2013-08-20 11:48:36 +02:00
|
|
|
/* BEGIN_HEADER */
|
2015-03-09 17:05:11 +00:00
|
|
|
#include "mbedtls/cipher.h"
|
2019-07-29 17:46:29 +02:00
|
|
|
#include "mbedtls/aes.h"
|
|
|
|
|
|
2015-04-08 12:49:31 +02:00
|
|
|
#if defined(MBEDTLS_GCM_C)
|
2015-03-09 17:05:11 +00:00
|
|
|
#include "mbedtls/gcm.h"
|
2013-09-03 20:17:35 +02:00
|
|
|
#endif
|
2019-08-01 12:47:40 +02:00
|
|
|
|
2025-01-16 16:24:35 +00:00
|
|
|
#include "cipher_invasive.h"
|
|
|
|
|
|
|
|
|
|
#include "test/constant_flow.h"
|
|
|
|
|
|
2023-10-16 11:35:57 +02:00
|
|
|
#if defined(MBEDTLS_CIPHER_HAVE_SOME_AEAD_VIA_LEGACY_OR_USE_PSA) || defined(MBEDTLS_NIST_KW_C)
|
2020-11-26 10:22:50 +01:00
|
|
|
#define MBEDTLS_CIPHER_AUTH_CRYPT
|
|
|
|
|
#endif
|
|
|
|
|
|
Constant-flow AES-CBC multipart decrypt tests
The main goal is to validate that unpadding is constant-time, including
error reporting.
Use a separate test function, not annotations in the existing function, so
that the functional tests can run on any platform, and we know from test
outcomes where we have run the constant-time tests.
The tests can only be actually constant-time if AES is constant time, since
AES computations are part of what is checked. Thus this requires
hardware-accelerated AES. We can't run our AESNI (or AESCE?) code under
Msan (it doesn't detect when memory is written from assembly code), so these
tests can only be run with Valgrind.
Same test data as the newly introduced functional tests.
#!/usr/bin/env python3
from Crypto.Cipher import AES
KEYS = {
128: bytes.fromhex("ffffffffe00000000000000000000000"),
192: bytes.fromhex("000000000000000000000000000000000000000000000000"),
256: bytes.fromhex("0000000000000000000000000000000000000000000000000000000000000000"),
}
IV = bytes.fromhex("00000000000000000000000000000000")
def decrypt_test_vec(cf, bits, mode, padded_hex, padding_length, note=''):
depends = ['MBEDTLS_AES_C', 'MBEDTLS_CIPHER_MODE_CBC']
plaintext = bytes.fromhex(padded_hex)
plaintext_length = len(plaintext)
if bits != 128:
depends.append('!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH')
key = KEYS[bits]
iv = IV
result = '0'
if mode == 'NONE':
padding_description = 'no padding'
assert padding_length == 0
else:
depends.append('MBEDTLS_CIPHER_PADDING_' + mode)
padding_description = mode
if padding_length is None:
result = 'MBEDTLS_ERR_CIPHER_INVALID_PADDING'
plaintext_length = 0
else:
plaintext_length -= padding_length
cipher = AES.new(key, AES.MODE_CBC, iv=iv)
ciphertext = cipher.encrypt(plaintext)
function = 'decrypt_test_vec'
cf_maybe = ''
if cf:
function += '_cf'
cf_maybe = 'CF '
depends.append('HAVE_CONSTANT_TIME_AES')
if note:
note = f' ({note})'
print(f'''\
{cf_maybe}AES-{bits}-CBC Decrypt test vector, {padding_description}{note}
depends_on:{':'.join(depends)}
{function}:MBEDTLS_CIPHER_AES_{bits}_CBC:MBEDTLS_PADDING_{mode}:"{key.hex()}":"{iv.hex()}":"{ciphertext.hex()}":"{plaintext[:plaintext_length].hex()}":"":"":{result}:0
''')
def emit_tests(cf):
# Already existing tests
decrypt_test_vec(cf, 128, 'NONE', "00000000000000000000000000000000", 0)
decrypt_test_vec(cf, 192, 'NONE', "fffffffff80000000000000000000000", 0)
decrypt_test_vec(cf, 256, 'NONE', "ff000000000000000000000000000000", 0)
# New tests
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 128, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 192, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 256, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 128, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 192, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 256, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 128, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 192, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 256, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 128, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
decrypt_test_vec(cf, 192, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
decrypt_test_vec(cf, 256, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
emit_tests(True)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-07-27 18:03:26 +02:00
|
|
|
/* Our software AES implementation is not constant-time. For constant-time
|
|
|
|
|
* testing involving AES, require a hardware-assisted AES that is
|
|
|
|
|
* constant-time.
|
|
|
|
|
*
|
|
|
|
|
* We assume that if the hardware-assisted version is available in the build,
|
|
|
|
|
* it will be available at runtime. The AES tests will fail if run on a
|
|
|
|
|
* processor without AESNI/AESCE.
|
|
|
|
|
*/
|
|
|
|
|
#include "aesce.h"
|
|
|
|
|
#include "aesni.h"
|
|
|
|
|
#if defined(MBEDTLS_AESCE_HAVE_CODE) || defined(MBEDTLS_AESNI_HAVE_CODE)
|
|
|
|
|
#define HAVE_CONSTANT_TIME_AES
|
|
|
|
|
#endif
|
|
|
|
|
|
2021-07-19 16:32:54 +02:00
|
|
|
/* Check the internal consistency of a cipher info structure, and
|
|
|
|
|
* check it against mbedtls_cipher_info_from_xxx(). */
|
2023-01-11 14:50:10 +01:00
|
|
|
static int check_cipher_info(mbedtls_cipher_type_t type,
|
|
|
|
|
const mbedtls_cipher_info_t *info)
|
2021-07-19 16:32:54 +02:00
|
|
|
{
|
2021-11-28 14:02:36 +01:00
|
|
|
size_t key_bitlen, block_size, iv_size;
|
2021-07-19 16:32:54 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(info != NULL);
|
|
|
|
|
TEST_EQUAL(type, mbedtls_cipher_info_get_type(info));
|
|
|
|
|
TEST_EQUAL(type, info->type);
|
|
|
|
|
TEST_ASSERT(mbedtls_cipher_info_from_type(type) == info);
|
2021-07-19 16:32:54 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_EQUAL(info->mode, mbedtls_cipher_info_get_mode(info));
|
2021-07-19 16:32:54 +02:00
|
|
|
|
|
|
|
|
/* Insist that get_name() return the string from the structure and
|
|
|
|
|
* not a copy. A copy would have an unknown storage duration. */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_info_get_name(info) == info->name);
|
|
|
|
|
TEST_ASSERT(mbedtls_cipher_info_from_string(info->name) == info);
|
|
|
|
|
|
|
|
|
|
key_bitlen = mbedtls_cipher_info_get_key_bitlen(info);
|
|
|
|
|
block_size = mbedtls_cipher_info_get_block_size(info);
|
|
|
|
|
iv_size = mbedtls_cipher_info_get_iv_size(info);
|
|
|
|
|
if (info->type == MBEDTLS_CIPHER_NULL) {
|
|
|
|
|
TEST_ASSERT(key_bitlen == 0);
|
|
|
|
|
TEST_ASSERT(block_size == 1);
|
|
|
|
|
TEST_ASSERT(iv_size == 0);
|
|
|
|
|
} else if (info->mode == MBEDTLS_MODE_XTS) {
|
|
|
|
|
TEST_ASSERT(key_bitlen == 256 ||
|
|
|
|
|
key_bitlen == 384 ||
|
|
|
|
|
key_bitlen == 512);
|
|
|
|
|
} else if (!strncmp(info->name, "DES-EDE3-", 9)) {
|
|
|
|
|
TEST_ASSERT(key_bitlen == 192);
|
|
|
|
|
TEST_ASSERT(!mbedtls_cipher_info_has_variable_key_bitlen(info));
|
|
|
|
|
TEST_ASSERT(block_size == 8);
|
|
|
|
|
} else if (!strncmp(info->name, "DES-EDE-", 8)) {
|
|
|
|
|
TEST_ASSERT(key_bitlen == 128);
|
|
|
|
|
TEST_ASSERT(!mbedtls_cipher_info_has_variable_key_bitlen(info));
|
|
|
|
|
TEST_ASSERT(block_size == 8);
|
|
|
|
|
} else if (!strncmp(info->name, "DES-", 4)) {
|
|
|
|
|
TEST_ASSERT(key_bitlen == 64);
|
|
|
|
|
TEST_ASSERT(!mbedtls_cipher_info_has_variable_key_bitlen(info));
|
|
|
|
|
TEST_ASSERT(block_size == 8);
|
|
|
|
|
} else if (!strncmp(info->name, "AES", 3)) {
|
|
|
|
|
TEST_ASSERT(key_bitlen == 128 ||
|
|
|
|
|
key_bitlen == 192 ||
|
|
|
|
|
key_bitlen == 256);
|
|
|
|
|
TEST_ASSERT(!mbedtls_cipher_info_has_variable_key_bitlen(info));
|
|
|
|
|
TEST_ASSERT(block_size == 16);
|
|
|
|
|
} else {
|
|
|
|
|
TEST_ASSERT(key_bitlen == 128 ||
|
|
|
|
|
key_bitlen == 192 ||
|
|
|
|
|
key_bitlen == 256);
|
2021-09-01 08:31:49 +02:00
|
|
|
}
|
2023-06-14 17:34:31 +02:00
|
|
|
TEST_LE_U(key_bitlen, MBEDTLS_MAX_KEY_LENGTH * 8);
|
|
|
|
|
TEST_LE_U(block_size, MBEDTLS_MAX_BLOCK_LENGTH);
|
|
|
|
|
TEST_LE_U(iv_size, MBEDTLS_MAX_IV_LENGTH);
|
2021-07-19 16:32:54 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
if (strstr(info->name, "-ECB") != NULL) {
|
|
|
|
|
TEST_ASSERT(iv_size == 0);
|
|
|
|
|
TEST_ASSERT(!mbedtls_cipher_info_has_variable_iv_size(info));
|
|
|
|
|
} else if (strstr(info->name, "-CBC") != NULL ||
|
|
|
|
|
strstr(info->name, "-CTR") != NULL) {
|
|
|
|
|
TEST_ASSERT(iv_size == block_size);
|
|
|
|
|
TEST_ASSERT(!mbedtls_cipher_info_has_variable_iv_size(info));
|
|
|
|
|
} else if (strstr(info->name, "-GCM") != NULL) {
|
|
|
|
|
TEST_ASSERT(iv_size == block_size - 4);
|
|
|
|
|
TEST_ASSERT(mbedtls_cipher_info_has_variable_iv_size(info));
|
2021-11-09 22:38:56 +01:00
|
|
|
}
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
return 1;
|
2021-07-19 16:32:54 +02:00
|
|
|
|
|
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
return 0;
|
2021-07-19 16:32:54 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-17 11:43:34 +02:00
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_AEAD)
|
2020-11-27 09:32:55 +01:00
|
|
|
/* Helper for resetting key/direction
|
|
|
|
|
*
|
|
|
|
|
* The documentation doesn't explicitly say whether calling
|
|
|
|
|
* mbedtls_cipher_setkey() twice is allowed or not. This currently works with
|
|
|
|
|
* the default software implementation, but only by accident. It isn't
|
|
|
|
|
* guaranteed to work with new ciphers or with alternative implementations of
|
|
|
|
|
* individual ciphers, and it doesn't work with the PSA wrappers. So don't do
|
|
|
|
|
* it, and instead start with a fresh context.
|
|
|
|
|
*/
|
2023-01-11 14:50:10 +01:00
|
|
|
static int cipher_reset_key(mbedtls_cipher_context_t *ctx, int cipher_id,
|
|
|
|
|
int use_psa, size_t tag_len, const data_t *key, int direction)
|
2020-11-27 09:32:55 +01:00
|
|
|
{
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(ctx);
|
|
|
|
|
mbedtls_cipher_init(ctx);
|
2020-11-27 09:32:55 +01:00
|
|
|
|
2022-10-20 05:19:47 -04:00
|
|
|
#if !defined(MBEDTLS_USE_PSA_CRYPTO) || !defined(MBEDTLS_TEST_DEPRECATED)
|
2020-11-27 09:32:55 +01:00
|
|
|
(void) use_psa;
|
|
|
|
|
(void) tag_len;
|
|
|
|
|
#else
|
2023-01-11 14:50:10 +01:00
|
|
|
if (use_psa == 1) {
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup_psa(ctx,
|
|
|
|
|
mbedtls_cipher_info_from_type(cipher_id),
|
|
|
|
|
tag_len));
|
|
|
|
|
} else
|
2022-05-19 12:26:33 +02:00
|
|
|
#endif /* !MBEDTLS_USE_PSA_CRYPTO || !MBEDTLS_TEST_DEPRECATED */
|
2020-11-27 09:32:55 +01:00
|
|
|
{
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(ctx,
|
|
|
|
|
mbedtls_cipher_info_from_type(cipher_id)));
|
2020-11-27 09:32:55 +01:00
|
|
|
}
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(ctx, key->x, 8 * key->len,
|
|
|
|
|
direction));
|
|
|
|
|
return 1;
|
2020-12-03 21:06:15 +01:00
|
|
|
|
2020-11-27 09:32:55 +01:00
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
return 0;
|
2020-11-27 09:32:55 +01:00
|
|
|
}
|
2020-12-03 12:33:31 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check if a buffer is all-0 bytes:
|
|
|
|
|
* return 1 if it is,
|
|
|
|
|
* 0 if it isn't.
