Files
wolfssl/tests/api/test_aes.c
T
Sean Parkinson 59a17dd598 Unit testing: Add Monte Carlo testing to ciphers
Monte Carlo testing is randomized test data.
These new tests have random keys, IVs, nonce, etc and random data to
encrypt.
100 sets of random test data are encrypted and decrypted with a check to
ensure the input to encrypt is the same as the output of decrypt.
Tags are generated and checked in the calls to encrypt and decrypt.
2026-04-14 13:25:15 +10:00

6754 lines
251 KiB
C

/* test_aes.c
*
* Copyright (C) 2006-2026 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#include <tests/unit.h>
#ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h>
#else
#define WOLFSSL_MISC_INCLUDED
#include <wolfcrypt/src/misc.c>
#endif
#include <wolfssl/wolfcrypt/aes.h>
#include <wolfssl/wolfcrypt/wc_encrypt.h>
#include <wolfssl/wolfcrypt/types.h>
#include <tests/api/api.h>
#include <tests/api/test_aes.h>
/*******************************************************************************
* AES
******************************************************************************/
#ifndef NO_AES
static int test_wc_AesSetKey_BadArgs(Aes* aes, byte* key, word32 keyLen,
byte* iv)
{
EXPECT_DECLS;
ExpectIntEQ(wc_AesSetKey(NULL, NULL, keyLen, iv, AES_ENCRYPTION),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesSetKey(NULL, key , keyLen, iv, AES_ENCRYPTION),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesSetKey(aes , key , 48 , iv, AES_ENCRYPTION),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
return EXPECT_RESULT();
}
static int test_wc_AesSetKey_WithKey(Aes* aes, byte* key, word32 keyLen,
byte* iv, int ret)
{
EXPECT_DECLS;
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), ret);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), ret);
return EXPECT_RESULT();
}
#endif
/*
* Testing function for wc_AesSetKey().
*/
int test_wc_AesSetKey(void)
{
EXPECT_DECLS;
#ifndef NO_AES
Aes aes;
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
};
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte badKey16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
};
byte iv[] = "1234567890abcdef";
byte* key;
word32 keyLen;
#if defined(WOLFSSL_AES_128)
key = key16;
keyLen = (word32)sizeof(key16) / sizeof(byte);
#elif defined(WOLFSSL_AES_192)
key = key24;
keyLen = (word32)sizeof(key24) / sizeof(byte);
#else
key = key32;
keyLen = (word32)sizeof(key32) / sizeof(byte);
#endif
XMEMSET(&aes, 0, sizeof(Aes));
ExpectIntEQ(wc_AesInit(NULL, NULL, INVALID_DEVID),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
EXPECT_TEST(test_wc_AesSetKey_BadArgs(&aes, key, keyLen, iv));
#ifdef WOLFSSL_AES_128
EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key16,
(word32)sizeof(key16) / sizeof(byte), iv, 0));
#else
EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key16,
(word32)sizeof(key16) / sizeof(byte), iv, BAD_FUNC_ARG));
#endif
#ifdef WOLFSSL_AES_192
EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key24,
(word32)sizeof(key24) / sizeof(byte), iv, 0));
#else
EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key24,
(word32)sizeof(key24) / sizeof(byte), iv, BAD_FUNC_ARG));
#endif
#ifdef WOLFSSL_AES_256
EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key32,
(word32)sizeof(key32) / sizeof(byte), iv, 0));
#else
EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key32,
(word32)sizeof(key32) / sizeof(byte), iv, BAD_FUNC_ARG));
#endif
ExpectIntEQ(wc_AesSetKey(&aes, badKey16,
(word32)sizeof(badKey16) / sizeof(byte), iv, AES_ENCRYPTION),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
wc_AesFree(&aes);
#endif
return EXPECT_RESULT();
} /* END test_wc_AesSetKey */
/*
* Testing function for wc_AesSetIV
*/
int test_wc_AesSetIV(void)
{
EXPECT_DECLS;
#if !defined(NO_AES)
Aes aes;
#if defined(WOLFSSL_AES_128)
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
#endif
byte iv1[] = "1234567890abcdef";
byte iv2[] = "0987654321fedcba";
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
#if defined(WOLFSSL_AES_128)
ExpectIntEQ(wc_AesSetKey(&aes, key16, (word32) sizeof(key16) / sizeof(byte),
iv1, AES_ENCRYPTION), 0);
#endif
ExpectIntEQ(wc_AesSetIV(&aes, iv2), 0);
ExpectIntEQ(wc_AesSetIV(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesSetIV(NULL, iv1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesSetIV(&aes, NULL), 0);
wc_AesFree(&aes);
#endif
return EXPECT_RESULT();
} /* test_wc_AesSetIV */
/*******************************************************************************
* AES Direct
******************************************************************************/
#if !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) && \
(!defined(HAVE_FIPS) || !defined(HAVE_FIPS_VERSION) || \
(HAVE_FIPS_VERSION > 6)) && !defined(HAVE_SELFTEST)
static int test_wc_AesEncryptDecryptDirect_WithKey(Aes* aes, byte* key,
word32 keyLen, byte* expected)
{
EXPECT_DECLS;
byte plain[WC_AES_BLOCK_SIZE];
byte cipher[WC_AES_BLOCK_SIZE];
#ifdef HAVE_AES_DECRYPT
byte decrypted[WC_AES_BLOCK_SIZE];
#endif
XMEMSET(plain, 0, WC_AES_BLOCK_SIZE);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesEncryptDirect(NULL, NULL, NULL),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEncryptDirect(aes, cipher, plain), 0);
ExpectBufEQ(cipher, expected, WC_AES_BLOCK_SIZE);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesDecryptDirect(NULL, NULL, NULL),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesDecryptDirect(aes, decrypted, cipher), 0);
ExpectBufEQ(decrypted, plain, WC_AES_BLOCK_SIZE);
#endif
return EXPECT_RESULT();
}
#endif
int test_wc_AesEncryptDecryptDirect(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) && \
(!defined(HAVE_FIPS) || !defined(HAVE_FIPS_VERSION) || \
(HAVE_FIPS_VERSION > 6)) && !defined(HAVE_SELFTEST)
Aes aes;
#if defined(WOLFSSL_AES_128)
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected16[WC_AES_BLOCK_SIZE] = {
0x0b, 0x9b, 0x15, 0xda, 0x4b, 0x44, 0xa0, 0xf5,
0x15, 0x1d, 0xcf, 0xc4, 0xc0, 0x1f, 0x35, 0xd5,
};
#endif
#if defined(WOLFSSL_AES_192)
byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected24[WC_AES_BLOCK_SIZE] = {
0xbe, 0x55, 0x02, 0x05, 0xfc, 0x91, 0xe8, 0x9c,
0x9b, 0x9c, 0xc4, 0x70, 0x93, 0xb9, 0x0a, 0x08,
};
#endif
#if defined(WOLFSSL_AES_256)
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected32[WC_AES_BLOCK_SIZE] = {
0x7d, 0xbd, 0x88, 0x27, 0x2f, 0xb2, 0x59, 0x37,
0x69, 0x2a, 0x3b, 0x81, 0x00, 0x47, 0x41, 0x75,
};
#endif
XMEMSET(&aes, 0, sizeof(Aes));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
#ifdef WOLFSSL_AES_128
EXPECT_TEST(test_wc_AesEncryptDecryptDirect_WithKey(&aes, key16,
(word32)sizeof(key16) / sizeof(byte), expected16));
#endif
#ifdef WOLFSSL_AES_192
EXPECT_TEST(test_wc_AesEncryptDecryptDirect_WithKey(&aes, key24,
(word32)sizeof(key24) / sizeof(byte), expected24));
#endif
#ifdef WOLFSSL_AES_256
EXPECT_TEST(test_wc_AesEncryptDecryptDirect_WithKey(&aes, key32,
(word32)sizeof(key32) / sizeof(byte), expected32));
#endif
wc_AesFree(&aes);
#endif
return EXPECT_RESULT();
}
/*******************************************************************************
* AES-ECB
******************************************************************************/
#if !defined(NO_AES) && defined(HAVE_AES_ECB)
/* Assembly code doing 8 iterations at a time. */
#define ECB_LEN (15 * WC_AES_BLOCK_SIZE)
static int test_wc_AesEcbEncryptDecrypt_BadArgs(Aes* aes, byte* key,
word32 keyLen)
{
EXPECT_DECLS;
byte plain[WC_AES_BLOCK_SIZE];
byte cipher[WC_AES_BLOCK_SIZE];
byte decrypted[WC_AES_BLOCK_SIZE];
XMEMSET(plain, 0, WC_AES_BLOCK_SIZE);
XMEMSET(cipher, 0, WC_AES_BLOCK_SIZE);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesEcbEncrypt(NULL, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbEncrypt(aes, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbEncrypt(NULL, cipher, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbEncrypt(NULL, NULL, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbEncrypt(aes, NULL, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbEncrypt(NULL, cipher, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesEcbDecrypt(NULL, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbDecrypt(aes, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbDecrypt(NULL, decrypted, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbDecrypt(NULL, NULL, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbDecrypt(aes, decrypted, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbDecrypt(aes, NULL, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEcbDecrypt(NULL, decrypted, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
return EXPECT_RESULT();
}
static int test_wc_AesEcbEncryptDecrypt_WithKey(Aes* aes, byte* key,
word32 keyLen, byte* expected)
{
EXPECT_DECLS;
WC_DECLARE_VAR(plain, byte, ECB_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, ECB_LEN, NULL);
WC_DECLARE_VAR(decrypted, byte, ECB_LEN, NULL);
WC_ALLOC_VAR(plain, byte, ECB_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, ECB_LEN, NULL);
WC_ALLOC_VAR(decrypted, byte, ECB_LEN, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
ExpectNotNull(decrypted);
#endif
XMEMSET(plain, 0, ECB_LEN);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher, plain, WC_AES_BLOCK_SIZE), 0);
ExpectBufEQ(cipher, expected, WC_AES_BLOCK_SIZE);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesEcbDecrypt(aes, decrypted, cipher, WC_AES_BLOCK_SIZE),
0);
ExpectBufEQ(decrypted, plain, WC_AES_BLOCK_SIZE);
#endif
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher, plain, 32), 0);
ExpectBufEQ(cipher + WC_AES_BLOCK_SIZE, cipher, WC_AES_BLOCK_SIZE);
ExpectBufEQ(cipher, expected, WC_AES_BLOCK_SIZE);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesEcbDecrypt(aes, decrypted, cipher, 32), 0);
ExpectBufEQ(decrypted, plain, 32);
#endif
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
WC_FREE_VAR(decrypted, NULL);
return EXPECT_RESULT();
}
static int test_wc_AesEcbEncryptDecrypt_MultiBlocks(Aes* aes, byte* key,
word32 keyLen, byte* expected)
{
EXPECT_DECLS;
int sz;
int cnt;
WC_DECLARE_VAR(plain, byte, ECB_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, ECB_LEN, NULL);
WC_DECLARE_VAR(decrypted, byte, ECB_LEN, NULL);
WC_ALLOC_VAR(plain, byte, ECB_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, ECB_LEN, NULL);
WC_ALLOC_VAR(decrypted, byte, ECB_LEN, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
ExpectNotNull(decrypted);
#endif
XMEMSET(plain, 0, ECB_LEN);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
/* Test multiple blocks. */
for (sz = WC_AES_BLOCK_SIZE; sz <= ECB_LEN; sz += WC_AES_BLOCK_SIZE) {
XMEMSET(cipher, 0x00, ECB_LEN);
for (cnt = 0; cnt + sz <= ECB_LEN; cnt += sz) {
ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher + cnt, plain + cnt, sz),
0);
}
if (cnt < ECB_LEN) {
ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher + cnt, plain + cnt,
ECB_LEN - cnt), 0);
}
for (cnt = 0; cnt < ECB_LEN; cnt += WC_AES_BLOCK_SIZE) {
ExpectBufEQ(cipher + cnt, expected, WC_AES_BLOCK_SIZE);
}
}
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
for (sz = WC_AES_BLOCK_SIZE; sz <= ECB_LEN; sz += WC_AES_BLOCK_SIZE) {
XMEMSET(decrypted, 0xff, ECB_LEN);
for (cnt = 0; cnt + sz <= ECB_LEN; cnt += sz) {
ExpectIntEQ(wc_AesEcbDecrypt(aes, decrypted + cnt, cipher + cnt,
sz), 0);
}
if (cnt < ECB_LEN) {
ExpectIntEQ(wc_AesEcbDecrypt(aes, decrypted + cnt, cipher + cnt,
ECB_LEN - cnt), 0);
}
for (cnt = 0; cnt < ECB_LEN; cnt += WC_AES_BLOCK_SIZE) {
ExpectBufEQ(decrypted + cnt, plain, WC_AES_BLOCK_SIZE);
}
}
#endif
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
WC_FREE_VAR(decrypted, NULL);
return EXPECT_RESULT();
}
static int test_wc_AesEcbEncryptDecrypt_SameBuffer(Aes* aes, byte* key,
word32 keyLen, byte* expected)
{
EXPECT_DECLS;
int cnt;
WC_DECLARE_VAR(plain, byte, ECB_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, ECB_LEN, NULL);
WC_ALLOC_VAR(plain, byte, ECB_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, ECB_LEN, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
#endif
XMEMSET(plain, 0, ECB_LEN);
/* Testing using same buffer for input and output. */
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
XMEMCPY(cipher, plain, ECB_LEN);
ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher, cipher, ECB_LEN), 0);
for (cnt = 0; cnt < ECB_LEN; cnt += WC_AES_BLOCK_SIZE) {
ExpectBufEQ(cipher + cnt, expected, WC_AES_BLOCK_SIZE);
}
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen,
NULL, AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesEcbDecrypt(aes, cipher, cipher, ECB_LEN), 0);
for (cnt = 0; cnt < ECB_LEN; cnt += WC_AES_BLOCK_SIZE) {
ExpectBufEQ(cipher + cnt, plain, WC_AES_BLOCK_SIZE);
}
#endif
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
return EXPECT_RESULT();
}
#endif
int test_wc_AesEcbEncryptDecrypt(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AES_ECB)
Aes aes;
#if defined(WOLFSSL_AES_128)
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected16[WC_AES_BLOCK_SIZE] = {
0x0b, 0x9b, 0x15, 0xda, 0x4b, 0x44, 0xa0, 0xf5,
0x15, 0x1d, 0xcf, 0xc4, 0xc0, 0x1f, 0x35, 0xd5,
};
#endif
#if defined(WOLFSSL_AES_192)
byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected24[WC_AES_BLOCK_SIZE] = {
0xbe, 0x55, 0x02, 0x05, 0xfc, 0x91, 0xe8, 0x9c,
0x9b, 0x9c, 0xc4, 0x70, 0x93, 0xb9, 0x0a, 0x08,
};
#endif
#if defined(WOLFSSL_AES_256)
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected32[WC_AES_BLOCK_SIZE] = {
0x7d, 0xbd, 0x88, 0x27, 0x2f, 0xb2, 0x59, 0x37,
0x69, 0x2a, 0x3b, 0x81, 0x00, 0x47, 0x41, 0x75,
};
#endif
byte* key;
word32 keyLen;
byte* expected;
#if defined(WOLFSSL_AES_128)
key = key16;
keyLen = (word32)sizeof(key16) / sizeof(byte);
expected = expected16;
#elif defined(WOLFSSL_AES_192)
key = key24;
keyLen = (word32)sizeof(key24) / sizeof(byte);
expected = expected24;
#else
key = key32;
keyLen = (word32)sizeof(key32) / sizeof(byte);
expected = expected32;
#endif
XMEMSET(&aes, 0, sizeof(Aes));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_BadArgs(&aes, key, keyLen));
#if defined(WOLFSSL_AES_128)
EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_WithKey(&aes, key16,
(word32)sizeof(key16) / sizeof(byte), expected16));
#endif
#if defined(WOLFSSL_AES_192)
EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_WithKey(&aes, key24,
(word32)sizeof(key24) / sizeof(byte), expected24));
#endif
#if defined(WOLFSSL_AES_256)
EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_WithKey(&aes, key32,
(word32)sizeof(key32) / sizeof(byte), expected32));
#endif
EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_MultiBlocks(&aes, key, keyLen,
expected));
EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_SameBuffer(&aes, key, keyLen,
expected));
wc_AesFree(&aes);
#endif
return EXPECT_RESULT();
}
/*******************************************************************************
* AES-CBC
******************************************************************************/
#if !defined(NO_AES) && defined(HAVE_AES_CBC)
/* Assembly code doing 8 iterations at a time. */
#define CBC_LEN (9 * WC_AES_BLOCK_SIZE)
static int test_wc_AesCbcEncryptDecrypt_BadArgs(Aes* aes, byte* key,
word32 keyLen, byte* iv)
{
EXPECT_DECLS;
byte plain[WC_AES_BLOCK_SIZE];
byte cipher[WC_AES_BLOCK_SIZE];
byte decrypted[WC_AES_BLOCK_SIZE];
XMEMSET(plain, 0, WC_AES_BLOCK_SIZE);
XMEMSET(cipher, 0, WC_AES_BLOCK_SIZE);
XMEMSET(decrypted, 0, WC_AES_BLOCK_SIZE);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesCbcEncrypt(NULL, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcEncrypt(aes, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcEncrypt(NULL, cipher, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcEncrypt(NULL, NULL, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcEncrypt(aes, NULL, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcEncrypt(NULL, cipher, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesCbcDecrypt(NULL, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecrypt(aes, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecrypt(NULL, decrypted, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecrypt(NULL, NULL, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecrypt(aes, NULL, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecrypt(NULL, decrypted, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecryptWithKey(NULL, NULL, 0, NULL, keyLen, NULL),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecryptWithKey(decrypted, NULL, 0, NULL, keyLen, NULL),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecryptWithKey(NULL, cipher, 0, NULL, keyLen, NULL),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecryptWithKey(NULL, NULL, 0, key, keyLen, NULL),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecryptWithKey(NULL, NULL, 0, NULL, keyLen, iv),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecryptWithKey(decrypted, cipher,
WC_AES_BLOCK_SIZE * 2, key, keyLen, NULL),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecryptWithKey(decrypted, cipher,
WC_AES_BLOCK_SIZE * 2, NULL, keyLen, iv),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecryptWithKey(decrypted, NULL,
WC_AES_BLOCK_SIZE * 2, key, keyLen, iv),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCbcDecryptWithKey(NULL, cipher,
WC_AES_BLOCK_SIZE * 2, key, keyLen, iv),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
return EXPECT_RESULT();
}
static int test_wc_AesCbcEncryptDecrypt_WithKey(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* vector, byte* vector_enc, word32 vector_len)
{
EXPECT_DECLS;
byte plain[WC_AES_BLOCK_SIZE * 2];
byte cipher[WC_AES_BLOCK_SIZE * 2];
byte decrypted[WC_AES_BLOCK_SIZE * 2];
XMEMSET(plain, 0, WC_AES_BLOCK_SIZE * 2);
XMEMSET(cipher, 0, WC_AES_BLOCK_SIZE * 2);
XMEMSET(decrypted, 0, WC_AES_BLOCK_SIZE * 2);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
(HAVE_FIPS_VERSION == 2) && defined(WOLFSSL_AESNI)
fprintf(stderr, "Zero length inputs not supported with AESNI in FIPS "
"mode (v2), skip test");
#else
/* Test passing in size of 0 */
XMEMSET(cipher, 0x00, WC_AES_BLOCK_SIZE * 2);
ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, vector, 0), 0);
/* Check enc was not modified */
{
int i;
for (i = 0; i < (int)WC_AES_BLOCK_SIZE * 2; i++)
ExpectIntEQ(cipher[i], 0x00);
}
#endif
ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, vector, vector_len),
0);
ExpectBufEQ(cipher, vector_enc, vector_len);
#ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS
ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, vector, vector_len - 1),
WC_NO_ERR_TRACE(BAD_LENGTH_E));
#endif
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, cipher,
WC_AES_BLOCK_SIZE * 2), 0);
ExpectBufEQ(decrypted, vector, vector_len);
#ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS
ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, cipher,
WC_AES_BLOCK_SIZE * 2 - 1), WC_NO_ERR_TRACE(BAD_LENGTH_E));
#else
ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, cipher,
WC_AES_BLOCK_SIZE * 2 - 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
ExpectIntEQ(wc_AesCbcDecryptWithKey(decrypted, cipher,
WC_AES_BLOCK_SIZE * 2, key, keyLen, iv), 0);
ExpectBufEQ(decrypted, vector, vector_len);
/* Test passing in size of 0 */
XMEMSET(decrypted, 0, WC_AES_BLOCK_SIZE * 2);
ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, cipher, 0), 0);
/* Check dec was not modified */
{
int i;
for (i = 0; i < (int)WC_AES_BLOCK_SIZE * 2; i++)
ExpectIntEQ(decrypted[i], 0);
}
#endif
return EXPECT_RESULT();
}
static int test_wc_AesCbcEncryptDecrypt_MultiBlocks(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* expected)
{
EXPECT_DECLS;
#ifdef WOLFSSL_KCAPI
(void)aes;
(void)key;
(void)keyLen;
(void)iv;
(void)expected;
#else /* !WOLFSSL_KCAPI */
int sz;
int cnt;
WC_DECLARE_VAR(plain, byte, CBC_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, CBC_LEN, NULL);
WC_DECLARE_VAR(decrypted, byte, CBC_LEN, NULL);
WC_ALLOC_VAR(plain, byte, CBC_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, CBC_LEN, NULL);
WC_ALLOC_VAR(decrypted, byte, CBC_LEN, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
ExpectNotNull(decrypted);
#endif
XMEMSET(plain, 0, CBC_LEN);
XMEMSET(cipher, 0, CBC_LEN);
XMEMSET(decrypted, 0, CBC_LEN);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
/* Test multiple blocks. */
for (sz = WC_AES_BLOCK_SIZE; sz <= CBC_LEN; sz += WC_AES_BLOCK_SIZE) {
XMEMSET(cipher, 0x00, CBC_LEN);
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
for (cnt = 0; cnt + sz <= CBC_LEN; cnt += sz) {
ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher + cnt, plain + cnt, sz),
0);
}
if (cnt < CBC_LEN) {
ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher + cnt, plain + cnt,
CBC_LEN - cnt), 0);
}
ExpectBufEQ(cipher, expected, CBC_LEN);
}
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
for (sz = WC_AES_BLOCK_SIZE; sz <= CBC_LEN; sz += WC_AES_BLOCK_SIZE) {
XMEMSET(decrypted, 0xff, CBC_LEN);
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
for (cnt = 0; cnt + sz <= CBC_LEN; cnt += sz) {
ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted + cnt, cipher + cnt,
sz), 0);
}
if (cnt < CBC_LEN) {
ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted + cnt, cipher + cnt,
CBC_LEN - cnt), 0);
}
ExpectBufEQ(decrypted, plain, CBC_LEN);
}
#endif
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
WC_FREE_VAR(decrypted, NULL);
#endif /* !WOLFSSL_KCAPI */
return EXPECT_RESULT();
}
static int test_wc_AesCbcEncryptDecrypt_SameBuffer(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* expected)
{
EXPECT_DECLS;
WC_DECLARE_VAR(plain, byte, CBC_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, CBC_LEN, NULL);
WC_ALLOC_VAR(plain, byte, CBC_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, CBC_LEN, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
#endif
XMEMSET(plain, 0, CBC_LEN);
/* Testing using same buffer for input and output. */
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
XMEMCPY(cipher, plain, CBC_LEN);
ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, cipher, CBC_LEN), 0);
ExpectBufEQ(cipher, expected, CBC_LEN);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesCbcDecrypt(aes, cipher, cipher, CBC_LEN), 0);
ExpectBufEQ(cipher, plain, CBC_LEN);
#endif
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
return EXPECT_RESULT();
}
#endif
/*
* test function for wc_AesCbcEncrypt(), wc_AesCbcDecrypt(),
* and wc_AesCbcDecryptWithKey()
*/
int test_wc_AesCbcEncryptDecrypt(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AES_CBC)
Aes aes;
byte vector[] = { /* Now is the time for all good men w/o trailing 0 */
0x4e, 0x6f, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74,
0x68, 0x65, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20,
0x66, 0x6f, 0x72, 0x20, 0x61, 0x6c, 0x6c, 0x20,
0x67, 0x6f, 0x6f, 0x64, 0x20, 0x6d, 0x65, 0x6e
};
#if defined(WOLFSSL_AES_128)
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte vector_enc16[] = {
0x26, 0x5b, 0x55, 0xf1, 0xcc, 0x77, 0xc0, 0x9a,
0x60, 0x77, 0x99, 0x1d, 0x52, 0xf1, 0xc0, 0x3a,
0x0f, 0x16, 0xae, 0x62, 0xf1, 0x71, 0xf5, 0x95,
0xb6, 0x74, 0x98, 0x2a, 0x6b, 0x7c, 0x7c, 0x39
};
#endif
#if defined(WOLFSSL_AES_192)
byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte vector_enc24[] = {
0xdb, 0x96, 0xfa, 0x55, 0x90, 0x1e, 0x0c, 0x4f,
0xe4, 0x0f, 0xde, 0x16, 0x33, 0x44, 0xca, 0xa5,
0xe6, 0xa8, 0xbd, 0xd4, 0x88, 0xe5, 0x2f, 0x88,
0xfd, 0x61, 0x0f, 0x88, 0x6d, 0xf1, 0xf6, 0xa5
};
#endif
#if defined(WOLFSSL_AES_256)
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte vector_enc32[] = {
0xd7, 0xd6, 0x04, 0x5b, 0x4d, 0xc4, 0x90, 0xdf,
0x4a, 0x82, 0xed, 0x61, 0x26, 0x4e, 0x23, 0xb3,
0xe4, 0xb5, 0x85, 0x30, 0x29, 0x4c, 0x9d, 0xcf,
0x73, 0xc9, 0x46, 0xd1, 0xaa, 0xc8, 0xcb, 0x62,
};
#endif
#ifdef WOLFSSL_AES_128
byte expected16[CBC_LEN] = {
0x46, 0x1a, 0x5f, 0xfd, 0x9d, 0xf7, 0x91, 0x71,
0x35, 0x8e, 0x9e, 0x01, 0x77, 0xd8, 0x4e, 0xaa,
0x34, 0x28, 0xba, 0x95, 0x76, 0xa5, 0x60, 0xeb,
0xbf, 0x6e, 0x89, 0xf5, 0x9a, 0x03, 0x7a, 0x7e,
0x07, 0xc5, 0xec, 0x60, 0xe1, 0x9b, 0x7a, 0x35,
0x9c, 0x29, 0x74, 0x6c, 0x2b, 0x1c, 0xff, 0x1b,
0xa0, 0xd5, 0xf3, 0x5b, 0x23, 0x86, 0x31, 0xbe,
0x1a, 0x20, 0x2c, 0x57, 0xf4, 0x9e, 0x81, 0x67,
0xb8, 0xf2, 0x60, 0x28, 0x36, 0x50, 0x6c, 0x06,
0x69, 0xa8, 0xec, 0x36, 0x46, 0x2a, 0xc9, 0x12,
0x54, 0xc8, 0xeb, 0x73, 0x8d, 0xe8, 0x0f, 0x0c,
0xd6, 0x53, 0x8b, 0xd2, 0x24, 0xdb, 0x08, 0xf7,
0x1e, 0x2e, 0x34, 0x8d, 0x27, 0x6d, 0x77, 0x8f,
0x00, 0xa5, 0x8e, 0xc3, 0x0d, 0x07, 0x61, 0xd4,
0xe0, 0x54, 0x9b, 0xfe, 0x71, 0x4f, 0x25, 0x75,
0x9f, 0x7a, 0x2c, 0xa4, 0x0e, 0x47, 0x1f, 0xef,
0x85, 0x19, 0x36, 0x65, 0x3b, 0x28, 0x20, 0x3a,
0xf9, 0x7f, 0x13, 0xe8, 0x24, 0xd7, 0x64, 0x27,
};
#elif defined(WOLFSSL_AES_192)
byte expected24[CBC_LEN] = {
0x7b, 0xde, 0x53, 0xac, 0x88, 0x24, 0xe6, 0xde,
0x68, 0xd4, 0x64, 0x18, 0x20, 0x96, 0x62, 0x68,
0xd0, 0x04, 0x81, 0x50, 0x73, 0xe7, 0x6d, 0x8e,
0x14, 0x44, 0x87, 0xad, 0x6d, 0x44, 0xf9, 0xc3,
0xe9, 0x82, 0x2e, 0x2d, 0x17, 0x16, 0x43, 0xa6,
0x29, 0xe3, 0x9d, 0x7f, 0x84, 0x2e, 0x9a, 0x14,
0x69, 0xe9, 0x7b, 0x38, 0xfd, 0xec, 0x71, 0x4a,
0xf7, 0x0f, 0xbf, 0x6e, 0x4d, 0x46, 0x7e, 0xad,
0x83, 0xcb, 0xfa, 0x20, 0x25, 0xf8, 0x13, 0xc6,
0x75, 0xdd, 0x12, 0x1f, 0xed, 0xfa, 0x3a, 0x1c,
0x01, 0x68, 0x02, 0x12, 0x69, 0x4c, 0xe7, 0x00,
0xf1, 0x9c, 0x40, 0xed, 0x7d, 0x64, 0x16, 0x1c,
0x63, 0x07, 0x87, 0x37, 0xb3, 0x5b, 0x59, 0x97,
0xc9, 0xe4, 0x86, 0xfd, 0xd2, 0xae, 0x5b, 0x59,
0x5a, 0xe9, 0xf5, 0x0b, 0xa0, 0x87, 0xf4, 0xb5,
0x65, 0x9c, 0x98, 0x0f, 0xbf, 0x11, 0xa4, 0x7d,
0x06, 0x80, 0xb5, 0x27, 0x9c, 0xd5, 0x09, 0x7a,
0xa1, 0x42, 0xbd, 0x87, 0x6b, 0x85, 0x2f, 0x6e,
};
#else
byte expected32[CBC_LEN] = {
0x18, 0x5a, 0x48, 0xfd, 0xb7, 0xd5, 0x35, 0xf3,
0x3f, 0xb9, 0x14, 0x16, 0xf3, 0x05, 0xf3, 0x71,
0xea, 0x4e, 0x22, 0xcd, 0x15, 0x3a, 0xcc, 0xba,
0x3f, 0x5b, 0x85, 0x15, 0xdf, 0x07, 0xf6, 0xa4,
0xf4, 0x41, 0xe7, 0x08, 0x30, 0x9b, 0x09, 0x2d,
0xd4, 0x3e, 0x68, 0xea, 0x45, 0x3d, 0x3a, 0xe3,
0x7c, 0x68, 0x00, 0xda, 0xeb, 0x87, 0xd7, 0x11,
0x2a, 0x0b, 0x7c, 0x48, 0xe5, 0xef, 0xae, 0x6d,
0x61, 0x04, 0xa4, 0x16, 0xc7, 0xb6, 0x0f, 0xab,
0x24, 0x0c, 0x74, 0x0b, 0x4f, 0xfe, 0xfd, 0xd1,
0x38, 0xae, 0x92, 0x18, 0x57, 0xdd, 0x20, 0x90,
0x74, 0x0a, 0xdf, 0x7b, 0x06, 0x2d, 0x8a, 0xe8,
0x43, 0x77, 0x0d, 0x18, 0x25, 0x8b, 0x04, 0x98,
0xf4, 0x4c, 0x43, 0x19, 0x99, 0x16, 0x5a, 0xac,
0x7f, 0x52, 0x0f, 0x79, 0xd2, 0x10, 0xa5, 0xf3,
0x88, 0xf3, 0x79, 0x0a, 0x05, 0x22, 0xb8, 0xb2,
0xb7, 0xd4, 0x8e, 0x17, 0x80, 0x1b, 0x4d, 0xcb,
0x99, 0xa7, 0x30, 0x1b, 0xe0, 0xee, 0xd5, 0xd3,
};
#endif
byte iv[] = "1234567890abcdef";
byte* key;
word32 keyLen;
byte* expected;
#if defined(WOLFSSL_AES_128)
key = key16;
keyLen = (word32)sizeof(key16) / sizeof(byte);
expected = expected16;
#elif defined(WOLFSSL_AES_192)
key = key24;
keyLen = (word32)sizeof(key24) / sizeof(byte);
expected = expected24;
#else
key = key32;
keyLen = (word32)sizeof(key32) / sizeof(byte);
expected = expected32;
#endif
/* Init stack variables. */
XMEMSET(&aes, 0, sizeof(Aes));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_BadArgs(&aes, key, keyLen, iv));
#ifdef WOLFSSL_AES_128
EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_WithKey(&aes, key16,
(word32)sizeof(key16) / sizeof(byte), iv, vector, vector_enc16,
(word32)sizeof(vector) / sizeof(byte)));
#endif
#ifdef WOLFSSL_AES_192
EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_WithKey(&aes, key24,
(word32)sizeof(key24) / sizeof(byte), iv, vector, vector_enc24,
(word32)sizeof(vector) / sizeof(byte)));
#endif
#ifdef WOLFSSL_AES_256
EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_WithKey(&aes, key32,
(word32)sizeof(key32) / sizeof(byte), iv, vector, vector_enc32,
(word32)sizeof(vector) / sizeof(byte)));
#endif
EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_MultiBlocks(&aes, key, keyLen, iv,
expected));
EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_SameBuffer(&aes, key, keyLen, iv,
expected));
wc_AesFree(&aes);
#endif
return EXPECT_RESULT();
} /* END test_wc_AesCbcEncryptDecrypt */
/*******************************************************************************
* AES-CFB
******************************************************************************/
#if !defined(NO_AES) && defined(WOLFSSL_AES_CFB)
#define CFB_LEN (5 * WC_AES_BLOCK_SIZE)
static int test_wc_AesCfbEncryptDecrypt_BadArgs(Aes* aes, byte* key,
word32 keyLen, byte* iv)
{
EXPECT_DECLS;
byte plain[WC_AES_BLOCK_SIZE];
byte cipher[WC_AES_BLOCK_SIZE];
#ifdef HAVE_AES_DECRYPT
byte decrypted[WC_AES_BLOCK_SIZE];
#endif
XMEMSET(plain, 0x00, WC_AES_BLOCK_SIZE);
XMEMSET(cipher, 0x00, WC_AES_BLOCK_SIZE);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesCfbEncrypt(NULL, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbEncrypt(aes, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbEncrypt(NULL, cipher, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbEncrypt(NULL, NULL, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbEncrypt(aes, cipher, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbEncrypt(aes, NULL, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbEncrypt(NULL, cipher, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesCfbDecrypt(NULL, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbDecrypt(aes, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbDecrypt(NULL, decrypted, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbDecrypt(NULL, NULL, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbDecrypt(aes, decrypted, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbDecrypt(aes, NULL, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCfbDecrypt(NULL, decrypted, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
return EXPECT_RESULT();
}
static int test_wc_AesCfbEncryptDecrypt_WithKey(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* expected)
{
EXPECT_DECLS;
WC_DECLARE_VAR(plain, byte, CFB_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, CFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_DECLARE_VAR(decrypted, byte, CFB_LEN, NULL);
#endif
WC_ALLOC_VAR(plain, byte, CFB_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, CFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_ALLOC_VAR(decrypted, byte, CFB_LEN, NULL);
#endif
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
#ifdef HAVE_AES_DECRYPT
ExpectNotNull(decrypted);
#endif
#endif
XMEMSET(plain, 0xa5, CFB_LEN);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesCfbEncrypt(aes, cipher, plain, WC_AES_BLOCK_SIZE), 0);
ExpectBufEQ(cipher, expected, WC_AES_BLOCK_SIZE);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesCfbDecrypt(aes, decrypted, cipher, WC_AES_BLOCK_SIZE),
0);
ExpectBufEQ(decrypted, plain, WC_AES_BLOCK_SIZE);
#endif
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesCfbEncrypt(aes, cipher, plain, CFB_LEN), 0);
ExpectBufEQ(cipher, expected, CFB_LEN);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesCfbDecrypt(aes, decrypted, cipher, CFB_LEN), 0);
ExpectBufEQ(decrypted, plain, CFB_LEN);
#endif
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
#ifdef HAVE_AES_DECRYPT
WC_FREE_VAR(decrypted, NULL);
#endif
return EXPECT_RESULT();
}
static int test_wc_AesCfbEncryptDecrypt_Chunking(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* expected)
{
EXPECT_DECLS;
int sz;
int cnt;
WC_DECLARE_VAR(plain, byte, CFB_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, CFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_DECLARE_VAR(decrypted, byte, CFB_LEN, NULL);
#endif
WC_ALLOC_VAR(plain, byte, CFB_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, CFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_ALLOC_VAR(decrypted, byte, CFB_LEN, NULL);
#endif
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
#ifdef HAVE_AES_DECRYPT
ExpectNotNull(decrypted);
#endif
#endif
XMEMSET(plain, 0xa5, CFB_LEN);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
for (sz = 1; sz < CFB_LEN; sz++) {
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
XMEMSET(cipher, 0, CFB_LEN);
for (cnt = 0; cnt + sz <= CFB_LEN; cnt += sz) {
ExpectIntEQ(wc_AesCfbEncrypt(aes, cipher + cnt, plain + cnt, sz),
0);
}
if (cnt < CFB_LEN) {
ExpectIntEQ(wc_AesCfbEncrypt(aes, cipher + cnt, plain + cnt,
CFB_LEN - cnt), 0);
}
ExpectBufEQ(cipher, expected, CFB_LEN);
}
#ifdef HAVE_AES_DECRYPT
for (sz = 1; sz < CFB_LEN; sz++) {
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
XMEMSET(decrypted, 0xff, CFB_LEN);
for (cnt = 0; cnt + sz <= CFB_LEN; cnt += sz) {
ExpectIntEQ(wc_AesCfbDecrypt(aes, decrypted + cnt, cipher + cnt,
sz), 0);
}
if (cnt < CFB_LEN) {
ExpectIntEQ(wc_AesCfbDecrypt(aes, decrypted + cnt, cipher + cnt,
CFB_LEN - cnt), 0);
}
ExpectBufEQ(decrypted, plain, CFB_LEN);
}
#endif
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
#ifdef HAVE_AES_DECRYPT
WC_FREE_VAR(decrypted, NULL);
#endif
return EXPECT_RESULT();
}
#if (!defined(HAVE_FIPS) || !defined(HAVE_FIPS_VERSION) || \
(HAVE_FIPS_VERSION > 6)) && !defined(HAVE_SELFTEST)
static int test_wc_AesCfbEncryptDecrypt_SameBuffer(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* expected)
{
EXPECT_DECLS;
WC_DECLARE_VAR(plain, byte, CFB_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, CFB_LEN, NULL);
WC_ALLOC_VAR(plain, byte, CBC_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, CBC_LEN, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
#endif
XMEMSET(plain, 0xa5, CFB_LEN);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
/* Testing using same buffer for input and output. */
XMEMCPY(cipher, plain, CFB_LEN);
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesCfbEncrypt(aes, cipher, cipher, CFB_LEN), 0);
ExpectBufEQ(cipher, expected, CFB_LEN);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesCfbDecrypt(aes, cipher, cipher, CFB_LEN), 0);
ExpectBufEQ(cipher, plain, CFB_LEN);
#endif
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
return EXPECT_RESULT();
}
#endif
#endif
int test_wc_AesCfbEncryptDecrypt(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_CFB)
Aes aes;
#if defined(WOLFSSL_AES_128)
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected16[CFB_LEN] = {
0xe3, 0xbf, 0xfa, 0x58, 0x38, 0x52, 0x34, 0xd4,
0x90, 0x2b, 0x3b, 0xa4, 0xd2, 0x7d, 0xeb, 0x0f,
0x01, 0x1f, 0xb4, 0x51, 0xa3, 0x6b, 0x21, 0x0c,
0x17, 0xb0, 0xb2, 0xbf, 0x33, 0x3d, 0xe4, 0x3f,
0xf9, 0x50, 0xcc, 0x2b, 0xab, 0xb7, 0x30, 0xaa,
0xaf, 0x56, 0xad, 0xdb, 0xca, 0x73, 0x4b, 0x13,
0x3b, 0xe2, 0xef, 0x8a, 0xb9, 0x1c, 0xfe, 0xfa,
0x79, 0xcd, 0x92, 0x34, 0x27, 0xae, 0x6c, 0xe9,
0x18, 0x60, 0x05, 0x44, 0xdd, 0x87, 0xe5, 0xfa,
0x87, 0x64, 0xd0, 0x4c, 0x21, 0x00, 0xe9, 0x8d,
};
#endif
#if defined(WOLFSSL_AES_192)
byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected24[CFB_LEN] = {
0xde, 0x7b, 0xf6, 0x09, 0x2d, 0x81, 0x43, 0x7b,
0xcd, 0x71, 0xc1, 0xbd, 0x85, 0x33, 0xc7, 0xcd,
0x23, 0xb2, 0x9f, 0xf8, 0x69, 0xe5, 0x77, 0xbf,
0x5a, 0x7f, 0xad, 0x5d, 0x98, 0x8f, 0x17, 0x70,
0x65, 0xf6, 0x18, 0x90, 0x95, 0x5f, 0x85, 0xfd,
0xfb, 0xc4, 0xed, 0xf2, 0x85, 0x6a, 0x3f, 0x62,
0x8c, 0x33, 0x08, 0x42, 0x5d, 0x29, 0x51, 0xec,
0xaa, 0x37, 0x7c, 0x57, 0x51, 0xa0, 0xde, 0xf8,
0x68, 0x12, 0xf7, 0x73, 0x1c, 0x0c, 0xc7, 0xa6,
0xb1, 0x82, 0x0e, 0xc8, 0xbd, 0xe3, 0x48, 0x3c,
};
#endif
#if defined(WOLFSSL_AES_256)
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected32[CFB_LEN] = {
0xbd, 0xff, 0xed, 0x58, 0x12, 0x70, 0x90, 0x56,
0x9a, 0x1c, 0xb1, 0xb3, 0x56, 0xa0, 0x56, 0xd4,
0x97, 0xb3, 0x9c, 0xf9, 0xeb, 0x2a, 0xb6, 0x23,
0x11, 0x0c, 0x8d, 0x15, 0x2d, 0x03, 0x66, 0x76,
0x4a, 0x7f, 0xb4, 0xf4, 0xe6, 0x7c, 0xec, 0x8b,
0xe9, 0xa9, 0x40, 0x2b, 0x97, 0xec, 0x0e, 0x24,
0xfe, 0x4b, 0xa1, 0xd6, 0xfc, 0x8f, 0x9c, 0x79,
0x0c, 0x84, 0x18, 0x67, 0x14, 0x7d, 0x8c, 0x5a,
0x78, 0x4f, 0x18, 0xb1, 0x04, 0xd9, 0x41, 0x79,
0x72, 0x92, 0x5e, 0x91, 0xe8, 0xa9, 0xe7, 0xe9,
};
#endif
byte iv[] = "1234567890abcdef";
byte* key;
word32 keyLen;
byte* expected;
#if defined(WOLFSSL_AES_128)
key = key16;
keyLen = (word32)sizeof(key16) / sizeof(byte);
expected = expected16;
#elif defined(WOLFSSL_AES_192)
key = key24;
keyLen = (word32)sizeof(key24) / sizeof(byte);
expected = expected24;
#else
key = key32;
keyLen = (word32)sizeof(key32) / sizeof(byte);
expected = expected32;
#endif
XMEMSET(&aes, 0, sizeof(Aes));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_BadArgs(&aes, key, keyLen, iv));
#if defined(WOLFSSL_AES_128)
EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_WithKey(&aes, key16,
(word32)sizeof(key16) / sizeof(byte), iv, expected16));
#endif
#if defined(WOLFSSL_AES_192)
EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_WithKey(&aes, key24,
(word32)sizeof(key24) / sizeof(byte), iv, expected24));
#endif
#if defined(WOLFSSL_AES_256)
EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_WithKey(&aes, key32,
(word32)sizeof(key32) / sizeof(byte), iv, expected32));
#endif
EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_Chunking(&aes, key, keyLen, iv,
expected));
#if (!defined(HAVE_FIPS) || !defined(HAVE_FIPS_VERSION) || \
(HAVE_FIPS_VERSION > 6)) && !defined(HAVE_SELFTEST)
EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_SameBuffer(&aes, key, keyLen, iv,
expected));
#endif
wc_AesFree(&aes);
#endif
return EXPECT_RESULT();
}
/*******************************************************************************
* AES-OFB
******************************************************************************/
#if !defined(NO_AES) && defined(WOLFSSL_AES_OFB)
#define OFB_LEN (5 * WC_AES_BLOCK_SIZE)
static int test_wc_AesOfbEncryptDecrypt_BadArgs(Aes* aes, byte* key,
word32 keyLen, byte* iv)
{
EXPECT_DECLS;
byte plain[WC_AES_BLOCK_SIZE];
byte cipher[WC_AES_BLOCK_SIZE];
#ifdef HAVE_AES_DECRYPT
byte decrypted[WC_AES_BLOCK_SIZE];
#endif
XMEMSET(plain, 0x00, WC_AES_BLOCK_SIZE);
XMEMSET(cipher, 0x00, WC_AES_BLOCK_SIZE);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesOfbEncrypt(NULL, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbEncrypt(aes, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbEncrypt(NULL, cipher, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbEncrypt(NULL, NULL, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbEncrypt(aes, cipher, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbEncrypt(aes, NULL, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbEncrypt(NULL, cipher, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesOfbDecrypt(NULL, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbDecrypt(aes, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbDecrypt(NULL, decrypted, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbDecrypt(NULL, NULL, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbDecrypt(aes, decrypted, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbDecrypt(aes, NULL, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesOfbDecrypt(NULL, decrypted, cipher, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
return EXPECT_RESULT();
}
static int test_wc_AesOfbEncryptDecrypt_WithKey(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* expected)
{
EXPECT_DECLS;
WC_DECLARE_VAR(plain, byte, OFB_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, OFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_DECLARE_VAR(decrypted, byte, OFB_LEN, NULL);
#endif
WC_ALLOC_VAR(plain, byte, OFB_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, OFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_ALLOC_VAR(decrypted, byte, OFB_LEN, NULL);
#endif
XMEMSET(plain, 0xa5, OFB_LEN);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesOfbEncrypt(aes, cipher, plain, WC_AES_BLOCK_SIZE), 0);
ExpectBufEQ(cipher, expected, WC_AES_BLOCK_SIZE);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesOfbDecrypt(aes, decrypted, cipher, WC_AES_BLOCK_SIZE),
0);
ExpectBufEQ(decrypted, plain, WC_AES_BLOCK_SIZE);
#endif
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesOfbEncrypt(aes, cipher, plain, OFB_LEN), 0);
ExpectBufEQ(cipher, expected, OFB_LEN);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesOfbDecrypt(aes, decrypted, cipher, OFB_LEN), 0);
ExpectBufEQ(decrypted, plain, OFB_LEN);
#endif
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
#ifdef HAVE_AES_DECRYPT
WC_FREE_VAR(decrypted, NULL);
#endif
return EXPECT_RESULT();
}
static int test_wc_AesOfbEncryptDecrypt_Chunking(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* expected)
{
EXPECT_DECLS;
int sz;
int cnt;
WC_DECLARE_VAR(plain, byte, OFB_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, OFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_DECLARE_VAR(decrypted, byte, OFB_LEN, NULL);
#endif
WC_ALLOC_VAR(plain, byte, OFB_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, OFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_ALLOC_VAR(decrypted, byte, OFB_LEN, NULL);
#endif
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
#ifdef HAVE_AES_DECRYPT
ExpectNotNull(decrypted);
#endif
#endif
XMEMSET(plain, 0xa5, OFB_LEN);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
for (sz = 1; sz < OFB_LEN; sz++) {
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
XMEMSET(cipher, 0, OFB_LEN);
for (cnt = 0; cnt + sz <= OFB_LEN; cnt += sz) {
ExpectIntEQ(wc_AesOfbEncrypt(aes, cipher + cnt, plain + cnt, sz),
0);
}
if (cnt < OFB_LEN) {
