From bd513bb53d80276431161e5a64a2ae61740c4e68 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 26 May 2021 14:25:39 +0200 Subject: [PATCH 01/16] Enable multiple calls to mbedtls_gcm_update_ad. Signed-off-by: Mateusz Starzyk --- docs/3.0-migration-guide.d/gcm-multipart.md | 1 - include/mbedtls/gcm.h | 5 --- library/gcm.c | 48 +++++++++++++++++---- 3 files changed, 40 insertions(+), 14 deletions(-) diff --git a/docs/3.0-migration-guide.d/gcm-multipart.md b/docs/3.0-migration-guide.d/gcm-multipart.md index 98e9fad2e1..ebc6397fa0 100644 --- a/docs/3.0-migration-guide.d/gcm-multipart.md +++ b/docs/3.0-migration-guide.d/gcm-multipart.md @@ -6,7 +6,6 @@ This changes the interface for applications using the GCM module directly for mu Applications using one-shot GCM or using GCM via the `mbedtls_cipher_xxx` or `psa_aead_xxx` interfaces do not require any changes. * `mbedtls_gcm_starts()` now only sets the mode and the nonce (IV). Call the new function `mbedtls_gcm_update_ad()` to pass the associated data. -* The current implementation has a limitation that `mbedtls_gcm_update_ad()` may only be called once. This limitation will be lifted shortly; watch https://github.com/ARMmbed/mbedtls/issues/4351 for updates. * `mbedtls_gcm_update()` now takes an extra parameter to indicate the actual output length. In Mbed TLS 2.x, applications had to pass inputs consisting of whole 16-byte blocks except for the last block (this limitation has been lifted). In this case: * As long as the input remains block-aligned, the output length is exactly the input length, as before. * If the length of the last input is not a multiple of 16, alternative implementations may return the last partial block in the call to `mbedtls_gcm_finish()` instead of returning it in the last call to `mbedtls_gcm_update()`. diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index c8e384ad89..f3c30350de 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h 
@@ -246,11 +246,6 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
 * you do not need to call this function. You may not
 * call this function after calling mbedtls_cipher_update().
 *
- * \note This function may only be called once per operation:
- * you must pass the whole associated data in a single
- * call. This limitation will be lifted in a future version
- * of Mbed TLS.
- *
 * \param ctx The GCM context. This must have been started with
 * mbedtls_gcm_starts() and must not have yet received
 * any input with mbedtls_gcm_update().
diff --git a/library/gcm.c b/library/gcm.c
index 2bd907115e..23b6ebb2fe 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -337,7 +337,7 @@ int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx,
 const unsigned char *add, size_t add_len )
 {
 const unsigned char *p;
- size_t use_len, i;
+ size_t use_len, i, offset;
 GCM_VALIDATE_RET( add_len == 0 || add != NULL );
@@ -345,15 +345,31 @@ int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx,
 if( (uint64_t) add_len >> 61 != 0 )
 return( MBEDTLS_ERR_GCM_BAD_INPUT );
- /* Calling update_ad multiple times is not yet supported */
- if( ctx->add_len != 0 )
- return( MBEDTLS_ERR_GCM_BAD_INPUT );
-
- ctx->add_len = add_len;
+ offset = ctx->add_len % 16;
 p = add;
- while( add_len > 0 )
+
+ if (offset)
 {
- use_len = ( add_len < 16 ) ? add_len : 16;
+ use_len = 16 - offset;
+ if( use_len > add_len )
+ use_len = add_len;
+
+ for (i = 0; i < use_len; i++)
+ ctx->buf[i+offset] ^= p[i];
+
+ if( offset + use_len == 16 )
+ gcm_mult( ctx, ctx->buf, ctx->buf );
+
+ ctx->add_len += use_len;
+ add_len -= use_len;
+ p += use_len;
+ }
+
+ ctx->add_len += add_len;
+
+ while( add_len >= 16 )
+ {
+ use_len = 16;
 for( i = 0; i < use_len; i++ )
 ctx->buf[i] ^= p[i];
@@ -364,6 +380,12 @@ int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx,
 p += use_len;
 }
+ if ( add_len > 0 )
+ {
+ for( i = 0; i < add_len; i++ )
+ ctx->buf[i] ^= p[i];
+ }
+
 return( 0 );
 }
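Review bot: The guard `(uint64_t) add_len >> 61 != 0` in mbedtls_gcm_update_ad still bounds only the current chunk, but the new code accumulates into `ctx->add_len` across calls, so the total associated-data length is no longer limited and `ctx->add_len * 8` (computed in mbedtls_gcm_finish) could wrap. Validate the running total before touching `ctx->buf`, for example `uint64_t new_add_len = ctx->add_len + (uint64_t) add_len;` followed by `if( new_add_len < ctx->add_len || new_add_len >> 61 != 0 ) return( MBEDTLS_ERR_GCM_BAD_INPUT );` (this assumes `ctx->add_len` is a 64-bit field, which is not visible in the hunk). The function also accepts a call made after mbedtls_gcm_update() has consumed input, which gcm.h documents as not allowed; rejecting `ctx->len != 0` here would turn that misuse into an error instead of a silently wrong tag. The function's opening lines are in the previous hunk.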
@@ -442,6 +464,11 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
 return( MBEDTLS_ERR_GCM_BAD_INPUT );
 }
+ if ( ( ctx->len == 0 ) && ( ctx->add_len % 16 ) )
+ {
+ gcm_mult( ctx, ctx->buf, ctx->buf );
+ }
+
 offset = ctx->len % 16;
 if( offset != 0 )
 {
@@ -507,6 +534,11 @@ int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
 orig_len = ctx->len * 8;
 orig_add_len = ctx->add_len * 8;
+ if ( ( ctx->len == 0 ) && ( ctx->add_len % 16 ) )
+ {
+ gcm_mult( ctx, ctx->buf, ctx->buf );
+ }
+
 if( tag_len > 16 || tag_len < 4 )
 return( MBEDTLS_ERR_GCM_BAD_INPUT );
From 658f4fd6d8dbfab6f13c943ae12af2695f8b8c1f Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 26 May 2021 14:26:48 +0200 Subject: [PATCH 02/16] Cover multiple calls to mbedtls_gcm_update_ad in gcm test suite. Signed-off-by: Mateusz Starzyk
---
 tests/suites/test_suite_gcm.function | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function
index a6b0a4c119..c7942f81a7 100644
--- a/tests/suites/test_suite_gcm.function
+++ b/tests/suites/test_suite_gcm.function
@@ -16,15 +16,19 @@ static int check_multipart( mbedtls_gcm_context *ctx,
 int ok = 0;
 uint8_t *output = NULL;
 size_t n2 = input->len - n1;
+ size_t n1_add = n1 < add->len ? add->len - n1 : add->len;
+ size_t n2_add = add->len - n1_add;
 size_t olen;
 /* Sanity checks on the test data */
 TEST_ASSERT( n1 <= input->len );
+ TEST_ASSERT( n1_add <= add->len );
 TEST_EQUAL( input->len, expected_output->len );
 TEST_EQUAL( 0, mbedtls_gcm_starts( ctx, mode,
 iv->x, iv->len ) );
- TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, add->x, add->len ) );
+ TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, add->x, n1_add ) );
+ TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, add->x + n1_add, n2_add ) );
 /* Allocate a tight buffer for each update call. This way, if the function
 * tries to write beyond the advertised required buffer size, this will
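Review bot: In mbedtls_gcm_finish the added partial-AD flush `gcm_mult( ctx, ctx->buf, ctx->buf )` runs before the `tag_len > 16 || tag_len < 4` check, so a call rejected with MBEDTLS_ERR_GCM_BAD_INPUT has already modified `ctx->buf`. Because neither `ctx->len` nor `ctx->add_len` changes, a retry with a valid tag length would multiply the pending block a second time and yield an incorrect tag. Move the new `if` block below the `tag_len` validation so that parameter errors leave the context untouched. The identical block is also added to mbedtls_gcm_update in the preceding hunk; a shared static helper would keep the two copies from drifting. Both function bodies extend beyond their hunks.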
From d6f673d710ea9db7d972c2a582a4ea0bbc1ead2c Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 7 Jun 2021 12:49:55 +0200 Subject: [PATCH 03/16] Remove outdated note about multiple calls to cipher update for associated data. Signed-off-by: Mateusz Starzyk --- include/mbedtls/cipher.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 25e1d8d678..4989da7b58 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -732,8 +732,6 @@ int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx ); /** * \brief This function adds additional data for AEAD ciphers. * Currently supported with GCM and ChaCha20+Poly1305. - * This must be called exactly once, after - * mbedtls_cipher_reset(). * * \param ctx The generic cipher context. This must be initialized. * \param ad The additional data to use. This must be a readable From c1ec0b89596cdad8b5302233101a9296b4a29790 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 7 Jun 2021 14:23:24 +0200 Subject: [PATCH 04/16] Add changelog entry for chunked associated data in GCM. Signed-off-by: Mateusz Starzyk --- ChangeLog.d/gcm-update.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog.d/gcm-update.txt b/ChangeLog.d/gcm-update.txt index 0fffd094d0..858bd0a734 100644 --- a/ChangeLog.d/gcm-update.txt +++ b/ChangeLog.d/gcm-update.txt @@ -15,3 +15,5 @@ Features * The multi-part GCM interface (mbedtls_gcm_update() or mbedtls_cipher_update()) no longer requires the size of partial inputs to be a multiple of 16. + * The multi-part GCM interface now supports chunked associated data through + multiple calls to mbedtls_gcm_update_ad(). From 333f48f40750769e6e3292c1d72a737278a6fcc4 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 7 Jun 2021 14:42:27 +0200 Subject: [PATCH 05/16] Fix code style. Signed-off-by: Mateusz Starzyk --- library/gcm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/library/gcm.c b/library/gcm.c
index 23b6ebb2fe..a20a767415 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -348,7 +348,7 @@ int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx,
 offset = ctx->add_len % 16;
 p = add;
- if (offset)
+ if( offset != 0 )
 {
 use_len = 16 - offset;
 if( use_len > add_len )
@@ -380,7 +380,7 @@ int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx,
 p += use_len;
 }
- if ( add_len > 0 )
+ if( add_len > 0 )
 {
 for( i = 0; i < add_len; i++ )
 ctx->buf[i] ^= p[i];
@@ -464,7 +464,7 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
 return( MBEDTLS_ERR_GCM_BAD_INPUT );
 }
- if ( ( ctx->len == 0 ) && ( ctx->add_len % 16 ) )
+ if( ctx->len == 0 && ctx->add_len % 16 != 0 )
 {
 gcm_mult( ctx, ctx->buf, ctx->buf );
 }
@@ -534,7 +534,7 @@ int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
 orig_len = ctx->len * 8;
 orig_add_len = ctx->add_len * 8;
- if ( ( ctx->len == 0 ) && ( ctx->add_len % 16 ) )
+ if( ctx->len == 0 && ctx->add_len % 16 != 0 )
 {
 gcm_mult( ctx, ctx->buf, ctx->buf );
 }
From b45b57eec673c1e9cd1920ef80279dd09095c18b Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 7 Jun 2021 15:44:18 +0200 Subject: [PATCH 06/16] Add comment on how mbedtls_gcm_context::buf data depends on values of add_len and len. Signed-off-by: Mateusz Starzyk
---
 library/gcm.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/library/gcm.c b/library/gcm.c
index a20a767415..01e12e69ca 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -332,7 +332,16 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
 return( 0 );
 }
-
+/**
+ * mbedtls_gcm_context::buf contains different data type, depending
+ * on the values of mbedtls_gcm_context::::add_len and
+ * mbedtls_gcm_context::len:
+ * * When add_len % 16 == 0 and len == 0: initial state.
+ * * When add_len % 16 != 0 and len == 0: the first `add_len % 16` bytes
+ * of buf have a partial AD block xored in and not yet multiplied in.
+ * * When len != 0: the first `add_len % 16` bytes of buf have partial
+ * ciphertext xored in and not yet multiplied in.
+ */
 int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx,
 const unsigned char *add, size_t add_len )
 {
From 3443bd25702232a393172995f8aff5567817162d Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 7 Jun 2021 16:03:27 +0200 Subject: [PATCH 07/16] Add comment on exiting early from mbedtls_gcm_update(). Signed-off-by: Mateusz Starzyk
---
 library/gcm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/library/gcm.c b/library/gcm.c
index 01e12e69ca..be72f99412 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -454,7 +454,9 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
 *output_length = input_length;
 /* Exit early if input_length==0 so that we don't do any pointer arithmetic
- * on a potentially null pointer. */
+ * on a potentially null pointer.
+ * Returning early also means that the last partial block of AD remains
+ * untouched for mbedtls_gcm_finish */
 if( input_length == 0 )
 return( 0 );
From 25a571e0768ddcfbd7f712996d1144a445c68043 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 15 Jun 2021 13:22:42 +0200 Subject: [PATCH 08/16] Code style fix Signed-off-by: Mateusz Starzyk
---
 library/gcm.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/library/gcm.c b/library/gcm.c
index be72f99412..a3a3e48102 100644
--- a/library/gcm.c
+++ b/library/gcm.c
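Review bot: The new block in the first hunk opens with `/**` and sits directly above mbedtls_gcm_update_ad, so Doxygen-style tooling will take this description of `mbedtls_gcm_context::buf` as the documentation of that function; a plain `/* ... */` comment, or moving the text next to the `buf` field declaration, avoids that. `mbedtls_gcm_context::::add_len` has a doubled scope operator, and the third bullet describes pending ciphertext in terms of `add_len % 16` where `len % 16` appears to be meant. The reworded block in PATCH 09/16 corrects the third bullet but keeps the `/**` opener and the `::::`, and introduces the typo `differenet`.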
@@ -363,7 +363,7 @@ int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx,
 if( use_len > add_len )
 use_len = add_len;
- for (i = 0; i < use_len; i++)
+ for ( i = 0; i < use_len; i++ )
 ctx->buf[i+offset] ^= p[i];
 if( offset + use_len == 16 )
@@ -378,15 +378,13 @@ int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx,
 while( add_len >= 16 )
 {
- use_len = 16;
-
- for( i = 0; i < use_len; i++ )
+ for( i = 0; i < 16; i++ )
 ctx->buf[i] ^= p[i];
 gcm_mult( ctx, ctx->buf, ctx->buf );
- add_len -= use_len;
- p += use_len;
+ add_len -= 16;
+ p += 16;
 }
 if( add_len > 0 )
From 3d0bbeef0c15830177e13039ee433a5aae0242ee Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 15 Jun 2021 14:26:53 +0200 Subject: [PATCH 09/16] Reword description of the authentation tag computation stages Signed-off-by: Mateusz Starzyk
---
 library/gcm.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/library/gcm.c b/library/gcm.c
index a3a3e48102..02265ce897 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -333,14 +333,21 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
 }
 /**
- * mbedtls_gcm_context::buf contains different data type, depending
- * on the values of mbedtls_gcm_context::::add_len and
- * mbedtls_gcm_context::len:
- * * When add_len % 16 == 0 and len == 0: initial state.
- * * When add_len % 16 != 0 and len == 0: the first `add_len % 16` bytes
- * of buf have a partial AD block xored in and not yet multiplied in.
- * * When len != 0: the first `add_len % 16` bytes of buf have partial
- * ciphertext xored in and not yet multiplied in.
+ * mbedtls_gcm_context::buf contains the partial state of the computation of
+ * the authentication tag.
+ * mbedtls_gcm_context::::add_len and mbedtls_gcm_context::len indicate
+ * differenet stages of the computation:
+ * * len == 0 && add_len == 0: initial state
+ * * len == 0 && add_len % 16 != 0: the first `add_len % 16` bytes have
+ * a partial block of AD that has been
+ * xored in but not yet multiplied in.
+ * * len == 0 && add_len % 16 == 0: the authentication tag is correct if
+ * the data ends now.
+ * * len % 16 != 0: the first `len % 16` bytes have
+ * a partial block of ciphertext that has
+ * been xored in but not yet multiplied in.
+ * * len > 0 && len % 16 == 0: the authentication tag is correct if
+ * the data ends now.
 */
 int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx,
 const unsigned char *add, size_t add_len )
From af4ecddd4febb8c241e23cea0129911892816cd0 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 15 Jun 2021 15:29:48 +0200 Subject: [PATCH 10/16] Pass associated data split as check_multipart argument. Signed-off-by: Mateusz Starzyk
---
 tests/suites/test_suite_gcm.function | 35 ++++++++++++++++++---------- 1 file changed, 23 insertions(+), 12 deletions(-)
diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function
index c7942f81a7..fc01b40337 100644
--- a/tests/suites/test_suite_gcm.function
+++ b/tests/suites/test_suite_gcm.function
@@ -11,12 +11,12 @@ static int check_multipart( mbedtls_gcm_context *ctx,
 const data_t *input,
 const data_t *expected_output,
 const data_t *tag,
- size_t n1 )
+ size_t n1,
+ size_t n1_add)
 {
 int ok = 0;
 uint8_t *output = NULL;
 size_t n2 = input->len - n1;
- size_t n1_add = n1 < add->len ? add->len - n1 : add->len;
 size_t n2_add = add->len - n1_add;
 size_t olen;
@@ -105,6 +105,7 @@ void gcm_encrypt_and_tag( int cipher_id, data_t * key_str,
 mbedtls_gcm_context ctx;
 size_t tag_len = tag_len_bits / 8;
 size_t n1;
+ size_t n1_add;
 mbedtls_gcm_init( &ctx );
@@ -123,11 +124,16 @@ void gcm_encrypt_and_tag( int cipher_id, data_t * key_str,
 for( n1 = 0; n1 <= src_str->len; n1 += 1 )
 {
 mbedtls_test_set_step( n1 );
- if( !check_multipart( &ctx, MBEDTLS_GCM_ENCRYPT,
- iv_str, add_str, src_str,
- dst, tag,
- n1 ) )
- goto exit;
+
+ for( n1_add = 0; n1_add <= add_str->len; n1_add += 1 )
+ {
+ mbedtls_test_set_step( n1_add );
+ if( !check_multipart( &ctx, MBEDTLS_GCM_ENCRYPT,
+ iv_str, add_str, src_str,
+ dst, tag,
+ n1, n1_add ) )
+ goto exit;
+ }
 }
 }
@@ -148,6 +154,7 @@ void gcm_decrypt_and_verify( int cipher_id, data_t * key_str,
 int ret;
 size_t tag_len = tag_len_bits / 8;
 size_t n1;
+ size_t n1_add;
 mbedtls_gcm_init( &ctx );
@@ -171,11 +178,15 @@ void gcm_decrypt_and_verify( int cipher_id, data_t * key_str,
 for( n1 = 0; n1 <= src_str->len; n1 += 1 )
 {
 mbedtls_test_set_step( n1 );
- if( !check_multipart( &ctx, MBEDTLS_GCM_DECRYPT,
- iv_str, add_str, src_str,
- pt_result, tag_str,
- n1 ) )
- goto exit;
+ for( n1_add = 0; n1_add <= add_str->len; n1_add += 1 )
+ {
+ mbedtls_test_set_step( n1_add );
+ if( !check_multipart( &ctx, MBEDTLS_GCM_DECRYPT,
+ iv_str, add_str, src_str,
+ pt_result, tag_str,
+ n1, n1_add ) )
+ goto exit;
+ }
 }
 }
 }
From fc60622710121fde2fb8ed73e3935ce9c7436307 Mon Sep 17 00:00:00 2001
From: Mateusz Starzyk Date: Wed, 16 Jun 2021 11:04:07 +0200 Subject: [PATCH 11/16] Add customized test functions for GCM update and update_ad. New functions are used to cover corner cases: * authentication data is fed to gcm with 0, 1 or 2 calls to gcm_update * ciphertext is fed to gcm with 0, 1 or 2 calls to gcm_update_ad AES-GCM NIST test vectors downloaded at 16.06.2021 from: csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_gcm.aes128_de.data | 24 +++ tests/suites/test_suite_gcm.aes128_en.data | 24 +++ tests/suites/test_suite_gcm.function | 175 +++++++++++++++++++++ 3 files changed, 223 insertions(+) diff --git a/tests/suites/test_suite_gcm.aes128_de.data b/tests/suites/test_suite_gcm.aes128_de.data index c865b0cba6..efafb9dc3e 100644 --- a/tests/suites/test_suite_gcm.aes128_de.data +++ b/tests/suites/test_suite_gcm.aes128_de.data 
@@ -670,6 +670,30 @@ AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2 [#2] depends_on:MBEDTLS_AES_C gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"659b9e729d12f68b73fdc2f7260ab114":"fd0732a38224c3f16f58de3a7f333da2ecdb6eec92b469544a891966dd4f8fb64a711a793f1ef6a90e49765eacaccdd8cc438c2b57c51902d27a82ee4f24925a864a9513a74e734ddbf77204a99a3c0060fcfbaccae48fe509bc95c3d6e1b1592889c489801265715e6e4355a45357ce467c1caa2f1c3071bd3a9168a7d223e3":"459df18e2dfbd66d6ad04978432a6d97":"ee0b0b52a729c45b899cc924f46eb1908e55aaaeeaa0c4cdaacf57948a7993a6debd7b6cd7aa426dc3b3b6f56522ba3d5700a820b1697b8170bad9ca7caf1050f13d54fb1ddeb111086cb650e1c5f4a14b6a927205a83bf49f357576fd0f884a83b068154352076a6e36a5369436d2c8351f3e6bfec65b4816e3eb3f144ed7f9":32:"8e5a6a79":"FAIL":"":0 +AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 0 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":0:0 + +AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 1 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":1:0 + +AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. 
Ciphertext updates: 2 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":2:0 + +AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. AD updates: 0 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":0:0 + +AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 1 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":1:0 + +AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. AD updates: 2 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":2:0 + AES-GCM Bad IV (AES-128,128,0,0,32) #0 depends_on:MBEDTLS_AES_C gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT diff --git a/tests/suites/test_suite_gcm.aes128_en.data b/tests/suites/test_suite_gcm.aes128_en.data index b1dae75390..8f68b37585 100644 --- a/tests/suites/test_suite_gcm.aes128_en.data +++ b/tests/suites/test_suite_gcm.aes128_en.data 
@@ -670,6 +670,30 @@ AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2 [#2] depends_on:MBEDTLS_AES_C gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fe481476fce76efcfc78ed144b0756f1":"246e1f2babab8da98b17cc928bd49504d7d87ea2cc174f9ffb7dbafe5969ff824a0bcb52f35441d22f3edcd10fab0ec04c0bde5abd3624ca25cbb4541b5d62a3deb52c00b75d68aaf0504d51f95b8dcbebdd8433f4966c584ac7f8c19407ca927a79fa4ead2688c4a7baafb4c31ef83c05e8848ec2b4f657aab84c109c91c277":"1a2c18c6bf13b3b2785610c71ccd98ca":"b0ab3cb5256575774b8242b89badfbe0dfdfd04f5dd75a8e5f218b28d3f6bc085a013defa5f5b15dfb46132db58ed7a9ddb812d28ee2f962796ad988561a381c02d1cf37dca5fd33e081d61cc7b3ab0b477947524a4ca4cb48c36f48b302c440be6f5777518a60585a8a16cea510dbfc5580b0daac49a2b1242ff55e91a8eae8":"5587620bbb77f70afdf3cdb7ae390edd0473286d86d3f862ad70902d90ff1d315947c959f016257a8fe1f52cc22a54f21de8cb60b74808ac7b22ea7a15945371e18b77c9571aad631aa080c60c1e472019fa85625fc80ed32a51d05e397a8987c8fece197a566689d24d05361b6f3a75616c89db6123bf5902960b21a18bc03a":32:"bd4265a8":0 +AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 0 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":0:0 + +AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. 
Ciphertext updates: 1 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":1:0 + +AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 2 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":2:0 + +AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. AD updates: 0 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":0:0 + +AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 1 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":1:0 + +AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. AD updates: 2 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":2:0 + AES-GCM Bad IV (AES-128,128,0,0,32) #0 depends_on:MBEDTLS_AES_C gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_ENCRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index fc01b40337..86f7fb9929 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function 
@@ -61,6 +61,77 @@ exit:
 return( ok );
 }
+static void check_cipher_with_empty_ad( mbedtls_gcm_context *ctx,
+ int mode,
+ const data_t *iv,
+ const data_t *input,
+ const data_t *expected_output,
+ const data_t *tag,
+ size_t ad_update_count)
+{
+ size_t n;
+ uint8_t *output = NULL;
+ size_t olen;
+
+ /* Sanity checks on the test data */
+ TEST_EQUAL( input->len, expected_output->len );
+
+ TEST_EQUAL( 0, mbedtls_gcm_starts( ctx, mode,
+ iv->x, iv->len ) );
+
+ for( n = 0; n < ad_update_count; n += 1 )
+ {
+ TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, NULL, 0 ) );
+ }
+
+ /* Allocate a tight buffer for each update call. This way, if the function
+ * tries to write beyond the advertised required buffer size, this will
+ * count as an overflow for memory sanitizers and static checkers. */
+ ASSERT_ALLOC( output, input->len );
+ olen = 0xdeadbeef;
+ TEST_EQUAL( 0, mbedtls_gcm_update( ctx, input->x, input->len, output, input->len, &olen ) );
+ TEST_EQUAL( input->len, olen );
+ ASSERT_COMPARE( output, olen, expected_output->x, input->len );
+ mbedtls_free( output );
+ output = NULL;
+
+ ASSERT_ALLOC( output, tag->len );
+ TEST_EQUAL( 0, mbedtls_gcm_finish( ctx, NULL, 0, output, tag->len ) );
+ ASSERT_COMPARE( output, tag->len, tag->x, tag->len );
+
+exit:
+ mbedtls_free( output );
+}
+
+static void check_empty_cipher_with_ad( mbedtls_gcm_context *ctx,
+ int mode,
+ const data_t *iv,
+ const data_t *add,
+ const data_t *tag,
+ size_t cipher_update_count)
+{
+ size_t olen;
+ size_t n;
+ uint8_t* output_tag = NULL;
+
+ TEST_EQUAL( 0, mbedtls_gcm_starts( ctx, mode, iv->x, iv->len ) );
+ TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, add->x, add->len ) );
+
+ for( n = 0; n < cipher_update_count; n += 1 )
+ {
+ olen = 0xdeadbeef;
+ TEST_EQUAL( 0, mbedtls_gcm_update( ctx, NULL, 0, NULL, 0, &olen ) );
+ TEST_EQUAL( 0, olen );
+ }
+
+ ASSERT_ALLOC( output_tag, tag->len );
+ TEST_EQUAL( 0, mbedtls_gcm_finish( ctx, NULL, 0, output_tag, tag->len ) );
+ ASSERT_COMPARE( output_tag, tag->len, tag->x, tag->len );
+
+exit:
+ mbedtls_free( output_tag );
+}
+
 /* END_HEADER */
 /* BEGIN_DEPENDENCIES
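Review bot: check_empty_cipher_with_ad passes the whole AD in a single mbedtls_gcm_update_ad() call, and the AD in the vectors added by this patch is 128 bytes, so `ctx->add_len % 16` is 0 by the time the zero-length mbedtls_gcm_update() calls and mbedtls_gcm_finish() run. The branch that flushes a pending partial AD block in mbedtls_gcm_finish is therefore not reached by these cases (other vectors in the suite are not visible here and may cover it). Adding a case whose AD length is not a multiple of 16, run with 0, 1 and 2 empty updates, would pin the tag for that path. Both helpers are fully contained in this hunk.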
@@ -196,6 +267,110 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void gcm_decrypt_and_verify_empty_cipher( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * add_str, + data_t * tag_str, + int cipher_update_calls, + int init_result ) +{ + mbedtls_gcm_context ctx; + + mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == init_result ); + if( init_result == 0 ) + { + check_empty_cipher_with_ad( &ctx, MBEDTLS_GCM_DECRYPT, + iv_str, add_str, tag_str, + cipher_update_calls ); + } + + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void gcm_decrypt_and_verify_empty_ad( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * src_str, + data_t * tag_str, + data_t * pt_result, + int ad_update_calls, + int init_result ) +{ + mbedtls_gcm_context ctx; + + mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == init_result ); + if( init_result == 0 ) + { + check_cipher_with_empty_ad( &ctx, MBEDTLS_GCM_DECRYPT, + iv_str, src_str, pt_result, tag_str, + ad_update_calls ); + } + + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void gcm_encrypt_and_tag_empty_cipher( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * add_str, + data_t * tag_str, + int cipher_update_calls, + int init_result ) +{ + mbedtls_gcm_context ctx; + + mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == init_result ); + if( init_result == 0 ) + { + check_empty_cipher_with_ad( &ctx, MBEDTLS_GCM_ENCRYPT, + iv_str, add_str, tag_str, + cipher_update_calls ); + } + +exit: + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void gcm_encrypt_and_tag_empty_ad( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * src_str, + data_t * dst, + data_t * tag_str, + int ad_update_calls, + int init_result ) +{ + mbedtls_gcm_context ctx; + + 
mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == init_result ); + if( init_result == 0 ) + { + check_cipher_with_empty_ad( &ctx, MBEDTLS_GCM_ENCRYPT, + iv_str, src_str, dst, tag_str, + ad_update_calls ); + } + +exit: + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:NOT_DEFINED */ void gcm_invalid_param( ) { From f8a0d4d3bf4d5574f5521ae5b18a6445453cf308 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 17 Jun 2021 11:40:52 +0200 Subject: [PATCH 12/16] Fix nested loops set_step in gcm test suite. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_gcm.function | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index 86f7fb9929..109f300e2c 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -194,11 +194,9 @@ void gcm_encrypt_and_tag( int cipher_id, data_t * key_str, for( n1 = 0; n1 <= src_str->len; n1 += 1 ) { - mbedtls_test_set_step( n1 ); - for( n1_add = 0; n1_add <= add_str->len; n1_add += 1 ) { - mbedtls_test_set_step( n1_add ); + mbedtls_test_set_step( n1 * 10000 + n1_add ); if( !check_multipart( &ctx, MBEDTLS_GCM_ENCRYPT, iv_str, add_str, src_str, dst, tag, @@ -248,10 +246,9 @@ void gcm_decrypt_and_verify( int cipher_id, data_t * key_str, for( n1 = 0; n1 <= src_str->len; n1 += 1 ) { - mbedtls_test_set_step( n1 ); for( n1_add = 0; n1_add <= add_str->len; n1_add += 1 ) { - mbedtls_test_set_step( n1_add ); + mbedtls_test_set_step( n1 * 10000 + n1_add ); if( !check_multipart( &ctx, MBEDTLS_GCM_DECRYPT, iv_str, add_str, src_str, pt_result, tag_str, From 032a1ceaf32cdd16fa063e55c8fefe55ac0929aa Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 17 Jun 2021 11:50:26 +0200 Subject: [PATCH 13/16] Remove init_result check from custom gcm test functions. 
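Review bot: gcm_decrypt_and_verify_empty_cipher and gcm_decrypt_and_verify_empty_ad have no `exit:` label before `mbedtls_gcm_free( &ctx );`, while the two encrypt variants added in the same hunk do. The TEST_* macros in this file appear to leave a test through `goto exit`, so on a failed TEST_ASSERT the decrypt cases would presumably skip the free (or depend on whatever label the test generator supplies, which is not visible here) and leave the keyed context unreleased. Add `exit:` on the line before `mbedtls_gcm_free( &ctx );` in both decrypt functions so all four cases clean up the same way.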
Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_gcm.aes128_de.data | 12 ++--- tests/suites/test_suite_gcm.aes128_en.data | 12 ++--- tests/suites/test_suite_gcm.function | 56 ++++++++-------------- 3 files changed, 32 insertions(+), 48 deletions(-) diff --git a/tests/suites/test_suite_gcm.aes128_de.data b/tests/suites/test_suite_gcm.aes128_de.data index efafb9dc3e..ed41d1e3d5 100644 --- a/tests/suites/test_suite_gcm.aes128_de.data +++ b/tests/suites/test_suite_gcm.aes128_de.data 
@@ -672,27 +672,27 @@ gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"659b9e729d12f68b73fdc2f7260ab114": AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 0 depends_on:MBEDTLS_AES_C -gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":0:0 +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":0 AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. 
Ciphertext updates: 1 depends_on:MBEDTLS_AES_C -gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":1:0 +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":1 AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 2 depends_on:MBEDTLS_AES_C -gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":2:0 +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":2 AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 0 depends_on:MBEDTLS_AES_C -gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":0:0 +gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":0 AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 1 depends_on:MBEDTLS_AES_C -gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":1:0 +gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":1 AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 2 depends_on:MBEDTLS_AES_C -gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":2:0 +gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":2 AES-GCM Bad IV (AES-128,128,0,0,32) #0 depends_on:MBEDTLS_AES_C diff --git a/tests/suites/test_suite_gcm.aes128_en.data b/tests/suites/test_suite_gcm.aes128_en.data index 8f68b37585..40b2e5fbf1 100644 --- a/tests/suites/test_suite_gcm.aes128_en.data +++ b/tests/suites/test_suite_gcm.aes128_en.data 
@@ -672,27 +672,27 @@ gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fe481476fce76efcfc78ed144b0756f1":"24 AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 0 depends_on:MBEDTLS_AES_C -gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":0:0 +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":0 AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. 
Ciphertext updates: 1 depends_on:MBEDTLS_AES_C -gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":1:0 +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":1 AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 2 depends_on:MBEDTLS_AES_C -gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":2:0 +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":2 AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 0 depends_on:MBEDTLS_AES_C -gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":0:0 +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":0 AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 1 depends_on:MBEDTLS_AES_C -gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":1:0 +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":1 AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 2 depends_on:MBEDTLS_AES_C -gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":2:0 +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":2 AES-GCM Bad IV (AES-128,128,0,0,32) #0 depends_on:MBEDTLS_AES_C diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index 109f300e2c..af5cacd98c 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function 
@@ -270,20 +270,16 @@ void gcm_decrypt_and_verify_empty_cipher( int cipher_id, data_t * iv_str, data_t * add_str, data_t * tag_str, - int cipher_update_calls, - int init_result ) + int cipher_update_calls ) { mbedtls_gcm_context ctx; mbedtls_gcm_init( &ctx ); - TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == init_result ); - if( init_result == 0 ) - { - check_empty_cipher_with_ad( &ctx, MBEDTLS_GCM_DECRYPT, - iv_str, add_str, tag_str, - cipher_update_calls ); - } + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_empty_cipher_with_ad( &ctx, MBEDTLS_GCM_DECRYPT, + iv_str, add_str, tag_str, + cipher_update_calls ); mbedtls_gcm_free( &ctx ); } @@ -296,20 +292,16 @@ void gcm_decrypt_and_verify_empty_ad( int cipher_id, data_t * src_str, data_t * tag_str, data_t * pt_result, - int ad_update_calls, - int init_result ) + int ad_update_calls ) { mbedtls_gcm_context ctx; mbedtls_gcm_init( &ctx ); - TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == init_result ); - if( init_result == 0 ) - { - check_cipher_with_empty_ad( &ctx, MBEDTLS_GCM_DECRYPT, - iv_str, src_str, pt_result, tag_str, - ad_update_calls ); - } + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_cipher_with_empty_ad( &ctx, MBEDTLS_GCM_DECRYPT, + iv_str, src_str, pt_result, tag_str, + ad_update_calls ); mbedtls_gcm_free( &ctx ); } 
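Review bot: In gcm_decrypt_and_verify_empty_cipher and gcm_decrypt_and_verify_empty_ad the body shown has no `exit:` label before `mbedtls_gcm_free( &ctx );`, while the two encrypt variants changed by the same patch do have one. In the Mbed TLS test framework TEST_ASSERT leaves the function through `goto exit` on failure. If the label for these two functions ends up after the free call (for instance, generated at the end of the function), a failed mbedtls_gcm_setkey() check skips the context cleanup. Adding `exit:` on the line before `mbedtls_gcm_free( &ctx );` in both decrypt functions keeps the free on the failure path and makes the four test cases consistent.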
@@ -321,20 +313,16 @@ void gcm_encrypt_and_tag_empty_cipher( int cipher_id, data_t * iv_str, data_t * add_str, data_t * tag_str, - int cipher_update_calls, - int init_result ) + int cipher_update_calls ) { mbedtls_gcm_context ctx; mbedtls_gcm_init( &ctx ); - TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == init_result ); - if( init_result == 0 ) - { - check_empty_cipher_with_ad( &ctx, MBEDTLS_GCM_ENCRYPT, - iv_str, add_str, tag_str, - cipher_update_calls ); - } + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_empty_cipher_with_ad( &ctx, MBEDTLS_GCM_ENCRYPT, + iv_str, add_str, tag_str, + cipher_update_calls ); exit: mbedtls_gcm_free( &ctx ); @@ -348,20 +336,16 @@ void gcm_encrypt_and_tag_empty_ad( int cipher_id, data_t * src_str, data_t * dst, data_t * tag_str, - int ad_update_calls, - int init_result ) + int ad_update_calls ) { mbedtls_gcm_context ctx; mbedtls_gcm_init( &ctx ); - TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == init_result ); - if( init_result == 0 ) - { - check_cipher_with_empty_ad( &ctx, MBEDTLS_GCM_ENCRYPT, - iv_str, src_str, dst, tag_str, - ad_update_calls ); - } + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_cipher_with_empty_ad( &ctx, MBEDTLS_GCM_ENCRYPT, + iv_str, src_str, dst, tag_str, + ad_update_calls ); exit: mbedtls_gcm_free( &ctx ); From 58d3a7ef9775eecdeacb3643d63b1c6f0d5a4b37 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 17 Jun 2021 23:48:08 +0200 Subject: [PATCH 14/16] Add GCM tests with vectors lengths non-dividable by 16. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_gcm.aes128_de.data | 36 ++++++++++++++++++---- tests/suites/test_suite_gcm.aes128_en.data | 36 ++++++++++++++++++---- 2 files changed, 60 insertions(+), 12 deletions(-) 
diff --git a/tests/suites/test_suite_gcm.aes128_de.data b/tests/suites/test_suite_gcm.aes128_de.data index ed41d1e3d5..7b823dd784 100644 --- a/tests/suites/test_suite_gcm.aes128_de.data +++ b/tests/suites/test_suite_gcm.aes128_de.data 
@@ -670,30 +670,54 @@ AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2 [#2] depends_on:MBEDTLS_AES_C gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"659b9e729d12f68b73fdc2f7260ab114":"fd0732a38224c3f16f58de3a7f333da2ecdb6eec92b469544a891966dd4f8fb64a711a793f1ef6a90e49765eacaccdd8cc438c2b57c51902d27a82ee4f24925a864a9513a74e734ddbf77204a99a3c0060fcfbaccae48fe509bc95c3d6e1b1592889c489801265715e6e4355a45357ce467c1caa2f1c3071bd3a9168a7d223e3":"459df18e2dfbd66d6ad04978432a6d97":"ee0b0b52a729c45b899cc924f46eb1908e55aaaeeaa0c4cdaacf57948a7993a6debd7b6cd7aa426dc3b3b6f56522ba3d5700a820b1697b8170bad9ca7caf1050f13d54fb1ddeb111086cb650e1c5f4a14b6a927205a83bf49f357576fd0f884a83b068154352076a6e36a5369436d2c8351f3e6bfec65b4816e3eb3f144ed7f9":32:"8e5a6a79":"FAIL":"":0 -AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 0 +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 128 bytes, ciphertext updates: 0 depends_on:MBEDTLS_AES_C gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":0 -AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. 
Ciphertext updates: 1 +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 128 bytes, ciphertext updates: 1 depends_on:MBEDTLS_AES_C gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":1 -AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 2 +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 128 bytes, ciphertext updates: 2 depends_on:MBEDTLS_AES_C gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":2 -AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 0 +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 90 bytes, ciphertext updates: 0 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"42c6e06f7f07c793864f6033f9022a41":"bd1258f14570dc663f81c31916bcb45490a7df15c95d827fd9e36aaf12f8fc51b8c0bc823faf1cccf9e6d6d3b132e874993325a1a2b1b61f9dacbb4a458de8d25dbf0ba4282d64a06686ddd0f099300b98e91362ffbeb44ebd22ad3c92ee06b230e234f85363642f57d0154aee09ff08d0e560b5728a5db8a18b26438177c45f":"ef675d5e33198af58e72d7f379dd35bd7234aa7a52ae28531ee2e77d6bf30f05c507b8cc72361f11e70017b30c0e374dd283d29c324c67d43d92868485b0ac2cc4e0dfef362df74c927f935d630611fa26c5be9bea49291d3875":"6640b62190bb4a11d4c7b37039bba6fb":0 + +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 90 bytes, ciphertext updates: 1 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"42c6e06f7f07c793864f6033f9022a41":"bd1258f14570dc663f81c31916bcb45490a7df15c95d827fd9e36aaf12f8fc51b8c0bc823faf1cccf9e6d6d3b132e874993325a1a2b1b61f9dacbb4a458de8d25dbf0ba4282d64a06686ddd0f099300b98e91362ffbeb44ebd22ad3c92ee06b230e234f85363642f57d0154aee09ff08d0e560b5728a5db8a18b26438177c45f":"ef675d5e33198af58e72d7f379dd35bd7234aa7a52ae28531ee2e77d6bf30f05c507b8cc72361f11e70017b30c0e374dd283d29c324c67d43d92868485b0ac2cc4e0dfef362df74c927f935d630611fa26c5be9bea49291d3875":"6640b62190bb4a11d4c7b37039bba6fb":1 + +AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 90 bytes, ciphertext updates: 2 +depends_on:MBEDTLS_AES_C 
+gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"42c6e06f7f07c793864f6033f9022a41":"bd1258f14570dc663f81c31916bcb45490a7df15c95d827fd9e36aaf12f8fc51b8c0bc823faf1cccf9e6d6d3b132e874993325a1a2b1b61f9dacbb4a458de8d25dbf0ba4282d64a06686ddd0f099300b98e91362ffbeb44ebd22ad3c92ee06b230e234f85363642f57d0154aee09ff08d0e560b5728a5db8a18b26438177c45f":"ef675d5e33198af58e72d7f379dd35bd7234aa7a52ae28531ee2e77d6bf30f05c507b8cc72361f11e70017b30c0e374dd283d29c324c67d43d92868485b0ac2cc4e0dfef362df74c927f935d630611fa26c5be9bea49291d3875":"6640b62190bb4a11d4c7b37039bba6fb":2 + +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 128 bytes, AD updates: 0 depends_on:MBEDTLS_AES_C gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":0 -AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 1 +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 128 bytes, AD updates: 1 depends_on:MBEDTLS_AES_C gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":1 -AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. AD updates: 2 +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 128 bytes, AD updates: 2 depends_on:MBEDTLS_AES_C gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":2 +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 51 bytes, AD updates: 0 +depends_on:MBEDTLS_AES_C 
+gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"24168b48b45759c8d4f9b061f0cbc16a":"b8e5ede75254cc4542191c7e7b0319ad81651451b639caf81c81c98301a4a0af70e291a4e35b448917be1e400fc64a22edf32913162558c2591ee3e80f397d73dfbc68b82da49bda9bcbb6aaf26919e21c1773cf51f6c5b71784f47978cc0d593b4be0259ab22b0b48de733a884c50a8c148c495973a8f5f84f2e93755666bf5":"be19c7e3d3e63f73d833c967d8d62f388ab9617a2adebe5abd99b5ec64599c46bc28bc62770e08995b0bbf27089e3e17b80424":"4aec633d4daed9ce76d697c11f66f34e":"cb7f10bda7da8a2569ed1f3b667127a1e0fb197283aa16ab8cddd43186bd126b118e671cab3e325877fe0e79f1863f89122c8f":0 + +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 51 bytes, AD updates: 1 +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"24168b48b45759c8d4f9b061f0cbc16a":"b8e5ede75254cc4542191c7e7b0319ad81651451b639caf81c81c98301a4a0af70e291a4e35b448917be1e400fc64a22edf32913162558c2591ee3e80f397d73dfbc68b82da49bda9bcbb6aaf26919e21c1773cf51f6c5b71784f47978cc0d593b4be0259ab22b0b48de733a884c50a8c148c495973a8f5f84f2e93755666bf5":"be19c7e3d3e63f73d833c967d8d62f388ab9617a2adebe5abd99b5ec64599c46bc28bc62770e08995b0bbf27089e3e17b80424":"4aec633d4daed9ce76d697c11f66f34e":"cb7f10bda7da8a2569ed1f3b667127a1e0fb197283aa16ab8cddd43186bd126b118e671cab3e325877fe0e79f1863f89122c8f":1 + +AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 51 bytes, AD updates: 2 +depends_on:MBEDTLS_AES_C 
+gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"24168b48b45759c8d4f9b061f0cbc16a":"b8e5ede75254cc4542191c7e7b0319ad81651451b639caf81c81c98301a4a0af70e291a4e35b448917be1e400fc64a22edf32913162558c2591ee3e80f397d73dfbc68b82da49bda9bcbb6aaf26919e21c1773cf51f6c5b71784f47978cc0d593b4be0259ab22b0b48de733a884c50a8c148c495973a8f5f84f2e93755666bf5":"be19c7e3d3e63f73d833c967d8d62f388ab9617a2adebe5abd99b5ec64599c46bc28bc62770e08995b0bbf27089e3e17b80424":"4aec633d4daed9ce76d697c11f66f34e":"cb7f10bda7da8a2569ed1f3b667127a1e0fb197283aa16ab8cddd43186bd126b118e671cab3e325877fe0e79f1863f89122c8f":2 + AES-GCM Bad IV (AES-128,128,0,0,32) #0 depends_on:MBEDTLS_AES_C gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT diff --git a/tests/suites/test_suite_gcm.aes128_en.data b/tests/suites/test_suite_gcm.aes128_en.data index 40b2e5fbf1..f4856bff24 100644 --- a/tests/suites/test_suite_gcm.aes128_en.data +++ b/tests/suites/test_suite_gcm.aes128_en.data 
@@ -670,30 +670,54 @@ AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2 [#2] depends_on:MBEDTLS_AES_C gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fe481476fce76efcfc78ed144b0756f1":"246e1f2babab8da98b17cc928bd49504d7d87ea2cc174f9ffb7dbafe5969ff824a0bcb52f35441d22f3edcd10fab0ec04c0bde5abd3624ca25cbb4541b5d62a3deb52c00b75d68aaf0504d51f95b8dcbebdd8433f4966c584ac7f8c19407ca927a79fa4ead2688c4a7baafb4c31ef83c05e8848ec2b4f657aab84c109c91c277":"1a2c18c6bf13b3b2785610c71ccd98ca":"b0ab3cb5256575774b8242b89badfbe0dfdfd04f5dd75a8e5f218b28d3f6bc085a013defa5f5b15dfb46132db58ed7a9ddb812d28ee2f962796ad988561a381c02d1cf37dca5fd33e081d61cc7b3ab0b477947524a4ca4cb48c36f48b302c440be6f5777518a60585a8a16cea510dbfc5580b0daac49a2b1242ff55e91a8eae8":"5587620bbb77f70afdf3cdb7ae390edd0473286d86d3f862ad70902d90ff1d315947c959f016257a8fe1f52cc22a54f21de8cb60b74808ac7b22ea7a15945371e18b77c9571aad631aa080c60c1e472019fa85625fc80ed32a51d05e397a8987c8fece197a566689d24d05361b6f3a75616c89db6123bf5902960b21a18bc03a":32:"bd4265a8":0 -AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 0 +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 128 bytes, ciphertext updates: 0 depends_on:MBEDTLS_AES_C gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":0 -AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. 
Ciphertext updates: 1 +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 128 bytes, ciphertext updates: 1 depends_on:MBEDTLS_AES_C gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":1 -AES-GCM NIST CAVS 14.0 - Empty ciphertext. Non-empty AD. Ciphertext updates: 2 +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 128 bytes, ciphertext updates: 2 depends_on:MBEDTLS_AES_C gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":2 -AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 0 +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 90 bytes, ciphertext updates: 0 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"20b5b6b854e187b058a84d57bc1538b6":"94c1935afc061cbf254b936f":"ca418e71dbf810038174eaa3719b3fcb80531c7110ad9192d105eeaafa15b819ac005668752b344ed1b22faf77048baf03dbddb3b47d6b00e95c4f005e0cc9b7627ccafd3f21b3312aa8d91d3fa0893fe5bff7d44ca46f23afe0":"b37286ebaf4a54e0ffc2a1deafc9f6db":0 + +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 90 bytes, ciphertext updates: 1 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"20b5b6b854e187b058a84d57bc1538b6":"94c1935afc061cbf254b936f":"ca418e71dbf810038174eaa3719b3fcb80531c7110ad9192d105eeaafa15b819ac005668752b344ed1b22faf77048baf03dbddb3b47d6b00e95c4f005e0cc9b7627ccafd3f21b3312aa8d91d3fa0893fe5bff7d44ca46f23afe0":"b37286ebaf4a54e0ffc2a1deafc9f6db":1 + +AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 90 bytes, ciphertext updates: 2 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"20b5b6b854e187b058a84d57bc1538b6":"94c1935afc061cbf254b936f":"ca418e71dbf810038174eaa3719b3fcb80531c7110ad9192d105eeaafa15b819ac005668752b344ed1b22faf77048baf03dbddb3b47d6b00e95c4f005e0cc9b7627ccafd3f21b3312aa8d91d3fa0893fe5bff7d44ca46f23afe0":"b37286ebaf4a54e0ffc2a1deafc9f6db":2 + +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 128 bytes, AD updates: 0 depends_on:MBEDTLS_AES_C 
gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":0 -AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. AD updates: 1 +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 128 bytes, AD updates: 1 depends_on:MBEDTLS_AES_C gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":1 -AES-GCM NIST CAVS 14.0 - Empty AD. Non-empty ciphertext. 
AD updates: 2 +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 128 bytes, AD updates: 2 depends_on:MBEDTLS_AES_C gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":2 +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 51 bytes, AD updates: 0 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"594157ec4693202b030f33798b07176d":"49b12054082660803a1df3df":"3feef98a976a1bd634f364ac428bb59cd51fb159ec1789946918dbd50ea6c9d594a3a31a5269b0da6936c29d063a5fa2cc8a1c":"c1b7a46a335f23d65b8db4008a49796906e225474f4fe7d39e55bf2efd97fd82d4167de082ae30fa01e465a601235d8d68bc69":"ba92d3661ce8b04687e8788d55417dc2":0 + +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 51 bytes, AD updates: 1 +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"594157ec4693202b030f33798b07176d":"49b12054082660803a1df3df":"3feef98a976a1bd634f364ac428bb59cd51fb159ec1789946918dbd50ea6c9d594a3a31a5269b0da6936c29d063a5fa2cc8a1c":"c1b7a46a335f23d65b8db4008a49796906e225474f4fe7d39e55bf2efd97fd82d4167de082ae30fa01e465a601235d8d68bc69":"ba92d3661ce8b04687e8788d55417dc2":1 + +AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 51 bytes, AD updates: 2 +depends_on:MBEDTLS_AES_C 
+gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"594157ec4693202b030f33798b07176d":"49b12054082660803a1df3df":"3feef98a976a1bd634f364ac428bb59cd51fb159ec1789946918dbd50ea6c9d594a3a31a5269b0da6936c29d063a5fa2cc8a1c":"c1b7a46a335f23d65b8db4008a49796906e225474f4fe7d39e55bf2efd97fd82d4167de082ae30fa01e465a601235d8d68bc69":"ba92d3661ce8b04687e8788d55417dc2":2 + AES-GCM Bad IV (AES-128,128,0,0,32) #0 depends_on:MBEDTLS_AES_C gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_ENCRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT From 469c9f35f6934e5e0727a5d47c5dd598a9ab4afd Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Fri, 18 Jun 2021 00:06:52 +0200 Subject: [PATCH 15/16] Add GCM tests for empty ciphertext/plaintext and empty AD. Signed-off-by: Mateusz Starzyk --- tests/suites/test_suite_gcm.aes128_de.data | 4 ++ tests/suites/test_suite_gcm.aes128_en.data | 4 ++ tests/suites/test_suite_gcm.function | 53 ++++++++++++++++++++++ 3 files changed, 61 insertions(+) diff --git a/tests/suites/test_suite_gcm.aes128_de.data b/tests/suites/test_suite_gcm.aes128_de.data index 7b823dd784..3df31e56bf 100644 --- a/tests/suites/test_suite_gcm.aes128_de.data +++ b/tests/suites/test_suite_gcm.aes128_de.data 
@@ -718,6 +718,10 @@ AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 51 bytes, AD updates: 2 depends_on:MBEDTLS_AES_C gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"24168b48b45759c8d4f9b061f0cbc16a":"b8e5ede75254cc4542191c7e7b0319ad81651451b639caf81c81c98301a4a0af70e291a4e35b448917be1e400fc64a22edf32913162558c2591ee3e80f397d73dfbc68b82da49bda9bcbb6aaf26919e21c1773cf51f6c5b71784f47978cc0d593b4be0259ab22b0b48de733a884c50a8c148c495973a8f5f84f2e93755666bf5":"be19c7e3d3e63f73d833c967d8d62f388ab9617a2adebe5abd99b5ec64599c46bc28bc62770e08995b0bbf27089e3e17b80424":"4aec633d4daed9ce76d697c11f66f34e":"cb7f10bda7da8a2569ed1f3b667127a1e0fb197283aa16ab8cddd43186bd126b118e671cab3e325877fe0e79f1863f89122c8f":2 +AES-GCM NIST - empty AD, empty ciphertext +depends_on:MBEDTLS_AES_C +gcm_decrypt_and_verify_no_ad_no_cipher:MBEDTLS_CIPHER_ID_AES:"cf063a34d4a9a76c2c86787d3f96db71":"113b9785971864c83b01c787":"72ac8493e3a5228b5d130a69d2510e42" + AES-GCM Bad IV (AES-128,128,0,0,32) #0 depends_on:MBEDTLS_AES_C gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT diff --git a/tests/suites/test_suite_gcm.aes128_en.data b/tests/suites/test_suite_gcm.aes128_en.data index f4856bff24..d60c458bcd 100644 --- a/tests/suites/test_suite_gcm.aes128_en.data +++ b/tests/suites/test_suite_gcm.aes128_en.data 
@@ -718,6 +718,10 @@ AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 51 bytes, AD updates: 2 depends_on:MBEDTLS_AES_C gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"594157ec4693202b030f33798b07176d":"49b12054082660803a1df3df":"3feef98a976a1bd634f364ac428bb59cd51fb159ec1789946918dbd50ea6c9d594a3a31a5269b0da6936c29d063a5fa2cc8a1c":"c1b7a46a335f23d65b8db4008a49796906e225474f4fe7d39e55bf2efd97fd82d4167de082ae30fa01e465a601235d8d68bc69":"ba92d3661ce8b04687e8788d55417dc2":2 +AES-GCM NIST - empty AD, empty plaintext +depends_on:MBEDTLS_AES_C +gcm_encrypt_and_verify_no_ad_no_cipher:MBEDTLS_CIPHER_ID_AES:"11754cd72aec309bf52f7687212e8957":"3c819d9a9bed087615030b65":"250327c674aaf477aef2675748cf6971" + AES-GCM Bad IV (AES-128,128,0,0,32) #0 depends_on:MBEDTLS_AES_C gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_ENCRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index af5cacd98c..005c49884c 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -132,6 +132,23 @@ exit: mbedtls_free( output_tag ); } +static void check_no_cipher_no_ad( mbedtls_gcm_context *ctx, + int mode, + const data_t *iv, + const data_t *tag ) +{ + uint8_t *output = NULL; + + TEST_EQUAL( 0, mbedtls_gcm_starts( ctx, mode, + iv->x, iv->len ) ); + ASSERT_ALLOC( output, tag->len ); + TEST_EQUAL( 0, mbedtls_gcm_finish( ctx, NULL, 0, output, tag->len ) ); + ASSERT_COMPARE( output, tag->len, tag->x, tag->len ); + +exit: + mbedtls_free( output ); +} + /* END_HEADER */ /* BEGIN_DEPENDENCIES 
@@ -307,6 +324,24 @@ void gcm_decrypt_and_verify_empty_ad( int cipher_id, } /* END_CASE */ +/* BEGIN_CASE */ +void gcm_decrypt_and_verify_no_ad_no_cipher( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * tag_str ) +{ + mbedtls_gcm_context ctx; + + mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_no_cipher_no_ad( &ctx, MBEDTLS_GCM_DECRYPT, + iv_str, tag_str ); + + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + /* BEGIN_CASE */ void gcm_encrypt_and_tag_empty_cipher( int cipher_id, data_t * key_str, @@ -352,6 +387,24 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void gcm_encrypt_and_verify_no_ad_no_cipher( int cipher_id, + data_t * key_str, + data_t * iv_str, + data_t * tag_str ) +{ + mbedtls_gcm_context ctx; + + mbedtls_gcm_init( &ctx ); + + TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 ); + check_no_cipher_no_ad( &ctx, MBEDTLS_GCM_ENCRYPT, + iv_str, tag_str ); + + mbedtls_gcm_free( &ctx ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:NOT_DEFINED */ void gcm_invalid_param( ) { From 939a54cda35d927f4c9869d0c2108fab8296c620 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Tue, 22 Jun 2021 11:12:28 +0200 Subject: [PATCH 16/16] Fix typos and style issues. Signed-off-by: Mateusz Starzyk --- library/gcm.c | 10 +++++----- tests/suites/test_suite_gcm.function | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/library/gcm.c b/library/gcm.c index 02265ce897..8fa4ee779b 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -281,7 +281,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, GCM_VALIDATE_RET( ctx != NULL ); GCM_VALIDATE_RET( iv != NULL ); - /* IV is are limited to 2^64 bits, so 2^61 bytes */ + /* IV is limited to 2^64 bits, so 2^61 bytes */ /* IV is not allowed to be zero length */ if( iv_len == 0 || (uint64_t) iv_len >> 61 != 0 ) return( MBEDTLS_ERR_GCM_BAD_INPUT ); 
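Review bot: `gcm_decrypt_and_verify_no_ad_no_cipher` has no `exit:` label ahead of `mbedtls_gcm_free( &ctx );`, unlike the neighbouring cases, whose cleanup sits under an explicit `exit:`. The test macros appear to jump to `exit` on failure (the new helper `check_no_cipher_no_ad` is written that way), so a failing `mbedtls_gcm_setkey` would likely bypass the free and leave the context uncleaned. Put `exit:` on its own line directly before `mbedtls_gcm_free( &ctx );`. The same applies to `gcm_encrypt_and_verify_no_ad_no_cipher` in the next hunk of this file.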
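Review bot: The name `gcm_encrypt_and_verify_no_ad_no_cipher` breaks the pattern of the encrypt-side cases around it, which are `gcm_encrypt_and_tag_empty_cipher` and `gcm_encrypt_and_tag_empty_ad`. The body only computes a tag through `check_no_cipher_no_ad` and compares it with the expected value, so nothing is verified in the decrypt sense. `gcm_encrypt_and_tag_no_ad_no_cipher` would match the siblings, with the new entry in `test_suite_gcm.aes128_en.data` renamed to follow.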
@@ -335,8 +335,8 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, /** * mbedtls_gcm_context::buf contains the partial state of the computation of * the authentication tag. - * mbedtls_gcm_context::::add_len and mbedtls_gcm_context::len indicate - * differenet stages of the computation: + * mbedtls_gcm_context::add_len and mbedtls_gcm_context::len indicate + * different stages of the computation: * * len == 0 && add_len == 0: initial state * * len == 0 && add_len % 16 != 0: the first `add_len % 16` bytes have * a partial block of AD that has been @@ -357,7 +357,7 @@ int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx, GCM_VALIDATE_RET( add_len == 0 || add != NULL ); - /* IV is are limited to 2^64 bits, so 2^61 bytes */ + /* IV is limited to 2^64 bits, so 2^61 bytes */ if( (uint64_t) add_len >> 61 != 0 ) return( MBEDTLS_ERR_GCM_BAD_INPUT ); @@ -370,7 +370,7 @@ int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx, if( use_len > add_len ) use_len = add_len; - for ( i = 0; i < use_len; i++ ) + for( i = 0; i < use_len; i++ ) ctx->buf[i+offset] ^= p[i]; if( offset + use_len == 16 ) diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index 005c49884c..49859dda91 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -79,7 +79,7 @@ static void check_cipher_with_empty_ad( mbedtls_gcm_context *ctx, TEST_EQUAL( 0, mbedtls_gcm_starts( ctx, mode, iv->x, iv->len ) ); - for( n = 0; n < ad_update_count; n += 1 ) + for( n = 0; n < ad_update_count; n++ ) { TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, NULL, 0 ) ); } @@ -117,7 +117,7 @@ static void check_empty_cipher_with_ad( mbedtls_gcm_context *ctx, TEST_EQUAL( 0, mbedtls_gcm_starts( ctx, mode, iv->x, iv->len ) ); TEST_EQUAL( 0, mbedtls_gcm_update_ad( ctx, add->x, add->len ) ); - for( n = 0; n < cipher_update_count; n += 1 ) + for( n = 0; n < cipher_update_count; n++ ) { olen = 0xdeadbeef; TEST_EQUAL( 0, mbedtls_gcm_update( ctx, NULL, 0, NULL, 0, &olen ) );
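Review bot: The corrected comment in `mbedtls_gcm_update_ad` (hunk at -357) still says IV, but the check below it tests `add_len`, so it should read `/* AD is limited to 2^64 bits, so 2^61 bytes */`. Beyond the wording, the guard looks only at the length passed to the current call. Since this series allows repeated calls, the limit is better enforced on the running total, for example `if( ctx->add_len + add_len < ctx->add_len || ( ctx->add_len + add_len ) >> 61 != 0 )` ahead of the existing `return( MBEDTLS_ERR_GCM_BAD_INPUT );`. That assumes `ctx->add_len` is a 64-bit counter, which the page does not show. The function body starts and ends outside the hunk.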