1/* BEGIN_HEADER */ 2#include "mbedtls/cipher.h" 3 4#if defined(MBEDTLS_AES_C) 5#include "mbedtls/aes.h" 6#endif 7 8#if defined(MBEDTLS_GCM_C) 9#include "mbedtls/gcm.h" 10#endif 11 12#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) 13#define MBEDTLS_CIPHER_AUTH_CRYPT 14#endif 15 16/* Check the internal consistency of a cipher info structure, and 17 * check it against mbedtls_cipher_info_from_xxx(). */ 18static int check_cipher_info( mbedtls_cipher_type_t type, 19 const mbedtls_cipher_info_t *info ) 20{ 21 size_t key_bitlen; 22 23 TEST_ASSERT( info != NULL ); 24 TEST_EQUAL( type, mbedtls_cipher_info_get_type( info ) ); 25 TEST_EQUAL( type, info->type ); 26 TEST_ASSERT( mbedtls_cipher_info_from_type( type ) == info ); 27 28 TEST_EQUAL( info->mode, mbedtls_cipher_info_get_mode( info ) ); 29 30 /* Insist that get_name() return the string from the structure and 31 * not a copy. A copy would have an unknown storage duration. */ 32 TEST_ASSERT( mbedtls_cipher_info_get_name( info ) == info->name ); 33 TEST_ASSERT( mbedtls_cipher_info_from_string( info->name ) == info ); 34 35 key_bitlen = mbedtls_cipher_info_get_key_bitlen( info ); 36 if( info->type == MBEDTLS_CIPHER_NULL ) 37 TEST_ASSERT( key_bitlen == 0 ); 38 else if( info->mode == MBEDTLS_MODE_XTS ) 39 { 40 TEST_ASSERT( key_bitlen == 256 || 41 key_bitlen == 384 || 42 key_bitlen == 512 ); 43 } 44 else if( ! strncmp( info->name, "DES-EDE3-", 9 ) ) 45 { 46 TEST_ASSERT( key_bitlen == 192 ); 47 } 48 else if( ! strncmp( info->name, "DES-EDE-", 8 ) ) 49 { 50 TEST_ASSERT( key_bitlen == 128 ); 51 } 52 else if( ! strncmp( info->name, "DES-", 4 ) ) 53 { 54 TEST_ASSERT( key_bitlen == 64 ); 55 } 56 else 57 { 58 TEST_ASSERT( key_bitlen == 128 || 59 key_bitlen == 192 || 60 key_bitlen == 256 ); 61 } 62 63 return( 1 ); 64 65exit: 66 return( 0 ); 67} 68 69#if defined(MBEDTLS_CIPHER_AUTH_CRYPT) 70/* Helper for resetting key/direction 71 * 72 * The documentation doesn't explicitly say whether calling 73 * mbedtls_cipher_setkey() twice is allowed or not. This currently works with 74 * the default software implementation, but only by accident. It isn't 75 * guaranteed to work with new ciphers or with alternative implementations of 76 * individual ciphers, and it doesn't work with the PSA wrappers. So don't do 77 * it, and instead start with a fresh context. 78 */ 79static int cipher_reset_key( mbedtls_cipher_context_t *ctx, int cipher_id, 80 int use_psa, size_t tag_len, const data_t *key, int direction ) 81{ 82 mbedtls_cipher_free( ctx ); 83 mbedtls_cipher_init( ctx ); 84 85#if !defined(MBEDTLS_USE_PSA_CRYPTO) 86 (void) use_psa; 87 (void) tag_len; 88#else 89 if( use_psa == 1 ) 90 { 91 TEST_ASSERT( 0 == mbedtls_cipher_setup_psa( ctx, 92 mbedtls_cipher_info_from_type( cipher_id ), 93 tag_len ) ); 94 } 95 else 96#endif /* MBEDTLS_USE_PSA_CRYPTO */ 97 { 98 TEST_ASSERT( 0 == mbedtls_cipher_setup( ctx, 99 mbedtls_cipher_info_from_type( cipher_id ) ) ); 100 } 101 102 TEST_ASSERT( 0 == mbedtls_cipher_setkey( ctx, key->x, 8 * key->len, 103 direction ) ); 104 return( 1 ); 105 106exit: 107 return( 0 ); 108} 109 110/* 111 * Check if a buffer is all-0 bytes: 112 * return 1 if it is, 113 * 0 if it isn't. 114 */ 115int buffer_is_all_zero( const uint8_t *buf, size_t size ) 116{ 117 for( size_t i = 0; i < size; i++ ) 118 if( buf[i] != 0 ) 119 return 0; 120 return 1; 121} 122#endif /* MBEDTLS_CIPHER_AUTH_CRYPT */ 123 124/* END_HEADER */ 125 126/* BEGIN_DEPENDENCIES 127 * depends_on:MBEDTLS_CIPHER_C 128 * END_DEPENDENCIES 129 */ 130 131/* BEGIN_CASE */ 132void mbedtls_cipher_list( ) 133{ 134 const int *cipher_type; 135 136 for( cipher_type = mbedtls_cipher_list(); *cipher_type != 0; cipher_type++ ) 137 { 138 const mbedtls_cipher_info_t *info = 139 mbedtls_cipher_info_from_type( *cipher_type ); 140 mbedtls_test_set_step( *cipher_type ); 141 if( ! check_cipher_info( *cipher_type, info ) ) 142 goto exit; 143 } 144} 145/* END_CASE */ 146 147/* BEGIN_CASE */ 148void cipher_invalid_param_unconditional( ) 149{ 150 mbedtls_cipher_context_t valid_ctx; 151 mbedtls_cipher_context_t invalid_ctx; 152 mbedtls_operation_t valid_operation = MBEDTLS_ENCRYPT; 153 mbedtls_cipher_padding_t valid_mode = MBEDTLS_PADDING_ZEROS; 154 unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; 155 int valid_size = sizeof(valid_buffer); 156 int valid_bitlen = valid_size * 8; 157 const