TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls.git / HEAD / . / tests / suites / test_suite_gcm.function
blob: 43c11c3d00429697b638e4101c47eae2da4cd19c [file] [log] [blame]
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]1/* BEGIN_HEADER */
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]2#include "mbedtls/gcm.h"
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]3
4/* Use the multipart interface to process the encrypted data in two parts
5 * and check that the output matches the expected output.
6 * The context must have been set up with the key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]7static int check_multipart(mbedtls_gcm_context *ctx,
8 int mode,
9 const data_t *iv,
10 const data_t *add,
11 const data_t *input,
12 const data_t *expected_output,
13 const data_t *tag,
14 size_t n1,
15 size_t n1_add)
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]16{
17 int ok = 0;
18 uint8_t *output = NULL;
19 size_t n2 = input->len - n1;
Mateusz Starzyk658f4fd2021-05-26 14:26:48 +0200[diff] [blame]20 size_t n2_add = add->len - n1_add;
Gilles Peskinea56c4482021-04-15 17:22:35 +0200[diff] [blame]21 size_t olen;
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]22
23 /* Sanity checks on the test data */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]24 TEST_ASSERT(n1 <= input->len);
25 TEST_ASSERT(n1_add <= add->len);
26 TEST_EQUAL(input->len, expected_output->len);
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]27
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]28 TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode,
29 iv->x, iv->len));
30 TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, add->x, n1_add));
31 TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, add->x + n1_add, n2_add));
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]32
33 /* Allocate a tight buffer for each update call. This way, if the function
34 * tries to write beyond the advertised required buffer size, this will
35 * count as an overflow for memory sanitizers and static checkers. */
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100[diff] [blame]36 TEST_CALLOC(output, n1);
Gilles Peskinea56c4482021-04-15 17:22:35 +0200[diff] [blame]37 olen = 0xdeadbeef;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]38 TEST_EQUAL(0, mbedtls_gcm_update(ctx, input->x, n1, output, n1, &olen));
39 TEST_EQUAL(n1, olen);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100[diff] [blame]40 TEST_MEMORY_COMPARE(output, olen, expected_output->x, n1);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]41 mbedtls_free(output);
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]42 output = NULL;
43
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100[diff] [blame]44 TEST_CALLOC(output, n2);
Gilles Peskinea56c4482021-04-15 17:22:35 +0200[diff] [blame]45 olen = 0xdeadbeef;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]46 TEST_EQUAL(0, mbedtls_gcm_update(ctx, input->x + n1, n2, output, n2, &olen));
47 TEST_EQUAL(n2, olen);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100[diff] [blame]48 TEST_MEMORY_COMPARE(output, olen, expected_output->x + n1, n2);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]49 mbedtls_free(output);
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]50 output = NULL;
51
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100[diff] [blame]52 TEST_CALLOC(output, tag->len);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]53 TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen, output, tag->len));
54 TEST_EQUAL(0, olen);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100[diff] [blame]55 TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]56 mbedtls_free(output);
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]57 output = NULL;
58
59 ok = 1;
60exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]61 mbedtls_free(output);
62 return ok;
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]63}
64
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65static void check_cipher_with_empty_ad(mbedtls_gcm_context *ctx,
66 int mode,
67 const data_t *iv,
68 const data_t *input,
69 const data_t *expected_output,
70 const data_t *tag,
71 size_t ad_update_count)
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]72{
73 size_t n;
74 uint8_t *output = NULL;
75 size_t olen;
76
77 /* Sanity checks on the test data */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]78 TEST_EQUAL(input->len, expected_output->len);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]79
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]80 TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode,
81 iv->x, iv->len));
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]82
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]83 for (n = 0; n < ad_update_count; n++) {