|
|
|
|
|
*/
|
2024-06-04 02:30:22 +02:00
|
|
|
static int buffer_is_all_zero(const uint8_t *buf, size_t size)
|
2020-12-03 12:33:31 +01:00
|
|
|
{
|
2023-01-11 14:50:10 +01:00
|
|
|
for (size_t i = 0; i < size; i++) {
|
|
|
|
|
if (buf[i] != 0) {
|
2020-12-03 12:33:31 +01:00
|
|
|
return 0;
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
|
|
|
|
}
|
2020-12-03 12:33:31 +01:00
|
|
|
return 1;
|
|
|
|
|
}
|
2020-11-27 09:32:55 +01:00
|
|
|
#endif /* MBEDTLS_CIPHER_AUTH_CRYPT */
|
|
|
|
|
|
2013-08-20 11:48:36 +02:00
|
|
|
/* END_HEADER */
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2013-08-20 11:48:36 +02:00
|
|
|
/* BEGIN_DEPENDENCIES
|
2015-04-08 12:49:31 +02:00
|
|
|
* depends_on:MBEDTLS_CIPHER_C
|
2013-08-20 11:48:36 +02:00
|
|
|
* END_DEPENDENCIES
|
|
|
|
|
*/
|
2011-05-26 13:16:06 +00:00
|
|
|
|
2014-03-29 16:10:55 +01:00
|
|
|
/* BEGIN_CASE */
|
2023-01-11 14:50:10 +01:00
|
|
|
void mbedtls_cipher_list()
|
2014-03-29 16:10:55 +01:00
|
|
|
{
|
|
|
|
|
const int *cipher_type;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
for (cipher_type = mbedtls_cipher_list(); *cipher_type != 0; cipher_type++) {
|
2021-07-19 16:32:54 +02:00
|
|
|
const mbedtls_cipher_info_t *info =
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_info_from_type(*cipher_type);
|
|
|
|
|
mbedtls_test_set_step(*cipher_type);
|
|
|
|
|
if (!check_cipher_info(*cipher_type, info)) {
|
2021-07-19 16:32:54 +02:00
|
|
|
goto exit;
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
2021-07-19 16:32:54 +02:00
|
|
|
}
|
2014-03-29 16:10:55 +01:00
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
2014-06-13 16:08:07 +02:00
|
|
|
/* BEGIN_CASE */
|
2023-01-11 14:50:10 +01:00
|
|
|
void cipher_invalid_param_unconditional()
|
2014-06-13 16:08:07 +02:00
|
|
|
{
|
2019-01-31 08:20:20 -05:00
|
|
|
mbedtls_cipher_context_t valid_ctx;
|
|
|
|
|
mbedtls_cipher_context_t invalid_ctx;
|
|
|
|
|
mbedtls_operation_t valid_operation = MBEDTLS_ENCRYPT;
|
|
|
|
|
mbedtls_cipher_padding_t valid_mode = MBEDTLS_PADDING_ZEROS;
|
|
|
|
|
unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
|
|
|
|
|
int valid_size = sizeof(valid_buffer);
|
|
|
|
|
int valid_bitlen = valid_size * 8;
|
2023-10-04 12:09:06 +02:00
|
|
|
const int *cipher_list = mbedtls_cipher_list();
|
|
|
|
|
const mbedtls_cipher_info_t *valid_info;
|
2019-01-31 08:20:20 -05:00
|
|
|
size_t size_t_var;
|
2014-06-13 16:08:07 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
(void) valid_mode; /* In some configurations this is unused */
|
2019-01-31 08:20:20 -05:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&valid_ctx);
|
|
|
|
|
mbedtls_cipher_init(&invalid_ctx);
|
2019-01-31 08:20:20 -05:00
|
|
|
|
2023-10-04 12:09:06 +02:00
|
|
|
/* Ensure that there is at least 1 supported cipher, otherwise exit gracefully */
|
2023-10-19 10:51:03 +02:00
|
|
|
TEST_ASSUME(*cipher_list != 0);
|
2023-10-04 12:09:06 +02:00
|
|
|
valid_info = mbedtls_cipher_info_from_type(*cipher_list);
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_setup(&valid_ctx, valid_info) == 0);
|
2021-12-10 14:28:31 +01:00
|
|
|
|
2019-01-31 08:20:20 -05:00
|
|
|
/* mbedtls_cipher_setup() */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_setup(&valid_ctx, NULL) ==
|
|
|
|
|
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2019-01-31 08:20:20 -05:00
|
|
|
|
|
|
|
|
/* mbedtls_cipher_get_block_size() */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_get_block_size(&invalid_ctx) == 0);
|
2014-06-13 16:08:07 +02:00
|
|
|
|
2019-01-31 08:20:20 -05:00
|
|
|
/* mbedtls_cipher_get_cipher_mode() */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_get_cipher_mode(&invalid_ctx) ==
|
|
|
|
|
MBEDTLS_MODE_NONE);
|
2014-06-13 16:08:07 +02:00
|
|
|
|
2019-01-31 08:20:20 -05:00
|
|
|
/* mbedtls_cipher_get_iv_size() */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_get_iv_size(&invalid_ctx) == 0);
|
2014-06-13 16:08:07 +02:00
|
|
|
|
2019-01-31 08:20:20 -05:00
|
|
|
/* mbedtls_cipher_get_type() */
|
|
|
|
|
TEST_ASSERT(
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_get_type(&invalid_ctx) ==
|
2019-01-31 08:20:20 -05:00
|
|
|
MBEDTLS_CIPHER_NONE);
|
2014-06-13 16:08:07 +02:00
|
|
|
|
2019-01-31 08:20:20 -05:00
|
|
|
/* mbedtls_cipher_get_name() */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_get_name(&invalid_ctx) == 0);
|
2014-06-13 16:08:07 +02:00
|
|
|
|
2019-01-31 08:20:20 -05:00
|
|
|
/* mbedtls_cipher_get_key_bitlen() */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_get_key_bitlen(&invalid_ctx) ==
|
|
|
|
|
MBEDTLS_KEY_LENGTH_NONE);
|
2014-06-13 16:08:07 +02:00
|
|
|
|
2019-01-31 08:20:20 -05:00
|
|
|
/* mbedtls_cipher_get_operation() */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_get_operation(&invalid_ctx) ==
|
|
|
|
|
MBEDTLS_OPERATION_NONE);
|
2014-06-13 16:08:07 +02:00
|
|
|
|
2019-01-31 08:20:20 -05:00
|
|
|
/* mbedtls_cipher_setkey() */
|
|
|
|
|
TEST_ASSERT(
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_setkey(&invalid_ctx,
|
|
|
|
|
valid_buffer,
|
|
|
|
|
valid_bitlen,
|
|
|
|
|
valid_operation) ==
|
|
|
|
|
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2014-06-13 16:08:07 +02:00
|
|
|
|
2019-01-31 08:20:20 -05:00
|
|
|
/* mbedtls_cipher_set_iv() */
|
|
|
|
|
TEST_ASSERT(
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_set_iv(&invalid_ctx,
|
|
|
|
|
valid_buffer,
|
|
|
|
|
valid_size) ==
|
|
|
|
|
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2019-01-31 08:20:20 -05:00
|
|
|
|
|
|
|
|
/* mbedtls_cipher_reset() */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_reset(&invalid_ctx) ==
|
|
|
|
|
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2014-06-13 16:08:07 +02:00
|
|
|
|
2018-05-07 10:43:27 +02:00
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
2019-01-31 08:20:20 -05:00
|
|
|
/* mbedtls_cipher_update_ad() */
|
|
|
|
|
TEST_ASSERT(
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_update_ad(&invalid_ctx,
|
|
|
|
|
valid_buffer,
|
|
|
|
|
valid_size) ==
|
|
|
|
|
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2019-01-31 08:20:20 -05:00
|
|
|
#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */
|
|
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
|
|
|
|
/* mbedtls_cipher_set_padding_mode() */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_set_padding_mode(&invalid_ctx, valid_mode) ==
|
|
|
|
|
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2014-06-13 16:08:07 +02:00
|
|
|
#endif
|
|
|
|
|
|
2019-01-31 08:20:20 -05:00
|
|
|
/* mbedtls_cipher_update() */
|
|
|
|
|
TEST_ASSERT(
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_update(&invalid_ctx,
|
|
|
|
|
valid_buffer,
|
|
|
|
|
valid_size,
|
|
|
|
|
valid_buffer,
|
|
|
|
|
&size_t_var) ==
|
|
|
|
|
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2019-01-31 08:20:20 -05:00
|
|
|
|
|
|
|
|
/* mbedtls_cipher_finish() */
|
|
|
|
|
TEST_ASSERT(
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_finish(&invalid_ctx,
|
|
|
|
|
valid_buffer,
|
|
|
|
|
&size_t_var) ==
|
|
|
|
|
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2019-01-31 08:20:20 -05:00
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
|
|
|
|
/* mbedtls_cipher_write_tag() */
|
|
|
|
|
TEST_ASSERT(
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_write_tag(&invalid_ctx,
|
|
|
|
|
valid_buffer,
|
|
|
|
|
valid_size) ==
|
|
|
|
|
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2019-01-31 08:20:20 -05:00
|
|
|
|
|
|
|
|
/* mbedtls_cipher_check_tag() */
|
|
|
|
|
TEST_ASSERT(
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_check_tag(&invalid_ctx,
|
|
|
|
|
valid_buffer,
|
|
|
|
|
valid_size) ==
|
|
|
|
|
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2019-01-31 08:20:20 -05:00
|
|
|
#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */
|
|
|
|
|
|
|
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&invalid_ctx);
|
|
|
|
|
mbedtls_cipher_free(&valid_ctx);
|
2019-01-31 08:20:20 -05:00
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
2022-07-29 14:45:55 +01:00
|
|
|
/* BEGIN_CASE */
|
2023-01-11 14:50:10 +01:00
|
|
|
void cipher_invalid_param_conditional()
|
2019-01-31 08:20:20 -05:00
|
|
|
{
|
|
|
|
|
mbedtls_cipher_context_t valid_ctx;
|
|
|
|
|
|
|
|
|
|
mbedtls_operation_t invalid_operation = 100;
|
|
|
|
|
unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
|
|
|
|
|
int valid_size = sizeof(valid_buffer);
|
|
|
|
|
int valid_bitlen = valid_size * 8;
|
|
|
|
|
|
2021-05-21 08:50:00 +02:00
|
|
|
TEST_EQUAL(
|
2019-01-31 08:20:20 -05:00
|
|
|
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_setkey(&valid_ctx,
|
|
|
|
|
valid_buffer,
|
|
|
|
|
valid_bitlen,
|
|
|
|
|
invalid_operation));
|
2019-01-31 08:20:20 -05:00
|
|
|
|
|
|
|
|
exit:
|
2021-05-27 13:52:59 +02:00
|
|
|
;
|
2014-06-13 16:08:07 +02:00
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
2016-07-14 13:46:10 +01:00
|
|
|
/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
|
2023-01-11 14:50:10 +01:00
|
|
|
void cipher_special_behaviours()
|
2016-07-14 13:46:10 +01:00
|
|
|
{
|
|
|
|
|
const mbedtls_cipher_info_t *cipher_info;
|
|
|
|
|
mbedtls_cipher_context_t ctx;
|
|
|
|
|
unsigned char input[32];
|
|
|
|
|
unsigned char output[32];
|
2023-01-11 14:50:10 +01:00
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
2016-07-14 13:46:10 +01:00
|
|
|
unsigned char iv[32];
|
2017-09-26 12:08:54 +03:00
|
|
|
#endif
|
2016-07-14 13:46:10 +01:00
|
|
|
size_t olen = 0;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx);
|
|
|
|
|
memset(input, 0, sizeof(input));
|
|
|
|
|
memset(output, 0, sizeof(output));
|
2017-10-01 17:04:54 +03:00
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(iv, 0, sizeof(iv));
|
2016-07-14 13:46:10 +01:00
|
|
|
|
|
|
|
|
/* Check and get info structures */
|
2023-01-11 14:50:10 +01:00
|
|
|
cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_CBC);
|
|
|
|
|
TEST_ASSERT(NULL != cipher_info);
|
2016-07-14 13:46:10 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx, cipher_info));
|
2016-07-14 13:46:10 +01:00
|
|
|
|
|
|
|
|
/* IV too big */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_set_iv(&ctx, iv, MBEDTLS_MAX_IV_LENGTH + 1)
|
|
|
|
|
== MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
|
2016-07-14 13:46:10 +01:00
|
|
|
|
|
|
|
|
/* IV too small */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_set_iv(&ctx, iv, 0)
|
|
|
|
|
== MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2016-07-14 13:46:10 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&ctx);
|
|
|
|
|
mbedtls_cipher_init(&ctx);
|
2017-09-26 12:08:54 +03:00
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
2023-01-11 14:50:10 +01:00
|
|
|
cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
|
|
|
|
|
TEST_ASSERT(NULL != cipher_info);
|
2017-09-25 17:03:12 +03:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx, cipher_info));
|
2017-09-25 17:03:12 +03:00
|
|
|
|
2016-07-14 13:46:10 +01:00
|
|
|
/* Update ECB with partial block */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(mbedtls_cipher_update(&ctx, input, 1, output, &olen)
|
|
|
|
|
== MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED);
|
2016-07-14 13:46:10 +01:00
|
|
|
|
|
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&ctx);
|
2016-07-14 13:46:10 +01:00
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
2013-08-20 11:48:36 +02:00
|
|
|
/* BEGIN_CASE */
|
2023-01-11 14:50:10 +01:00
|
|
|
void enc_dec_buf(int cipher_id, char *cipher_string, int key_len,
|
|
|
|
|
int length_val, int pad_mode)
|
2013-08-16 13:38:47 +02:00
|
|
|
{
|
2021-10-27 16:27:44 +02:00
|
|
|
size_t length = length_val, outlen, total_len, i, block_size, iv_len;
|
2018-06-08 11:03:16 +01:00
|
|
|
unsigned char key[64];
|
2011-01-06 15:37:30 +00:00
|
|
|
unsigned char iv[16];
|
2013-08-31 17:31:03 +02:00
|
|
|
unsigned char ad[13];
|
|
|
|
|
unsigned char tag[16];
|
2011-01-06 15:37:30 +00:00
|
|
|
unsigned char inbuf[64];
|
|
|
|
|
unsigned char encbuf[64];
|
|
|
|
|
unsigned char decbuf[64];
|
|
|
|
|
|
2015-04-08 12:49:31 +02:00
|
|
|
const mbedtls_cipher_info_t *cipher_info;
|
|
|
|
|
mbedtls_cipher_context_t ctx_dec;
|
|
|
|
|
mbedtls_cipher_context_t ctx_enc;
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2013-09-05 10:30:32 +02:00
|
|
|
/*
|
|
|
|
|
* Prepare contexts
|
|
|
|
|
*/
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx_dec);
|
|
|
|
|
mbedtls_cipher_init(&ctx_enc);
|
2013-09-05 10:30:32 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(key, 0x2a, sizeof(key));
|
2011-01-06 15:37:30 +00:00
|
|
|
|
|
|
|
|
/* Check and get info structures */
|
2023-01-11 14:50:10 +01:00
|
|
|
cipher_info = mbedtls_cipher_info_from_type(cipher_id);
|
|
|
|
|
TEST_ASSERT(NULL != cipher_info);
|
|
|
|
|
TEST_ASSERT(mbedtls_cipher_info_from_string(cipher_string) == cipher_info);
|
|
|
|
|
TEST_ASSERT(strcmp(mbedtls_cipher_info_get_name(cipher_info),
|
|
|
|
|
cipher_string) == 0);
|
2011-01-06 15:37:30 +00:00
|
|
|
|
|
|
|
|
/* Initialise enc and dec contexts */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_dec, cipher_info));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_enc, cipher_info));
|
2013-09-05 10:30:32 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx_dec, key, key_len, MBEDTLS_DECRYPT));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx_enc, key, key_len, MBEDTLS_ENCRYPT));
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2015-04-08 12:49:31 +02:00
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
2023-01-11 14:50:10 +01:00
|
|
|
if (-1 != pad_mode) {
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx_dec, pad_mode));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx_enc, pad_mode));
|
2013-07-26 13:20:42 +02:00
|
|
|
}
|
2013-09-13 14:41:45 +02:00
|
|
|
#else
|
|
|
|
|
(void) pad_mode;
|
2015-04-08 12:49:31 +02:00
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
2013-07-26 13:20:42 +02:00
|
|
|
|
2013-09-05 10:30:32 +02:00
|
|
|
/*
|
|
|
|
|
* Do a few encode/decode cycles
|
|
|
|
|
*/
|
2023-01-11 14:50:10 +01:00
|
|
|
for (i = 0; i < 3; i++) {
|
|
|
|
|
memset(iv, 0x00 + i, sizeof(iv));
|
|
|
|
|
memset(ad, 0x10 + i, sizeof(ad));
|
|
|
|
|
memset(inbuf, 0x20 + i, sizeof(inbuf));
|
|
|
|
|
|
|
|
|
|
memset(encbuf, 0, sizeof(encbuf));
|
|
|
|
|
memset(decbuf, 0, sizeof(decbuf));
|
|
|
|
|
memset(tag, 0, sizeof(tag));
|
|
|
|
|
|
|
|
|
|
if (NULL != strstr(cipher_info->name, "CCM*-NO-TAG")) {
|
|
|
|
|
iv_len = 13; /* For CCM, IV length is expected to be between 7 and 13 bytes.
