test_suite_gcm.function (25317B)
1 /* BEGIN_HEADER */ 2 #include "mbedtls/gcm.h" 3 4 /* Use the multipart interface to process the encrypted data in two parts 5 * and check that the output matches the expected output. 6 * The context must have been set up with the key. */ 7 static int check_multipart(mbedtls_gcm_context *ctx, 8 int mode, 9 const data_t *iv, 10 const data_t *add, 11 const data_t *input, 12 const data_t *expected_output, 13 const data_t *tag, 14 size_t n1, 15 size_t n1_add) 16 { 17 int ok = 0; 18 uint8_t *output = NULL; 19 size_t n2 = input->len - n1; 20 size_t n2_add = add->len - n1_add; 21 size_t olen; 22 23 /* Sanity checks on the test data */ 24 TEST_ASSERT(n1 <= input->len); 25 TEST_ASSERT(n1_add <= add->len); 26 TEST_EQUAL(input->len, expected_output->len); 27 28 TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode, 29 iv->x, iv->len)); 30 TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, add->x, n1_add)); 31 TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, add->x + n1_add, n2_add)); 32 33 /* Allocate a tight buffer for each update call. This way, if the function 34 * tries to write beyond the advertised required buffer size, this will 35 * count as an overflow for memory sanitizers and static checkers. */ 36 TEST_CALLOC(output, n1); 37 olen = 0xdeadbeef; 38 TEST_EQUAL(0, mbedtls_gcm_update(ctx, input->x, n1, output, n1, &olen)); 39 TEST_EQUAL(n1, olen); 40 TEST_MEMORY_COMPARE(output, olen, expected_output->x, n1); 41 mbedtls_free(output); 42 output = NULL; 43 44 TEST_CALLOC(output, n2); 45 olen = 0xdeadbeef; 46 TEST_EQUAL(0, mbedtls_gcm_update(ctx, input->x + n1, n2, output, n2, &olen)); 47 TEST_EQUAL(n2, olen); 48 TEST_MEMORY_COMPARE(output, olen, expected_output->x + n1, n2); 49 mbedtls_free(output); 50 output = NULL; 51 52 TEST_CALLOC(output, tag->len); 53 TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen, output, tag->len)); 54 TEST_EQUAL(0, olen); 55 TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len); 56 mbedtls_free(output); 57 output = NULL; 58 59 ok = 1; 60 exit: 61 mbedtls_free(output); 62 return ok; 63 } 64 65 static void check_cipher_with_empty_ad(mbedtls_gcm_context *ctx, 66 int mode, 67 const data_t *iv, 68 const data_t *input, 69 const data_t *expected_output, 70 const data_t *tag, 71 size_t ad_update_count) 72 { 73 size_t n; 74 uint8_t *output = NULL; 75 size_t olen; 76 77 /* Sanity checks on the test data */ 78 TEST_EQUAL(input->len, expected_output->len); 79 80 TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode, 81 iv->x, iv->len)); 82 83 for (n = 0; n < ad_update_count; n++) { 84 TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, NULL, 0)); 85 } 86 87 /* Allocate a tight buffer for each update call. This way, if the function 88 * tries to write beyond the advertised required buffer size, this will 89 * count as an overflow for memory sanitizers and static checkers. */ 90 TEST_CALLOC(output, input->len); 91 olen = 0xdeadbeef; 92 TEST_EQUAL(0, mbedtls_gcm_update(ctx, input->x, input->len, output, input->len, &olen)); 