mbedtls_cipher_info_t *valid_info = mbedtls_cipher_info_from_type( 158 *( mbedtls_cipher_list() ) ); 159 size_t size_t_var; 160 161 (void)valid_mode; /* In some configurations this is unused */ 162 163 mbedtls_cipher_init( &valid_ctx ); 164 mbedtls_cipher_setup( &valid_ctx, valid_info ); 165 mbedtls_cipher_init( &invalid_ctx ); 166 167 /* mbedtls_cipher_setup() */ 168 TEST_ASSERT( mbedtls_cipher_setup( &valid_ctx, NULL ) == 169 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 170 171 /* mbedtls_cipher_get_block_size() */ 172 TEST_ASSERT( mbedtls_cipher_get_block_size( &invalid_ctx ) == 0 ); 173 174 /* mbedtls_cipher_get_cipher_mode() */ 175 TEST_ASSERT( mbedtls_cipher_get_cipher_mode( &invalid_ctx ) == 176 MBEDTLS_MODE_NONE ); 177 178 /* mbedtls_cipher_get_iv_size() */ 179 TEST_ASSERT( mbedtls_cipher_get_iv_size( &invalid_ctx ) == 0 ); 180 181 /* mbedtls_cipher_get_type() */ 182 TEST_ASSERT( 183 mbedtls_cipher_get_type( &invalid_ctx ) == 184 MBEDTLS_CIPHER_NONE); 185 186 /* mbedtls_cipher_get_name() */ 187 TEST_ASSERT( mbedtls_cipher_get_name( &invalid_ctx ) == 0 ); 188 189 /* mbedtls_cipher_get_key_bitlen() */ 190 TEST_ASSERT( mbedtls_cipher_get_key_bitlen( &invalid_ctx ) == 191 MBEDTLS_KEY_LENGTH_NONE ); 192 193 /* mbedtls_cipher_get_operation() */ 194 TEST_ASSERT( mbedtls_cipher_get_operation( &invalid_ctx ) == 195 MBEDTLS_OPERATION_NONE ); 196 197 /* mbedtls_cipher_setkey() */ 198 TEST_ASSERT( 199 mbedtls_cipher_setkey( &invalid_ctx, 200 valid_buffer, 201 valid_bitlen, 202 valid_operation ) == 203 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 204 205 /* mbedtls_cipher_set_iv() */ 206 TEST_ASSERT( 207 mbedtls_cipher_set_iv( &invalid_ctx, 208 valid_buffer, 209 valid_size ) == 210 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 211 212 /* mbedtls_cipher_reset() */ 213 TEST_ASSERT( mbedtls_cipher_reset( &invalid_ctx ) == 214 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 215 216#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 217 /* mbedtls_cipher_update_ad() */ 218 TEST_ASSERT( 219 mbedtls_cipher_update_ad( &invalid_ctx, 220 valid_buffer, 221 valid_size ) == 222 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 223#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */ 224 225#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 226 /* mbedtls_cipher_set_padding_mode() */ 227 TEST_ASSERT( mbedtls_cipher_set_padding_mode( &invalid_ctx, valid_mode ) == 228 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 229#endif 230 231 /* mbedtls_cipher_update() */ 232 TEST_ASSERT( 233 mbedtls_cipher_update( &invalid_ctx, 234 valid_buffer, 235 valid_size, 236 valid_buffer, 237 &size_t_var ) == 238 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 239 240 /* mbedtls_cipher_finish() */ 241 TEST_ASSERT( 242 mbedtls_cipher_finish( &invalid_ctx, 243 valid_buffer, 244 &size_t_var ) == 245 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 246 247#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 248 /* mbedtls_cipher_write_tag() */ 249 TEST_ASSERT( 250 mbedtls_cipher_write_tag( &invalid_ctx, 251 valid_buffer, 252 valid_size ) == 253 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 254 255 /* mbedtls_cipher_check_tag() */ 256 TEST_ASSERT( 257 mbedtls_cipher_check_tag( &invalid_ctx, 258 valid_buffer, 259 valid_size ) == 260 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 261#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */ 262 263exit: 264 mbedtls_cipher_free( &invalid_ctx ); 265 mbedtls_cipher_free( &valid_ctx ); 266} 267/* END_CASE */ 268 269/* BEGIN_CASE depends_on:NOT_DEFINED */ 270void cipher_invalid_param_conditional( ) 271{ 272 mbedtls_cipher_context_t valid_ctx; 273 274 mbedtls_operation_t invalid_operation = 100; 275 unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; 276 int valid_size = sizeof(valid_buffer); 277 int valid_bitlen = valid_size * 8; 278 const mbedtls_cipher_info_t *valid_info = mbedtls_cipher_info_from_type( 279 *( mbedtls_cipher_list() ) ); 280 281 TEST_EQUAL( 282 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, 283 mbedtls_cipher_setkey( &valid_ctx, 284 valid_buffer, 285 valid_bitlen, 286 invalid_operation ) ); 287 288exit: 289 ; 290} 291/* END_CASE */ 292 293/* BEGIN_CASE depends_on:MBEDTLS_AES_C */ 294void cipher_special_behaviours( ) 295{ 296 const mbedtls_cipher_info_t *cipher_info; 297 