1/* BEGIN_HEADER */ 2#include "mbedtls/ccm.h" 3 4/* Use the multipart interface to process the encrypted data in two parts 5 * and check that the output matches the expected output. 6 * The context must have been set up with the key. */ 7static int check_multipart(mbedtls_ccm_context *ctx, 8 int mode, 9 const data_t *iv, 10 const data_t *add, 11 const data_t *input, 12 const data_t *expected_output, 13 const data_t *tag, 14 size_t n1, 15 size_t n1_add) 16{ 17 int ok = 0; 18 uint8_t *output = NULL; 19 size_t n2 = input->len - n1; 20 size_t n2_add = add->len - n1_add; 21 size_t olen; 22 23 /* Sanity checks on the test data */ 24 TEST_ASSERT(n1 <= input->len); 25 TEST_ASSERT(n1_add <= add->len); 26 TEST_EQUAL(input->len, expected_output->len); 27 TEST_EQUAL(0, mbedtls_ccm_starts(ctx, mode, iv->x, iv->len)); 28 TEST_EQUAL(0, mbedtls_ccm_set_lengths(ctx, add->len, input->len, tag->len)); 29 TEST_EQUAL(0, mbedtls_ccm_update_ad(ctx, add->x, n1_add)); 30 TEST_EQUAL(0, mbedtls_ccm_update_ad(ctx, add->x + n1_add, n2_add)); 31 32 /* Allocate a tight buffer for each update call. This way, if the function 33 * tries to write beyond the advertised required buffer size, this will 34 * count as an overflow for memory sanitizers and static checkers. */ 35 TEST_CALLOC(output, n1); 36 olen = 0xdeadbeef; 37 TEST_EQUAL(0, mbedtls_ccm_update(ctx, input->x, n1, output, n1, &olen)); 38 TEST_EQUAL(n1, olen); 39 TEST_MEMORY_COMPARE(output, olen, expected_output->x, n1); 40 mbedtls_free(output); 41 output = NULL; 42 43 TEST_CALLOC(output, n2); 44 olen = 0xdeadbeef; 45 TEST_EQUAL(0, mbedtls_ccm_update(ctx, input->x + n1, n2, output, n2, &olen)); 46 TEST_EQUAL(n2, olen); 47 TEST_MEMORY_COMPARE(output, olen, expected_output->x + n1, n2); 48 mbedtls_free(output); 49 output = NULL; 50 51 TEST_CALLOC(output, tag->len); 52 TEST_EQUAL(0, mbedtls_ccm_finish(ctx, output, tag->len)); 53 TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len); 54 mbedtls_free(output); 55 output = NULL; 56 57 ok = 1; 58exit: 59 mbedtls_free(output); 60 return ok; 61} 62/* END_HEADER */ 63 64/* BEGIN_DEPENDENCIES 65 * depends_on:MBEDTLS_CCM_C 66 * END_DEPENDENCIES 67 */ 68 69/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_CCM_GCM_CAN_AES */ 70void mbedtls_ccm_self_test() 71{ 72 BLOCK_CIPHER_PSA_INIT(); 73 TEST_ASSERT(mbedtls_ccm_self_test(1) == 0); 74 BLOCK_CIPHER_PSA_DONE(); 75} 76/* END_CASE */ 77 78/* BEGIN_CASE */ 79void mbedtls_ccm_setkey(int cipher_id, int key_size, int result) 80{ 81 mbedtls_ccm_context ctx; 82 unsigned char key[32]; 83 int ret; 84 85 BLOCK_CIPHER_PSA_INIT(); 86 mbedtls_ccm_init(&ctx); 87 88 memset(key, 0x2A, sizeof(key)); 89 TEST_ASSERT((unsigned) key_size <= 8 * sizeof(key)); 90 91 ret = mbedtls_ccm_setkey(&ctx, cipher_id, key, key_size); 92 TEST_ASSERT(ret == result); 93 94exit: 95 mbedtls_ccm_free(&ctx); 96 BLOCK_CIPHER_PSA_DONE(); 97} 98/* END_CASE */ 99 100/* BEGIN_CASE depends_on:MBEDTLS_CCM_GCM_CAN_AES */ 101void ccm_lengths(int msg_len, int iv_len, int add_len, int tag_len, int res) 102{ 103 mbedtls_ccm_context ctx; 104 unsigned char key[16]; 105 unsigned char msg[10]; 106 unsigned char iv[14]; 107 unsigned char *add = NULL; 108 unsigned char out[10]; 109 unsigned char tag[18]; 110 int decrypt_ret; 111 112 BLOCK_CIPHER_PSA_INIT(); 113 mbedtls_ccm_init(&ctx); 114 115 TEST_CALLOC_OR_SKIP(add, add_len); 116 memset(key, 0, sizeof(key)); 117 memset(msg, 0, sizeof(msg)); 118 memset(iv, 0, sizeof(iv)); 119 memset(out, 0, sizeof(out)); 120 memset(tag, 0, sizeof(tag)); 