ExpectIntEQ(wc_AesOfbEncrypt(aes, cipher + cnt, plain + cnt,
OFB_LEN - cnt), 0);
}
ExpectBufEQ(cipher, expected, OFB_LEN);
}
#ifdef HAVE_AES_DECRYPT
for (sz = 1; sz < OFB_LEN; sz++) {
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
XMEMSET(decrypted, 0xff, OFB_LEN);
for (cnt = 0; cnt + sz <= OFB_LEN; cnt += sz) {
ExpectIntEQ(wc_AesOfbDecrypt(aes, decrypted + cnt, cipher + cnt,
sz), 0);
}
if (cnt < OFB_LEN) {
ExpectIntEQ(wc_AesOfbDecrypt(aes, decrypted + cnt, cipher + cnt,
OFB_LEN - cnt), 0);
}
ExpectBufEQ(decrypted, plain, OFB_LEN);
}
#endif
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
#ifdef HAVE_AES_DECRYPT
WC_FREE_VAR(decrypted, NULL);
#endif
return EXPECT_RESULT();
}
static int test_wc_AesOfbEncryptDecrypt_SameBuffer(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* expected)
{
EXPECT_DECLS;
WC_DECLARE_VAR(plain, byte, OFB_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, OFB_LEN, NULL);
WC_ALLOC_VAR(plain, byte, OFB_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, OFB_LEN, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
#endif
XMEMSET(plain, 0xa5, OFB_LEN);
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
/* Testing using same buffer for input and output. */
XMEMCPY(cipher, plain, OFB_LEN);
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesOfbEncrypt(aes, cipher, cipher, OFB_LEN), 0);
ExpectBufEQ(cipher, expected, OFB_LEN);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
ExpectIntEQ(wc_AesOfbDecrypt(aes, cipher, cipher, OFB_LEN), 0);
ExpectBufEQ(cipher, plain, OFB_LEN);
#endif
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
return EXPECT_RESULT();
}
#endif
int test_wc_AesOfbEncryptDecrypt(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_OFB)
Aes aes;
#if defined(WOLFSSL_AES_128)
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected16[OFB_LEN] = {
0xe3, 0xbf, 0xfa, 0x58, 0x38, 0x52, 0x34, 0xd4,
0x90, 0x2b, 0x3b, 0xa4, 0xd2, 0x7d, 0xeb, 0x0f,
0x91, 0x8d, 0x1f, 0x30, 0xd3, 0x00, 0xc5, 0x4e,
0x1a, 0xcb, 0x2c, 0x50, 0x3f, 0xa6, 0xdf, 0xdb,
0xa2, 0x60, 0x49, 0xc5, 0x44, 0x3e, 0xdf, 0x90,
0x39, 0x8c, 0xd1, 0xc9, 0x8e, 0xb9, 0x5a, 0xbe,
0x05, 0x70, 0x56, 0xfe, 0x86, 0x23, 0x94, 0x1b,
0xbf, 0x85, 0x89, 0xf2, 0x51, 0x3b, 0x24, 0xc2,
0x1d, 0x57, 0xc5, 0x8d, 0x93, 0xf5, 0xc9, 0xa3,
0xcc, 0x0d, 0x49, 0x93, 0xe3, 0x8f, 0x6c, 0xb7,
};
#endif
#if defined(WOLFSSL_AES_192)
byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected24[OFB_LEN] = {
0xde, 0x7b, 0xf6, 0x09, 0x2d, 0x81, 0x43, 0x7b,
0xcd, 0x71, 0xc1, 0xbd, 0x85, 0x33, 0xc7, 0xcd,
0x75, 0xa1, 0x24, 0xf5, 0xd6, 0x42, 0xc8, 0x2b,
0xb1, 0xe1, 0x22, 0x08, 0xc8, 0xe1, 0x5c, 0x66,
0x4c, 0x27, 0x8b, 0x88, 0xb2, 0xb3, 0xe6, 0x03,
0x8c, 0x46, 0x38, 0xda, 0x21, 0x8b, 0x3f, 0xb1,
0xcc, 0x4c, 0xde, 0x9d, 0x58, 0x49, 0xd4, 0xef,
0x52, 0xaa, 0x1a, 0xcb, 0xe8, 0xe3, 0xdb, 0x08,
0x26, 0x6e, 0x5f, 0x85, 0x80, 0x5d, 0xb6, 0x63,
0xd0, 0x78, 0xb7, 0xba, 0x48, 0x5f, 0x9f, 0xb9,
};
#endif
#if defined(WOLFSSL_AES_256)
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte expected32[OFB_LEN] = {
0xbd, 0xff, 0xed, 0x58, 0x12, 0x70, 0x90, 0x56,
0x9a, 0x1c, 0xb1, 0xb3, 0x56, 0xa0, 0x56, 0xd4,
0x4f, 0xeb, 0x87, 0x68, 0xb0, 0x9f, 0x69, 0x1f,
0x9a, 0xfe, 0x20, 0xb0, 0x7a, 0xa2, 0x53, 0x01,
0x51, 0xe4, 0x42, 0xad, 0x95, 0x3e, 0xac, 0x88,
0x71, 0x9b, 0xcd, 0x4f, 0xe0, 0x98, 0x9f, 0x46,
0xd9, 0xcd, 0xa5, 0x7f, 0x4e, 0x22, 0x72, 0xb4,
0x8f, 0xae, 0xd9, 0xed, 0x40, 0x4a, 0x0b, 0xc8,
0xc4, 0xa1, 0x01, 0xb3, 0x62, 0x13, 0xaa, 0x0e,
0x81, 0xa9, 0xd1, 0xae, 0xea, 0x5b, 0x58, 0x74,
};
#endif
byte iv[] = "1234567890abcdef";
byte* key;
word32 keyLen;
byte* expected;
#if defined(WOLFSSL_AES_128)
key = key16;
keyLen = (word32)sizeof(key16) / sizeof(byte);
expected = expected16;
#elif defined(WOLFSSL_AES_192)
key = key24;
keyLen = (word32)sizeof(key24) / sizeof(byte);
expected = expected24;
#else
key = key32;
keyLen = (word32)sizeof(key32) / sizeof(byte);
expected = expected32;
#endif
XMEMSET(&aes, 0, sizeof(Aes));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_BadArgs(&aes, key, keyLen, iv));
#if defined(WOLFSSL_AES_128)
EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_WithKey(&aes, key16,
(word32)sizeof(key16) / sizeof(byte), iv, expected16));
#endif
#if defined(WOLFSSL_AES_192)
EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_WithKey(&aes, key24,
(word32)sizeof(key24) / sizeof(byte), iv, expected24));
#endif
#if defined(WOLFSSL_AES_256)
EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_WithKey(&aes, key32,
(word32)sizeof(key32) / sizeof(byte), iv, expected32));
#endif
EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_Chunking(&aes, key, keyLen, iv,
expected));
EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_SameBuffer(&aes, key, keyLen, iv,
expected));
wc_AesFree(&aes);
#endif
return EXPECT_RESULT();
}
/*******************************************************************************
* AES-CTS
******************************************************************************/
int test_wc_AesCtsEncryptDecrypt(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_CTS) && \
defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_128)
/* Test vectors taken form RFC3962 Appendix B */
const struct {
const char* input;
const char* output;
size_t inLen;
size_t outLen;
} vects[] = {
{
"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
"\x20",
"\xc6\x35\x35\x68\xf2\xbf\x8c\xb4\xd8\xa5\x80\x36\x2d\xa7\xff\x7f"
"\x97",
17, 17
},
{
"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20",
"\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1\xd4\x45\xd4\xc8\xef\xf7\xed\x22"
"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5",
31, 31
},
{
"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43",
"\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8"
"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84",
32, 32
},
{
"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c",
"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
"\xb3\xff\xfd\x94\x0c\x16\xa1\x8c\x1b\x55\x49\xd2\xf8\x38\x02\x9e"
"\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5",
47, 47
},
{
"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20",
"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
"\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8"
"\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8",
48, 48
},
{
"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
"\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e",
"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
"\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8"
"\x48\x07\xef\xe8\x36\xee\x89\xa5\x26\x73\x0d\xbc\x2f\x7b\xc8\x40"
"\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8",
64, 64
}
};
const byte keyBytes[AES_128_KEY_SIZE] = {
0x63, 0x68, 0x69, 0x63, 0x6b, 0x65, 0x6e, 0x20,
0x74, 0x65, 0x72, 0x69, 0x79, 0x61, 0x6b, 0x69
};
byte tmp[64]; /* Largest vector size */
size_t i;
byte iv[AES_IV_SIZE]; /* All-zero IV for all cases */
XMEMSET(iv, 0, sizeof(iv));
for (i = 0; i < XELEM_CNT(vects) && EXPECT_SUCCESS(); i++) {
/* One-shot encrypt */
XMEMSET(tmp, 0, sizeof(tmp));
ExpectIntEQ(wc_AesCtsEncrypt(keyBytes, sizeof(keyBytes), tmp,
(const byte*)vects[i].input, (word32)vects[i].inLen, iv), 0);
ExpectBufEQ(tmp, vects[i].output, vects[i].outLen);
XMEMSET(tmp, 0, sizeof(tmp));
ExpectIntEQ(wc_AesCtsDecrypt(keyBytes, sizeof(keyBytes), tmp,
(const byte*)vects[i].output, (word32)vects[i].outLen, iv), 0);
ExpectBufEQ(tmp, vects[i].input, vects[i].inLen);
}
/* Execute all branches */
{
Aes* aes = NULL;
int result_code = 0;
const byte* in = (const byte*)vects[5].input;
byte* out = tmp;
word32 outSz = (word32)vects[5].outLen;
word32 remSz = (word32)vects[5].outLen;
XMEMSET(tmp, 0, sizeof(tmp));
ExpectNotNull(aes = wc_AesNew(NULL, INVALID_DEVID, &result_code));
ExpectIntEQ(wc_AesSetKey(aes, keyBytes, sizeof(keyBytes), iv,
AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesCtsEncryptUpdate(aes, out, &outSz, in, 1), 0);
in += 1; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsEncryptUpdate(aes, out, &outSz, in, 31), 0);
in += 31; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsEncryptUpdate(aes, out, &outSz, in, 32), 0);
in += 32; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsEncryptFinal(aes, out, &outSz), 0);
remSz -= outSz;
ExpectIntEQ(remSz, 0);
ExpectBufEQ(tmp, vects[5].output, vects[5].outLen);
ExpectIntEQ(wc_AesDelete(aes, &aes), 0);
}
{
Aes* aes = NULL;
int result_code = 0;
const byte* in = (const byte*)vects[5].input;
byte* out = tmp;
word32 outSz = (word32)vects[5].outLen;
word32 remSz = (word32)vects[5].outLen;
ExpectNotNull(aes = wc_AesNew(NULL, INVALID_DEVID, &result_code));
ExpectIntEQ(wc_AesSetKey(aes, keyBytes, sizeof(keyBytes), iv,
AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesCtsEncryptUpdate(aes, out, &outSz, in, 1), 0);
in += 1; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsEncryptUpdate(aes, out, &outSz, in, 63), 0);
in += 63; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsEncryptFinal(aes, out, &outSz), 0);
remSz -= outSz;
ExpectIntEQ(remSz, 0);
ExpectBufEQ(tmp, vects[5].output, vects[5].outLen);
ExpectIntEQ(wc_AesDelete(aes, &aes), 0);
}
{
Aes* aes = NULL;
int result_code = 0;
const byte* in = (const byte*)vects[2].input;
byte* out = tmp;
word32 outSz = (word32)vects[2].outLen;
word32 remSz = (word32)vects[2].outLen;
ExpectNotNull(aes = wc_AesNew(NULL, INVALID_DEVID, &result_code));
ExpectIntEQ(wc_AesSetKey(aes, keyBytes, sizeof(keyBytes), iv,
AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesCtsEncryptUpdate(aes, out, &outSz, in, 16), 0);
in += 16; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsEncryptUpdate(aes, out, &outSz, in, 16), 0);
in += 16; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsEncryptFinal(aes, out, &outSz), 0);
remSz -= outSz;
ExpectIntEQ(remSz, 0);
ExpectBufEQ(tmp, vects[2].output, vects[2].outLen);
ExpectIntEQ(wc_AesDelete(aes, &aes), 0);
}
{
Aes* aes = NULL;
int result_code = 0;
const byte* in = (const byte*)vects[5].output;
byte* out = tmp;
word32 outSz = (word32)vects[5].inLen;
word32 remSz = (word32)vects[5].inLen;
XMEMSET(tmp, 0, sizeof(tmp));
ExpectNotNull(aes = wc_AesNew(NULL, INVALID_DEVID, &result_code));
ExpectIntEQ(wc_AesSetKey(aes, keyBytes, sizeof(keyBytes), iv,
AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesCtsDecryptUpdate(aes, out, &outSz, in, 1), 0);
in += 1; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsDecryptUpdate(aes, out, &outSz, in, 31), 0);
in += 31; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsDecryptUpdate(aes, out, &outSz, in, 32), 0);
in += 32; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsDecryptFinal(aes, out, &outSz), 0);
remSz -= outSz;
ExpectIntEQ(remSz, 0);
ExpectBufEQ(tmp, vects[5].input, vects[5].inLen);
ExpectIntEQ(wc_AesDelete(aes, &aes), 0);
}
{
Aes* aes = NULL;
int result_code = 0;
const byte* in = (const byte*)vects[5].output;
byte* out = tmp;
word32 outSz = (word32)vects[5].inLen;
word32 remSz = (word32)vects[5].inLen;
ExpectNotNull(aes = wc_AesNew(NULL, INVALID_DEVID, &result_code));
ExpectIntEQ(wc_AesSetKey(aes, keyBytes, sizeof(keyBytes), iv,
AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesCtsDecryptUpdate(aes, out, &outSz, in, 1), 0);
in += 1; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsDecryptUpdate(aes, out, &outSz, in, 63), 0);
in += 63; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsDecryptFinal(aes, out, &outSz), 0);
remSz -= outSz;
ExpectIntEQ(remSz, 0);
ExpectBufEQ(tmp, vects[5].input, vects[5].inLen);
ExpectIntEQ(wc_AesDelete(aes, &aes), 0);
}
{
Aes* aes = NULL;
int result_code = 0;
const byte* in = (const byte*)vects[2].output;
byte* out = tmp;
word32 outSz = (word32)vects[2].inLen;
word32 remSz = (word32)vects[2].inLen;
ExpectNotNull(aes = wc_AesNew(NULL, INVALID_DEVID, &result_code));
ExpectIntEQ(wc_AesSetKey(aes, keyBytes, sizeof(keyBytes), iv,
AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesCtsDecryptUpdate(aes, out, &outSz, in, 16), 0);
in += 16; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsDecryptUpdate(aes, out, &outSz, in, 16), 0);
in += 16; out += outSz; remSz -= outSz; outSz = remSz;
ExpectIntEQ(wc_AesCtsDecryptFinal(aes, out, &outSz), 0);
remSz -= outSz;
ExpectIntEQ(remSz, 0);
ExpectBufEQ(tmp, vects[2].input, vects[2].inLen);
ExpectIntEQ(wc_AesDelete(aes, &aes), 0);
}
#endif
return EXPECT_RESULT();
}
/*******************************************************************************
* AES-CTR
******************************************************************************/
#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && \
(!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
!defined(WOLFSSL_KCAPI)
static int test_wc_AesCtrSetKey_BadArgs(Aes* aes, byte* key, word32 keyLen,
byte* iv)
{
EXPECT_DECLS;
ExpectIntEQ(wc_AesCtrSetKey(NULL, NULL, keyLen, iv, AES_ENCRYPTION),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCtrSetKey(NULL, key , keyLen, iv, AES_ENCRYPTION),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCtrSetKey(aes , key , 48 , iv, AES_ENCRYPTION),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
return EXPECT_RESULT();
}
static int test_wc_AesCtrSetKey_WithKey(Aes* aes, byte* key, word32 keyLen,
byte* iv, int ret)
{
EXPECT_DECLS;
ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), ret);
ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), ret);
return EXPECT_RESULT();
}
#endif /* !NO_AES && WOLFSSL_AES_COUNTER && */
/* (!HAVE_FIPS || FIPS_VERSION_GE(7,0)) && */
/* !HAVE_SELFTEST && !WOLFSSL_AFALG && */
/* !WOLFSSL_KCAPI */
/*
* Testing function for wc_AesCtrSetKey().
*/
int test_wc_AesCtrSetKey(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && \
(!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
!defined(WOLFSSL_KCAPI)
Aes aes;
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
};
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte badKey16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
};
byte iv[] = "1234567890abcdef";
byte* key;
word32 keyLen;
#if defined(WOLFSSL_AES_128)
key = key16;
keyLen = (word32)sizeof(key16) / sizeof(byte);
#elif defined(WOLFSSL_AES_192)
key = key24;
keyLen = (word32)sizeof(key24) / sizeof(byte);
#else
key = key32;
keyLen = (word32)sizeof(key32) / sizeof(byte);
#endif
XMEMSET(&aes, 0, sizeof(Aes));
ExpectIntEQ(wc_AesInit(NULL, NULL, INVALID_DEVID),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
EXPECT_TEST(test_wc_AesCtrSetKey_BadArgs(&aes, key, keyLen, iv));
#ifdef WOLFSSL_AES_128
EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key16,
(word32)sizeof(key16) / sizeof(byte), iv, 0));
#else
EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key16,
(word32)sizeof(key16) / sizeof(byte), iv, BAD_FUNC_ARG));
#endif
#ifdef WOLFSSL_AES_192
EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key24,
(word32)sizeof(key24) / sizeof(byte), iv, 0));
#else
EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key24,
(word32)sizeof(key24) / sizeof(byte), iv, BAD_FUNC_ARG));
#endif
#ifdef WOLFSSL_AES_256
EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key32,
(word32)sizeof(key32) / sizeof(byte), iv, 0));
#else
EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key32,
(word32)sizeof(key32) / sizeof(byte), iv, BAD_FUNC_ARG));
#endif
ExpectIntEQ(wc_AesCtrSetKey(&aes, badKey16,
(word32)sizeof(badKey16) / sizeof(byte), iv, AES_ENCRYPTION),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
wc_AesFree(&aes);
#endif /* !NO_AES && WOLFSSL_AES_COUNTER && */
/* (!HAVE_FIPS || FIPS_VERSION_GE(7,0)) && */
/* !HAVE_SELFTEST && !WOLFSSL_AFALG && */
/* !WOLFSSL_KCAPI */
return EXPECT_RESULT();
} /* END test_wc_AesCtrSetKey */
#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER)
/* Assembly code doing 8 iterations at a time. */
#define CTR_LEN (15 * WC_AES_BLOCK_SIZE)
static int test_wc_AesCtrEncrypt_BadArgs(Aes* aes, byte* key,
word32 keyLen, byte* iv)
{
EXPECT_DECLS;
byte plain[WC_AES_BLOCK_SIZE];
byte cipher[WC_AES_BLOCK_SIZE];
byte decrypted[WC_AES_BLOCK_SIZE];
XMEMSET(plain, 0, WC_AES_BLOCK_SIZE);
XMEMSET(cipher, 0, WC_AES_BLOCK_SIZE);
XMEMSET(decrypted, 0, WC_AES_BLOCK_SIZE);
#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
!defined(WOLFSSL_KCAPI)
ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#else
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#endif
ExpectIntEQ(wc_AesCtrEncrypt(NULL, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCtrEncrypt(aes, NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCtrEncrypt(NULL, cipher, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCtrEncrypt(NULL, NULL, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCtrEncrypt(aes, cipher, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCtrEncrypt(aes, NULL, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCtrEncrypt(NULL, cipher, plain, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
return EXPECT_RESULT();
}
static int test_wc_AesCtrEncrypt_WithKey(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* vector, byte* vector_enc, word32 vector_len)
{
EXPECT_DECLS;
byte plain[WC_AES_BLOCK_SIZE * 2];
byte cipher[WC_AES_BLOCK_SIZE * 2];
byte decrypted[WC_AES_BLOCK_SIZE * 2];
XMEMSET(plain, 0, WC_AES_BLOCK_SIZE * 2);
XMEMSET(cipher, 0, WC_AES_BLOCK_SIZE * 2);
XMEMSET(decrypted, 0, WC_AES_BLOCK_SIZE * 2);
#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
!defined(WOLFSSL_KCAPI)
ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#else
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#endif
ExpectIntEQ(wc_AesCtrEncrypt(aes, cipher, vector, vector_len), 0);
ExpectBufEQ(cipher, vector_enc, vector_len);
/* Decrypt with wc_AesCtrEncrypt() */
#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
!defined(WOLFSSL_KCAPI)
ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#else
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#endif
ExpectIntEQ(wc_AesCtrEncrypt(aes, decrypted, cipher, vector_len), 0);
ExpectBufEQ(decrypted, vector, vector_len);
return EXPECT_RESULT();
}
static int test_wc_AesCtrEncrypt_Chunking(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* expected)
{
EXPECT_DECLS;
#if defined(WOLFSSL_AFALG) || defined(WOLFSSL_KCAPI)
(void)aes;
(void)key;
(void)keyLen;
(void)iv;
(void)expected;
#else
int sz;
int cnt;
WC_DECLARE_VAR(plain, byte, CTR_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, CTR_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_DECLARE_VAR(decrypted, byte, CTR_LEN, NULL);
#endif
WC_ALLOC_VAR(plain, byte, CTR_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, CTR_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_ALLOC_VAR(decrypted, byte, CTR_LEN, NULL);
#endif
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
#ifdef HAVE_AES_DECRYPT
ExpectNotNull(decrypted);
#endif
#endif
XMEMSET(plain, 0, CTR_LEN);
XMEMSET(cipher, 0, CTR_LEN);
XMEMSET(decrypted, 0, CTR_LEN);
#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
!defined(HAVE_SELFTEST)
ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
#else
ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
#endif
/* Test multiple blocks. */
for (sz = 1; sz <= CTR_LEN; sz++) {
XMEMSET(cipher, 0x00, CTR_LEN);
ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
for (cnt = 0; cnt + sz <= CTR_LEN; cnt += sz) {
ExpectIntEQ(wc_AesCtrEncrypt(aes, cipher + cnt, plain + cnt, sz),
0);
}
if (cnt < CTR_LEN) {
ExpectIntEQ(wc_AesCtrEncrypt(aes, cipher + cnt, plain + cnt,
CTR_LEN - cnt), 0);
}
ExpectBufEQ(cipher, expected, CTR_LEN);
}
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
#ifdef HAVE_AES_DECRYPT
WC_FREE_VAR(decrypted, NULL);
#endif
#endif /* !WOLFSSL_AFALG && !WOLFSSL_KCAPI */
return EXPECT_RESULT();
}
#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
!defined(WOLFSSL_KCAPI)
static int test_wc_AesCtrEncrypt_SameBuffer(Aes* aes, byte* key,
word32 keyLen, byte* iv, byte* expected)
{
EXPECT_DECLS;
WC_DECLARE_VAR(plain, byte, CTR_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, CTR_LEN, NULL);
WC_ALLOC_VAR(plain, byte, CTR_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, CTR_LEN, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
#endif
XMEMSET(plain, 0, CTR_LEN);
/* Testing using same buffer for input and output. */
ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
XMEMCPY(cipher, plain, CTR_LEN);
ExpectIntEQ(wc_AesCtrEncrypt(aes, cipher, cipher, CTR_LEN), 0);
ExpectBufEQ(cipher, expected, CTR_LEN);
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
return EXPECT_RESULT();
}
#endif
#endif
/*
* Testing wc_AesCtrEncrypt
* Decrypt is an encrypt.