mbedtls_cipher_context_t ctx; 298 unsigned char input[32]; 299 unsigned char output[32]; 300#if defined (MBEDTLS_CIPHER_MODE_CBC) 301 unsigned char iv[32]; 302#endif 303 size_t olen = 0; 304 305 mbedtls_cipher_init( &ctx ); 306 memset( input, 0, sizeof( input ) ); 307 memset( output, 0, sizeof( output ) ); 308#if defined(MBEDTLS_CIPHER_MODE_CBC) 309 memset( iv, 0, sizeof( iv ) ); 310 311 /* Check and get info structures */ 312 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_CBC ); 313 TEST_ASSERT( NULL != cipher_info ); 314 315 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, cipher_info ) ); 316 317 /* IV too big */ 318 TEST_ASSERT( mbedtls_cipher_set_iv( &ctx, iv, MBEDTLS_MAX_IV_LENGTH + 1 ) 319 == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 320 321 /* IV too small */ 322 TEST_ASSERT( mbedtls_cipher_set_iv( &ctx, iv, 0 ) 323 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 324 325 mbedtls_cipher_free( &ctx ); 326 mbedtls_cipher_init( &ctx ); 327#endif /* MBEDTLS_CIPHER_MODE_CBC */ 328 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB ); 329 TEST_ASSERT( NULL != cipher_info ); 330 331 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, cipher_info ) ); 332 333 /* Update ECB with partial block */ 334 TEST_ASSERT( mbedtls_cipher_update( &ctx, input, 1, output, &olen ) 335 == MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 336 337exit: 338 mbedtls_cipher_free( &ctx ); 339} 340/* END_CASE */ 341 342/* BEGIN_CASE */ 343void enc_dec_buf( int cipher_id, char * cipher_string, int key_len, 344 int length_val, int pad_mode ) 345{ 346 size_t length = length_val, outlen, total_len, i, block_size, iv_len; 347 unsigned char key[64]; 348 unsigned char iv[16]; 349 unsigned char ad[13]; 350 unsigned char tag[16]; 351 unsigned char inbuf[64]; 352 unsigned char encbuf[64]; 353 unsigned char decbuf[64]; 354 355 const mbedtls_cipher_info_t *cipher_info; 356 mbedtls_cipher_context_t ctx_dec; 357 mbedtls_cipher_context_t ctx_enc; 358 359 /* 360 * Prepare contexts 361 */ 362 mbedtls_cipher_init( &ctx_dec ); 363 mbedtls_cipher_init( &ctx_enc ); 364 365 memset( key, 0x2a, sizeof( key ) ); 366 367 /* Check and get info structures */ 368 cipher_info = mbedtls_cipher_info_from_type( cipher_id ); 369 TEST_ASSERT( NULL != cipher_info ); 370 TEST_ASSERT( mbedtls_cipher_info_from_string( cipher_string ) == cipher_info ); 371 TEST_ASSERT( strcmp( mbedtls_cipher_info_get_name( cipher_info ), 372 cipher_string ) == 0 ); 373 374 /* Initialise enc and dec contexts */ 375 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx_dec, cipher_info ) ); 376 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx_enc, cipher_info ) ); 377 378 TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx_dec, key, key_len, MBEDTLS_DECRYPT ) ); 379 TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx_enc, key, key_len, MBEDTLS_ENCRYPT ) ); 380 381#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 382 if( -1 != pad_mode ) 383 { 384 TEST_ASSERT( 0 == mbedtls_cipher_set_padding_mode( &ctx_dec, pad_mode ) ); 385 TEST_ASSERT( 0 == mbedtls_cipher_set_padding_mode( &ctx_enc, pad_mode ) ); 386 } 387#else 388 (void) pad_mode; 389#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 390 391 /* 392 * Do a few encode/decode cycles 393 */ 394 for( i = 0; i < 3; i++ ) 395 { 396 memset( iv , 0x00 + i, sizeof( iv ) ); 397 memset( ad, 0x10 + i, sizeof( ad ) ); 398 memset( inbuf, 0x20 + i, sizeof( inbuf ) ); 399 400 memset( encbuf, 0, sizeof( encbuf ) ); 401 memset( decbuf, 0, sizeof( decbuf ) ); 402 memset( tag, 0, sizeof( tag ) ); 403 404 if( NULL != strstr( cipher_info->name, "CCM*-NO-TAG") ) 405 iv_len = 13; /* For CCM, IV length is expected to be between 7 and 13 bytes. 