121 122 TEST_ASSERT(mbedtls_ccm_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, 123 key, 8 * sizeof(key)) == 0); 124 125 TEST_ASSERT(mbedtls_ccm_encrypt_and_tag(&ctx, msg_len, iv, iv_len, add, add_len, 126 msg, out, tag, tag_len) == res); 127 128 decrypt_ret = mbedtls_ccm_auth_decrypt(&ctx, msg_len, iv, iv_len, add, add_len, 129 msg, out, tag, tag_len); 130 131 if (res == 0) { 132 TEST_ASSERT(decrypt_ret == MBEDTLS_ERR_CCM_AUTH_FAILED); 133 } else { 134 TEST_ASSERT(decrypt_ret == res); 135 } 136 137exit: 138 mbedtls_free(add); 139 mbedtls_ccm_free(&ctx); 140 BLOCK_CIPHER_PSA_DONE(); 141} 142/* END_CASE */ 143 144/* BEGIN_CASE depends_on:MBEDTLS_CCM_GCM_CAN_AES */ 145void ccm_star_lengths(int msg_len, int iv_len, int add_len, int tag_len, 146 int res) 147{ 148 mbedtls_ccm_context ctx; 149 unsigned char key[16]; 150 unsigned char msg[10]; 151 unsigned char iv[14]; 152 unsigned char add[10]; 153 unsigned char out[10]; 154 unsigned char tag[18]; 155 int decrypt_ret; 156 157 BLOCK_CIPHER_PSA_INIT(); 158 mbedtls_ccm_init(&ctx); 159 160 memset(key, 0, sizeof(key)); 161 memset(msg, 0, sizeof(msg)); 162 memset(iv, 0, sizeof(iv)); 163 memset(add, 0, sizeof(add)); 164 memset(out, 0, sizeof(out)); 165 memset(tag, 0, sizeof(tag)); 166 167 TEST_ASSERT(mbedtls_ccm_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, 168 key, 8 * sizeof(key)) == 0); 169 170 TEST_ASSERT(mbedtls_ccm_star_encrypt_and_tag(&ctx, msg_len, iv, iv_len, 171 add, add_len, msg, out, tag, tag_len) == res); 172 173 decrypt_ret = mbedtls_ccm_star_auth_decrypt(&ctx, msg_len, iv, iv_len, add, 174 add_len, msg, out, tag, tag_len); 175 176 if (res == 0 && tag_len != 0) { 177 TEST_ASSERT(decrypt_ret == MBEDTLS_ERR_CCM_AUTH_FAILED); 178 } else { 179 TEST_ASSERT(decrypt_ret == res); 180 } 181 182exit: 183 mbedtls_ccm_free(&ctx); 184 BLOCK_CIPHER_PSA_DONE(); 185} 186/* END_CASE */ 187 188/* BEGIN_CASE */ 189void mbedtls_ccm_encrypt_and_tag(int cipher_id, data_t *key, 190 data_t *msg, data_t *iv, 191 data_t *add, data_t *result) 192{ 193 mbedtls_ccm_context ctx; 194 size_t n1, n1_add; 195 uint8_t *io_msg_buf = NULL; 196 uint8_t *tag_buf = NULL; 197 const size_t expected_tag_len = result->len - msg->len; 198 const uint8_t *expected_tag = result->x + msg->len; 199 200 /* Prepare input/output message buffer */ 201 TEST_CALLOC(io_msg_buf, msg->len); 202 if (msg->len != 0) { 203 memcpy(io_msg_buf, msg->x, msg->len); 204 } 205 206 /* Prepare tag buffer */ 207 TEST_CALLOC(tag_buf, expected_tag_len); 208 209 BLOCK_CIPHER_PSA_INIT(); 210 mbedtls_ccm_init(&ctx); 211 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 212 /* Test with input == output */ 213 TEST_EQUAL(mbedtls_ccm_encrypt_and_tag(&ctx, msg->len, iv->x, iv->len, add->x, add->len, 214 io_msg_buf, io_msg_buf, tag_buf, expected_tag_len), 0); 215 216 TEST_MEMORY_COMPARE(io_msg_buf, msg->len, result->x, msg->len); 217 TEST_MEMORY_COMPARE(tag_buf, expected_tag_len, expected_tag, expected_tag_len); 218 219 /* Prepare data_t structures for multipart testing */ 220 const data_t encrypted_expected = { .x = result->x, 221 .len = msg->len }; 222 const data_t tag_expected = { .x = (uint8_t *) expected_tag, /* cast to conform with data_t x type */ 223 .len = expected_tag_len }; 224 225 for (n1 = 0; n1 <= msg->len; n1 += 1) { 226 for (n1_add = 0; n1_add <= add->len; n1_add += 1) { 227 mbedtls_test_set_step(n1 * 10000 + n1_add); 228 if (!check_multipart(&ctx, MBEDTLS_CCM_ENCRYPT, 229 iv, add, msg, 230 &encrypted_expected, 231 &tag_expected, 