|
|
|
|
|
* For CCM*-NO-TAG, IV length must be exactly 13 bytes long. */
|
|
|
|
|
} else if (cipher_info->type == MBEDTLS_CIPHER_CHACHA20 ||
|
|
|
|
|
cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
|
|
|
|
|
iv_len = 12;
|
|
|
|
|
} else {
|
|
|
|
|
iv_len = sizeof(iv);
|
|
|
|
|
}
|
2021-10-27 16:27:44 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx_dec, iv, iv_len));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx_enc, iv, iv_len));
|
2013-09-03 13:04:44 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx_dec));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx_enc));
|
2013-09-03 13:54:12 +02:00
|
|
|
|
2018-05-07 10:43:27 +02:00
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
2023-01-11 14:50:10 +01:00
|
|
|
int expected = (cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
|
|
|
|
0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
2022-09-30 17:13:35 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_update_ad(&ctx_dec, ad, sizeof(ad) - i));
|
|
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_update_ad(&ctx_enc, ad, sizeof(ad) - i));
|
2014-06-24 15:26:28 +02:00
|
|
|
#endif
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
block_size = mbedtls_cipher_get_block_size(&ctx_enc);
|
|
|
|
|
TEST_ASSERT(block_size != 0);
|
2015-06-24 01:08:09 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
/* encode length number of bytes from inbuf */
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_update(&ctx_enc, inbuf, length, encbuf, &outlen));
|
|
|
|
|
total_len = outlen;
|
2013-07-25 15:26:54 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(total_len == length ||
|
|
|
|
|
(total_len % block_size == 0 &&
|
|
|
|
|
total_len < length &&
|
|
|
|
|
total_len + block_size > length));
|
2011-06-09 14:27:58 +00:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_finish(&ctx_enc, encbuf + outlen, &outlen));
|
|
|
|
|
total_len += outlen;
|
2011-06-09 14:27:58 +00:00
|
|
|
|
2018-05-07 10:43:27 +02:00
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_write_tag(&ctx_enc, tag, sizeof(tag)));
|
2014-06-24 15:26:28 +02:00
|
|
|
#endif
|
2013-09-03 16:19:22 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(total_len == length ||
|
|
|
|
|
(total_len % block_size == 0 &&
|
|
|
|
|
total_len > length &&
|
|
|
|
|
total_len <= length + block_size));
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
/* decode the previously encoded string */
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_update(&ctx_dec, encbuf, total_len, decbuf, &outlen));
|
|
|
|
|
total_len = outlen;
|
2013-07-25 15:26:54 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(total_len == length ||
|
|
|
|
|
(total_len % block_size == 0 &&
|
|
|
|
|
total_len < length &&
|
|
|
|
|
total_len + block_size >= length));
|
2011-06-09 14:27:58 +00:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_finish(&ctx_dec, decbuf + outlen, &outlen));
|
|
|
|
|
total_len += outlen;
|
2011-06-09 14:27:58 +00:00
|
|
|
|
2018-05-07 10:43:27 +02:00
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_check_tag(&ctx_dec, tag, sizeof(tag)));
|
2014-06-24 15:26:28 +02:00
|
|
|
#endif
|
2013-09-03 16:19:22 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
/* check result */
|
|
|
|
|
TEST_ASSERT(total_len == length);
|
|
|
|
|
TEST_ASSERT(0 == memcmp(inbuf, decbuf, length));
|
2013-09-05 10:30:32 +02:00
|
|
|
}
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2013-09-05 10:30:32 +02:00
|
|
|
/*
|
|
|
|
|
* Done
|
|
|
|
|
*/
|
2014-07-10 15:26:12 +02:00
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&ctx_dec);
|
|
|
|
|
mbedtls_cipher_free(&ctx_enc);
|
2013-08-16 13:38:47 +02:00
|
|
|
}
|
2013-08-20 11:48:36 +02:00
|
|
|
/* END_CASE */
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2013-08-20 11:48:36 +02:00
|
|
|
/* BEGIN_CASE */
|
2023-01-11 14:50:10 +01:00
|
|
|
void enc_fail(int cipher_id, int pad_mode, int key_len, int length_val,
|
|
|
|
|
int ret)
|
2013-08-16 13:38:47 +02:00
|
|
|
{
|
2013-08-20 11:48:36 +02:00
|
|
|
size_t length = length_val;
|
2013-07-26 16:50:44 +02:00
|
|
|
unsigned char key[32];
|
|
|
|
|
unsigned char iv[16];
|
|
|
|
|
|
2015-04-08 12:49:31 +02:00
|
|
|
const mbedtls_cipher_info_t *cipher_info;
|
|
|
|
|
mbedtls_cipher_context_t ctx;
|
2013-07-26 16:50:44 +02:00
|
|
|
|
|
|
|
|
unsigned char inbuf[64];
|
|
|
|
|
unsigned char encbuf[64];
|
|
|
|
|
|
|
|
|
|
size_t outlen = 0;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(key, 0, 32);
|
|
|
|
|
memset(iv, 0, 16);
|
2013-07-26 16:50:44 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx);
|
2013-07-26 16:50:44 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(inbuf, 5, 64);
|
|
|
|
|
memset(encbuf, 0, 64);
|
2013-07-26 16:50:44 +02:00
|
|
|
|
|
|
|
|
/* Check and get info structures */
|
2023-01-11 14:50:10 +01:00
|
|
|
cipher_info = mbedtls_cipher_info_from_type(cipher_id);
|
|
|
|
|
TEST_ASSERT(NULL != cipher_info);
|
2013-07-26 16:50:44 +02:00
|
|
|
|
|
|
|
|
/* Initialise context */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx, cipher_info));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key, key_len, MBEDTLS_ENCRYPT));
|
2015-04-08 12:49:31 +02:00
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
|
2013-09-13 14:41:45 +02:00
|
|
|
#else
|
|
|
|
|
(void) pad_mode;
|
2015-04-08 12:49:31 +02:00
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx, iv, 16));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx));
|
2018-05-07 10:43:27 +02:00
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
2023-01-11 14:50:10 +01:00
|
|
|
int expected = (cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
2022-09-30 17:13:35 +01:00
|
|
|
0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_update_ad(&ctx, NULL, 0));
|
2014-06-24 15:26:28 +02:00
|
|
|
#endif
|
2013-07-26 16:50:44 +02:00
|
|
|
|
|
|
|
|
/* encode length number of bytes from inbuf */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_update(&ctx, inbuf, length, encbuf, &outlen));
|
|
|
|
|
TEST_ASSERT(ret == mbedtls_cipher_finish(&ctx, encbuf + outlen, &outlen));
|
2024-05-01 11:47:12 -05:00
|
|
|
if (0 != ret) {
|
|
|
|
|
/* Check output parameter is set to the least-harmful value on error */
|
|
|
|
|
TEST_ASSERT(0 == outlen);
|
|
|
|
|
}
|
2013-07-26 16:50:44 +02:00
|
|
|
|
|
|
|
|
/* done */
|
2014-07-10 15:26:12 +02:00
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&ctx);
|
2013-08-16 13:38:47 +02:00
|
|
|
}
|
2013-08-20 11:48:36 +02:00
|
|
|
/* END_CASE */
|
2013-07-26 16:50:44 +02:00
|
|
|
|
2013-08-20 11:48:36 +02:00
|
|
|
/* BEGIN_CASE */
|
2023-01-11 14:50:10 +01:00
|
|
|
void dec_empty_buf(int cipher,
|
|
|
|
|
int expected_update_ret,
|
|
|
|
|
int expected_finish_ret)
|
2013-08-16 13:38:47 +02:00
|
|
|
{
|
2011-01-06 15:37:30 +00:00
|
|
|
unsigned char key[32];
|
2022-01-14 16:31:39 +01:00
|
|
|
|
|
|
|
|
unsigned char *iv = NULL;
|
|
|
|
|
size_t iv_len = 16;
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2015-04-08 12:49:31 +02:00
|
|
|
mbedtls_cipher_context_t ctx_dec;
|
|
|
|
|
const mbedtls_cipher_info_t *cipher_info;
|
2011-01-06 15:37:30 +00:00
|
|
|
|
|
|
|
|
unsigned char encbuf[64];
|
|
|
|
|
unsigned char decbuf[64];
|
|
|
|
|
|
2011-04-24 15:53:29 +00:00
|
|
|
size_t outlen = 0;
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(key, 0, 32);
|
2014-07-01 15:45:49 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx_dec);
|
2014-07-01 15:45:49 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(encbuf, 0, 64);
|
|
|
|
|
memset(decbuf, 0, 64);
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2013-09-03 13:04:44 +02:00
|
|
|
/* Initialise context */
|
2023-01-11 14:50:10 +01:00
|
|
|
cipher_info = mbedtls_cipher_info_from_type(cipher);
|
|
|
|
|
TEST_ASSERT(NULL != cipher_info);
|
2021-12-01 22:19:33 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
if (cipher_info->type == MBEDTLS_CIPHER_CHACHA20 ||
|
|
|
|
|
cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
|
2021-12-01 22:19:33 +01:00
|
|
|
iv_len = 12;
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
2021-12-01 22:19:33 +01:00
|
|
|
|
2023-07-21 11:31:13 +01:00
|
|
|
TEST_CALLOC(iv, iv_len);
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(iv, 0, iv_len);
|
2022-01-14 16:31:39 +01:00
|
|
|
|
2023-06-24 11:03:04 +01:00
|
|
|
TEST_ASSERT(sizeof(key) * 8 >= mbedtls_cipher_info_get_key_bitlen(cipher_info));
|
2014-07-01 15:45:49 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_dec, cipher_info));
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx_dec,
|
2023-06-24 11:03:04 +01:00
|
|
|
key, mbedtls_cipher_info_get_key_bitlen(cipher_info),
|
2023-01-11 14:50:10 +01:00
|
|
|
MBEDTLS_DECRYPT));
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx_dec, iv, iv_len));
|
2013-09-03 13:04:44 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx_dec));
|
2013-09-03 13:54:12 +02:00
|
|
|
|
2023-09-21 14:04:35 +01:00
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) && defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
2023-09-07 17:54:46 +01:00
|
|
|
if (ctx_dec.cipher_info->mode == MBEDTLS_MODE_CBC) {
|
2023-09-18 17:41:25 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx_dec,
|
|
|
|
|
MBEDTLS_PADDING_PKCS7));
|
2023-09-07 17:54:46 +01:00
|
|
|
}
|
2023-09-21 14:04:35 +01:00
|
|
|
#endif
|
2023-09-07 17:54:46 +01:00
|
|
|
|
2018-05-07 10:43:27 +02:00
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
2023-01-11 14:50:10 +01:00
|
|
|
int expected = (cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
2022-09-30 17:13:35 +01:00
|
|
|
0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_update_ad(&ctx_dec, NULL, 0));
|
2014-06-24 15:26:28 +02:00
|
|
|
#endif
|
2011-01-06 15:37:30 +00:00
|
|
|
|
|
|
|
|
/* decode 0-byte string */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(expected_update_ret ==
|
|
|
|
|
mbedtls_cipher_update(&ctx_dec, encbuf, 0, decbuf, &outlen));
|
|
|
|
|
TEST_ASSERT(0 == outlen);
|
2019-06-05 15:35:08 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
if (expected_finish_ret == 0 &&
|
|
|
|
|
(cipher_info->mode == MBEDTLS_MODE_CBC ||
|
|
|
|
|
cipher_info->mode == MBEDTLS_MODE_ECB)) {
|
2019-06-05 15:35:08 +01:00
|
|
|
/* Non-CBC and non-ECB ciphers are OK with decrypting empty buffers and
|
|
|
|
|
* return success, not MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED, when
|
2019-07-29 17:46:29 +02:00
|
|
|
* decrypting an empty buffer.
