move AES-CCM tag check into a local function

2020-04-28 14:46:06 -06:00 · 2020-04-28 14:46:06 -06:00 · b73e52f33f
commit b73e52f33f
parent c85a53c631
4 changed files with 26 additions and 9 deletions
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@ -6970,6 +6970,21 @@ int wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
    return wc_AesSetKey(aes, key, keySz, NULL, AES_ENCRYPTION);
 }

+
+/* Checks if the tag size is an accepted value based on RFC 3610 section 2
+ * returns 0 if tag size is ok
+ */
+int wc_AesCcmCheckTagSize(int sz)
+{
+    /* values here are from RFC 3610 section 2 */
+    if (sz != 4 && sz != 6 && sz != 8 && sz != 10 && sz != 12 && sz != 14
+            && sz != 16) {
+        WOLFSSL_MSG("Bad auth tag size AES-CCM");
+        return BAD_FUNC_ARG;
+    }
+    return 0;
+}
+
 #ifdef WOLFSSL_ARMASM
    /* implementation located in wolfcrypt/src/port/arm/armv8-aes.c */

@ -6996,11 +7011,7 @@ int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
            || authTag == NULL || nonceSz < 7 || nonceSz > 13)
        return BAD_FUNC_ARG;

-    /* sanity check on tag size */
-    if (authTagSz != 4 && authTagSz != 6 && authTagSz != 8 &&
-            authTagSz != 10 && authTagSz != 12 && authTagSz != 14 &&
-            authTagSz != 16) {
-        WOLFSSL_MSG("Bad auth tag size AES-CCM");
+    if (wc_AesCcmCheckTagSize(authTagSz) != 0) {
        return BAD_FUNC_ARG;
    }

@ -7193,10 +7204,7 @@ int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
        return BAD_FUNC_ARG;

    /* sanity check on tag size */
-    if (authTagSz != 4 && authTagSz != 6 && authTagSz != 8 &&
-            authTagSz != 10 && authTagSz != 12 && authTagSz != 14 &&
-            authTagSz != 16) {
-        WOLFSSL_MSG("Bad auth tag size AES-CCM");
+    if (wc_AesCcmCheckTagSize(authTagSz) != 0) {
        return BAD_FUNC_ARG;
    }

--- a/wolfcrypt/src/port/arm/armv8-aes.c
+++ b/wolfcrypt/src/port/arm/armv8-aes.c
@ -4438,6 +4438,10 @@ int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
            || authTag == NULL || nonceSz < 7 || nonceSz > 13)
        return BAD_FUNC_ARG;

+    if (wc_AesCcmCheckTagSize(authTagSz) != 0) {
+        return BAD_FUNC_ARG;
+    }
+
    XMEMCPY(B+1, nonce, nonceSz);
    lenSz = AES_BLOCK_SIZE - 1 - (byte)nonceSz;
    B[0] = (authInSz > 0 ? 64 : 0)
--- a/wolfcrypt/src/port/caam/caam_aes.c
+++ b/wolfcrypt/src/port/caam/caam_aes.c
@ -497,6 +497,10 @@ int  wc_AesCcmEncrypt(Aes* aes, byte* out,
        authTagSz > AES_BLOCK_SIZE)
        return BAD_FUNC_ARG;

+    if (wc_AesCcmCheckTagSize(authTagSz) != 0) {
+        return BAD_FUNC_ARG;
+    }
+
    if (wc_AesGetKeySize(aes, &keySz) != 0) {
         return BAD_FUNC_ARG;
    }
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@ -369,6 +369,7 @@ WOLFSSL_API int wc_AesEcbDecrypt(Aes* aes, byte* out,
                               word32 cSz, byte* s, word32 sSz);
 #endif /* HAVE_AESGCM */
 #ifdef HAVE_AESCCM
+ WOLFSSL_LOCAL int wc_AesCcmCheckTagSize(int sz);
 WOLFSSL_API int  wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz);
 WOLFSSL_API int  wc_AesCcmEncrypt(Aes* aes, byte* out,
                                   const byte* in, word32 inSz,