*/
int test_wc_AesCtrEncryptDecrypt(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER)
Aes aes;
byte vector[] = { /* Now is the time for all w/o trailing 0 */
0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
};
#if defined(WOLFSSL_AES_128)
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte vector_enc16[] = {
0x08, 0x75, 0x28, 0xdd, 0xf4, 0x84, 0xb1, 0x05,
0x5d, 0xeb, 0xbe, 0x75, 0x1e, 0xb5, 0x2b, 0x8a,
0x39, 0x70, 0x64, 0x06, 0x98, 0xa1, 0x82, 0x35,
};
#endif
#if defined(WOLFSSL_AES_192)
byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte vector_enc24[] = {
0x35, 0xb1, 0x24, 0x8c, 0xe1, 0x57, 0xc6, 0xaa,
0x00, 0xb1, 0x44, 0x6c, 0x49, 0xfb, 0x07, 0x48,
0xd2, 0xa7, 0x1e, 0x81, 0xcf, 0xa0, 0x72, 0x54,
};
#endif
#if defined(WOLFSSL_AES_256)
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte vector_enc32[] = {
0x56, 0x35, 0x3f, 0xdd, 0xde, 0xa6, 0x15, 0x87,
0x57, 0xdc, 0x34, 0x62, 0x9a, 0x68, 0x96, 0x51,
0x14, 0xeb, 0xfa, 0xba, 0x30, 0x8e, 0xfb, 0x8a,
};
#endif
#if defined(WOLFSSL_AES_128)
byte expected16[CTR_LEN] = {
0x46, 0x1a, 0x5f, 0xfd, 0x9d, 0xf7, 0x91, 0x71,
0x35, 0x8e, 0x9e, 0x01, 0x77, 0xd8, 0x4e, 0xaa,
0x5f, 0x1f, 0x16, 0x26, 0xf9, 0xcd, 0xee, 0x15,
0xce, 0x4d, 0x4d, 0x3d, 0x17, 0x56, 0xa1, 0x48,
0x36, 0x0b, 0x0e, 0x8b, 0x3d, 0x3b, 0x70, 0x02,
0x2e, 0xd1, 0x0b, 0x61, 0x51, 0x05, 0xd6, 0x2b,
0x4b, 0xb9, 0xaf, 0x26, 0x27, 0xed, 0x41, 0x50,
0x08, 0xaf, 0xdd, 0xbf, 0x5b, 0x12, 0x4b, 0xb2,
0x80, 0xd5, 0xba, 0x31, 0x31, 0x70, 0xfa, 0xfd,
0x15, 0x19, 0x1e, 0x35, 0xc9, 0x10, 0x96, 0x6c,
0xe4, 0x38, 0x61, 0xd8, 0x95, 0x30, 0x4d, 0xca,
0xd8, 0x68, 0xc9, 0xdc, 0x6f, 0x8b, 0x86, 0x26,
0x11, 0xee, 0x2d, 0x01, 0xd3, 0x0e, 0x35, 0xa2,
0x4b, 0x26, 0x22, 0x8c, 0xd0, 0x4e, 0xda, 0x5d,
0x49, 0x1e, 0x6d, 0xfa, 0x33, 0xcb, 0xa0, 0x0f,
0x86, 0x8f, 0x83, 0xff, 0x3d, 0xbe, 0x6e, 0xfa,
0xd2, 0x2b, 0x3e, 0x70, 0x21, 0x1c, 0xe8, 0x7b,
0xe4, 0x01, 0x2c, 0xd0, 0x82, 0xe2, 0x7a, 0x4a,
0xcf, 0x67, 0x82, 0x1c, 0x80, 0x79, 0x85, 0x5e,
0xe5, 0xf9, 0x3a, 0x0d, 0x1a, 0xa7, 0x89, 0x29,
0xee, 0xe7, 0x2b, 0xd6, 0x29, 0xac, 0xfa, 0xca,
0xc8, 0xcb, 0x4e, 0x6c, 0x1f, 0x30, 0x5e, 0x95,
0xa5, 0xa2, 0x17, 0xe2, 0x93, 0xd3, 0xe6, 0xbe,
0x91, 0x37, 0x84, 0x01, 0xdb, 0x44, 0x4c, 0x60,
0x1c, 0x2c, 0x64, 0x7d, 0xb7, 0x73, 0x12, 0x11,
0xc2, 0x6a, 0xfd, 0xac, 0x6d, 0x85, 0xd8, 0xeb,
0x0e, 0x70, 0xd3, 0x82, 0x93, 0x65, 0xff, 0x18,
0x4e, 0x22, 0x07, 0x8a, 0xf6, 0xfd, 0x36, 0x9d,
0x5c, 0x15, 0x1c, 0x84, 0x69, 0x13, 0x68, 0x78,
0xf1, 0x04, 0x02, 0x66, 0xec, 0x37, 0xcc, 0x0d,
};
#elif defined(WOLFSSL_AES_192)
byte expected24[CTR_LEN] = {
0x7b, 0xde, 0x53, 0xac, 0x88, 0x24, 0xe6, 0xde,
0x68, 0xd4, 0x64, 0x18, 0x20, 0x96, 0x62, 0x68,
0xb4, 0xc8, 0x6c, 0xa1, 0xae, 0xcc, 0x1e, 0x74,
0x2a, 0xd6, 0x69, 0x5c, 0x71, 0x76, 0x92, 0x5b,
0xd8, 0x61, 0xfa, 0x70, 0x8c, 0x80, 0x3e, 0xfc,
0xdc, 0xd8, 0xbb, 0x31, 0x22, 0x47, 0x78, 0x02,
0x5b, 0xa2, 0xb5, 0xb1, 0x41, 0x88, 0xc4, 0x84,
0x82, 0xd7, 0x20, 0x11, 0xdc, 0x58, 0xea, 0xf9,
0x2c, 0x43, 0x50, 0xc2, 0x33, 0x15, 0x58, 0x14,
0xd0, 0xf3, 0xe5, 0xe1, 0x17, 0x86, 0x4b, 0xfb,
0xdd, 0x83, 0xa3, 0xdd, 0x3a, 0xcc, 0x82, 0x05,
0xb9, 0xf2, 0xfd, 0x8d, 0x3c, 0x08, 0x5f, 0xd9,
0x79, 0x2d, 0xa3, 0xa0, 0xeb, 0xa3, 0xa2, 0xfe,
0x7b, 0x2b, 0xf9, 0x5d, 0x32, 0x52, 0xeb, 0xee,
0xe1, 0x68, 0xff, 0xe7, 0xb3, 0x0c, 0x08, 0x74,
0x8d, 0x3b, 0xa9, 0x17, 0x4c, 0x2a, 0xc7, 0x97,
0x99, 0xb7, 0xaf, 0x86, 0x17, 0xf9, 0xe4, 0x2c,
0x5a, 0x4d, 0x6d, 0x7f, 0xfe, 0xb8, 0xaa, 0x9b,
0xf8, 0xb6, 0xcb, 0x6f, 0x2f, 0xa4, 0x57, 0x61,
0x88, 0x6c, 0x94, 0xaa, 0xf7, 0x97, 0xcf, 0xcd,
0x19, 0x29, 0x9e, 0xf3, 0x30, 0xb8, 0xaa, 0x56,
0x49, 0xcb, 0xf0, 0x56, 0xdd, 0xac, 0x4b, 0x41,
0x00, 0xb3, 0x19, 0xdd, 0xef, 0x69, 0xd0, 0x9c,
0xd1, 0x67, 0x48, 0x62, 0x9f, 0x56, 0x21, 0x2d,
0x05, 0xb3, 0x4d, 0x0b, 0xac, 0xb6, 0x63, 0xf4,
0x44, 0xfc, 0x43, 0xc0, 0xa9, 0x8c, 0x37, 0xd6,
0xc3, 0x8c, 0xa4, 0x42, 0x68, 0x08, 0x2c, 0x1e,
0xe7, 0xcc, 0xe4, 0x1f, 0x82, 0x9a, 0xe0, 0xfb,
0x18, 0x84, 0x55, 0xaf, 0x02, 0xcc, 0x55, 0x13,
0x7e, 0xc7, 0x05, 0xb8, 0xb9, 0x5e, 0x90, 0xc3,
};
#else
byte expected32[CTR_LEN] = {
0x18, 0x5a, 0x48, 0xfd, 0xb7, 0xd5, 0x35, 0xf3,
0x3f, 0xb9, 0x14, 0x16, 0xf3, 0x05, 0xf3, 0x71,
0x72, 0x84, 0x88, 0x9a, 0x51, 0xe2, 0x97, 0xaa,
0x65, 0xc1, 0x3c, 0x0b, 0x1e, 0x9f, 0x29, 0xb8,
0xf4, 0xc8, 0x16, 0x9c, 0x47, 0x42, 0x0a, 0x9e,
0xae, 0xf0, 0x75, 0x9b, 0x54, 0xdd, 0x8a, 0xa4,
0x28, 0x97, 0xc1, 0x5a, 0xbb, 0x08, 0x52, 0x73,
0xf7, 0x67, 0xa4, 0xb8, 0xc9, 0x37, 0x8d, 0x9e,
0x23, 0x27, 0x68, 0xca, 0x2b, 0xb5, 0xd0, 0x1c,
0x11, 0xe2, 0x2e, 0x7e, 0x17, 0x6b, 0x38, 0x99,
0x82, 0x0c, 0x65, 0xed, 0x33, 0xd8, 0xa4, 0x47,
0x43, 0x9c, 0x16, 0xa6, 0xab, 0x5d, 0x39, 0xad,
0x88, 0x6a, 0x50, 0x86, 0xd4, 0x95, 0x1b, 0x91,
0xb3, 0x91, 0x7d, 0x06, 0xe0, 0xfc, 0x5e, 0xd1,
0xaf, 0x4c, 0xb3, 0xdb, 0x01, 0x01, 0xc9, 0x09,
0xf1, 0x7b, 0x2b, 0x87, 0xe4, 0xcd, 0x93, 0x22,
0x07, 0xdc, 0x35, 0x46, 0x8a, 0x1d, 0xf5, 0xe4,
0x23, 0x01, 0x67, 0x00, 0x66, 0x7b, 0xd6, 0x56,
0x0d, 0x57, 0x4f, 0x6f, 0x45, 0x82, 0x91, 0x58,
0x81, 0x37, 0xcc, 0xb4, 0xa4, 0xa3, 0x3c, 0x57,
0x42, 0x05, 0x95, 0xa3, 0x04, 0x1f, 0xfd, 0x32,
0xb7, 0xc8, 0xbb, 0x14, 0xe7, 0xf1, 0xc1, 0x1f,
0xe9, 0x33, 0x6a, 0xb0, 0x10, 0x0d, 0xfb, 0x91,
0x88, 0xca, 0x20, 0x29, 0xeb, 0xcd, 0x9c, 0x71,
0x07, 0xfd, 0x3f, 0x6b, 0x1f, 0xb3, 0x76, 0xb7,
0x6b, 0xa1, 0xad, 0xbe, 0xd3, 0x45, 0xb5, 0xe9,
0x04, 0x9a, 0xfd, 0x6a, 0x85, 0xa2, 0xbc, 0x4e,
0xca, 0xdb, 0x84, 0xbc, 0x0e, 0x0c, 0x96, 0x65,
0xc9, 0x95, 0x2b, 0xcb, 0x98, 0x8c, 0xd2, 0x78,
0x85, 0x7e, 0x1a, 0xa2, 0x6a, 0x73, 0x90, 0x80,
};
#endif
byte iv[] = "1234567890abcdef";
byte* key;
word32 keyLen;
byte* expected;
#if defined(WOLFSSL_AES_128)
key = key16;
keyLen = (word32)sizeof(key16) / sizeof(byte);
expected = expected16;
#elif defined(WOLFSSL_AES_192)
key = key24;
keyLen = (word32)sizeof(key24) / sizeof(byte);
expected = expected24;
#else
key = key32;
keyLen = (word32)sizeof(key32) / sizeof(byte);
expected = expected32;
#endif
/* Init stack variables. */
XMEMSET(&aes, 0, sizeof(Aes));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
EXPECT_TEST(test_wc_AesCtrEncrypt_BadArgs(&aes, key, keyLen, iv));
#ifdef WOLFSSL_AES_128
EXPECT_TEST(test_wc_AesCtrEncrypt_WithKey(&aes, key16,
(word32)sizeof(key16) / sizeof(byte), iv, vector, vector_enc16,
(word32)sizeof(vector) / sizeof(byte)));
#endif
#ifdef WOLFSSL_AES_192
EXPECT_TEST(test_wc_AesCtrEncrypt_WithKey(&aes, key24,
(word32)sizeof(key24) / sizeof(byte), iv, vector, vector_enc24,
(word32)sizeof(vector) / sizeof(byte)));
#endif
#ifdef WOLFSSL_AES_256
EXPECT_TEST(test_wc_AesCtrEncrypt_WithKey(&aes, key32,
(word32)sizeof(key32) / sizeof(byte), iv, vector, vector_enc32,
(word32)sizeof(vector) / sizeof(byte)));
#endif
EXPECT_TEST(test_wc_AesCtrEncrypt_Chunking(&aes, key, keyLen, iv,
expected));
#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
!defined(WOLFSSL_KCAPI)
EXPECT_TEST(test_wc_AesCtrEncrypt_SameBuffer(&aes, key, keyLen, iv,
expected));
#endif
wc_AesFree(&aes);
#endif
return EXPECT_RESULT();
} /* END test_wc_AesCtrEncryptDecrypt */
/*******************************************************************************
* AES-GCM
******************************************************************************/
/*
* test function for wc_AesGcmSetKey()
*/
int test_wc_AesGcmSetKey(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AESGCM)
Aes aes;
#ifdef WOLFSSL_AES_128
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
#endif
#ifdef WOLFSSL_AES_192
byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
};
#endif
#ifdef WOLFSSL_AES_256
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
#endif
byte badKey16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
};
byte badKey24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36
};
byte badKey32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x37, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
};
byte* key;
word32 keyLen;
#ifdef WOLFSSL_AES_128
key = key16;
keyLen = sizeof(key16)/sizeof(byte);
#elif defined(WOLFSSL_AES_192)
key = key24;
keyLen = sizeof(key24)/sizeof(byte);
#else
key = key32;
keyLen = sizeof(key32)/sizeof(byte);
#endif
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
#ifdef WOLFSSL_AES_128
ExpectIntEQ(wc_AesGcmSetKey(&aes, key16, sizeof(key16)/sizeof(byte)), 0);
#endif
#ifdef WOLFSSL_AES_192
ExpectIntEQ(wc_AesGcmSetKey(&aes, key24, sizeof(key24)/sizeof(byte)), 0);
#endif
#ifdef WOLFSSL_AES_256
ExpectIntEQ(wc_AesGcmSetKey(&aes, key32, sizeof(key32)/sizeof(byte)), 0);
#endif
/* Pass in bad args. */
ExpectIntEQ(wc_AesGcmSetKey(NULL, NULL, keyLen),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmSetKey(NULL, key, keyLen),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#if (!defined(HAVE_FIPS) || !defined(HAVE_FIPS_VERSION) || \
(HAVE_FIPS_VERSION > 6)) && !defined(HAVE_SELFTEST)
ExpectIntEQ(wc_AesGcmSetKey(&aes, NULL, keyLen),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
ExpectIntEQ(wc_AesGcmSetKey(&aes, badKey16, sizeof(badKey16)/sizeof(byte)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmSetKey(&aes, badKey24, sizeof(badKey24)/sizeof(byte)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmSetKey(&aes, badKey32, sizeof(badKey32)/sizeof(byte)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
wc_AesFree(&aes);
#endif
return EXPECT_RESULT();
} /* END test_wc_AesGcmSetKey */
int test_wc_AesGcmEncryptDecrypt_Sizes(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) && \
!defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI)
#define GCM_LEN (WC_AES_BLOCK_SIZE * 16)
byte expTagShort[WC_AES_BLOCK_SIZE][WC_AES_BLOCK_SIZE] = {
{
0x41, 0x5d, 0x72, 0x1e, 0xe0, 0x17, 0x7c, 0xe2,
0x33, 0xfb, 0x0e, 0xab, 0x5a, 0x08, 0x4c, 0xb0,
},
{
0x26, 0xe8, 0xc0, 0x9f, 0xbc, 0x70, 0x1d, 0x7e,
0x22, 0x43, 0x26, 0x1b, 0x21, 0x9d, 0x2c, 0x5b,
},
{
0x94, 0x8f, 0x24, 0xeb, 0xd1, 0x5b, 0x3d, 0x2a,
0x31, 0xf2, 0xe4, 0xf9, 0x07, 0xc8, 0xe7, 0x63,
},
{
0x62, 0xa9, 0x79, 0x97, 0x6c, 0x93, 0x77, 0x52,
0x2f, 0xbf, 0x51, 0xb2, 0xc2, 0xf7, 0xe5, 0xf4,
},
{
0xa5, 0x44, 0xfd, 0x3c, 0x16, 0x2a, 0x05, 0x7a,
0x52, 0xe1, 0xed, 0x13, 0x49, 0x81, 0x93, 0x7a,
},
{
0xe5, 0x3b, 0xd4, 0xc9, 0x9f, 0x9e, 0xf0, 0x55,
0xcd, 0x80, 0xb7, 0x42, 0xa4, 0xaf, 0x33, 0x88,
},
{
0x65, 0xa8, 0xc9, 0xa7, 0x8b, 0xdb, 0x80, 0xfe,
0x40, 0xfe, 0xb6, 0xe4, 0x00, 0xf9, 0x23, 0x72,
},
{
0xe0, 0x1e, 0xec, 0x38, 0x45, 0xf0, 0x9c, 0x82,
0x72, 0xac, 0x2f, 0xec, 0x3b, 0x2b, 0xfe, 0x75,
},
{
0xea, 0xb4, 0x5b, 0x4d, 0x76, 0x98, 0xc8, 0x34,
0x07, 0x1d, 0x7b, 0xaf, 0x36, 0xfa, 0x72, 0x9b,
},
{
0xcf, 0x2b, 0x12, 0x7a, 0x5a, 0x5a, 0x73, 0x73,
0xb5, 0xb6, 0xb6, 0xb0, 0x42, 0xa5, 0xc0, 0x23,
},
{
0xc1, 0x14, 0x52, 0xd0, 0xd0, 0x1d, 0xca, 0xce,
0x2e, 0x4c, 0xd8, 0x94, 0x62, 0x92, 0xf6, 0x9c,
},
{
0x5b, 0xd9, 0xa6, 0x8c, 0x34, 0x0e, 0x81, 0xaf,
0x09, 0xc3, 0x44, 0x74, 0x35, 0xce, 0x89, 0x92,
},
{
0xdc, 0x9f, 0xd0, 0xd5, 0xaa, 0x38, 0xe2, 0xce,
0x75, 0x88, 0x64, 0xee, 0x7a, 0x5d, 0x44, 0xa4,
},
{
0xc3, 0x35, 0xfe, 0xa9, 0x9d, 0x3d, 0x75, 0xb7,
0xba, 0xdd, 0x9e, 0xa5, 0x5d, 0xd3, 0x65, 0x80,
},
{
0x1d, 0x1a, 0x04, 0x99, 0xb5, 0x8b, 0xe8, 0xec,
0x81, 0xd1, 0xde, 0xd3, 0x3a, 0x09, 0xb4, 0x9f,
},
{
0xb8, 0x14, 0x0a, 0xc3, 0x8b, 0x88, 0x87, 0xa1,
0xdf, 0xfa, 0x6d, 0x15, 0x70, 0xde, 0xff, 0x3b,
},
};
byte expected[GCM_LEN] = {
0x9a, 0x10, 0xb2, 0x60, 0x38, 0x65, 0x46, 0x81,
0xc0, 0xa7, 0x0d, 0x3f, 0x5b, 0x4f, 0x27,
};
byte expTagLong[][WC_AES_BLOCK_SIZE] = {
{
0xdd, 0x1c, 0x3d, 0x12, 0xa4, 0x16, 0xa5, 0xf7,
0x67, 0xc5, 0x58, 0xb8, 0xda, 0x22, 0x6c, 0x22,
},
{
0xbe, 0x5e, 0x04, 0x61, 0xae, 0x36, 0x61, 0xfb,
0x86, 0x66, 0xda, 0x62, 0xaa, 0x36, 0x7e, 0x22,
},
{
0x18, 0xc3, 0xf5, 0xcf, 0x76, 0x24, 0xd4, 0x5c,
0xbb, 0xeb, 0xb3, 0x0a, 0x7a, 0x53, 0x64, 0x9b,
},
{
0xe0, 0xaa, 0xe9, 0x10, 0x41, 0x16, 0x72, 0x1b,
0x16, 0xd6, 0xd9, 0xcd, 0x2f, 0xe4, 0xd2, 0xe8,
},
{
0xfa, 0xdc, 0x28, 0x4a, 0x65, 0x96, 0xe0, 0x73,
0xfb, 0xcd, 0x2b, 0x35, 0xa0, 0x68, 0xde, 0x60,
},
};
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
Aes aes;
byte tag[WC_AES_BLOCK_SIZE];
byte iv[] = "1234567890a";
word32 ivLen = (word32)sizeof(iv)/sizeof(byte);
int sz;
int i;
WC_DECLARE_VAR(plain, byte, GCM_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, GCM_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_DECLARE_VAR(decrypted, byte, GCM_LEN, NULL);
#endif
WC_ALLOC_VAR(plain, byte, GCM_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, GCM_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_ALLOC_VAR(decrypted, byte, GCM_LEN, NULL);
#endif
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
#ifdef HAVE_AES_DECRYPT
ExpectNotNull(decrypted);
#endif
#endif
XMEMSET(&aes, 0, sizeof(Aes));
XMEMSET(plain, 0xa5, GCM_LEN);
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesGcmSetKey(&aes, key32, sizeof(key32)/sizeof(byte)), 0);
for (sz = 0; sz < WC_AES_BLOCK_SIZE; sz++) {
XMEMSET(cipher, 0, GCM_LEN);
ExpectIntEQ(wc_AesGcmEncrypt(&aes, cipher, plain, sz, iv, ivLen, tag,
sizeof(tag), NULL, 0), 0);
ExpectBufEQ(cipher, expected, sz);
ExpectBufEQ(tag, expTagShort[sz], WC_AES_BLOCK_SIZE);
#ifdef HAVE_AES_DECRYPT
XMEMSET(decrypted, 0xff, GCM_LEN);
ExpectIntEQ(wc_AesGcmDecrypt(&aes, decrypted, cipher, sz, iv, ivLen,
tag, sizeof(tag), NULL, 0), 0);
ExpectBufEQ(decrypted, plain, sz);
#endif
}
i = 0;
for (sz = WC_AES_BLOCK_SIZE; sz <= GCM_LEN; sz *= 2) {
XMEMSET(cipher, 0, GCM_LEN);
ExpectIntEQ(wc_AesGcmEncrypt(&aes, cipher, plain, sz, iv, ivLen, tag,
sizeof(tag), NULL, 0), 0);
ExpectBufEQ(tag, expTagLong[i], WC_AES_BLOCK_SIZE);
i++;
#ifdef HAVE_AES_DECRYPT
XMEMSET(decrypted, 0xff, GCM_LEN);
ExpectIntEQ(wc_AesGcmDecrypt(&aes, decrypted, cipher, sz, iv, ivLen,
tag, sizeof(tag), NULL, 0), 0);
ExpectBufEQ(decrypted, plain, sz);
#endif
}
wc_AesFree(&aes);
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
#ifdef HAVE_AES_DECRYPT
WC_FREE_VAR(decrypted, NULL);
#endif
#endif
return EXPECT_RESULT();
}
/*
* test function for wc_AesGcmEncrypt and wc_AesGcmDecrypt
*/
int test_wc_AesGcmEncryptDecrypt(void)
{
EXPECT_DECLS;
/* WOLFSSL_AFALG requires 12 byte IV */
#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) && \
!defined(WOLFSSL_AFALG) && !defined(WOLFSSL_DEVCRYPTO_AES)
Aes aes;
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte vector[] = { /* Now is the time for all w/o trailing 0 */
0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
};
const byte a[] = {
0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
0xab, 0xad, 0xda, 0xd2
};
byte iv[] = "1234567890a";
byte longIV[] = "1234567890abcdefghij";
byte enc[sizeof(vector)];
byte resultT[WC_AES_BLOCK_SIZE];
byte dec[sizeof(vector)];
/* Init stack variables. */
XMEMSET(&aes, 0, sizeof(Aes));
XMEMSET(enc, 0, sizeof(vector));
XMEMSET(dec, 0, sizeof(vector));
XMEMSET(resultT, 0, WC_AES_BLOCK_SIZE);
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesGcmSetKey(&aes, key32, sizeof(key32)/sizeof(byte)), 0);
ExpectIntEQ(wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), iv,
sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)), 0);
ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(vector), iv,
sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)), 0);
ExpectIntEQ(XMEMCMP(vector, dec, sizeof(vector)), 0);
/* Test bad args for wc_AesGcmEncrypt and wc_AesGcmDecrypt */
ExpectIntEQ(wc_AesGcmEncrypt(NULL, enc, vector, sizeof(vector), iv,
sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), iv,
sizeof(iv)/sizeof(byte), resultT, sizeof(resultT) + 1, a, sizeof(a)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), iv,
sizeof(iv)/sizeof(byte), resultT, sizeof(resultT) - 5, a, sizeof(a)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#if (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
(HAVE_FIPS_VERSION == 2)) || defined(HAVE_SELFTEST) || \
defined(WOLFSSL_AES_GCM_FIXED_IV_AAD)
/* FIPS does not check the lower bound of ivSz */
#else
ExpectIntEQ(wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), iv, 0,
resultT, sizeof(resultT), a, sizeof(a)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
/* This case is now considered good. Long IVs are now allowed.
* Except for the original FIPS release, it still has an upper
* bound on the IV length. */
#if (!defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))) && \
!defined(WOLFSSL_AES_GCM_FIXED_IV_AAD)
ExpectIntEQ(wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV,
sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
0);
#else
(void)longIV;
#endif /* Old FIPS */
/* END wc_AesGcmEncrypt */
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesGcmDecrypt(NULL, dec, enc, sizeof(enc)/sizeof(byte), iv,
sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecrypt(&aes, NULL, enc, sizeof(enc)/sizeof(byte), iv,
sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, NULL, sizeof(enc)/sizeof(byte), iv,
sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte), NULL,
sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte), iv,
sizeof(iv)/sizeof(byte), NULL, sizeof(resultT), a, sizeof(a)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#if (defined(HAVE_FIPS) && FIPS_VERSION_LE(2,0) && defined(WOLFSSL_ARMASM))
ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte), iv,
sizeof(iv)/sizeof(byte), resultT, sizeof(resultT) + 1, a, sizeof(a)),
WC_NO_ERR_TRACE(AES_GCM_AUTH_E));
#else
ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte), iv,
sizeof(iv)/sizeof(byte), resultT, sizeof(resultT) + 1, a, sizeof(a)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
#if ((defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
(HAVE_FIPS_VERSION == 2)) || defined(HAVE_SELFTEST)) && \
!defined(WOLFSSL_AES_GCM_FIXED_IV_AAD)
/* FIPS does not check the lower bound of ivSz */
#else
ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte),
iv, 0, resultT, sizeof(resultT), a, sizeof(a)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
#endif /* HAVE_AES_DECRYPT */
wc_AesFree(&aes);
#endif
return EXPECT_RESULT();
} /* END test_wc_AesGcmEncryptDecrypt */
/*
* test function for mixed (one-shot encryption + stream decryption) AES GCM
* using a long IV (older FIPS does NOT support long IVs). Relates to zd15423
*/
int test_wc_AesGcmMixedEncDecLongIV(void)
{
EXPECT_DECLS;
#if (!defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))) && \
!defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) && \
defined(WOLFSSL_AESGCM_STREAM)
const byte key[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
const byte in[] = {
0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
};
const byte aad[] = {
0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
0xab, 0xad, 0xda, 0xd2
};
Aes aesEnc;
Aes aesDec;
byte iv[] = "1234567890abcdefghij";
byte out[sizeof(in)];
byte plain[sizeof(in)];
byte tag[WC_AES_BLOCK_SIZE];
XMEMSET(&aesEnc, 0, sizeof(Aes));
XMEMSET(&aesDec, 0, sizeof(Aes));
XMEMSET(out, 0, sizeof(out));
XMEMSET(plain, 0, sizeof(plain));
XMEMSET(tag, 0, sizeof(tag));
/* Perform one-shot encryption using long IV */
ExpectIntEQ(wc_AesInit(&aesEnc, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesGcmSetKey(&aesEnc, key, sizeof(key)), 0);
ExpectIntEQ(wc_AesGcmEncrypt(&aesEnc, out, in, sizeof(in), iv, sizeof(iv),
tag, sizeof(tag), aad, sizeof(aad)), 0);
/* Perform streaming decryption using long IV */
ExpectIntEQ(wc_AesInit(&aesDec, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesGcmInit(&aesDec, key, sizeof(key), iv, sizeof(iv)), 0);
ExpectIntEQ(wc_AesGcmDecryptUpdate(&aesDec, plain, out, sizeof(out), aad,
sizeof(aad)), 0);
ExpectIntEQ(wc_AesGcmDecryptFinal(&aesDec, tag, sizeof(tag)), 0);
ExpectIntEQ(XMEMCMP(plain, in, sizeof(in)), 0);
/* Free resources */
wc_AesFree(&aesEnc);
wc_AesFree(&aesDec);
#endif
return EXPECT_RESULT();
} /* END wc_AesGcmMixedEncDecLongIV */
/*
* Testing streaming AES-GCM API.