|
|
|
|
|
* On the other hand, CBC and ECB ciphers need a full block of input.
|
|
|
|
|
*/
|
|
|
|
|
expected_finish_ret = MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
|
2019-06-05 15:35:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(expected_finish_ret == mbedtls_cipher_finish(
|
|
|
|
|
&ctx_dec, decbuf + outlen, &outlen));
|
|
|
|
|
TEST_ASSERT(0 == outlen);
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2014-07-10 15:26:12 +02:00
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_free(iv);
|
|
|
|
|
mbedtls_cipher_free(&ctx_dec);
|
2013-08-16 13:38:47 +02:00
|
|
|
}
|
2013-08-20 11:48:36 +02:00
|
|
|
/* END_CASE */
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2013-08-20 11:48:36 +02:00
|
|
|
/* BEGIN_CASE */
|
2023-01-11 14:50:10 +01:00
|
|
|
void enc_dec_buf_multipart(int cipher_id, int key_len, int first_length_val,
|
|
|
|
|
int second_length_val, int pad_mode,
|
|
|
|
|
int first_encrypt_output_len, int second_encrypt_output_len,
|
|
|
|
|
int first_decrypt_output_len, int second_decrypt_output_len)
|
2013-08-16 13:38:47 +02:00
|
|
|
{
|
2013-08-20 11:48:36 +02:00
|
|
|
size_t first_length = first_length_val;
|
|
|
|
|
size_t second_length = second_length_val;
|
2011-04-24 08:57:21 +00:00
|
|
|
size_t length = first_length + second_length;
|
2015-06-24 01:08:09 +02:00
|
|
|
size_t block_size;
|
2021-10-27 16:27:44 +02:00
|
|
|
size_t iv_len;
|
2011-01-06 15:37:30 +00:00
|
|
|
unsigned char key[32];
|
|
|
|
|
unsigned char iv[16];
|
|
|
|
|
|
2015-04-08 12:49:31 +02:00
|
|
|
mbedtls_cipher_context_t ctx_dec;
|
|
|
|
|
mbedtls_cipher_context_t ctx_enc;
|
|
|
|
|
const mbedtls_cipher_info_t *cipher_info;
|
2011-01-06 15:37:30 +00:00
|
|
|
|
|
|
|
|
unsigned char inbuf[64];
|
|
|
|
|
unsigned char encbuf[64];
|
|
|
|
|
unsigned char decbuf[64];
|
|
|
|
|
|
2011-04-24 08:57:21 +00:00
|
|
|
size_t outlen = 0;
|
|
|
|
|
size_t totaloutlen = 0;
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(key, 0, 32);
|
|
|
|
|
memset(iv, 0, 16);
|
2014-07-01 15:45:49 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx_dec);
|
|
|
|
|
mbedtls_cipher_init(&ctx_enc);
|
2014-07-01 15:45:49 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(inbuf, 5, 64);
|
|
|
|
|
memset(encbuf, 0, 64);
|
|
|
|
|
memset(decbuf, 0, 64);
|
2011-01-06 15:37:30 +00:00
|
|
|
|
|
|
|
|
/* Initialise enc and dec contexts */
|
2023-01-11 14:50:10 +01:00
|
|
|
cipher_info = mbedtls_cipher_info_from_type(cipher_id);
|
|
|
|
|
TEST_ASSERT(NULL != cipher_info);
|
2014-07-01 15:45:49 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_dec, cipher_info));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_enc, cipher_info));
|
2014-07-01 15:45:49 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx_dec, key, key_len, MBEDTLS_DECRYPT));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx_enc, key, key_len, MBEDTLS_ENCRYPT));
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2018-03-27 19:16:17 -07:00
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
2023-01-11 14:50:10 +01:00
|
|
|
if (-1 != pad_mode) {
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx_dec, pad_mode));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx_enc, pad_mode));
|
2018-03-27 19:16:17 -07:00
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
(void) pad_mode;
|
|
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
if (NULL != strstr(cipher_info->name, "CCM*-NO-TAG")) {
|
2021-10-27 16:27:44 +02:00
|
|
|
iv_len = 13; /* For CCM, IV length is expected to be between 7 and 13 bytes.
|
|
|
|
|
* For CCM*-NO-TAG, IV length must be exactly 13 bytes long. */
|
2023-01-11 14:50:10 +01:00
|
|
|
} else if (cipher_info->type == MBEDTLS_CIPHER_CHACHA20 ||
|
|
|
|
|
cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
|
2021-12-01 21:58:05 +01:00
|
|
|
iv_len = 12;
|
2023-01-11 14:50:10 +01:00
|
|
|
} else {
|
2021-10-27 16:27:44 +02:00
|
|
|
iv_len = sizeof(iv);
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
2021-10-27 16:27:44 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx_dec, iv, iv_len));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx_enc, iv, iv_len));
|
2013-09-03 13:04:44 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx_dec));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx_enc));
|
2013-09-03 13:54:12 +02:00
|
|
|
|
2018-05-07 10:43:27 +02:00
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
2023-01-11 14:50:10 +01:00
|
|
|
int expected = (cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
2022-09-30 17:13:35 +01:00
|
|
|
0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_update_ad(&ctx_dec, NULL, 0));
|
|
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_update_ad(&ctx_enc, NULL, 0));
|
2014-06-24 15:26:28 +02:00
|
|
|
#endif
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
block_size = mbedtls_cipher_get_block_size(&ctx_enc);
|
|
|
|
|
TEST_ASSERT(block_size != 0);
|
2015-06-24 01:08:09 +02:00
|
|
|
|
2011-01-06 15:37:30 +00:00
|
|
|
/* encode length number of bytes from inbuf */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_update(&ctx_enc, inbuf, first_length, encbuf, &outlen));
|
|
|
|
|
TEST_ASSERT((size_t) first_encrypt_output_len == outlen);
|
2011-01-06 15:37:30 +00:00
|
|
|
totaloutlen = outlen;
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 ==
|
|
|
|
|
mbedtls_cipher_update(&ctx_enc, inbuf + first_length, second_length,
|
|
|
|
|
encbuf + totaloutlen,
|
|
|
|
|
&outlen));
|
|
|
|
|
TEST_ASSERT((size_t) second_encrypt_output_len == outlen);
|
2011-01-06 15:37:30 +00:00
|
|
|
totaloutlen += outlen;
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(totaloutlen == length ||
|
|
|
|
|
(totaloutlen % block_size == 0 &&
|
|
|
|
|
totaloutlen < length &&
|
|
|
|
|
totaloutlen + block_size > length));
|
2013-07-25 15:26:54 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_finish(&ctx_enc, encbuf + totaloutlen, &outlen));
|
2011-01-06 15:37:30 +00:00
|
|
|
totaloutlen += outlen;
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(totaloutlen == length ||
|
|
|
|
|
(totaloutlen % block_size == 0 &&
|
|
|
|
|
totaloutlen > length &&
|
|
|
|
|
totaloutlen <= length + block_size));
|
2011-01-06 15:37:30 +00:00
|
|
|
|
|
|
|
|
/* decode the previously encoded string */
|
2018-03-27 19:16:17 -07:00
|
|
|
second_length = totaloutlen - first_length;
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_update(&ctx_dec, encbuf, first_length, decbuf, &outlen));
|
|
|
|
|
TEST_ASSERT((size_t) first_decrypt_output_len == outlen);
|
2013-07-25 15:26:54 +02:00
|
|
|
totaloutlen = outlen;
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 ==
|
|
|
|
|
mbedtls_cipher_update(&ctx_dec, encbuf + first_length, second_length,
|
|
|
|
|
decbuf + totaloutlen,
|
|
|
|
|
&outlen));
|
|
|
|
|
TEST_ASSERT((size_t) second_decrypt_output_len == outlen);
|
2018-03-27 19:16:17 -07:00
|
|
|
totaloutlen += outlen;
|
2013-07-25 15:26:54 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(totaloutlen == length ||
|
|
|
|
|
(totaloutlen % block_size == 0 &&
|
|
|
|
|
totaloutlen < length &&
|
|
|
|
|
totaloutlen + block_size >= length));
|
2013-07-25 15:26:54 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_finish(&ctx_dec, decbuf + totaloutlen, &outlen));
|
2013-07-25 15:26:54 +02:00
|
|
|
totaloutlen += outlen;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(totaloutlen == length);
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == memcmp(inbuf, decbuf, length));
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2014-07-10 15:26:12 +02:00
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&ctx_dec);
|
|
|
|
|
mbedtls_cipher_free(&ctx_enc);
|
2013-08-16 13:38:47 +02:00
|
|
|
}
|
2013-08-20 11:48:36 +02:00
|
|
|
/* END_CASE */
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2013-09-03 18:31:25 +02:00
|
|
|
/* BEGIN_CASE */
|
2023-01-11 14:50:10 +01:00
|
|
|
void decrypt_test_vec(int cipher_id, int pad_mode, data_t *key,
|
|
|
|
|
data_t *iv, data_t *cipher,
|
|
|
|
|
data_t *clear, data_t *ad, data_t *tag,
|
|
|
|
|
int finish_result, int tag_result)
|
2013-09-03 18:31:25 +02:00
|
|
|
{
|
2018-05-10 12:54:32 +02:00
|
|
|
unsigned char output[265];
|
2015-04-08 12:49:31 +02:00
|
|
|
mbedtls_cipher_context_t ctx;
|
2013-09-03 18:31:25 +02:00
|
|
|
size_t outlen, total_len;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx);
|
2014-07-01 15:45:49 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(output, 0x00, sizeof(output));
|
2013-09-03 18:31:25 +02:00
|
|
|
|
2017-05-30 14:23:15 +01:00
|
|
|
#if !defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CHACHAPOLY_C)
|
2017-06-13 14:55:58 +01:00
|
|
|
((void) ad);
|
|
|
|
|
((void) tag);
|
2013-09-20 11:29:59 +02:00
|
|
|
#endif
|
2013-09-03 18:31:25 +02:00
|
|
|
|
|
|
|
|
/* Prepare context */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx,
|
|
|
|
|
mbedtls_cipher_info_from_type(cipher_id)));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key->x, 8 * key->len, MBEDTLS_DECRYPT));
|
2015-04-08 12:49:31 +02:00
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
2023-01-11 14:50:10 +01:00
|
|
|
if (pad_mode != -1) {
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
|
|
|
|
|
}
|
2013-09-13 14:41:45 +02:00
|
|
|
#else
|
|
|
|
|
(void) pad_mode;
|
2015-04-08 12:49:31 +02:00
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx, iv->x, iv->len));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx));
|
2018-05-07 10:43:27 +02:00
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
2023-01-11 14:50:10 +01:00
|
|
|
int expected = (ctx.cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
2022-09-30 17:13:35 +01:00
|
|
|
0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_update_ad(&ctx, ad->x, ad->len));
|
2014-06-24 15:26:28 +02:00
|
|
|
#endif
|
2013-09-03 18:31:25 +02:00
|
|
|
|
2017-06-09 04:32:58 +01:00
|
|
|
/* decode buffer and check tag->x */
|
2013-09-03 18:31:25 +02:00
|
|
|
total_len = 0;
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_update(&ctx, cipher->x, cipher->len, output, &outlen));
|
2013-09-03 18:31:25 +02:00
|
|
|
total_len += outlen;
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(finish_result == mbedtls_cipher_finish(&ctx, output + outlen,
|
|
|
|
|
&outlen));
|
2024-05-01 11:47:12 -05:00
|
|
|
if (0 != finish_result) {
|
|
|
|
|
/* Check output parameter is set to the least-harmful value on error */
|
|
|
|
|
TEST_ASSERT(0 == outlen);
|
|
|
|
|
}
|
2013-09-03 18:31:25 +02:00
|
|
|
total_len += outlen;
|
2018-05-07 10:43:27 +02:00
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
2023-01-11 14:50:10 +01:00
|
|
|
int tag_expected = (ctx.cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
2022-09-30 17:13:35 +01:00
|
|
|
tag_result : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_EQUAL(tag_expected, mbedtls_cipher_check_tag(&ctx, tag->x, tag->len));
|
2014-06-24 15:26:28 +02:00
|
|
|
#endif
|
2013-09-03 18:31:25 +02:00
|
|
|
|
|
|
|
|
/* check plaintext only if everything went fine */
|
2023-01-11 14:50:10 +01:00
|
|
|
if (0 == finish_result && 0 == tag_result) {
|
|
|
|
|
TEST_ASSERT(total_len == clear->len);
|
|
|
|
|
TEST_ASSERT(0 == memcmp(output, clear->x, clear->len));
|
2013-09-03 18:31:25 +02:00
|
|
|
}
|
|
|
|
|
|
2014-07-10 15:26:12 +02:00
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&ctx);
|
2013-09-03 18:31:25 +02:00
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
Constant-flow AES-CBC multipart decrypt tests
The main goal is to validate that unpadding is constant-time, including
error reporting.