84 TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, NULL, 0));
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]85 }
86
87 /* Allocate a tight buffer for each update call. This way, if the function
88 * tries to write beyond the advertised required buffer size, this will
89 * count as an overflow for memory sanitizers and static checkers. */
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100[diff] [blame]90 TEST_CALLOC(output, input->len);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]91 olen = 0xdeadbeef;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]92 TEST_EQUAL(0, mbedtls_gcm_update(ctx, input->x, input->len, output, input->len, &olen));
93 TEST_EQUAL(input->len, olen);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100[diff] [blame]94 TEST_MEMORY_COMPARE(output, olen, expected_output->x, input->len);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]95 mbedtls_free(output);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]96 output = NULL;
97
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100[diff] [blame]98 TEST_CALLOC(output, tag->len);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]99 TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen, output, tag->len));
100 TEST_EQUAL(0, olen);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100[diff] [blame]101 TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]102
103exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]104 mbedtls_free(output);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]105}
106
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]107static void check_empty_cipher_with_ad(mbedtls_gcm_context *ctx,
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]108 int mode,
109 const data_t *iv,
110 const data_t *add,
111 const data_t *tag,
112 size_t cipher_update_count)
113{
114 size_t olen;
115 size_t n;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]116 uint8_t *output_tag = NULL;
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]117
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]118 TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode, iv->x, iv->len));
119 TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, add->x, add->len));
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]120
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]121 for (n = 0; n < cipher_update_count; n++) {
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]122 olen = 0xdeadbeef;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]123 TEST_EQUAL(0, mbedtls_gcm_update(ctx, NULL, 0, NULL, 0, &olen));
124 TEST_EQUAL(0, olen);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]125 }
126
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100[diff] [blame]127 TEST_CALLOC(output_tag, tag->len);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]128 TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen,
129 output_tag, tag->len));
130 TEST_EQUAL(0, olen);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100[diff] [blame]131 TEST_MEMORY_COMPARE(output_tag, tag->len, tag->x, tag->len);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]132
133exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]134 mbedtls_free(output_tag);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]135}
136
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]137static void check_no_cipher_no_ad(mbedtls_gcm_context *ctx,
138 int mode,
139 const data_t *iv,
140 const data_t *tag)
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]141{
142 uint8_t *output = NULL;
Gilles Peskine5a7be102021-06-23 21:51:32 +0200[diff] [blame]143 size_t olen = 0;
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]145 TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode,
146 iv->x, iv->len));
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100[diff] [blame]147 TEST_CALLOC(output, tag->len);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]148 TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen, output, tag->len));
149 TEST_EQUAL(0, olen);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100[diff] [blame]150 TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len);
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]151
152exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]153 mbedtls_free(output);
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]154}
155
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]156static void gcm_reset_ctx(mbedtls_gcm_context *ctx, const uint8_t *key,
157 size_t key_bits, const uint8_t *iv, size_t iv_len,
158 int starts_ret)
159{
160 int mode = MBEDTLS_GCM_ENCRYPT;
161 mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES;
162
163 mbedtls_gcm_init(ctx);
164 TEST_EQUAL(mbedtls_gcm_setkey(ctx, valid_cipher, key, key_bits), 0);