232 n1, n1_add)) { 233 goto exit; 234 } 235 } 236 } 237 238exit: 239 mbedtls_ccm_free(&ctx); 240 mbedtls_free(io_msg_buf); 241 mbedtls_free(tag_buf); 242 BLOCK_CIPHER_PSA_DONE(); 243} 244/* END_CASE */ 245 246/* BEGIN_CASE */ 247void mbedtls_ccm_star_no_tag(int cipher_id, int mode, data_t *key, 248 data_t *msg, data_t *iv, data_t *result) 249{ 250 mbedtls_ccm_context ctx; 251 uint8_t *output = NULL; 252 size_t olen; 253 254 BLOCK_CIPHER_PSA_INIT(); 255 mbedtls_ccm_init(&ctx); 256 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 257 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 258 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, 0, msg->len, 0)); 259 260 TEST_CALLOC(output, msg->len); 261 TEST_EQUAL(0, mbedtls_ccm_update(&ctx, msg->x, msg->len, output, msg->len, &olen)); 262 TEST_EQUAL(result->len, olen); 263 TEST_MEMORY_COMPARE(output, olen, result->x, result->len); 264 265 TEST_EQUAL(0, mbedtls_ccm_finish(&ctx, NULL, 0)); 266exit: 267 mbedtls_free(output); 268 mbedtls_ccm_free(&ctx); 269 BLOCK_CIPHER_PSA_DONE(); 270} 271/* END_CASE */ 272 273/* BEGIN_CASE */ 274void mbedtls_ccm_auth_decrypt(int cipher_id, data_t *key, 275 data_t *msg, data_t *iv, 276 data_t *add, int expected_tag_len, int result, 277 data_t *expected_msg) 278{ 279 mbedtls_ccm_context ctx; 280 size_t n1, n1_add; 281 282 const size_t expected_msg_len = msg->len - expected_tag_len; 283 const uint8_t *expected_tag = msg->x + expected_msg_len; 284 285 /* Prepare input/output message buffer */ 286 uint8_t *io_msg_buf = NULL; 287 TEST_CALLOC(io_msg_buf, expected_msg_len); 288 if (expected_msg_len) { 289 memcpy(io_msg_buf, msg->x, expected_msg_len); 290 } 291 292 BLOCK_CIPHER_PSA_INIT(); 293 mbedtls_ccm_init(&ctx); 294 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 295 /* Test with input == output */ 296 TEST_EQUAL(mbedtls_ccm_auth_decrypt(&ctx, expected_msg_len, iv->x, iv->len, add->x, add->len, 297 io_msg_buf, io_msg_buf, expected_tag, expected_tag_len), 298 result); 299 300 if (result == 0) { 301 TEST_MEMORY_COMPARE(io_msg_buf, expected_msg_len, expected_msg->x, expected_msg_len); 302 303 /* Prepare data_t structures for multipart testing */ 304 const data_t encrypted = { .x = msg->x, 305 .len = expected_msg_len }; 306 307 const data_t tag_expected = { .x = (uint8_t *) expected_tag, 308 .len = expected_tag_len }; 309 310 for (n1 = 0; n1 <= expected_msg_len; n1 += 1) { 311 for (n1_add = 0; n1_add <= add->len; n1_add += 1) { 312 mbedtls_test_set_step(n1 * 10000 + n1_add); 313 if (!check_multipart(&ctx, MBEDTLS_CCM_DECRYPT, 314 iv, add, &encrypted, 315 expected_msg, 316 &tag_expected, 317 n1, n1_add)) { 318 goto exit; 319 } 320 } 321 } 322 } else { 323 size_t i; 324 325 for (i = 0; i < expected_msg_len; i++) { 326 TEST_EQUAL(io_msg_buf[i], 0); 327 } 328 } 329 330exit: 331 mbedtls_free(io_msg_buf); 332 mbedtls_ccm_free(&ctx); 333 BLOCK_CIPHER_PSA_DONE(); 334} 335/* END_CASE */ 336 337/* BEGIN_CASE */ 338void mbedtls_ccm_star_encrypt_and_tag(int cipher_id, 339 data_t *key, data_t *msg, 340 data_t *source_address, data_t *frame_counter, 341 int sec_level, data_t *add, 342 data_t *expected_result, int output_ret) 343{ 344 unsigned char iv[13]; 345 mbedtls_ccm_context ctx; 346 size_t iv_len, expected_tag_len; 347 size_t n1, n1_add; 348 uint8_t *io_msg_buf = NULL; 349 uint8_t *tag_buf = NULL; 350 351 const uint8_t *expected_tag = expected_result->x + msg->len; 352 353 /* Calculate tag length */ 354 if (sec_level % 4 == 0) { 355 expected_tag_len = 0; 356 } else { 357 expected_tag_len = 1 << (sec_level % 4 + 1); 358 } 359 360 /* Prepare input/output message buffer */ 361 TEST_CALLOC(io_msg_buf, msg->len); 362 if (msg->len) { 363 memcpy(io_msg_buf, msg->x, msg->len); 364 } 365 366 /* Prepare tag buffer */ 367 if (expected_tag_len == 0) { 368 TEST_CALLOC(tag_buf, 16); 369 } else { 370 TEST_CALLOC(tag_buf, expected_tag_len); 371 } 372 373 /* Calculate iv */ 374 TEST_ASSERT(source_address->len == 8); 375 TEST_ASSERT(frame_counter->len == 4); 376 memcpy(iv, source_address->x, source_address->len); 377 memcpy(iv + source_address->len, frame_counter->x, frame_counter->len); 378 iv[source_address->len + frame_counter->len] = sec_level; 379 iv_len = sizeof(iv); 380 381 BLOCK_CIPHER_PSA_INIT(); 382 mbedtls_ccm_init(&ctx); 383 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, 384 key->x, key->len * 8), 0); 385 /* Test with input == output */ 386 TEST_EQUAL(mbedtls_ccm_star_encrypt_and_tag(&ctx, msg->len, iv, iv_len, 387 add->x, add->len, io_msg_buf, 388 io_msg_buf, tag_buf, expected_tag_len), output_ret); 389 390 TEST_MEMORY_COMPARE(io_msg_buf, msg->len, expected_result->x, msg->len); 391 TEST_MEMORY_COMPARE(tag_buf, expected_tag_len, expected_tag, expected_tag_len); 392 393 if (output_ret == 0) { 394 const data_t iv_data = { .x = iv, 395 .len = iv_len }; 396 397 const data_t encrypted_expected = { .x = expected_result->x, 398 .len = msg->len }; 399 const data_t tag_expected = { .x = (uint8_t *) expected_tag, 400 .len = expected_tag_len }; 401 402 for (n1 = 0; n1 <= msg->len; n1 += 1) { 403 for (n1_add = 0; n1_add <= add->len; n1_add += 1) { 404 mbedtls_test_set_step(n1 * 10000 + n1_add); 405 if (!check_multipart(&ctx, MBEDTLS_CCM_STAR_ENCRYPT, 406 &iv_data, add, msg, 407 &encrypted_expected, 408 &tag_expected, 409 n1, n1_add)) { 410 goto exit; 411 } 412 } 413 } 414 } 415 416exit: 417 mbedtls_ccm_free(&ctx); 418 mbedtls_free(io_msg_buf); 419 mbedtls_free(tag_buf); 420 BLOCK_CIPHER_PSA_DONE(); 421} 422/* END_CASE */ 423 424/* BEGIN_CASE */ 425void mbedtls_ccm_star_auth_decrypt(int cipher_id, 426 data_t *key, data_t *msg, 427 data_t *source_address, data_t *frame_counter, 428 int sec_level, data_t *add, 429 data_t *expected_result, int output_ret) 430{ 431 unsigned char iv[13]; 432 mbedtls_ccm_context ctx; 433 size_t iv_len, expected_tag_len; 434 size_t n1, n1_add; 435 436 /* Calculate tag length */ 437 if (sec_level % 4 == 0) { 438 expected_tag_len = 0; 439 } else { 440 expected_tag_len = 1 << (sec_level % 4 + 1); 441 } 442 443 const size_t expected_msg_len = msg->len - expected_tag_len; 444 const uint8_t *expected_tag = msg->x + expected_msg_len; 445 446 /* Prepare input/output message buffer */ 447 uint8_t *io_msg_buf = NULL; 448 TEST_CALLOC(io_msg_buf, expected_msg_len); 449 if (expected_msg_len) { 450 memcpy(io_msg_buf, msg->x, expected_msg_len); 451 } 452 453 /* Calculate iv */ 454 memset(iv, 0x00, sizeof(iv)); 455 TEST_ASSERT(source_address->len == 8); 456 TEST_ASSERT(frame_counter->len == 4); 457 memcpy(iv, source_address->x, source_address->len); 458 memcpy(iv + source_address->len, frame_counter->x, frame_counter->len); 459 iv[source_address->len + frame_counter->len] = sec_level; 460 iv_len = sizeof(iv); 461 462 BLOCK_CIPHER_PSA_INIT(); 463 mbedtls_ccm_init(&ctx); 464 TEST_ASSERT(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8) == 0); 465 /* Test with input == output */ 466 TEST_EQUAL(mbedtls_ccm_star_auth_decrypt(&ctx, expected_msg_len, iv, iv_len, 467 add->x, add->len, io_msg_buf, io_msg_buf, 