From f28a25a12107f81009bf4fa91e5a5aa5c56eb688 Mon Sep 17 00:00:00 2001
From: Konstantin Kroschewski <konstantin.kroschewski@silab.de>
Date: Thu, 14 Jul 2022 14:01:07 +0200
Subject: [PATCH] Resolve aes cmac token generation bug if input data is
 chunked

If the tc_cmac_update() function is called and fills the internal leftover cache completely, the following tc_cmac_final() call will produce a wrong token.

If the tc_cmac_update() is called with a data length which fills up the internal leftover cache completely, the leftover data will be processed instantly and is left empty. This is not the right behavior, because tc_cmac_final() requires that the last block is still in the leftover cache and not processed, because it need special treatment.

Bug reproduction code:

~~~c
#include "tinycrypt/cmac_mode.h"
#include "tinycrypt/aes.h"
#include "tinycrypt/utils.h"
#include "tinycrypt/constants.h"
#include <stdlib.h>
#include <stdio.h>

#define ASSERT_TRUE(cond) if (!(cond)) {printf("Test failed!\n"); return -1;}

const uint8_t testData[16] =
{
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10
};

const uint8_t key[TC_AES_KEY_SIZE] =
{
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x12
};

uint8_t token1[TC_AES_BLOCK_SIZE];
uint8_t token2[TC_AES_BLOCK_SIZE];

int main()
{
    {
        struct tc_cmac_struct ctx;
        struct tc_aes_key_sched_struct sched;
        ASSERT_TRUE(tc_cmac_init(&ctx) == TC_CRYPTO_SUCCESS);
        ASSERT_TRUE(tc_cmac_setup(&ctx, key, &sched) == TC_CRYPTO_SUCCESS);
        ASSERT_TRUE(tc_cmac_update(&ctx, testData, sizeof(testData)) == TC_CRYPTO_SUCCESS);
        ASSERT_TRUE(tc_cmac_final(token1, &ctx) == TC_CRYPTO_SUCCESS);
    }

    {
        const size_t splitOffset = 8;
        struct tc_cmac_struct ctx;
        struct tc_aes_key_sched_struct sched;
        ASSERT_TRUE(tc_cmac_init(&ctx) == TC_CRYPTO_SUCCESS);
        ASSERT_TRUE(tc_cmac_setup(&ctx, key, &sched) == TC_CRYPTO_SUCCESS);
        ASSERT_TRUE(tc_cmac_update(&ctx, testData, splitOffset) == TC_CRYPTO_SUCCESS);
        ASSERT_TRUE(tc_cmac_update(&ctx, &testData[splitOffset] , TC_AES_BLOCK_SIZE - splitOffset) == TC_CRYPTO_SUCCESS);
        ASSERT_TRUE(tc_cmac_final(token2, &ctx) == TC_CRYPTO_SUCCESS);
    }

    ASSERT_TRUE(memcmp(token1, token2, TC_AES_BLOCK_SIZE) == 0); //will fail, tokens do not match

    printf("Test ok!\n");
}
~~~
---
 lib/source/cmac_mode.c |  4 ++--
 tests/test_cmac_mode.c | 48 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/lib/source/cmac_mode.c b/lib/source/cmac_mode.c
index 22adf20..ed51542 100644
--- a/lib/source/cmac_mode.c
+++ b/lib/source/cmac_mode.c
@@ -179,13 +179,13 @@ int tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length)
 		/* last data added to s didn't end on a TC_AES_BLOCK_SIZE byte boundary */
 		size_t remaining_space = TC_AES_BLOCK_SIZE - s->leftover_offset;
 
-		if (data_length < remaining_space) {
+		if (data_length <= remaining_space) {
 			/* still not enough data to encrypt this time either */
 			_copy(&s->leftover[s->leftover_offset], data_length, data, data_length);
 			s->leftover_offset += data_length;
 			return TC_CRYPTO_SUCCESS;
 		}
-		/* leftover block is now full; encrypt it first */
+		/* leftover block is now full and there is addidional data; encrypt block first */
 		_copy(&s->leftover[s->leftover_offset],
 		      remaining_space,
 		      data,
diff --git a/tests/test_cmac_mode.c b/tests/test_cmac_mode.c
index dc757fe..4d23573 100644
--- a/tests/test_cmac_mode.c
+++ b/tests/test_cmac_mode.c
@@ -247,6 +247,47 @@ static int verify_cmac_512_bit_msg(TCCmacState_t s)
 	return result;
 }
 
+static int verify_cmac_chunked_512_bit_msg(TCCmacState_t s)
+{
+	int result = TC_PASS;
+
+	TC_PRINT("Performing CMAC test #6 (SP 800-38B test vector #4)\n");
+
+	const size_t chunkOffset = 60;
+
+	const uint8_t msg[64] = {
+		0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+		0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+		0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
+		0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+		0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
+		0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
+		0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
+		0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
+	};
+	const uint8_t tag[BUF_LEN] = {
+		0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
+		0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
+	};
+	uint8_t Tag[BUF_LEN];
+
+	(void)tc_cmac_init(s);
+	(void)tc_cmac_update(s, msg, chunkOffset);
+	(void)tc_cmac_update(s, &msg[chunkOffset], sizeof(msg) - chunkOffset);
+	(void)tc_cmac_final(Tag, s);
+
+	if (memcmp(Tag, tag, BUF_LEN) != 0) {
+		TC_ERROR("%s: aes_cmac failed with chunked 512 bit msg\n", __func__);
+		show("aes_cmac failed with 512 bit msg =", msg, sizeof(msg));
+		show("expected Tag =", tag, sizeof(tag));
+		show("computed Tag =", Tag, sizeof(Tag));
+		return TC_FAIL;
+	}
+
+	TC_END_RESULT(result);
+	return result;
+}
+
 /*
  * Main task to test CMAC
  * effects:    returns 1 if all tests pass
@@ -303,6 +344,13 @@ int main(void)
 		TC_ERROR("CMAC test #5  (512 bit msg)failed.\n");
 		goto exitTest;
 	}
+	(void) tc_cmac_setup(&state, key, &sched);
+	result = verify_cmac_chunked_512_bit_msg(&state);
+	if (result == TC_FAIL) {
+		/* terminate test */
+		TC_ERROR("CMAC test #6  (chunked 512 bit msg)failed.\n");
+		goto exitTest;
+	}
 
 	TC_PRINT("All CMAC tests succeeded!\n");