*/
int test_wc_AesGcmStream(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_128) && defined(HAVE_AESGCM) && \
defined(WOLFSSL_AESGCM_STREAM)
int i;
WC_RNG rng[1];
Aes aesEnc[1];
Aes aesDec[1];
byte tag[WC_AES_BLOCK_SIZE];
byte in[WC_AES_BLOCK_SIZE * 3 + 2] = { 0, };
byte out[WC_AES_BLOCK_SIZE * 3 + 2];
byte plain[WC_AES_BLOCK_SIZE * 3 + 2];
byte aad[WC_AES_BLOCK_SIZE * 3 + 2] = { 0, };
byte key[AES_128_KEY_SIZE] = { 0, };
byte iv[AES_IV_SIZE] = { 1, };
byte ivOut[AES_IV_SIZE];
static const byte expTagAAD1[WC_AES_BLOCK_SIZE] = {
0x6c, 0x35, 0xe6, 0x7f, 0x59, 0x9e, 0xa9, 0x2f,
0x27, 0x2d, 0x5f, 0x8e, 0x7e, 0x42, 0xd3, 0x05
};
static const byte expTagPlain1[WC_AES_BLOCK_SIZE] = {
0x24, 0xba, 0x57, 0x95, 0xd0, 0x27, 0x9e, 0x78,
0x3a, 0x88, 0x4c, 0x0a, 0x5d, 0x50, 0x23, 0xd1
};
static const byte expTag[WC_AES_BLOCK_SIZE] = {
0x22, 0x91, 0x70, 0xad, 0x42, 0xc3, 0xad, 0x96,
0xe0, 0x31, 0x57, 0x60, 0xb7, 0x92, 0xa3, 0x6d
};
XMEMSET(&rng, 0, sizeof(WC_RNG));
XMEMSET(&aesEnc, 0, sizeof(Aes));
XMEMSET(&aesDec, 0, sizeof(Aes));
/* Create a random for generating IV/nonce. */
ExpectIntEQ(wc_InitRng(rng), 0);
/* Initialize data structures. */
ExpectIntEQ(wc_AesInit(aesEnc, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
/* BadParameters to streaming init. */
ExpectIntEQ(wc_AesGcmEncryptInit(NULL, NULL, 0, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptInit(NULL, NULL, 0, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptInit(aesEnc, NULL, AES_128_KEY_SIZE, NULL,
0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptInit(aesEnc, NULL, 0, NULL, GCM_NONCE_MID_SZ),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Bad parameters to encrypt update. */
ExpectIntEQ(wc_AesGcmEncryptUpdate(NULL, NULL, NULL, 0, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 1, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, in, 1, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, out, NULL, 1, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 0, NULL, 1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Bad parameters to decrypt update. */
ExpectIntEQ(wc_AesGcmDecryptUpdate(NULL, NULL, NULL, 0, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 1, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, in, 1, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, out, NULL, 1, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 0, NULL, 1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Bad parameters to encrypt final. */
ExpectIntEQ(wc_AesGcmEncryptFinal(NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmEncryptFinal(NULL, tag, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmEncryptFinal(NULL, NULL, WC_AES_BLOCK_SIZE),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, NULL, WC_AES_BLOCK_SIZE),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE + 1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Bad parameters to decrypt final. */
ExpectIntEQ(wc_AesGcmDecryptFinal(NULL, NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptFinal(NULL, tag, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptFinal(NULL, NULL, WC_AES_BLOCK_SIZE),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, NULL, WC_AES_BLOCK_SIZE),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE + 1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Check calling final before setting key fails. */
ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, sizeof(tag)),
WC_NO_ERR_TRACE(MISSING_KEY));
ExpectIntEQ(wc_AesGcmEncryptFinal(aesDec, tag, sizeof(tag)),
WC_NO_ERR_TRACE(MISSING_KEY));
/* Check calling update before setting key else fails. */
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 0, aad, 1),
WC_NO_ERR_TRACE(MISSING_KEY));
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 0, aad, 1),
WC_NO_ERR_TRACE(MISSING_KEY));
/* Set key but not IV. */
ExpectIntEQ(wc_AesGcmInit(aesEnc, key, sizeof(key), NULL, 0), 0);
ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), NULL, 0), 0);
/* Check calling final before setting IV fails. */
ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, sizeof(tag)),
WC_NO_ERR_TRACE(MISSING_IV));
ExpectIntEQ(wc_AesGcmEncryptFinal(aesDec, tag, sizeof(tag)),
WC_NO_ERR_TRACE(MISSING_IV));
/* Check calling update before setting IV else fails. */
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 0, aad, 1),
WC_NO_ERR_TRACE(MISSING_IV));
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 0, aad, 1),
WC_NO_ERR_TRACE(MISSING_IV));
/* Set IV using fixed part IV and external IV APIs. */
ExpectIntEQ(wc_AesGcmSetIV(aesEnc, GCM_NONCE_MID_SZ, iv, AES_IV_FIXED_SZ,
rng), 0);
ExpectIntEQ(wc_AesGcmEncryptInit_ex(aesEnc, NULL, 0, ivOut,
GCM_NONCE_MID_SZ), 0);
ExpectIntEQ(wc_AesGcmSetExtIV(aesDec, ivOut, GCM_NONCE_MID_SZ), 0);
ExpectIntEQ(wc_AesGcmInit(aesDec, NULL, 0, NULL, 0), 0);
/* Encrypt and decrypt data. */
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, out, in, 1, aad, 1), 0);
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, plain, out, 1, aad, 1), 0);
ExpectIntEQ(XMEMCMP(plain, in, 1), 0);
/* Finalize and check tag matches. */
ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE), 0);
ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE), 0);
/* Set key and IV through streaming init API. */
wc_AesFree(aesEnc);
wc_AesFree(aesDec);
ExpectIntEQ(wc_AesInit(aesEnc, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesGcmInit(aesEnc, key, sizeof(key), iv, AES_IV_SIZE), 0);
ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), iv, AES_IV_SIZE), 0);
/* Encrypt/decrypt one block and AAD of one block. */
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, out, in, WC_AES_BLOCK_SIZE, aad,
WC_AES_BLOCK_SIZE), 0);
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, plain, out, WC_AES_BLOCK_SIZE,
aad, WC_AES_BLOCK_SIZE), 0);
ExpectIntEQ(XMEMCMP(plain, in, WC_AES_BLOCK_SIZE), 0);
/* Finalize and check tag matches. */
ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE), 0);
ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE), 0);
/* Set key and IV through streaming init API. */
wc_AesFree(aesEnc);
wc_AesFree(aesDec);
ExpectIntEQ(wc_AesInit(aesEnc, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesGcmInit(aesEnc, key, sizeof(key), iv, AES_IV_SIZE), 0);
ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), iv, AES_IV_SIZE), 0);
/* No data to encrypt/decrypt one byte of AAD. */
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 0, aad, 1), 0);
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 0, aad, 1), 0);
/* Finalize and check tag matches. */
ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE), 0);
ExpectIntEQ(XMEMCMP(tag, expTagAAD1, WC_AES_BLOCK_SIZE), 0);
ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE), 0);
/* Set key and IV through streaming init API. */
wc_AesFree(aesEnc);
wc_AesFree(aesDec);
ExpectIntEQ(wc_AesInit(aesEnc, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesGcmInit(aesEnc, key, sizeof(key), iv, AES_IV_SIZE), 0);
ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), iv, AES_IV_SIZE), 0);
/* Encrypt/decrypt one byte and no AAD. */
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, out, in, 1, NULL, 0), 0);
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, plain, out, 1, NULL, 0), 0);
ExpectIntEQ(XMEMCMP(plain, in, 1), 0);
/* Finalize and check tag matches. */
ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE), 0);
ExpectIntEQ(XMEMCMP(tag, expTagPlain1, WC_AES_BLOCK_SIZE), 0);
ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE), 0);
/* Set key and IV through streaming init API. */
wc_AesFree(aesEnc);
wc_AesFree(aesDec);
ExpectIntEQ(wc_AesInit(aesEnc, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesGcmInit(aesEnc, key, sizeof(key), iv, AES_IV_SIZE), 0);
ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), iv, AES_IV_SIZE), 0);
/* Encryption AES is one byte at a time */
for (i = 0; i < (int)sizeof(aad); i++) {
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 0, aad + i, 1),
0);
}
for (i = 0; i < (int)sizeof(in); i++) {
ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, out + i, in + i, 1, NULL, 0),
0);
}
/* Decryption AES is two bytes at a time */
for (i = 0; i < (int)sizeof(aad); i += 2) {
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 0, aad + i, 2),
0);
}
for (i = 0; i < (int)sizeof(aad); i += 2) {
ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, plain + i, out + i, 2, NULL,
0), 0);
}
ExpectIntEQ(XMEMCMP(plain, in, sizeof(in)), 0);
/* Finalize and check tag matches. */
ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE), 0);
ExpectIntEQ(XMEMCMP(tag, expTag, WC_AES_BLOCK_SIZE), 0);
ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE), 0);
/* Check streaming encryption can be decrypted with one shot. */
wc_AesFree(aesDec);
ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), iv, AES_IV_SIZE), 0);
ExpectIntEQ(wc_AesGcmSetKey(aesDec, key, sizeof(key)), 0);
ExpectIntEQ(wc_AesGcmDecrypt(aesDec, plain, out, sizeof(in), iv,
AES_IV_SIZE, tag, WC_AES_BLOCK_SIZE, aad, sizeof(aad)), 0);
ExpectIntEQ(XMEMCMP(plain, in, sizeof(in)), 0);
wc_AesFree(aesEnc);
wc_AesFree(aesDec);
wc_FreeRng(rng);
#endif
return EXPECT_RESULT();
} /* END test_wc_AesGcmStream */
/*******************************************************************************
* GMAC
******************************************************************************/
/*
* unit test for wc_GmacSetKey()
*/
int test_wc_GmacSetKey(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AESGCM)
Gmac gmac;
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
#ifdef WOLFSSL_AES_192
byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
};
#endif
#ifdef WOLFSSL_AES_256
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
#endif
byte badKey16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x66
};
byte badKey24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
};
byte badKey32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
XMEMSET(&gmac, 0, sizeof(Gmac));
ExpectIntEQ(wc_AesInit(&gmac.aes, NULL, INVALID_DEVID), 0);
#ifdef WOLFSSL_AES_128
ExpectIntEQ(wc_GmacSetKey(&gmac, key16, sizeof(key16)/sizeof(byte)), 0);
#endif
#ifdef WOLFSSL_AES_192
ExpectIntEQ(wc_GmacSetKey(&gmac, key24, sizeof(key24)/sizeof(byte)), 0);
#endif
#ifdef WOLFSSL_AES_256
ExpectIntEQ(wc_GmacSetKey(&gmac, key32, sizeof(key32)/sizeof(byte)), 0);
#endif
/* Pass in bad args. */
ExpectIntEQ(wc_GmacSetKey(NULL, key16, sizeof(key16)/sizeof(byte)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_GmacSetKey(&gmac, NULL, sizeof(key16)/sizeof(byte)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_GmacSetKey(&gmac, badKey16, sizeof(badKey16)/sizeof(byte)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_GmacSetKey(&gmac, badKey24, sizeof(badKey24)/sizeof(byte)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_GmacSetKey(&gmac, badKey32, sizeof(badKey32)/sizeof(byte)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
wc_AesFree(&gmac.aes);
#endif
return EXPECT_RESULT();
} /* END test_wc_GmacSetKey */
/*
* unit test for wc_GmacUpdate
*/
int test_wc_GmacUpdate(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AESGCM)
Gmac gmac;
#ifdef WOLFSSL_AES_128
const byte key16[] = {
0x89, 0xc9, 0x49, 0xe9, 0xc8, 0x04, 0xaf, 0x01,
0x4d, 0x56, 0x04, 0xb3, 0x94, 0x59, 0xf2, 0xc8
};
#endif
#ifdef WOLFSSL_AES_192
byte key24[] = {
0x41, 0xc5, 0xda, 0x86, 0x67, 0xef, 0x72, 0x52,
0x20, 0xff, 0xe3, 0x9a, 0xe0, 0xac, 0x59, 0x0a,
0xc9, 0xfc, 0xa7, 0x29, 0xab, 0x60, 0xad, 0xa0
};
#endif
#ifdef WOLFSSL_AES_256
byte key32[] = {
0x78, 0xdc, 0x4e, 0x0a, 0xaf, 0x52, 0xd9, 0x35,
0xc3, 0xc0, 0x1e, 0xea, 0x57, 0x42, 0x8f, 0x00,
0xca, 0x1f, 0xd4, 0x75, 0xf5, 0xda, 0x86, 0xa4,
0x9c, 0x8d, 0xd7, 0x3d, 0x68, 0xc8, 0xe2, 0x23
};
#endif
#ifdef WOLFSSL_AES_128
const byte authIn[] = {
0x82, 0xad, 0xcd, 0x63, 0x8d, 0x3f, 0xa9, 0xd9,
0xf3, 0xe8, 0x41, 0x00, 0xd6, 0x1e, 0x07, 0x77
};
#endif
#ifdef WOLFSSL_AES_192
const byte authIn2[] = {
0x8b, 0x5c, 0x12, 0x4b, 0xef, 0x6e, 0x2f, 0x0f,
0xe4, 0xd8, 0xc9, 0x5c, 0xd5, 0xfa, 0x4c, 0xf1
};
#endif
const byte authIn3[] = {
0xb9, 0x6b, 0xaa, 0x8c, 0x1c, 0x75, 0xa6, 0x71,
0xbf, 0xb2, 0xd0, 0x8d, 0x06, 0xbe, 0x5f, 0x36
};
#ifdef WOLFSSL_AES_128
const byte tag1[] = { /* Known. */
0x88, 0xdb, 0x9d, 0x62, 0x17, 0x2e, 0xd0, 0x43,
0xaa, 0x10, 0xf1, 0x6d, 0x22, 0x7d, 0xc4, 0x1b
};
#endif
#ifdef WOLFSSL_AES_192
const byte tag2[] = { /* Known */
0x20, 0x4b, 0xdb, 0x1b, 0xd6, 0x21, 0x54, 0xbf,
0x08, 0x92, 0x2a, 0xaa, 0x54, 0xee, 0xd7, 0x05
};
#endif
const byte tag3[] = { /* Known */
0x3e, 0x5d, 0x48, 0x6a, 0xa2, 0xe3, 0x0b, 0x22,
0xe0, 0x40, 0xb8, 0x57, 0x23, 0xa0, 0x6e, 0x76
};
#ifdef WOLFSSL_AES_128
const byte iv[] = {
0xd1, 0xb1, 0x04, 0xc8, 0x15, 0xbf, 0x1e, 0x94,
0xe2, 0x8c, 0x8f, 0x16
};
#endif
#ifdef WOLFSSL_AES_192
const byte iv2[] = {
0x05, 0xad, 0x13, 0xa5, 0xe2, 0xc2, 0xab, 0x66,
0x7e, 0x1a, 0x6f, 0xbc
};
#endif
const byte iv3[] = {
0xd7, 0x9c, 0xf2, 0x2d, 0x50, 0x4c, 0xc7, 0x93,
0xc3, 0xfb, 0x6c, 0x8a
};
byte tagOut[16];
byte tagOut2[24];
byte tagOut3[32];
/* Init stack variables. */
XMEMSET(&gmac, 0, sizeof(Gmac));
XMEMSET(tagOut, 0, sizeof(tagOut));
XMEMSET(tagOut2, 0, sizeof(tagOut2));
XMEMSET(tagOut3, 0, sizeof(tagOut3));
#ifdef WOLFSSL_AES_128
ExpectIntEQ(wc_AesInit(&gmac.aes, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_GmacSetKey(&gmac, key16, sizeof(key16)), 0);
ExpectIntEQ(wc_GmacUpdate(&gmac, iv, sizeof(iv), authIn, sizeof(authIn),
tagOut, sizeof(tag1)), 0);
ExpectIntEQ(XMEMCMP(tag1, tagOut, sizeof(tag1)), 0);
wc_AesFree(&gmac.aes);
#endif
#ifdef WOLFSSL_AES_192
ExpectNotNull(XMEMSET(&gmac, 0, sizeof(Gmac)));
ExpectIntEQ(wc_AesInit(&gmac.aes, HEAP_HINT, INVALID_DEVID), 0);
ExpectIntEQ(wc_GmacSetKey(&gmac, key24, sizeof(key24)/sizeof(byte)), 0);
ExpectIntEQ(wc_GmacUpdate(&gmac, iv2, sizeof(iv2), authIn2, sizeof(authIn2),
tagOut2, sizeof(tag2)), 0);
ExpectIntEQ(XMEMCMP(tagOut2, tag2, sizeof(tag2)), 0);
wc_AesFree(&gmac.aes);
#endif
#ifdef WOLFSSL_AES_256
ExpectNotNull(XMEMSET(&gmac, 0, sizeof(Gmac)));
ExpectIntEQ(wc_AesInit(&gmac.aes, HEAP_HINT, INVALID_DEVID), 0);
ExpectIntEQ(wc_GmacSetKey(&gmac, key32, sizeof(key32)/sizeof(byte)), 0);
ExpectIntEQ(wc_GmacUpdate(&gmac, iv3, sizeof(iv3), authIn3, sizeof(authIn3),
tagOut3, sizeof(tag3)), 0);
ExpectIntEQ(XMEMCMP(tag3, tagOut3, sizeof(tag3)), 0);
wc_AesFree(&gmac.aes);
#endif
/* Pass bad args. */
ExpectIntEQ(wc_AesInit(&gmac.aes, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_GmacUpdate(NULL, iv3, sizeof(iv3), authIn3, sizeof(authIn3),
tagOut3, sizeof(tag3)), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_GmacUpdate(&gmac, iv3, sizeof(iv3), authIn3, sizeof(authIn3),
tagOut3, sizeof(tag3) - 5), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_GmacUpdate(&gmac, iv3, sizeof(iv3), authIn3, sizeof(authIn3),
tagOut3, sizeof(tag3) + 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
wc_AesFree(&gmac.aes);
#endif
return EXPECT_RESULT();
} /* END test_wc_GmacUpdate */
/*******************************************************************************
* AES-CCM
******************************************************************************/
/*
* unit test for wc_AesCcmSetKey
*/
int test_wc_AesCcmSetKey(void)
{
EXPECT_DECLS;
#ifdef HAVE_AESCCM
Aes aes;
const byte key16[] = {
0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf
};
const byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
};
const byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
XMEMSET(&aes, 0, sizeof(Aes));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
#ifdef WOLFSSL_AES_128
ExpectIntEQ(wc_AesCcmSetKey(&aes, key16, sizeof(key16)), 0);
#endif
#ifdef WOLFSSL_AES_192
ExpectIntEQ(wc_AesCcmSetKey(&aes, key24, sizeof(key24)), 0);
#endif
#ifdef WOLFSSL_AES_256
ExpectIntEQ(wc_AesCcmSetKey(&aes, key32, sizeof(key32)), 0);
#endif
/* Test bad args. */
ExpectIntEQ(wc_AesCcmSetKey(&aes, key16, sizeof(key16) - 1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmSetKey(&aes, key24, sizeof(key24) - 1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmSetKey(&aes, key32, sizeof(key32) - 1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
wc_AesFree(&aes);
#endif
return EXPECT_RESULT();
} /* END test_wc_AesCcmSetKey */
/*
* Unit test function for wc_AesCcmEncrypt and wc_AesCcmDecrypt
*/
int test_wc_AesCcmEncryptDecrypt(void)
{
EXPECT_DECLS;
#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
Aes aes;
const byte key16[] = {
0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf
};
/* plaintext */
const byte plainT[] = {
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
};
/* nonce */
const byte iv[] = {
0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xa0,
0xa1, 0xa2, 0xa3, 0xa4, 0xa5
};
const byte c[] = { /* cipher text. */
0x58, 0x8c, 0x97, 0x9a, 0x61, 0xc6, 0x63, 0xd2,
0xf0, 0x66, 0xd0, 0xc2, 0xc0, 0xf9, 0x89, 0x80,
0x6d, 0x5f, 0x6b, 0x61, 0xda, 0xc3, 0x84
};
const byte t[] = { /* Auth tag */
0x17, 0xe8, 0xd1, 0x2c, 0xfd, 0xf9, 0x26, 0xe0
};
const byte authIn[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
byte cipherOut[sizeof(plainT)];
byte authTag[sizeof(t)];
#ifdef HAVE_AES_DECRYPT
byte plainOut[sizeof(cipherOut)];
#endif
XMEMSET(&aes, 0, sizeof(Aes));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesCcmSetKey(&aes, key16, sizeof(key16)), 0);
ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(cipherOut),
iv, sizeof(iv), authTag, sizeof(authTag), authIn , sizeof(authIn)), 0);
ExpectIntEQ(XMEMCMP(cipherOut, c, sizeof(c)), 0);
ExpectIntEQ(XMEMCMP(t, authTag, sizeof(t)), 0);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(plainOut),
iv, sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)), 0);
ExpectIntEQ(XMEMCMP(plainOut, plainT, sizeof(plainT)), 0);
#endif
/* Pass in bad args. Encrypt*/
ExpectIntEQ(wc_AesCcmEncrypt(NULL, cipherOut, plainT, sizeof(cipherOut),
iv, sizeof(iv), authTag, sizeof(authTag), authIn , sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmEncrypt(&aes, NULL, plainT, sizeof(cipherOut),
iv, sizeof(iv), authTag, sizeof(authTag), authIn , sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, NULL, sizeof(cipherOut),
iv, sizeof(iv), authTag, sizeof(authTag), authIn , sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(cipherOut),
NULL, sizeof(iv), authTag, sizeof(authTag), authIn , sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(cipherOut),
iv, sizeof(iv), NULL, sizeof(authTag), authIn , sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(cipherOut),
iv, sizeof(iv) + 1, authTag, sizeof(authTag), authIn , sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(cipherOut),
iv, sizeof(iv) - 7, authTag, sizeof(authTag), authIn , sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#ifdef HAVE_AES_DECRYPT
/* Pass in bad args. Decrypt*/
ExpectIntEQ(wc_AesCcmDecrypt(NULL, plainOut, cipherOut, sizeof(plainOut),
iv, sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmDecrypt(&aes, NULL, cipherOut, sizeof(plainOut),
iv, sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, NULL, sizeof(plainOut),
iv, sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(plainOut),
NULL, sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(plainOut),
iv, sizeof(iv), NULL, sizeof(authTag), authIn, sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(plainOut),
iv, sizeof(iv) + 1, authTag, sizeof(authTag), authIn, sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(plainOut),
iv, sizeof(iv) - 7, authTag, sizeof(authTag), authIn, sizeof(authIn)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
