mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-01-16 22:20:56 +00:00
8ad56b822b
This commit fixes issues with TEST_CALLOC in GCM buffer overlap tests cases. Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
744 lines
25 KiB
C
744 lines
25 KiB
C
/* BEGIN_HEADER */
|
|
#include "mbedtls/gcm.h"
|
|
|
|
/* Use the multipart interface to process the encrypted data in two parts
|
|
* and check that the output matches the expected output.
|
|
* The context must have been set up with the key. */
|
|
static int check_multipart(mbedtls_gcm_context *ctx,
|
|
int mode,
|
|
const data_t *iv,
|
|
const data_t *add,
|
|
const data_t *input,
|
|
const data_t *expected_output,
|
|
const data_t *tag,
|
|
size_t n1,
|
|
size_t n1_add)
|
|
{
|
|
int ok = 0;
|
|
uint8_t *output = NULL;
|
|
size_t n2 = input->len - n1;
|
|
size_t n2_add = add->len - n1_add;
|
|
size_t olen;
|
|
|
|
/* Sanity checks on the test data */
|
|
TEST_ASSERT(n1 <= input->len);
|
|
TEST_ASSERT(n1_add <= add->len);
|
|
TEST_EQUAL(input->len, expected_output->len);
|
|
|
|
TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode,
|
|
iv->x, iv->len));
|
|
TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, add->x, n1_add));
|
|
TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, add->x + n1_add, n2_add));
|
|
|
|
/* Allocate a tight buffer for each update call. This way, if the function
|
|
* tries to write beyond the advertised required buffer size, this will
|
|
* count as an overflow for memory sanitizers and static checkers. */
|
|
TEST_CALLOC(output, n1);
|
|
olen = 0xdeadbeef;
|
|
TEST_EQUAL(0, mbedtls_gcm_update(ctx, input->x, n1, output, n1, &olen));
|
|
TEST_EQUAL(n1, olen);
|
|
TEST_MEMORY_COMPARE(output, olen, expected_output->x, n1);
|
|
mbedtls_free(output);
|
|
output = NULL;
|
|
|
|
TEST_CALLOC(output, n2);
|
|
olen = 0xdeadbeef;
|
|
TEST_EQUAL(0, mbedtls_gcm_update(ctx, input->x + n1, n2, output, n2, &olen));
|
|
TEST_EQUAL(n2, olen);
|
|
TEST_MEMORY_COMPARE(output, olen, expected_output->x + n1, n2);
|
|
mbedtls_free(output);
|
|
output = NULL;
|
|
|
|
TEST_CALLOC(output, tag->len);
|
|
TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen, output, tag->len));
|
|
TEST_EQUAL(0, olen);
|
|
TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len);
|
|
mbedtls_free(output);
|
|
output = NULL;
|
|
|
|
ok = 1;
|
|
exit:
|
|
mbedtls_free(output);
|
|
return ok;
|
|
}
|
|
|
|
static void check_cipher_with_empty_ad(mbedtls_gcm_context *ctx,
|
|
int mode,
|
|
const data_t *iv,
|
|
const data_t *input,
|
|
const data_t *expected_output,
|
|
const data_t *tag,
|
|
size_t ad_update_count)
|
|
{
|
|
size_t n;
|
|
uint8_t *output = NULL;
|
|
size_t olen;
|
|
|
|
/* Sanity checks on the test data */
|
|
TEST_EQUAL(input->len, expected_output->len);
|
|
|
|
TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode,
|
|
iv->x, iv->len));
|
|
|
|
for (n = 0; n < ad_update_count; n++) {
|
|
TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, NULL, 0));
|
|
}
|
|
|
|
/* Allocate a tight buffer for each update call. This way, if the function
|
|
* tries to write beyond the advertised required buffer size, this will
|
|
* count as an overflow for memory sanitizers and static checkers. */
|
|
TEST_CALLOC(output, input->len);
|
|
olen = 0xdeadbeef;
|
|
TEST_EQUAL(0, mbedtls_gcm_update(ctx, input->x, input->len, output, input->len, &olen));