468 expected_tag, expected_tag_len), output_ret); 469 470 TEST_MEMORY_COMPARE(io_msg_buf, expected_msg_len, expected_result->x, expected_msg_len); 471 472 if (output_ret == 0) { 473 const data_t iv_data = { .x = iv, 474 .len = iv_len }; 475 476 const data_t encrypted = { .x = msg->x, 477 .len = expected_msg_len }; 478 479 const data_t tag_expected = { .x = (uint8_t *) expected_tag, 480 .len = expected_tag_len }; 481 482 for (n1 = 0; n1 <= expected_msg_len; n1 += 1) { 483 for (n1_add = 0; n1_add <= add->len; n1_add += 1) { 484 mbedtls_test_set_step(n1 * 10000 + n1_add); 485 if (!check_multipart(&ctx, MBEDTLS_CCM_STAR_DECRYPT, 486 &iv_data, add, &encrypted, 487 expected_result, 488 &tag_expected, 489 n1, n1_add)) { 490 goto exit; 491 } 492 } 493 } 494 } 495 496exit: 497 mbedtls_ccm_free(&ctx); 498 mbedtls_free(io_msg_buf); 499 BLOCK_CIPHER_PSA_DONE(); 500} 501/* END_CASE */ 502 503/* Skip auth data, provide full text */ 504/* BEGIN_CASE */ 505void mbedtls_ccm_skip_ad(int cipher_id, int mode, 506 data_t *key, data_t *msg, data_t *iv, 507 data_t *result, data_t *tag) 508{ 509 mbedtls_ccm_context ctx; 510 uint8_t *output = NULL; 511 size_t olen; 512 513 /* Sanity checks on the test data */ 514 TEST_EQUAL(msg->len, result->len); 515 516 BLOCK_CIPHER_PSA_INIT(); 517 mbedtls_ccm_init(&ctx); 518 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 519 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 520 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, 0, msg->len, tag->len)); 521 522 TEST_CALLOC(output, result->len); 523 olen = 0xdeadbeef; 524 TEST_EQUAL(0, mbedtls_ccm_update(&ctx, msg->x, msg->len, output, result->len, &olen)); 525 TEST_EQUAL(result->len, olen); 526 TEST_MEMORY_COMPARE(output, olen, result->x, result->len); 527 mbedtls_free(output); 528 output = NULL; 529 530 TEST_CALLOC(output, tag->len); 531 TEST_EQUAL(0, mbedtls_ccm_finish(&ctx, output, tag->len)); 532 TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len); 533 mbedtls_free(output); 534 output = NULL; 535 536exit: 537 mbedtls_free(output); 538 mbedtls_ccm_free(&ctx); 539 BLOCK_CIPHER_PSA_DONE(); 540} 541/* END_CASE */ 542 543/* Provide auth data, skip full text */ 544/* BEGIN_CASE */ 545void mbedtls_ccm_skip_update(int cipher_id, int mode, 546 data_t *key, data_t *iv, data_t *add, 547 data_t *tag) 548{ 549 mbedtls_ccm_context ctx; 550 uint8_t *output = NULL; 551 552 BLOCK_CIPHER_PSA_INIT(); 553 mbedtls_ccm_init(&ctx); 554 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 555 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 556 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, 0, tag->len)); 557 558 TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len)); 559 560 TEST_CALLOC(output, tag->len); 561 TEST_EQUAL(0, mbedtls_ccm_finish(&ctx, output, tag->len)); 562 TEST_MEMORY_COMPARE(output, tag->len, tag->x, tag->len); 563 mbedtls_free(output); 564 output = NULL; 565 566exit: 567 mbedtls_free(output); 568 mbedtls_ccm_free(&ctx); 569 BLOCK_CIPHER_PSA_DONE(); 570} 571/* END_CASE */ 572 573/* Provide too much auth data */ 574/* BEGIN_CASE */ 575void mbedtls_ccm_overflow_ad(int cipher_id, int mode, 576 data_t *key, data_t *iv, 577 data_t *add) 578{ 579 mbedtls_ccm_context ctx; 580 581 BLOCK_CIPHER_PSA_INIT(); 582 mbedtls_ccm_init(&ctx); 583 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 584 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 585 // use hardcoded values for msg length and tag length. They are not a part of this test 