wc_AesFree(&aes);
#endif /* HAVE_AESCCM */
return EXPECT_RESULT();
} /* END test_wc_AesCcmEncryptDecrypt */
/*******************************************************************************
* AES-XTS
******************************************************************************/
/*
* test function for wc_AesXtsSetKey()
*/
int test_wc_AesXtsSetKey(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS)
XtsAes aes;
#ifdef WOLFSSL_AES_128
byte key16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
};
#endif
#if defined(WOLFSSL_AES_192) && !defined(HAVE_FIPS)
byte key24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
#endif
#ifdef WOLFSSL_AES_256
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
#endif
byte badKey16[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
};
byte badKey24[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36
};
byte badKey32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x37, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
};
byte* key;
word32 keyLen;
#ifdef WOLFSSL_AES_128
key = key16;
keyLen = sizeof(key16)/sizeof(byte);
#elif defined(WOLFSSL_AES_192)
key = key24;
keyLen = sizeof(key24)/sizeof(byte);
#else
key = key32;
keyLen = sizeof(key32)/sizeof(byte);
#endif
#ifdef WOLFSSL_AES_128
ExpectIntEQ(wc_AesXtsSetKey(&aes, key16, sizeof(key16)/sizeof(byte),
AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
wc_AesXtsFree(&aes);
#endif
#if defined(WOLFSSL_AES_192) && !defined(HAVE_FIPS)
ExpectIntEQ(wc_AesXtsSetKey(&aes, key24, sizeof(key24)/sizeof(byte),
AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
wc_AesXtsFree(&aes);
#endif
#ifdef WOLFSSL_AES_256
ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
wc_AesXtsFree(&aes);
#endif
/* Pass in bad args. */
ExpectIntEQ(wc_AesXtsSetKey(NULL, NULL, keyLen, AES_ENCRYPTION, NULL,
INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesXtsSetKey(NULL, key, keyLen, AES_ENCRYPTION, NULL,
INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesXtsSetKey(&aes, NULL, keyLen, AES_ENCRYPTION, NULL,
INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesXtsSetKey(&aes, badKey16, sizeof(badKey16)/sizeof(byte),
AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(WC_KEY_SIZE_E));
ExpectIntEQ(wc_AesXtsSetKey(&aes, badKey24, sizeof(badKey24)/sizeof(byte),
AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(WC_KEY_SIZE_E));
ExpectIntEQ(wc_AesXtsSetKey(&aes, badKey32, sizeof(badKey32)/sizeof(byte),
AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(WC_KEY_SIZE_E));
ExpectIntEQ(wc_AesXtsSetKey(&aes, key, keyLen, -2, NULL, INVALID_DEVID),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
return EXPECT_RESULT();
} /* END test_wc_AesXtsSetKey */
int test_wc_AesXtsEncryptDecrypt_Sizes(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
defined(WOLFSSL_AES_256) && !defined(WOLFSSL_AFALG) && \
!defined(WOLFSSL_KCAPI)
#define XTS_LEN (WC_AES_BLOCK_SIZE * 16)
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte tweak[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
};
XtsAes aes;
word32 tweakLen = (word32)sizeof(tweak)/sizeof(byte);
int sz;
WC_DECLARE_VAR(plain, byte, XTS_LEN, NULL);
WC_DECLARE_VAR(cipher, byte, XTS_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_DECLARE_VAR(decrypted, byte, XTS_LEN, NULL);
#endif
WC_ALLOC_VAR(plain, byte, XTS_LEN, NULL);
WC_ALLOC_VAR(cipher, byte, XTS_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
WC_ALLOC_VAR(decrypted, byte, XTS_LEN, NULL);
#endif
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
#ifdef HAVE_AES_DECRYPT
ExpectNotNull(decrypted);
#endif
#endif
XMEMSET(&aes, 0, sizeof(Aes));
XMEMSET(plain, 0xa5, XTS_LEN);
for (sz = WC_AES_BLOCK_SIZE; sz <= XTS_LEN; sz *= 2) {
ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
XMEMSET(cipher, 0, XTS_LEN);
ExpectIntEQ(wc_AesXtsEncrypt(&aes, cipher, plain, sz, tweak, tweakLen),
0);
wc_AesXtsFree(&aes);
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
AES_DECRYPTION, NULL, INVALID_DEVID), 0);
XMEMSET(decrypted, 0xff, XTS_LEN);
ExpectIntEQ(wc_AesXtsDecrypt(&aes, decrypted, cipher, sz, tweak,
tweakLen), 0);
ExpectBufEQ(decrypted, plain, sz);
wc_AesXtsFree(&aes);
#endif
}
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
#ifdef HAVE_AES_DECRYPT
WC_FREE_VAR(decrypted, NULL);
#endif
#endif
return EXPECT_RESULT();
}
/*
* test function for wc_AesXtsEncrypt and wc_AesXtsDecrypt
*/
int test_wc_AesXtsEncryptDecrypt(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
defined(WOLFSSL_AES_256)
XtsAes aes;
byte key32[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
};
byte vector[] = { /* Now is the time for all w/o trailing 0 */
0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
};
byte tweak[] = {
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
};
word32 tweakLen = (word32)sizeof(tweak)/sizeof(byte);
byte enc[sizeof(vector)];
byte resultT[WC_AES_BLOCK_SIZE];
byte dec[sizeof(vector)];
/* Init stack variables. */
XMEMSET(&aes, 0, sizeof(Aes));
XMEMSET(enc, 0, sizeof(vector));
XMEMSET(dec, 0, sizeof(vector));
XMEMSET(resultT, 0, WC_AES_BLOCK_SIZE);
ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesXtsEncrypt(&aes, enc, vector, sizeof(vector), tweak,
tweakLen), 0);
wc_AesXtsFree(&aes);
ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
AES_DECRYPTION, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesXtsDecrypt(&aes, dec, enc, sizeof(vector), tweak,
tweakLen), 0);
ExpectIntEQ(XMEMCMP(vector, dec, sizeof(vector)), 0);
wc_AesXtsFree(&aes);
ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
/* Test bad args for wc_AesXtsEncrypt and wc_AesXtsDecrypt */
ExpectIntEQ(wc_AesXtsEncrypt(NULL, enc, vector, sizeof(vector), tweak,
tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesXtsEncrypt(&aes, NULL, vector, sizeof(vector), tweak,
tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesXtsEncrypt(&aes, enc, NULL, sizeof(vector), tweak,
tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
wc_AesXtsFree(&aes);
/* END wc_AesXtsEncrypt */
#ifdef HAVE_AES_DECRYPT
ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
AES_DECRYPTION, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesXtsDecrypt(NULL, dec, enc, sizeof(enc)/sizeof(byte),
tweak, tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesXtsDecrypt(&aes, NULL, enc, sizeof(enc)/sizeof(byte),
tweak, tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesXtsDecrypt(&aes, dec, NULL, sizeof(enc)/sizeof(byte),
tweak, tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
wc_AesXtsFree(&aes);
#endif /* HAVE_AES_DECRYPT */
#endif
return EXPECT_RESULT();
} /* END test_wc_AesXtsEncryptDecrypt */
#if defined(WOLFSSL_AES_EAX) && defined(WOLFSSL_AES_256) && \
(!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
/*******************************************************************************
* AES-EAX
******************************************************************************/
/*
* Testing test_wc_AesEaxVectors()
*/
int test_wc_AesEaxVectors(void)
{
EXPECT_DECLS;
typedef struct {
byte key[AES_256_KEY_SIZE];
int key_length;
byte iv[WC_AES_BLOCK_SIZE];
int iv_length;
byte aad[WC_AES_BLOCK_SIZE * 2];
int aad_length;
byte msg[WC_AES_BLOCK_SIZE * 5];
int msg_length;
byte ct[WC_AES_BLOCK_SIZE * 5];
int ct_length;
byte tag[WC_AES_BLOCK_SIZE];
int tag_length;
int valid;
} AadVector;
/* Test vectors obtained from Google wycheproof project
* https://github.com/google/wycheproof
* from testvectors/aes_eax_test.json
*/
const AadVector vectors[] = {
#ifdef WOLFSSL_AES_128
{
/* key, key length */
{0x23, 0x39, 0x52, 0xde, 0xe4, 0xd5, 0xed, 0x5f,
0x9b, 0x9c, 0x6d, 0x6f, 0xf8, 0x0f, 0xf4, 0x78}, 16,
/* iv, iv length */
{0x62, 0xec, 0x67, 0xf9, 0xc3, 0xa4, 0xa4, 0x07,
0xfc, 0xb2, 0xa8, 0xc4, 0x90, 0x31, 0xa8, 0xb3}, 16,
/* aad, aad length */
{0x6b, 0xfb, 0x91, 0x4f, 0xd0, 0x7e, 0xae, 0x6b}, 8,
/* msg, msg length */
{0x00}, 0,
/* ct, ct length */
{0x00}, 0,
/* tag, tag length */
{0xe0, 0x37, 0x83, 0x0e, 0x83, 0x89, 0xf2, 0x7b,
0x02, 0x5a, 0x2d, 0x65, 0x27, 0xe7, 0x9d, 0x01}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x91, 0x94, 0x5d, 0x3f, 0x4d, 0xcb, 0xee, 0x0b,
0xf4, 0x5e, 0xf5, 0x22, 0x55, 0xf0, 0x95, 0xa4}, 16,
/* iv, iv length */
{0xbe, 0xca, 0xf0, 0x43, 0xb0, 0xa2, 0x3d, 0x84,
0x31, 0x94, 0xba, 0x97, 0x2c, 0x66, 0xde, 0xbd}, 16,
/* aad, aad length */
{0xfa, 0x3b, 0xfd, 0x48, 0x06, 0xeb, 0x53, 0xfa}, 8,
/* msg, msg length */
{0xf7, 0xfb}, 2,
/* ct, ct length */
{0x19, 0xdd}, 2,
/* tag, tag length */
{0x5c, 0x4c, 0x93, 0x31, 0x04, 0x9d, 0x0b, 0xda,
0xb0, 0x27, 0x74, 0x08, 0xf6, 0x79, 0x67, 0xe5}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x01, 0xf7, 0x4a, 0xd6, 0x40, 0x77, 0xf2, 0xe7,
0x04, 0xc0, 0xf6, 0x0a, 0xda, 0x3d, 0xd5, 0x23}, 16,
/* iv, iv length */
{0x70, 0xc3, 0xdb, 0x4f, 0x0d, 0x26, 0x36, 0x84,
0x00, 0xa1, 0x0e, 0xd0, 0x5d, 0x2b, 0xff, 0x5e}, 16,
/* aad, aad length */
{0x23, 0x4a, 0x34, 0x63, 0xc1, 0x26, 0x4a, 0xc6}, 8,
/* msg, msg length */
{0x1a, 0x47, 0xcb, 0x49, 0x33}, 5,
/* ct, ct length */
{0xd8, 0x51, 0xd5, 0xba, 0xe0}, 5,
/* tag, tag length */
{0x3a, 0x59, 0xf2, 0x38, 0xa2, 0x3e, 0x39, 0x19,
0x9d, 0xc9, 0x26, 0x66, 0x26, 0xc4, 0x0f, 0x80}, 16,
/* valid */
1,
},
{
/* key, key length */
{0xd0, 0x7c, 0xf6, 0xcb, 0xb7, 0xf3, 0x13, 0xbd,
0xde, 0x66, 0xb7, 0x27, 0xaf, 0xd3, 0xc5, 0xe8}, 16,
/* iv, iv length */
{0x84, 0x08, 0xdf, 0xff, 0x3c, 0x1a, 0x2b, 0x12,
0x92, 0xdc, 0x19, 0x9e, 0x46, 0xb7, 0xd6, 0x17}, 16,
/* aad, aad length */
{0x33, 0xcc, 0xe2, 0xea, 0xbf, 0xf5, 0xa7, 0x9d}, 8,
/* msg, msg length */
{0x48, 0x1c, 0x9e, 0x39, 0xb1}, 5,
/* ct, ct length */
{0x63, 0x2a, 0x9d, 0x13, 0x1a}, 5,
/* tag, tag length */
{0xd4, 0xc1, 0x68, 0xa4, 0x22, 0x5d, 0x8e, 0x1f,
0xf7, 0x55, 0x93, 0x99, 0x74, 0xa7, 0xbe, 0xde}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x35, 0xb6, 0xd0, 0x58, 0x00, 0x05, 0xbb, 0xc1,
0x2b, 0x05, 0x87, 0x12, 0x45, 0x57, 0xd2, 0xc2}, 16,
/* iv, iv length */
{0xfd, 0xb6, 0xb0, 0x66, 0x76, 0xee, 0xdc, 0x5c,
0x61, 0xd7, 0x42, 0x76, 0xe1, 0xf8, 0xe8, 0x16}, 16,
/* aad, aad length */
{0xae, 0xb9, 0x6e, 0xae, 0xbe, 0x29, 0x70, 0xe9}, 8,
/* msg, msg length */
{0x40, 0xd0, 0xc0, 0x7d, 0xa5, 0xe4}, 6,
/* ct, ct length */
{0x07, 0x1d, 0xfe, 0x16, 0xc6, 0x75}, 6,
/* tag, tag length */
{0xcb, 0x06, 0x77, 0xe5, 0x36, 0xf7, 0x3a, 0xfe,
0x6a, 0x14, 0xb7, 0x4e, 0xe4, 0x98, 0x44, 0xdd}, 16,
/* valid */
1,
},
{
/* key, key length */
{0xbd, 0x8e, 0x6e, 0x11, 0x47, 0x5e, 0x60, 0xb2,
0x68, 0x78, 0x4c, 0x38, 0xc6, 0x2f, 0xeb, 0x22}, 16,
/* iv, iv length */
{0x6e, 0xac, 0x5c, 0x93, 0x07, 0x2d, 0x8e, 0x85,
0x13, 0xf7, 0x50, 0x93, 0x5e, 0x46, 0xda, 0x1b}, 16,
/* aad, aad length */
{0xd4, 0x48, 0x2d, 0x1c, 0xa7, 0x8d, 0xce, 0x0f}, 8,
/* msg, msg length */
{0x4d, 0xe3, 0xb3, 0x5c, 0x3f, 0xc0, 0x39, 0x24,
0x5b, 0xd1, 0xfb, 0x7d}, 12,
/* ct, ct length */
{0x83, 0x5b, 0xb4, 0xf1, 0x5d, 0x74, 0x3e, 0x35,
0x0e, 0x72, 0x84, 0x14}, 12,
/* tag, tag length */
{0xab, 0xb8, 0x64, 0x4f, 0xd6, 0xcc, 0xb8, 0x69,
0x47, 0xc5, 0xe1, 0x05, 0x90, 0x21, 0x0a, 0x4f}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x7c, 0x77, 0xd6, 0xe8, 0x13, 0xbe, 0xd5, 0xac,
0x98, 0xba, 0xa4, 0x17, 0x47, 0x7a, 0x2e, 0x7d}, 16,
/* iv, iv length */
{0x1a, 0x8c, 0x98, 0xdc, 0xd7, 0x3d, 0x38, 0x39,
0x3b, 0x2b, 0xf1, 0x56, 0x9d, 0xee, 0xfc, 0x19}, 16,
/* aad, aad length */
{0x65, 0xd2, 0x01, 0x79, 0x90, 0xd6, 0x25, 0x28}, 8,
/* msg, msg length */
{0x8b, 0x0a, 0x79, 0x30, 0x6c, 0x9c, 0xe7, 0xed,
0x99, 0xda, 0xe4, 0xf8, 0x7f, 0x8d, 0xd6, 0x16,
0x36}, 17,
/* ct, ct length */
{0x02, 0x08, 0x3e, 0x39, 0x79, 0xda, 0x01, 0x48,
0x12, 0xf5, 0x9f, 0x11, 0xd5, 0x26, 0x30, 0xda,
0x30}, 17,
/* tag, tag length */
{0x13, 0x73, 0x27, 0xd1, 0x06, 0x49, 0xb0, 0xaa,
0x6e, 0x1c, 0x18, 0x1d, 0xb6, 0x17, 0xd7, 0xf2}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x5f, 0xff, 0x20, 0xca, 0xfa, 0xb1, 0x19, 0xca,
0x2f, 0xc7, 0x35, 0x49, 0xe2, 0x0f, 0x5b, 0x0d}, 16,
/* iv, iv length */
{0xdd, 0xe5, 0x9b, 0x97, 0xd7, 0x22, 0x15, 0x6d,
0x4d, 0x9a, 0xff, 0x2b, 0xc7, 0x55, 0x98, 0x26}, 16,
/* aad, aad length */
{0x54, 0xb9, 0xf0, 0x4e, 0x6a, 0x09, 0x18, 0x9a}, 8,
/* msg, msg length */
{0x1b, 0xda, 0x12, 0x2b, 0xce, 0x8a, 0x8d, 0xba,
0xf1, 0x87, 0x7d, 0x96, 0x2b, 0x85, 0x92, 0xdd,
0x2d, 0x56}, 18,
/* ct, ct length */
{0x2e, 0xc4, 0x7b, 0x2c, 0x49, 0x54, 0xa4, 0x89,
0xaf, 0xc7, 0xba, 0x48, 0x97, 0xed, 0xcd, 0xae,
0x8c, 0xc3}, 18,
/* tag, tag length */
{0x3b, 0x60, 0x45, 0x05, 0x99, 0xbd, 0x02, 0xc9,
0x63, 0x82, 0x90, 0x2a, 0xef, 0x7f, 0x83, 0x2a}, 16,
/* valid */
1,
},
{
/* key, key length */
{0xa4, 0xa4, 0x78, 0x2b, 0xcf, 0xfd, 0x3e, 0xc5,
0xe7, 0xef, 0x6d, 0x8c, 0x34, 0xa5, 0x61, 0x23}, 16,
/* iv, iv length */
{0xb7, 0x81, 0xfc, 0xf2, 0xf7, 0x5f, 0xa5, 0xa8,
0xde, 0x97, 0xa9, 0xca, 0x48, 0xe5, 0x22, 0xec}, 16,
/* aad, aad length */
{0x89, 0x9a, 0x17, 0x58, 0x97, 0x56, 0x1d, 0x7e}, 8,
/* msg, msg length */
{0x6c, 0xf3, 0x67, 0x20, 0x87, 0x2b, 0x85, 0x13,
0xf6, 0xea, 0xb1, 0xa8, 0xa4, 0x44, 0x38, 0xd5,
0xef, 0x11}, 18,
/* ct, ct length */
{0x0d, 0xe1, 0x8f, 0xd0, 0xfd, 0xd9, 0x1e, 0x7a,
0xf1, 0x9f, 0x1d, 0x8e, 0xe8, 0x73, 0x39, 0x38,
0xb1, 0xe8}, 18,
/* tag, tag length */
{0xe7, 0xf6, 0xd2, 0x23, 0x16, 0x18, 0x10, 0x2f,
0xdb, 0x7f, 0xe5, 0x5f, 0xf1, 0x99, 0x17, 0x00}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x83, 0x95, 0xfc, 0xf1, 0xe9, 0x5b, 0xeb, 0xd6,
0x97, 0xbd, 0x01, 0x0b, 0xc7, 0x66, 0xaa, 0xc3}, 16,
/* iv, iv length */
{0x22, 0xe7, 0xad, 0xd9, 0x3c, 0xfc, 0x63, 0x93,
0xc5, 0x7e, 0xc0, 0xb3, 0xc1, 0x7d, 0x6b, 0x44}, 16,
/* aad, aad length */
{0x12, 0x67, 0x35, 0xfc, 0xc3, 0x20, 0xd2, 0x5a}, 8,
/* msg, msg length */
{0xca, 0x40, 0xd7, 0x44, 0x6e, 0x54, 0x5f, 0xfa,
0xed, 0x3b, 0xd1, 0x2a, 0x74, 0x0a, 0x65, 0x9f,
0xfb, 0xbb, 0x3c, 0xea, 0xb7}, 21,
/* ct, ct length */
{0xcb, 0x89, 0x20, 0xf8, 0x7a, 0x6c, 0x75, 0xcf,
0xf3, 0x96, 0x27, 0xb5, 0x6e, 0x3e, 0xd1, 0x97,
0xc5, 0x52, 0xd2, 0x95, 0xa7}, 21,
/* tag, tag length */
{0xcf, 0xc4, 0x6a, 0xfc, 0x25, 0x3b, 0x46, 0x52,
0xb1, 0xaf, 0x37, 0x95, 0xb1, 0x24, 0xab, 0x6e}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x3c, 0x8c, 0xc2, 0x97, 0x0a, 0x00, 0x8f, 0x75,
0xcc, 0x5b, 0xea, 0xe2, 0x84, 0x72, 0x58, 0xc2}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
/* ct, ct length */
{0x3c, 0x44, 0x1f, 0x32, 0xce, 0x07, 0x82, 0x23,
0x64, 0xd7, 0xa2, 0x99, 0x0e, 0x50, 0xbb, 0x13,
0xd7, 0xb0, 0x2a, 0x26, 0x96, 0x9e, 0x4a, 0x93,
0x7e, 0x5e, 0x90, 0x73, 0xb0, 0xd9, 0xc9, 0x68}, 32,
/* tag, tag length */
{0xdb, 0x90, 0xbd, 0xb3, 0xda, 0x3d, 0x00, 0xaf,
0xd0, 0xfc, 0x6a, 0x83, 0x55, 0x1d, 0xa9, 0x5e}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0xae, 0xf0, 0x3d, 0x00, 0x59, 0x84, 0x94, 0xe9,
0xfb, 0x03, 0xcd, 0x7d, 0x8b, 0x59, 0x08, 0x66}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
/* ct, ct length */
{0xd1, 0x9a, 0xc5, 0x98, 0x49, 0x02, 0x6a, 0x91,
0xaa, 0x1b, 0x9a, 0xec, 0x29, 0xb1, 0x1a, 0x20,
0x2a, 0x4d, 0x73, 0x9f, 0xd8, 0x6c, 0x28, 0xe3,
0xae, 0x3d, 0x58, 0x8e, 0xa2, 0x1d, 0x70, 0xc6}, 32,
/* tag, tag length */
{0xc3, 0x0f, 0x6c, 0xd9, 0x20, 0x20, 0x74, 0xed,
0x6e, 0x2a, 0x2a, 0x36, 0x0e, 0xac, 0x8c, 0x47}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x55, 0xd1, 0x25, 0x11, 0xc6, 0x96, 0xa8, 0x0d,
0x05, 0x14, 0xd1, 0xff, 0xba, 0x49, 0xca, 0xda}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
/* ct, ct length */
{0x21, 0x08, 0x55, 0x8a, 0xc4, 0xb2, 0xc2, 0xd5,
0xcc, 0x66, 0xce, 0xa5, 0x1d, 0x62, 0x10, 0xe0,
0x46, 0x17, 0x7a, 0x67, 0x63, 0x1c, 0xd2, 0xdd,
0x8f, 0x09, 0x46, 0x97, 0x33, 0xac, 0xb5, 0x17}, 32,
/* tag, tag length */
{0xfc, 0x35, 0x5e, 0x87, 0xa2, 0x67, 0xbe, 0x3a,
0xe3, 0xe4, 0x4c, 0x0b, 0xf3, 0xf9, 0x9b, 0x2b}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x79, 0x42, 0x2d, 0xdd, 0x91, 0xc4, 0xee, 0xe2,
0xde, 0xae, 0xf1, 0xf9, 0x68, 0x30, 0x53, 0x04}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
/* ct, ct length */
{0x4d, 0x2c, 0x15, 0x24, 0xca, 0x4b, 0xaa, 0x4e,
0xef, 0xcc, 0xe6, 0xb9, 0x1b, 0x22, 0x7e, 0xe8,
0x3a, 0xba, 0xff, 0x81, 0x05, 0xdc, 0xaf, 0xa2,
0xab, 0x19, 0x1f, 0x5d, 0xf2, 0x57, 0x50, 0x35}, 32,
/* tag, tag length */
{0xe2, 0xc8, 0x65, 0xce, 0x2d, 0x7a, 0xbd, 0xac,
0x02, 0x4c, 0x6f, 0x99, 0x1a, 0x84, 0x83, 0x90}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x0a, 0xf5, 0xaa, 0x7a, 0x76, 0x76, 0xe2, 0x83,
0x06, 0x30, 0x6b, 0xcd, 0x9b, 0xf2, 0x00, 0x3a}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
/* ct, ct length */
{0x8e, 0xb0, 0x1e, 0x62, 0x18, 0x5d, 0x78, 0x2e,
0xb9, 0x28, 0x7a, 0x34, 0x1a, 0x68, 0x62, 0xac,
0x52, 0x57, 0xd6, 0xf9, 0xad, 0xc9, 0x9e, 0xe0,
0xa2, 0x4d, 0x9c, 0x22, 0xb3, 0xe9, 0xb3, 0x8a}, 32,
/* tag, tag length */
{0x39, 0xc3, 0x39, 0xbc, 0x8a, 0x74, 0xc7, 0x5e,
0x2c, 0x65, 0xc6, 0x11, 0x95, 0x44, 0xd6, 0x1e}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0xaf, 0x5a, 0x03, 0xae, 0x7e, 0xdd, 0x73, 0x47,
0x1b, 0xdc, 0xdf, 0xac, 0x5e, 0x19, 0x4a, 0x60}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
/* ct, ct length */
{0x94, 0xc5, 0xd2, 0xac, 0xa6, 0xdb, 0xbc, 0xe8,
0xc2, 0x45, 0x13, 0xa2, 0x5e, 0x09, 0x5c, 0x0e,
0x54, 0xa9, 0x42, 0x86, 0x0d, 0x32, 0x7a, 0x22,
0x2a, 0x81, 0x5c, 0xc7, 0x13, 0xb1, 0x63, 0xb4}, 32,
/* tag, tag length */
{0xf5, 0x0b, 0x30, 0x30, 0x4e, 0x45, 0xc9, 0xd4,
0x11, 0xe8, 0xdf, 0x45, 0x08, 0xa9, 0x86, 0x12}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0xb3, 0x70, 0x87, 0x68, 0x0f, 0x0e, 0xdd, 0x5a,
0x52, 0x22, 0x8b, 0x8c, 0x7a, 0xae, 0xa6, 0x64}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33}, 64,
/* ct, ct length */
{0x3b, 0xb6, 0x17, 0x3e, 0x37, 0x72, 0xd4, 0xb6,
0x2e, 0xef, 0x37, 0xf9, 0xef, 0x07, 0x81, 0xf3,
0x60, 0xb6, 0xc7, 0x4b, 0xe3, 0xbf, 0x6b, 0x37,
0x10, 0x67, 0xbc, 0x1b, 0x09, 0x0d, 0x9d, 0x66,
0x22, 0xa1, 0xfb, 0xec, 0x6a, 0xc4, 0x71, 0xb3,
0x34, 0x9c, 0xd4, 0x27, 0x7a, 0x10, 0x1d, 0x40,
0x89, 0x0f, 0xbf, 0x27, 0xdf, 0xdc, 0xd0, 0xb4,
0xe3, 0x78, 0x1f, 0x98, 0x06, 0xda, 0xab, 0xb6}, 64,
/* tag, tag length */
{0xa0, 0x49, 0x87, 0x45, 0xe5, 0x99, 0x99, 0xdd,
0xc3, 0x2d, 0x5b, 0x14, 0x02, 0x41, 0x12, 0x4e}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x4f, 0x80, 0x2d, 0xa6, 0x2a, 0x38, 0x45, 0x55,
0xa1, 0x9b, 0xc2, 0xb3, 0x82, 0xeb, 0x25, 0xaf}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44}, 80,
/* ct, ct length */
{0xe9, 0xb0, 0xbb, 0x88, 0x57, 0x81, 0x8c, 0xe3,
0x20, 0x1c, 0x36, 0x90, 0xd2, 0x1d, 0xaa, 0x7f,
0x26, 0x4f, 0xb8, 0xee, 0x93, 0xcc, 0x7a, 0x46,
0x74, 0xea, 0x2f, 0xc3, 0x2b, 0xf1, 0x82, 0xfb,
0x2a, 0x7e, 0x8a, 0xd5, 0x15, 0x07, 0xad, 0x4f,
0x31, 0xce, 0xfc, 0x23, 0x56, 0xfe, 0x79, 0x36,
0xa7, 0xf6, 0xe1, 0x9f, 0x95, 0xe8, 0x8f, 0xdb,
0xf1, 0x76, 0x20, 0x91, 0x6d, 0x3a, 0x6f, 0x3d,
0x01, 0xfc, 0x17, 0xd3, 0x58, 0x67, 0x2f, 0x77,
0x7f, 0xd4, 0x09, 0x92, 0x46, 0xe4, 0x36, 0xe1}, 80,
/* tag, tag length */
{0x67, 0x91, 0x0b, 0xe7, 0x44, 0xb8, 0x31, 0x5a,
0xe0, 0xeb, 0x61, 0x24, 0x59, 0x0c, 0x5d, 0x8b}, 16,
/* valid */
1,
},
{
/* key, key length */
{0xb6, 0x7b, 0x1a, 0x6e, 0xfd, 0xd4, 0x0d, 0x37,
0x08, 0x0f, 0xbe, 0x8f, 0x80, 0x47, 0xae, 0xb9}, 16,
/* iv, iv length */
{0xfa, 0x29, 0x4b, 0x12, 0x99, 0x72, 0xf7, 0xfc,
0x5b, 0xbd, 0x5b, 0x96, 0xbb, 0xa8, 0x37, 0xc9}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x00}, 0,
/* ct, ct length */
{0x00}, 0,
/* tag, tag length */
{0xb1, 0x4b, 0x64, 0xfb, 0x58, 0x98, 0x99, 0x69,
0x95, 0x70, 0xcc, 0x91, 0x60, 0xe3, 0x98, 0x96}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x20, 0x9e, 0x6d, 0xbf, 0x2a, 0xd2, 0x6a, 0x10,
0x54, 0x45, 0xfc, 0x02, 0x07, 0xcd, 0x9e, 0x9a}, 16,
/* iv, iv length */
{0x94, 0x77, 0x84, 0x9d, 0x6c, 0xcd, 0xfc, 0xa1,
