
configure.ac: add --enable-aescbc-length-checks and add it to --enable-all; api.c: fix expected error code in WOLFSSL_AES_CBC_LENGTH_CHECKS path of test_wc_AesCbcEncryptDecrypt(); aes.c: add explanatory comment on WOLFSSL_AES_CBC_LENGTH_CHECKS to top of file.

Daniel Pouzzner 3 years ago
commit
5f6b618e71
2 changed files with 21 additions and 2 deletions
  1. 14 0
      configure.ac
  2. 7 2
      tests/api.c

+ 14 - 0
configure.ac

@@ -353,6 +353,7 @@ then
     test "$enable_aesctr" = "" && enable_aesctr=yes
     test "$enable_aesofb" = "" && enable_aesofb=yes
     test "$enable_aescfb" = "" && enable_aescfb=yes
+    test "$enable_aescbc_length_checks" = "" && enable_aescbc_length_checks=yes
     test "$enable_camellia" = "" && enable_camellia=yes
     test "$enable_ripemd" = "" && enable_ripemd=yes
     test "$enable_sha512" = "" && enable_sha512=yes
@@ -1288,6 +1289,18 @@ then
     AM_CFLAGS="$AM_CFLAGS -DNO_AES_CBC"
 fi
 
+# AES-CBC length checks (checks that input lengths are multiples of block size)
+AC_ARG_ENABLE([aescbc_length_checks],
+    [AS_HELP_STRING([--enable-aescbc-length-checks],[Enable AES-CBC length validity checks (default: disabled)])],
+    [ ENABLED_AESCBC_LENGTH_CHECKS=$enableval ],
+    [ ENABLED_AESCBC_LENGTH_CHECKS=no ]
+    )
+
+if test "$ENABLED_AESCBC_LENGTH_CHECKS" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CBC_LENGTH_CHECKS"
+fi
+
 # leanpsk and leantls don't need gcm
 
 # AES-GCM
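Review bot: The `AS_HELP_STRING` text says only "length validity checks" and the option defaults to `no`, so `./configure --help` does not tell a packager which inputs a default build will accept. The comment above the macro already states the rule; I would carry it into the help text, for example `[Enable AES-CBC length checks: reject input whose length is not a multiple of the AES block size (default: disabled)]`. It would also help to document what the CBC calls do with such a length when the macro is not defined, since that behaviour is not visible anywhere in this change. Separately, the `-DWOLFSSL_AES_CBC_LENGTH_CHECKS` block is not conditioned on `ENABLED_AESCBC`, so the summary can report the checks as enabled in a build that defines `NO_AES_CBC`.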
@@ -6505,6 +6518,7 @@ echo "   * ARC4:                       $ENABLED_ARC4"
 echo "   * AES:                        $ENABLED_AES"
 echo "   * AES-NI:                     $ENABLED_AESNI"
 echo "   * AES-CBC:                    $ENABLED_AESCBC"
+echo "   * AES-CBC length checks:      $ENABLED_AESCBC_LENGTH_CHECKS"
 echo "   * AES-GCM:                    $ENABLED_AESGCM"
 echo "   * AES-CCM:                    $ENABLED_AESCCM"
 echo "   * AES-CTR:                    $ENABLED_AESCTR"

+ 7 - 2
tests/api.c

@@ -19,6 +19,11 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+/* For AES-CBC, input lengths can optionally be validated to be a
+ * multiple of the block size, by defining WOLFSSL_AES_CBC_LENGTH_CHECKS,
+ * also available via the configure option --enable-aescbc-length-checks.
+ */
+
 
 /*----------------------------------------------------------------------------*
  | Includes
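Review bot: This comment documents a library build option, but as shown here it lands at the top of tests/api.c, while the commit description says it was added to aes.c and the file list contains no aes.c entry. If that is not a rendering artefact, the note should sit in the AES implementation file, where someone auditing the CBC length handling would look for it. The comment would also be more useful if it stated what happens to a length that is not a block multiple when the macro is left undefined. The added trailing blank line leaves two consecutive blank lines before the Includes banner.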
@@ -13155,7 +13160,7 @@ static int test_wc_AesCbcEncryptDecrypt (void)
         if (cbcE == 0) {
             cbcE = wc_AesCbcEncrypt(&aes, enc, vector, sizeof(vector) - 1);
         }
-        if (cbcE == BAD_ALIGN_E) {
+        if (cbcE == BAD_LENGTH_E) {
             cbcE = 0;
         } else {
             cbcE = WOLFSSL_FATAL_ERROR;
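Review bot: The negative encrypt case relies on `sizeof(vector) - 1` not being a multiple of the block size, which cannot be confirmed from this hunk because `vector` is declared outside it. The decrypt case in the next hunk passes `AES_BLOCK_SIZE * 2 - 1`, which is misaligned by construction. Using the same expression here, `cbcE = wc_AesCbcEncrypt(&aes, enc, vector, AES_BLOCK_SIZE * 2 - 1);`, would keep the test meaningful if `vector` is ever resized, assuming both buffers are at least that long. Both changed comparisons only pin `BAD_LENGTH_E` for builds with `WOLFSSL_AES_CBC_LENGTH_CHECKS`. The guard for this branch and any assertion for the default build are outside the visible lines, so it is worth confirming that the unchecked behaviour is tested too.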
@@ -13190,7 +13195,7 @@ static int test_wc_AesCbcEncryptDecrypt (void)
             cbcD = wc_AesCbcDecrypt(&aes, dec, enc, AES_BLOCK_SIZE * 2 - 1);
         }
 #ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS
-        if (cbcD == BAD_ALIGN_E) {
+        if (cbcD == BAD_LENGTH_E) {
             cbcD = 0;
         } else {
             cbcD = WOLFSSL_FATAL_ERROR;