586 // subtract 1 from configured auth data length to provoke an overflow 587 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len - 1, 16, 16)); 588 589 TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add->x, add->len)); 590exit: 591 mbedtls_ccm_free(&ctx); 592 BLOCK_CIPHER_PSA_DONE(); 593} 594/* END_CASE */ 595 596/* Provide unexpected auth data */ 597/* BEGIN_CASE */ 598void mbedtls_ccm_unexpected_ad(int cipher_id, int mode, 599 data_t *key, data_t *iv, 600 data_t *add) 601{ 602 mbedtls_ccm_context ctx; 603 604 BLOCK_CIPHER_PSA_INIT(); 605 mbedtls_ccm_init(&ctx); 606 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 607 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 608 // use hardcoded values for msg length and tag length. They are not a part of this test 609 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, 0, 16, 16)); 610 611 TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add->x, add->len)); 612exit: 613 mbedtls_ccm_free(&ctx); 614 BLOCK_CIPHER_PSA_DONE(); 615} 616/* END_CASE */ 617 618/* Provide unexpected plaintext/ciphertext data */ 619/* BEGIN_CASE */ 620void mbedtls_ccm_unexpected_text(int cipher_id, int mode, 621 data_t *key, data_t *msg, data_t *iv, 622 data_t *add) 623{ 624 mbedtls_ccm_context ctx; 625 uint8_t *output = NULL; 626 size_t olen; 627 628 BLOCK_CIPHER_PSA_INIT(); 629 mbedtls_ccm_init(&ctx); 630 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 631 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 632 // use hardcoded value for tag length. It is not a part of this test 633 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, 0, 16)); 634 635 TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len)); 636 637 TEST_CALLOC(output, msg->len); 638 olen = 0xdeadbeef; 639 TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, 640 mbedtls_ccm_update(&ctx, msg->x, msg->len, output, msg->len, &olen)); 641exit: 642 mbedtls_free(output); 643 mbedtls_ccm_free(&ctx); 644 BLOCK_CIPHER_PSA_DONE(); 645} 646/* END_CASE */ 647 648/* Provide incomplete auth data and finish */ 649/* BEGIN_CASE */ 650void mbedtls_ccm_incomplete_ad(int cipher_id, int mode, 651 data_t *key, data_t *iv, data_t *add) 652{ 653 mbedtls_ccm_context ctx; 654 uint8_t *output = NULL; 655 656 BLOCK_CIPHER_PSA_INIT(); 657 mbedtls_ccm_init(&ctx); 658 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 659 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 660 // use hardcoded values for msg length and tag length. They are not a part of this test 661 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, 0, 16)); 662 663 TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len - 1)); 664 665 TEST_CALLOC(output, 16); 666 TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish(&ctx, output, 16)); 667 668exit: 669 mbedtls_free(output); 670 mbedtls_ccm_free(&ctx); 671 BLOCK_CIPHER_PSA_DONE(); 672} 673/* END_CASE */ 674 675/* Provide complete auth data on first update_ad. 676 * Provide unexpected auth data on second update_ad */ 677/* BEGIN_CASE */ 678void mbedtls_ccm_full_ad_and_overflow(int cipher_id, int mode, 679 data_t *key, data_t *iv, 680 data_t *add) 681{ 682 mbedtls_ccm_context ctx; 683 684 BLOCK_CIPHER_PSA_INIT(); 685 mbedtls_ccm_init(&ctx); 686 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 687 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 688 // use hardcoded values for msg length and tag length. They are not a part of this test 689 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, 16, 