cipher: Do not keep and reuse the IV

Synss · Synss · commit 9e228eb97bfa · 2022-03-12T11:26:24.000+01:00
The original IV was used for subsequent calls to encrypt or decrypt, which yields wrong results for some cipher modes. Closes #58.
diff --git a/src/mbedtls/cipher/_cipher.pxd b/src/mbedtls/cipher/_cipher.pxd
@@ -90,21 +90,30 @@ cdef extern from "mbedtls/cipher.h" nogil:
         mbedtls_cipher_context_t* ctx,
         mbedtls_cipher_padding_t mode
     )
-    # mbedtls_cipher_set_iv
-
-    # mbedtls_cipher_reset
-    # mbedtls_cipher_update_ad
-    # mbedtls_cipher_update
-    # mbedtls_cipher_finish
+    int mbedtls_cipher_set_iv(
+        mbedtls_cipher_context_t* ctx,
+        const unsigned char *iv, size_t iv_len
+    )
+    int mbedtls_cipher_reset(mbedtls_cipher_context_t* ctx)
+    int mbedtls_cipher_update_ad(
+        mbedtls_cipher_context_t* ctx,
+        const unsigned char *ad, size_t ad_len)
+    int mbedtls_cipher_update(
+        mbedtls_cipher_context_t* ctx,
+        const unsigned char *input, size_t ilen,
+        unsigned char *output, size_t *olen)
+    int mbedtls_cipher_finish(
+        mbedtls_cipher_context_t* ctx,
+        unsigned char *output, size_t *olen)
 
     # mbedtls_cipher_write_tag
     # mbedtls_cipher_check_tag
 
-    int mbedtls_cipher_crypt(
-        mbedtls_cipher_context_t* ctx,
-        const unsigned char* iv, size_t iv_len,
-        const unsigned char* input, size_t ilen,
-        unsigned char* output, size_t* olen)
+    # int mbedtls_cipher_crypt(
+    #     mbedtls_cipher_context_t* ctx,
+    #     const unsigned char* iv, size_t iv_len,
+    #     const unsigned char* input, size_t ilen,
+    #     unsigned char* output, size_t* olen)
 
     int mbedtls_cipher_auth_encrypt(
         mbedtls_cipher_context_t* ctx,
@@ -127,20 +136,19 @@ cdef class _CipherBase:
     # Encapsulate two contexts to push the keys into mbedtls ASAP.
     cdef mbedtls_cipher_context_t _enc_ctx
     cdef mbedtls_cipher_context_t _dec_ctx
-    cdef const unsigned char[:] _iv
 
 
 cdef class Cipher(_CipherBase):
     cdef _crypt(
         self,
-        const unsigned char[:] iv,
+        mbedtls_cipher_context_t *ctx,
         const unsigned char[:] input,
-        const mbedtls_operation_t operation
     )
 
 
 cdef class AEADCipher(_CipherBase):
     cdef const unsigned char[:] _ad
+    cdef const unsigned char[:] _iv
     cdef _aead_encrypt(self,
                 const unsigned char[:] iv,
                 const unsigned char[:] ad,
diff --git a/src/mbedtls/cipher/_cipher.pyx b/src/mbedtls/cipher/_cipher.pyx
@@ -198,15 +198,18 @@ cdef class _CipherBase:
         _cipher.mbedtls_cipher_set_padding_mode(
             &self._dec_ctx, _cipher.MBEDTLS_PADDING_NONE)
 
-
         if key is not None:
             _exc.check_error(_cipher.mbedtls_cipher_setkey(
                 &self._enc_ctx, &key[0], 8 * key.size,
                 _cipher.MBEDTLS_ENCRYPT))
             _exc.check_error(_cipher.mbedtls_cipher_setkey(
                 &self._dec_ctx, &key[0], 8 * key.size,
                 _cipher.MBEDTLS_DECRYPT))
-        self._iv = iv
+
+        _exc.check_error(_cipher.mbedtls_cipher_set_iv(
+            &self._enc_ctx, &iv[0] if iv.size else NULL, iv.size))
+        _exc.check_error(_cipher.mbedtls_cipher_set_iv(
+            &self._dec_ctx, &iv[0] if iv.size else NULL, iv.size))
 
     def __cinit__(self):
         """Initialize a `cipher_context` (as NONE)."""
@@ -264,39 +267,35 @@ cdef class _CipherBase:
 
 
 cdef class Cipher(_CipherBase):
-    cdef _crypt(self, 
-                const unsigned char[:] iv,
-                const unsigned char[:] input,
-                const _cipher.mbedtls_operation_t operation):
-        """Generic all-in-one encryption/decryption."""
+    cdef _crypt(self,
+                _cipher.mbedtls_cipher_context_t *ctx,
+                const unsigned char[:] input):
         if input.size == 0:
             _exc.check_error(-0x6280)  # Raise full block expected error.
         cdef size_t olen
+        cdef size_t finish_olen
         cdef size_t sz = input.size + self.block_size
         cdef unsigned char* output = <unsigned char*>malloc(
             sz * sizeof(unsigned char))
         if not output:
             raise MemoryError()
         try:
-            # We can call `check_error` directly here because we return a
-            # python object.
-            err = _cipher.mbedtls_cipher_crypt(
-                &self._enc_ctx if operation is _cipher.MBEDTLS_ENCRYPT else
-                &self._dec_ctx,
-                &iv[0] if iv.size else NULL, iv.size,
-                &input[0], input.size, output, &olen)
+            _exc.check_error(_cipher.mbedtls_cipher_reset(ctx))
+            _exc.check_error(_cipher.mbedtls_cipher_update(
+                ctx, &input[0], input.size, output, &olen))
+            err = _cipher.mbedtls_cipher_finish(ctx, output + olen, &finish_olen)
             if err == -0x6280:
                 raise ValueError("expected a full block")
             _exc.check_error(err)
-            return output[:olen]
+            return output[:olen + finish_olen]
         finally:
             free(output)
 
     def encrypt(self, const unsigned char[:] message not None):
-        return self._crypt(self._iv, message, _cipher.MBEDTLS_ENCRYPT)
+        return self._crypt(&self._enc_ctx, message)
 
     def decrypt(self, const unsigned char[:] message not None):
-        return self._crypt(self._iv, message, _cipher.MBEDTLS_DECRYPT)
+        return self._crypt(&self._dec_ctx, message)
 
 
 cdef class AEADCipher(_CipherBase):
@@ -307,6 +306,7 @@ cdef class AEADCipher(_CipherBase):
                  const unsigned char[:] iv not None,
                  const unsigned char[:] ad not None):
         super().__init__(cipher_name, key, mode, iv)
+        self._iv = iv
         self._ad = ad
 
     cdef _aead_encrypt(self,