93 TEST_EQUAL(input->len, olen); 94 TEST_MEMORY_COMPARE(output, olen, expected_output->x, input->len); 95 mbedtls_free(output); 96 output = NULL; 97 98 TEST_CALLOC(output, tag->len); 99 TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen, output, tag->len)); 100 TEST_EQUAL(0, olen); 101 TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len); 102 103 exit: 104 mbedtls_free(output); 105 } 106 107 static void check_empty_cipher_with_ad(mbedtls_gcm_context *ctx, 108 int mode, 109 const data_t *iv, 110 const data_t *add, 111 const data_t *tag, 112 size_t cipher_update_count) 113 { 114 size_t olen; 115 size_t n; 116 uint8_t *output_tag = NULL; 117 118 TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode, iv->x, iv->len)); 119 TEST_EQUAL(0, mbedtls_gcm_update_ad(ctx, add->x, add->len)); 120 121 for (n = 0; n < cipher_update_count; n++) { 122 olen = 0xdeadbeef; 123 TEST_EQUAL(0, mbedtls_gcm_update(ctx, NULL, 0, NULL, 0, &olen)); 124 TEST_EQUAL(0, olen); 125 } 126 127 TEST_CALLOC(output_tag, tag->len); 128 TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen, 129 output_tag, tag->len)); 130 TEST_EQUAL(0, olen); 131 TEST_MEMORY_COMPARE(output_tag, tag->len, tag->x, tag->len); 132 133 exit: 134 mbedtls_free(output_tag); 135 } 136 137 static void check_no_cipher_no_ad(mbedtls_gcm_context *ctx, 138 int mode, 139 const data_t *iv, 140 const data_t *tag) 141 { 142 uint8_t *output = NULL; 143 size_t olen = 0; 144 145 TEST_EQUAL(0, mbedtls_gcm_starts(ctx, mode, 146 iv->x, iv->len)); 147 TEST_CALLOC(output, tag->len); 148 TEST_EQUAL(0, mbedtls_gcm_finish(ctx, NULL, 0, &olen, output, tag->len)); 149 TEST_EQUAL(0, olen); 150 TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len); 151 152 exit: 153 mbedtls_free(output); 154 } 155 156 static void gcm_reset_ctx(mbedtls_gcm_context *ctx, const uint8_t *key, 157 size_t key_bits, const uint8_t *iv, size_t iv_len, 158 int starts_ret) 159 { 160 int mode = MBEDTLS_GCM_ENCRYPT; 161 mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES; 162 163 mbedtls_gcm_init(ctx); 164 TEST_EQUAL(mbedtls_gcm_setkey(ctx, valid_cipher, key, key_bits), 0); 165 TEST_EQUAL(starts_ret, mbedtls_gcm_starts(ctx, mode, iv, iv_len)); 166 exit: 167 /* empty */ 168 return; 169 } 170 171 /* END_HEADER */ 172 173 /* BEGIN_DEPENDENCIES 174 * depends_on:MBEDTLS_GCM_C 175 * END_DEPENDENCIES 176 */ 177 178 /* BEGIN_CASE */ 179 void gcm_bad_parameters(int cipher_id, int direction, 180 data_t *key_str, data_t *src_str, 181 data_t *iv_str, data_t *add_str, 182 int tag_len_bits, int gcm_result) 183 { 184 unsigned char output[128]; 185 unsigned char tag_output[16]; 186 mbedtls_gcm_context ctx; 187 size_t tag_len = tag_len_bits / 8; 188 189 BLOCK_CIPHER_PSA_INIT(); 190 mbedtls_gcm_init(&ctx); 191 192 memset(output, 0x00, sizeof(output)); 193 memset(tag_output, 0x00, sizeof(tag_output)); 194 195 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0); 196 TEST_ASSERT(mbedtls_gcm_crypt_and_tag(&ctx, direction, src_str->len, iv_str->x, iv_str->len, 197 