165 TEST_EQUAL(starts_ret, mbedtls_gcm_starts(ctx, mode, iv, iv_len));
166exit:
167 /* empty */
Dave Rodgman68232472024-01-31 15:59:06 +0000[diff] [blame]168 return;
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]169}
170
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]171/* END_HEADER */
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]172
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]173/* BEGIN_DEPENDENCIES
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]174 * depends_on:MBEDTLS_GCM_C
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]175 * END_DEPENDENCIES
176 */
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]177
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]178/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]179void gcm_bad_parameters(int cipher_id, int direction,
180 data_t *key_str, data_t *src_str,
181 data_t *iv_str, data_t *add_str,
182 int tag_len_bits, int gcm_result)
Ron Eldor5a21fd62016-12-16 16:15:56 +0200[diff] [blame]183{
Ron Eldor5a21fd62016-12-16 16:15:56 +0200[diff] [blame]184 unsigned char output[128];
185 unsigned char tag_output[16];
186 mbedtls_gcm_context ctx;
Azim Khan317efe82017-08-02 17:33:54 +0100[diff] [blame]187 size_t tag_len = tag_len_bits / 8;
Ron Eldor5a21fd62016-12-16 16:15:56 +0200[diff] [blame]188
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]189 BLOCK_CIPHER_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]190 mbedtls_gcm_init(&ctx);
Ron Eldor5a21fd62016-12-16 16:15:56 +0200[diff] [blame]191
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]192 memset(output, 0x00, sizeof(output));
193 memset(tag_output, 0x00, sizeof(tag_output));
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]194
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]195 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
196 TEST_ASSERT(mbedtls_gcm_crypt_and_tag(&ctx, direction, src_str->len, iv_str->x, iv_str->len,
197 add_str->x, add_str->len, src_str->x, output, tag_len,
198 tag_output) == gcm_result);
Ron Eldor5a21fd62016-12-16 16:15:56 +0200[diff] [blame]199
200exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]201 mbedtls_gcm_free(&ctx);
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]202 BLOCK_CIPHER_PSA_DONE();
Ron Eldor5a21fd62016-12-16 16:15:56 +0200[diff] [blame]203}
204/* END_CASE */
205
206/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]207void gcm_encrypt_and_tag(int cipher_id, data_t *key_str,
208 data_t *src_str, data_t *iv_str,
209 data_t *add_str, data_t *dst,
210 int tag_len_bits, data_t *tag,
211 int init_result)
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]212{
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]213 unsigned char output[128];
214 unsigned char tag_output[16];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]215 mbedtls_gcm_context ctx;
Azim Khanf1aaec92017-05-30 14:23:15 +0100[diff] [blame]216 size_t tag_len = tag_len_bits / 8;
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]217 size_t n1;
Mateusz Starzykaf4ecdd2021-06-15 15:29:48 +0200[diff] [blame]218 size_t n1_add;
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]219
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]220 BLOCK_CIPHER_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]221 mbedtls_gcm_init(&ctx);
Manuel Pégourié-Gonnardc34e8dd2015-04-28 21:42:17 +0200[diff] [blame]222
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]223 memset(output, 0x00, 128);
224 memset(tag_output, 0x00, 16);
225
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]226
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]227 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result);
228 if (init_result == 0) {
229 TEST_ASSERT(mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT, src_str->len, iv_str->x,
230 iv_str->len, add_str->x, add_str->len, src_str->x,
231 output, tag_len, tag_output) == 0);
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]232
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100[diff] [blame]233 TEST_MEMORY_COMPARE(output, src_str->len, dst->x, dst->len);
234 TEST_MEMORY_COMPARE(tag_output, tag_len, tag->x, tag->len);
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]235
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]236 for (n1 = 0; n1 <= src_str->len; n1 += 1) {
237 for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) {
238 mbedtls_test_set_step(n1 * 10000 + n1_add);
239 if (!check_multipart(&ctx, MBEDTLS_GCM_ENCRYPT,
240 iv_str, add_str, src_str,
241 dst, tag,
242 n1, n1_add)) {
Mateusz Starzykaf4ecdd2021-06-15 15:29:48 +0200[diff] [blame]243 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]244 }
Mateusz Starzykaf4ecdd2021-06-15 15:29:48 +0200[diff] [blame]245 }
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]246 }
