From aa9ffc5e98f1c375efb6787e12d6537da2e99327 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 3 Sep 2013 16:19:22 +0200 Subject: [PATCH] Split tag handling out of cipher_finish() --- include/polarssl/cipher.h | 35 +++++++++--- library/cipher.c | 73 ++++++++++++++++--------- library/pkcs12.c | 5 +- library/pkcs5.c | 5 +- programs/aes/crypt_and_hash.c | 4 +- tests/suites/test_suite_cipher.function | 20 +++---- 6 files changed, 88 insertions(+), 54 deletions(-) diff --git a/include/polarssl/cipher.h b/include/polarssl/cipher.h index 7dea1e214..dc5a41ca3 100644 --- a/include/polarssl/cipher.h +++ b/include/polarssl/cipher.h @@ -519,11 +519,6 @@ int cipher_update( cipher_context_t *ctx, const unsigned char *input, size_t ile * \param ctx Generic cipher context * \param output buffer to write data to. Needs block_size available. * \param olen length of the data written to the output buffer. - * \param tag Ignore by non-AEAD ciphers. For AEAD ciphers: - * - on encryption: buffer to write the tag; - * - on decryption: tag to verify. - * May be NULL if tag_len is zero. - * \param tag_len Length of the tag to write/check for AEAD ciphers. * * \returns 0 on success, POLARSSL_ERR_CIPHER_BAD_INPUT_DATA if * parameter verification fails, @@ -533,8 +528,34 @@ int cipher_update( cipher_context_t *ctx, const unsigned char *input, size_t ile * while decrypting or a cipher specific error code. */ int cipher_finish( cipher_context_t *ctx, - unsigned char *output, size_t *olen, - unsigned char *tag, size_t tag_len ); + unsigned char *output, size_t *olen ); + +/** + * \brief Write tag for AEAD ciphers. + * No effect for other ciphers. + * Must be called after cipher_finish(). + * + * \param tag buffer to write the tag + * \param tag_len Length of the tag to write + * + * \return 0 on success, or a specific error code. + */ +int cipher_write_tag( cipher_context_t *ctx, + unsigned char *tag, size_t tag_len ); + +/** + * \brief Check tag for AEAD ciphers. + * No effect for other ciphers. + * Calling time depends on the cipher: + * for GCM, must be called after cipher_finish(). + * + * \param tag Buffer holding the tag + * \param tag_len Length of the tag to check + * + * \return 0 on success, or a specific error code. + */ +int cipher_check_tag( cipher_context_t *ctx, + const unsigned char *tag, size_t tag_len ); /** * \brief Checkup routine diff --git a/library/cipher.c b/library/cipher.c index f8e2841d2..a90e2dcd9 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -777,8 +777,7 @@ static int get_no_padding( unsigned char *input, size_t input_len, } int cipher_finish( cipher_context_t *ctx, - unsigned char *output, size_t *olen, - unsigned char *tag, size_t tag_len ) + unsigned char *output, size_t *olen ) { int ret = 0; @@ -797,10 +796,6 @@ int cipher_finish( cipher_context_t *ctx, #if defined(POLARSSL_GCM_C) if( POLARSSL_MODE_GCM == ctx->cipher_info->mode ) { - unsigned char check_tag[16]; - size_t i; - int diff; - if( 0 != ( ret = gcm_update( ctx->cipher_ctx, ctx->unprocessed_len, ctx->unprocessed_data, output ) ) ) @@ -810,29 +805,8 @@ int cipher_finish( cipher_context_t *ctx, *olen += ctx->unprocessed_len; - if( 0 != ( ret = gcm_finish( ctx->cipher_ctx, check_tag, tag_len ) ) ) - return( ret ); - - /* On encryption, write the tag */ - if( POLARSSL_ENCRYPT == ctx->operation ) - { - if( tag_len != 0 ) - memcpy( tag, check_tag, tag_len ); - return( 0 ); - } - - /* On decryption, check the tag (in "constant-time") */ - for( diff = 0, i = 0; i < tag_len; i++ ) - diff |= tag[i] ^ check_tag[i]; - - if( diff != 0 ) - return( POLARSSL_ERR_GCM_AUTH_FAILED ); - return( 0 ); } -#else - ((void) tag); - ((void) tag_len); #endif if( POLARSSL_MODE_CBC == ctx->cipher_info->mode ) @@ -930,6 +904,51 @@ int cipher_set_padding_mode( cipher_context_t *ctx, cipher_padding_t mode ) return 0; } +int cipher_write_tag( cipher_context_t *ctx, + unsigned char *tag, size_t tag_len ) +{ + if( NULL == ctx || NULL == ctx->cipher_info || NULL == tag ) + return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA; + + if( POLARSSL_MODE_GCM != ctx->cipher_info->mode ) + return( 0 ); + + if( POLARSSL_ENCRYPT != ctx->operation ) + return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA; + + return gcm_finish( ctx->cipher_ctx, tag, tag_len ); +} + +int cipher_check_tag( cipher_context_t *ctx, + const unsigned char *tag, size_t tag_len ) +{ + int ret; + unsigned char check_tag[16]; + size_t i; + int diff; + + if( NULL == ctx || NULL == ctx->cipher_info ) + return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA; + + if( POLARSSL_MODE_GCM != ctx->cipher_info->mode ) + return( 0 ); + + if( POLARSSL_DECRYPT != ctx->operation || tag_len > sizeof( check_tag ) ) + return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA; + + if( 