add_str->x, add_str->len, src_str->x, output, tag_len, 198 tag_output) == gcm_result); 199 200 exit: 201 mbedtls_gcm_free(&ctx); 202 BLOCK_CIPHER_PSA_DONE(); 203 } 204 /* END_CASE */ 205 206 /* BEGIN_CASE */ 207 void gcm_encrypt_and_tag(int cipher_id, data_t *key_str, 208 data_t *src_str, data_t *iv_str, 209 data_t *add_str, data_t *dst, 210 int tag_len_bits, data_t *tag, 211 int init_result) 212 { 213 unsigned char output[128]; 214 unsigned char tag_output[16]; 215 mbedtls_gcm_context ctx; 216 size_t tag_len = tag_len_bits / 8; 217 size_t n1; 218 size_t n1_add; 219 220 BLOCK_CIPHER_PSA_INIT(); 221 mbedtls_gcm_init(&ctx); 222 223 memset(output, 0x00, 128); 224 memset(tag_output, 0x00, 16); 225 226 227 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result); 228 if (init_result == 0) { 229 TEST_ASSERT(mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT, src_str->len, iv_str->x, 230 iv_str->len, add_str->x, add_str->len, src_str->x, 231 output, tag_len, tag_output) == 0); 232 233 TEST_MEMORY_COMPARE(output, src_str->len, dst->x, dst->len); 234 TEST_MEMORY_COMPARE(tag_output, tag_len, tag->x, tag->len); 235 236 for (n1 = 0; n1 <= src_str->len; n1 += 1) { 237 for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) { 238 mbedtls_test_set_step(n1 * 10000 + n1_add); 239 if (!check_multipart(&ctx, MBEDTLS_GCM_ENCRYPT, 240 iv_str, add_str, src_str, 241 dst, tag, 242 n1, n1_add)) { 243 goto exit; 244 } 245 } 246 } 247 } 248 249 exit: 250 mbedtls_gcm_free(&ctx); 251 BLOCK_CIPHER_PSA_DONE(); 252 } 253 /* END_CASE */ 254 255 /* BEGIN_CASE */ 256 void gcm_decrypt_and_verify(int cipher_id, data_t *key_str, 257 data_t *src_str, data_t *iv_str, 258 data_t *add_str, int tag_len_bits, 259 data_t *tag_str, char *result, 260 data_t *pt_result, int init_result) 261 { 262 unsigned char output[128]; 263 mbedtls_gcm_context ctx; 264 int ret; 265 size_t tag_len = tag_len_bits / 8; 266 size_t n1; 267 size_t n1_add; 268 269 BLOCK_CIPHER_PSA_INIT(); 270 mbedtls_gcm_init(&ctx); 271 272 memset(output, 0x00, 128); 273 274 275 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result); 276 if (init_result == 0) { 277 ret = mbedtls_gcm_auth_decrypt(&ctx, 278 src_str->len, 279 iv_str->x, 280 iv_str->len, 281 add_str->x, 282 add_str->len, 283 tag_str->x, 284 tag_len, 285 src_str->x, 286 output); 287 288 if (strcmp("FAIL", result) == 0) { 289 TEST_ASSERT(ret == MBEDTLS_ERR_GCM_AUTH_FAILED); 290 } else { 291 TEST_ASSERT(ret == 0); 292 TEST_MEMORY_COMPARE(output, src_str->len, pt_result->x, pt_result->len); 293 294 for (n1 = 0; n1 <= src_str->len; n1 += 1) { 295 for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) { 296 mbedtls_test_set_step(n1 * 10000 + n1_add); 297 if (!check_multipart(&ctx, MBEDTLS_GCM_DECRYPT, 298 iv_str, add_str, src_str, 299 pt_result, tag_str, 300 n1, n1_add)) { 301 goto exit; 302 } 303 } 304 } 305 } 306 } 307 308 exit: 309 mbedtls_gcm_free(&ctx); 310 BLOCK_CIPHER_PSA_DONE(); 311 } 312 /* END_CASE */ 313 314 /* BEGIN_CASE */ 315 void gcm_decrypt_and_verify_empty_cipher(int cipher_id, 316 data_t *key_str, 