From 5f6b618e71735906828208da8150e0741d6bc197 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Fri, 26 Mar 2021 14:04:25 -0500
Subject: [PATCH] configure.ac: add --enable-aescbc-length-checks and add it to
 --enable-all; api.c: fix expected error code in WOLFSSL_AES_CBC_LENGTH_CHECKS
 path of test_wc_AesCbcEncryptDecrypt(); aes.c: add explanatory comment on
 WOLFSSL_AES_CBC_LENGTH_CHECKS to top of file.

---
 configure.ac | 14 ++++++++++++++
 tests/api.c  |  9 +++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 23deefd52..36fcc6d19 100644
--- a/configure.ac
+++ b/configure.ac
@@ -353,6 +353,7 @@ then
     test "$enable_aesctr" = "" && enable_aesctr=yes
     test "$enable_aesofb" = "" && enable_aesofb=yes
     test "$enable_aescfb" = "" && enable_aescfb=yes
+    test "$enable_aescbc_length_checks" = "" && enable_aescbc_length_checks=yes
     test "$enable_camellia" = "" && enable_camellia=yes
     test "$enable_ripemd" = "" && enable_ripemd=yes
     test "$enable_sha512" = "" && enable_sha512=yes
@@ -1288,6 +1289,18 @@ then
     AM_CFLAGS="$AM_CFLAGS -DNO_AES_CBC"
 fi
 
+# AES-CBC length checks (checks that input lengths are multiples of block size)
+AC_ARG_ENABLE([aescbc_length_checks],
+    [AS_HELP_STRING([--enable-aescbc-length-checks],[Enable AES-CBC length validity checks (default: disabled)])],
+    [ ENABLED_AESCBC_LENGTH_CHECKS=$enableval ],
+    [ ENABLED_AESCBC_LENGTH_CHECKS=no ]
+    )
+
+if test "$ENABLED_AESCBC_LENGTH_CHECKS" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CBC_LENGTH_CHECKS"
+fi
+
 # leanpsk and leantls don't need gcm
 
 # AES-GCM
@@ -6505,6 +6518,7 @@ echo "   * ARC4:                       $ENABLED_ARC4"
 echo "   * AES:                        $ENABLED_AES"
 echo "   * AES-NI:                     $ENABLED_AESNI"
 echo "   * AES-CBC:                    $ENABLED_AESCBC"
+echo "   * AES-CBC length checks:      $ENABLED_AESCBC_LENGTH_CHECKS"
 echo "   * AES-GCM:                    $ENABLED_AESGCM"
 echo "   * AES-CCM:                    $ENABLED_AESCCM"
 echo "   * AES-CTR:                    $ENABLED_AESCTR"
diff --git a/tests/api.c b/tests/api.c
index 735ce602c..832146c9e 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -19,6 +19,11 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+/* For AES-CBC, input lengths can optionally be validated to be a
+ * multiple of the block size, by defining WOLFSSL_AES_CBC_LENGTH_CHECKS,
+ * also available via the configure option --enable-aescbc-length-checks.
+ */
+
 
 /*----------------------------------------------------------------------------*
  | Includes
@@ -13155,7 +13160,7 @@ static int test_wc_AesCbcEncryptDecrypt (void)
         if (cbcE == 0) {
             cbcE = wc_AesCbcEncrypt(&aes, enc, vector, sizeof(vector) - 1);
         }
-        if (cbcE == BAD_ALIGN_E) {
+        if (cbcE == BAD_LENGTH_E) {
             cbcE = 0;
         } else {
             cbcE = WOLFSSL_FATAL_ERROR;
@@ -13190,7 +13195,7 @@ static int test_wc_AesCbcEncryptDecrypt (void)
             cbcD = wc_AesCbcDecrypt(&aes, dec, enc, AES_BLOCK_SIZE * 2 - 1);
         }
 #ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS
-        if (cbcD == BAD_ALIGN_E) {
+        if (cbcD == BAD_LENGTH_E) {
             cbcD = 0;
         } else {
             cbcD = WOLFSSL_FATAL_ERROR;