Use a separate test function, not annotations in the existing function, so
that the functional tests can run on any platform, and we know from test
outcomes where we have run the constant-time tests.
The tests can only be actually constant-time if AES is constant time, since
AES computations are part of what is checked. Thus this requires
hardware-accelerated AES. We can't run our AESNI (or AESCE?) code under
Msan (it doesn't detect when memory is written from assembly code), so these
tests can only be run with Valgrind.
Same test data as the newly introduced functional tests.
#!/usr/bin/env python3
from Crypto.Cipher import AES
KEYS = {
128: bytes.fromhex("ffffffffe00000000000000000000000"),
192: bytes.fromhex("000000000000000000000000000000000000000000000000"),
256: bytes.fromhex("0000000000000000000000000000000000000000000000000000000000000000"),
}
IV = bytes.fromhex("00000000000000000000000000000000")
def decrypt_test_vec(cf, bits, mode, padded_hex, padding_length, note=''):
depends = ['MBEDTLS_AES_C', 'MBEDTLS_CIPHER_MODE_CBC']
plaintext = bytes.fromhex(padded_hex)
plaintext_length = len(plaintext)
if bits != 128:
depends.append('!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH')
key = KEYS[bits]
iv = IV
result = '0'
if mode == 'NONE':
padding_description = 'no padding'
assert padding_length == 0
else:
depends.append('MBEDTLS_CIPHER_PADDING_' + mode)
padding_description = mode
if padding_length is None:
result = 'MBEDTLS_ERR_CIPHER_INVALID_PADDING'
plaintext_length = 0
else:
plaintext_length -= padding_length
cipher = AES.new(key, AES.MODE_CBC, iv=iv)
ciphertext = cipher.encrypt(plaintext)
function = 'decrypt_test_vec'
cf_maybe = ''
if cf:
function += '_cf'
cf_maybe = 'CF '
depends.append('HAVE_CONSTANT_TIME_AES')
if note:
note = f' ({note})'
print(f'''\
{cf_maybe}AES-{bits}-CBC Decrypt test vector, {padding_description}{note}
depends_on:{':'.join(depends)}
{function}:MBEDTLS_CIPHER_AES_{bits}_CBC:MBEDTLS_PADDING_{mode}:"{key.hex()}":"{iv.hex()}":"{ciphertext.hex()}":"{plaintext[:plaintext_length].hex()}":"":"":{result}:0
''')
def emit_tests(cf):
# Already existing tests
decrypt_test_vec(cf, 128, 'NONE', "00000000000000000000000000000000", 0)
decrypt_test_vec(cf, 192, 'NONE', "fffffffff80000000000000000000000", 0)
decrypt_test_vec(cf, 256, 'NONE', "ff000000000000000000000000000000", 0)
# New tests
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 128, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 192, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 256, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 128, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 192, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 256, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 128, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 192, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 256, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 128, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
decrypt_test_vec(cf, 192, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
decrypt_test_vec(cf, 256, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
emit_tests(True)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-07-27 18:03:26 +02:00
|
|
|
/* BEGIN_CASE */
|
2025-08-25 16:53:54 +02:00
|
|
|
/* Similar to decrypt_test_vec, but with constant-flow assertions.
|
|
|
|
|
* We use a separate test function so that we can run the functional tests
|
|
|
|
|
* in all configurations where the underlying cipher is enabled, and
|
|
|
|
|
* run the constant-flow tests only in configurations where the underlying
|
|
|
|
|
* cipher is constant-time. In particular, AES test cases need to depend
|
|
|
|
|
* on HAVE_CONSTANT_TIME_AES.
|
|
|
|
|
*/
|
Constant-flow AES-CBC multipart decrypt tests
The main goal is to validate that unpadding is constant-time, including
error reporting.
Use a separate test function, not annotations in the existing function, so
that the functional tests can run on any platform, and we know from test
outcomes where we have run the constant-time tests.
The tests can only be actually constant-time if AES is constant time, since
AES computations are part of what is checked. Thus this requires
hardware-accelerated AES. We can't run our AESNI (or AESCE?) code under
Msan (it doesn't detect when memory is written from assembly code), so these
tests can only be run with Valgrind.
Same test data as the newly introduced functional tests.
#!/usr/bin/env python3
from Crypto.Cipher import AES
KEYS = {
128: bytes.fromhex("ffffffffe00000000000000000000000"),
192: bytes.fromhex("000000000000000000000000000000000000000000000000"),
256: bytes.fromhex("0000000000000000000000000000000000000000000000000000000000000000"),
}
IV = bytes.fromhex("00000000000000000000000000000000")
def decrypt_test_vec(cf, bits, mode, padded_hex, padding_length, note=''):
depends = ['MBEDTLS_AES_C', 'MBEDTLS_CIPHER_MODE_CBC']
plaintext = bytes.fromhex(padded_hex)
plaintext_length = len(plaintext)
if bits != 128:
depends.append('!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH')
key = KEYS[bits]
iv = IV
result = '0'
if mode == 'NONE':
padding_description = 'no padding'
assert padding_length == 0
else:
depends.append('MBEDTLS_CIPHER_PADDING_' + mode)
padding_description = mode
if padding_length is None:
result = 'MBEDTLS_ERR_CIPHER_INVALID_PADDING'
plaintext_length = 0
else:
plaintext_length -= padding_length
cipher = AES.new(key, AES.MODE_CBC, iv=iv)
ciphertext = cipher.encrypt(plaintext)
function = 'decrypt_test_vec'
cf_maybe = ''
if cf:
function += '_cf'
cf_maybe = 'CF '
depends.append('HAVE_CONSTANT_TIME_AES')
if note:
note = f' ({note})'
print(f'''\
{cf_maybe}AES-{bits}-CBC Decrypt test vector, {padding_description}{note}
depends_on:{':'.join(depends)}
{function}:MBEDTLS_CIPHER_AES_{bits}_CBC:MBEDTLS_PADDING_{mode}:"{key.hex()}":"{iv.hex()}":"{ciphertext.hex()}":"{plaintext[:plaintext_length].hex()}":"":"":{result}:0
''')
def emit_tests(cf):
# Already existing tests
decrypt_test_vec(cf, 128, 'NONE', "00000000000000000000000000000000", 0)
decrypt_test_vec(cf, 192, 'NONE', "fffffffff80000000000000000000000", 0)
decrypt_test_vec(cf, 256, 'NONE', "ff000000000000000000000000000000", 0)
# New tests
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 128, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 192, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 256, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 128, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 192, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 256, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 128, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 192, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 256, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 128, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
decrypt_test_vec(cf, 192, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
decrypt_test_vec(cf, 256, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
emit_tests(True)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-07-27 18:03:26 +02:00
|
|
|
void decrypt_test_vec_cf(int cipher_id, int pad_mode, data_t *key,
|
|
|
|
|
data_t *iv, data_t *cipher,
|
|
|
|
|
data_t *clear, data_t *ad, data_t *tag,
|
|
|
|
|
int expected_finish_result, int tag_result)
|
|
|
|
|
{
|
|
|
|
|
unsigned char output[265];
|
|
|
|
|
mbedtls_cipher_context_t ctx;
|
|
|
|
|
size_t outlen, total_len;
|
|
|
|
|
|
|
|
|
|
mbedtls_cipher_init(&ctx);
|
|
|
|
|
|
|
|
|
|
memset(output, 0x00, sizeof(output));
|
|
|
|
|
|
|
|
|
|
#if !defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CHACHAPOLY_C)
|
|
|
|
|
((void) ad);
|
|
|
|
|
((void) tag);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
TEST_CF_SECRET(key->x, key->len);
|
|
|
|
|
TEST_CF_SECRET(cipher->x, cipher->len);
|
|
|
|
|
|
|
|
|
|
/* Prepare context */
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx,
|
|
|
|
|
mbedtls_cipher_info_from_type(cipher_id)));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key->x, 8 * key->len, MBEDTLS_DECRYPT));
|
|
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
|
|
|
|
if (pad_mode != -1) {
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
(void) pad_mode;
|
|
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx, iv->x, iv->len));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx));
|
|
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
|
|
|
|
int expected = (ctx.cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
|
|
|
|
0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
|
|
|
|
|
|
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_update_ad(&ctx, ad->x, ad->len));
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* decode buffer and check tag->x */
|
|
|
|
|
total_len = 0;
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_update(&ctx, cipher->x, cipher->len, output, &outlen));
|
|
|
|
|
total_len += outlen;
|
|
|
|
|
int actual_finish_result = mbedtls_cipher_finish(&ctx, output + outlen,
|
|
|
|
|
&outlen);
|
2025-07-27 21:20:47 +02:00
|
|
|
TEST_CF_PUBLIC(&outlen, sizeof(outlen));
|
Constant-flow AES-CBC multipart decrypt tests
The main goal is to validate that unpadding is constant-time, including
error reporting.
Use a separate test function, not annotations in the existing function, so
that the functional tests can run on any platform, and we know from test
outcomes where we have run the constant-time tests.
The tests can only be actually constant-time if AES is constant time, since
AES computations are part of what is checked. Thus this requires
hardware-accelerated AES. We can't run our AESNI (or AESCE?) code under
Msan (it doesn't detect when memory is written from assembly code), so these
tests can only be run with Valgrind.
Same test data as the newly introduced functional tests.