0x12, 0xd9, 0x2e, 0x53, 0xfa, 0xe4, 0xa7, 0xca}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x01}, 1,
/* ct, ct length */
{0x1d}, 1,
/* tag, tag length */
{0x52, 0xa5, 0xf6, 0x00, 0xfe, 0x53, 0x38, 0x02,
0x6a, 0x7c, 0xb0, 0x9c, 0x11, 0x64, 0x00, 0x82}, 16,
/* valid */
1,
},
{
/* key, key length */
{0xa5, 0x49, 0x44, 0x2e, 0x35, 0x15, 0x40, 0x32,
0xd0, 0x7c, 0x86, 0x66, 0x00, 0x6a, 0xa6, 0xa2}, 16,
/* iv, iv length */
{0x51, 0x71, 0x52, 0x45, 0x68, 0xe8, 0x1d, 0x97,
0xe8, 0xc4, 0xde, 0x4b, 0xa5, 0x6c, 0x10, 0xa0}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x11, 0x82, 0xe9, 0x35, 0x96, 0xca, 0xc5, 0x60,
0x89, 0x46, 0x40, 0x0b, 0xc7, 0x3f, 0x3a}, 15,
/* ct, ct length */
{0xd7, 0xb8, 0xa6, 0xb4, 0x3d, 0x2e, 0x9f, 0x98,
0xc2, 0xb4, 0x4c, 0xe5, 0xe3, 0xcf, 0xdb}, 15,
/* tag, tag length */
{0x1b, 0xdd, 0x52, 0xfc, 0x98, 0x7d, 0xaf, 0x0e,
0xe1, 0x92, 0x34, 0xc9, 0x05, 0xea, 0x64, 0x5f}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x95, 0x8b, 0xcd, 0xb6, 0x6a, 0x39, 0x52, 0xb5,
0x37, 0x01, 0x58, 0x2a, 0x68, 0xa0, 0xe4, 0x74}, 16,
/* iv, iv length */
{0x0e, 0x6e, 0xc8, 0x79, 0xb0, 0x2c, 0x6f, 0x51,
0x69, 0x76, 0xe3, 0x58, 0x98, 0x42, 0x8d, 0xa7}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x14, 0x04, 0x15, 0x82, 0x3e, 0xcc, 0x89, 0x32,
0xa0, 0x58, 0x38, 0x4b, 0x73, 0x8e, 0xa6, 0xea,
0x6d, 0x4d, 0xfe, 0x3b, 0xbe, 0xee}, 22,
/* ct, ct length */
{0x73, 0xe5, 0xc6, 0xf0, 0xe7, 0x03, 0xa5, 0x2d,
0x02, 0xf7, 0xf7, 0xfa, 0xeb, 0x1b, 0x77, 0xfd,
0x4f, 0xd0, 0xcb, 0x42, 0x1e, 0xaf}, 22,
/* tag, tag length */
{0x6c, 0x15, 0x4a, 0x85, 0x96, 0x8e, 0xdd, 0x74,
0x77, 0x65, 0x75, 0xa4, 0x45, 0x0b, 0xd8, 0x97}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x96, 0x5b, 0x75, 0x7b, 0xa5, 0x01, 0x8a, 0x8d,
0x66, 0xed, 0xc7, 0x8e, 0x0c, 0xee, 0xe8, 0x6b}, 16,
/* iv, iv length */
{0x2e, 0x35, 0x90, 0x1a, 0xe7, 0xd4, 0x91, 0xee,
0xcc, 0x88, 0x38, 0xfe, 0xdd, 0x63, 0x14, 0x05}, 16,
/* aad, aad length */
{0xdf, 0x10, 0xd0, 0xd2, 0x12, 0x24, 0x24, 0x50}, 8,
/* msg, msg length */
{0x36, 0xe5, 0x7a, 0x76, 0x39, 0x58, 0xb0, 0x2c,
0xea, 0x9d, 0x6a, 0x67, 0x6e, 0xbc, 0xe8, 0x1f}, 16,
/* ct, ct length */
{0x93, 0x6b, 0x69, 0xb6, 0xc9, 0x55, 0xad, 0xfd,
0x15, 0x53, 0x9b, 0x9b, 0xe4, 0x98, 0x9c, 0xb6}, 16,
/* tag, tag length */
{0xee, 0x15, 0xa1, 0x45, 0x4e, 0x88, 0xfa, 0xad,
0x8e, 0x48, 0xa8, 0xdf, 0x29, 0x83, 0xb4, 0x25}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x88, 0xd0, 0x20, 0x33, 0x78, 0x1c, 0x7b, 0x41,
0x64, 0x71, 0x1a, 0x05, 0x42, 0x0f, 0x25, 0x6e}, 16,
/* iv, iv length */
{0x7f, 0x29, 0x85, 0x29, 0x63, 0x15, 0x50, 0x7a,
0xa4, 0xc0, 0xa9, 0x3d, 0x5c, 0x12, 0xbd, 0x77}, 16,
/* aad, aad length */
{0x7c, 0x57, 0x1d, 0x2f, 0xbb, 0x5f, 0x62, 0x52,
0x3c, 0x0e, 0xb3, 0x38, 0xbe, 0xf9, 0xa9}, 15,
/* msg, msg length */
{0xd9, 0x8a, 0xdc, 0x03, 0xd9, 0xd5, 0x82, 0x73,
0x2e, 0xb0, 0x7d, 0xf2, 0x3d, 0x7b, 0x9f, 0x74}, 16,
/* ct, ct length */
{0x67, 0xca, 0xac, 0x35, 0x44, 0x3a, 0x31, 0x38,
0xd2, 0xcb, 0x81, 0x1f, 0x0c, 0xe0, 0x4d, 0xd2}, 16,
/* tag, tag length */
{0xb7, 0x96, 0x8e, 0x0b, 0x56, 0x40, 0xe3, 0xb2,
0x36, 0x56, 0x96, 0x53, 0x20, 0x8b, 0x9d, 0xeb}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x51, 0x58, 0x40, 0xcf, 0x67, 0xd2, 0xe4, 0x0e,
0xb6, 0x5e, 0x54, 0xa2, 0x4c, 0x72, 0xcb, 0xf2}, 16,
/* iv, iv length */
{0xbf, 0x47, 0xaf, 0xdf, 0xd4, 0x92, 0x13, 0x7a,
0x24, 0x23, 0x6b, 0xc3, 0x67, 0x97, 0xa8, 0x8e}, 16,
/* aad, aad length */
{0x16, 0x84, 0x3c, 0x09, 0x1d, 0x43, 0xb0, 0xa1,
0x91, 0xd0, 0xc7, 0x3d, 0x15, 0x60, 0x1b, 0xe9}, 16,
/* msg, msg length */
{0xc8, 0x34, 0x58, 0x8c, 0xb6, 0xda, 0xf9, 0xf0,
0x6d, 0xd2, 0x35, 0x19, 0xf4, 0xbe, 0x9f, 0x56}, 16,
/* ct, ct length */
{0x20, 0x0a, 0xc4, 0x51, 0xfb, 0xeb, 0x0f, 0x61,
0x51, 0xd6, 0x15, 0x83, 0xa4, 0x3b, 0x73, 0x43}, 16,
/* tag, tag length */
{0x2a, 0xd4, 0x3e, 0x4c, 0xaa, 0x51, 0x98, 0x3a,
0x9d, 0x4d, 0x24, 0x48, 0x1b, 0xf4, 0xc8, 0x39}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x2e, 0x44, 0x92, 0xd4, 0x44, 0xe5, 0xb6, 0xf4,
0xce, 0xc8, 0xc2, 0xd3, 0x61, 0x5a, 0xc8, 0x58}, 16,
/* iv, iv length */
{0xd0, 0x2b, 0xf0, 0x76, 0x3a, 0x9f, 0xef, 0xbf,
0x70, 0xc3, 0x3a, 0xee, 0x1e, 0x9d, 0xa1, 0xd6}, 16,
/* aad, aad length */
{0x90, 0x4d, 0x86, 0xf1, 0x33, 0xce, 0xc1, 0x5a,
0x0c, 0x3c, 0xaf, 0x14, 0xd7, 0xe0, 0x29, 0xc8,
0x2a, 0x07, 0x70, 0x5a, 0x23, 0xf0, 0xd0, 0x80}, 24,
/* msg, msg length */
{0x9e, 0x62, 0xd6, 0x51, 0x1b, 0x0b, 0xda, 0x7d,
0xd7, 0x74, 0x0b, 0x61, 0x4d, 0x97, 0xba, 0xe0}, 16,
/* ct, ct length */
{0x27, 0xc6, 0xe9, 0xa6, 0x53, 0xc5, 0x25, 0x3c,
0xa1, 0xc5, 0x67, 0x3f, 0x97, 0xb9, 0xb3, 0x3e}, 16,
/* tag, tag length */
{0x2d, 0x58, 0x12, 0x71, 0xe1, 0xfa, 0x9e, 0x36,
0x86, 0x13, 0x6c, 0xaa, 0x8f, 0x4d, 0x6c, 0x8e}, 16,
/* valid */
1,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe7, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe4, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0x66, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0f, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0xd0, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x12, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x11, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0x72,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x53, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0xd2, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0xb8, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb0, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9a, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x99, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x1b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa6}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa5}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xe7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0x27}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe7, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
0x53, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0xd0, 0x13, 0xa6, 0xdb, 0x72,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0x72,
0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0x27}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0x19, 0xf1, 0x83, 0xaf, 0xec, 0x59, 0x24, 0x0d,
0xad, 0x67, 0x4e, 0x6d, 0x64, 0x3c, 0xa9, 0x58}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0x66, 0x8e, 0xfc, 0xd0, 0x93, 0x26, 0x5b, 0x72,
0xd2, 0x18, 0x31, 0x12, 0x1b, 0x43, 0xd6, 0x27}, 16,
/* valid */
0,
},
{
/* key, key length */
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
/* iv, iv length */
{0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
/* aad, aad length */
{0x00}, 0,
/* msg, msg length */
{0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
/* ct, ct length */
{0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
/* tag, tag length */
{0xe7, 0x0f, 0x7d, 0x51, 0x12, 0xa7, 0xda, 0xf3,
0x53, 0x99, 0xb0, 0x93, 0x9a, 0xc2, 0x57, 0xa6}, 16,
/* valid */
0,
},
#endif
};
byte ciphertext[sizeof(vectors[0].ct)];
byte authtag[sizeof(vectors[0].tag)];
int i;
int len;
int ret;
for (i = 0; i < (int)(sizeof(vectors)/sizeof(vectors[0])); i++) {
XMEMSET(ciphertext, 0, sizeof(ciphertext));
len = sizeof(authtag);
ExpectIntEQ(wc_AesEaxEncryptAuth(vectors[i].key, vectors[i].key_length,
ciphertext,
vectors[i].msg, vectors[i].msg_length,
vectors[i].iv, vectors[i].iv_length,
authtag, len,
vectors[i].aad, vectors[i].aad_length),
0);
/* check ciphertext matches vector */
ExpectIntEQ(XMEMCMP(ciphertext, vectors[i].ct, vectors[i].ct_length),
0);
/* check that computed tag matches vector only for vectors marked asx
* valid */
ret = XMEMCMP(authtag, vectors[i].tag, len);
if (vectors[i].valid) {
ExpectIntEQ(ret, 0);
}
else {
ExpectIntNE(ret, 0);
}
XMEMSET(ciphertext, 0, sizeof(ciphertext));
/* Decrypt, checking that the computed auth tags match */
ExpectIntEQ(wc_AesEaxDecryptAuth(vectors[i].key, vectors[i].key_length,
ciphertext,
vectors[i].ct, vectors[i].ct_length,
vectors[i].iv, vectors[i].iv_length,
authtag, len,
vectors[i].aad, vectors[i].aad_length),
0);
/* check decrypted ciphertext matches vector plaintext */
ExpectIntEQ(XMEMCMP(ciphertext, vectors[i].msg, vectors[i].msg_length),
0);
}
return EXPECT_RESULT();
} /* END test_wc_AesEaxVectors */
/*
* Testing test_wc_AesEaxEncryptAuth()
*/
int test_wc_AesEaxEncryptAuth(void)
{
EXPECT_DECLS;
const byte key[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F};
const byte iv[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F};
const byte aad[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
const byte msg[] = {0x00, 0x01, 0x02, 0x03, 0x04};
byte ciphertext[sizeof(msg)];
byte authtag[WC_AES_BLOCK_SIZE];
int i;
int len;
len = sizeof(authtag);
ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key),
ciphertext,
msg, sizeof(msg),
iv, sizeof(iv),
authtag, (word32)len,
aad, sizeof(aad)),
0);
/* Test null checking */
ExpectIntEQ(wc_AesEaxEncryptAuth(NULL, sizeof(key),
ciphertext,
msg, sizeof(msg),
iv, sizeof(iv),
authtag, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key),
NULL,
msg, sizeof(msg),
iv, sizeof(iv),
authtag, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key),
ciphertext,
NULL, sizeof(msg),
iv, sizeof(iv),
authtag, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key),
ciphertext,
msg, sizeof(msg),
NULL, sizeof(iv),
authtag, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key),
ciphertext,
msg, sizeof(msg),
iv, sizeof(iv),
NULL, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key),
ciphertext,
msg, sizeof(msg),
iv, sizeof(iv),
authtag, (word32)len,
NULL, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Test bad key lengths */
for (i = 0; i <= 32; i++) {
int exp_ret;
#ifdef WOLFSSL_AES_128
if (i == AES_128_KEY_SIZE) {
exp_ret = 0;
}
else
#endif
#ifdef WOLFSSL_AES_192
if (i == AES_192_KEY_SIZE) {
exp_ret = 0;
}
else
#endif
#ifdef WOLFSSL_AES_256
if (i == AES_256_KEY_SIZE) {
exp_ret = 0;
}
else
#endif
{
exp_ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
}
ExpectIntEQ(wc_AesEaxEncryptAuth(key, (word32)i,
ciphertext,
msg, sizeof(msg),
iv, sizeof(iv),
authtag, (word32)len,
aad, sizeof(aad)),
exp_ret);
}
/* Test auth tag size out of range */
len = WC_AES_BLOCK_SIZE + 1;
ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key),
ciphertext,
msg, sizeof(msg),
iv, sizeof(iv),
authtag, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
return EXPECT_RESULT();
} /* END test_wc_AesEaxEncryptAuth() */
/*
* Testing test_wc_AesEaxDecryptAuth()
*/
int test_wc_AesEaxDecryptAuth(void)
{
EXPECT_DECLS;
const byte key[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F};
const byte iv[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F};
const byte aad[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
const byte ct[] = {0x00, 0x01, 0x02, 0x03, 0x04};
/* Garbage tag that should always fail for above aad */
const byte tag[] = {0xFE, 0xED, 0xBE, 0xEF, 0xDE, 0xAD, 0xC0, 0xDE,
0xCA, 0xFE, 0xBE, 0xEF, 0xDE, 0xAF, 0xBE, 0xEF};
byte plaintext[sizeof(ct)];
int i;
int len;
len = sizeof(tag);
ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
plaintext,
ct, sizeof(ct),
iv, sizeof(iv),
tag, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(AES_EAX_AUTH_E));
/* Test null checking */
ExpectIntEQ(wc_AesEaxDecryptAuth(NULL, sizeof(key),
plaintext,
ct, sizeof(ct),
iv, sizeof(iv),
tag, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
NULL,
ct, sizeof(ct),
iv, sizeof(iv),
tag, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
plaintext,
NULL, sizeof(ct),
iv, sizeof(iv),
tag, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
plaintext,
ct, sizeof(ct),
NULL, sizeof(iv),
tag, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
plaintext,
ct, sizeof(ct),
iv, sizeof(iv),
NULL, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
plaintext,
ct, sizeof(ct),
iv, sizeof(iv),
tag, (word32)len,
NULL, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Test bad key lengths */
for (i = 0; i <= 32; i++) {
int exp_ret;
#ifdef WOLFSSL_AES_128
if (i == AES_128_KEY_SIZE) {
exp_ret = WC_NO_ERR_TRACE(AES_EAX_AUTH_E);
}
else
#endif
#ifdef WOLFSSL_AES_192
if (i == AES_192_KEY_SIZE) {
exp_ret = WC_NO_ERR_TRACE(AES_EAX_AUTH_E);
}
else
#endif
#ifdef WOLFSSL_AES_256
if (i == AES_256_KEY_SIZE) {
exp_ret = WC_NO_ERR_TRACE(AES_EAX_AUTH_E);
}
else
#endif
{
exp_ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
}
ExpectIntEQ(wc_AesEaxDecryptAuth(key, (word32)i,
plaintext,
ct, sizeof(ct),
iv, sizeof(iv),
tag, (word32)len,
aad, sizeof(aad)),
exp_ret);
}
/* Test auth tag size out of range */
len = WC_AES_BLOCK_SIZE + 1;
ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
plaintext,
ct, sizeof(ct),
iv, sizeof(iv),
tag, (word32)len,
aad, sizeof(aad)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
return EXPECT_RESULT();
} /* END test_wc_AesEaxDecryptAuth() */
/*
* Testing AES-EAX streaming (incremental) API:
* wc_AesEaxInit, wc_AesEaxEncryptUpdate, wc_AesEaxAuthDataUpdate,
* wc_AesEaxEncryptFinal, wc_AesEaxDecryptUpdate, wc_AesEaxDecryptFinal,
* wc_AesEaxFree
*/
int test_wc_AesEaxStream(void)
{
EXPECT_DECLS;
#ifdef WOLFSSL_AES_128
/* Wycheproof AES-EAX 128-bit key vectors */
/* Vector 1: empty plaintext - AAD passed via Init */
const byte key1[] = {0x23, 0x39, 0x52, 0xde, 0xe4, 0xd5, 0xed, 0x5f,
0x9b, 0x9c, 0x6d, 0x6f, 0xf8, 0x0f, 0xf4, 0x78};
const byte nonce1[] = {0x62, 0xec, 0x67, 0xf9, 0xc3, 0xa4, 0xa4, 0x07,
0xfc, 0xb2, 0xa8, 0xc4, 0x90, 0x31, 0xa8, 0xb3};
const byte aad1[] = {0x6b, 0xfb, 0x91, 0x4f, 0xd0, 0x7e, 0xae, 0x6b};
const byte tag1[] = {0xe0, 0x37, 0x83, 0x0e, 0x83, 0x89, 0xf2, 0x7b,
0x02, 0x5a, 0x2d, 0x65, 0x27, 0xe7, 0x9d, 0x01};
/* Vector 2: 2-byte plaintext - AAD passed via EncryptUpdate */
const byte key2[] = {0x91, 0x94, 0x5d, 0x3f, 0x4d, 0xcb, 0xee, 0x0b,
0xf4, 0x5e, 0xf5, 0x22, 0x55, 0xf0, 0x95, 0xa4};
const byte nonce2[] = {0xbe, 0xca, 0xf0, 0x43, 0xb0, 0xa2, 0x3d, 0x84,
0x31, 0x94, 0xba, 0x97, 0x2c, 0x66, 0xde, 0xbd};
const byte aad2[] = {0xfa, 0x3b, 0xfd, 0x48, 0x06, 0xeb, 0x53, 0xfa};
const byte pt2[] = {0xf7, 0xfb};
const byte ct2[] = {0x19, 0xdd};
const byte tag2[] = {0x5c, 0x4c, 0x93, 0x31, 0x04, 0x9d, 0x0b, 0xda,
0xb0, 0x27, 0x74, 0x08, 0xf6, 0x79, 0x67, 0xe5};
/* Vector 3: 5-byte plaintext - multi-chunk, AAD via AuthDataUpdate */
const byte key3[] = {0x01, 0xf7, 0x4a, 0xd6, 0x40, 0x77, 0xf2, 0xe7,
0x04, 0xc0, 0xf6, 0x0a, 0xda, 0x3d, 0xd5, 0x23};
const byte nonce3[] = {0x70, 0xc3, 0xdb, 0x4f, 0x0d, 0x26, 0x36, 0x84,
0x00, 0xa1, 0x0e, 0xd0, 0x5d, 0x2b, 0xff, 0x5e};
const byte aad3[] = {0x23, 0x4a, 0x34, 0x63, 0xc1, 0x26, 0x4a, 0xc6};
const byte pt3[] = {0x1a, 0x47, 0xcb, 0x49, 0x33};
const byte ct3[] = {0xd8, 0x51, 0xd5, 0xba, 0xe0};
const byte tag3[] = {0x3a, 0x59, 0xf2, 0x38, 0xa2, 0x3e, 0x39, 0x19,
0x9d, 0xc9, 0x26, 0x66, 0x26, 0xc4, 0x0f, 0x80};
AesEax eax;
byte out[16];
byte tagBuf[WC_AES_BLOCK_SIZE];
XMEMSET(&eax, 0, sizeof(eax));
XMEMSET(out, 0, sizeof(out));
XMEMSET(tagBuf, 0, sizeof(tagBuf));
/* --- Test 1: empty plaintext, AAD passed to Init --- */
ExpectIntEQ(wc_AesEaxInit(&eax, key1, sizeof(key1),
nonce1, sizeof(nonce1),
aad1, sizeof(aad1)), 0);
ExpectIntEQ(wc_AesEaxEncryptFinal(&eax, tagBuf, sizeof(tag1)), 0);
ExpectBufEQ(tagBuf, tag1, sizeof(tag1));
ExpectIntEQ(wc_AesEaxFree(&eax), 0);
/* --- Test 1d: empty plaintext decrypt --- */
ExpectIntEQ(wc_AesEaxInit(&eax, key1, sizeof(key1),
nonce1, sizeof(nonce1),
aad1, sizeof(aad1)), 0);
ExpectIntEQ(wc_AesEaxDecryptFinal(&eax, tag1, sizeof(tag1)), 0);
ExpectIntEQ(wc_AesEaxFree(&eax), 0);
/* --- Test 2: 2-byte plaintext, single EncryptUpdate with inline AAD --- */
ExpectIntEQ(wc_AesEaxInit(&eax, key2, sizeof(key2),
nonce2, sizeof(nonce2),
NULL, 0), 0);
ExpectIntEQ(wc_AesEaxEncryptUpdate(&eax, out, pt2, sizeof(pt2),
aad2, sizeof(aad2)), 0);
ExpectBufEQ(out, ct2, sizeof(ct2));
ExpectIntEQ(wc_AesEaxEncryptFinal(&eax, tagBuf, sizeof(tag2)), 0);
ExpectBufEQ(tagBuf, tag2, sizeof(tag2));
ExpectIntEQ(wc_AesEaxFree(&eax), 0);
/* --- Test 2d: 2-byte ciphertext, single DecryptUpdate with inline AAD --- */
ExpectIntEQ(wc_AesEaxInit(&eax, key2, sizeof(key2),
nonce2, sizeof(nonce2),
NULL, 0), 0);
ExpectIntEQ(wc_AesEaxDecryptUpdate(&eax, out, ct2, sizeof(ct2),
aad2, sizeof(aad2)), 0);
ExpectBufEQ(out, pt2, sizeof(pt2));
ExpectIntEQ(wc_AesEaxDecryptFinal(&eax, tag2, sizeof(tag2)), 0);
ExpectIntEQ(wc_AesEaxFree(&eax), 0);
/* --- Test 3: 5-byte plaintext, multi-chunk encrypt with AuthDataUpdate --- */
ExpectIntEQ(wc_AesEaxInit(&eax, key3, sizeof(key3),
nonce3, sizeof(nonce3),
NULL, 0), 0);
/* Feed AAD via AuthDataUpdate split into two calls */
ExpectIntEQ(wc_AesEaxAuthDataUpdate(&eax, aad3, 4), 0);
ExpectIntEQ(wc_AesEaxAuthDataUpdate(&eax, aad3 + 4, sizeof(aad3) - 4), 0);
/* Encrypt plaintext in two chunks */
ExpectIntEQ(wc_AesEaxEncryptUpdate(&eax, out, pt3, 2, NULL, 0), 0);
ExpectBufEQ(out, ct3, 2);
ExpectIntEQ(wc_AesEaxEncryptUpdate(&eax, out + 2, pt3 + 2,
(word32)(sizeof(pt3) - 2), NULL, 0), 0);
ExpectBufEQ(out + 2, ct3 + 2, sizeof(ct3) - 2);
ExpectIntEQ(wc_AesEaxEncryptFinal(&eax, tagBuf, sizeof(tag3)), 0);
ExpectBufEQ(tagBuf, tag3, sizeof(tag3));
ExpectIntEQ(wc_AesEaxFree(&eax), 0);
/* --- Test 3d: 5-byte ciphertext, multi-chunk decrypt with AuthDataUpdate --- */
ExpectIntEQ(wc_AesEaxInit(&eax, key3, sizeof(key3),
nonce3, sizeof(nonce3),
NULL, 0), 0);
ExpectIntEQ(wc_AesEaxAuthDataUpdate(&eax, aad3, 4), 0);
ExpectIntEQ(wc_AesEaxAuthDataUpdate(&eax, aad3 + 4, sizeof(aad3) - 4), 0);
/* Decrypt ciphertext in two chunks */
ExpectIntEQ(wc_AesEaxDecryptUpdate(&eax, out, ct3, 2, NULL, 0), 0);
ExpectBufEQ(out, pt3, 2);
ExpectIntEQ(wc_AesEaxDecryptUpdate(&eax, out + 2, ct3 + 2,
(word32)(sizeof(ct3) - 2), NULL, 0), 0);
ExpectBufEQ(out + 2, pt3 + 2, sizeof(pt3) - 2);
ExpectIntEQ(wc_AesEaxDecryptFinal(&eax, tag3, sizeof(tag3)), 0);
ExpectIntEQ(wc_AesEaxFree(&eax), 0);
/* --- Bad args --- */
/* wc_AesEaxInit */
ExpectIntEQ(wc_AesEaxInit(NULL, key1, sizeof(key1),
nonce1, sizeof(nonce1), NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxInit(&eax, NULL, sizeof(key1),
nonce1, sizeof(nonce1), NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxInit(&eax, key1, sizeof(key1),
NULL, sizeof(nonce1), NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* wc_AesEaxAuthDataUpdate */
ExpectIntEQ(wc_AesEaxAuthDataUpdate(NULL, aad1, sizeof(aad1)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* wc_AesEaxEncryptFinal */
ExpectIntEQ(wc_AesEaxEncryptFinal(NULL, tagBuf, WC_AES_BLOCK_SIZE),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* wc_AesEaxDecryptFinal NULL eax */
ExpectIntEQ(wc_AesEaxDecryptFinal(NULL, tag1, sizeof(tag1)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* wc_AesEaxDecryptFinal authInSz > WC_AES_BLOCK_SIZE */
ExpectIntEQ(wc_AesEaxInit(&eax, key1, sizeof(key1),
nonce1, sizeof(nonce1), NULL, 0), 0);
ExpectIntEQ(wc_AesEaxDecryptFinal(&eax, tag1, WC_AES_BLOCK_SIZE + 1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_AesEaxFree(&eax), 0);
/* wc_AesEaxFree NULL */
ExpectIntEQ(wc_AesEaxFree(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif /* WOLFSSL_AES_128 */
return EXPECT_RESULT();
} /* END test_wc_AesEaxStream() */
#endif /* WOLFSSL_AES_EAX && WOLFSSL_AES_256
* (!HAVE_FIPS || FIPS_VERSION_GE(5, 3)) && !HAVE_SELFTEST
*/
/*----------------------------------------------------------------------------*
| AES-SIV Test
*----------------------------------------------------------------------------*/
#if defined(WOLFSSL_AES_SIV) && defined(WOLFSSL_AES_128)
/*
* Testing wc_AesSivEncrypt, wc_AesSivDecrypt,
* wc_AesSivEncrypt_ex, wc_AesSivDecrypt_ex.
