From e9af0136b9d7ae25a1cb61e7ac26fdd98f03bfd5 Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Wed, 25 Jan 2023 09:32:37 +1000 Subject: [PATCH] AES XTS: encrypt not handling in-place properly Fix AES XTS in-place encrypt to work when ciphertext stealing. --- wolfcrypt/src/aes.c | 13 +++++++-- wolfcrypt/test/test.c | 62 +++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 71 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 43fa5a8c2..48f531a0c 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -12014,8 +12014,17 @@ int wc_AesXtsEncrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz, RESTORE_VECTOR_REGISTERS(); return BUFFER_E; } - XMEMCPY(out, buf, sz); - XMEMCPY(buf, in, sz); + if (in != out) { + XMEMCPY(out, buf, sz); + XMEMCPY(buf, in, sz); + } + else { + byte buf2[AES_BLOCK_SIZE]; + + XMEMCPY(buf2, buf, sz); + XMEMCPY(buf, in, sz); + XMEMCPY(out, buf2, sz); + } xorbuf(buf, tmp, AES_BLOCK_SIZE); ret = wc_AesEncryptDirect(aes, out - AES_BLOCK_SIZE, buf); diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 1c5e31792..6eed31da9 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -8438,8 +8438,8 @@ static int aes_xts_128_test(void) #endif int aes_inited = 0; int ret = 0; - unsigned char buf[AES_BLOCK_SIZE * 2]; - unsigned char cipher[AES_BLOCK_SIZE * 2]; + unsigned char buf[AES_BLOCK_SIZE * 2 + 8]; + unsigned char cipher[AES_BLOCK_SIZE * 2 + 8]; /* 128 key tests */ WOLFSSL_SMALL_STACK_STATIC unsigned char k1[] = { @@ -8497,6 +8497,31 @@ static int aes_xts_128_test(void) 0xff, 0x8d, 0xbc, 0x1d, 0x9f, 0x7f, 0xc8, 0x22 }; + WOLFSSL_SMALL_STACK_STATIC unsigned char k3[] = { + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + }; + WOLFSSL_SMALL_STACK_STATIC unsigned char i3[] = { + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + }; + WOLFSSL_SMALL_STACK_STATIC unsigned char p3[] = { + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0xff, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20 + }; + WOLFSSL_SMALL_STACK_STATIC unsigned char c3[] = { + 0xA2, 0x07, 0x47, 0x76, 0x3F, 0xEC, 0x0C, 0x23, + 0x1B, 0xD0, 0xBD, 0x46, 0x9A, 0x27, 0x38, 0x12, + 0x95, 0x02, 0x3D, 0x5D, 0xC6, 0x94, 0x51, 0x36, + 0xA0, 0x85, 0xD2, 0x69, 0x6E, 0x87, 0x0A, 0xBF, + 0xB5, 0x5A, 0xDD, 0xCB, 0x80, 0xE0, 0xFC, 0xCD + }; + #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC) if ((aes = (XtsAes *)XMALLOC(sizeof *aes, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL) ERROR_OUT(-5417, out); @@ -8604,6 +8629,39 @@ static int aes_xts_128_test(void) if (XMEMCMP(p2, buf, sizeof(p2))) ERROR_OUT(-5416, out); + wc_AesXtsFree(aes); + + /* Test ciphertext stealing in-place. */ + XMEMCPY(buf, p3, sizeof(p3)); + if (wc_AesXtsSetKey(aes, k3, sizeof(k3), AES_ENCRYPTION, + HEAP_HINT, devId) != 0) + ERROR_OUT(-5417, out); + else + aes_inited = 1; + + ret = wc_AesXtsEncrypt(aes, buf, buf, sizeof(p3), i3, sizeof(i3)); +#if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE); +#endif + if (ret != 0) + ERROR_OUT(-5418, out); + if (XMEMCMP(c3, buf, sizeof(c3))) + ERROR_OUT(-5419, out); + + wc_AesXtsFree(aes); + + if (wc_AesXtsSetKey(aes, k3, sizeof(k3), AES_DECRYPTION, + HEAP_HINT, devId) != 0) + ERROR_OUT(-5420, out); + ret = wc_AesXtsDecrypt(aes, buf, buf, sizeof(c3), i3, sizeof(i3)); +#if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE); +#endif + if (ret != 0) + ERROR_OUT(-5421, out); + if (XMEMCMP(p3, buf, sizeof(p3))) + ERROR_OUT(-5422, out); + out: if (aes_inited)