AES XTS: encrypt not handling in-place properly

Fix AES XTS in-place encrypt to work when ciphertext stealing.
2023-01-25 09:32:37 +10:00 · 2023-01-25 09:32:37 +10:00 · e9af0136b9
parent a21c3a3c89
commit e9af0136b9
2 changed files with 71 additions and 4 deletions
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@ -12014,8 +12014,17 @@ int wc_AesXtsEncrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
                RESTORE_VECTOR_REGISTERS();
                return BUFFER_E;
            }
+            if (in != out) {
                XMEMCPY(out, buf, sz);
                XMEMCPY(buf, in, sz);
+            }
+            else {
+                byte buf2[AES_BLOCK_SIZE];
+
+                XMEMCPY(buf2, buf, sz);
+                XMEMCPY(buf, in, sz);
+                XMEMCPY(out, buf2, sz);
+            }

            xorbuf(buf, tmp, AES_BLOCK_SIZE);
            ret = wc_AesEncryptDirect(aes, out - AES_BLOCK_SIZE, buf);
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@ -8438,8 +8438,8 @@ static int aes_xts_128_test(void)
 #endif
    int aes_inited = 0;
    int ret = 0;
-    unsigned char buf[AES_BLOCK_SIZE * 2];
-    unsigned char cipher[AES_BLOCK_SIZE * 2];
+    unsigned char buf[AES_BLOCK_SIZE * 2 + 8];
+    unsigned char cipher[AES_BLOCK_SIZE * 2 + 8];

    /* 128 key tests */
    WOLFSSL_SMALL_STACK_STATIC unsigned char k1[] = {
@ -8497,6 +8497,31 @@ static int aes_xts_128_test(void)
        0xff, 0x8d, 0xbc, 0x1d, 0x9f, 0x7f, 0xc8, 0x22
    };

+    WOLFSSL_SMALL_STACK_STATIC unsigned char k3[] = {
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+    };
+    WOLFSSL_SMALL_STACK_STATIC unsigned char i3[] = {
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+    };
+    WOLFSSL_SMALL_STACK_STATIC unsigned char p3[] = {
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0xff, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20
+    };
+    WOLFSSL_SMALL_STACK_STATIC unsigned char c3[] = {
+        0xA2, 0x07, 0x47, 0x76, 0x3F, 0xEC, 0x0C, 0x23,
+        0x1B, 0xD0, 0xBD, 0x46, 0x9A, 0x27, 0x38, 0x12,
+        0x95, 0x02, 0x3D, 0x5D, 0xC6, 0x94, 0x51, 0x36,
+        0xA0, 0x85, 0xD2, 0x69, 0x6E, 0x87, 0x0A, 0xBF,
+        0xB5, 0x5A, 0xDD, 0xCB, 0x80, 0xE0, 0xFC, 0xCD
+    };
+
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
    if ((aes = (XtsAes *)XMALLOC(sizeof *aes, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
        ERROR_OUT(-5417, out);
@ -8604,6 +8629,39 @@ static int aes_xts_128_test(void)
    if (XMEMCMP(p2, buf, sizeof(p2)))
        ERROR_OUT(-5416, out);

+    wc_AesXtsFree(aes);
+
+    /* Test ciphertext stealing in-place. */
+    XMEMCPY(buf, p3, sizeof(p3));
+    if (wc_AesXtsSetKey(aes, k3, sizeof(k3), AES_ENCRYPTION,
+            HEAP_HINT, devId) != 0)
+        ERROR_OUT(-5417, out);
+    else
+        aes_inited = 1;
+
+    ret = wc_AesXtsEncrypt(aes, buf, buf, sizeof(p3), i3, sizeof(i3));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        ERROR_OUT(-5418, out);
+    if (XMEMCMP(c3, buf, sizeof(c3)))
+        ERROR_OUT(-5419, out);
+
+    wc_AesXtsFree(aes);
+
+    if (wc_AesXtsSetKey(aes, k3, sizeof(k3), AES_DECRYPTION,
+            HEAP_HINT, devId) != 0)
+        ERROR_OUT(-5420, out);
+    ret = wc_AesXtsDecrypt(aes, buf, buf, sizeof(c3), i3, sizeof(i3));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        ERROR_OUT(-5421, out);
+    if (XMEMCMP(p3, buf, sizeof(p3)))
+        ERROR_OUT(-5422, out);
+
  out:

    if (aes_inited)