#!/usr/bin/env python3
from Crypto.Cipher import AES
KEYS = {
128: bytes.fromhex("ffffffffe00000000000000000000000"),
192: bytes.fromhex("000000000000000000000000000000000000000000000000"),
256: bytes.fromhex("0000000000000000000000000000000000000000000000000000000000000000"),
}
IV = bytes.fromhex("00000000000000000000000000000000")
def decrypt_test_vec(cf, bits, mode, padded_hex, padding_length, note=''):
depends = ['MBEDTLS_AES_C', 'MBEDTLS_CIPHER_MODE_CBC']
plaintext = bytes.fromhex(padded_hex)
plaintext_length = len(plaintext)
if bits != 128:
depends.append('!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH')
key = KEYS[bits]
iv = IV
result = '0'
if mode == 'NONE':
padding_description = 'no padding'
assert padding_length == 0
else:
depends.append('MBEDTLS_CIPHER_PADDING_' + mode)
padding_description = mode
if padding_length is None:
result = 'MBEDTLS_ERR_CIPHER_INVALID_PADDING'
plaintext_length = 0
else:
plaintext_length -= padding_length
cipher = AES.new(key, AES.MODE_CBC, iv=iv)
ciphertext = cipher.encrypt(plaintext)
function = 'decrypt_test_vec'
cf_maybe = ''
if cf:
function += '_cf'
cf_maybe = 'CF '
depends.append('HAVE_CONSTANT_TIME_AES')
if note:
note = f' ({note})'
print(f'''\
{cf_maybe}AES-{bits}-CBC Decrypt test vector, {padding_description}{note}
depends_on:{':'.join(depends)}
{function}:MBEDTLS_CIPHER_AES_{bits}_CBC:MBEDTLS_PADDING_{mode}:"{key.hex()}":"{iv.hex()}":"{ciphertext.hex()}":"{plaintext[:plaintext_length].hex()}":"":"":{result}:0
''')
def emit_tests(cf):
# Already existing tests
decrypt_test_vec(cf, 128, 'NONE', "00000000000000000000000000000000", 0)
decrypt_test_vec(cf, 192, 'NONE', "fffffffff80000000000000000000000", 0)
decrypt_test_vec(cf, 256, 'NONE', "ff000000000000000000000000000000", 0)
# New tests
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000001", 1, 'good pad 1')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000202", 2, 'good pad 2')
decrypt_test_vec(cf, 128, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 192, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 256, 'PKCS7', "2a0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", 15, 'good pad 15')
decrypt_test_vec(cf, 128, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 192, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 256, 'PKCS7', "10101010101010101010101010101010", 16, 'good pad 16')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000000", None, 'bad pad 0')
decrypt_test_vec(cf, 128, 'PKCS7', "00000000000000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 192, 'PKCS7', "fffffffff80000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 256, 'PKCS7', "ff000000000000000000000000000102", None, 'bad pad 0102')
decrypt_test_vec(cf, 128, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 192, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 256, 'PKCS7', "1111111111111111111111111111111111111111111111111111111111111111", None, 'long, bad pad 17')
decrypt_test_vec(cf, 128, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
decrypt_test_vec(cf, 192, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
decrypt_test_vec(cf, 256, 'PKCS7', "11111111111111111111111111111111", None, 'short, bad pad 17')
emit_tests(True)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-07-27 18:03:26 +02:00
|
|
|
TEST_EQUAL(actual_finish_result, expected_finish_result);
|
|
|
|
|
if (0 != expected_finish_result) {
|
|
|
|
|
/* Check output parameter is set to the least-harmful value on error */
|
|
|
|
|
TEST_ASSERT(0 == outlen);
|
|
|
|
|
}
|
|
|
|
|
total_len += outlen;
|
|
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
|
|
|
|
int tag_expected = (ctx.cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
|
|
|
|
tag_result : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
|
|
|
|
|
|
|
|
|
TEST_EQUAL(tag_expected, mbedtls_cipher_check_tag(&ctx, tag->x, tag->len));
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* check plaintext only if everything went fine */
|
|
|
|
|
if (0 == expected_finish_result && 0 == tag_result) {
|
|
|
|
|
TEST_CF_PUBLIC(output, sizeof(output));
|
|
|
|
|
TEST_MEMORY_COMPARE(output, total_len, clear->x, clear->len);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
exit:
|
|
|
|
|
mbedtls_cipher_free(&ctx);
|
|
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
2025-07-27 18:53:57 +02:00
|
|
|
/* BEGIN_CASE */
|
|
|
|
|
void decrypt_padded_test_vec(int cipher_id, int pad_mode, data_t *key,
|
|
|
|
|
data_t *iv, data_t *cipher,
|
|
|
|
|
data_t *clear, data_t *ad, data_t *tag,
|
|
|
|
|
int expected_finish_result, int tag_result)
|
|
|
|
|
{
|
|
|
|
|
unsigned char output[265];
|
|
|
|
|
mbedtls_cipher_context_t ctx;
|
|
|
|
|
size_t outlen, total_len;
|
|
|
|
|
|
|
|
|
|
mbedtls_cipher_init(&ctx);
|
|
|
|
|
|
|
|
|
|
memset(output, 0x00, sizeof(output));
|
|
|
|
|
|
|
|
|
|
#if !defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CHACHAPOLY_C)
|
|
|
|
|
((void) ad);
|
|
|
|
|
((void) tag);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* Prepare context */
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx,
|
|
|
|
|
mbedtls_cipher_info_from_type(cipher_id)));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key->x, 8 * key->len, MBEDTLS_DECRYPT));
|
|
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
|
|
|
|
if (pad_mode != -1) {
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
(void) pad_mode;
|
|
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx, iv->x, iv->len));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx));
|
|
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
|
|
|
|
int expected = (ctx.cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
|
|
|
|
0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
|
|
|
|
|
|
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_update_ad(&ctx, ad->x, ad->len));
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* decode buffer and check tag->x */
|
|
|
|
|
total_len = 0;
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_update(&ctx, cipher->x, cipher->len, output, &outlen));
|
|
|
|
|
total_len += outlen;
|
|
|
|
|
|
|
|
|
|
size_t invalid_padding = 42;
|
|
|
|
|
int actual_finish_result =
|
|
|
|
|
mbedtls_cipher_finish_padded(&ctx, output + outlen, &outlen,
|
|
|
|
|
&invalid_padding);
|
|
|
|
|
switch (expected_finish_result) {
|
|
|
|
|
case 0:
|
|
|
|
|
TEST_EQUAL(actual_finish_result, 0);
|
|
|
|
|
TEST_EQUAL(invalid_padding, 0);
|
|
|
|
|
break;
|
|
|
|
|
case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
|
|
|
|
|
TEST_EQUAL(actual_finish_result, 0);
|
2025-08-26 13:11:27 +02:00
|
|
|
TEST_EQUAL(invalid_padding, ~(size_t) 0);
|
2025-07-27 18:53:57 +02:00
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
TEST_EQUAL(actual_finish_result, expected_finish_result);
|
|
|
|
|
/* Check output parameter is set to the least-harmful value on error */
|
|
|
|
|
TEST_EQUAL(0, outlen);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
total_len += outlen;
|
|
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
|
|
|
|
int tag_expected = (ctx.cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
|
|
|
|
tag_result : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
|
|
|
|
|
|
|
|
|
TEST_EQUAL(tag_expected, mbedtls_cipher_check_tag(&ctx, tag->x, tag->len));
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* check plaintext only if everything went fine */
|
|
|
|
|
if (0 == expected_finish_result && 0 == tag_result) {
|
|
|
|
|
TEST_ASSERT(total_len == clear->len);
|
|
|
|
|
TEST_ASSERT(0 == memcmp(output, clear->x, clear->len));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
exit:
|
|
|
|
|
mbedtls_cipher_free(&ctx);
|
|
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
|
|
|
|
/* BEGIN_CASE */
|
2025-08-25 16:53:54 +02:00
|
|
|
/* Similar to decrypt_padded_test_vec, but with constant-flow assertions.
|
|
|
|
|
* We use a separate test function so that we can run the functional tests
|
|
|
|
|
* in all configurations where the underlying cipher is enabled, and
|
|
|
|
|
* run the constant-flow tests only in configurations where the underlying
|
|
|
|
|
* cipher is constant-time. In particular, AES test cases need to depend
|
|
|
|
|
* on HAVE_CONSTANT_TIME_AES.
|
|
|
|
|
*/
|
2025-07-27 18:53:57 +02:00
|
|
|
void decrypt_padded_test_vec_cf(int cipher_id, int pad_mode, data_t *key,
|
|
|
|
|
data_t *iv, data_t *cipher,
|
|
|
|
|
data_t *clear, data_t *ad, data_t *tag,
|
|
|
|
|
int expected_finish_result, int tag_result)
|
|
|
|
|
{
|
|
|
|
|
unsigned char output[265];
|
|
|
|
|
mbedtls_cipher_context_t ctx;
|
|
|
|
|
size_t outlen, total_len;
|
|
|
|
|
|
|
|
|
|
mbedtls_cipher_init(&ctx);
|
|
|
|
|
|
|
|
|
|
memset(output, 0x00, sizeof(output));
|
|
|
|
|
|
|
|
|
|
#if !defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CHACHAPOLY_C)
|
|
|
|
|
((void) ad);
|
|
|
|
|
((void) tag);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
TEST_CF_SECRET(key->x, key->len);
|
|
|
|
|
TEST_CF_SECRET(cipher->x, cipher->len);
|
|
|
|
|
|
|
|
|
|
/* Prepare context */
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx,
|
|
|
|
|
mbedtls_cipher_info_from_type(cipher_id)));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key->x, 8 * key->len, MBEDTLS_DECRYPT));
|
|
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
|
|
|
|
if (pad_mode != -1) {
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
(void) pad_mode;
|
|
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx, iv->x, iv->len));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx));
|
|
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
|
|
|
|
int expected = (ctx.cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
|
|
|
|
0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
|
|
|
|
|
|
|
|
|
TEST_EQUAL(expected, mbedtls_cipher_update_ad(&ctx, ad->x, ad->len));
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* decode buffer and check tag->x */
|
|
|
|
|
total_len = 0;
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_update(&ctx, cipher->x, cipher->len, output, &outlen));
|
|
|
|
|
total_len += outlen;
|
|
|
|
|
|
|
|
|
|
size_t invalid_padding = 42;
|
|
|
|
|
int actual_finish_result =
|
|
|
|
|
mbedtls_cipher_finish_padded(&ctx, output + outlen, &outlen,
|
|
|
|
|
&invalid_padding);
|
2025-07-27 21:20:47 +02:00
|
|
|
TEST_CF_PUBLIC(&outlen, sizeof(outlen));
|
2025-07-27 18:53:57 +02:00
|
|
|
switch (expected_finish_result) {
|
|
|
|
|
case 0:
|
|
|
|
|
TEST_EQUAL(actual_finish_result, 0);
|
|
|
|
|
TEST_EQUAL(invalid_padding, 0);
|
|
|
|
|
break;
|
|
|
|
|
case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
|
|
|
|
|
TEST_EQUAL(actual_finish_result, 0);
|
2025-08-26 13:11:27 +02:00
|
|
|
TEST_EQUAL(invalid_padding, ~(size_t) 0);
|
2025-07-27 18:53:57 +02:00
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
TEST_EQUAL(actual_finish_result, expected_finish_result);
|
|
|
|
|
/* Check output parameter is set to the least-harmful value on error */
|
|
|
|
|
TEST_EQUAL(0, outlen);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
total_len += outlen;
|
|
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
|
|
|
|
int tag_expected = (ctx.cipher_info->mode == MBEDTLS_MODE_GCM ||
|
|
|
|
|
ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) ?
|
|
|
|
|
tag_result : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
|
|
|
|
|
|
|
|
|
|
TEST_EQUAL(tag_expected, mbedtls_cipher_check_tag(&ctx, tag->x, tag->len));
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* check plaintext only if everything went fine */
|
|
|
|
|
if (0 == expected_finish_result && 0 == tag_result) {
|
|
|
|
|
TEST_CF_PUBLIC(output, sizeof(output));
|
|
|
|
|
TEST_MEMORY_COMPARE(output, total_len, clear->x, clear->len);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
exit:
|
|
|
|
|
mbedtls_cipher_free(&ctx);
|
|
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
2023-10-17 11:43:34 +02:00
|
|
|
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_AEAD */
|
2023-01-11 14:50:10 +01:00
|
|
|
void auth_crypt_tv(int cipher_id, data_t *key, data_t *iv,
|
|
|
|
|
data_t *ad, data_t *cipher, data_t *tag,
|
|
|
|
|
char *result, data_t *clear, int use_psa)
|
2014-05-15 16:03:07 +02:00
|
|
|
{
|
2020-11-26 10:22:50 +01:00
|
|
|
/*
|
|
|
|
|
* Take an AEAD ciphertext + tag and perform a pair
|
|
|
|
|
* of AEAD decryption and AEAD encryption. Check that
|
2018-11-12 16:27:30 +00:00
|
|
|
* this results in the expected plaintext, and that
|
2020-11-26 10:22:50 +01:00
|
|
|
* decryption and encryption are inverse to one another.
|
|
|
|
|
*/
|
2018-11-12 16:27:30 +00:00
|
|
|
|
2014-05-15 16:03:07 +02:00
|
|
|
int ret;
|
2020-11-30 10:17:01 +01:00
|
|
|
int using_nist_kw, using_nist_kw_padding;
|
2018-11-12 16:27:30 +00:00
|
|
|
|
2015-04-08 12:49:31 +02:00
|
|
|
mbedtls_cipher_context_t ctx;
|
2014-05-15 16:03:07 +02:00
|
|
|
size_t outlen;
|
|
|
|
|
|
2020-11-30 10:17:01 +01:00
|
|
|
unsigned char *cipher_plus_tag = NULL;
|
|
|
|
|
size_t cipher_plus_tag_len;
|
|
|
|
|
unsigned char *decrypt_buf = NULL;
|
|
|
|
|
size_t decrypt_buf_len = 0;
|
|
|
|
|
unsigned char *encrypt_buf = NULL;
|
|
|
|
|
size_t encrypt_buf_len = 0;
|
|
|
|
|
|
2020-12-03 20:27:27 +01:00
|
|
|
/* Null pointers are documented as valid for inputs of length 0.
|
|
|
|
|
* The test framework passes non-null pointers, so set them to NULL.
|
|
|
|
|
* key, cipher and tag can't be empty. */
|
2023-01-11 14:50:10 +01:00
|
|
|
if (iv->len == 0) {
|
2020-12-03 20:27:27 +01:00
|
|
|
iv->x = NULL;
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
|
|
|
|
if (ad->len == 0) {
|
2020-12-03 20:27:27 +01:00
|
|
|
ad->x = NULL;
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
|
|
|
|
if (clear->len == 0) {
|
2020-12-03 20:27:27 +01:00
|
|
|
clear->x = NULL;
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
2020-12-03 20:27:27 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx);
|
2014-05-15 16:03:07 +02:00
|
|
|
|
2020-11-26 10:22:50 +01:00
|
|
|
/* Initialize PSA Crypto */
|
|
|
|
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
2023-01-11 14:50:10 +01:00
|
|
|
if (use_psa == 1) {
|
|
|
|
|
PSA_ASSERT(psa_crypto_init());
|
|
|
|
|
}
|
2018-11-12 16:27:30 +00:00
|
|
|
#else
|
2020-11-26 10:22:50 +01:00
|
|
|
(void) use_psa;
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-11-30 10:17:01 +01:00
|
|
|
/*
|
|
|
|
|
* Are we using NIST_KW? with padding?
