diff --git a/ChangeLog.d/ssl_decrypt_buf-short_record.txt b/ChangeLog.d/ssl_decrypt_buf-short_record.txt new file mode 100644 index 0000000000..c2af1ec2a9 --- /dev/null +++ b/ChangeLog.d/ssl_decrypt_buf-short_record.txt @@ -0,0 +1,3 @@ +Security + * Fix a buffer overread when parsing short TLS application data records in + null-cipher cipher suites. Credit to OSS-Fuzz. diff --git a/library/ssl_msg.c b/library/ssl_msg.c index c8ffc1ede2..2726cbc9d5 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1546,8 +1546,16 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl, #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) { + if (rec->data_len < transform->maclen) { + MBEDTLS_SSL_DEBUG_MSG(1, + ("Record too short for MAC:" + " %" MBEDTLS_PRINTF_SIZET " < %" MBEDTLS_PRINTF_SIZET, + rec->data_len, transform->maclen)); + return MBEDTLS_ERR_SSL_INVALID_MAC; + } + /* The only supported stream cipher is "NULL", - * so there's nothing to do here.*/ + * so there's no encryption to do here.*/ } else #endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */ #if defined(MBEDTLS_GCM_C) || \ @@ -2010,7 +2018,7 @@ hmac_failed_etm_enabled: unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD] = { 0 }; unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD] = { 0 }; - /* If the initial value of padlen was such that + /* For CBC+MAC, If the initial value of padlen was such that * data_len < maclen + padlen + 1, then padlen * got reset to 1, and the initial check * data_len >= minlen + maclen + 1 @@ -2022,6 +2030,9 @@ hmac_failed_etm_enabled: * subtracted either padlen + 1 (if the padding was correct) * or 0 (if the padding was incorrect) since then, * hence data_len >= maclen in any case. + * + * For stream ciphers, we checked above that + * data_len >= maclen. */ rec->data_len -= transform->maclen; ssl_extract_add_data_from_record(add_data, &add_data_len, rec, diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 1f160c7eb0..ddbd6a39e1 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -516,6 +516,27 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, size_t cid0_len, size_t cid1_len); +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) +/** + * \param[in,out] record The record to prepare. + * It must contain the data to MAC at offset + * `record->data_offset`, of length + * `record->data_length`. + * On success, write the MAC immediately + * after the data and increment + * `record->data_length` accordingly. + * \param[in,out] transform_out The out transform, typically prepared by + * mbedtls_test_ssl_build_transforms(). + * Its HMAC context may be used. Other than that + * it is treated as an input parameter. + * + * \return 0 on success, an `MBEDTLS_ERR_xxx` error code + * or -1 on error. + */ +int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record, + mbedtls_ssl_transform *transform_out); +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ + /* * Populate a session structure for serialization tests. * Choose dummy values, mostly non-0 to distinguish from the init default. diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 9144d85ba5..5c305cb0a0 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -1467,6 +1467,64 @@ cleanup: return ret; } +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) +int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record, + mbedtls_ssl_transform *transform_out) +{ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; +#endif + + /* Serialized version of record header for MAC purposes */ + unsigned char add_data[13]; + memcpy(add_data, record->ctr, 8); + add_data[8] = record->type; + add_data[9] = record->ver[0]; + add_data[10] = record->ver[1]; + add_data[11] = (record->data_len >> 8) & 0xff; + add_data[12] = (record->data_len >> 0) & 0xff; + + /* MAC with additional data */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t sign_mac_length = 0; + TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_setup(&operation, + transform_out->psa_mac_enc, + transform_out->psa_mac_alg)); + TEST_EQUAL(PSA_SUCCESS, psa_mac_update(&operation, add_data, 13)); + TEST_EQUAL(PSA_SUCCESS, psa_mac_update(&operation, + record->buf + record->data_offset, + record->data_len)); + /* Use a temporary buffer for the MAC, because with the truncated HMAC + * extension, there might not be enough room in the record for the + * full-length MAC. */ + unsigned char mac[PSA_HASH_MAX_SIZE]; + TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_finish(&operation, + mac, sizeof(mac), + &sign_mac_length)); +#else + TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc, add_data, 13)); + TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc, + record->buf + record->data_offset, + record->data_len)); + /* Use a temporary buffer for the MAC, because with the truncated HMAC + * extension, there might not be enough room in the record for the + * full-length MAC. */ + unsigned char mac[MBEDTLS_MD_MAX_SIZE]; + TEST_EQUAL(0, mbedtls_md_hmac_finish(&transform_out->md_ctx_enc, mac)); +#endif + memcpy(record->buf + record->data_offset + record->data_len, mac, transform_out->maclen); + record->data_len += transform_out->maclen; + + return 0; + +exit: +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_mac_abort(&operation); +#endif + return -1; +} +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ + int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, int ticket_len, const char *crt_file) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 361c1606a7..af12f89591 