317 data_t *iv_str, 318 data_t *add_str, 319 data_t *tag_str, 320 int cipher_update_calls) 321 { 322 mbedtls_gcm_context ctx; 323 324 BLOCK_CIPHER_PSA_INIT(); 325 mbedtls_gcm_init(&ctx); 326 327 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0); 328 check_empty_cipher_with_ad(&ctx, MBEDTLS_GCM_DECRYPT, 329 iv_str, add_str, tag_str, 330 cipher_update_calls); 331 332 mbedtls_gcm_free(&ctx); 333 BLOCK_CIPHER_PSA_DONE(); 334 } 335 /* END_CASE */ 336 337 /* BEGIN_CASE */ 338 void gcm_decrypt_and_verify_empty_ad(int cipher_id, 339 data_t *key_str, 340 data_t *iv_str, 341 data_t *src_str, 342 data_t *tag_str, 343 data_t *pt_result, 344 int ad_update_calls) 345 { 346 mbedtls_gcm_context ctx; 347 348 BLOCK_CIPHER_PSA_INIT(); 349 mbedtls_gcm_init(&ctx); 350 351 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0); 352 check_cipher_with_empty_ad(&ctx, MBEDTLS_GCM_DECRYPT, 353 iv_str, src_str, pt_result, tag_str, 354 ad_update_calls); 355 356 mbedtls_gcm_free(&ctx); 357 BLOCK_CIPHER_PSA_DONE(); 358 } 359 /* END_CASE */ 360 361 /* BEGIN_CASE */ 362 void gcm_decrypt_and_verify_no_ad_no_cipher(int cipher_id, 363 data_t *key_str, 364 data_t *iv_str, 365 data_t *tag_str) 366 { 367 mbedtls_gcm_context ctx; 368 369 BLOCK_CIPHER_PSA_INIT(); 370 mbedtls_gcm_init(&ctx); 371 372 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0); 373 check_no_cipher_no_ad(&ctx, MBEDTLS_GCM_DECRYPT, 374 iv_str, tag_str); 375 376 mbedtls_gcm_free(&ctx); 377 BLOCK_CIPHER_PSA_DONE(); 378 } 379 /* END_CASE */ 380 381 /* BEGIN_CASE */ 382 void gcm_encrypt_and_tag_empty_cipher(int cipher_id, 383 data_t *key_str, 384 data_t *iv_str, 385 data_t *add_str, 386 data_t *tag_str, 387 int cipher_update_calls) 388 { 389 mbedtls_gcm_context ctx; 390 391 BLOCK_CIPHER_PSA_INIT(); 392 mbedtls_gcm_init(&ctx); 393 394 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0); 395 check_empty_cipher_with_ad(&ctx, MBEDTLS_GCM_ENCRYPT, 396 iv_str, add_str, tag_str, 397 cipher_update_calls); 398 399 exit: 400 mbedtls_gcm_free(&ctx); 401 BLOCK_CIPHER_PSA_DONE(); 402 } 403 /* END_CASE */ 404 405 /* BEGIN_CASE */ 406 void gcm_encrypt_and_tag_empty_ad(int cipher_id, 407 data_t *key_str, 408 data_t *iv_str, 409 data_t *src_str, 410 data_t *dst, 411 data_t *tag_str, 412 int ad_update_calls) 413 { 414 mbedtls_gcm_context ctx; 415 416 BLOCK_CIPHER_PSA_INIT(); 417 mbedtls_gcm_init(&ctx); 418 419 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0); 420 check_cipher_with_empty_ad(&ctx, MBEDTLS_GCM_ENCRYPT, 421 iv_str, src_str, dst, tag_str, 422 ad_update_calls); 423 424 exit: 425 mbedtls_gcm_free(&ctx); 426 BLOCK_CIPHER_PSA_DONE(); 427 } 428 /* END_CASE */ 429 430 /* BEGIN_CASE */ 431 void gcm_encrypt_and_verify_no_ad_no_cipher(int cipher_id, 432 data_t *key_str, 433 data_t *iv_str, 434 data_t *tag_str) 435 { 436 mbedtls_gcm_context ctx; 437 438 BLOCK_CIPHER_PSA_INIT(); 439 mbedtls_gcm_init(&ctx); 440 441 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0); 442 check_no_cipher_no_ad(&ctx, MBEDTLS_GCM_ENCRYPT, 443 iv_str, tag_str); 444 445 