|
|
TEST_EQUAL(input->len, olen);
|
|
TEST_MEMORY_COMPARE(output, olen, expected_output->x, input->len);
|
|
mbedtls_free(output);
|
|
output = NULL;
|
|
|
|
TEST_CALLOC(output, tag->len);
|
|
TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen, output, tag->len));
|
|
TEST_EQUAL(0, olen);
|
|
TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len);
|
|
|
|
exit:
|
|
mbedtls_free(output);
|
|
}
|
|
|
|
static void check_empty_cipher_with_ad(mbedtls_gcm_context *ctx,
|
|
int mode,
|
|
const data_t *iv,
|
|
const data_t *add,
|
|
const data_t *tag,
|
|
size_t cipher_update_count)
|
|
{
|
|
size_t olen;
|
|
size_t n;
|
|
uint8_t *output_tag = NULL;
|
|
|
|
TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode, iv->x, iv->len));
|
|
TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, add->x, add->len));
|
|
|
|
for (n = 0; n < cipher_update_count; n++) {
|
|
olen = 0xdeadbeef;
|
|
TEST_EQUAL(0, mbedtls_gcm_update(ctx, NULL, 0, NULL, 0, &olen));
|
|
TEST_EQUAL(0, olen);
|
|
}
|
|
|
|
TEST_CALLOC(output_tag, tag->len);
|
|
TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen,
|
|
output_tag, tag->len));
|
|
TEST_EQUAL(0, olen);
|
|
TEST_MEMORY_COMPARE(output_tag, tag->len, tag->x, tag->len);
|
|
|
|
exit:
|
|
mbedtls_free(output_tag);
|
|
}
|
|
|
|
static void check_no_cipher_no_ad(mbedtls_gcm_context *ctx,
|
|
int mode,
|
|
const data_t *iv,
|
|
const data_t *tag)
|
|
{
|
|
uint8_t *output = NULL;
|
|
size_t olen = 0;
|
|
|
|
TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode,
|
|
iv->x, iv->len));
|
|
TEST_CALLOC(output, tag->len);
|
|
TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen, output, tag->len));
|
|
TEST_EQUAL(0, olen);
|
|
TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len);
|
|
|
|
exit:
|
|
mbedtls_free(output);
|
|
}
|
|
|
|
static void gcm_reset_ctx(mbedtls_gcm_context *ctx, const uint8_t *key,
|
|
size_t key_bits, const uint8_t *iv, size_t iv_len,
|
|
int starts_ret)
|
|
{
|
|
int mode = MBEDTLS_GCM_ENCRYPT;
|
|
mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES;
|
|
|
|
mbedtls_gcm_init(ctx);
|
|
TEST_EQUAL(mbedtls_gcm_setkey(ctx, valid_cipher, key, key_bits), 0);
|
|
TEST_EQUAL(starts_ret, mbedtls_gcm_starts(ctx, mode, iv, iv_len));
|
|
exit:
|
|
/* empty */
|
|
return;
|
|
}
|
|
|
|
/* END_HEADER */
|
|
|
|
/* BEGIN_DEPENDENCIES
|
|
* depends_on:MBEDTLS_GCM_C
|
|
* END_DEPENDENCIES
|
|
*/
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_bad_parameters(int cipher_id, int direction,
|
|
data_t *key_str, data_t *src_str,
|
|
data_t *iv_str, data_t *add_str,
|
|
int tag_len_bits, int gcm_result)
|
|
{
|
|
unsigned char output[128];
|
|
unsigned char tag_output[16];
|
|
mbedtls_gcm_context ctx;
|
|
size_t tag_len = tag_len_bits / 8;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
memset(output, 0x00, sizeof(output));
|
|
memset(tag_output, 0x00, sizeof(tag_output));
|
|
|
|
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
|
|
TEST_ASSERT(mbedtls_gcm_crypt_and_tag(&ctx, direction, src_str->len, iv_str->x, iv_str->len,
|
|
add_str->x, add_str->len, src_str->x, output, tag_len,
|
|
tag_output) == gcm_result);
|
|
|
|
exit:
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_encrypt_and_tag(int cipher_id, data_t *key_str,
|
|
data_t *src_str, data_t *iv_str,
|
|