16)); 690 691 // pass full auth data 692 TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len)); 693 // pass 1 extra byte 694 TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add->x, 1)); 695exit: 696 mbedtls_ccm_free(&ctx); 697 BLOCK_CIPHER_PSA_DONE(); 698} 699/* END_CASE */ 700 701/* Provide incomplete auth data on first update_ad. 702 * Provide too much auth data on second update_ad */ 703/* BEGIN_CASE */ 704void mbedtls_ccm_incomplete_ad_and_overflow(int cipher_id, int mode, 705 data_t *key, data_t *iv, 706 data_t *add) 707{ 708 mbedtls_ccm_context ctx; 709 uint8_t add_second_buffer[2]; 710 711 add_second_buffer[0] = add->x[add->len - 1]; 712 add_second_buffer[1] = 0xAB; // some magic value 713 714 BLOCK_CIPHER_PSA_INIT(); 715 mbedtls_ccm_init(&ctx); 716 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 717 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 718 // use hardcoded values for msg length and tag length. They are not a part of this test 719 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, 16, 16)); 720 721 // pass incomplete auth data 722 TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len - 1)); 723 // pass 2 extra bytes (1 missing byte from previous incomplete pass, and 1 unexpected byte) 724 TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add_second_buffer, 2)); 725exit: 726 mbedtls_ccm_free(&ctx); 727 BLOCK_CIPHER_PSA_DONE(); 728} 729/* END_CASE */ 730 731/* Provide too much plaintext/ciphertext */ 732/* BEGIN_CASE */ 733void mbedtls_ccm_overflow_update(int cipher_id, int mode, 734 data_t *key, data_t *msg, data_t *iv, 735 data_t *add) 736{ 737 mbedtls_ccm_context ctx; 738 uint8_t *output = NULL; 739 size_t olen; 740 741 BLOCK_CIPHER_PSA_INIT(); 742 mbedtls_ccm_init(&ctx); 743 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 744 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 745 // use hardcoded value for tag length. It is a not a part of this test 746 // subtract 1 from configured msg length to provoke an overflow 747 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, msg->len - 1, 16)); 748 749 TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len)); 750 751 TEST_CALLOC(output, msg->len); 752 TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, \ 753 mbedtls_ccm_update(&ctx, msg->x, msg->len, output, msg->len, &olen)); 754exit: 755 mbedtls_free(output); 756 mbedtls_ccm_free(&ctx); 757 BLOCK_CIPHER_PSA_DONE(); 758} 759/* END_CASE */ 760 761/* Provide incomplete plaintext/ciphertext and finish */ 762/* BEGIN_CASE */ 763void mbedtls_ccm_incomplete_update(int cipher_id, int mode, 764 data_t *key, data_t *msg, data_t *iv, 765 data_t *add) 766{ 767 mbedtls_ccm_context ctx; 768 uint8_t *output = NULL; 769 size_t olen; 770 771 BLOCK_CIPHER_PSA_INIT(); 772 mbedtls_ccm_init(&ctx); 773 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 774 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 775 // use hardcoded value for tag length. It is not a part of this test 776 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, msg->len, 16)); 777 778 TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len)); 779 780 TEST_CALLOC(output, msg->len); 781 olen = 0xdeadbeef; 782 TEST_EQUAL(0, mbedtls_ccm_update(&ctx, msg->x, msg->len - 1, output, msg->len, &olen)); 783 mbedtls_free(output); 784 output = NULL; 785 786 TEST_CALLOC(output, 16); 787 TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish(&ctx, output, 16)); 788 789exit: 790 mbedtls_free(output); 791 mbedtls_ccm_free(&ctx); 