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -2681,390 +2681,6 @@ Record crypt, little space, NULL cipher, 1.2, MD5, EtM depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0 -Decrypt CBC !EtM, AES MD5 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:-1 - -Decrypt CBC !EtM, AES MD5 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:-2 - -Decrypt CBC !EtM, AES MD5 !trunc, padlen=0 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0 - -Decrypt CBC !EtM, AES MD5 !trunc, padlen=240 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:240 - -Decrypt CBC !EtM, AES MD5 !trunc, padlen=1 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:1 - -Decrypt CBC !EtM, AES MD5 !trunc, padlen=241 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:241 - -Decrypt CBC !EtM, AES MD5 !trunc, padlen=15 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:15 - -Decrypt CBC !EtM, AES MD5 !trunc, padlen=255 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:255 - -Decrypt CBC !EtM, AES SHA1 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:-1 - -Decrypt CBC !EtM, AES SHA1 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:-2 - -Decrypt CBC !EtM, AES SHA1 !trunc, padlen=0 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0 - -Decrypt CBC !EtM, AES SHA1 !trunc, padlen=240 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:240 - -Decrypt CBC !EtM, AES SHA1 !trunc, padlen=1 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:1 - -Decrypt CBC !EtM, AES SHA1 !trunc, padlen=241 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:241 - -Decrypt CBC !EtM, AES SHA1 !trunc, padlen=15 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:15 - -Decrypt CBC !EtM, AES SHA1 !trunc, padlen=255 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:255 - -Decrypt CBC !EtM, AES SHA256 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:-1 - -Decrypt CBC !EtM, AES SHA256 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:-2 - -Decrypt CBC !EtM, AES SHA256 !trunc, padlen=0 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0 - -Decrypt CBC !EtM, AES SHA256 !trunc, padlen=240 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:240 - -Decrypt CBC !EtM, AES SHA256 !trunc, padlen=1 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:1 - -Decrypt CBC !EtM, AES SHA256 !trunc, padlen=241 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:241 - -Decrypt CBC !EtM, AES SHA256 !trunc, padlen=15 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:15 - -Decrypt CBC !EtM, AES SHA256 !trunc, padlen=255 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:255 - -Decrypt CBC !EtM, AES SHA384 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:-1 - -Decrypt CBC !EtM, AES SHA384 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:-2 - -Decrypt CBC !EtM, AES SHA384 !trunc, padlen=0 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0 - -Decrypt CBC !EtM, AES SHA384 !trunc, padlen=240 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:240 - -Decrypt CBC !EtM, AES SHA384 !trunc, padlen=1 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:1 - -Decrypt CBC !EtM, AES SHA384 !trunc, padlen=241 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:241 - -Decrypt CBC !EtM, AES SHA384 !trunc, padlen=15 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:15 - -Decrypt CBC !EtM, AES SHA384 !trunc, padlen=255 -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:255 - -Decrypt CBC !EtM, ARIA MD5 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:-1 - -Decrypt CBC !EtM, ARIA MD5 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:-2 - -Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=0 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0 - -Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=240 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:240 - -Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=1 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:1 - -Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=241 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:241 - -Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=15 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:15 - -Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=255 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:255 - -Decrypt CBC !EtM, ARIA SHA1 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:-1 - -Decrypt CBC !EtM, ARIA SHA1 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:-2 - -Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=0 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0 - -Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=240 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:240 - -Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=1 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:1 - -Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=241 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:241 - -Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=15 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:15 - -Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=255 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:255 - -Decrypt CBC !EtM, ARIA SHA256 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:-1 - -Decrypt CBC !EtM, ARIA SHA256 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:-2 - -Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=0 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0 - -Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=240 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:240 - -Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=1 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:1 - -Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=241 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:241 - -Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=15 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:15 - -Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=255 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:255 - -Decrypt CBC !EtM, ARIA SHA384 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:-1 - -Decrypt CBC !EtM, ARIA SHA384 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:-2 - -Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=0 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0 - -Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=240 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:240 - -Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=1 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:1 - -Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=241 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:241 - -Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=15 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:15 - -Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=255 -depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:255 - -Decrypt CBC !EtM, CAMELLIA MD5 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:-1 - -Decrypt CBC !EtM, CAMELLIA MD5 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:-2 - -Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=0 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0 - -Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=240 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:240 - -Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=1 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:1 - -Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=241 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:241 - -Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=15 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:15 - -Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=255 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:255 - -Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:-1 - -Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:-2 - -Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=0 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0 - -Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=240 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:240 - -Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=1 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:1 - -Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=241 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:241 - -Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=15 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:15 - -Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=255 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:255 - -Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:-1 - -Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:-2 - -Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=0 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0 - -Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=240 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:240 - -Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=1 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:1 - -Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=241 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:241 - -Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=15 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:15 - -Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=255 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:255 - -Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, empty plaintext, minpad -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:-1 - -Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, empty plaintext, maxpad -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:-2 - -Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=0 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0 - -Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=240 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:240 - -Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=1 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:1 - -Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=241 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:241 - -Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=15 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:15 - -Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=255 -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 -ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:255 - SSL TLS 1.3 Key schedule: Secret evolution #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Initial secret to Early Secret diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 915d104350..335f734374 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1464,235 +1464,6 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2 */ -void ssl_decrypt_non_etm_cbc(int cipher_type, int hash_id, int trunc_hmac, - int length_selector) -{ - /* - * Test