data_t *add_str, data_t *dst,
|
|
int tag_len_bits, data_t *tag,
|
|
int init_result)
|
|
{
|
|
unsigned char output[128];
|
|
unsigned char tag_output[16];
|
|
mbedtls_gcm_context ctx;
|
|
size_t tag_len = tag_len_bits / 8;
|
|
size_t n1;
|
|
size_t n1_add;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
memset(output, 0x00, 128);
|
|
memset(tag_output, 0x00, 16);
|
|
|
|
|
|
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result);
|
|
if (init_result == 0) {
|
|
TEST_ASSERT(mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT, src_str->len, iv_str->x,
|
|
iv_str->len, add_str->x, add_str->len, src_str->x,
|
|
output, tag_len, tag_output) == 0);
|
|
|
|
TEST_MEMORY_COMPARE(output, src_str->len, dst->x, dst->len);
|
|
TEST_MEMORY_COMPARE(tag_output, tag_len, tag->x, tag->len);
|
|
|
|
for (n1 = 0; n1 <= src_str->len; n1 += 1) {
|
|
for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) {
|
|
mbedtls_test_set_step(n1 * 10000 + n1_add);
|
|
if (!check_multipart(&ctx, MBEDTLS_GCM_ENCRYPT,
|
|
iv_str, add_str, src_str,
|
|
dst, tag,
|
|
n1, n1_add)) {
|
|
goto exit;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
exit:
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_decrypt_and_verify(int cipher_id, data_t *key_str,
|
|
data_t *src_str, data_t *iv_str,
|
|
data_t *add_str, int tag_len_bits,
|
|
data_t *tag_str, char *result,
|
|
data_t *pt_result, int init_result)
|
|
{
|
|
unsigned char output[128];
|
|
mbedtls_gcm_context ctx;
|
|
int ret;
|
|
size_t tag_len = tag_len_bits / 8;
|
|
size_t n1;
|
|
size_t n1_add;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
memset(output, 0x00, 128);
|
|
|
|
|
|
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result);
|
|
if (init_result == 0) {
|
|
ret = mbedtls_gcm_auth_decrypt(&ctx,
|
|
src_str->len,
|
|
iv_str->x,
|
|
iv_str->len,
|
|
add_str->x,
|
|
add_str->len,
|
|
tag_str->x,
|
|
tag_len,
|
|
src_str->x,
|
|
output);
|
|
|
|
if (strcmp("FAIL", result) == 0) {
|
|
TEST_ASSERT(ret == MBEDTLS_ERR_GCM_AUTH_FAILED);
|
|
} else {
|
|
TEST_ASSERT(ret == 0);
|
|
TEST_MEMORY_COMPARE(output, src_str->len, pt_result->x, pt_result->len);
|
|
|
|
for (n1 = 0; n1 <= src_str->len; n1 += 1) {
|
|
for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) {
|
|
mbedtls_test_set_step(n1 * 10000 + n1_add);
|
|
if (!check_multipart(&ctx, MBEDTLS_GCM_DECRYPT,
|
|
iv_str, add_str, src_str,
|
|
pt_result, tag_str,
|
|
n1, n1_add)) {
|
|
goto exit;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
exit:
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_decrypt_and_verify_empty_cipher(int cipher_id,
|
|
data_t *key_str,
|
|
data_t *iv_str,
|
|
data_t *add_str,
|
|
data_t *tag_str,
|
|
int cipher_update_calls)
|
|
{
|
|
mbedtls_gcm_context ctx;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
|
|
check_empty_cipher_with_ad(&ctx, MBEDTLS_GCM_DECRYPT,
|
|
iv_str, add_str, tag_str,
|
|
cipher_update_calls);
|
|
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_decrypt_and_verify_empty_ad(int cipher_id,
|
|
data_t *key_str,
|
|
data_t *iv_str,
|
|
data_t *src_str,
|
|
data_t *tag_str,
|
|
data_t *pt_result,
|
|
int ad_update_calls)
|
|
{
|
|
mbedtls_gcm_context ctx;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
|
|
check_cipher_with_empty_ad(&ctx, MBEDTLS_GCM_DECRYPT,
|
|
iv_str, src_str, pt_result, tag_str,
|
