Constant-flow tests for mbedtls_cipher_crypt
Add some basic constant-flow tests for `mbedtls_cipher_crypt()`. We already
test auxiliary functions and functional behavior pretty thoroughly
elsewhere, so here just focus on the interesting cases for constant-flow
behavior with this specific function: encrypt, valid decrypt and
invalid-padding decrypt.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/tests/suites/test_suite_cipher.constant_time.data b/tests/suites/test_suite_cipher.constant_time.data
index af60804..7f9f4af 100644
--- a/tests/suites/test_suite_cipher.constant_time.data
+++ b/tests/suites/test_suite_cipher.constant_time.data
@@ -120,3 +120,28 @@
CF AES-256-CBC Decrypt test vector, PKCS7 (short, bad pad 17)
depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_CIPHER_PADDING_PKCS7:HAVE_CONSTANT_TIME_AES
decrypt_test_vec_cf:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_PADDING_PKCS7:"0000000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"3e536c7917a695485ef046bda7c6a3e6":"":"":"":MBEDTLS_ERR_CIPHER_INVALID_PADDING:0
+
+CF AES-128-CBC crypt Encrypt NIST KAT #4
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:HAVE_CONSTANT_TIME_AES
+test_vec_crypt_cf:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_PADDING_NONE:MBEDTLS_ENCRYPT:"00000000000000000000000000000000":"00000000000000000000000000000000":"f34481ec3cc627bacd5dc3fb08f273e6":"0336763e966d92595a567cc9ce537f5e":0:0
+
+CF AES-128-CBC crypt Decrypt NIST KAT #4
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:HAVE_CONSTANT_TIME_AES
+test_vec_crypt_cf:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_PADDING_NONE:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"00000000000000000000000000000000":"0336763e966d92595a567cc9ce537f5e":"f34481ec3cc627bacd5dc3fb08f273e6":0:0
+
+CF AES-128-CBC crypt Decrypt PKCS7 invalid padding
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:HAVE_CONSTANT_TIME_AES
+test_vec_crypt_cf:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_PADDING_PKCS7:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"00000000000000000000000000000000":"0336763e966d92595a567cc9ce537f5e":"":MBEDTLS_ERR_CIPHER_INVALID_PADDING:0
+
+CF AES-128-CBC crypt Encrypt NIST KAT #4 PSA
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:HAVE_CONSTANT_TIME_AES
+test_vec_crypt_cf:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_PADDING_NONE:MBEDTLS_ENCRYPT:"00000000000000000000000000000000":"00000000000000000000000000000000":"f34481ec3cc627bacd5dc3fb08f273e6":"0336763e966d92595a567cc9ce537f5e":0:1
+
+CF AES-128-CBC crypt Decrypt NIST KAT #4 PSA
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:HAVE_CONSTANT_TIME_AES
+test_vec_crypt_cf:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_PADDING_NONE:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"00000000000000000000000000000000":"0336763e966d92595a567cc9ce537f5e":"f34481ec3cc627bacd5dc3fb08f273e6":0:1
+
+## PSA-backed cipher contexts do not support PKCS7 padding.
+#CF AES-128-CBC crypt Decrypt PKCS7 invalid padding PSA
+#depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_PKCS7:HAVE_CONSTANT_TIME_AES
+#test_vec_crypt_cf:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_PADDING_PKCS7:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"00000000000000000000000000000000":"0336763e966d92595a567cc9ce537f5e":"":MBEDTLS_ERR_CIPHER_INVALID_PADDING:1
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index 37a77e5..8ae2234 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -1229,6 +1229,60 @@
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_WITH_PADDING */
+void test_vec_crypt_cf(int cipher_id, int pad_mode, int operation, data_t *key,
+ data_t *iv, data_t *input, data_t *result,
+ int expected_finish_result, int use_psa)
+{
+ mbedtls_cipher_context_t ctx;
+ unsigned char output[32];
+ size_t outlen;
+
+ mbedtls_cipher_init(&ctx);
+
+ memset(output, 0x00, sizeof(output));
+
+ TEST_CF_SECRET(key->x, key->len);
+ TEST_CF_SECRET(input->x, input->len);
+
+ /* Prepare context */
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) || !defined(MBEDTLS_TEST_DEPRECATED)
+ (void) use_psa;
+#else
+ if (use_psa == 1) {
+ PSA_ASSERT(psa_crypto_init());
+ TEST_ASSERT(0 == mbedtls_cipher_setup_psa(&ctx,
+ mbedtls_cipher_info_from_type(cipher_id), 0));
+ } else
+#endif /* !MBEDTLS_USE_PSA_CRYPTO || !MBEDTLS_TEST_DEPRECATED*/
+ TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx,
+ mbedtls_cipher_info_from_type(cipher_id)));
+
+ TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key->x, 8 * key->len, operation));
+ if (MBEDTLS_MODE_CBC == ctx.cipher_info->mode) {
+ TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
+ }
+
+ int actual_finish_result =
+ mbedtls_cipher_crypt(&ctx, iv->len ? iv->x : NULL, iv->len,
+ input->x, input->len,
+ output, &outlen);
+ TEST_EQUAL(expected_finish_result, actual_finish_result);
+
+ /* check plaintext only if everything went fine */
+ if (0 == expected_finish_result) {
+ TEST_CF_PUBLIC(output, sizeof(output));
+ TEST_MEMORY_COMPARE(output, outlen, result->x, result->len);
+ }
+
+exit:
+ mbedtls_cipher_free(&ctx);
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_TEST_DEPRECATED)
+ PSA_DONE();
+#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_TEST_DEPRECATED */
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_WITH_PADDING */
void set_padding(int cipher_id, int pad_mode, int ret)
{
const mbedtls_cipher_info_t *cipher_info;