commit daea26f70fcb66788f1f3ca2f6d9e13445389596
author Gilles Peskine <Gilles.Peskine@arm.com> Tue Aug 21 14:02:45 2018 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Thu Sep 20 11:58:22 2018 +0200
tree 52e07b92a4edba86dbd09103f9b2f7aff5f0d49d
parent 81ba4abb02936516da93c9ec05a74d3748efb055

Correct and simplify block-based cipher modes

OFB and CFB are streaming modes. XTS is a not a cipher mode but it
doesn't use a separate padding step. This leaves only CBC as a block
cipher mode that needs a padding step.

Since CBC is the only mode that uses a separate padding step, and is
likely to remain the only mode in the future, encode the padding mode
directly in the algorithm constant, rather than building up an
algorithm value from a chaining mode and a padding mode. This greatly
simplifies the interface as well as some parts of the implementation.

library/psa_crypto.c

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index dfbb680..66a6feb 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1220,28 +1220,26 @@
 
     if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) )
     {
-        if( PSA_ALG_IS_BLOCK_CIPHER( alg ) )
-        {
-            alg &= ~PSA_ALG_BLOCK_CIPHER_PADDING_MASK;
-        }
-
         switch( alg )
         {
-            case PSA_ALG_STREAM_CIPHER_BASE:
+            case PSA_ALG_ARC4:
                 mode = MBEDTLS_MODE_STREAM;
                 break;
-            case PSA_ALG_CBC_BASE:
-                mode = MBEDTLS_MODE_CBC;
-                break;
-            case PSA_ALG_CFB_BASE:
-                mode = MBEDTLS_MODE_CFB;
-                break;
-            case PSA_ALG_OFB_BASE:
-                mode = MBEDTLS_MODE_OFB;
-                break;
             case PSA_ALG_CTR:
                 mode = MBEDTLS_MODE_CTR;
                 break;
+            case PSA_ALG_CFB:
+                mode = MBEDTLS_MODE_CFB;
+                break;
+            case PSA_ALG_OFB:
+                mode = MBEDTLS_MODE_OFB;
+                break;
+            case PSA_ALG_CBC_NO_PADDING:
+                mode = MBEDTLS_MODE_CBC;
+                break;
+            case PSA_ALG_CBC_PKCS7:
+                mode = MBEDTLS_MODE_CBC;
+                break;
             case PSA_ALG_CCM:
                 mode = MBEDTLS_MODE_CCM;
                 break;
@@ -2419,37 +2417,32 @@
     }
 
 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
-    if( ( alg & ~PSA_ALG_BLOCK_CIPHER_PADDING_MASK ) == PSA_ALG_CBC_BASE )
+    switch( alg )
     {
-        psa_algorithm_t padding_mode = alg & PSA_ALG_BLOCK_CIPHER_PADDING_MASK;
-        mbedtls_cipher_padding_t mode;
-
-        switch ( padding_mode )
-        {
-            case PSA_ALG_BLOCK_CIPHER_PAD_PKCS7:
-                mode = MBEDTLS_PADDING_PKCS7;
-                break;
-            case PSA_ALG_BLOCK_CIPHER_PAD_NONE:
-                mode = MBEDTLS_PADDING_NONE;
-                break;
-            default:
-                psa_cipher_abort( operation );
-                return( PSA_ERROR_INVALID_ARGUMENT );
-        }
-        ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher, mode );
-        if( ret != 0 )
-        {
-            psa_cipher_abort( operation );
-            return( mbedtls_to_psa_error( ret ) );
-        }
+        case PSA_ALG_CBC_NO_PADDING:
+            ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher,
+                                                   MBEDTLS_PADDING_NONE );
+            break;
+        case PSA_ALG_CBC_PKCS7:
+            ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher,
+                                                   MBEDTLS_PADDING_PKCS7 );
+            break;
+        default:
+            /* The algorithm doesn't involve padding. */
+            ret = 0;
+            break;
+    }
+    if( ret != 0 )
+    {
+        psa_cipher_abort( operation );
+        return( mbedtls_to_psa_error( ret ) );
     }
 #endif //MBEDTLS_CIPHER_MODE_WITH_PADDING
 
     operation->key_set = 1;
-    operation->block_size = ( PSA_ALG_IS_BLOCK_CIPHER( alg ) ?
-                              PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type ) :
-                              1 );
-    if( PSA_ALG_IS_BLOCK_CIPHER( alg ) || alg == PSA_ALG_CTR )
+    operation->block_size = ( PSA_ALG_IS_STREAM_CIPHER( alg ) ? 1 :
+                              PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type ) );
+    if( alg & PSA_ALG_CIPHER_FROM_BLOCK_FLAG )
     {
         operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type );
     }
@@ -2541,7 +2534,7 @@
     psa_status_t status;
     int ret;
     size_t expected_output_size;
-    if( PSA_ALG_IS_BLOCK_CIPHER( operation->alg ) )
+    if( ! PSA_ALG_IS_STREAM_CIPHER( operation->alg ) )
     {
         /* Take the unprocessed partial block left over from previous
          * update calls, if any, plus the input to this call. Remove
@@ -2590,24 +2583,13 @@
         status = PSA_ERROR_BAD_STATE;
         goto error;
     }
+
     if( operation->ctx.cipher.operation == MBEDTLS_ENCRYPT &&
-        PSA_ALG_IS_BLOCK_CIPHER( operation->alg ) )
+        operation->alg == PSA_ALG_CBC_NO_PADDING &&
+        operation->ctx.cipher.unprocessed_len != 0 )
     {
-        psa_algorithm_t padding_mode =
-            operation->alg & PSA_ALG_BLOCK_CIPHER_PADDING_MASK;
-        if( operation->ctx.cipher.unprocessed_len >= operation->block_size )
-        {
-            status = PSA_ERROR_TAMPERING_DETECTED;
+            status = PSA_ERROR_INVALID_ARGUMENT;
             goto error;
-        }
-        if( padding_mode == PSA_ALG_BLOCK_CIPHER_PAD_NONE )
-        {
-            if( operation->ctx.cipher.unprocessed_len != 0 )
-            {
-                status = PSA_ERROR_INVALID_ARGUMENT;
-                goto error;
-            }
-        }
     }
 
     cipher_ret = mbedtls_cipher_finish( &operation->ctx.cipher,