diff --git a/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt b/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt new file mode 100644 index 000000000000..39e03b93ba22 --- /dev/null +++ b/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes + long. Credit to Cryptofuzz. Fixes #9314. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 02554d1d4b6f..8100afc471fd 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4631,11 +4631,7 @@ psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, goto exit; } - if (alg == PSA_ALG_CCM_STAR_NO_TAG && - input_length < PSA_BLOCK_CIPHER_BLOCK_LENGTH(slot->attr.type)) { - status = PSA_ERROR_INVALID_ARGUMENT; - goto exit; - } else if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) { + if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) { status = PSA_ERROR_INVALID_ARGUMENT; goto exit; } diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 4f29a7aaed6b..32c727444452 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -2412,9 +2412,9 @@ PSA symmetric decrypt: AES-CBC-nopad, input too short (5 bytes) depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_decrypt_fail:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee223":PSA_ERROR_INVALID_ARGUMENT -PSA symmetric decrypt: CCM*-no-tag, input too short (15 bytes) +PSA symmetric decrypt: CCM*-no-tag, input too short (12 bytes) depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES -cipher_decrypt_fail:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"19ebfde2d5468ba0a3031bde629b11fd":"5a8aa485c316e9":"2a2a2a2a2a2a2a2a":PSA_ERROR_INVALID_ARGUMENT +cipher_decrypt_fail:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"19ebfde2d5468ba0a3031bde629b11fd":"0102030405060708090a0b0c":"":PSA_ERROR_INVALID_ARGUMENT PSA symmetric decrypt: AES-ECB, 0 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT @@ -2464,10 +2464,26 @@ PSA symmetric decrypt: 3-key 3DES-ECB, 8 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_DES cipher_decrypt:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_DES:"01020407080b0d0ec1c2c4c7c8cbcdce31323437383b3d3e":"":"817ca7d69b80d86a":"c78e2b38139610e3" -PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15 +PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 24 bytes depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697" +PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 23 bytes +depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES +cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad6" + +PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 3 bytes +depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES +cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e":"a16a2e" + +PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 2 bytes +depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES +cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe":"a16a" + +PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 0 bytes +depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES +cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"":"" + PSA symmetric decrypt: ChaCha20, RFC7539 keystream depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20 # Keystream from RFC 7539 ยง2.4.2, with an extra 64-byte output block prepended