From cff2e663841b6a68d3a8ce12647d57b2b6fbc36c Mon Sep 17 00:00:00 2001
From: Robin Krahl
Date: Fri, 1 Mar 2024 16:42:18 +0100
Subject: [PATCH] Use nonce as IV for Aes256Cbc mechanism
---
 CHANGELOG.md | 1 +
 src/client/mechanisms.rs | 12 ++++++++++--
 src/mechanisms/aes256cbc.rs | 23 +++++++++++++++++++----
 3 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cda7ced1227..6ec19bcd6f9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -44,6 +44,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Change store implementations to use littlefs2’s `DynFilesystem` trait instead of being generic over the storage implementation.
 - Add `nonce` argument to `wrap_key` and `unwrap_key` syscalls.
+- Use nonce as IV for Aes256Cbc mechanism.
 ### Fixed
diff --git a/src/client/mechanisms.rs b/src/client/mechanisms.rs
index 2003876b4ed..522841186d9 100644
--- a/src/client/mechanisms.rs
+++ b/src/client/mechanisms.rs
@@ -8,16 +8,24 @@ pub trait Aes256Cbc: CryptoClient {
 &'c mut self,
 key: KeyId,
 message: &[u8],
+ iv: &[u8],
 ) -> ClientResult<'c, reply::Decrypt, Self> {
- self.decrypt(Mechanism::Aes256Cbc, key, message, &[], &[], &[])
+ self.decrypt(Mechanism::Aes256Cbc, key, message, &[], iv, &[])
 }
 fn wrap_key_aes256cbc(
 &mut self,
 wrapping_key: KeyId,
 key: KeyId,
+ iv: Option<&[u8; 16]>,
 ) -> ClientResult<'_, reply::WrapKey, Self> {
- self.wrap_key(Mechanism::Aes256Cbc, wrapping_key, key, &[], None)
+ self.wrap_key(
+ Mechanism::Aes256Cbc,
+ wrapping_key,
+ key,
+ &[],
+ iv.and_then(|iv| ShortData::from_slice(iv).ok()),
+ )
 }
 }
diff --git a/src/mechanisms/aes256cbc.rs b/src/mechanisms/aes256cbc.rs
index 2b114e00f35..192cbda0be5 100644
--- a/src/mechanisms/aes256cbc.rs
+++ b/src/mechanisms/aes256cbc.rs
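Review bot: In `wrap_key_aes256cbc`, `iv.and_then(|iv| ShortData::from_slice(iv).ok())` turns a failed conversion of a caller-supplied IV into `None`, which the mechanism side then treats as the all-zero IV, so a caller who explicitly passed an IV could silently end up with deterministic encryption instead. If `ShortData` can always hold 16 bytes the failure is unreachable and the code should say so, `iv.map(|iv| ShortData::from_slice(iv).expect("a 16-byte IV fits in ShortData"))`; if it cannot, the error should be returned rather than swallowed. The two new parameters also differ in shape — `decrypt_aes256cbc` takes `iv: &[u8]`, where (assuming the fifth argument of `decrypt` is the request's `nonce`, as the commit title suggests) an empty slice selects the zero IV, while `wrap_key_aes256cbc` takes `Option<&[u8; 16]>` — and neither documents the contract; a doc comment such as `/// Pass the 16-byte IV used at encryption time; an empty slice selects the legacy all-zero IV.` on `decrypt_aes256cbc` would make it visible. `decrypt_aes256cbc`'s signature starts before the hunk, and whether an `encrypt_aes256cbc` outside the hunk gained a matching parameter cannot be seen here.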
@@ -31,8 +31,15 @@ impl Encrypt for super::Aes256Cbc {
 .try_into()
 .map_err(|_| Error::InternalError)?;
- let zero_iv = [0u8; 16];
- let cipher = Aes256CbcEnc::new_from_slices(&symmetric_key, &zero_iv).unwrap();
+ let iv = if let Some(nonce) = &request.nonce {
+ nonce
+ .as_slice()
+ .try_into()
+ .map_err(|_| Error::MechanismParamInvalid)?
+ } else {
+ [0u8; 16]
+ };
+ let cipher = Aes256CbcEnc::new_from_slices(&symmetric_key, &iv).unwrap();
 // buffer must have enough space for message+padding
 let mut buffer = request.message.clone();
@@ -117,8 +124,16 @@ impl Decrypt for super::Aes256Cbc {
 .try_into()
 .map_err(|_| Error::InternalError)?;
- let zero_iv = [0u8; 16];
- let cipher = Aes256CbcDec::new_from_slices(&symmetric_key, &zero_iv).unwrap();
+ let iv = if request.nonce.is_empty() {
+ [0u8; 16]
+ } else {
+ request
+ .nonce
+ .as_slice()
+ .try_into()
+ .map_err(|_| Error::MechanismParamInvalid)?
+ };
+ let cipher = Aes256CbcDec::new_from_slices(&symmetric_key, &iv).unwrap();
 // buffer must have enough space for message+padding
 let mut buffer = request.message.clone();
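Review bot: The new `} else { [0u8; 16] }` branch in `Encrypt` keeps the previous all-zero IV whenever no nonce is supplied, so CBC stays deterministic for a given key on that path, and nothing in the hunk marks this as a compatibility fallback rather than the intended default; the same fallback appears in the `Decrypt` hunk below at `if request.nonce.is_empty()`. Add a comment on the branch, e.g. `// Legacy fallback: no nonce means an all-zero IV, which makes CBC deterministic per key; callers should pass a fresh 16-byte nonce per message.`, and consider whether this fallback should become an error once callers have migrated. `Aes256CbcEnc::new_from_slices(&symmetric_key, &iv).unwrap()` looks sound because `symmetric_key` went through a `try_into` above and `iv` is inferred as `[u8; 16]`, but a short `// both lengths were validated above` comment would justify the unwrap to the next reader. The enclosing `encrypt` function begins before the hunk and continues after it.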
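Review bot: `Decrypt` and `Encrypt` now disagree on what an absent IV means: `Encrypt` falls back to the zero IV only for `None` and rejects a present nonce of the wrong length with `MechanismParamInvalid`, while `Decrypt` treats an empty nonce as the zero IV, so the request types presumably differ (an `Option` versus a plain buffer) and the rule "empty means zero IV" is stated nowhere. A one-line comment on `if request.nonce.is_empty()`, `// An empty nonce selects the legacy all-zero IV; any other nonce must be exactly 16 bytes.`, would document it, and the slice-to-`[u8; 16]` parsing duplicated in both hunks could move into one small helper returning `Result<[u8; 16], Error>` so the two paths cannot drift further apart. The enclosing `decrypt` function begins before the hunk and continues after it.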