mbedtls_gcm_free(&ctx); 446 BLOCK_CIPHER_PSA_DONE(); 447 } 448 /* END_CASE */ 449 450 /* BEGIN_CASE */ 451 void gcm_invalid_param() 452 { 453 mbedtls_gcm_context ctx; 454 unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 }; 455 mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES; 456 int invalid_bitlen = 1; 457 458 mbedtls_gcm_init(&ctx); 459 460 /* mbedtls_gcm_setkey */ 461 TEST_EQUAL( 462 MBEDTLS_ERR_GCM_BAD_INPUT, 463 mbedtls_gcm_setkey(&ctx, valid_cipher, valid_buffer, invalid_bitlen)); 464 465 exit: 466 mbedtls_gcm_free(&ctx); 467 } 468 /* END_CASE */ 469 470 /* BEGIN_CASE */ 471 void gcm_update_output_buffer_too_small(int cipher_id, int mode, 472 data_t *key_str, const data_t *input, 473 const data_t *iv) 474 { 475 mbedtls_gcm_context ctx; 476 uint8_t *output = NULL; 477 size_t olen = 0; 478 size_t output_len = input->len - 1; 479 480 BLOCK_CIPHER_PSA_INIT(); 481 mbedtls_gcm_init(&ctx); 482 TEST_EQUAL(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8), 0); 483 TEST_EQUAL(0, mbedtls_gcm_starts(&ctx, mode, iv->x, iv->len)); 484 485 TEST_CALLOC(output, output_len); 486 TEST_EQUAL(MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL, 487 mbedtls_gcm_update(&ctx, input->x, input->len, output, output_len, &olen)); 488 489 exit: 490 mbedtls_free(output); 491 mbedtls_gcm_free(&ctx); 492 BLOCK_CIPHER_PSA_DONE(); 493 } 494 /* END_CASE */ 495 496 /* BEGIN_CASE */ 497 /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of IV should 498 * satisfy 1 <= bit_len(IV) <= 2^64 - 1. */ 499 void gcm_invalid_iv_len(void) 500 { 501 mbedtls_gcm_context ctx; 502 mbedtls_gcm_init(&ctx); 503 uint8_t b16[16] = { 0 }; 504 505 BLOCK_CIPHER_PSA_INIT(); 506 507 // Invalid IV length 0 508 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 0, MBEDTLS_ERR_GCM_BAD_INPUT); 509 mbedtls_gcm_free(&ctx); 510 511 // Only testable on platforms where sizeof(size_t) >= 8. 512 #if SIZE_MAX >= UINT64_MAX 513 // Invalid IV length 2^61 514 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 1ULL << 61, MBEDTLS_ERR_GCM_BAD_INPUT); 515 mbedtls_gcm_free(&ctx); 516 #endif 517 518 goto exit; /* To suppress error that exit is defined but not used */ 519 exit: 520 mbedtls_gcm_free(&ctx); 521 BLOCK_CIPHER_PSA_DONE(); 522 } 523 /* END_CASE */ 524 525 /* BEGIN_CASE */ 526 void gcm_add_len_too_long(void) 527 { 528 // Only testable on platforms where sizeof(size_t) >= 8. 529 #if SIZE_MAX >= UINT64_MAX 530 mbedtls_gcm_context ctx; 531 mbedtls_gcm_init(&ctx); 532 uint8_t b16[16] = { 0 }; 533 BLOCK_CIPHER_PSA_INIT(); 534 535 /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of AD should 536 * be <= 2^64 - 1, ie < 2^64. This is the minimum invalid length in bytes. */ 537 uint64_t len_max = 1ULL << 61; 538 539 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); 540 // Feed AD that just exceeds the length limit 541 TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max), 542 MBEDTLS_ERR_GCM_BAD_INPUT); 543 mbedtls_gcm_free(&ctx); 544 545 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); 546 // Feed AD