406 * For CCM*-NO-TAG, IV length must be exactly 13 bytes long. */ 407 else 408 iv_len = sizeof(iv); 409 410 TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_dec, iv, iv_len ) ); 411 TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_enc, iv, iv_len ) ); 412 413 TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) ); 414 TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) ); 415 416#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 417 TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, ad, sizeof( ad ) - i ) ); 418 TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_enc, ad, sizeof( ad ) - i ) ); 419#endif 420 421 block_size = mbedtls_cipher_get_block_size( &ctx_enc ); 422 TEST_ASSERT( block_size != 0 ); 423 424 /* encode length number of bytes from inbuf */ 425 TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx_enc, inbuf, length, encbuf, &outlen ) ); 426 total_len = outlen; 427 428 TEST_ASSERT( total_len == length || 429 ( total_len % block_size == 0 && 430 total_len < length && 431 total_len + block_size > length ) ); 432 433 TEST_ASSERT( 0 == mbedtls_cipher_finish( &ctx_enc, encbuf + outlen, &outlen ) ); 434 total_len += outlen; 435 436#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 437 TEST_ASSERT( 0 == mbedtls_cipher_write_tag( &ctx_enc, tag, sizeof( tag ) ) ); 438#endif 439 440 TEST_ASSERT( total_len == length || 441 ( total_len % block_size == 0 && 442 total_len > length && 443 total_len <= length + block_size ) ); 444 445 /* decode the previously encoded string */ 446 TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx_dec, encbuf, total_len, decbuf, &outlen ) ); 447 total_len = outlen; 448 449 TEST_ASSERT( total_len == length || 450 ( total_len % block_size == 0 && 451 total_len < length && 452 total_len + block_size >= length ) ); 453 454 TEST_ASSERT( 0 == mbedtls_cipher_finish( &ctx_dec, decbuf + outlen, &outlen ) ); 455 total_len += outlen; 456 457#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 458 TEST_ASSERT( 0 == mbedtls_cipher_check_tag( &ctx_dec, tag, sizeof( tag ) ) ); 459#endif 460 461 /* check result */ 462 TEST_ASSERT( total_len == length ); 463 TEST_ASSERT( 0 == memcmp(inbuf, decbuf, length) ); 464 } 465 466 /* 467 * Done 468 */ 469exit: 470 mbedtls_cipher_free( &ctx_dec ); 471 mbedtls_cipher_free( &ctx_enc ); 472} 473/* END_CASE */ 474 475/* BEGIN_CASE */ 476void enc_fail( int cipher_id, int pad_mode, int key_len, int length_val, 477 int ret ) 478{ 479 size_t length = length_val; 480 unsigned char key[32]; 481 unsigned char iv[16]; 482 483 const mbedtls_cipher_info_t *cipher_info; 484 mbedtls_cipher_context_t ctx; 485 486 unsigned char inbuf[64]; 487 unsigned char encbuf[64]; 488 489 size_t outlen = 0; 490 491 memset( key, 0, 32 ); 492 memset( iv , 0, 16 ); 493 494 mbedtls_cipher_init( &ctx ); 495 496 memset( inbuf, 5, 64 ); 497 memset( encbuf, 0, 64 ); 498 499 /* Check and get info structures */ 500 cipher_info = mbedtls_cipher_info_from_type( cipher_id ); 501 TEST_ASSERT( NULL != cipher_info ); 502 503 /* Initialise context */ 504 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, cipher_info ) ); 505 TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key, key_len, MBEDTLS_ENCRYPT ) ); 506#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 507 TEST_ASSERT( 0 == mbedtls_cipher_set_padding_mode( &ctx, pad_mode ) ); 508#else 509 (void) pad_mode; 510#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 511 TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx, iv, 16 ) ); 512 TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) ); 513#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 514 TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx, NULL, 0 ) ); 515#endif 516 517 /* encode length number of bytes from inbuf */ 518 TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx, inbuf, length, encbuf, &outlen ) ); 519 TEST_ASSERT( ret == mbedtls_cipher_finish( &ctx, encbuf + outlen, &outlen ) ); 520 521 /* done */ 522exit: 523 mbedtls_cipher_free( &ctx ); 524} 525/* END_CASE */ 526 527/* BEGIN_CASE */ 528void dec_empty_buf( int cipher, 529 int expected_update_ret, 530 int expected_finish_ret ) 531{ 532 unsigned char key[32]; 533 unsigned char iv[16]; 534 535 mbedtls_cipher_context_t ctx_dec; 536 const mbedtls_cipher_info_t *cipher_info; 537 538 unsigned char encbuf[64]; 539 unsigned char decbuf[64]; 540 541 size_t outlen = 0; 542 543 memset( key, 0, 32 ); 544 memset( iv , 0, 16 ); 545 546 mbedtls_cipher_init( &ctx_dec ); 547 548 memset( encbuf, 0, 64 ); 549 memset( decbuf, 0, 64 ); 550 551 /* Initialise context */ 552 cipher_info = mbedtls_cipher_info_from_type( cipher ); 553 TEST_ASSERT( NULL != cipher_info); 554 TEST_ASSERT( sizeof(key) * 8 >= cipher_info->key_bitlen ); 555 556 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx_dec, cipher_info ) ); 557 558 TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx_dec, 559 key, cipher_info->key_bitlen, 560 MBEDTLS_DECRYPT ) ); 561 562 TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_dec, iv, 16 ) ); 563 564 TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) ); 565 566#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 567 TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) ); 568#endif 569 570 /* decode 0-byte string */ 571 TEST_ASSERT( expected_update_ret == 572 mbedtls_cipher_update( &ctx_dec, encbuf, 0, decbuf, &outlen ) ); 573 TEST_ASSERT( 0 == outlen ); 574 575 if ( expected_finish_ret == 0 && 576 ( cipher_info->mode == MBEDTLS_MODE_CBC || 577 cipher_info->mode == MBEDTLS_MODE_ECB ) ) 578 { 579 /* Non-CBC and non-ECB ciphers are OK with decrypting empty buffers and 580 * return success, not MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED, when 581 * decrypting an empty buffer. 582 * On the other hand, CBC and ECB ciphers need a full block of input. 583 */ 584 expected_finish_ret = MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 585 } 586 587 TEST_ASSERT( expected_finish_ret == mbedtls_cipher_finish( 588 &ctx_dec, decbuf + outlen, &outlen ) ); 589 TEST_ASSERT( 0 == outlen ); 590 591exit: 592 mbedtls_cipher_free( &ctx_dec ); 593} 594/* END_CASE */ 595 596/* BEGIN_CASE */ 597void enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_val, 598 int second_length_val, int pad_mode, 599 int first_encrypt_output_len, int second_encrypt_output_len, 600 int first_decrypt_output_len, int second_decrypt_output_len ) 601{ 602 size_t first_length = first_length_val; 603 size_t second_length = second_length_val; 604 size_t length = first_length + second_length; 605 size_t block_size; 606 size_t iv_len; 607 unsigned char key[32]; 608 unsigned char iv[16]; 609 610 mbedtls_cipher_context_t ctx_dec; 611 mbedtls_cipher_context_t ctx_enc; 612 const mbedtls_cipher_info_t *cipher_info; 613 614 unsigned char inbuf[64]; 615 unsigned char encbuf[64]; 616 unsigned char decbuf[64]; 617 618 size_t outlen = 0; 619 size_t totaloutlen = 0; 620 621 memset( key, 0, 32 ); 622 memset( iv , 0, 16 ); 623 624 mbedtls_cipher_init( &ctx_dec ); 625 mbedtls_cipher_init( &ctx_enc ); 626 627 memset( inbuf, 5, 64 ); 628 memset( encbuf, 0, 64 ); 629 memset( decbuf, 0, 64 ); 630 631 /* Initialise enc and dec contexts */ 632 cipher_info = mbedtls_cipher_info_from_type( cipher_id ); 633 TEST_ASSERT( NULL != cipher_info); 634 635 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx_dec, cipher_info ) ); 636 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx_enc, cipher_info ) ); 637 638 TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx_dec, key, key_len, MBEDTLS_DECRYPT ) ); 639 TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx_enc, key, key_len, MBEDTLS_ENCRYPT ) ); 640 641#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 642 if( -1 != pad_mode ) 643 { 644 TEST_ASSERT( 0 == mbedtls_cipher_set_padding_mode( &ctx_dec, pad_mode ) ); 645 TEST_ASSERT( 0 == mbedtls_cipher_set_padding_mode( &ctx_enc, pad_mode ) ); 646 } 647#else 648 (void) pad_mode; 649#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 650 651 if( NULL != strstr( cipher_info->name, "CCM*-NO-TAG") ) 652 iv_len = 13; /* For CCM, IV length is expected to be between 7 and 13 bytes. 653 * For CCM*-NO-TAG, IV length must be exactly 13 bytes long. */ 654 else 655 iv_len = sizeof(iv); 656 657 TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_dec, iv, iv_len ) ); 658 TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_enc, iv, iv_len ) ); 659 660 TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) ); 661 TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) ); 662 663#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 664 TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) ); 665 TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_enc, NULL, 0 ) ); 666#endif 667 668 block_size = mbedtls_cipher_get_block_size( &ctx_enc ); 669 TEST_ASSERT( block_size != 0 ); 670 671 /* encode length number of bytes from inbuf */ 672 TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx_enc, inbuf, first_length, encbuf, &outlen ) ); 673 TEST_ASSERT( (size_t)first_encrypt_output_len == outlen ); 674 totaloutlen = outlen; 675 TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx_enc, inbuf + first_length, second_length, encbuf + totaloutlen, &outlen ) ); 676 TEST_ASSERT( (size_t)second_encrypt_output_len == outlen ); 677 totaloutlen += outlen; 