|
|
|
|
|
*/
|
|
|
|
|
using_nist_kw_padding = cipher_id == MBEDTLS_CIPHER_AES_128_KWP ||
|
|
|
|
|
cipher_id == MBEDTLS_CIPHER_AES_192_KWP ||
|
|
|
|
|
cipher_id == MBEDTLS_CIPHER_AES_256_KWP;
|
|
|
|
|
using_nist_kw = cipher_id == MBEDTLS_CIPHER_AES_128_KW ||
|
|
|
|
|
cipher_id == MBEDTLS_CIPHER_AES_192_KW ||
|
|
|
|
|
cipher_id == MBEDTLS_CIPHER_AES_256_KW ||
|
|
|
|
|
using_nist_kw_padding;
|
|
|
|
|
|
2020-11-26 10:22:50 +01:00
|
|
|
/*
|
|
|
|
|
* Prepare context for decryption
|
|
|
|
|
*/
|
2023-01-11 14:50:10 +01:00
|
|
|
if (!cipher_reset_key(&ctx, cipher_id, use_psa, tag->len, key,
|
|
|
|
|
MBEDTLS_DECRYPT)) {
|
2020-12-03 21:06:15 +01:00
|
|
|
goto exit;
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
2020-11-26 10:22:50 +01:00
|
|
|
|
|
|
|
|
/*
|
2020-11-30 10:17:01 +01:00
|
|
|
* prepare buffer for decryption
|
|
|
|
|
* (we need the tag appended to the ciphertext)
|
|
|
|
|
*/
|
|
|
|
|
cipher_plus_tag_len = cipher->len + tag->len;
|
2023-07-21 11:31:13 +01:00
|
|
|
TEST_CALLOC(cipher_plus_tag, cipher_plus_tag_len);
|
2023-01-11 14:50:10 +01:00
|
|
|
memcpy(cipher_plus_tag, cipher->x, cipher->len);
|
|
|
|
|
memcpy(cipher_plus_tag + cipher->len, tag->x, tag->len);
|
2020-11-30 10:17:01 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Compute length of output buffer according to the documentation
|
|
|
|
|
*/
|
2023-01-11 14:50:10 +01:00
|
|
|
if (using_nist_kw) {
|
2020-11-30 10:17:01 +01:00
|
|
|
decrypt_buf_len = cipher_plus_tag_len - 8;
|
2023-01-11 14:50:10 +01:00
|
|
|
} else {
|
2020-11-30 10:17:01 +01:00
|
|
|
decrypt_buf_len = cipher_plus_tag_len - tag->len;
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
2020-11-30 10:17:01 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Try decrypting to a buffer that's 1B too small
|
|
|
|
|
*/
|
2023-01-11 14:50:10 +01:00
|
|
|
if (decrypt_buf_len != 0) {
|
2023-07-21 11:31:13 +01:00
|
|
|
TEST_CALLOC(decrypt_buf, decrypt_buf_len - 1);
|
2020-11-30 10:17:01 +01:00
|
|
|
|
|
|
|
|
outlen = 0;
|
2023-01-11 14:50:10 +01:00
|
|
|
ret = mbedtls_cipher_auth_decrypt_ext(&ctx, iv->x, iv->len,
|
|
|
|
|
ad->x, ad->len, cipher_plus_tag, cipher_plus_tag_len,
|
|
|
|
|
decrypt_buf, decrypt_buf_len - 1, &outlen, tag->len);
|
|
|
|
|
TEST_ASSERT(ret == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
|
2020-11-30 10:17:01 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_free(decrypt_buf);
|
2020-11-30 10:17:01 +01:00
|
|
|
decrypt_buf = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Authenticate and decrypt, and check result
|
|
|
|
|
*/
|
2023-07-21 11:31:13 +01:00
|
|
|
TEST_CALLOC(decrypt_buf, decrypt_buf_len);
|
2020-11-30 10:17:01 +01:00
|
|
|
|
|
|
|
|
outlen = 0;
|
2023-01-11 14:50:10 +01:00
|
|
|
ret = mbedtls_cipher_auth_decrypt_ext(&ctx, iv->x, iv->len,
|
|
|
|
|
ad->x, ad->len, cipher_plus_tag, cipher_plus_tag_len,
|
|
|
|
|
decrypt_buf, decrypt_buf_len, &outlen, tag->len);
|
|
|
|
|
|
|
|
|
|
if (strcmp(result, "FAIL") == 0) {
|
|
|
|
|
TEST_ASSERT(ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED);
|
|
|
|
|
TEST_ASSERT(buffer_is_all_zero(decrypt_buf, decrypt_buf_len));
|
|
|
|
|
} else {
|
|
|
|
|
TEST_ASSERT(ret == 0);
|
2023-07-21 11:40:20 +01:00
|
|
|
TEST_MEMORY_COMPARE(decrypt_buf, outlen, clear->x, clear->len);
|
2020-11-30 10:17:01 +01:00
|
|
|
}
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_free(decrypt_buf);
|
2020-11-30 10:17:01 +01:00
|
|
|
decrypt_buf = NULL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Encrypt back if test data was authentic
|
|
|
|
|
*/
|
2023-01-11 14:50:10 +01:00
|
|
|
if (strcmp(result, "FAIL") != 0) {
|
2020-11-30 10:17:01 +01:00
|
|
|
/* prepare context for encryption */
|
2023-01-11 14:50:10 +01:00
|
|
|
if (!cipher_reset_key(&ctx, cipher_id, use_psa, tag->len, key,
|
|
|
|
|
MBEDTLS_ENCRYPT)) {
|
2020-12-03 21:06:15 +01:00
|
|
|
goto exit;
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
2020-11-30 10:17:01 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Compute size of output buffer according to documentation
|
|
|
|
|
*/
|
2023-01-11 14:50:10 +01:00
|
|
|
if (using_nist_kw) {
|
2020-11-30 10:17:01 +01:00
|
|
|
encrypt_buf_len = clear->len + 8;
|
2023-01-11 14:50:10 +01:00
|
|
|
if (using_nist_kw_padding && encrypt_buf_len % 8 != 0) {
|
2020-11-30 10:17:01 +01:00
|
|
|
encrypt_buf_len += 8 - encrypt_buf_len % 8;
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
|
|
|
|
} else {
|
2020-11-30 10:17:01 +01:00
|
|
|
encrypt_buf_len = clear->len + tag->len;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Try encrypting with an output buffer that's 1B too small
|
|
|
|
|
*/
|
2023-07-21 11:31:13 +01:00
|
|
|
TEST_CALLOC(encrypt_buf, encrypt_buf_len - 1);
|
2020-11-30 10:17:01 +01:00
|
|
|
|
|
|
|
|
outlen = 0;
|
2023-01-11 14:50:10 +01:00
|
|
|
ret = mbedtls_cipher_auth_encrypt_ext(&ctx, iv->x, iv->len,
|
|
|
|
|
ad->x, ad->len, clear->x, clear->len,
|
|
|
|
|
encrypt_buf, encrypt_buf_len - 1, &outlen, tag->len);
|
|
|
|
|
TEST_ASSERT(ret != 0);
|
2020-11-30 10:17:01 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_free(encrypt_buf);
|
2020-11-30 10:17:01 +01:00
|
|
|
encrypt_buf = NULL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Encrypt and check the result
|
|
|
|
|
*/
|
2023-07-21 11:31:13 +01:00
|
|
|
TEST_CALLOC(encrypt_buf, encrypt_buf_len);
|
2020-11-30 10:17:01 +01:00
|
|
|
|
|
|
|
|
outlen = 0;
|
2023-01-11 14:50:10 +01:00
|
|
|
ret = mbedtls_cipher_auth_encrypt_ext(&ctx, iv->x, iv->len,
|
|
|
|
|
ad->x, ad->len, clear->x, clear->len,
|
|
|
|
|
encrypt_buf, encrypt_buf_len, &outlen, tag->len);
|
|
|
|
|
TEST_ASSERT(ret == 0);
|
2020-11-30 10:17:01 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(outlen == cipher->len + tag->len);
|
|
|
|
|
TEST_ASSERT(memcmp(encrypt_buf, cipher->x, cipher->len) == 0);
|
|
|
|
|
TEST_ASSERT(memcmp(encrypt_buf + cipher->len,
|
|
|
|
|
tag->x, tag->len) == 0);
|
2020-11-30 10:17:01 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_free(encrypt_buf);
|
2020-11-30 10:17:01 +01:00
|
|
|
encrypt_buf = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-12 16:27:30 +00:00
|
|
|
exit:
|
2014-05-15 16:03:07 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&ctx);
|
|
|
|
|
mbedtls_free(decrypt_buf);
|
|
|
|
|
mbedtls_free(encrypt_buf);
|
|
|
|
|
mbedtls_free(cipher_plus_tag);
|
2019-08-01 12:47:40 +02:00
|
|
|
|
2018-11-12 16:27:30 +00:00
|
|
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
2023-01-11 14:50:10 +01:00
|
|
|
if (use_psa == 1) {
|
|
|
|
|
PSA_DONE();
|
|
|
|
|
}
|
2018-11-12 16:27:30 +00:00
|
|
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
2014-05-15 16:03:07 +02:00
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
2013-09-08 23:04:04 +02:00
|
|
|
/* BEGIN_CASE */
|
2023-01-11 14:50:10 +01:00
|
|
|
void test_vec_ecb(int cipher_id, int operation, data_t *key,
|
|
|
|
|
data_t *input, data_t *result, int finish_result
|
|
|
|
|
)
|
2013-09-08 23:04:04 +02:00
|
|
|
{
|
2015-04-08 12:49:31 +02:00
|
|
|
mbedtls_cipher_context_t ctx;
|
2013-09-08 23:04:04 +02:00
|
|
|
unsigned char output[32];
|
|
|
|
|
size_t outlen;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx);
|
2014-07-01 15:45:49 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(output, 0x00, sizeof(output));
|
2013-09-08 23:04:04 +02:00
|
|
|
|
|
|
|
|
/* Prepare context */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx,
|
|
|
|
|
mbedtls_cipher_info_from_type(cipher_id)));
|
2013-09-08 23:04:04 +02:00
|
|
|
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key->x, 8 * key->len, operation));
|
2013-09-08 23:04:04 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_update(&ctx, input->x,
|
|
|
|
|
mbedtls_cipher_get_block_size(&ctx),
|
|
|
|
|
output, &outlen));
|
|
|
|
|
TEST_ASSERT(outlen == mbedtls_cipher_get_block_size(&ctx));
|
|
|
|
|
TEST_ASSERT(finish_result == mbedtls_cipher_finish(&ctx, output + outlen,
|
|
|
|
|
&outlen));
|
|
|
|
|
TEST_ASSERT(0 == outlen);
|
2013-09-08 23:04:04 +02:00
|
|
|
|
|
|
|
|
/* check plaintext only if everything went fine */
|
2023-01-11 14:50:10 +01:00
|
|
|
if (0 == finish_result) {
|
|
|
|
|
TEST_ASSERT(0 == memcmp(output, result->x,
|
|
|
|
|
mbedtls_cipher_get_block_size(&ctx)));
|
|
|
|
|
}
|
2013-09-08 23:04:04 +02:00
|
|
|
|
2014-07-10 15:26:12 +02:00
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&ctx);
|
2013-09-08 23:04:04 +02:00
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
2017-09-25 17:03:12 +03:00
|
|
|
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
2023-01-11 14:50:10 +01:00
|
|
|
void test_vec_crypt(int cipher_id, int operation, data_t *key,
|
|
|
|
|
data_t *iv, data_t *input, data_t *result,
|
|
|
|
|
int finish_result, int use_psa)
|
2017-09-25 17:03:12 +03:00
|
|
|
{
|
|
|
|
|
mbedtls_cipher_context_t ctx;
|
|
|
|
|
unsigned char output[32];
|
|
|
|
|
size_t outlen;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx);
|
2017-09-25 17:03:12 +03:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(output, 0x00, sizeof(output));
|
2017-09-25 17:03:12 +03:00
|
|
|
|
|
|
|
|
/* Prepare context */
|
2022-10-20 05:19:47 -04:00
|
|
|
#if !defined(MBEDTLS_USE_PSA_CRYPTO) || !defined(MBEDTLS_TEST_DEPRECATED)
|
2018-11-12 12:46:35 +00:00
|
|
|
(void) use_psa;
|
|
|
|
|
#else
|
2023-01-11 14:50:10 +01:00
|
|
|
if (use_psa == 1) {
|
|
|
|
|
PSA_ASSERT(psa_crypto_init());
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup_psa(&ctx,
|
|
|
|
|
mbedtls_cipher_info_from_type(cipher_id), 0));
|
|
|
|
|
} else
|
2022-05-19 12:26:33 +02:00
|
|
|
#endif /* !MBEDTLS_USE_PSA_CRYPTO || !MBEDTLS_TEST_DEPRECATED*/
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx,
|
|
|
|
|
mbedtls_cipher_info_from_type(cipher_id)));
|
2017-09-25 17:03:12 +03:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key->x, 8 * key->len, operation));
|
|
|
|
|
if (MBEDTLS_MODE_CBC == ctx.cipher_info->mode) {
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, MBEDTLS_PADDING_NONE));
|
|
|
|
|
}
|
2017-09-25 17:03:12 +03:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(finish_result == mbedtls_cipher_crypt(&ctx, iv->len ? iv->x : NULL,
|
|
|
|
|
iv->len, input->x, input->len,
|
|
|
|
|
output, &outlen));
|
|
|
|
|
TEST_ASSERT(result->len == outlen);
|
2017-09-25 17:03:12 +03:00
|
|
|
/* check plaintext only if everything went fine */
|
2023-01-11 14:50:10 +01:00
|
|
|
if (0 == finish_result) {
|
|
|
|
|
TEST_ASSERT(0 == memcmp(output, result->x, outlen));
|
|
|
|
|
}
|
2017-09-25 17:03:12 +03:00
|
|
|
|
|
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&ctx);
|
2022-10-20 05:19:47 -04:00
|
|
|
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_TEST_DEPRECATED)
|
2023-01-11 14:50:10 +01:00
|
|
|
PSA_DONE();
|
2022-10-21 05:37:54 -04:00
|
|
|
#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_TEST_DEPRECATED */
|
2017-09-25 17:03:12 +03:00
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
2025-07-27 18:44:21 +02:00
|
|
|
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
2025-08-25 16:53:54 +02:00
|
|
|
/* Similar to test_vec_crypt, but with constant-flow assertions.
|
|
|
|
|
* We use a separate test function so that we can run the functional tests
|
|
|
|
|
* in all configurations where the underlying cipher is enabled, and
|
|
|
|
|
* run the constant-flow tests only in configurations where the underlying
|
|
|
|
|
* cipher is constant-time. In particular, AES test cases need to depend
|
|
|
|
|
* on HAVE_CONSTANT_TIME_AES.