that just exceeds the length limit in two calls 547 TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0); 548 TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max - 1), 549 MBEDTLS_ERR_GCM_BAD_INPUT); 550 mbedtls_gcm_free(&ctx); 551 552 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); 553 // Test if potential total AD length overflow is handled properly 554 TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0); 555 TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, UINT64_MAX), MBEDTLS_ERR_GCM_BAD_INPUT); 556 557 exit: 558 mbedtls_gcm_free(&ctx); 559 BLOCK_CIPHER_PSA_DONE(); 560 #endif 561 } 562 /* END_CASE */ 563 564 /* BEGIN_CASE */ 565 void gcm_input_len_too_long(void) 566 { 567 // Only testable on platforms where sizeof(size_t) >= 8 568 #if SIZE_MAX >= UINT64_MAX 569 mbedtls_gcm_context ctx; 570 uint8_t b16[16] = { 0 }; 571 uint8_t out[1]; 572 size_t out_len; 573 mbedtls_gcm_init(&ctx); 574 BLOCK_CIPHER_PSA_INIT(); 575 576 /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of input should 577 * be <= 2^39 - 256. This is the maximum valid length in bytes. */ 578 uint64_t len_max = (1ULL << 36) - 32; 579 580 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); 581 // Feed input that just exceeds the length limit 582 TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max + 1, out, len_max + 1, 583 &out_len), 584 MBEDTLS_ERR_GCM_BAD_INPUT); 585 mbedtls_gcm_free(&ctx); 586 587 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); 588 // Feed input that just exceeds the length limit in two calls 589 TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0); 590 TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max, out, len_max, &out_len), 591 MBEDTLS_ERR_GCM_BAD_INPUT); 592 mbedtls_gcm_free(&ctx); 593 594 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); 595 // Test if potential total input length overflow is handled properly 596 TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0); 597 TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, UINT64_MAX, out, UINT64_MAX, 598 &out_len), 599 MBEDTLS_ERR_GCM_BAD_INPUT); 600 601 exit: 602 mbedtls_gcm_free(&ctx); 603 BLOCK_CIPHER_PSA_DONE(); 604 #endif 605 } 606 /* END_CASE */ 607 608 /* BEGIN_CASE */ 609 void gcm_encrypt_input_output_buffer_overlap(int cipher_id, data_t *key_str, 610 data_t *src_str, data_t *iv_str, 611 data_t *add_str, data_t *dst, 612 int tag_len_bits, data_t *tag, 613 int init_result) 614 { 615 unsigned char *buffer = NULL; 616 size_t buffer_len; 617 unsigned char tag_output[16]; 618 mbedtls_gcm_context ctx; 619 size_t tag_len = tag_len_bits / 8; 620 size_t n1; 621 size_t n1_add; 622 623 BLOCK_CIPHER_PSA_INIT(); 624 mbedtls_gcm_init(&ctx); 625 626 /* GCM includes padding and therefore input length can be shorter than the output length 627 * Therefore we must ensure we round up to the nearest 128-bits/16-bytes. 