record decryption for CBC without EtM, focused on the verification - * of padding and MAC. - * - * Actually depends on TLS 1.2 and either AES, ARIA or Camellia, but since - * the test framework doesn't support alternation in dependency statements, - * just depend on AES. - * - * The length_selector argument is interpreted as follows: - * - if it's -1, the plaintext length is 0 and minimal padding is applied - * - if it's -2, the plaintext length is 0 and maximal padding is applied - * - otherwise it must be in [0, 255] and is padding_length from RFC 5246: - * it's the length of the rest of the padding, that is, excluding the - * byte that encodes the length. The minimal non-zero plaintext length - * that gives this padding_length is automatically selected. - */ - mbedtls_ssl_context ssl; /* ONLY for debugging */ - mbedtls_ssl_transform t0, t1; - mbedtls_record rec, rec_save; - unsigned char *buf = NULL, *buf_save = NULL; - size_t buflen, olen = 0; - size_t plaintext_len, block_size, i; - unsigned char padlen; /* excluding the padding_length byte */ - unsigned char add_data[13]; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; - size_t sign_mac_length = 0; - unsigned char mac[PSA_HASH_MAX_SIZE]; -#else - unsigned char mac[MBEDTLS_MD_MAX_SIZE]; -#endif - int exp_ret; - int ret; - const unsigned char pad_max_len = 255; /* Per the standard */ - - mbedtls_ssl_init(&ssl); - mbedtls_ssl_transform_init(&t0); - mbedtls_ssl_transform_init(&t1); - MD_OR_USE_PSA_INIT(); - - /* Set up transforms with dummy keys */ - ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id, - 0, trunc_hmac, - MBEDTLS_SSL_VERSION_TLS1_2, - 0, 0); - - TEST_ASSERT(ret == 0); - - /* Determine padding/plaintext length */ - TEST_ASSERT(length_selector >= -2 && length_selector <= 255); - block_size = t0.ivlen; - if (length_selector < 0) { - plaintext_len = 0; - - /* Minimal padding - * The +1 is for the padding_length byte, not counted in padlen. */ - padlen = block_size - (t0.maclen + 1) % block_size; - - /* Maximal padding? */ - if (length_selector == -2) { - padlen += block_size * ((pad_max_len - padlen) / block_size); - } - } else { - padlen = length_selector; - - /* Minimal non-zero plaintext_length giving desired padding. - * The +1 is for the padding_length byte, not counted in padlen. */ - plaintext_len = block_size - (padlen + t0.maclen + 1) % block_size; - } - - /* Prepare a buffer for record data */ - buflen = block_size - + plaintext_len - + t0.maclen - + padlen + 1; - TEST_CALLOC(buf, buflen); - TEST_CALLOC(buf_save, buflen); - - /* Prepare a dummy record header */ - memset(rec.ctr, 0, sizeof(rec.ctr)); - rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA; - mbedtls_ssl_write_version(rec.ver, MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_VERSION_TLS1_2); -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - rec.cid_len = 0; -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - - /* Prepare dummy record content */ - rec.buf = buf; - rec.buf_len = buflen; - rec.data_offset = block_size; - rec.data_len = plaintext_len; - memset(rec.buf + rec.data_offset, 42, rec.data_len); - - /* Serialized version of record header for MAC purposes */ - memcpy(add_data, rec.ctr, 8); - add_data[8] = rec.type; - add_data[9] = rec.ver[0]; - add_data[10] = rec.ver[1]; - add_data[11] = (rec.data_len >> 8) & 0xff; - add_data[12] = (rec.data_len >> 0) & 0xff; - - /* Set dummy IV */ - memset(t0.iv_enc, 0x55, t0.ivlen); - memcpy(rec.buf, t0.iv_enc, t0.ivlen); - - /* - * Prepare a pre-encryption record (with MAC and padding), and save it. - */ - - /* MAC with additional data */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) - TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_setup(&operation, - t0.psa_mac_enc, - t0.psa_mac_alg)); - TEST_EQUAL(PSA_SUCCESS, psa_mac_update(&operation, add_data, 13)); - TEST_EQUAL(PSA_SUCCESS, psa_mac_update(&operation, - rec.buf + rec.data_offset, - rec.data_len)); - TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_finish(&operation, - mac, sizeof(mac), - &sign_mac_length)); -#else - TEST_EQUAL(0, mbedtls_md_hmac_update(&t0.md_ctx_enc, add_data, 13)); - TEST_EQUAL(0, mbedtls_md_hmac_update(&t0.md_ctx_enc, - rec.buf + rec.data_offset, - rec.data_len)); - TEST_EQUAL(0, mbedtls_md_hmac_finish(&t0.md_ctx_enc, mac)); -#endif - - memcpy(rec.buf + rec.data_offset + rec.data_len, mac, t0.maclen); - rec.data_len += t0.maclen; - - /* Pad */ - memset(rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1); - rec.data_len += padlen + 1; - - /* Save correct pre-encryption record */ - rec_save = rec; - rec_save.buf = buf_save; - memcpy(buf_save, buf, buflen); - - /* - * Encrypt and decrypt the correct record, expecting success - */ - TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper( - &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset, - rec.data_len, rec.buf + rec.data_offset, &olen)); - rec.data_offset -= t0.ivlen; - rec.data_len += t0.ivlen; - - TEST_EQUAL(0, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec)); - - /* - * Modify each byte of the pre-encryption record before encrypting and - * decrypting it, expecting failure every time. - */ - for (i = block_size; i < buflen; i++) { - mbedtls_test_set_step(i); - - /* Restore correct pre-encryption record */ - rec = rec_save; - rec.buf = buf; - memcpy(buf, buf_save, buflen); - - /* Corrupt one byte of the data (could be plaintext, MAC or padding) */ - rec.buf[i] ^= 0x01; - - /* Encrypt */ - TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper( - &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset, - rec.data_len, rec.buf + rec.data_offset, &olen)); - rec.data_offset -= t0.ivlen; - rec.data_len += t0.ivlen; - - /* Decrypt and expect failure */ - TEST_EQUAL(MBEDTLS_ERR_SSL_INVALID_MAC, - mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec)); - } - - /* - * Use larger values of the padding bytes - with small buffers, this tests - * the case where the announced padlen would be larger than the buffer - * (and before that, than the buffer minus the size of the MAC), to make - * sure our padding checking code does not perform any out-of-bounds reads - * in this case. (With larger buffers, ie when the plaintext is long or - * maximal length padding is used, this is less relevant but still doesn't - * hurt to test.) - * - * (Start the loop with correct padding, just to double-check that record - * saving did work, and that we're overwriting the correct bytes.) - */ - for (i = padlen; i <= pad_max_len; i++) { - mbedtls_test_set_step(i); - - /* Restore correct pre-encryption record */ - rec = rec_save; - rec.buf = buf; - memcpy(buf, buf_save, buflen); - - /* Set padding bytes to new value */ - memset(buf + buflen - padlen - 1, i, padlen + 1); - - /* Encrypt */ - TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper( - &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset, - rec.data_len, rec.buf + rec.data_offset, &olen)); - rec.data_offset -= t0.ivlen; - rec.data_len += t0.ivlen; - - /* Decrypt and expect failure except the first time */ - exp_ret = (i == padlen) ? 0 : MBEDTLS_ERR_SSL_INVALID_MAC; - TEST_EQUAL(exp_ret, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec)); - } - -exit: - mbedtls_ssl_free(&ssl); - mbedtls_ssl_transform_free(&t0); - mbedtls_ssl_transform_free(&t1); - mbedtls_free(buf); - mbedtls_free(buf_save); - MD_OR_USE_PSA_DONE(); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ void ssl_tls13_hkdf_expand_label(int hash_alg, data_t *secret, diff --git a/tests/suites/test_suite_ssl_decrypt.function b/tests/suites/test_suite_ssl_decrypt.function new file mode 100644 index 0000000000..ad94a58394 --- /dev/null +++ b/tests/suites/test_suite_ssl_decrypt.function @@ -0,0 +1,312 @@ +/* BEGIN_HEADER */ +/* Testing of mbedtls_ssl_decrypt_buf() specifically, focusing on negative + * testing (using malformed inputs). */ + +#include +#include +#include + +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_SSL_TLS_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CIPHER_NULL_CIPHER */ +void ssl_decrypt_null(int hash_id) +{ + mbedtls_ssl_transform transform_in, transform_out; + mbedtls_ssl_transform_init(&transform_in); + mbedtls_ssl_transform_init(&transform_out); + const mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_TLS1_2; + const mbedtls_cipher_type_t cipher_type = MBEDTLS_CIPHER_NULL; + mbedtls_record rec_good = { + .ctr = { 0 }, + .type = MBEDTLS_SSL_MSG_APPLICATION_DATA, + .ver = { 0, 0 }, /* Will be set by a function call below */ + .buf = NULL, + .buf_len = 0, + .data_offset = 0, + .data_len = 0, +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + .cid_len = 0, + .cid = { 0 }, +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ + }; + mbedtls_ssl_write_version(rec_good.ver, + MBEDTLS_SSL_TRANSPORT_STREAM, + version); + const char sample_plaintext[3] = "ABC"; + mbedtls_ssl_context ssl; + mbedtls_ssl_init(&ssl); + uint8_t *buf = NULL; + + MD_OR_USE_PSA_INIT(); + + TEST_EQUAL(mbedtls_test_ssl_build_transforms(&transform_in, &transform_out, + cipher_type, hash_id, 0, 0, + version, + 0, 0), 0); + + const size_t plaintext_length = sizeof(sample_plaintext); + rec_good.buf_len = plaintext_length + transform_in.maclen; + rec_good.data_len = plaintext_length; + TEST_CALLOC(rec_good.buf, rec_good.buf_len); + memcpy(rec_good.buf, sample_plaintext, plaintext_length); + TEST_EQUAL(mbedtls_test_ssl_prepare_record_mac(&rec_good, + &transform_out), 0); + + /* Good case */ + mbedtls_record rec = rec_good; + TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), 0); + + /* Change any one byte of the plaintext or MAC. The MAC will be wrong. */ + TEST_CALLOC(buf, rec.buf_len); + for (size_t i = 0; i < rec.buf_len; i++) { + mbedtls_test_set_step(i); + rec = rec_good; + rec.buf = buf; + memcpy(buf, rec_good.buf, rec.buf_len); + buf[i] ^= 1; + TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), + MBEDTLS_ERR_SSL_INVALID_MAC); + } + mbedtls_free(buf); + buf = NULL; + + /* Shorter input buffer. Either the MAC will be wrong, or there isn't + * enough room for a MAC. */ + for (size_t n = 1; n < rec.buf_len; n++) { + mbedtls_test_set_step(n); + rec = rec_good; + TEST_CALLOC(buf, n); + rec.buf = buf; + rec.buf_len = n; + rec.data_len = n; + memcpy(buf, rec_good.buf, n); + TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), + MBEDTLS_ERR_SSL_INVALID_MAC); + mbedtls_free(buf); + buf = NULL; + } + + /* For robustness, check a 0-length buffer (non-null, then null). + * This should not reach mbedtls_ssl_decrypt_buf() as used in the library, + * so the exact error doesn't matter, but we don't want a crash. */ + { + const uint8_t buf1[1] = { 'a' }; + rec = rec_good; + /* We won't write to buf1[0] since it's out of range, so we can cast + * the const away. */ + rec.buf = (uint8_t *) buf1; + rec.buf_len = 0; + TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), + MBEDTLS_ERR_SSL_INTERNAL_ERROR); + } + rec = rec_good; + rec.buf = NULL; + rec.buf_len = 0; + TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), + MBEDTLS_ERR_SSL_INTERNAL_ERROR); + +exit: + mbedtls_ssl_transform_free(&transform_in); + mbedtls_ssl_transform_free(&transform_out); + mbedtls_free(rec_good.buf); + mbedtls_ssl_free(&ssl); + mbedtls_free(buf); + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2 */ +void ssl_decrypt_non_etm_cbc(int cipher_type, int hash_id, int trunc_hmac, + int length_selector) +{ + /* + * Test record decryption for CBC without EtM, focused on the verification + * of padding and MAC. + * + * Actually depends on TLS 1.2 and either AES, ARIA or Camellia, but since + * the test framework doesn't support alternation in dependency statements, + * just depend on AES. + * + * The length_selector argument is interpreted as follows: + * - if it's -1, the plaintext length is 0 and minimal padding is applied + * - if it's -2, the plaintext length is 0 and maximal padding is applied + * - otherwise it must be in [0, 255] and is padding_length from RFC 5246: + * it's the length of the rest of the padding, that is, excluding the + * byte that encodes the length. The minimal non-zero plaintext length + * that gives this padding_length is automatically selected. + */ + mbedtls_ssl_context ssl; /* ONLY for debugging */ + mbedtls_ssl_transform t0, t1; + mbedtls_record rec, rec_save; + unsigned char *buf = NULL, *buf_save = NULL; + size_t buflen, olen = 0; + size_t plaintext_len, block_size, i; + unsigned char padlen; /* excluding the padding_length byte */ + int exp_ret; + int ret; + const unsigned char pad_max_len = 255; /* Per the standard */ + + mbedtls_ssl_init(&ssl); + mbedtls_ssl_transform_init(&t0); + mbedtls_ssl_transform_init(&t1); + MD_OR_USE_PSA_INIT(); + + /* Set up transforms with dummy keys */ + ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id, + 0, trunc_hmac, + MBEDTLS_SSL_VERSION_TLS1_2, + 0, 0); + + TEST_ASSERT(ret == 0); + + /* Determine padding/plaintext length */ + TEST_ASSERT(length_selector >= -2 && length_selector <= 255); + block_size = t0.ivlen; + if (length_selector < 0) { + plaintext_len = 0; + + /* Minimal padding + * The +1 is for the padding_length byte, not counted in padlen. */ + padlen = block_size - (t0.maclen + 1) % block_size; + + /* Maximal padding? */ + if (length_selector == -2) { + padlen += block_size * ((pad_max_len - padlen) / block_size); + } + } else { + padlen = length_selector; + + /* Minimal non-zero plaintext_length giving desired padding. + * The +1 is for the padding_length byte, not counted in padlen. */ + plaintext_len = block_size - (padlen + t0.maclen + 1) % block_size; + } + + /* Prepare a buffer for record data */ + buflen = block_size + + plaintext_len + + t0.maclen + + padlen + 1; + TEST_CALLOC(buf, buflen); + TEST_CALLOC(buf_save, buflen); + + /* Prepare a dummy record header */ + memset(rec.ctr, 0, sizeof(rec.ctr)); + rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA; + mbedtls_ssl_write_version(rec.ver, MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_VERSION_TLS1_2); +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + rec.cid_len = 0; +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ + + /* Prepare dummy record content */ + rec.buf = buf; + rec.buf_len = buflen; + rec.data_offset = block_size; + rec.data_len = plaintext_len; + memset(rec.buf + rec.data_offset, 42, rec.data_len); + + /* Set dummy IV */ + memset(t0.iv_enc, 0x55, t0.ivlen); + memcpy(rec.buf, t0.iv_enc, t0.ivlen); + + /* + * Prepare a pre-encryption record (with MAC and padding), and save it. + */ + TEST_EQUAL(0, mbedtls_test_ssl_prepare_record_mac(&rec, &t0)); + + /* Pad */ + memset(rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1); + rec.data_len += padlen + 1; + + /* Save correct pre-encryption record */ + rec_save = rec; + rec_save.buf = buf_save; + memcpy(buf_save, buf, buflen); + + /* + * Encrypt and decrypt the correct record, expecting success + */ + TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper( + &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset, + rec.data_len, rec.buf + rec.data_offset, &olen)); + rec.data_offset -= t0.ivlen; + rec.data_len += t0.ivlen; + + TEST_EQUAL(0, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec)); + + /* + * Modify each byte of the pre-encryption record before encrypting and + * decrypting it, expecting failure every time. + */ + for (i = block_size; i < buflen; i++) { + mbedtls_test_set_step(i); + + /* Restore correct pre-encryption record */ + rec = rec_save; + rec.buf = buf; + memcpy(buf, buf_save, buflen); + + /* Corrupt one byte of the data (could be plaintext, MAC or padding) */ + rec.buf[i] ^= 0x01; + + /* Encrypt */ + TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper( + &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset, + rec.data_len, rec.buf + rec.data_offset, &olen)); + rec.data_offset -= t0.ivlen; + rec.data_len += t0.ivlen; + + /* Decrypt and expect failure */ + TEST_EQUAL(MBEDTLS_ERR_SSL_INVALID_MAC, + mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec)); + } + + /* + * Use larger values of the padding bytes - with small buffers, this tests + * the case where the announced padlen would be larger than the buffer + * (and before that, than the buffer minus the size of the MAC), to make + * sure our padding checking code does not perform any out-of-bounds reads + * in this case. (With larger buffers, ie when the plaintext is long or + * maximal length padding is used, this is less relevant but still doesn't + * hurt to test.) + * + * (Start the loop with correct padding, just to double-check that record + * saving did work, and that we're overwriting the correct bytes.) + */ + for (i = padlen; i <= pad_max_len; i++) { + mbedtls_test_set_step(i); + + /* Restore correct pre-encryption record */ + rec = rec_save; + rec.buf = buf; + memcpy(buf, buf_save, buflen); + + /* Set padding bytes to new value */ + memset(buf + buflen - padlen - 1, i, padlen + 1); + + /* Encrypt */ + TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper( + &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset, + rec.data_len, rec.buf + rec.data_offset, &olen)); + rec.data_offset -= t0.ivlen; + rec.data_len += t0.ivlen; + + /* Decrypt and expect failure except the first time */ + exp_ret = (i == padlen) ? 