Crypto: Add a test for AEAD used just as authenticator
Support it only for GCM mode as it is the default mode
of Protected Storage service.
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: Ief3a5182cd918562b5c62692403882121872a00e
diff --git a/tests_reg/test/secure_fw/suites/crypto/crypto_tests_common.c b/tests_reg/test/secure_fw/suites/crypto/crypto_tests_common.c
index 19f39d4..035ef9d 100644
--- a/tests_reg/test/secure_fw/suites/crypto/crypto_tests_common.c
+++ b/tests_reg/test/secure_fw/suites/crypto/crypto_tests_common.c
@@ -3299,3 +3299,184 @@
return;
}
#endif /* TFM_CRYPTO_TEST_ALG_RSASSA_PSS_VERIFICATION */
+
+#ifdef TFM_CRYPTO_TEST_ALG_GCM
+static const uint8_t iv_tag_auth_test[][12] = {
+ {0x87, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, /* Valid set */
+ {0x8a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0} /* Invalid set */
+};
+
+static const uint8_t cipher_tag_auth_test[][16] = {
+ {0x60, 0x9b, 0x3d, 0x51, 0x91, 0x60, 0x8, 0x17,
+ 0x82, 0xec, 0x63, 0x21, 0x3a, 0x4, 0xdc, 0x93}, /* Valid set */
+ {0xaa, 0x96, 0xcf, 0xb4, 0x68, 0xe5, 0x4, 0x91,
+ 0x52, 0x50, 0x59, 0xa, 0xab, 0x1a, 0xe9, 0x1b} /* Invalid set */
+};
+
+static const uint8_t add_tag_auth_test[][364] = {
+ {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcf, 0xf, 0xf2, 0x63, 0xb0, 0x1b, 0xa7, 0x28,
+ 0xfa, 0x46, 0xbd, 0x8d, 0x42, 0x34, 0xbb, 0x83, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0xba, 0xb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, 0x1d, 0x9c, 0x36, 0x16, 0x84, 0x34, 0x91,
+ 0x8d, 0x2f, 0xf3, 0xf8, 0x27, 0xe5, 0x36, 0xc4, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0xba, 0xb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7d, 0x0, 0x0, 0x0},
+ {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcf, 0xf, 0xf2, 0x63, 0xb0, 0x1b, 0xa7, 0x28,
+ 0xfa, 0x46, 0xbd, 0x8d, 0x42, 0x34, 0xbb, 0x83, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0xba, 0xb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xed, 0x58, 0x8f, 0xa4, 0x87, 0x90, 0xe2, 0xf7,
+ 0xca, 0x0, 0x2d, 0x9b, 0x93, 0x1f, 0x9, 0x66, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0xba, 0xb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0}
+};
+
+int psa_aead_as_authenticator_test(psa_algorithm_t alg)
+{
+ psa_status_t status;
+ psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_id_t key_id = PSA_KEY_ID_NULL;
+ const uint8_t key[] = {
+ 0xc8, 0x8b, 0x74, 0xc6,
+ 0x24, 0x50, 0xee, 0xd8,
+ 0xe9, 0x22, 0xd, 0x98,
+ 0x3a, 0x11, 0xc6, 0x1,
+ };
+ size_t out_len;
+ uint8_t ref[16]; size_t ref_size;
+ int ret = 0;
+
+ if (alg != PSA_ALG_GCM) {
+ TEST_LOG("Authenticator test supports only PSA_ALG_GCM: Skipping...\r\n");
+ return 0;
+ }
+
+ /* import key */
+ psa_set_key_usage_flags(&attr, PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT);
+ psa_set_key_algorithm(&attr, alg);
+ psa_set_key_type(&attr, PSA_KEY_TYPE_AES);
+
+ status = psa_import_key(&attr, key, sizeof(key), &key_id);
+ if (status != PSA_SUCCESS) {
+ TEST_LOG("Unable to import the key\r\n");
+ return 1;
+ }
+
+ /* Create the reference for set 0 (valid set) */
+ status = psa_aead_encrypt(key_id, alg,
+ iv_tag_auth_test[0], sizeof(iv_tag_auth_test[0]),