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]247 }
Manuel Pégourié-Gonnard4fe92002013-09-13 13:45:58 +0200[diff] [blame]248
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]249exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]250 mbedtls_gcm_free(&ctx);
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]251 BLOCK_CIPHER_PSA_DONE();
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]252}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]253/* END_CASE */
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]254
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]255/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]256void gcm_decrypt_and_verify(int cipher_id, data_t *key_str,
257 data_t *src_str, data_t *iv_str,
258 data_t *add_str, int tag_len_bits,
259 data_t *tag_str, char *result,
260 data_t *pt_result, int init_result)
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]261{
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]262 unsigned char output[128];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]263 mbedtls_gcm_context ctx;
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]264 int ret;
Azim Khanf1aaec92017-05-30 14:23:15 +0100[diff] [blame]265 size_t tag_len = tag_len_bits / 8;
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]266 size_t n1;
Mateusz Starzykaf4ecdd2021-06-15 15:29:48 +0200[diff] [blame]267 size_t n1_add;
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]268
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]269 BLOCK_CIPHER_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]270 mbedtls_gcm_init(&ctx);
Manuel Pégourié-Gonnardc34e8dd2015-04-28 21:42:17 +0200[diff] [blame]271
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]272 memset(output, 0x00, 128);
273
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]274
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]275 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result);
276 if (init_result == 0) {
277 ret = mbedtls_gcm_auth_decrypt(&ctx,
278 src_str->len,
279 iv_str->x,
280 iv_str->len,
281 add_str->x,
282 add_str->len,
283 tag_str->x,
284 tag_len,
285 src_str->x,
286 output);
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]287
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]288 if (strcmp("FAIL", result) == 0) {
289 TEST_ASSERT(ret == MBEDTLS_ERR_GCM_AUTH_FAILED);
290 } else {
291 TEST_ASSERT(ret == 0);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100[diff] [blame]292 TEST_MEMORY_COMPARE(output, src_str->len, pt_result->x, pt_result->len);
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]293
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]294 for (n1 = 0; n1 <= src_str->len; n1 += 1) {
295 for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) {
296 mbedtls_test_set_step(n1 * 10000 + n1_add);
297 if (!check_multipart(&ctx, MBEDTLS_GCM_DECRYPT,
298 iv_str, add_str, src_str,
299 pt_result, tag_str,
300 n1, n1_add)) {
Mateusz Starzykaf4ecdd2021-06-15 15:29:48 +0200[diff] [blame]301 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]302 }
Mateusz Starzykaf4ecdd2021-06-15 15:29:48 +0200[diff] [blame]303 }
Gilles Peskine36dd93e2021-04-13 13:02:03 +0200[diff] [blame]304 }
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]305 }
306 }
Manuel Pégourié-Gonnard4fe92002013-09-13 13:45:58 +0200[diff] [blame]307
Paul Bakkerbd51b262014-07-10 15:26:12 +0200[diff] [blame]308exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]309 mbedtls_gcm_free(&ctx);
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]310 BLOCK_CIPHER_PSA_DONE();
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]311}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]312/* END_CASE */
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]313
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]314/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]315void gcm_decrypt_and_verify_empty_cipher(int cipher_id,
316 data_t *key_str,
317 data_t *iv_str,
318 data_t *add_str,
319 data_t *tag_str,
320 int cipher_update_calls)
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]321{
322 mbedtls_gcm_context ctx;
323
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]324 BLOCK_CIPHER_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]325 mbedtls_gcm_init(&ctx);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]326
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]327 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
328 check_empty_cipher_with_ad(&ctx, MBEDTLS_GCM_DECRYPT,
329 iv_str, add_str, tag_str,
330 cipher_update_calls);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]331
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]332 mbedtls_gcm_free(&ctx);
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]333 BLOCK_CIPHER_PSA_DONE();
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]334}