0 != ( ret = gcm_finish( ctx->cipher_ctx, check_tag, tag_len ) ) ) + return( ret ); + + /* On decryption, check the tag (in "constant-time") */ + for( diff = 0, i = 0; i < tag_len; i++ ) + diff |= tag[i] ^ check_tag[i]; + + if( diff != 0 ) + return( POLARSSL_ERR_GCM_AUTH_FAILED ); + + return( 0 ); +} + #if defined(POLARSSL_SELF_TEST) #include diff --git a/library/pkcs12.c b/library/pkcs12.c index 98ebd8876..335af7ebf 100644 --- a/library/pkcs12.c +++ b/library/pkcs12.c @@ -196,11 +196,8 @@ int pkcs12_pbe( asn1_buf *pbe_params, int mode, goto exit; } - if( ( ret = cipher_finish( &cipher_ctx, output + olen, &olen, NULL, 0 ) ) - != 0 ) - { + if( ( ret = cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 ) ret = POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH; - } exit: cipher_free_ctx( &cipher_ctx ); diff --git a/library/pkcs5.c b/library/pkcs5.c index a27d4fb04..0b9830dc6 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c @@ -199,11 +199,8 @@ int pkcs5_pbes2( asn1_buf *pbe_params, int mode, goto exit; } - if( ( ret = cipher_finish( &cipher_ctx, output + olen, &olen, NULL, 0 ) ) - != 0 ) - { + if( ( ret = cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 ) ret = POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH; - } exit: md_free_ctx( &md_ctx ); diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c index c46713d15..6caaad872 100644 --- a/programs/aes/crypt_and_hash.c +++ b/programs/aes/crypt_and_hash.c @@ -343,7 +343,7 @@ int main( int argc, char *argv[] ) } } - if( cipher_finish( &cipher_ctx, output, &olen, NULL, 0 ) != 0 ) + if( cipher_finish( &cipher_ctx, output, &olen ) != 0 ) { fprintf( stderr, "cipher_finish() returned error\n" ); goto exit; @@ -461,7 +461,7 @@ int main( int argc, char *argv[] ) /* * Write the final block of data */ - cipher_finish( &cipher_ctx, output, &olen, NULL, 0 ); + cipher_finish( &cipher_ctx, output, &olen ); if( fwrite( output, 1, olen, fout ) != olen ) { diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index aa82daae9..5d32bc3d1 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -76,10 +76,11 @@ void enc_dec_buf( int cipher_id, char *cipher_string, int key_len, total_len < length && total_len + cipher_get_block_size( &ctx_enc ) > length ) ); - TEST_ASSERT( 0 == cipher_finish( &ctx_enc, encbuf + outlen, &outlen, - tag, 16 ) ); + TEST_ASSERT( 0 == cipher_finish( &ctx_enc, encbuf + outlen, &outlen ) ); total_len += outlen; + TEST_ASSERT( 0 == cipher_write_tag( &ctx_enc, tag, 16 ) ); + TEST_ASSERT( total_len == length || ( total_len % cipher_get_block_size( &ctx_enc ) == 0 && total_len > length && @@ -94,10 +95,11 @@ void enc_dec_buf( int cipher_id, char *cipher_string, int key_len, total_len < length && total_len + cipher_get_block_size( &ctx_dec ) >= length ) ); - TEST_ASSERT( 0 == cipher_finish( &ctx_dec, decbuf + outlen, &outlen, - tag, 16 ) ); + TEST_ASSERT( 0 == cipher_finish( &ctx_dec, decbuf + outlen, &outlen ) ); total_len += outlen; + TEST_ASSERT( 0 == cipher_check_tag( &ctx_dec, tag, 16 ) ); + TEST_ASSERT( total_len == length ); TEST_ASSERT( 0 == memcmp(inbuf, decbuf, length) ); @@ -145,7 +147,7 @@ void enc_fail( int cipher_id, int pad_mode, int key_len, /* encode length number of bytes from inbuf */ TEST_ASSERT( 0 == cipher_update( &ctx, inbuf, length, encbuf, &outlen ) ); - TEST_ASSERT( ret == cipher_finish( &ctx, encbuf + outlen, &outlen, NULL, 0 ) ); + TEST_ASSERT( ret == cipher_finish( &ctx, encbuf + outlen, &outlen ) ); /* done */ TEST_ASSERT( 0 == cipher_free_ctx( &ctx ) ); @@ -192,7 +194,7 @@ void dec_empty_buf() TEST_ASSERT( 0 == cipher_update( &ctx_dec, encbuf, 0, decbuf, &outlen ) ); TEST_ASSERT( 0 == outlen ); TEST_ASSERT( POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED == cipher_finish( - &ctx_dec, decbuf + outlen, &outlen, NULL, 0 ) ); + &ctx_dec, decbuf + outlen, &outlen ) ); TEST_ASSERT( 0 == outlen ); TEST_ASSERT( 0 == cipher_free_ctx( &ctx_dec ) ); @@ -259,8 +261,7 @@ void enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_val, totaloutlen < length && totaloutlen + cipher_get_block_size( &ctx_enc ) > length ) ); - TEST_ASSERT( 0 == cipher_finish( &ctx_enc, encbuf + totaloutlen, &outlen, - NULL, 0 ) ); + TEST_ASSERT( 0 == cipher_finish( &ctx_enc, encbuf + totaloutlen, &outlen ) ); totaloutlen += outlen; TEST_ASSERT( totaloutlen == length || ( totaloutlen % cipher_get_block_size( &ctx_enc ) == 0 && @@ -276,8 +277,7 @@ void enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_val, totaloutlen < length && totaloutlen + cipher_get_block_size( &ctx_dec ) >= length ) ); - TEST_ASSERT( 0 == cipher_finish( &ctx_dec, decbuf + outlen, &outlen, - NULL, 0 ) ); + TEST_ASSERT( 0 == cipher_finish( &ctx_dec, decbuf + outlen, &outlen ) ); totaloutlen += outlen; TEST_ASSERT( totaloutlen == length );