792 BLOCK_CIPHER_PSA_DONE(); 793} 794/* END_CASE */ 795 796/* Provide full plaintext/ciphertext of first update 797 * Provide unexpected plaintext/ciphertext on second update */ 798/* BEGIN_CASE */ 799void mbedtls_ccm_full_update_and_overflow(int cipher_id, int mode, 800 data_t *key, data_t *msg, data_t *iv, 801 data_t *add) 802{ 803 mbedtls_ccm_context ctx; 804 uint8_t *output = NULL; 805 size_t olen; 806 807 BLOCK_CIPHER_PSA_INIT(); 808 mbedtls_ccm_init(&ctx); 809 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 810 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 811 // use hardcoded value for tag length. It is a not a part of this test 812 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, msg->len, 16)); 813 814 TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len)); 815 816 TEST_CALLOC(output, msg->len); 817 // pass full text 818 TEST_EQUAL(0, mbedtls_ccm_update(&ctx, msg->x, msg->len, output, msg->len, &olen)); 819 // pass 1 extra byte 820 TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, \ 821 mbedtls_ccm_update(&ctx, msg->x, 1, output, 1, &olen)); 822exit: 823 mbedtls_free(output); 824 mbedtls_ccm_free(&ctx); 825 BLOCK_CIPHER_PSA_DONE(); 826} 827/* END_CASE */ 828 829/* Provide incomplete plaintext/ciphertext of first update 830 * Provide too much plaintext/ciphertext on second update */ 831/* BEGIN_CASE */ 832void mbedtls_ccm_incomplete_update_overflow(int cipher_id, int mode, 833 data_t *key, data_t *msg, data_t *iv, 834 data_t *add) 835{ 836 mbedtls_ccm_context ctx; 837 uint8_t *output = NULL; 838 size_t olen; 839 uint8_t msg_second_buffer[2]; 840 841 msg_second_buffer[0] = msg->x[msg->len - 1]; 842 msg_second_buffer[1] = 0xAB; // some magic value 843 844 BLOCK_CIPHER_PSA_INIT(); 845 mbedtls_ccm_init(&ctx); 846 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 847 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 848 // use hardcoded value for tag length. It is a not a part of this test 849 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, msg->len, 16)); 850 851 TEST_EQUAL(0, mbedtls_ccm_update_ad(&ctx, add->x, add->len)); 852 853 TEST_CALLOC(output, msg->len + 1); 854 // pass incomplete text 855 TEST_EQUAL(0, mbedtls_ccm_update(&ctx, msg->x, msg->len - 1, output, msg->len + 1, &olen)); 856 // pass 2 extra bytes (1 missing byte from previous incomplete pass, and 1 unexpected byte) 857 TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, \ 858 mbedtls_ccm_update(&ctx, msg_second_buffer, 2, output + msg->len - 1, 2, &olen)); 859exit: 860 mbedtls_free(output); 861 mbedtls_ccm_free(&ctx); 862 BLOCK_CIPHER_PSA_DONE(); 863} 864/* END_CASE */ 865 866/* Finish without passing any auth data or plaintext/ciphertext input */ 867/* BEGIN_CASE */ 868void mbedtls_ccm_instant_finish(int cipher_id, int mode, 869 data_t *key, data_t *iv) 870{ 871 mbedtls_ccm_context ctx; 872 uint8_t *output = NULL; 873 874 BLOCK_CIPHER_PSA_INIT(); 875 mbedtls_ccm_init(&ctx); 876 TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0); 877 TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len)); 878 // use hardcoded values for add length, msg length and tag length. 879 // They are not a part of this test 880 TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, 16, 16, 16)); 881 882 TEST_CALLOC(output, 16); 883 TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish(&ctx, output, 16)); 884 885exit: 886 mbedtls_free(output); 887 mbedtls_ccm_free(&ctx); 888 BLOCK_CIPHER_PSA_DONE(); 889} 890/* END_CASE */ 891