335/* END_CASE */
336
337/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]338void gcm_decrypt_and_verify_empty_ad(int cipher_id,
339 data_t *key_str,
340 data_t *iv_str,
341 data_t *src_str,
342 data_t *tag_str,
343 data_t *pt_result,
344 int ad_update_calls)
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]345{
346 mbedtls_gcm_context ctx;
347
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]348 BLOCK_CIPHER_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]349 mbedtls_gcm_init(&ctx);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]350
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]351 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
352 check_cipher_with_empty_ad(&ctx, MBEDTLS_GCM_DECRYPT,
353 iv_str, src_str, pt_result, tag_str,
354 ad_update_calls);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]355
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]356 mbedtls_gcm_free(&ctx);
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]357 BLOCK_CIPHER_PSA_DONE();
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]358}
359/* END_CASE */
360
361/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]362void gcm_decrypt_and_verify_no_ad_no_cipher(int cipher_id,
363 data_t *key_str,
364 data_t *iv_str,
365 data_t *tag_str)
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]366{
367 mbedtls_gcm_context ctx;
368
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]369 BLOCK_CIPHER_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]370 mbedtls_gcm_init(&ctx);
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]371
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]372 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
373 check_no_cipher_no_ad(&ctx, MBEDTLS_GCM_DECRYPT,
374 iv_str, tag_str);
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]375
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]376 mbedtls_gcm_free(&ctx);
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]377 BLOCK_CIPHER_PSA_DONE();
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]378}
379/* END_CASE */
380
381/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]382void gcm_encrypt_and_tag_empty_cipher(int cipher_id,
383 data_t *key_str,
384 data_t *iv_str,
385 data_t *add_str,
386 data_t *tag_str,
387 int cipher_update_calls)
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]388{
389 mbedtls_gcm_context ctx;
390
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]391 BLOCK_CIPHER_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]392 mbedtls_gcm_init(&ctx);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]393
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]394 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
395 check_empty_cipher_with_ad(&ctx, MBEDTLS_GCM_ENCRYPT,
396 iv_str, add_str, tag_str,
397 cipher_update_calls);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]398
399exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 mbedtls_gcm_free(&ctx);
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]401 BLOCK_CIPHER_PSA_DONE();
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]402}
403/* END_CASE */
404
405/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406void gcm_encrypt_and_tag_empty_ad(int cipher_id,
407 data_t *key_str,
408 data_t *iv_str,
409 data_t *src_str,
410 data_t *dst,
411 data_t *tag_str,
412 int ad_update_calls)
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]413{
414 mbedtls_gcm_context ctx;
415
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]416 BLOCK_CIPHER_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]417 mbedtls_gcm_init(&ctx);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]418
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]419 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
420 check_cipher_with_empty_ad(&ctx, MBEDTLS_GCM_ENCRYPT,
421 iv_str, src_str, dst, tag_str,
422 ad_update_calls);
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]423
424exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]425 mbedtls_gcm_free(&ctx);
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]426 BLOCK_CIPHER_PSA_DONE();
Mateusz Starzykfc606222021-06-16 11:04:07 +0200[diff] [blame]427}
428/* END_CASE */
429
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]430/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]431void gcm_encrypt_and_verify_no_ad_no_cipher(int cipher_id,
432 data_t *key_str,
433 data_t *iv_str,
434 data_t *tag_str)
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]435{
436 mbedtls_gcm_context ctx;
437
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]438 BLOCK_CIPHER_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]439 mbedtls_gcm_init(&ctx);
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]440