678 TEST_ASSERT( totaloutlen == length || 679 ( totaloutlen % block_size == 0 && 680 totaloutlen < length && 681 totaloutlen + block_size > length ) ); 682 683 TEST_ASSERT( 0 == mbedtls_cipher_finish( &ctx_enc, encbuf + totaloutlen, &outlen ) ); 684 totaloutlen += outlen; 685 TEST_ASSERT( totaloutlen == length || 686 ( totaloutlen % block_size == 0 && 687 totaloutlen > length && 688 totaloutlen <= length + block_size ) ); 689 690 /* decode the previously encoded string */ 691 second_length = totaloutlen - first_length; 692 TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx_dec, encbuf, first_length, decbuf, &outlen ) ); 693 TEST_ASSERT( (size_t)first_decrypt_output_len == outlen ); 694 totaloutlen = outlen; 695 TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx_dec, encbuf + first_length, second_length, decbuf + totaloutlen, &outlen ) ); 696 TEST_ASSERT( (size_t)second_decrypt_output_len == outlen ); 697 totaloutlen += outlen; 698 699 TEST_ASSERT( totaloutlen == length || 700 ( totaloutlen % block_size == 0 && 701 totaloutlen < length && 702 totaloutlen + block_size >= length ) ); 703 704 TEST_ASSERT( 0 == mbedtls_cipher_finish( &ctx_dec, decbuf + totaloutlen, &outlen ) ); 705 totaloutlen += outlen; 706 707 TEST_ASSERT( totaloutlen == length ); 708 709 TEST_ASSERT( 0 == memcmp(inbuf, decbuf, length) ); 710 711exit: 712 mbedtls_cipher_free( &ctx_dec ); 713 mbedtls_cipher_free( &ctx_enc ); 714} 715/* END_CASE */ 716 717/* BEGIN_CASE */ 718void decrypt_test_vec( int cipher_id, int pad_mode, data_t * key, 719 data_t * iv, data_t * cipher, 720 data_t * clear, data_t * ad, data_t * tag, 721 int finish_result, int tag_result ) 722{ 723 unsigned char output[265]; 724 mbedtls_cipher_context_t ctx; 725 size_t outlen, total_len; 726 727 mbedtls_cipher_init( &ctx ); 728 729 memset( output, 0x00, sizeof( output ) ); 730 731#if !defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CHACHAPOLY_C) 732 ((void) ad); 733 ((void) tag); 734#endif 735 736 /* Prepare context */ 737 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, 738 mbedtls_cipher_info_from_type( cipher_id ) ) ); 739 TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, MBEDTLS_DECRYPT ) ); 740#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 741 if( pad_mode != -1 ) 742 TEST_ASSERT( 0 == mbedtls_cipher_set_padding_mode( &ctx, pad_mode ) ); 743#else 744 (void) pad_mode; 745#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 746 TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx, iv->x, iv->len ) ); 747 TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) ); 748#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 749 TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx, ad->x, ad->len ) ); 750#endif 751 752 /* decode buffer and check tag->x */ 753 total_len = 0; 754 TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx, cipher->x, cipher->len, output, &outlen ) ); 755 total_len += outlen; 756 TEST_ASSERT( finish_result == mbedtls_cipher_finish( &ctx, output + outlen, 757 &outlen ) ); 758 total_len += outlen; 759#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 760 TEST_ASSERT( tag_result == mbedtls_cipher_check_tag( &ctx, tag->x, tag->len ) ); 761#endif 762 763 /* check plaintext only if everything went fine */ 764 if( 0 == finish_result && 0 == tag_result ) 765 { 766 TEST_ASSERT( total_len == clear->len ); 767 TEST_ASSERT( 0 == memcmp( output, clear->x, clear->len ) ); 768 } 769 770exit: 771 mbedtls_cipher_free( &ctx ); 772} 773/* END_CASE */ 774 775/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_AUTH_CRYPT */ 776void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, 777 data_t * ad, data_t * cipher, data_t * tag, 778 char * result, data_t * clear, int use_psa ) 779{ 780 /* 781 * Take an AEAD ciphertext + tag and perform a pair 782 * of AEAD decryption and AEAD encryption. Check that 783 * this results in the expected plaintext, and that 784 * decryption and encryption are inverse to one another. 785 */ 786 787 int ret; 788 int using_nist_kw, using_nist_kw_padding; 789 790 mbedtls_cipher_context_t ctx; 791 size_t outlen; 792 793 unsigned char *cipher_plus_tag = NULL; 794 size_t cipher_plus_tag_len; 795 unsigned char *decrypt_buf = NULL; 796 size_t decrypt_buf_len = 0; 797 unsigned char *encrypt_buf = NULL; 798 size_t encrypt_buf_len = 0; 799 800 /* Null pointers are documented as valid for inputs of length 0. 