Possible memory corruption / leak in mbedtls AES implementation (iv)
Posted: Thu Mar 04, 2021 7:54 pm
Hi,
I found a bug in the implementation of AES under mbedtls (block implementation).
When encrypting something using CBC by calling mbedtls_aes_crypt_cbc, you are actually calling esp_aes_crypt_cbc.
Notice that the function expects the initialization vector to be given as unsigned char iv[16] (so not a pointer).
However, while encrypting, at line 251, the IV argument memory block (which is referenced at line 210 by uint32_t *iv_words = (uint32_t *)iv; ), is rewritten with newly calculated values of the output words.
This makes the memory contents of the given argument "iv" change to those values, so when you try to work with the variable after calling mbedtls_aes_crypt_cbc() you'll be surprised that it does not have the initial value.
This shouldn't happen as the IV contents shouldn't change, even more so when the argument is not a pointer.
PS: I saw that there is an alternative DMA implementation for mbedtls, however I don't know when it's used.
Including "mbedtls/aes.h" links to the function mentioned above (block implementation).
Hope it helps,
Thanks,
A.
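Added example (not the poster's code and not mbedtls or ESP-IDF code) to make the observed behaviour reproducible without the hardware. Two facts it relies on: in C a parameter declared as `unsigned char iv[16]` is adjusted to `unsigned char *iv`, so the callee writes straight into the caller's array; and the mbedtls header documents the CBC `iv` parameter as "updated after use", i.e. the write-back is the chaining state that lets a second call continue where the first stopped. The block function below is a toy, non-cryptographic stand-in for the AES block operation (an assumption made only so the example builds stand-alone); `toy_crypt_cbc` keeps the same parameter shape as `mbedtls_aes_crypt_cbc`.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 16

/* Toy, NON-cryptographic block function that stands in for the AES block
 * operation so the example is self-contained (assumption: not AES, not
 * mbedtls code). Do not reuse it for anything real. */
static void toy_block(const unsigned char *key, const unsigned char *in,
                      unsigned char *out)
{
    for (int i = 0; i < BLOCK; i++) {
        unsigned char x = (unsigned char)(in[i] ^ key[i]);
        out[i] = (unsigned char)((x << 3) | (x >> 5));
    }
}

/* CBC encryption with the same parameter shape as mbedtls_aes_crypt_cbc().
 * `iv` is declared as an array but, as a C function parameter, it is a
 * pointer to the caller's 16 bytes. Like the documented mbedtls contract it
 * is overwritten with the last ciphertext block so a later call can continue
 * the chain. */
int toy_crypt_cbc(const unsigned char *key, size_t length, unsigned char iv[BLOCK],
                  const unsigned char *input, unsigned char *output)
{
    unsigned char tmp[BLOCK];
    if (length == 0 || length % BLOCK != 0)
        return -1;
    for (size_t off = 0; off < length; off += BLOCK) {
        for (int i = 0; i < BLOCK; i++)
            tmp[i] = (unsigned char)(input[off + i] ^ iv[i]);
        toy_block(key, tmp, output + off);
        memcpy(iv, output + off, BLOCK); /* chaining state written through the pointer */
    }
    return 0;
}

/* Constructed test data: deterministic byte patterns, not real keys. */
static void fill(unsigned char *buf, size_t n, unsigned char seed)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)(seed + i);
}

/* Reproduces the observation from the post: call with the caller's own iv
 * array and check whether it still holds its initial value afterwards.
 * Returns 1 if the iv buffer changed and now equals the last ciphertext
 * block, 0 otherwise. */
int direct_call_overwrites_iv(void)
{
    unsigned char key[BLOCK], iv[BLOCK], iv_initial[BLOCK];
    unsigned char plain[2 * BLOCK], cipher[2 * BLOCK];
    fill(key, BLOCK, 0x10);
    fill(iv, BLOCK, 0xA0);
    memcpy(iv_initial, iv, BLOCK);
    fill(plain, sizeof plain, 0x41);
    if (toy_crypt_cbc(key, sizeof plain, iv, plain, cipher) != 0)
        return 0;
    return memcmp(iv, iv_initial, BLOCK) != 0 &&
           memcmp(iv, cipher + BLOCK, BLOCK) == 0;
}

/* Why the write-back exists, and the caller-side pattern: keep the IV you
 * still need (e.g. to prepend to the ciphertext) in iv_saved and pass a
 * working copy. Two chained 16-byte calls on the working copy must produce
 * the same ciphertext as one 32-byte call, while iv_saved is untouched.
 * Returns 1 on success, 0 otherwise. */
int chained_calls_match_one_shot(void)
{
    unsigned char key[BLOCK], iv_saved[BLOCK], iv_expect[BLOCK], iv_work[BLOCK];
    unsigned char plain[2 * BLOCK], one_shot[2 * BLOCK], chained[2 * BLOCK];
    fill(key, BLOCK, 0x10);
    fill(iv_saved, BLOCK, 0xA0);
    fill(iv_expect, BLOCK, 0xA0);
    fill(plain, sizeof plain, 0x41);

    memcpy(iv_work, iv_saved, BLOCK);
    if (toy_crypt_cbc(key, sizeof plain, iv_work, plain, one_shot) != 0)
        return 0;

    memcpy(iv_work, iv_saved, BLOCK);
    if (toy_crypt_cbc(key, BLOCK, iv_work, plain, chained) != 0 ||
        toy_crypt_cbc(key, BLOCK, iv_work, plain + BLOCK, chained + BLOCK) != 0)
        return 0;

    return memcmp(one_shot, chained, sizeof one_shot) == 0 &&
           memcmp(iv_saved, iv_expect, BLOCK) == 0;
}

int main(void)
{
    printf("direct call overwrites iv: %d\n", direct_call_overwrites_iv());
    printf("chained calls match one-shot: %d\n", chained_calls_match_one_shot());
    return 0;
}
```

Both checks print 1: the caller's array really is overwritten, and the value written is exactly the state a follow-up call needs. Whether you call the block implementation or the DMA one, the practical rule is the same: if you need the original IV after the call, copy it first and pass the copy.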