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]441 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
442 check_no_cipher_no_ad(&ctx, MBEDTLS_GCM_ENCRYPT,
443 iv_str, tag_str);
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]444
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]445 mbedtls_gcm_free(&ctx);
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]446 BLOCK_CIPHER_PSA_DONE();
Mateusz Starzyk469c9f32021-06-18 00:06:52 +0200[diff] [blame]447}
448/* END_CASE */
449
Tuvshinzaya Erdenekhuu104eb7f2022-07-29 14:48:21 +0100[diff] [blame]450/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]451void gcm_invalid_param()
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]452{
453 mbedtls_gcm_context ctx;
454 unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
455 mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES;
Ronald Cron875b5fb2021-05-21 08:50:00 +0200[diff] [blame]456 int invalid_bitlen = 1;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458 mbedtls_gcm_init(&ctx);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]459
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]460 /* mbedtls_gcm_setkey */
Ronald Cron875b5fb2021-05-21 08:50:00 +0200[diff] [blame]461 TEST_EQUAL(
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]462 MBEDTLS_ERR_GCM_BAD_INPUT,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]463 mbedtls_gcm_setkey(&ctx, valid_cipher, valid_buffer, invalid_bitlen));
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]464
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]465exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]466 mbedtls_gcm_free(&ctx);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]467}
468/* END_CASE */
469
Mateusz Starzykc48f43b2021-10-04 13:46:38 +0200[diff] [blame]470/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]471void gcm_update_output_buffer_too_small(int cipher_id, int mode,
472 data_t *key_str, const data_t *input,
473 const data_t *iv)
Mateusz Starzykc48f43b2021-10-04 13:46:38 +0200[diff] [blame]474{
475 mbedtls_gcm_context ctx;
476 uint8_t *output = NULL;
Mateusz Starzyk33d01ff2021-10-21 14:55:59 +0200[diff] [blame]477 size_t olen = 0;
Mateusz Starzykc48f43b2021-10-04 13:46:38 +0200[diff] [blame]478 size_t output_len = input->len - 1;
479
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]480 BLOCK_CIPHER_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]481 mbedtls_gcm_init(&ctx);
482 TEST_EQUAL(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8), 0);
483 TEST_EQUAL(0, mbedtls_gcm_starts(&ctx, mode, iv->x, iv->len));
Mateusz Starzykc48f43b2021-10-04 13:46:38 +0200[diff] [blame]484
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100[diff] [blame]485 TEST_CALLOC(output, output_len);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]486 TEST_EQUAL(MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL,
487 mbedtls_gcm_update(&ctx, input->x, input->len, output, output_len, &olen));
Mateusz Starzykc48f43b2021-10-04 13:46:38 +0200[diff] [blame]488
489exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]490 mbedtls_free(output);
491 mbedtls_gcm_free(&ctx);
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]492 BLOCK_CIPHER_PSA_DONE();
Mateusz Starzykc48f43b2021-10-04 13:46:38 +0200[diff] [blame]493}
494/* END_CASE */
495
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]496/* BEGIN_CASE */
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]497/* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of IV should
498 * satisfy 1 <= bit_len(IV) <= 2^64 - 1. */
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]499void gcm_invalid_iv_len(void)
500{
501 mbedtls_gcm_context ctx;
Dave Rodgman12285c52024-02-02 17:52:41 +0000[diff] [blame]502 mbedtls_gcm_init(&ctx);
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]503 uint8_t b16[16] = { 0 };
504
Dave Rodgman12285c52024-02-02 17:52:41 +0000[diff] [blame]505 BLOCK_CIPHER_PSA_INIT();
506
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]507 // Invalid IV length 0
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]508 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 0, MBEDTLS_ERR_GCM_BAD_INPUT);
509 mbedtls_gcm_free(&ctx);
510
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]511 // Only testable on platforms where sizeof(size_t) >= 8.
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]512#if SIZE_MAX >= UINT64_MAX
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]513 // Invalid IV length 2^61
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]514 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 1ULL << 61, MBEDTLS_ERR_GCM_BAD_INPUT);
515 mbedtls_gcm_free(&ctx);
516#endif
517
518 goto exit; /* To suppress error that exit is defined but not used */
519exit:
Dave Rodgman12285c52024-02-02 17:52:41 +0000[diff] [blame]520 mbedtls_gcm_free(&ctx);
521 BLOCK_CIPHER_PSA_DONE();