|
|
|
|
|
*/
|
2025-07-27 18:44:21 +02:00
|
|
|
void test_vec_crypt_cf(int cipher_id, int pad_mode, int operation, data_t *key,
|
|
|
|
|
data_t *iv, data_t *input, data_t *result,
|
|
|
|
|
int expected_finish_result, int use_psa)
|
|
|
|
|
{
|
|
|
|
|
mbedtls_cipher_context_t ctx;
|
|
|
|
|
unsigned char output[32];
|
|
|
|
|
size_t outlen;
|
|
|
|
|
|
|
|
|
|
mbedtls_cipher_init(&ctx);
|
|
|
|
|
|
|
|
|
|
memset(output, 0x00, sizeof(output));
|
|
|
|
|
|
|
|
|
|
TEST_CF_SECRET(key->x, key->len);
|
|
|
|
|
TEST_CF_SECRET(input->x, input->len);
|
|
|
|
|
|
|
|
|
|
/* Prepare context */
|
|
|
|
|
#if !defined(MBEDTLS_USE_PSA_CRYPTO) || !defined(MBEDTLS_TEST_DEPRECATED)
|
|
|
|
|
(void) use_psa;
|
|
|
|
|
#else
|
|
|
|
|
if (use_psa == 1) {
|
|
|
|
|
PSA_ASSERT(psa_crypto_init());
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup_psa(&ctx,
|
|
|
|
|
mbedtls_cipher_info_from_type(cipher_id), 0));
|
|
|
|
|
} else
|
|
|
|
|
#endif /* !MBEDTLS_USE_PSA_CRYPTO || !MBEDTLS_TEST_DEPRECATED*/
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx,
|
|
|
|
|
mbedtls_cipher_info_from_type(cipher_id)));
|
|
|
|
|
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key->x, 8 * key->len, operation));
|
|
|
|
|
if (MBEDTLS_MODE_CBC == ctx.cipher_info->mode) {
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int actual_finish_result =
|
|
|
|
|
mbedtls_cipher_crypt(&ctx, iv->len ? iv->x : NULL, iv->len,
|
|
|
|
|
input->x, input->len,
|
|
|
|
|
output, &outlen);
|
2025-07-27 21:20:47 +02:00
|
|
|
TEST_CF_PUBLIC(&outlen, sizeof(outlen));
|
2025-07-27 18:44:21 +02:00
|
|
|
TEST_EQUAL(expected_finish_result, actual_finish_result);
|
|
|
|
|
|
|
|
|
|
/* check plaintext only if everything went fine */
|
|
|
|
|
if (0 == expected_finish_result) {
|
|
|
|
|
TEST_CF_PUBLIC(output, sizeof(output));
|
|
|
|
|
TEST_MEMORY_COMPARE(output, outlen, result->x, result->len);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
exit:
|
|
|
|
|
mbedtls_cipher_free(&ctx);
|
|
|
|
|
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_TEST_DEPRECATED)
|
|
|
|
|
PSA_DONE();
|
|
|
|
|
#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_TEST_DEPRECATED */
|
|
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
|
|
|
|
|
2015-04-08 12:49:31 +02:00
|
|
|
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
2023-01-11 14:50:10 +01:00
|
|
|
void set_padding(int cipher_id, int pad_mode, int ret)
|
2013-08-16 13:38:47 +02:00
|
|
|
{
|
2015-04-08 12:49:31 +02:00
|
|
|
const mbedtls_cipher_info_t *cipher_info;
|
|
|
|
|
mbedtls_cipher_context_t ctx;
|
2013-07-24 18:05:00 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx);
|
2014-07-01 15:45:49 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
cipher_info = mbedtls_cipher_info_from_type(cipher_id);
|
|
|
|
|
TEST_ASSERT(NULL != cipher_info);
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx, cipher_info));
|
2013-07-24 18:05:00 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(ret == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
|
2013-07-24 18:05:00 +02:00
|
|
|
|
2014-07-10 15:26:12 +02:00
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&ctx);
|
2013-08-16 13:38:47 +02:00
|
|
|
}
|
2013-08-20 11:48:36 +02:00
|
|
|
/* END_CASE */
|
2011-01-06 15:37:30 +00:00
|
|
|
|
2015-04-08 12:49:31 +02:00
|
|
|
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
|
2025-07-27 21:22:39 +02:00
|
|
|
void check_padding(int pad_mode, data_t *input,
|
|
|
|
|
int expected_ret, int dlen_check)
|
2013-08-16 13:38:47 +02:00
|
|
|
{
|
2015-04-08 12:49:31 +02:00
|
|
|
mbedtls_cipher_info_t cipher_info;
|
|
|
|
|
mbedtls_cipher_context_t ctx;
|
2017-05-30 14:23:15 +01:00
|
|
|
size_t dlen;
|
2013-07-26 10:55:02 +02:00
|
|
|
|
|
|
|
|
/* build a fake context just for getting access to get_padding */
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx);
|
2015-04-08 12:49:31 +02:00
|
|
|
cipher_info.mode = MBEDTLS_MODE_CBC;
|
2013-07-26 10:55:02 +02:00
|
|
|
ctx.cipher_info = &cipher_info;
|
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
|
2013-07-26 10:55:02 +02:00
|
|
|
|
2025-07-27 21:22:39 +02:00
|
|
|
size_t invalid_padding = 42;
|
|
|
|
|
int ret = ctx.get_padding(input->x, input->len, &dlen, &invalid_padding);
|
|
|
|
|
switch (expected_ret) {
|
|
|
|
|
case 0:
|
|
|
|
|
TEST_EQUAL(ret, 0);
|
|
|
|
|
TEST_EQUAL(invalid_padding, 0);
|
|
|
|
|
TEST_EQUAL(dlen, dlen_check);
|
|
|
|
|
break;
|
|
|
|
|
case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
|
|
|
|
|
TEST_EQUAL(ret, 0);
|
2025-08-26 13:11:27 +02:00
|
|
|
TEST_EQUAL(invalid_padding, ~(size_t) 0);
|
2025-07-27 21:22:39 +02:00
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
TEST_EQUAL(ret, expected_ret);
|
2023-01-11 14:50:10 +01:00
|
|
|
}
|
2013-08-16 13:38:47 +02:00
|
|
|
}
|
2013-08-20 11:48:36 +02:00
|
|
|
/* END_CASE */
|
2021-12-01 21:58:05 +01:00
|
|
|
|
|
|
|
|
/* BEGIN_CASE */
|
2023-01-11 14:50:10 +01:00
|
|
|
void iv_len_validity(int cipher_id, char *cipher_string,
|
|
|
|
|
int iv_len_val, int ret)
|
2021-12-01 21:58:05 +01:00
|
|
|
{
|
|
|
|
|
size_t iv_len = iv_len_val;
|
|
|
|
|
unsigned char iv[16];
|
|
|
|
|
|
2022-02-17 12:01:28 +00:00
|
|
|
/* Initialise iv buffer */
|
2023-01-11 14:50:10 +01:00
|
|
|
memset(iv, 0, sizeof(iv));
|
2022-02-17 12:01:28 +00:00
|
|
|
|
2021-12-01 21:58:05 +01:00
|
|
|
const mbedtls_cipher_info_t *cipher_info;
|
|
|
|
|
mbedtls_cipher_context_t ctx_dec;
|
|
|
|
|
mbedtls_cipher_context_t ctx_enc;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Prepare contexts
|
|
|
|
|
*/
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_init(&ctx_dec);
|
|
|
|
|
mbedtls_cipher_init(&ctx_enc);
|
2021-12-01 21:58:05 +01:00
|
|
|
|
|
|
|
|
/* Check and get info structures */
|
2023-01-11 14:50:10 +01:00
|
|
|
cipher_info = mbedtls_cipher_info_from_type(cipher_id);
|
|
|
|
|
TEST_ASSERT(NULL != cipher_info);
|
|
|
|
|
TEST_ASSERT(mbedtls_cipher_info_from_string(cipher_string) == cipher_info);
|
|
|
|
|
TEST_ASSERT(strcmp(mbedtls_cipher_info_get_name(cipher_info),
|
|
|
|
|
cipher_string) == 0);
|
2021-12-01 21:58:05 +01:00
|
|
|
|
|
|
|
|
/* Initialise enc and dec contexts */
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_dec, cipher_info));
|
|
|
|
|
TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_enc, cipher_info));
|
2021-12-01 21:58:05 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
TEST_ASSERT(ret == mbedtls_cipher_set_iv(&ctx_dec, iv, iv_len));
|
|
|
|
|
TEST_ASSERT(ret == mbedtls_cipher_set_iv(&ctx_enc, iv, iv_len));
|
2021-12-01 21:58:05 +01:00
|
|
|
|
|
|
|
|
exit:
|
2023-01-11 14:50:10 +01:00
|
|
|
mbedtls_cipher_free(&ctx_dec);
|
|
|
|
|
mbedtls_cipher_free(&ctx_enc);
|
2021-12-01 21:58:05 +01:00
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
2023-09-07 17:54:46 +01:00
|
|
|
|
2023-09-18 17:41:25 +01:00
|
|
|
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
|
|
|
|
void check_set_padding(int cipher_id)
|
2023-09-07 17:54:46 +01:00
|
|
|
{
|
|
|
|
|
mbedtls_cipher_context_t ctx;
|
2023-09-21 14:04:35 +01:00
|
|
|
unsigned char *key = NULL;
|
2023-09-07 17:54:46 +01:00
|
|
|
unsigned char iv[16] = { 0 };
|
|
|
|
|
unsigned char input[16] = { 0 };
|
|
|
|
|
unsigned char output[32] = { 0 };
|
|
|
|
|
size_t outlen = 0;
|
|
|
|
|
const mbedtls_cipher_info_t *cipher_info;
|
2023-09-21 14:04:35 +01:00
|
|
|
size_t keylen = 0;
|
2023-09-07 17:54:46 +01:00
|
|
|
|
2023-10-18 15:09:09 +01:00
|
|
|
mbedtls_cipher_init(&ctx);
|
|
|
|
|
|
2023-09-18 17:41:25 +01:00
|
|
|
cipher_info = mbedtls_cipher_info_from_type(cipher_id);
|
|
|
|
|
|
|
|
|
|
if (cipher_info->mode != MBEDTLS_MODE_CBC) {
|
|
|
|
|
TEST_FAIL("Cipher mode must be CBC");
|
|
|
|
|
}
|
2023-09-07 17:54:46 +01:00
|
|
|
|
2023-09-21 14:04:35 +01:00
|
|
|
keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info);
|
|
|
|
|
TEST_CALLOC(key, keylen/8);
|
|
|
|
|
memset(key, 0, keylen/8);
|
|
|
|
|
|
2023-09-18 17:41:25 +01:00
|
|
|
TEST_EQUAL(0, mbedtls_cipher_setup(&ctx, cipher_info));
|
2023-09-07 17:54:46 +01:00
|
|
|
|
2023-09-21 14:04:35 +01:00
|
|
|
TEST_EQUAL(0, mbedtls_cipher_setkey(&ctx, key, keylen,
|
|
|
|
|
MBEDTLS_ENCRYPT));
|
2023-09-07 17:54:46 +01:00
|
|
|
|
2023-09-18 17:41:25 +01:00
|
|
|
TEST_EQUAL(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
|
|
|
|
|
mbedtls_cipher_crypt(&ctx, iv, sizeof(iv), input,
|
|
|
|
|
sizeof(input), output, &outlen));
|
2023-09-07 17:54:46 +01:00
|
|
|
|
2023-09-18 17:41:25 +01:00
|
|
|
TEST_EQUAL(0, mbedtls_cipher_set_padding_mode(&ctx, MBEDTLS_PADDING_NONE));
|
|
|
|
|
TEST_EQUAL(0, mbedtls_cipher_crypt(&ctx, iv, sizeof(iv), input,
|
|
|
|
|
sizeof(input), output, &outlen));
|
2023-09-07 17:54:46 +01:00
|
|
|
|
|
|
|
|
exit:
|
|
|
|
|
mbedtls_cipher_free(&ctx);
|
2023-09-21 14:04:35 +01:00
|
|
|
mbedtls_free(key);
|
2023-09-07 17:54:46 +01:00
|
|
|
}
|
|
|
|
|
/* END_CASE */
|
2025-01-16 16:24:35 +00:00
|
|
|
|
|
|
|
|
/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
|
|
|
|
|
void get_pkcs_padding(data_t *decrypted_block, int exp_ret, int exp_len)
|
|
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
size_t calculated_len;
|
2025-07-27 21:22:39 +02:00
|
|
|
size_t invalid_padding;
|
2025-01-16 16:24:35 +00:00
|
|
|
|
|
|
|
|
TEST_CF_SECRET(decrypted_block->x, decrypted_block->len);
|
2025-03-28 10:57:45 +00:00
|
|
|
ret = mbedtls_get_pkcs_padding(decrypted_block->x, decrypted_block->len,
|
2025-07-27 21:22:39 +02:00
|
|
|
&calculated_len, &invalid_padding);
|
2025-01-16 16:24:35 +00:00
|
|
|
|
2025-07-27 21:22:39 +02:00
|
|
|
switch (exp_ret) {
|
|
|
|
|
case 0:
|
|
|
|
|
TEST_EQUAL(ret, 0);
|
|
|
|
|
TEST_EQUAL(invalid_padding, 0);
|
|
|
|
|
TEST_EQUAL(calculated_len, exp_len);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
|
|
|
|
|
TEST_EQUAL(ret, 0);
|
|
|
|
|
TEST_EQUAL(invalid_padding, ~(size_t) 0);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
TEST_EQUAL(ret, exp_ret);
|
|
|
|
|
break;
|
2025-01-16 16:24:35 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/* END_CASE */
|