801 * The test framework passes non-null pointers, so set them to NULL. 802 * key, cipher and tag can't be empty. */ 803 if( iv->len == 0 ) 804 iv->x = NULL; 805 if( ad->len == 0 ) 806 ad->x = NULL; 807 if( clear->len == 0 ) 808 clear->x = NULL; 809 810 mbedtls_cipher_init( &ctx ); 811 812 /* Initialize PSA Crypto */ 813#if defined(MBEDTLS_USE_PSA_CRYPTO) 814 if( use_psa == 1 ) 815 PSA_ASSERT( psa_crypto_init( ) ); 816#else 817 (void) use_psa; 818#endif 819 820 /* 821 * Are we using NIST_KW? with padding? 822 */ 823 using_nist_kw_padding = cipher_id == MBEDTLS_CIPHER_AES_128_KWP || 824 cipher_id == MBEDTLS_CIPHER_AES_192_KWP || 825 cipher_id == MBEDTLS_CIPHER_AES_256_KWP; 826 using_nist_kw = cipher_id == MBEDTLS_CIPHER_AES_128_KW || 827 cipher_id == MBEDTLS_CIPHER_AES_192_KW || 828 cipher_id == MBEDTLS_CIPHER_AES_256_KW || 829 using_nist_kw_padding; 830 831 /* 832 * Prepare context for decryption 833 */ 834 if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, 835 MBEDTLS_DECRYPT ) ) 836 goto exit; 837 838 /* 839 * prepare buffer for decryption 840 * (we need the tag appended to the ciphertext) 841 */ 842 cipher_plus_tag_len = cipher->len + tag->len; 843 ASSERT_ALLOC( cipher_plus_tag, cipher_plus_tag_len ); 844 memcpy( cipher_plus_tag, cipher->x, cipher->len ); 845 memcpy( cipher_plus_tag + cipher->len, tag->x, tag->len ); 846 847 /* 848 * Compute length of output buffer according to the documentation 849 */ 850 if( using_nist_kw ) 851 decrypt_buf_len = cipher_plus_tag_len - 8; 852 else 853 decrypt_buf_len = cipher_plus_tag_len - tag->len; 854 855 856 /* 857 * Try decrypting to a buffer that's 1B too small 858 */ 859 if( decrypt_buf_len != 0 ) 860 { 861 ASSERT_ALLOC( decrypt_buf, decrypt_buf_len - 1 ); 862 863 outlen = 0; 864 ret = mbedtls_cipher_auth_decrypt_ext( &ctx, iv->x, iv->len, 865 ad->x, ad->len, cipher_plus_tag, cipher_plus_tag_len, 866 decrypt_buf, decrypt_buf_len - 1, &outlen, tag->len ); 867 TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 868 869 mbedtls_free( decrypt_buf ); 870 decrypt_buf = NULL; 871 } 872 873 /* 874 * Authenticate and decrypt, and check result 875 */ 876 ASSERT_ALLOC( decrypt_buf, decrypt_buf_len ); 877 878 outlen = 0; 879 ret = mbedtls_cipher_auth_decrypt_ext( &ctx, iv->x, iv->len, 880 ad->x, ad->len, cipher_plus_tag, cipher_plus_tag_len, 881 decrypt_buf, decrypt_buf_len, &outlen, tag->len ); 882 883 if( strcmp( result, "FAIL" ) == 0 ) 884 { 885 TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ); 886 TEST_ASSERT( buffer_is_all_zero( decrypt_buf, decrypt_buf_len ) ); 887 } 888 else 889 { 890 TEST_ASSERT( ret == 0 ); 891 ASSERT_COMPARE( decrypt_buf, outlen, clear->x, clear->len ); 892 } 893 894 mbedtls_free( decrypt_buf ); 895 decrypt_buf = NULL; 896 897 /* 898 * Encrypt back if test data was authentic 899 */ 900 if( strcmp( result, "FAIL" ) != 0 ) 901 { 902 /* prepare context for encryption */ 903 if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key, 904 MBEDTLS_ENCRYPT ) ) 905 goto exit; 906 907 /* 908 * Compute size of output buffer according to documentation 909 */ 910 if( using_nist_kw ) 911 { 912 encrypt_buf_len = clear->len + 8; 913 if( using_nist_kw_padding && encrypt_buf_len % 8 != 0 ) 914 encrypt_buf_len += 8 - encrypt_buf_len % 8; 915 } 916 else 917 { 918 encrypt_buf_len = clear->len + tag->len; 919 } 920 921 /* 922 * Try encrypting with an output buffer that's 1B too small 923 */ 924 ASSERT_ALLOC( encrypt_buf, encrypt_buf_len - 1 ); 925 926 outlen = 0; 927 ret = mbedtls_cipher_auth_encrypt_ext( &ctx, iv->x, iv->len, 928 ad->x, ad->len, clear->x, clear->len, 929 encrypt_buf, encrypt_buf_len - 1, &outlen, tag->len ); 930 TEST_ASSERT( ret != 0 ); 931 932 mbedtls_free( encrypt_buf ); 933 encrypt_buf = NULL; 934 935 /* 936 * Encrypt and check the result 937 */ 938 ASSERT_ALLOC( encrypt_buf, encrypt_buf_len ); 939 940 outlen = 0; 941 ret = mbedtls_cipher_auth_encrypt_ext( &ctx, iv->x, iv->len, 942 ad->x, ad->len, clear->x, clear->len, 943 encrypt_buf, encrypt_buf_len, &outlen, tag->len ); 944 TEST_ASSERT( ret == 0 ); 945 946 TEST_ASSERT( outlen == cipher->len + tag->len ); 947 TEST_ASSERT( memcmp( encrypt_buf, cipher->x, cipher->len ) == 0 ); 948 TEST_ASSERT( memcmp( encrypt_buf + cipher->len, 949 tag->x, tag->len ) == 0 ); 950 951 mbedtls_free( encrypt_buf ); 952 encrypt_buf = NULL; 953 } 954 955exit: 956 957 mbedtls_cipher_free( &ctx ); 958 mbedtls_free( decrypt_buf ); 959 mbedtls_free( encrypt_buf ); 960 mbedtls_free( cipher_plus_tag ); 961 962#if defined(MBEDTLS_USE_PSA_CRYPTO) 963 if( use_psa == 1 ) 964 PSA_DONE( ); 965#endif /* MBEDTLS_USE_PSA_CRYPTO */ 966} 967/* END_CASE */ 968 969/* BEGIN_CASE */ 970void test_vec_ecb( int cipher_id, int operation, data_t * key, 971 data_t * input, data_t * result, int finish_result 972 ) 973{ 974 mbedtls_cipher_context_t ctx; 975 unsigned char output[32]; 976 size_t outlen; 977 978 mbedtls_cipher_init( &ctx ); 979 980 memset( output, 0x00, sizeof( output ) ); 981 982 /* Prepare context */ 983 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, 984 mbedtls_cipher_info_from_type( cipher_id ) ) ); 985 986 987 TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, operation ) ); 988 989 TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx, input->x, 990 mbedtls_cipher_get_block_size( &ctx ), 991 output, &outlen ) ); 992 TEST_ASSERT( outlen == mbedtls_cipher_get_block_size( &ctx ) ); 993 TEST_ASSERT( finish_result == mbedtls_cipher_finish( &ctx, output + outlen, 994 &outlen ) ); 995 TEST_ASSERT( 0 == outlen ); 996 997 /* check plaintext only if everything went fine */ 998 if( 0 == finish_result ) 999 TEST_ASSERT( 0 == memcmp( output, result->x, 1000 mbedtls_cipher_get_block_size( &ctx ) ) ); 1001 1002exit: 1003 mbedtls_cipher_free( &ctx ); 1004} 1005/* END_CASE */ 1006 1007/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1008void test_vec_crypt( int cipher_id, int operation, data_t *key, 1009 data_t *iv, data_t *input, data_t *result, 1010 int finish_result, int use_psa ) 1011{ 1012 mbedtls_cipher_context_t ctx; 1013 unsigned char output[32]; 1014 size_t outlen; 1015 1016 mbedtls_cipher_init( &ctx ); 1017 1018 memset( output, 0x00, sizeof( output ) ); 1019 1020 /* Prepare context */ 1021#if !defined(MBEDTLS_USE_PSA_CRYPTO) 1022 (void) use_psa; 1023#else 1024 if( use_psa == 1 ) 1025 { 1026 PSA_ASSERT( psa_crypto_init( ) ); 1027 TEST_ASSERT( 0 == mbedtls_cipher_setup_psa( &ctx, 1028 mbedtls_cipher_info_from_type( cipher_id ), 0 ) ); 1029 } 1030 else 1031#endif /* MBEDTLS_USE_PSA_CRYPTO */ 1032 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, 1033 mbedtls_cipher_info_from_type( cipher_id ) ) ); 1034 1035 TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, operation ) ); 1036 if( MBEDTLS_MODE_CBC == ctx.cipher_info->mode ) 1037 TEST_ASSERT( 0 == mbedtls_cipher_set_padding_mode( &ctx, MBEDTLS_PADDING_NONE ) ); 1038 1039 TEST_ASSERT( finish_result == mbedtls_cipher_crypt( &ctx, iv->len ? iv->x : NULL, 1040 iv->len, input->x, input->len, 1041 output, &outlen ) ); 1042 TEST_ASSERT( result->len == outlen ); 1043 /* check plaintext only if everything went fine */ 1044 if( 0 == finish_result ) 1045 TEST_ASSERT( 0 == memcmp( output, result->x, outlen ) ); 1046 1047exit: 1048 mbedtls_cipher_free( &ctx ); 1049#if defined(MBEDTLS_USE_PSA_CRYPTO) 1050 PSA_DONE( ); 1051#endif /* MBEDTLS_USE_PSA_CRYPTO */ 1052} 1053/* END_CASE */ 1054 1055/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1056void set_padding( int cipher_id, int pad_mode, int ret ) 1057{ 1058 const mbedtls_cipher_info_t *cipher_info; 1059 mbedtls_cipher_context_t ctx; 1060 1061 mbedtls_cipher_init( &ctx ); 1062 1063 cipher_info = mbedtls_cipher_info_from_type( cipher_id ); 1064 TEST_ASSERT( NULL != cipher_info ); 1065 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, cipher_info ) ); 1066 1067 TEST_ASSERT( ret == mbedtls_cipher_set_padding_mode( &ctx, pad_mode ) ); 1068 1069exit: 1070 mbedtls_cipher_free( &ctx ); 1071} 1072/* END_CASE */ 1073 1074/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */ 1075void check_padding( int pad_mode, data_t * input, int ret, int dlen_check 1076 ) 1077{ 1078 mbedtls_cipher_info_t cipher_info; 1079 mbedtls_cipher_context_t ctx; 1080 size_t dlen; 1081 1082 /* build a fake context just for getting access to get_padding */ 1083 mbedtls_cipher_init( &ctx ); 1084 cipher_info.mode = MBEDTLS_MODE_CBC; 1085 ctx.cipher_info = &cipher_info; 1086 1087 TEST_ASSERT( 0 == mbedtls_cipher_set_padding_mode( &ctx, pad_mode ) ); 1088 1089 1090 TEST_ASSERT( ret == ctx.get_padding( input->x, input->len, &dlen ) ); 1091 if( 0 == ret ) 1092 TEST_ASSERT( dlen == (size_t) dlen_check ); 1093} 1094/* END_CASE */ 1095