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]522}
523/* END_CASE */
524
525/* BEGIN_CASE */
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]526void gcm_add_len_too_long(void)
527{
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]528 // Only testable on platforms where sizeof(size_t) >= 8.
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]529#if SIZE_MAX >= UINT64_MAX
530 mbedtls_gcm_context ctx;
Dave Rodgman12285c52024-02-02 17:52:41 +0000[diff] [blame]531 mbedtls_gcm_init(&ctx);
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]532 uint8_t b16[16] = { 0 };
Dave Rodgman12285c52024-02-02 17:52:41 +0000[diff] [blame]533 BLOCK_CIPHER_PSA_INIT();
534
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]535 /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of AD should
536 * be <= 2^64 - 1, ie < 2^64. This is the minimum invalid length in bytes. */
537 uint64_t len_max = 1ULL << 61;
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]538
539 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]540 // Feed AD that just exceeds the length limit
541 TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max),
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]542 MBEDTLS_ERR_GCM_BAD_INPUT);
543 mbedtls_gcm_free(&ctx);
544
545 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]546 // Feed AD that just exceeds the length limit in two calls
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]547 TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0);
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]548 TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max - 1),
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]549 MBEDTLS_ERR_GCM_BAD_INPUT);
550 mbedtls_gcm_free(&ctx);
551
552 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]553 // Test if potential total AD length overflow is handled properly
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]554 TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0);
555 TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, UINT64_MAX), MBEDTLS_ERR_GCM_BAD_INPUT);
556
557exit:
558 mbedtls_gcm_free(&ctx);
Dave Rodgman12285c52024-02-02 17:52:41 +0000[diff] [blame]559 BLOCK_CIPHER_PSA_DONE();
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]560#endif
561}
562/* END_CASE */
563
564/* BEGIN_CASE */
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]565void gcm_input_len_too_long(void)
566{
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]567 // Only testable on platforms where sizeof(size_t) >= 8
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]568#if SIZE_MAX >= UINT64_MAX
569 mbedtls_gcm_context ctx;
570 uint8_t b16[16] = { 0 };
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]571 uint8_t out[1];
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]572 size_t out_len;
Dave Rodgman12285c52024-02-02 17:52:41 +0000[diff] [blame]573 mbedtls_gcm_init(&ctx);
574 BLOCK_CIPHER_PSA_INIT();
575
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]576 /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of input should
577 * be <= 2^39 - 256. This is the maximum valid length in bytes. */
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]578 uint64_t len_max = (1ULL << 36) - 32;
579
580 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]581 // Feed input that just exceeds the length limit
582 TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max + 1, out, len_max + 1,
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]583 &out_len),
584 MBEDTLS_ERR_GCM_BAD_INPUT);
585 mbedtls_gcm_free(&ctx);
586
587 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]588 // Feed input that just exceeds the length limit in two calls
589 TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0);
Chien Wongef567952024-01-25 19:22:50 +0800[diff] [blame]590 TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max, out, len_max, &out_len),
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]591 MBEDTLS_ERR_GCM_BAD_INPUT);
592 mbedtls_gcm_free(&ctx);
593
594 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
Chien Wong92c17c42024-01-25 19:11:03 +0800[diff] [blame]595 // Test if potential total input length overflow is handled properly
596 TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0);
597 TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, UINT64_MAX, out, UINT64_MAX,
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]598 &out_len),
599 MBEDTLS_ERR_GCM_BAD_INPUT);
600
601exit:
602 mbedtls_gcm_free(&ctx);
Dave Rodgman12285c52024-02-02 17:52:41 +0000[diff] [blame]603 BLOCK_CIPHER_PSA_DONE();
Chien Wong99ff1f52024-01-24 20:44:01 +0800[diff] [blame]604#endif
605}
606/* END_CASE */
607
Harry Ramsey187fcce2024-11-07 09:26:43 +0000[diff] [blame]608/* BEGIN_CASE */
