxlen (len), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:0:"fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffE":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, good min pad, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"050505050505":0 - -Decrypt CBC !EtM, AES SHA256 trunc, 0, good min pad, bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"050505050505":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (byte 0), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"040505050505":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (byte 0), bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"040505050505":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad min pad (len), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"050505050504":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, overlong pad 1, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"060606060606":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, 
AES SHA256 trunc, 0, overlong pad 2, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"101010101010":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, good maxlen pad, good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":0 - -Decrypt CBC !EtM, AES SHA256 trunc, 0, good maxlen pad, bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen pad (byte 0), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"E5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen pad (byte 0), bad mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1:"E5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5":MBEDTLS_ERR_SSL_INVALID_MAC - -Decrypt CBC !EtM, AES SHA256 trunc, 0, bad maxlen (len), good mac -depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C 
-ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:0:"f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f4":MBEDTLS_ERR_SSL_INVALID_MAC +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:1 SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 7f64f2917d..4cefc8d7db 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3454,12 +3454,11 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2 */ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, - int plaintext_len, int badmac, data_t *padding, - int exp_ret ) + int plaintext_len, int pad_long ) { /* - * Test record decryption for CBC without EtM with possibly incorrect - * padding (provided as input) or MAC (generated by this function). + * Test record decryption for CBC without EtM, focused on the verification + * of padding and MAC. * * Actually depends on TLS >= 1.0 (SSL 3.0 computes the MAC differently), * but since the test framework doesn't support alternation in dependency 
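Review bot: All four replacement cases in this hunk pass 0 as plaintext_len (the `:0:0:0`, `:0:0:1`, `:1:0:0` and `:1:0:1` tails), so the per-byte corruption loop in ssl_decrypt_non_etm_cbc never touches a plaintext byte and the MAC always sits at the same offset relative to the block boundary. Because the padding length is now derived from plaintext_len instead of being supplied, the lengths on either side of a block boundary are where the derived value changes and are worth exercising. Consider adding cases with a non-zero length, for example (constructed) `ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:15:0` with a matching title line, unless cases outside this hunk already cover them.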
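Review bot: The rewritten header comment of ssl_decrypt_non_etm_cbc does not say what the new `pad_long` argument selects, and the test data passes it as a bare 0 or 1. A line in the comment such as `* pad_long: 0 for the shortest valid padding, non-zero for the longest padding that fits in 255 bytes.` would let a reader interpret the .data entries without tracing the padlen computation further down. The function body continues outside this hunk.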
@@ -3467,12 +3466,14 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, */ mbedtls_ssl_context ssl; /* ONLY for debugging */ mbedtls_ssl_transform t0, t1; - mbedtls_record rec; - unsigned char *buf = NULL; + mbedtls_record rec, rec_save; + unsigned char *buf = NULL, *buf_save = NULL; size_t buflen, olen = 0; - const size_t rec_data_offset = 16; /* IV size */ + size_t block_size, i; + unsigned char padlen; unsigned char add_data[13]; unsigned char mac[MBEDTLS_MD_MAX_SIZE]; + int exp_ret; mbedtls_ssl_init( &ssl ); mbedtls_ssl_transform_init( &t0 ); @@ -3484,12 +3485,21 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, MBEDTLS_SSL_MINOR_VERSION_3, 0 , 0 ) == 0 ); + /* Determine padding length */ + block_size = t0.ivlen; + padlen = block_size - ( plaintext_len + t0.maclen + 1 ) % block_size; + if( padlen == block_size ) + padlen = 0; + if( pad_long ) + padlen += block_size * ( ( 255 - padlen ) / block_size ); + /* Prepare a buffer for record data */ - buflen = rec_data_offset + buflen = block_size + plaintext_len + t0.maclen - + padding->len; + + padlen + 1; ASSERT_ALLOC( buf, buflen ); + ASSERT_ALLOC( buf_save, buflen ); /* Prepare a dummy record header */ memset( rec.ctr, 0, sizeof( rec.ctr ) ); 
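Review bot: In the `@@ -3484,12 +3485,21 @@` hunk, `block_size` is taken from `t0.ivlen` and used as a divisor on the very next added line without any check, while the old code asserted `t0.ivlen == rec_data_offset` before relying on it (that assertion is removed later in this commit). If the function is ever given a cipher type whose transform reports a zero IV length (presumably possible for non-CBC ciphers), the test would hit a division by zero instead of failing cleanly; adding `TEST_ASSERT( block_size != 0 );` right after the assignment keeps the failure inside the test framework. A short comment stating that the IV length is being used as the CBC block size would also make the assumption explicit. The function starts and ends outside this hunk.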
@@ -3503,17 +3513,11 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, /* Prepare dummy record content */ rec.buf = buf; rec.buf_len = buflen; - rec.data_offset = rec_data_offset; + rec.data_offset = block_size; rec.data_len = plaintext_len; memset( rec.buf + rec.data_offset, 42, rec.data_len ); - /* - * MAC, "pad" and encrypt - this near-duplicates the TLS 1.x non-EtM CBC - * code path of mbedtls_ssl_encrypt_buf(), but with user-provided padding, - * and possibly wrong HMAC. Also, without safety checks or CID support. - */ - - /* MAC with additional data */ + /* Serialized version of record header for MAC purposes */ memcpy( add_data, rec.ctr, 8 ); add_data[8] = rec.type; add_data[9] = rec.ver[0]; @@ -3521,6 +3525,15 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, add_data[11] = ( rec.data_len >> 8 ) & 0xff; add_data[12] = ( rec.data_len >> 0 ) & 0xff; + /* Set dummy IV */ + memset( t0.iv_enc, 0x55, t0.ivlen ); + memcpy( rec.buf, t0.iv_enc, t0.ivlen ); + + /* + * Prepare a pre-encryption record (with MAC and padding), and save it. + */ + + /* MAC with additional data */ TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, add_data, 13 ) ); TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, rec.buf + rec.data_offset, 
@@ -3530,18 +3543,18 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, memcpy( rec.buf + rec.data_offset + rec.data_len, mac, t0.maclen ); rec.data_len += t0.maclen; - /* Possibly falsify the MAC */ - rec.buf[rec.data_offset + rec.data_len - 1] ^= badmac; + /* Pad */ + memset( rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1 ); + rec.data_len += padlen + 1; - /* Append the user-provided padding */ - memcpy( rec.buf + rec.data_offset + rec.data_len, padding->x, padding->len ); - rec.data_len += padding->len; - - /* Set dummy IV and encrypt */ - memset( t0.iv_enc, 0x55, t0.ivlen ); - TEST_ASSERT( t0.ivlen == rec_data_offset ); - memcpy( rec.buf, t0.iv_enc, rec_data_offset ); + /* Save correct pre-encryption record */ + rec_save = rec; + rec_save.buf = buf_save; + memcpy( buf_save, buf, buflen ); + /* + * Encrypt and decrypt the correct record, expecting success + */ TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset, rec.data_len, 
@@ -3549,16 +3562,80 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac, rec.data_offset -= t0.ivlen; rec.data_len += t0.ivlen; + TEST_EQUAL( 0, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) ); + /* - * Try to decrypt and check that we get the expected result + * Modify each byte of the pre-encryption record before encrypting and + * decrypting it, expecting failure every time. */ - TEST_EQUAL( exp_ret, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) ); + for( i = block_size; i < buflen; i++ ) + { + test_set_step( i ); + + /* Restore correct pre-encryption record */ + rec = rec_save; + rec.buf = buf; + memcpy( buf, buf_save, buflen ); + + /* Flip one bit of the data (could be plaintext, MAC or padding) */ + rec.buf[i] ^= 0x01; + + /* Encrypt */ + TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc, + t0.iv_enc, t0.ivlen, + rec.buf + rec.data_offset, rec.data_len, + rec.buf + rec.data_offset, &olen ) ); + rec.data_offset -= t0.ivlen; + rec.data_len += t0.ivlen; + + /* Decrypt and expect failure */ + TEST_EQUAL( MBEDTLS_ERR_SSL_INVALID_MAC, + mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) ); + } + + /* + * Use larger values of the padding bytes - with small buffers, this tests + * the case where the announced padlen would be larger than the buffer + * (and before that, than the buffer minus the size of the MAC), to make + * sure our padding checking code does not perform any out-of-bounds reads + * in this case. (With larger buffers, ie when the plaintext is long or + * maximal length padding is used, this is less relevant but still doesn't + * hurt to test.) + * + * (Start the loop with correct padding, just to double-check that record + * saving did work, and that we're overwriting the correct bytes.) 
+ */ + for( i = padlen; i <= 255; i++ ) + { + test_set_step( i ); + + /* Restore correct pre-encryption record */ + rec = rec_save; + rec.buf = buf; + memcpy( buf, buf_save, buflen ); + + /* Set padding bytes to new value */ + memset( buf + buflen - padlen - 1, i, padlen + 1 ); + + /* Encrypt */ + TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc, + t0.iv_enc, t0.ivlen, + rec.buf + rec.data_offset, rec.data_len, + rec.buf + rec.data_offset, &olen ) ); + rec.data_offset -= t0.ivlen; + rec.data_len += t0.ivlen; + + /* Decrypt and expect failure except the first time */ + exp_ret = ( i == padlen ) ? 0 : MBEDTLS_ERR_SSL_INVALID_MAC; + TEST_EQUAL( exp_ret, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) ); + } exit: mbedtls_ssl_free( &ssl ); mbedtls_ssl_transform_free( &t0 ); mbedtls_ssl_transform_free( &t1 ); mbedtls_free( buf ); + mbedtls_free( buf_save ); } /* END_CASE */
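Review bot: The comment on the second loop says it makes sure the padding check performs no out-of-bounds reads, but the only assertion in that loop is on the return value of `mbedtls_ssl_decrypt_buf`, so an over-read would go unnoticed in a plain build. The comment should say that the property is only checked when the suite runs under a memory checker, for example by adding `* (An over-read is only detected when running under ASan or Valgrind.)`. In the same way, both loops pin the error code to `MBEDTLS_ERR_SSL_INVALID_MAC` for padding and MAC corruption alike, which is the right functional check, but they say nothing about the timing of the check; a one-line remark that timing behaviour is out of scope here would prevent the test from being read as covering it. Both loops also call `test_set_step( i )` over overlapping ranges, so a reported step alone does not identify which loop failed.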