+ add_tag_auth_test[0], sizeof(add_tag_auth_test[0]),
+ NULL, 0,
+ ref, sizeof(ref), &ref_size);
+ if (status != PSA_SUCCESS) {
+ TEST_LOG("Unable to create the reference tag for the valid set\r\n");
+ ret = 1;
+ goto destroy_key;
+ } else {
+ TEST_LOG("REF(0)TAG: ");
+ for (int i=0; i<ref_size; i++)
+ TEST_LOG("0x%x, ", ref[i]);
+ TEST_LOG("\r\n");
+ }
+
+ /* Validate the provided tag for set 0 */
+ status = psa_aead_decrypt(key_id, alg,
+ iv_tag_auth_test[0], sizeof(iv_tag_auth_test[0]),
+ add_tag_auth_test[0], sizeof(add_tag_auth_test[0]),
+ cipher_tag_auth_test[0], sizeof(cipher_tag_auth_test[0]),
+ NULL, 0, &out_len);
+ if (status != PSA_SUCCESS) {
+ TEST_LOG("status with test0 is %d\r\n", status);
+ return 1;
+ }
+
+ /* Validate the reference tag for set 0 */
+ status = psa_aead_decrypt(key_id, alg,
+ iv_tag_auth_test[0], sizeof(iv_tag_auth_test[0]),
+ add_tag_auth_test[0], sizeof(add_tag_auth_test[0]),
+ ref, ref_size,
+ NULL, 0, &out_len);
+ if (status != PSA_SUCCESS) {
+ TEST_LOG("status with ref0 is %d\r\n", status);
+ return 1;
+ }
+
+ /* Create the reference for set 1 (invalid set) */
+ status = psa_aead_encrypt(
+ key_id, alg,
+ iv_tag_auth_test[1], sizeof(iv_tag_auth_test[1]),
+ add_tag_auth_test[1], sizeof(add_tag_auth_test[1]),
+ NULL, 0,
+ ref, sizeof(ref), &ref_size);
+ if (status != PSA_SUCCESS) {
+ TEST_LOG("Unable to create the reference tag for the invalid set\r\n");
+ ret = 1;
+ goto destroy_key;
+ } else {
+ TEST_LOG("REF(1)TAG: ");
+ for (int i=0; i<ref_size; i++)
+ TEST_LOG("0x%x, ", ref[i]);
+ TEST_LOG("\r\n");
+ }
+
+ /* Validate the provided tag for set 1 */
+ status = psa_aead_decrypt(
+ key_id, alg,
+ iv_tag_auth_test[1], sizeof(iv_tag_auth_test[1]),
+ add_tag_auth_test[1], sizeof(add_tag_auth_test[1]),
+ cipher_tag_auth_test[1], sizeof(cipher_tag_auth_test[1]),
+ NULL, 0, &out_len);
+ if (status != PSA_ERROR_INVALID_SIGNATURE) {
+ TEST_LOG("status with test1 is %d\r\n", status);
+ ret = 1;
+ }
+
+ /* Validate the reference tag for set 1 */
+ status = psa_aead_decrypt(
+ key_id, alg,
+ iv_tag_auth_test[1], sizeof(iv_tag_auth_test[1]),
+ add_tag_auth_test[1], sizeof(add_tag_auth_test[1]),
+ ref, ref_size,
+ NULL, 0, &out_len);
+ if (status != PSA_SUCCESS) {
+ TEST_LOG("status with ref1 is %d\r\n", status);
+ ret = 1;
+ }
+
+destroy_key:
+ psa_destroy_key(key_id);
+
+ return ret;
+}
+#endif /* TFM_CRYPTO_TEST_ALG_GCM */
diff --git a/tests_reg/test/secure_fw/suites/crypto/crypto_tests_common.h b/tests_reg/test/secure_fw/suites/crypto/crypto_tests_common.h
index fb7ce0e..8a6588b 100644
--- a/tests_reg/test/secure_fw/suites/crypto/crypto_tests_common.h
+++ b/tests_reg/test/secure_fw/suites/crypto/crypto_tests_common.h
@@ -317,6 +317,18 @@
*/
void psa_verify_rsassa_pss_test(struct test_result_t *ret);
+/**
+ * @brief Test for using an AEAD algorithm as authenticator only
+ *
+ * @note Currently supports only PSA_ALG_GCM as to mirror the usage
+ * of it done by default by the Protected Storage service
+ *
+ * @param[in] alg The AEAD algorithm to be tested
+ *
+ * @return int 0 if no errors, 1 otherwise
+ */
+int psa_aead_as_authenticator_test(psa_algorithm_t alg);
+
#ifdef __cplusplus
}