0 : MBEDTLS_ERR_SSL_INVALID_MAC; + TEST_EQUAL(exp_ret, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec)); + } + +exit: + mbedtls_ssl_free(&ssl); + mbedtls_ssl_transform_free(&t0); + mbedtls_ssl_transform_free(&t1); + mbedtls_free(buf); + mbedtls_free(buf_save); + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ diff --git a/tests/suites/test_suite_ssl_decrypt.misc.data b/tests/suites/test_suite_ssl_decrypt.misc.data new file mode 100644 index 0000000000..f663b262d1 --- /dev/null +++ b/tests/suites/test_suite_ssl_decrypt.misc.data @@ -0,0 +1,399 @@ +Decrypt null cipher, MD5 +depends_on:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_null:MBEDTLS_MD_MD5 + +Decrypt null cipher, SHA-1 +depends_on:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_null:MBEDTLS_MD_SHA1 + +Decrypt null cipher, SHA-256 +depends_on:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_null:MBEDTLS_MD_SHA256 + +Decrypt null cipher, SHA-384 +depends_on:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_null:MBEDTLS_MD_SHA384 + +Decrypt CBC !EtM, AES MD5 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:-1 + +Decrypt CBC !EtM, AES MD5 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:-2 + +Decrypt CBC !EtM, AES MD5 !trunc, padlen=0 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0 + +Decrypt CBC !EtM, AES MD5 !trunc, padlen=240 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:240 + +Decrypt CBC !EtM, AES MD5 !trunc, padlen=1 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:1 + +Decrypt CBC !EtM, AES MD5 !trunc, padlen=241 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:241 + +Decrypt CBC !EtM, AES MD5 !trunc, padlen=15 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:15 + +Decrypt CBC !EtM, AES MD5 !trunc, padlen=255 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:255 + +Decrypt CBC !EtM, AES SHA1 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:-1 + +Decrypt CBC !EtM, AES SHA1 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:-2 + +Decrypt CBC !EtM, AES SHA1 !trunc, padlen=0 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0 + +Decrypt CBC !EtM, AES SHA1 !trunc, padlen=240 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:240 + +Decrypt CBC !EtM, AES SHA1 !trunc, padlen=1 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:1 + +Decrypt CBC !EtM, AES SHA1 !trunc, padlen=241 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:241 + +Decrypt CBC !EtM, AES SHA1 !trunc, padlen=15 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:15 + +Decrypt CBC !EtM, AES SHA1 !trunc, padlen=255 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:255 + +Decrypt CBC !EtM, AES SHA256 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:-1 + +Decrypt CBC !EtM, AES SHA256 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:-2 + +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=0 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0 + +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=240 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:240 + +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=1 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:1 + +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=241 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:241 + +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=15 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:15 + +Decrypt CBC !EtM, AES SHA256 !trunc, padlen=255 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:255 + +Decrypt CBC !EtM, AES SHA384 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:-1 + +Decrypt CBC !EtM, AES SHA384 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:-2 + +Decrypt CBC !EtM, AES SHA384 !trunc, padlen=0 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0 + +Decrypt CBC !EtM, AES SHA384 !trunc, padlen=240 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:240 + +Decrypt CBC !EtM, AES SHA384 !trunc, padlen=1 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:1 + +Decrypt CBC !EtM, AES SHA384 !trunc, padlen=241 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:241 + +Decrypt CBC !EtM, AES SHA384 !trunc, padlen=15 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:15 + +Decrypt CBC !EtM, AES SHA384 !trunc, padlen=255 +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:255 + +Decrypt CBC !EtM, ARIA MD5 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:-1 + +Decrypt CBC !EtM, ARIA MD5 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:-2 + +Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=0 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0 + +Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=240 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:240 + +Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:1 + +Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=241 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:241 + +Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=15 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:15 + +Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=255 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:255 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:-1 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:-2 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=0 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=240 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:240 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:1 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=241 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:241 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=15 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:15 + +Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=255 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:255 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:-1 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:-2 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=0 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=240 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:240 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:1 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=241 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:241 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=15 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:15 + +Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=255 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:255 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:-1 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:-2 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=0 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=240 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:240 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:1 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=241 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:241 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=15 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:15 + +Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=255 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:255 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:-1 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:-2 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=0 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=240 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:240 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:1 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=241 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:241 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=15 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:15 + +Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=255 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:255 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:-1 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:-2 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=0 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=240 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:240 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:1 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=241 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:241 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=15 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:15 + +Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=255 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:255 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:-1 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:-2 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=0 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=240 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:240 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:1 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=241 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:241 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=15 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:15 + +Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=255 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:255 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, empty plaintext, minpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:-1 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, empty plaintext, maxpad +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:-2 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=0 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=240 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:240 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:1 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=241 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:241 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=15 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:15 + +Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=255 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384 +ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:255