628 */ 629 buffer_len = src_str->len; 630 if (buffer_len % 16 != 0 || buffer_len == 0) { 631 buffer_len += (16 - (buffer_len % 16)); 632 } 633 TEST_CALLOC(buffer, buffer_len); 634 memcpy(buffer, src_str->x, src_str->len); 635 636 memset(tag_output, 0x00, 16); 637 638 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result); 639 if (init_result == 0) { 640 TEST_ASSERT(mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT, src_str->len, iv_str->x, 641 iv_str->len, add_str->x, add_str->len, buffer, 642 buffer, tag_len, tag_output) == 0); 643 644 TEST_MEMORY_COMPARE(buffer, src_str->len, dst->x, dst->len); 645 TEST_MEMORY_COMPARE(tag_output, tag_len, tag->x, tag->len); 646 647 for (n1 = 0; n1 <= src_str->len; n1 += 1) { 648 for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) { 649 mbedtls_test_set_step(n1 * 10000 + n1_add); 650 if (!check_multipart(&ctx, MBEDTLS_GCM_ENCRYPT, 651 iv_str, add_str, src_str, 652 dst, tag, 653 n1, n1_add)) { 654 goto exit; 655 } 656 } 657 } 658 } 659 660 exit: 661 mbedtls_free(buffer); 662 mbedtls_gcm_free(&ctx); 663 BLOCK_CIPHER_PSA_DONE(); 664 } 665 /* END_CASE */ 666 667 /* BEGIN_CASE */ 668 void gcm_decrypt_input_output_buffer_overlap(int cipher_id, data_t *key_str, 669 data_t *src_str, data_t *iv_str, 670 data_t *add_str, int tag_len_bits, 671 data_t *tag_str, char *result, 672 data_t *pt_result, int init_result) 673 { 674 unsigned char *buffer = NULL; 675 size_t buffer_len; 676 mbedtls_gcm_context ctx; 677 int ret; 678 size_t tag_len = tag_len_bits / 8; 679 size_t n1; 680 size_t n1_add; 681 682 BLOCK_CIPHER_PSA_INIT(); 683 mbedtls_gcm_init(&ctx); 684 685 /* GCM includes padding and therefore input length can be shorter than the output length 686 * Therefore we must ensure we round up to the nearest 128-bits/16-bytes. 687 */ 688 buffer_len = src_str->len; 689 if (buffer_len % 16 != 0 || buffer_len == 0) { 690 buffer_len += (16 - (buffer_len % 16)); 691 } 692 TEST_CALLOC(buffer, buffer_len); 693 memcpy(buffer, src_str->x, src_str->len); 694 695 TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == init_result); 696 if (init_result == 0) { 697 ret = mbedtls_gcm_auth_decrypt(&ctx, 698 src_str->len, 699 iv_str->x, 700 iv_str->len, 701 add_str->x, 702 add_str->len, 703 tag_str->x, 704 tag_len, 705 buffer, 706 buffer); 707 708 if (strcmp("FAIL", result) == 0) { 709 TEST_ASSERT(ret == MBEDTLS_ERR_GCM_AUTH_FAILED); 710 } else { 711 TEST_ASSERT(ret == 0); 712 TEST_MEMORY_COMPARE(buffer, src_str->len, pt_result->x, pt_result->len); 713 714 for (n1 = 0; n1 <= src_str->len; n1 += 1) { 715 for (n1_add = 0; n1_add <= add_str->len; n1_add += 1) { 716 mbedtls_test_set_step(n1 * 10000 + n1_add); 717 if (!check_multipart(&ctx, MBEDTLS_GCM_DECRYPT, 718 iv_str, add_str, src_str, 719 pt_result, tag_str, 720 n1, n1_add)) { 721 goto exit; 722 } 723 } 724 } 725 } 726 } 727 728 exit: 729 mbedtls_free(buffer); 730 mbedtls_gcm_free(&ctx); 731 BLOCK_CIPHER_PSA_DONE(); 732 733 } 734 /* END_CASE */ 735 736 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_CCM_GCM_CAN_AES */ 737 void gcm_selftest() 738 { 739 BLOCK_CIPHER_PSA_INIT(); 740 TEST_ASSERT(mbedtls_gcm_self_test(1) == 0); 741 BLOCK_CIPHER_PSA_DONE(); 742 } 743 /* END_CASE */