#endif
diff --git a/tests_reg/test/secure_fw/suites/crypto/non_secure/crypto_ns_interface_testsuite.c b/tests_reg/test/secure_fw/suites/crypto/non_secure/crypto_ns_interface_testsuite.c
index bfc4267..79b51da 100644
--- a/tests_reg/test/secure_fw/suites/crypto/non_secure/crypto_ns_interface_testsuite.c
+++ b/tests_reg/test/secure_fw/suites/crypto/non_secure/crypto_ns_interface_testsuite.c
@@ -108,6 +108,9 @@
#ifdef TFM_CRYPTO_TEST_ALG_RSASSA_PSS_VERIFICATION
static void tfm_crypto_test_1050(struct test_result_t *ret);
#endif /* TFM_CRYPTO_TEST_ALG_RSASSA_PSS_VERIFICATION */
+#ifdef TFM_CRYPTO_TEST_ALG_GCM
+static void tfm_crypto_test_1054(struct test_result_t *ret);
+#endif /* TFM_CRYPTO_TEST_ALG_GCM */
static struct test_t crypto_tests[] = {
{&tfm_crypto_test_1001, "TFM_NS_CRYPTO_TEST_1001",
@@ -254,6 +257,10 @@
{&tfm_crypto_test_1052, "TFM_NS_CRYPTO_TEST_1052",
"Non Secure RFC7539 verification on Chacha20-Poly1305"},
#endif /* TFM_CRYPTO_TEST_ALG_CHACHA20_POLY1305 */
+#ifdef TFM_CRYPTO_TEST_ALG_GCM
+ {&tfm_crypto_test_1054, "TFM_S_CRYPTO_TEST_1054",
+ "Non Secure GCM authenticator"},
+#endif /* TFM_CRYPTO_TEST_ALG_GCM */
};
void register_testsuite_ns_crypto_interface(struct test_suite_t *p_test_suite)
@@ -559,3 +566,14 @@
psa_verify_rsassa_pss_test(ret);
}
#endif /* TFM_CRYPTO_TEST_ALG_RSASSA_PSS_VERIFICATION */
+
+#ifdef TFM_CRYPTO_TEST_ALG_GCM
+static void tfm_crypto_test_1054(struct test_result_t *ret)
+{
+ if (!psa_aead_as_authenticator_test(PSA_ALG_GCM)) {
+ ret->val = TEST_PASSED;
+ } else {
+ ret->val = TEST_FAILED;
+ }
+}
+#endif /* TFM_CRYPTO_TEST_ALG_GCM */
diff --git a/tests_reg/test/secure_fw/suites/crypto/secure/crypto_sec_interface_testsuite.c b/tests_reg/test/secure_fw/suites/crypto/secure/crypto_sec_interface_testsuite.c
index 6ac2433..b156969 100644
--- a/tests_reg/test/secure_fw/suites/crypto/secure/crypto_sec_interface_testsuite.c
+++ b/tests_reg/test/secure_fw/suites/crypto/secure/crypto_sec_interface_testsuite.c
@@ -110,6 +110,9 @@
#ifdef TFM_CRYPTO_TEST_ALG_RSASSA_PSS_VERIFICATION
static void tfm_crypto_test_1053(struct test_result_t *ret);
#endif /* TFM_CRYPTO_TEST_ALG_RSASSA_PSS_VERIFICATION */
+#ifdef TFM_CRYPTO_TEST_ALG_GCM
+static void tfm_crypto_test_1055(struct test_result_t *ret);
+#endif /* TFM_CRYPTO_TEST_ALG_GCM */
static struct test_t crypto_tests[] = {
{&tfm_crypto_test_1001, "TFM_S_CRYPTO_TEST_1001",
@@ -258,6 +261,10 @@
{&tfm_crypto_test_1053, "TFM_S_CRYPTO_TEST_1053",
"Secure RSASSA-PSS signature verification (RSASSA-PSS-SHA256)"},
#endif /* TFM_CRYPTO_TEST_ALG_RSASSA_PSS_VERIFICATION */
+#ifdef TFM_CRYPTO_TEST_ALG_GCM
+ {&tfm_crypto_test_1055, "TFM_S_CRYPTO_TEST_1055",
+ "Secure GCM authenticator"},
+#endif /* TFM_CRYPTO_TEST_ALG_GCM */
};
void register_testsuite_s_crypto_interface(struct test_suite_t *p_test_suite)
@@ -603,3 +610,14 @@
psa_verify_rsassa_pss_test(ret);
}
#endif /* TFM_CRYPTO_TEST_ALG_RSASSA_PSS_VERIFICATION */
+
+#ifdef TFM_CRYPTO_TEST_ALG_GCM
+static void tfm_crypto_test_1055(struct test_result_t *ret)
+{
+ if (!psa_aead_as_authenticator_test(PSA_ALG_GCM)) {
+ ret->val = TEST_PASSED;
+ } else {
+ ret->val = TEST_FAILED;
+ }
+}
+#endif /* TFM_CRYPTO_TEST_ALG_GCM */