
ECB MODE doesn't need IV #1091

Closed
ezdevelop opened this Issue Sep 14, 2017 · 2 comments


ezdevelop commented Sep 14, 2017

Bug

Here are the comments in the header file

```c
 * \note           Some ciphers don't use IVs nor NONCE. For these
 *                 ciphers, use iv = NULL and iv_len = 0.
 *
 * \returns        0 on success, or
 *                 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or
 *                 MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption
 *                 expected a full block but was not provided one, or
 *                 MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
 *                 while decrypting, or
 *                 a cipher specific error code.
 */
int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
                  const unsigned char *iv, size_t iv_len,
                  const unsigned char *input, size_t ilen,
                  unsigned char *output, size_t *olen );
```

But the all-in-one function 'mbedtls_cipher_crypt' still checks for IV data.

mbedtls/library/cipher.c

Lines 812 to 835 in 72ea31b

```c
int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
                  const unsigned char *iv, size_t iv_len,
                  const unsigned char *input, size_t ilen,
                  unsigned char *output, size_t *olen )
{
    int ret;
    size_t finish_olen;

    if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
        return( ret );

    if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
        return( ret );

    if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
        return( ret );

    if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
        return( ret );

    *olen += finish_olen;

    return( 0 );
}
```

mbedtls/library/cipher.c

Lines 214 to 221 in 72ea31b

```c
int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
                   const unsigned char *iv, size_t iv_len )
{
    size_t actual_iv_size;

    if( NULL == ctx || NULL == ctx->cipher_info || NULL == iv )
        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
```


Contributor

RonEld commented Sep 14, 2017

Hi @ezdevelop
Thank you for reporting this issue!
I believe you are correct in your analysis

@ciarmcom ciarmcom added the mirrored label Sep 14, 2017


Member

ciarmcom commented Sep 14, 2017

ARM Internal Ref: IOTSSL-1753

RonEld added a commit to RonEld/mbedtls that referenced this issue Sep 25, 2017

Add tests for mbedtls_cipher_crypt API
1. Add tests for 'mbedtls_cipher_crypt()' API
2. Resolves ARMmbed#1091, by ignoring IV when the cipher mode is MBEDTLS_MODE_ECB

@RonEld RonEld referenced this issue Sep 25, 2017

Merged

Add tests for mbedtls_cipher_crypt API #1099

2 of 4 tasks complete

RonEld added a commit to RonEld/mbedtls that referenced this issue Jun 21, 2018

Add tests for mbedtls_cipher_crypt API
1. Add tests for 'mbedtls_cipher_crypt()' API
2. Resolves ARMmbed#1091, by ignoring IV when the cipher mode is MBEDTLS_MODE_ECB


sbutcher-arm added a commit to RonEld/mbedtls that referenced this issue Jul 23, 2018

Add tests for mbedtls_cipher_crypt API
1. Add tests for 'mbedtls_cipher_crypt()' API
2. Resolves ARMmbed#1091, by ignoring IV when the cipher mode is MBEDTLS_MODE_ECB
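
An added sketch (not Mbed TLS code and not posted by anyone in this thread) of the mismatch reported above and of the ECB-only exemption named in the referencing commit message. Every `demo_`/`DEMO_` name, the copy-only processing step and the IV length check are assumptions made so that it compiles without the library.

```c
#include <stddef.h>
/* Constructed model: every demo_/DEMO_ name is hypothetical, not Mbed TLS API. */
#define DEMO_ERR_BAD_INPUT_DATA (-1) /* stands in for MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA */
typedef enum { DEMO_MODE_ECB, DEMO_MODE_CBC } demo_mode_t;
typedef struct { demo_mode_t mode; size_t iv_size; const unsigned char *iv; } demo_ctx_t;

/* Mirrors the guard in the set_iv excerpt: a NULL iv is rejected for every mode. */
static int demo_set_iv(demo_ctx_t *ctx, const unsigned char *iv, size_t iv_len)
{
    if (ctx == NULL || iv == NULL)
        return DEMO_ERR_BAD_INPUT_DATA;
    if (iv_len < ctx->iv_size) /* assumed length check, not shown in the excerpt */
        return DEMO_ERR_BAD_INPUT_DATA;
    ctx->iv = iv;
    return 0;
}

/* Stand-in for reset/update/finish: copies the input, performs no encryption. */
static int demo_process(const unsigned char *in, size_t ilen, unsigned char *out, size_t *olen)
{
    for (size_t i = 0; i < ilen; i++)
        out[i] = in[i];
    *olen = ilen;
    return 0;
}

/* Reported behaviour: the IV is validated before the mode is considered. */
int demo_crypt_reported(demo_ctx_t *ctx, const unsigned char *iv, size_t iv_len,
                        const unsigned char *in, size_t ilen,
                        unsigned char *out, size_t *olen)
{
    int ret;
    if ((ret = demo_set_iv(ctx, iv, iv_len)) != 0)
        return ret;
    return demo_process(in, ilen, out, olen);
}

/* Behaviour named in the referencing commit: the IV is ignored for ECB only. */
int demo_crypt_ecb_ignores_iv(demo_ctx_t *ctx, const unsigned char *iv, size_t iv_len,
                              const unsigned char *in, size_t ilen,
                              unsigned char *out, size_t *olen)
{
    int ret;
    if (ctx == NULL)
        return DEMO_ERR_BAD_INPUT_DATA;
    if (ctx->mode != DEMO_MODE_ECB && (ret = demo_set_iv(ctx, iv, iv_len)) != 0)
        return ret;
    return demo_process(in, ilen, out, olen);
}
```

The exemption is keyed on the mode, so a NULL IV is still rejected for a mode that needs one.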