diff --git a/ChangeLog.d/gcm-update.txt b/ChangeLog.d/gcm-update.txt index 0fffd094d0..858bd0a734 100644 --- a/ChangeLog.d/gcm-update.txt +++ b/ChangeLog.d/gcm-update.txt @@ -15,3 +15,5 @@ Features * The multi-part GCM interface (mbedtls_gcm_update() or mbedtls_cipher_update()) no longer requires the size of partial inputs to be a multiple of 16. + * The multi-part GCM interface now supports chunked associated data through + multiple calls to mbedtls_gcm_update_ad(). diff --git a/docs/3.0-migration-guide.d/gcm-multipart.md b/docs/3.0-migration-guide.d/gcm-multipart.md index 98e9fad2e1..ebc6397fa0 100644 --- a/docs/3.0-migration-guide.d/gcm-multipart.md +++ b/docs/3.0-migration-guide.d/gcm-multipart.md @@ -6,7 +6,6 @@ This changes the interface for applications using the GCM module directly for mu Applications using one-shot GCM or using GCM via the `mbedtls_cipher_xxx` or `psa_aead_xxx` interfaces do not require any changes. * `mbedtls_gcm_starts()` now only sets the mode and the nonce (IV). Call the new function `mbedtls_gcm_update_ad()` to pass the associated data. -* The current implementation has a limitation that `mbedtls_gcm_update_ad()` may only be called once. This limitation will be lifted shortly; watch https://github.com/ARMmbed/mbedtls/issues/4351 for updates. * `mbedtls_gcm_update()` now takes an extra parameter to indicate the actual output length. In Mbed TLS 2.x, applications had to pass inputs consisting of whole 16-byte blocks except for the last block (this limitation has been lifted). In this case: * As long as the input remains block-aligned, the output length is exactly the input length, as before. * If the length of the last input is not a multiple of 16, alternative implementations may return the last partial block in the call to `mbedtls_gcm_finish()` instead of returning it in the last call to `mbedtls_gcm_update()`. diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 63c53094f5..99dc7c79b9 100644 
--- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -725,8 +725,6 @@ int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx ); /** * \brief This function adds additional data for AEAD ciphers. * Currently supported with GCM and ChaCha20+Poly1305. - * This must be called exactly once, after - * mbedtls_cipher_reset(). * * \param ctx The generic cipher context. This must be initialized. * \param ad The additional data to use. This must be a readable diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index c8e384ad89..f3c30350de 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h @@ -246,11 +246,6 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, * you do not need to call this function. You may not * call this function after calling mbedtls_cipher_update(). * - * \note This function may only be called once per operation: - * you must pass the whole associated data in a single - * call. This limitation will be lifted in a future version - * of Mbed TLS. - * * \param ctx The GCM context. This must have been started with * mbedtls_gcm_starts() and must not have yet received * any input with mbedtls_gcm_update(). diff --git a/library/gcm.c b/library/gcm.c index 2bd907115e..8fa4ee779b 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -281,7 +281,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, GCM_VALIDATE_RET( ctx != NULL ); GCM_VALIDATE_RET( iv != NULL ); - /* IV is are limited to 2^64 bits, so 2^61 bytes */ + /* IV is limited to 2^64 bits, so 2^61 bytes */ /* IV is not allowed to be zero length */ if( iv_len == 0 || (uint64_t) iv_len >> 61 != 0 ) return( MBEDTLS_ERR_GCM_BAD_INPUT ); 
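Review bot: Removing "This must be called exactly once, after mbedtls_cipher_reset()" from this comment drops two constraints at once, and nothing in this diff changes the cipher layer to back that up; only library/gcm.c is modified. The ordering half presumably still holds and should stay, for example `This must be called after mbedtls_cipher_reset() and before mbedtls_cipher_update().` The comment also covers ChaCha20+Poly1305, so before the "exactly once" wording goes it is worth confirming that both that path and the GCM path behind this function accept repeated calls. If either restarts the operation on each call, a caller who chunks AD through this API would get a tag that does not cover the full AD.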
@@ -332,36 +332,72 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, return( 0 ); } - +/** + * mbedtls_gcm_context::buf contains the partial state of the computation of + * the authentication tag. + * mbedtls_gcm_context::add_len and mbedtls_gcm_context::len indicate + * different stages of the computation: + * * len == 0 && add_len == 0: initial state + * * len == 0 && add_len % 16 != 0: the first `add_len % 16` bytes have + * a partial block of AD that has been + * xored in but not yet multiplied in. + * * len == 0 && add_len % 16 == 0: the authentication tag is correct if + * the data ends now. + * * len % 16 != 0: the first `len % 16` bytes have + * a partial block of ciphertext that has + * been xored in but not yet multiplied in. + * * len > 0 && len % 16 == 0: the authentication tag is correct if + * the data ends now. + */ int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx, const unsigned char *add, size_t add_len ) { const unsigned char *p; - size_t use_len, i; + size_t use_len, i, offset; GCM_VALIDATE_RET( add_len == 0 || add != NULL ); - /* IV is are limited to 2^64 bits, so 2^61 bytes */ + /* IV is limited to 2^64 bits, so 2^61 bytes */ if( (uint64_t) add_len >> 61 != 0 ) return( MBEDTLS_ERR_GCM_BAD_INPUT ); - /* Calling update_ad multiple times is not yet supported */ - if( ctx->add_len != 0 ) - return( MBEDTLS_ERR_GCM_BAD_INPUT ); - - ctx->add_len = add_len; + offset = ctx->add_len % 16; p = add; - while( add_len > 0 ) + + if( offset != 0 ) { - use_len = ( add_len < 16 ) ? 
add_len : 16; + use_len = 16 - offset; + if( use_len > add_len ) + use_len = add_len; for( i = 0; i < use_len; i++ ) + ctx->buf[i+offset] ^= p[i]; + + if( offset + use_len == 16 ) + gcm_mult( ctx, ctx->buf, ctx->buf ); + + ctx->add_len += use_len; + add_len -= use_len; + p += use_len; + } + + ctx->add_len += add_len; + + while( add_len >= 16 ) + { + for( i = 0; i < 16; i++ ) ctx->buf[i] ^= p[i]; gcm_mult( ctx, ctx->buf, ctx->buf ); - add_len -= use_len; - p += use_len; + add_len -= 16; + p += 16; + } + + if( add_len > 0 ) + { + for( i = 0; i < add_len; i++ ) + ctx->buf[i] ^= p[i]; } return( 0 ); @@ -423,7 +459,9 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx, *output_length = input_length; /* Exit early if input_length==0 so that we don't do any pointer arithmetic - * on a potentially null pointer. */ + * on a potentially null pointer. + * Returning early also means that the last partial block of AD remains + * untouched for mbedtls_gcm_finish */ if( input_length == 0 ) return( 0 ); @@ -442,6 +480,11 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx, return( MBEDTLS_ERR_GCM_BAD_INPUT ); } + if( ctx->len == 0 && ctx->add_len % 16 != 0 ) + { + gcm_mult( ctx, ctx->buf, ctx->buf ); + } + offset = ctx->len % 16; if( offset != 0 ) { @@ -507,6 +550,11 @@ int mbedtls_gcm_finish( mbedtls_gcm_context *ctx, orig_len = ctx->len * 8; orig_add_len = ctx->add_len * 8; + if( ctx->len == 0 && ctx->add_len % 16 != 0 ) + { + gcm_mult( ctx, ctx->buf, ctx->buf ); + } + if( tag_len > 16 || tag_len < 4 ) return( MBEDTLS_ERR_GCM_BAD_INPUT ); diff --git a/tests/suites/test_suite_gcm.aes128_de.data b/tests/suites/test_suite_gcm.aes128_de.data index c865b0cba6..3df31e56bf 100644 --- a/tests/suites/test_suite_gcm.aes128_de.data +++ b/tests/suites/test_suite_gcm.aes128_de.data 
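Review bot: The length guard at the top of mbedtls_gcm_update_ad() bounds only the current chunk, so across repeated calls the running total in `ctx->add_len` can exceed the 2^61-byte limit on associated data, and the bit length computed in mbedtls_gcm_finish() (`ctx->add_len * 8`) could then wrap. The check should cover the accumulated length, for example `if( (uint64_t) add_len >> 61 != 0 || ( (uint64_t) ctx->add_len + add_len ) >> 61 != 0 )`, and the comment above it should say AD rather than IV. Nothing visible here rejects a call made after mbedtls_gcm_update() has consumed input (`ctx->len != 0`), although the header documents that as forbidden. In that case the AD bytes would be xored into the ciphertext GHASH state, so returning MBEDTLS_ERR_GCM_BAD_INPUT would turn a silently wrong tag into an error.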
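Review bot: The added `gcm_mult( ctx, ctx->buf, ctx->buf )` in mbedtls_gcm_finish() runs before the `tag_len > 16 || tag_len < 4` validation, so a call rejected with MBEDTLS_ERR_GCM_BAD_INPUT has already folded the pending partial AD block into `ctx->buf`. `ctx->len` and `ctx->add_len` are unchanged at that point, so if a caller retries finish on the same context with a valid tag length, the multiplication happens a second time and the tag comes out different. Moving the new `if( ctx->len == 0 && ctx->add_len % 16 != 0 )` block below the tag_len check keeps a failed call free of side effects. The function body continues outside the hunk.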
@@ -670,6 +670,58 @@ AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2 [#2] depends_on:MBEDTLS_AES_C gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"659b9e729d12f68b73fdc2f7260ab114":"fd0732a38224c3f16f58de3a7f333da2ecdb6eec92b469544a891966dd4f8fb64a711a793f1ef6a90e49765eacaccdd8cc438c2b57c51902d27a82ee4f24925a864a9513a74e734ddbf77204a99a3c0060fcfbaccae48fe509bc95c3d6e1b1592889c489801265715e6e4355a45357ce467c1caa2f1c3071bd3a9168a7d223e3":"459df18e2dfbd66d6ad04978432a6d97":"ee0b0b52a729c45b899cc924f46eb1908e55aaaeeaa0c4cdaacf57948a7993a6debd7b6cd7aa426dc3b3b6f56522ba3d5700a820b1697b8170bad9ca7caf1050f13d54fb1ddeb111086cb650e1c5f4a14b6a927205a83bf49f357576fd0f884a83b068154352076a6e36a5369436d2c8351f3e6bfec65b4816e3eb3f144ed7f9":32:"8e5a6a79":"FAIL":"":0 +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 128 bytes, ciphertext updates: 0 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":0 + +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 128 bytes, ciphertext updates: 1 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":1 + +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 128 bytes, ciphertext updates: 2 +depends_on:MBEDTLS_AES_C 
+gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":2 + +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 90 bytes, ciphertext updates: 0 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"42c6e06f7f07c793864f6033f9022a41":"bd1258f14570dc663f81c31916bcb45490a7df15c95d827fd9e36aaf12f8fc51b8c0bc823faf1cccf9e6d6d3b132e874993325a1a2b1b61f9dacbb4a458de8d25dbf0ba4282d64a06686ddd0f099300b98e91362ffbeb44ebd22ad3c92ee06b230e234f85363642f57d0154aee09ff08d0e560b5728a5db8a18b26438177c45f":"ef675d5e33198af58e72d7f379dd35bd7234aa7a52ae28531ee2e77d6bf30f05c507b8cc72361f11e70017b30c0e374dd283d29c324c67d43d92868485b0ac2cc4e0dfef362df74c927f935d630611fa26c5be9bea49291d3875":"6640b62190bb4a11d4c7b37039bba6fb":0 + +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 90 bytes, ciphertext updates: 1 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"42c6e06f7f07c793864f6033f9022a41":"bd1258f14570dc663f81c31916bcb45490a7df15c95d827fd9e36aaf12f8fc51b8c0bc823faf1cccf9e6d6d3b132e874993325a1a2b1b61f9dacbb4a458de8d25dbf0ba4282d64a06686ddd0f099300b98e91362ffbeb44ebd22ad3c92ee06b230e234f85363642f57d0154aee09ff08d0e560b5728a5db8a18b26438177c45f":"ef675d5e33198af58e72d7f379dd35bd7234aa7a52ae28531ee2e77d6bf30f05c507b8cc72361f11e70017b30c0e374dd283d29c324c67d43d92868485b0ac2cc4e0dfef362df74c927f935d630611fa26c5be9bea49291d3875":"6640b62190bb4a11d4c7b37039bba6fb":1 + +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 90 bytes, ciphertext updates: 2 +depends_on:MBEDTLS_AES_C 
+gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"42c6e06f7f07c793864f6033f9022a41":"bd1258f14570dc663f81c31916bcb45490a7df15c95d827fd9e36aaf12f8fc51b8c0bc823faf1cccf9e6d6d3b132e874993325a1a2b1b61f9dacbb4a458de8d25dbf0ba4282d64a06686ddd0f099300b98e91362ffbeb44ebd22ad3c92ee06b230e234f85363642f57d0154aee09ff08d0e560b5728a5db8a18b26438177c45f":"ef675d5e33198af58e72d7f379dd35bd7234aa7a52ae28531ee2e77d6bf30f05c507b8cc72361f11e70017b30c0e374dd283d29c324c67d43d92868485b0ac2cc4e0dfef362df74c927f935d630611fa26c5be9bea49291d3875":"6640b62190bb4a11d4c7b37039bba6fb":2 + +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 128 bytes, AD updates: 0 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":0 + +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 128 bytes, AD updates: 1 +depends_on:MBEDTLS_AES_C 
+gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":1 + +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 128 bytes, AD updates: 2 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":2 + +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 51 bytes, AD updates: 0 +depends_on:MBEDTLS_AES_C 
+gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"24168b48b45759c8d4f9b061f0cbc16a":"b8e5ede75254cc4542191c7e7b0319ad81651451b639caf81c81c98301a4a0af70e291a4e35b448917be1e400fc64a22edf32913162558c2591ee3e80f397d73dfbc68b82da49bda9bcbb6aaf26919e21c1773cf51f6c5b71784f47978cc0d593b4be0259ab22b0b48de733a884c50a8c148c495973a8f5f84f2e93755666bf5":"be19c7e3d3e63f73d833c967d8d62f388ab9617a2adebe5abd99b5ec64599c46bc28bc62770e08995b0bbf27089e3e17b80424":"4aec633d4daed9ce76d697c11f66f34e":"cb7f10bda7da8a2569ed1f3b667127a1e0fb197283aa16ab8cddd43186bd126b118e671cab3e325877fe0e79f1863f89122c8f":0 + +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 51 bytes, AD updates: 1 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"24168b48b45759c8d4f9b061f0cbc16a":"b8e5ede75254cc4542191c7e7b0319ad81651451b639caf81c81c98301a4a0af70e291a4e35b448917be1e400fc64a22edf32913162558c2591ee3e80f397d73dfbc68b82da49bda9bcbb6aaf26919e21c1773cf51f6c5b71784f47978cc0d593b4be0259ab22b0b48de733a884c50a8c148c495973a8f5f84f2e93755666bf5":"be19c7e3d3e63f73d833c967d8d62f388ab9617a2adebe5abd99b5ec64599c46bc28bc62770e08995b0bbf27089e3e17b80424":"4aec633d4daed9ce76d697c11f66f34e":"cb7f10bda7da8a2569ed1f3b667127a1e0fb197283aa16ab8cddd43186bd126b118e671cab3e325877fe0e79f1863f89122c8f":1 + +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 51 bytes, AD updates: 2 +depends_on:MBEDTLS_AES_C 
+gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"24168b48b45759c8d4f9b061f0cbc16a":"b8e5ede75254cc4542191c7e7b0319ad81651451b639caf81c81c98301a4a0af70e291a4e35b448917be1e400fc64a22edf32913162558c2591ee3e80f397d73dfbc68b82da49bda9bcbb6aaf26919e21c1773cf51f6c5b71784f47978cc0d593b4be0259ab22b0b48de733a884c50a8c148c495973a8f5f84f2e93755666bf5":"be19c7e3d3e63f73d833c967d8d62f388ab9617a2adebe5abd99b5ec64599c46bc28bc62770e08995b0bbf27089e3e17b80424":"4aec633d4daed9ce76d697c11f66f34e":"cb7f10bda7da8a2569ed1f3b667127a1e0fb197283aa16ab8cddd43186bd126b118e671cab3e325877fe0e79f1863f89122c8f":2 + +AES-GCM NIST - empty AD, empty ciphertext +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_no_ad_no_cipher:MBEDTLS_CIPHER_ID_AES:"cf063a34d4a9a76c2c86787d3f96db71":"113b9785971864c83b01c787":"72ac8493e3a5228b5d130a69d2510e42" + AES-GCM Bad IV (AES-128,128,0,0,32) #0 depends_on:MBEDTLS_AES_C gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT diff --git a/tests/suites/test_suite_gcm.aes128_en.data b/tests/suites/test_suite_gcm.aes128_en.data index b1dae75390..d60c458bcd 100644 --- a/tests/suites/test_suite_gcm.aes128_en.data +++ b/tests/suites/test_suite_gcm.aes128_en.data 
@@ -670,6 +670,58 @@ AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2 [#2] depends_on:MBEDTLS_AES_C gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fe481476fce76efcfc78ed144b0756f1":"246e1f2babab8da98b17cc928bd49504d7d87ea2cc174f9ffb7dbafe5969ff824a0bcb52f35441d22f3edcd10fab0ec04c0bde5abd3624ca25cbb4541b5d62a3deb52c00b75d68aaf0504d51f95b8dcbebdd8433f4966c584ac7f8c19407ca927a79fa4ead2688c4a7baafb4c31ef83c05e8848ec2b4f657aab84c109c91c277":"1a2c18c6bf13b3b2785610c71ccd98ca":"b0ab3cb5256575774b8242b89badfbe0dfdfd04f5dd75a8e5f218b28d3f6bc085a013defa5f5b15dfb46132db58ed7a9ddb812d28ee2f962796ad988561a381c02d1cf37dca5fd33e081d61cc7b3ab0b477947524a4ca4cb48c36f48b302c440be6f5777518a60585a8a16cea510dbfc5580b0daac49a2b1242ff55e91a8eae8":"5587620bbb77f70afdf3cdb7ae390edd0473286d86d3f862ad70902d90ff1d315947c959f016257a8fe1f52cc22a54f21de8cb60b74808ac7b22ea7a15945371e18b77c9571aad631aa080c60c1e472019fa85625fc80ed32a51d05e397a8987c8fece197a566689d24d05361b6f3a75616c89db6123bf5902960b21a18bc03a":32:"bd4265a8":0 +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 128 bytes, ciphertext updates: 0 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":0 + +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 128 bytes, ciphertext updates: 1 +depends_on:MBEDTLS_AES_C 
+gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":1 + +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 128 bytes, ciphertext updates: 2 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":2 + +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 90 bytes, ciphertext updates: 0 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"20b5b6b854e187b058a84d57bc1538b6":"94c1935afc061cbf254b936f":"ca418e71dbf810038174eaa3719b3fcb80531c7110ad9192d105eeaafa15b819ac005668752b344ed1b22faf77048baf03dbddb3b47d6b00e95c4f005e0cc9b7627ccafd3f21b3312aa8d91d3fa0893fe5bff7d44ca46f23afe0":"b37286ebaf4a54e0ffc2a1deafc9f6db":0 + +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 90 bytes, ciphertext updates: 1 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"20b5b6b854e187b058a84d57bc1538b6":"94c1935afc061cbf254b936f":"ca418e71dbf810038174eaa3719b3fcb80531c7110ad9192d105eeaafa15b819ac005668752b344ed1b22faf77048baf03dbddb3b47d6b00e95c4f005e0cc9b7627ccafd3f21b3312aa8d91d3fa0893fe5bff7d44ca46f23afe0":"b37286ebaf4a54e0ffc2a1deafc9f6db":1 + +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 90 bytes, ciphertext updates: 2 +depends_on:MBEDTLS_AES_C 
+gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"20b5b6b854e187b058a84d57bc1538b6":"94c1935afc061cbf254b936f":"ca418e71dbf810038174eaa3719b3fcb80531c7110ad9192d105eeaafa15b819ac005668752b344ed1b22faf77048baf03dbddb3b47d6b00e95c4f005e0cc9b7627ccafd3f21b3312aa8d91d3fa0893fe5bff7d44ca46f23afe0":"b37286ebaf4a54e0ffc2a1deafc9f6db":2 + +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 128 bytes, AD updates: 0 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":0 + +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 128 bytes, AD updates: 1 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":1 + +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 128 bytes, AD updates: 2 
+depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":2 + +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 51 bytes, AD updates: 0 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"594157ec4693202b030f33798b07176d":"49b12054082660803a1df3df":"3feef98a976a1bd634f364ac428bb59cd51fb159ec1789946918dbd50ea6c9d594a3a31a5269b0da6936c29d063a5fa2cc8a1c":"c1b7a46a335f23d65b8db4008a49796906e225474f4fe7d39e55bf2efd97fd82d4167de082ae30fa01e465a601235d8d68bc69":"ba92d3661ce8b04687e8788d55417dc2":0 + +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 51 bytes, AD updates: 1 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"594157ec4693202b030f33798b07176d":"49b12054082660803a1df3df":"3feef98a976a1bd634f364ac428bb59cd51fb159ec1789946918dbd50ea6c9d594a3a31a5269b0da6936c29d063a5fa2cc8a1c":"c1b7a46a335f23d65b8db4008a49796906e225474f4fe7d39e55bf2efd97fd82d4167de082ae30fa01e465a601235d8d68bc69":"ba92d3661ce8b04687e8788d55417dc2":1 + +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 51 bytes, AD updates: 2 +depends_on:MBEDTLS_AES_C 
+gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"594157ec4693202b030f33798b07176d":"49b12054082660803a1df3df":"3feef98a976a1bd634f364ac428bb59cd51fb159ec1789946918dbd50ea6c9d594a3a31a5269b0da6936c29d063a5fa2cc8a1c":"c1b7a46a335f23d65b8db4008a49796906e225474f4fe7d39e55bf2efd97fd82d4167de082ae30fa01e465a601235d8d68bc69":"ba92d3661ce8b04687e8788d55417dc2":2 + +AES-GCM NIST - empty AD, empty plaintext +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_verify_no_ad_no_cipher:MBEDTLS_CIPHER_ID_AES:"11754cd72aec309bf52f7687212e8957":"3c819d9a9bed087615030b65":"250327c674aaf477aef2675748cf6971" + AES-GCM Bad IV (AES-128,128,0,0,32) #0 depends_on:MBEDTLS_AES_C gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_ENCRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index a6b0a4c119..49859dda91 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -11,20 +11,24 @@ static int check_multipart( mbedtls_gcm_context *ctx, const data_t *input, const data_t *expected_output, const data_t *tag, - size_t n1 ) + size_t n1, + size_t n1_add) { int ok = 0; uint8_t *output = NULL; size_t n2 = input->len - n1; + size_t n2_add = add->len - n1_add; size_t olen; /* Sanity checks on the test data */ TEST_ASSERT( n1 <= input->len ); + TEST_ASSERT( n1_add <= add->len ); TEST_EQUAL( input->len, expected_output->len ); TEST_EQUAL( 0, mbedtls_gcm_starts( ctx, mode, iv->x, iv->len ) ); - TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, add->x, add->len ) ); + TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, add->x, n1_add ) ); + TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, add->x + n1_add, n2_add ) ); /* Allocate a tight buffer for each update call. This way, if the function * tries to write beyond the advertised required buffer size, this will 
@@ -57,6 +61,94 @@ exit: return( ok ); } +static void check_cipher_with_empty_ad( mbedtls_gcm_context *ctx, + int mode, + const data_t *iv, + const data_t *input, + const data_t *expected_output, + const data_t *tag, + size_t ad_update_count) +{ + size_t n; + uint8_t *output = NULL; + size_t olen; + + /* Sanity checks on the test data */ + TEST_EQUAL( input->len, expected_output->len ); + + TEST_EQUAL( 0, mbedtls_gcm_starts( ctx, mode, + iv->x, iv->len ) ); + + for( n = 0; n < ad_update_count; n++ ) + { + TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, NULL, 0 ) ); + } + + /* Allocate a tight buffer for each update call. This way, if the function + * tries to write beyond the advertised required buffer size, this will + * count as an overflow for memory sanitizers and static checkers. */ + ASSERT_ALLOC( output, input->len ); + olen = 0xdeadbeef; + TEST_EQUAL( 0, mbedtls_gcm_update( ctx, input->x, input->len, output, input->len, &olen ) ); + TEST_EQUAL( input->len, olen ); + ASSERT_COMPARE( output, olen, expected_output->x, input->len ); + mbedtls_free( output ); + output = NULL; + + ASSERT_ALLOC( output, tag->len ); + TEST_EQUAL( 0, mbedtls_gcm_finish( ctx, NULL, 0, output, tag->len ) ); + ASSERT_COMPARE( output, tag->len, tag->x, tag->len ); + +exit: + mbedtls_free( output ); +} + +static void check_empty_cipher_with_ad( mbedtls_gcm_context *ctx, + int mode, + const data_t *iv, + const data_t *add, + const data_t *tag, + size_t cipher_update_count) +{ + size_t olen; + size_t n; + uint8_t* output_tag = NULL; + + TEST_EQUAL( 0, mbedtls_gcm_starts( ctx, mode, iv->x, iv->len ) ); + TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, add->x, add->len ) ); + + for( n = 0; n < cipher_update_count; n++ ) + { + olen = 0xdeadbeef; + TEST_EQUAL( 0, mbedtls_gcm_update( ctx, NULL, 0, NULL, 0, &olen ) ); + TEST_EQUAL( 0, olen ); + } + + ASSERT_ALLOC( output_tag, tag->len ); + TEST_EQUAL( 0, mbedtls_gcm_finish( ctx, NULL, 0, output_tag, tag->len ) ); + ASSERT_COMPARE( output_tag, tag->len, 
tag->x, tag->len ); + +exit: + mbedtls_free( output_tag ); +} + +static void check_no_cipher_no_ad( mbedtls_gcm_context *ctx, + int mode, + const data_t *iv, + const data_t *tag ) +{ + uint8_t *output = NULL; + + TEST_EQUAL( 0, mbedtls_gcm_starts( ctx, mode, + iv->x, iv->len ) ); + ASSERT_ALLOC( output, tag->len ); + TEST_EQUAL( 0, mbedtls_gcm_finish( ctx, NULL, 0, output, tag->len ) ); + ASSERT_COMPARE( output, tag->len, tag->x, tag->len ); + +exit: + mbedtls_free( output ); +} + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -101,6 +193,7 @@ void gcm_encrypt_and_tag( int cipher_id, data_t * key_str, mbedtls_gcm_context ctx; size_t tag_len = tag_len_bits / 8; size_t n1; + size_t n1_add; mbedtls_gcm_init( &ctx ); @@ -118,12 +211,15 @@ void gcm_encrypt_and_tag( int cipher_id, data_t * key_str, for( n1 = 0; n1 <= src_str->len; n1 += 1 ) { - mbedtls_test_set_step( n1 ); - if( !check_multipart( &ctx, MBEDTLS_GCM_ENCRYPT, - iv_str, add_str, src_str, - dst, tag, - n1 ) ) - goto exit; + for( n1_add = 0; n1_add <= add_str->len; n1_add += 1 ) + { + mbedtls_test_set_step( n1 * 10000 + n1_add ); + if( !check_multipart( &ctx, MBEDTLS_GCM_ENCRYPT, + iv_str, add_str, src_str, + dst, tag, + n1, n1_add ) ) + goto exit; + } } } @@ -144,6 +240,7 @@ void gcm_decrypt_and_verify( int cipher_id, data_t * key_str, int ret; size_t tag_len = tag_len_bits / 8; size_t n1; + size_t n1_add; mbedtls_gcm_init( &ctx ); @@ -166,12 +263,15 @@ void gcm_decrypt_and_verify( int cipher_id, data_t * key_str, for( n1 = 0; n1 <= src_str->len; n1 += 1 ) { - mbedtls_test_set_step( n1 ); - if( !check_multipart( &ctx, MBEDTLS_GCM_DECRYPT, - iv_str, add_str, src_str, - pt_result, tag_str, - n1 ) ) - goto exit; + for( n1_add = 0; n1_add <= add_str->len; n1_add += 1 ) + { + mbedtls_test_set_step( n1 * 10000 + n1_add ); + if( !check_multipart( &ctx, MBEDTLS_GCM_DECRYPT, + iv_str, add_str, src_str, + pt_result, tag_str, + n1, n1_add ) ) + goto exit; + } } } } 
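Review bot: The three new helpers have no comment saying which edge of the update_ad/update/finish sequence each one pins down, although they exist to cover the pending-partial-block states introduced in library/gcm.c. A one-line header on each would do, e.g. `/* Zero-length mbedtls_gcm_update() calls after the AD must not change the tag. */` above check_empty_cipher_with_ad() and `/* Zero-length mbedtls_gcm_update_ad() calls must behave like passing no AD. */` above check_cipher_with_empty_ad(). As a style point, `uint8_t* output_tag` and the closing `size_t ad_update_count)` / `size_t cipher_update_count)` differ from the spacing used elsewhere in the file (`uint8_t *output`, `const data_t *tag )`).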
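Review bot: `mbedtls_test_set_step( n1 * 10000 + n1_add )` in gcm_encrypt_and_tag() is unambiguous only while the AD is shorter than 10000 bytes. The nested loop also now runs check_multipart() for every (n1, n1_add) pair, i.e. (src_str->len + 1) * (add_str->len + 1) times per vector. The vectors visible in this diff top out at 128 bytes, so both hold today, but a comment stating the assumption, such as `/* step = n1 * 10000 + n1_add; assumes add_str->len < 10000 */`, would make a failing step number decodable. The same applies to the identical loop added to gcm_decrypt_and_verify() in the later hunk.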
@@ -181,6 +281,130 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void gcm_decrypt_and_verify_empty_cipher( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * add_str, + data_t * tag_str, + int cipher_update_calls ) +{ + mbedtls_gcm_context ctx; + + mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_empty_cipher_with_ad( &ctx, MBEDTLS_GCM_DECRYPT, + iv_str, add_str, tag_str, + cipher_update_calls ); + + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void gcm_decrypt_and_verify_empty_ad( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * src_str, + data_t * tag_str, + data_t * pt_result, + int ad_update_calls ) +{ + mbedtls_gcm_context ctx; + + mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_cipher_with_empty_ad( &ctx, MBEDTLS_GCM_DECRYPT, + iv_str, src_str, pt_result, tag_str, + ad_update_calls ); + + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void gcm_decrypt_and_verify_no_ad_no_cipher( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * tag_str ) +{ + mbedtls_gcm_context ctx; + + mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_no_cipher_no_ad( &ctx, MBEDTLS_GCM_DECRYPT, + iv_str, tag_str ); + + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void gcm_encrypt_and_tag_empty_cipher( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * add_str, + data_t * tag_str, + int cipher_update_calls ) +{ + mbedtls_gcm_context ctx; + + mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_empty_cipher_with_ad( &ctx, MBEDTLS_GCM_ENCRYPT, + iv_str, add_str, tag_str, + cipher_update_calls ); + +exit: + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ 
+void gcm_encrypt_and_tag_empty_ad( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * src_str, + data_t * dst, + data_t * tag_str, + int ad_update_calls ) +{ + mbedtls_gcm_context ctx; + + mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_cipher_with_empty_ad( &ctx, MBEDTLS_GCM_ENCRYPT, + iv_str, src_str, dst, tag_str, + ad_update_calls ); + +exit: + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void gcm_encrypt_and_verify_no_ad_no_cipher( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * tag_str ) +{ + mbedtls_gcm_context ctx; + + mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_no_cipher_no_ad( &ctx, MBEDTLS_GCM_ENCRYPT, + iv_str, tag_str ); + + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:NOT_DEFINED */ void gcm_invalid_param( ) {
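Review bot: Four of the six new test functions (the three decrypt variants and gcm_encrypt_and_verify_no_ad_no_cipher) have no `exit:` label before `mbedtls_gcm_free( &ctx )`, while gcm_encrypt_and_tag_empty_cipher and gcm_encrypt_and_tag_empty_ad do. If TEST_ASSERT jumps to `exit` on failure, as the labelled functions suggest, a failing mbedtls_gcm_setkey() in the unlabelled ones would presumably skip the free. Adding `exit:` on the line before `mbedtls_gcm_free( &ctx );` makes all six consistent. The name gcm_encrypt_and_verify_no_ad_no_cipher also breaks the `gcm_encrypt_and_tag_*` pattern of its siblings; renaming it would need the matching entry in test_suite_gcm.aes128_en.data changed too.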