|
ad_update_calls);
|
|
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_decrypt_and_verify_no_ad_no_cipher(int cipher_id,
|
|
data_t *key_str,
|
|
data_t *iv_str,
|
|
data_t *tag_str)
|
|
{
|
|
mbedtls_gcm_context ctx;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
|
|
check_no_cipher_no_ad(&ctx, MBEDTLS_GCM_DECRYPT,
|
|
iv_str, tag_str);
|
|
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_encrypt_and_tag_empty_cipher(int cipher_id,
|
|
data_t *key_str,
|
|
data_t *iv_str,
|
|
data_t *add_str,
|
|
data_t *tag_str,
|
|
int cipher_update_calls)
|
|
{
|
|
mbedtls_gcm_context ctx;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
|
|
check_empty_cipher_with_ad(&ctx, MBEDTLS_GCM_ENCRYPT,
|
|
iv_str, add_str, tag_str,
|
|
cipher_update_calls);
|
|
|
|
exit:
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_encrypt_and_tag_empty_ad(int cipher_id,
|
|
data_t *key_str,
|
|
data_t *iv_str,
|
|
data_t *src_str,
|
|
data_t *dst,
|
|
data_t *tag_str,
|
|
int ad_update_calls)
|
|
{
|
|
mbedtls_gcm_context ctx;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
|
|
check_cipher_with_empty_ad(&ctx, MBEDTLS_GCM_ENCRYPT,
|
|
iv_str, src_str, dst, tag_str,
|
|
ad_update_calls);
|
|
|
|
exit:
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_encrypt_and_verify_no_ad_no_cipher(int cipher_id,
|
|
data_t *key_str,
|
|
data_t *iv_str,
|
|
data_t *tag_str)
|
|
{
|
|
mbedtls_gcm_context ctx;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
|
|
check_no_cipher_no_ad(&ctx, MBEDTLS_GCM_ENCRYPT,
|
|
iv_str, tag_str);
|
|
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_invalid_param()
|
|
{
|
|
mbedtls_gcm_context ctx;
|
|
unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
|
|
mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES;
|
|
int invalid_bitlen = 1;
|
|
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
/* mbedtls_gcm_setkey */
|
|
TEST_EQUAL(
|
|
MBEDTLS_ERR_GCM_BAD_INPUT,
|
|
mbedtls_gcm_setkey(&ctx, valid_cipher, valid_buffer, invalid_bitlen));
|
|
|
|
exit:
|
|
mbedtls_gcm_free(&ctx);
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_update_output_buffer_too_small(int cipher_id, int mode,
|
|
data_t *key_str, const data_t *input,
|
|
const data_t *iv)
|
|
{
|
|
mbedtls_gcm_context ctx;
|
|
uint8_t *output = NULL;
|
|
size_t olen = 0;
|
|
size_t output_len = input->len - 1;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
TEST_EQUAL(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8), 0);
|
|
TEST_EQUAL(0, mbedtls_gcm_starts(&ctx, mode, iv->x, iv->len));
|
|
|
|
TEST_CALLOC(output, output_len);
|
|
TEST_EQUAL(MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL,
|
|
mbedtls_gcm_update(&ctx, input->x, input->len, output, output_len, &olen));
|
|
|
|
exit:
|
|
mbedtls_free(output);
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
/* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of IV should
|
|
* satisfy 1 <= bit_len(IV) <= 2^64 - 1. */
|
|
void gcm_invalid_iv_len(void)
|
|
{
|
|
mbedtls_gcm_context ctx;
|
|
mbedtls_gcm_init(&ctx);
|
|
uint8_t b16[16] = { 0 };
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
|
|
// Invalid IV length 0
|
|
gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 0, MBEDTLS_ERR_GCM_BAD_INPUT);
|
|
mbedtls_gcm_free(&ctx);
|
|
|
|
// Only testable on platforms where sizeof(size_t) >= 8.
