Version
latest
Description
Calling wolfCrypt's wc_AesInit requires specifying either encryption or decryption: only one key expansion is made available, it sits at an identical location in the AES context regardless of which option is selected, and no flag is set in the context denoting which key schedule is available. When calling wc_AesCbcEncrypt or wc_AesCbcDecrypt, the call has no way to verify that it is using the correct key expansion.
AES is frequently called repeatedly with the same key between key expansions, so this can easily result in a user error where the incorrect schedule is used for an encrypt/decrypt call. Many libraries solve this issue by making one key expansion call that works for both encryption and decryption and then letting the encrypt/decrypt call handle the choice. If Wolf does not wish to do this (for example, to save space), a flag should be added to the key schedule denoting whether it is suitable for encryption or decryption, and that flag should be checked when encrypt/decrypt is called.
Note: While the root cause of this issue is user error, the mistake is natural enough that wolfHSM's authors made it in their example code.
Note: I found this issue (and posted a sister bug report) in wolfHSM's AES CBC mode usage of wolfCrypt. This is why I'm specifically mentioning CBC mode. The issue is not restricted to CBC mode, but I have not checked that it's valid for all modes/usages of AES that wolfCrypt supports.
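As an added illustration of the flag check proposed above (example code written for this report, not wolfCrypt's or wolfHSM's), the Go block below models the wolfCrypt call shape with the standard library: SetKey stands in for wc_AesSetKey's direction argument, CbcEncrypt/CbcDecrypt stand in for wc_AesCbcEncrypt/wc_AesCbcDecrypt, and the names Direction, DirEncrypt, DirDecrypt, AesCtx and ErrWrongDirection are this example's own. The context records the direction the schedule was expanded for and turns a mismatched call into a hard error instead of silently producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

type Direction int // stands in for wolfCrypt's AES_ENCRYPTION / AES_DECRYPTION selector
const (
	DirEncrypt Direction = iota + 1
	DirDecrypt
)
var ErrWrongDirection = errors.New("aes-cbc: key schedule was expanded for the other direction")

// AesCtx models an Aes context plus the flag the report asks for, re-checked on every call.
type AesCtx struct {
	mode cipher.BlockMode // one schedule, one direction; IV is chained across calls
	dir  Direction
}

// SetKey plays the role of wc_AesSetKey(aes, key, len, iv, dir) (names assumed for this example).
func SetKey(key, iv []byte, dir Direction) (*AesCtx, error) {
	if (dir != DirEncrypt && dir != DirDecrypt) || len(iv) != aes.BlockSize {
		return nil, errors.New("aes-cbc: bad direction or iv length")
	}
	b, err := aes.NewCipher(key) // rejects key lengths other than 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	c := &AesCtx{dir: dir, mode: cipher.NewCBCEncrypter(b, iv)}
	if dir == DirDecrypt {
		c.mode = cipher.NewCBCDecrypter(b, iv)
	}
	return c, nil
}

func (c *AesCtx) crypt(out, in []byte, want Direction) error {
	if c.dir != want {
		return ErrWrongDirection // the silent wrong-schedule result becomes a hard error
	}
	if len(in)%aes.BlockSize != 0 || len(out) < len(in) {
		return errors.New("aes-cbc: input is not a whole number of blocks")
	}
	c.mode.CryptBlocks(out, in)
	return nil
}

// The two entry points mirror wc_AesCbcEncrypt / wc_AesCbcDecrypt and share the check above.
func (c *AesCtx) CbcEncrypt(out, in []byte) error { return c.crypt(out, in, DirEncrypt) }
func (c *AesCtx) CbcDecrypt(out, in []byte) error { return c.crypt(out, in, DirDecrypt) }
```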