diff --git a/tests/api/test_aes.c b/tests/api/test_aes.c index 2eb35190be..b5f90a89cc 100644 --- a/tests/api/test_aes.c +++ b/tests/api/test_aes.c @@ -4400,6 +4400,70 @@ int test_wc_AesGcmStream_ReinitAfterFinal(void) return EXPECT_RESULT(); } /* END test_wc_AesGcmStream_ReinitAfterFinal */ +int test_wc_AesGcmStream_BadAuthTag(void) +{ + EXPECT_DECLS; +#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(HAVE_AES_DECRYPT) && \ + defined(WOLFSSL_AES_128) && defined(WOLFSSL_AESGCM_STREAM) + static const byte key[AES_128_KEY_SIZE] = { + 0xfe,0xff,0xe9,0x92, 0x86,0x65,0x73,0x1c, + 0x6d,0x6a,0x8f,0x94, 0x67,0x30,0x83,0x08 + }; + static const byte iv[GCM_NONCE_MID_SZ] = { + 0xca,0xfe,0xba,0xbe, 0xfa,0xce,0xdb,0xad, + 0xde,0xca,0xf8,0x88 + }; + static const byte aad[20] = { + 0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef, + 0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef, + 0xab,0xad,0xda,0xd2 + }; + static const byte plain[16] = { + 0xd9,0x31,0x32,0x25, 0xf8,0x84,0x06,0xe5, + 0xa5,0x59,0x09,0xc5, 0xaf,0xf5,0x26,0x9a + }; + Aes enc[1]; + Aes dec[1]; + byte ct[sizeof(plain)]; + byte pt[sizeof(plain)]; + byte tag[WC_AES_BLOCK_SIZE]; + byte bad_aad[sizeof(aad)]; + + XMEMSET(enc, 0, sizeof(Aes)); + XMEMSET(dec, 0, sizeof(Aes)); + XMEMSET(tag, 0, sizeof(tag)); + + ExpectIntEQ(wc_AesInit(enc, NULL, INVALID_DEVID), 0); + ExpectIntEQ(wc_AesGcmInit(enc, key, sizeof(key), iv, sizeof(iv)), 0); + ExpectIntEQ(wc_AesGcmEncryptUpdate(enc, ct, plain, sizeof(plain), + aad, sizeof(aad)), 0); + ExpectIntEQ(wc_AesGcmEncryptFinal(enc, tag, sizeof(tag)), 0); + wc_AesFree(enc); + + tag[0] ^= 0x01; + + ExpectIntEQ(wc_AesInit(dec, NULL, INVALID_DEVID), 0); + ExpectIntEQ(wc_AesGcmDecryptInit(dec, key, sizeof(key), iv, sizeof(iv)), 0); + ExpectIntEQ(wc_AesGcmDecryptUpdate(dec, pt, ct, sizeof(ct), + aad, sizeof(aad)), 0); + ExpectIntEQ(wc_AesGcmDecryptFinal(dec, tag, sizeof(tag)), + WC_NO_ERR_TRACE(AES_GCM_AUTH_E)); + wc_AesFree(dec); + + tag[0] ^= 0x01; + XMEMCPY(bad_aad, aad, sizeof(aad)); + bad_aad[0] ^= 0x01; + ExpectIntEQ(wc_AesInit(dec, NULL, INVALID_DEVID), 0); + ExpectIntEQ(wc_AesGcmDecryptInit(dec, key, sizeof(key), iv, sizeof(iv)), 0); + ExpectIntEQ(wc_AesGcmDecryptUpdate(dec, pt, ct, sizeof(ct), + bad_aad, sizeof(bad_aad)), 0); + ExpectIntEQ(wc_AesGcmDecryptFinal(dec, tag, sizeof(tag)), + WC_NO_ERR_TRACE(AES_GCM_AUTH_E)); + wc_AesFree(dec); +#endif + return EXPECT_RESULT(); +} + /******************************************************************************* * GMAC ******************************************************************************/ diff --git a/tests/api/test_aes.h b/tests/api/test_aes.h index 133170ff17..73e4b715ac 100644 --- a/tests/api/test_aes.h +++ b/tests/api/test_aes.h @@ -54,6 +54,7 @@ int test_wc_AesGcmNonStdNonce(void); int test_wc_AesGcmStream(void); int test_wc_AesGcmStream_MidStreamState(void); int test_wc_AesGcmStream_ReinitAfterFinal(void); +int test_wc_AesGcmStream_BadAuthTag(void); int test_wc_AesCcmSetKey(void); int test_wc_AesCcmEncryptDecrypt(void); int test_wc_AesCcmEncryptDecrypt_InPlace(void); @@ -151,6 +152,7 @@ int test_wc_CryptoCb_Tls13_Key_No_Zero_Without_Offload(void); TEST_DECL_GROUP("aes", test_wc_AesGcmStream), \ TEST_DECL_GROUP("aes", test_wc_AesGcmStream_MidStreamState), \ TEST_DECL_GROUP("aes", test_wc_AesGcmStream_ReinitAfterFinal), \ + TEST_DECL_GROUP("aes", test_wc_AesGcmStream_BadAuthTag), \ TEST_DECL_GROUP("aes", test_wc_AesCcmSetKey), \ TEST_DECL_GROUP("aes", test_wc_AesCcmEncryptDecrypt), \ TEST_DECL_GROUP("aes", test_wc_AesCcmEncryptDecrypt_InPlace), \ diff --git a/tests/api/test_chacha20_poly1305.c b/tests/api/test_chacha20_poly1305.c index 9a8ad4032b..6f90c71712 100644 --- a/tests/api/test_chacha20_poly1305.c +++ b/tests/api/test_chacha20_poly1305.c @@ -284,6 +284,66 @@ int test_wc_XChaCha20Poly1305_aead(void) return EXPECT_RESULT(); } /* END test_wc_XChaCha20Poly1305_aead */ +int test_wc_XChaCha20Poly1305_BadAuthTag(void) +{ + EXPECT_DECLS; +#if defined(HAVE_POLY1305) && defined(HAVE_XCHACHA) + const byte key[32] = { + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, + 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, + 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, + 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f + }; + const byte nonce[24] = { + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, + 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57 + }; + const byte plaintext[] = { + 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61, + 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x73 + }; + const byte aad[] = { + 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3 + }; + byte ct[sizeof(plaintext) + 16]; + byte pt[sizeof(plaintext)]; + byte ct_bad[sizeof(ct)]; + byte aad_bad[sizeof(aad)]; + + XMEMSET(ct, 0, sizeof(ct)); + + ExpectIntEQ(wc_XChaCha20Poly1305_Encrypt(ct, sizeof(ct), + plaintext, sizeof(plaintext), aad, sizeof(aad), + nonce, sizeof(nonce), key, sizeof(key)), 0); + + ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct, sizeof(ct), + aad, sizeof(aad), nonce, sizeof(nonce), key, sizeof(key)), 0); + + XMEMCPY(ct_bad, ct, sizeof(ct)); + ct_bad[sizeof(ct) - 1] ^= 0x01; + ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct_bad, + sizeof(ct_bad), aad, sizeof(aad), nonce, sizeof(nonce), + key, sizeof(key)), + WC_NO_ERR_TRACE(MAC_CMP_FAILED_E)); + + XMEMCPY(ct_bad, ct, sizeof(ct)); + ct_bad[0] ^= 0x01; + ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct_bad, + sizeof(ct_bad), aad, sizeof(aad), nonce, sizeof(nonce), + key, sizeof(key)), + WC_NO_ERR_TRACE(MAC_CMP_FAILED_E)); + + XMEMCPY(aad_bad, aad, sizeof(aad)); + aad_bad[0] ^= 0x01; + ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct, sizeof(ct), + aad_bad, sizeof(aad_bad), nonce, sizeof(nonce), + key, sizeof(key)), + WC_NO_ERR_TRACE(MAC_CMP_FAILED_E)); +#endif + return EXPECT_RESULT(); +} + #include #define MC_CIPHER_TEST_COUNT 100 diff --git a/tests/api/test_chacha20_poly1305.h b/tests/api/test_chacha20_poly1305.h index 398d1d939c..22d3cc6af3 100644 --- a/tests/api/test_chacha20_poly1305.h +++ b/tests/api/test_chacha20_poly1305.h @@ -26,6 +26,7 @@ int test_wc_ChaCha20Poly1305_aead(void); int test_wc_XChaCha20Poly1305_aead(void); +int test_wc_XChaCha20Poly1305_BadAuthTag(void); int test_wc_ChaCha20Poly1305_MonteCarlo(void); int test_wc_ChaCha20Poly1305_Stream(void); int test_wc_ChaCha20Poly1305_AeadEdgeCases(void); @@ -38,6 +39,7 @@ int test_wc_ChaCha20Poly1305_CrossCipher(void); #define TEST_CHACHA20_POLY1305_DECLS \ TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_aead), \ TEST_DECL_GROUP("xchacha20-poly1305", test_wc_XChaCha20Poly1305_aead), \ + TEST_DECL_GROUP("xchacha20-poly1305", test_wc_XChaCha20Poly1305_BadAuthTag), \ TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_MonteCarlo), \ TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_Stream), \ TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_AeadEdgeCases), \