609void gcm_encrypt_input_output_buffer_overlap(int cipher_id, data_t *key_str,
610 data_t *src_str, data_t *iv_str,
611 data_t *add_str, data_t *dst,
612 int tag_len_bits, data_t *tag,
613 int init_result)
614{
615 unsigned char *buffer = NULL;
616 size_t buffer_len;
617 unsigned char tag_output[16];
618 mbedtls_gcm_context ctx;
619 size_t tag_len = tag_len_bits / 8;
620 size_t n1;
621 size_t n1_add;
622
623 BLOCK_CIPHER_PSA_INIT();
624 mbedtls_gcm_init(&ctx);
625
626 /* GCM includes padding and therefore input length can be shorter than the output length
627 * Therefore we must ensure we round up to the nearest 128-bits/16-bytes.
628 */
629 buffer_len = src_str->len;
Harry Ramseyd77207e2024-11-13 09:42:59 +0000[diff] [blame]630 if (buffer_len % 16 != 0 || buffer_len == 0) {
Harry Ramsey187fcce2024-11-07 09:26:43 +0000[diff] [blame]631 buffer_len += (16 - (buffer_len % 16));
632 }
633 TEST_CALLOC(buffer, buffer_len);
Harry Ramsey187fcce2024-11-07 09:26:43 +0000[diff] [blame]634 memcpy(buffer, src_str->x, src_str->len);
635
636 memset(tag_output, 0x00, 16);
637
638 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result);
639 if (init_result == 0) {
640 TEST_ASSERT(mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT, src_str->len, iv_str->x,
641 iv_str->len, add_str->x, add_str->len, buffer,
642 buffer, tag_len, tag_output) == 0);
643
644 TEST_MEMORY_COMPARE(buffer, src_str->len, dst->x, dst->len);
645 TEST_MEMORY_COMPARE(tag_output, tag_len, tag->x, tag->len);
646
647 for (n1 = 0; n1 <= src_str->len; n1 += 1) {
648 for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) {
649 mbedtls_test_set_step(n1 * 10000 + n1_add);
650 if (!check_multipart(&ctx, MBEDTLS_GCM_ENCRYPT,
651 iv_str, add_str, src_str,
652 dst, tag,
653 n1, n1_add)) {
654 goto exit;
655 }
656 }
657 }
658 }
659
660exit:
Harry Ramseye320b892024-11-11 15:02:26 +0000[diff] [blame]661 mbedtls_free(buffer);
Harry Ramsey187fcce2024-11-07 09:26:43 +0000[diff] [blame]662 mbedtls_gcm_free(&ctx);
663 BLOCK_CIPHER_PSA_DONE();
664}
665/* END_CASE */
666
667/* BEGIN_CASE */
668void gcm_decrypt_input_output_buffer_overlap(int cipher_id, data_t *key_str,
669 data_t *src_str, data_t *iv_str,
670 data_t *add_str, int tag_len_bits,
671 data_t *tag_str, char *result,
672 data_t *pt_result, int init_result)
673{
674 unsigned char *buffer = NULL;
675 size_t buffer_len;
676 mbedtls_gcm_context ctx;
677 int ret;
678 size_t tag_len = tag_len_bits / 8;
679 size_t n1;
680 size_t n1_add;
681
682 BLOCK_CIPHER_PSA_INIT();
683 mbedtls_gcm_init(&ctx);
684
685 /* GCM includes padding and therefore input length can be shorter than the output length
686 * Therefore we must ensure we round up to the nearest 128-bits/16-bytes.
687 */
688 buffer_len = src_str->len;
Harry Ramseyd77207e2024-11-13 09:42:59 +0000[diff] [blame]689 if (buffer_len % 16 != 0 || buffer_len == 0) {
Harry Ramsey187fcce2024-11-07 09:26:43 +0000[diff] [blame]690 buffer_len += (16 - (buffer_len % 16));
691 }
692 TEST_CALLOC(buffer, buffer_len);
Harry Ramsey187fcce2024-11-07 09:26:43 +0000[diff] [blame]693 memcpy(buffer, src_str->x, src_str->len);
694
695 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result);
696 if (init_result == 0) {
697 ret = mbedtls_gcm_auth_decrypt(&ctx,
698 src_str->len,
699 iv_str->x,
700 iv_str->len,
701 add_str->x,
702 add_str->len,
703 tag_str->x,
704 tag_len,
705 buffer,
706 buffer);
707
708 if (strcmp("FAIL", result) == 0) {
709 TEST_ASSERT(ret == MBEDTLS_ERR_GCM_AUTH_FAILED);
710 } else {
711 TEST_ASSERT(ret == 0);
712 TEST_MEMORY_COMPARE(buffer, src_str->len, pt_result->x, pt_result->len);
713
714 for (n1 = 0; n1 <= src_str->len; n1 += 1) {
715 for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) {
716 mbedtls_test_set_step(n1 * 10000 + n1_add);
717 if (!check_multipart(&ctx, MBEDTLS_GCM_DECRYPT,
718 iv_str, add_str, src_str,
719 pt_result, tag_str,
720 n1, n1_add)) {
721 goto exit;
722 }
723 }
724 }
725 }
726 }
727
728exit:
Harry Ramseye320b892024-11-11 15:02:26 +0000[diff] [blame]729 mbedtls_free(buffer);
Harry Ramsey187fcce2024-11-07 09:26:43 +0000[diff] [blame]730 mbedtls_gcm_free(&ctx);
731 BLOCK_CIPHER_PSA_DONE();
732
733}
734/* END_CASE */
735
Valerio Setti689c0f72023-12-20 09:53:39 +0100[diff] [blame]736/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_CCM_GCM_CAN_AES */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]737void gcm_selftest()
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]738{
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]739 BLOCK_CIPHER_PSA_INIT();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]740 TEST_ASSERT(mbedtls_gcm_self_test(1) == 0);
Valerio Setti10e9aa22023-12-12 11:54:20 +0100[diff] [blame]741 BLOCK_CIPHER_PSA_DONE();
Paul Bakker89e80c92012-03-20 13:50:09 +0000[diff] [blame]742}
Paul Bakker33b43f12013-08-20 11:48:36 +0200[diff] [blame]743/* END_CASE */