|
|
#if SIZE_MAX >= UINT64_MAX
|
|
// Invalid IV length 2^61
|
|
gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 1ULL << 61, MBEDTLS_ERR_GCM_BAD_INPUT);
|
|
mbedtls_gcm_free(&ctx);
|
|
#endif
|
|
|
|
goto exit; /* To suppress error that exit is defined but not used */
|
|
exit:
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_add_len_too_long(void)
|
|
{
|
|
// Only testable on platforms where sizeof(size_t) >= 8.
|
|
#if SIZE_MAX >= UINT64_MAX
|
|
mbedtls_gcm_context ctx;
|
|
mbedtls_gcm_init(&ctx);
|
|
uint8_t b16[16] = { 0 };
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
|
|
/* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of AD should
|
|
* be <= 2^64 - 1, ie < 2^64. This is the minimum invalid length in bytes. */
|
|
uint64_t len_max = 1ULL << 61;
|
|
|
|
gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
|
|
// Feed AD that just exceeds the length limit
|
|
TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max),
|
|
MBEDTLS_ERR_GCM_BAD_INPUT);
|
|
mbedtls_gcm_free(&ctx);
|
|
|
|
gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
|
|
// Feed AD that just exceeds the length limit in two calls
|
|
TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0);
|
|
TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max - 1),
|
|
MBEDTLS_ERR_GCM_BAD_INPUT);
|
|
mbedtls_gcm_free(&ctx);
|
|
|
|
gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
|
|
// Test if potential total AD length overflow is handled properly
|
|
TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0);
|
|
TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, UINT64_MAX), MBEDTLS_ERR_GCM_BAD_INPUT);
|
|
|
|
exit:
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
#endif
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_input_len_too_long(void)
|
|
{
|
|
// Only testable on platforms where sizeof(size_t) >= 8
|
|
#if SIZE_MAX >= UINT64_MAX
|
|
mbedtls_gcm_context ctx;
|
|
uint8_t b16[16] = { 0 };
|
|
uint8_t out[1];
|
|
size_t out_len;
|
|
mbedtls_gcm_init(&ctx);
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
|
|
/* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of input should
|
|
* be <= 2^39 - 256. This is the maximum valid length in bytes. */
|
|
uint64_t len_max = (1ULL << 36) - 32;
|
|
|
|
gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
|
|
// Feed input that just exceeds the length limit
|
|
TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max + 1, out, len_max + 1,
|
|
&out_len),
|
|
MBEDTLS_ERR_GCM_BAD_INPUT);
|
|
mbedtls_gcm_free(&ctx);
|
|
|
|
gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
|
|
// Feed input that just exceeds the length limit in two calls
|
|
TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0);
|
|
TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max, out, len_max, &out_len),
|
|
MBEDTLS_ERR_GCM_BAD_INPUT);
|
|
mbedtls_gcm_free(&ctx);
|
|
|
|
gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
|
|
// Test if potential total input length overflow is handled properly
|
|
TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0);
|
|
TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, UINT64_MAX, out, UINT64_MAX,
|
|
&out_len),
|
|
MBEDTLS_ERR_GCM_BAD_INPUT);
|
|
|
|
exit:
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
#endif
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_encrypt_input_output_buffer_overlap(int cipher_id, data_t *key_str,
|
|
data_t *src_str, data_t *iv_str,
|
|
data_t *add_str, data_t *dst,
|
|
int tag_len_bits, data_t *tag,
|
|
int init_result)
|
|
{
|
|
unsigned char *buffer = NULL;
|
|
size_t buffer_len;
|
|
unsigned char tag_output[16];
|
|
mbedtls_gcm_context ctx;
|
|
size_t tag_len = tag_len_bits / 8;
|
|
size_t n1;
|
|
size_t n1_add;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
/* GCM includes padding and therefore input length can be shorter than the output length
|
|
* Therefore we must ensure we round up to the nearest 128-bits/16-bytes.
|
|
*/
|
|
buffer_len = src_str->len;
|
|
if (buffer_len % 16 != 0 || buffer_len == 0) {
|
|
buffer_len += (16 - (buffer_len % 16));
|
|
}
|
|
TEST_CALLOC(buffer, buffer_len);
|
|
memcpy(buffer, src_str->x, src_str->len);
|
|
|
|
memset(tag_output, 0x00, 16);
|
|
|
|
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result);
|
|
if (init_result == 0) {
|
|
TEST_ASSERT(mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT, src_str->len, iv_str->x,
|
|
iv_str->len, add_str->x, add_str->len, buffer,
|
|
buffer, tag_len, tag_output) == 0);
|
|
|
|
TEST_MEMORY_COMPARE(buffer, src_str->len, dst->x, dst->len);
|
|
TEST_MEMORY_COMPARE(tag_output, tag_len, tag->x, tag->len);
|
|
|
|
for (n1 = 0; n1 <= src_str->len; n1 += 1) {
|
|
for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) {
|
|
mbedtls_test_set_step(n1 * 10000 + n1_add);
|
|
if (!check_multipart(&ctx, MBEDTLS_GCM_ENCRYPT,
|
|
iv_str, add_str, src_str,
|
|
dst, tag,
|
|
n1, n1_add)) {
|
|
goto exit;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
exit:
|
|
mbedtls_free(buffer);
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void gcm_decrypt_input_output_buffer_overlap(int cipher_id, data_t *key_str,
|
|
data_t *src_str, data_t *iv_str,
|
|
data_t *add_str, int tag_len_bits,
|
|
data_t *tag_str, char *result,
|
|
data_t *pt_result, int init_result)
|
|
{
|
|
unsigned char *buffer = NULL;
|
|
size_t buffer_len;
|
|
mbedtls_gcm_context ctx;
|
|
int ret;
|
|
size_t tag_len = tag_len_bits / 8;
|
|
size_t n1;
|
|
size_t n1_add;
|
|
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
mbedtls_gcm_init(&ctx);
|
|
|
|
/* GCM includes padding and therefore input length can be shorter than the output length
|
|
* Therefore we must ensure we round up to the nearest 128-bits/16-bytes.
|
|
*/
|
|
buffer_len = src_str->len;
|
|
if (buffer_len % 16 != 0 || buffer_len == 0) {
|
|
buffer_len += (16 - (buffer_len % 16));
|
|
}
|
|
TEST_CALLOC(buffer, buffer_len);
|
|
memcpy(buffer, src_str->x, src_str->len);
|
|
|
|
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result);
|
|
if (init_result == 0) {
|
|
ret = mbedtls_gcm_auth_decrypt(&ctx,
|
|
src_str->len,
|
|
iv_str->x,
|
|
iv_str->len,
|
|
add_str->x,
|
|
add_str->len,
|
|
tag_str->x,
|
|
tag_len,
|
|
buffer,
|
|
buffer);
|
|
|
|
if (strcmp("FAIL", result) == 0) {
|
|
TEST_ASSERT(ret == MBEDTLS_ERR_GCM_AUTH_FAILED);
|
|
} else {
|
|
TEST_ASSERT(ret == 0);
|
|
TEST_MEMORY_COMPARE(buffer, src_str->len, pt_result->x, pt_result->len);
|
|
|
|
for (n1 = 0; n1 <= src_str->len; n1 += 1) {
|
|
for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) {
|
|
mbedtls_test_set_step(n1 * 10000 + n1_add);
|
|
if (!check_multipart(&ctx, MBEDTLS_GCM_DECRYPT,
|
|
iv_str, add_str, src_str,
|
|
pt_result, tag_str,
|
|
n1, n1_add)) {
|
|
goto exit;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
exit:
|
|
mbedtls_free(buffer);
|
|
mbedtls_gcm_free(&ctx);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_CCM_GCM_CAN_AES */
|
|
void gcm_selftest()
|
|
{
|
|
BLOCK_CIPHER_PSA_INIT();
|
|
TEST_ASSERT(mbedtls_gcm_self_test(1) == 0);
|
|
BLOCK_CIPHER_PSA_DONE();
|
|
}
|
|
/* END_CASE */
|