* Uses RFC 5297 Example A.1 (single assoc) and A.2 (two assocs).
*/
int test_wc_AesSivEncryptDecrypt(void)
{
EXPECT_DECLS;
/* RFC 5297 Example A.1: single associated data buffer */
const byte key_a1[] = {
0xff,0xfe,0xfd,0xfc,0xfb,0xfa,0xf9,0xf8,
0xf7,0xf6,0xf5,0xf4,0xf3,0xf2,0xf1,0xf0,
0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
};
const byte assoc_a1[] = {
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27
};
const byte pt_a1[] = {
0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,
0x99,0xaa,0xbb,0xcc,0xdd,0xee
};
const byte siv_a1[] = {
0x85,0x63,0x2d,0x07,0xc6,0xe8,0xf3,0x7f,
0x95,0x0a,0xcd,0x32,0x0a,0x2e,0xcc,0x93
};
const byte ct_a1[] = {
0x40,0xc0,0x2b,0x96,0x90,0xc4,0xdc,0x04,
0xda,0xef,0x7f,0x6a,0xfe,0x5c
};
/* RFC 5297 Example A.2: two associated data buffers, no nonce */
const byte key_a2[] = {
0x7f,0x7e,0x7d,0x7c,0x7b,0x7a,0x79,0x78,
0x77,0x76,0x75,0x74,0x73,0x72,0x71,0x70,
0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,
0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f
};
const byte assoc2_1_a2[] = {
0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,
0xde,0xad,0xda,0xda,0xde,0xad,0xda,0xda,
0xff,0xee,0xdd,0xcc,0xbb,0xaa,0x99,0x88,
0x77,0x66,0x55,0x44,0x33,0x22,0x11,0x00
};
const byte assoc2_2_a2[] = {
0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80,
0x90,0xa0
};
const byte nonce_a2[] = {
0x09,0xf9,0x11,0x02,0x9d,0x74,0xe3,0x5b,
0xd8,0x41,0x56,0xc5,0x63,0x56,0x88,0xc0
};
const byte pt_a2[] = {
0x74,0x68,0x69,0x73,0x20,0x69,0x73,0x20,
0x73,0x6f,0x6d,0x65,0x20,0x70,0x6c,0x61,
0x69,0x6e,0x74,0x65,0x78,0x74,0x20,0x74,
0x6f,0x20,0x65,0x6e,0x63,0x72,0x79,0x70,
0x74,0x20,0x75,0x73,0x69,0x6e,0x67,0x20,
0x53,0x49,0x56,0x2d,0x41,0x45,0x53
};
const byte siv_a2[] = {
0x7b,0xdb,0x6e,0x3b,0x43,0x26,0x67,0xeb,
0x06,0xf4,0xd1,0x4b,0xff,0x2f,0xbd,0x0f
};
const byte ct_a2[] = {
0xcb,0x90,0x0f,0x2f,0xdd,0xbe,0x40,0x43,
0x26,0x60,0x19,0x65,0xc8,0x89,0xbf,0x17,
0xdb,0xa7,0x7c,0xeb,0x09,0x4f,0xa6,0x63,
0xb7,0xa3,0xf7,0x48,0xba,0x8a,0xf8,0x29,
0xea,0x64,0xad,0x54,0x4a,0x27,0x2e,0x9c,
0x48,0x5b,0x62,0xa3,0xfd,0x5c,0x0d
};
byte siv[WC_AES_BLOCK_SIZE];
byte ct[sizeof(pt_a2)]; /* large enough for both tests */
byte pt[sizeof(pt_a2)];
/* --- A.1: wc_AesSivEncrypt (single assoc, no nonce) --- */
XMEMSET(siv, 0, sizeof(siv));
XMEMSET(ct, 0, sizeof(ct));
ExpectIntEQ(wc_AesSivEncrypt(key_a1, sizeof(key_a1),
assoc_a1, sizeof(assoc_a1),
NULL, 0,
pt_a1, sizeof(pt_a1),
siv, ct), 0);
ExpectBufEQ(siv, siv_a1, sizeof(siv_a1));
ExpectBufEQ(ct, ct_a1, sizeof(ct_a1));
/* --- A.1: wc_AesSivDecrypt --- */
XMEMSET(pt, 0, sizeof(pt));
XMEMCPY(siv, siv_a1, sizeof(siv_a1));
ExpectIntEQ(wc_AesSivDecrypt(key_a1, sizeof(key_a1),
assoc_a1, sizeof(assoc_a1),
NULL, 0,
ct_a1, sizeof(ct_a1),
siv, pt), 0);
ExpectBufEQ(pt, pt_a1, sizeof(pt_a1));
/* Corrupt SIV: decrypt must fail */
siv[0] ^= 0xff;
ExpectIntNE(wc_AesSivDecrypt(key_a1, sizeof(key_a1),
assoc_a1, sizeof(assoc_a1),
NULL, 0,
ct_a1, sizeof(ct_a1),
siv, pt), 0);
/* --- A.2: wc_AesSivEncrypt_ex (two assocs + nonce) --- */
{
const AesSivAssoc assocs[2] = {
{ assoc2_1_a2, sizeof(assoc2_1_a2) },
{ assoc2_2_a2, sizeof(assoc2_2_a2) }
};
XMEMSET(siv, 0, sizeof(siv));
XMEMSET(ct, 0, sizeof(ct));
ExpectIntEQ(wc_AesSivEncrypt_ex(key_a2, sizeof(key_a2),
assocs, 2,
nonce_a2, sizeof(nonce_a2),
pt_a2, sizeof(pt_a2),
siv, ct), 0);
ExpectBufEQ(siv, siv_a2, sizeof(siv_a2));
ExpectBufEQ(ct, ct_a2, sizeof(ct_a2));
/* wc_AesSivDecrypt_ex */
XMEMSET(pt, 0, sizeof(pt));
XMEMCPY(siv, siv_a2, sizeof(siv_a2));
ExpectIntEQ(wc_AesSivDecrypt_ex(key_a2, sizeof(key_a2),
assocs, 2,
nonce_a2, sizeof(nonce_a2),
ct_a2, sizeof(ct_a2),
siv, pt), 0);
ExpectBufEQ(pt, pt_a2, sizeof(pt_a2));
}
/* --- Bad args: wc_AesSivEncrypt --- */
ExpectIntNE(wc_AesSivEncrypt(NULL, sizeof(key_a1),
assoc_a1, sizeof(assoc_a1),
NULL, 0, pt_a1, sizeof(pt_a1), siv, ct), 0);
ExpectIntNE(wc_AesSivEncrypt(key_a1, 0,
assoc_a1, sizeof(assoc_a1),
NULL, 0, pt_a1, sizeof(pt_a1), siv, ct), 0);
ExpectIntNE(wc_AesSivEncrypt(key_a1, sizeof(key_a1),
assoc_a1, sizeof(assoc_a1),
NULL, 0, pt_a1, sizeof(pt_a1), NULL, ct), 0);
ExpectIntNE(wc_AesSivEncrypt(key_a1, sizeof(key_a1),
assoc_a1, sizeof(assoc_a1),
NULL, 0, pt_a1, sizeof(pt_a1), siv, NULL), 0);
/* --- Bad args: wc_AesSivDecrypt --- */
XMEMCPY(siv, siv_a1, sizeof(siv_a1));
ExpectIntNE(wc_AesSivDecrypt(NULL, sizeof(key_a1),
assoc_a1, sizeof(assoc_a1),
NULL, 0, ct_a1, sizeof(ct_a1), siv, pt), 0);
ExpectIntNE(wc_AesSivDecrypt(key_a1, 0,
assoc_a1, sizeof(assoc_a1),
NULL, 0, ct_a1, sizeof(ct_a1), siv, pt), 0);
ExpectIntNE(wc_AesSivDecrypt(key_a1, sizeof(key_a1),
assoc_a1, sizeof(assoc_a1),
NULL, 0, ct_a1, sizeof(ct_a1), NULL, pt), 0);
ExpectIntNE(wc_AesSivDecrypt(key_a1, sizeof(key_a1),
assoc_a1, sizeof(assoc_a1),
NULL, 0, ct_a1, sizeof(ct_a1), siv, NULL), 0);
return EXPECT_RESULT();
} /* END test_wc_AesSivEncryptDecrypt */
#endif /* WOLFSSL_AES_SIV && WOLFSSL_AES_128 */
/*----------------------------------------------------------------------------*
| CryptoCB AES SetKey Test
*----------------------------------------------------------------------------*/
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_AES_SETKEY) && \
!defined(NO_AES) && defined(HAVE_AESGCM)
#include <wolfssl/wolfcrypt/cryptocb.h>
#define TEST_CRYPTOCB_AES_DEVID 7
/* Test state tracking */
static int cryptoCbAesSetKeyCalled = 0;
static int cryptoCbAesFreeCalled = 0;
/* Simulated SE key storage - in real SE this would be in secure hardware */
typedef struct {
byte key[AES_256_KEY_SIZE];
word32 keySz;
int valid;
} MockSeKeySlot;
static MockSeKeySlot mockSeKey = {0};
/* Mock handle pointing to our key slot */
static void* cryptoCbAesMockHandle = (void*)&mockSeKey;
/* Test CryptoCB callback for AES key import operations
* This emulates a Secure Element by:
* - Storing the key on SetKey (simulating SE key import)
* - Using stored key for encrypt/decrypt (simulating SE crypto)
* - Clearing key on Free (simulating SE key deletion)
*/
static int test_CryptoCb_Aes_Cb(int devId, wc_CryptoInfo* info, void* ctx)
{
(void)ctx;
if (devId != TEST_CRYPTOCB_AES_DEVID)
return CRYPTOCB_UNAVAILABLE;
/* AES SetKey operation - simulate SE key import */
if (info->algo_type == WC_ALGO_TYPE_CIPHER &&
info->cipher.type == WC_CIPHER_AES &&
info->cipher.aessetkey.aes != NULL) {
Aes* aes = info->cipher.aessetkey.aes;
const byte* key = info->cipher.aessetkey.key;
word32 keySz = info->cipher.aessetkey.keySz;
/* Validate key */
if (key == NULL || keySz == 0 || keySz > AES_256_KEY_SIZE) {
return BAD_FUNC_ARG;
}
/* "Import" key to simulated SE storage */
XMEMCPY(mockSeKey.key, key, keySz);
mockSeKey.keySz = keySz;
mockSeKey.valid = 1;
/* Store handle in aes->devCtx - this is what wolfSSL will use */
aes->devCtx = cryptoCbAesMockHandle;
cryptoCbAesSetKeyCalled++;
return 0;
}
/* AES-GCM Encrypt - simulate SE encryption using stored key */
if (info->algo_type == WC_ALGO_TYPE_CIPHER &&
info->cipher.type == WC_CIPHER_AES_GCM &&
info->cipher.enc) {
Aes* aes = info->cipher.aesgcm_enc.aes;
MockSeKeySlot* slot;
Aes tempAes;
int ret;
/* Verify handle points to our key slot */
if (aes == NULL || aes->devCtx != cryptoCbAesMockHandle) {
return BAD_FUNC_ARG;
}
slot = (MockSeKeySlot*)aes->devCtx;
if (!slot->valid) {
return BAD_STATE_E;
}
/* Initialize a temporary Aes for software crypto (simulating SE internal operation) */
XMEMSET(&tempAes, 0, sizeof(tempAes));
ret = wc_AesInit(&tempAes, NULL, INVALID_DEVID); /* No CryptoCB for internal use */
if (ret != 0) return ret;
ret = wc_AesGcmSetKey(&tempAes, slot->key, slot->keySz);
if (ret != 0) {
wc_AesFree(&tempAes);
return ret;
}
/* Perform the actual encryption */
ret = wc_AesGcmEncrypt(&tempAes,
info->cipher.aesgcm_enc.out,
info->cipher.aesgcm_enc.in,
info->cipher.aesgcm_enc.sz,
info->cipher.aesgcm_enc.iv,
info->cipher.aesgcm_enc.ivSz,
info->cipher.aesgcm_enc.authTag,
info->cipher.aesgcm_enc.authTagSz,
info->cipher.aesgcm_enc.authIn,
info->cipher.aesgcm_enc.authInSz);
wc_AesFree(&tempAes);
return ret;
}
/* AES-GCM Decrypt - simulate SE decryption using stored key */
if (info->algo_type == WC_ALGO_TYPE_CIPHER &&
info->cipher.type == WC_CIPHER_AES_GCM &&
!info->cipher.enc) {
Aes* aes = info->cipher.aesgcm_dec.aes;
MockSeKeySlot* slot;
Aes tempAes;
int ret;
/* Verify handle points to our key slot */
if (aes == NULL || aes->devCtx != cryptoCbAesMockHandle) {
return BAD_FUNC_ARG;
}
slot = (MockSeKeySlot*)aes->devCtx;
if (!slot->valid) {
return BAD_STATE_E;
}
/* Initialize a temporary Aes for software crypto (simulating SE internal operation) */
XMEMSET(&tempAes, 0, sizeof(tempAes));
ret = wc_AesInit(&tempAes, NULL, INVALID_DEVID);
if (ret != 0) return ret;
ret = wc_AesGcmSetKey(&tempAes, slot->key, slot->keySz);
if (ret != 0) {
wc_AesFree(&tempAes);
return ret;
}
/* Perform the actual decryption */
ret = wc_AesGcmDecrypt(&tempAes,
info->cipher.aesgcm_dec.out,
info->cipher.aesgcm_dec.in,
info->cipher.aesgcm_dec.sz,
info->cipher.aesgcm_dec.iv,
info->cipher.aesgcm_dec.ivSz,
info->cipher.aesgcm_dec.authTag,
info->cipher.aesgcm_dec.authTagSz,
info->cipher.aesgcm_dec.authIn,
info->cipher.aesgcm_dec.authInSz);
wc_AesFree(&tempAes);
return ret;
}
#ifdef WOLF_CRYPTO_CB_FREE
/* Free operation - simulate SE key deletion */
if (info->algo_type == WC_ALGO_TYPE_FREE &&
info->free.algo == WC_ALGO_TYPE_CIPHER &&
info->free.type == WC_CIPHER_AES) {
Aes* aes = (Aes*)info->free.obj;
if (aes != NULL && aes->devCtx == cryptoCbAesMockHandle) {
/* "Delete" key from simulated SE */
ForceZero(&mockSeKey, sizeof(mockSeKey));
cryptoCbAesFreeCalled++;
}
return 0;
}
#endif
return CRYPTOCB_UNAVAILABLE;
}
/*
* Test: CryptoCB AES SetKey hook for key import / secure element support
*/
int test_wc_CryptoCb_AesSetKey(void)
{
EXPECT_DECLS;
#ifdef WOLFSSL_SMALL_STACK
Aes* aes = NULL;
byte* key = NULL;
byte* iv = NULL;
byte* plain = NULL;
byte* cipher = NULL;
byte* decrypted = NULL;
byte* authTag = NULL;
#else
Aes aes[1];
byte key[AES_128_KEY_SIZE];
byte iv[GCM_NONCE_MID_SZ];
byte plain[16];
byte cipher[16];
byte decrypted[16];
byte authTag[AES_BLOCK_SIZE];
#endif
int ret;
#ifdef WOLFSSL_SMALL_STACK
aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_TMP_BUFFER);
key = (byte*)XMALLOC(AES_128_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
iv = (byte*)XMALLOC(GCM_NONCE_MID_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
plain = (byte*)XMALLOC(16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
cipher = (byte*)XMALLOC(16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
decrypted = (byte*)XMALLOC(16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
authTag = (byte*)XMALLOC(AES_BLOCK_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (aes == NULL || key == NULL || iv == NULL || plain == NULL ||
cipher == NULL || decrypted == NULL || authTag == NULL) {
ret = MEMORY_E;
goto out;
}
#endif
/* Initialize key, iv, plain arrays */
{
static const byte keyData[AES_128_KEY_SIZE] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};
static const byte plainData[16] = {
0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x2c, 0x20, 0x77,
0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x21, 0x00
};
XMEMCPY(key, keyData, AES_128_KEY_SIZE);
XMEMSET(iv, 0, GCM_NONCE_MID_SZ);
XMEMCPY(plain, plainData, 16);
}
XMEMSET(aes, 0, sizeof(Aes));
XMEMSET(&mockSeKey, 0, sizeof(mockSeKey));
/* Reset test state */
cryptoCbAesSetKeyCalled = 0;
cryptoCbAesFreeCalled = 0;
/* Register test callback */
ret = wc_CryptoCb_RegisterDevice(TEST_CRYPTOCB_AES_DEVID,
test_CryptoCb_Aes_Cb, NULL);
ExpectIntEQ(ret, 0);
/* Initialize Aes with device ID */
ret = wc_AesInit(aes, NULL, TEST_CRYPTOCB_AES_DEVID);
ExpectIntEQ(ret, 0);
ExpectIntEQ(aes->devId, TEST_CRYPTOCB_AES_DEVID);
/* Set key - should trigger CryptoCB and "import" to mock SE */
ret = wc_AesGcmSetKey(aes, key, sizeof(key));
ExpectIntEQ(ret, 0);
/* Verify callback was invoked */
ExpectIntEQ(cryptoCbAesSetKeyCalled, 1);
/* Verify handle stored in devCtx */
ExpectPtrEq(aes->devCtx, cryptoCbAesMockHandle);
/* Verify key was "imported" to mock SE */
ExpectIntEQ(mockSeKey.valid, 1);
ExpectIntEQ(mockSeKey.keySz, (int)sizeof(key));
/* Verify keylen metadata stored in Aes struct */
ExpectIntEQ(aes->keylen, (int)sizeof(key));
/* After SetKey succeeds via CryptoCB, verify key NOT in devKey */
{
byte zeroKey[AES_128_KEY_SIZE] = {0};
/* Key should NOT be copied to devKey - SE owns it */
ExpectIntEQ(XMEMCMP(aes->devKey, zeroKey, sizeof(key)), 0);
}
/* Test encrypt - callback performs crypto using stored key */
ret = wc_AesGcmEncrypt(aes, cipher, plain, sizeof(plain),
iv, sizeof(iv), authTag, sizeof(authTag),
NULL, 0);
ExpectIntEQ(ret, 0);
/* Test decrypt - callback performs crypto using stored key */
ret = wc_AesGcmDecrypt(aes, decrypted, cipher, sizeof(cipher),
iv, sizeof(iv), authTag, sizeof(authTag),
NULL, 0);
ExpectIntEQ(ret, 0);
/* Verify round-trip */
ExpectIntEQ(XMEMCMP(plain, decrypted, sizeof(plain)), 0);
#ifdef WOLF_CRYPTO_CB_FREE
/* Free should trigger callback and "delete" key from mock SE */
cryptoCbAesFreeCalled = 0;
wc_AesFree(aes);
/* Verify free callback invoked */
ExpectIntEQ(cryptoCbAesFreeCalled, 1);
/* Verify devCtx cleared */
ExpectPtrEq(aes->devCtx, NULL);
/* Verify key was "deleted" from mock SE */
ExpectIntEQ(mockSeKey.valid, 0);
#else
wc_AesFree(aes);
#endif
/* Cleanup */
wc_CryptoCb_UnRegisterDevice(TEST_CRYPTOCB_AES_DEVID);
/* Test software path (no devId) still works */
XMEMSET(aes, 0, sizeof(Aes));
cryptoCbAesSetKeyCalled = 0;
ret = wc_AesInit(aes, NULL, INVALID_DEVID);
ExpectIntEQ(ret, 0);
ret = wc_AesGcmSetKey(aes, key, sizeof(key));
ExpectIntEQ(ret, 0);
/* Callback should NOT have been invoked */
ExpectIntEQ(cryptoCbAesSetKeyCalled, 0);
/* devCtx should be NULL */
ExpectPtrEq(aes->devCtx, NULL);
wc_AesFree(aes);
#ifdef WOLFSSL_SMALL_STACK
out:
XFREE(aes, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(iv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(cipher, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(decrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(authTag, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return EXPECT_RESULT();
}
#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_AES_SETKEY && !NO_AES && HAVE_AESGCM */
/*----------------------------------------------------------------------------*
| CryptoCB AES-GCM End-to-End Offload Test
*----------------------------------------------------------------------------*/
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_AES_SETKEY) && \
!defined(NO_AES) && defined(HAVE_AESGCM)
#define TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID 8
/* Test state tracking for end-to-end offload test */
static int cryptoCbAesGcmSetKeyCalled = 0;
static int cryptoCbAesGcmEncryptCalled = 0;
static int cryptoCbAesGcmDecryptCalled = 0;
static int cryptoCbAesGcmFreeCalled = 0;
/* Mock SE key storage for offload test */
typedef struct {
byte key[AES_256_KEY_SIZE];
word32 keySz;
int valid;
} MockSeKeySlotOffload;
static MockSeKeySlotOffload mockSeKeyOffload = {0};
/* Mock handle pointing to our key slot */
static void* cryptoCbAesGcmMockHandle = (void*)&mockSeKeyOffload;
/* Mock CryptoCB callback for end-to-end AES-GCM offload test
* This emulates a Secure Element that:
* - Stores the key on SetKey (simulating SE key import)
* - Performs encryption/decryption using stored key (simulating SE crypto)
* - Tracks all callback invocations to verify offload is working
* - Uses software AES internally (simulating SE internal operation)
*/
static int test_CryptoCb_AesGcm_Offload_Cb(int devId, wc_CryptoInfo* info, void* ctx)
{
(void)ctx;
if (devId != TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID)
return CRYPTOCB_UNAVAILABLE;
/* AES SetKey operation - simulate SE key import */
if (info->algo_type == WC_ALGO_TYPE_CIPHER &&
info->cipher.type == WC_CIPHER_AES &&
info->cipher.aessetkey.aes != NULL) {
Aes* aes = info->cipher.aessetkey.aes;
const byte* key = info->cipher.aessetkey.key;
word32 keySz = info->cipher.aessetkey.keySz;
/* Validate key */
if (key == NULL || keySz == 0 || keySz > AES_256_KEY_SIZE) {
return BAD_FUNC_ARG;
}
/* "Import" key to simulated SE storage */
XMEMCPY(mockSeKeyOffload.key, key, keySz);
mockSeKeyOffload.keySz = keySz;
mockSeKeyOffload.valid = 1;
/* Store handle in aes->devCtx - this is what wolfSSL will use */
aes->devCtx = cryptoCbAesGcmMockHandle;
cryptoCbAesGcmSetKeyCalled++;
return 0;
}
/* AES-GCM Encrypt - simulate SE encryption using stored key */
if (info->algo_type == WC_ALGO_TYPE_CIPHER &&
info->cipher.type == WC_CIPHER_AES_GCM &&
info->cipher.enc) {
Aes* aes = info->cipher.aesgcm_enc.aes;
MockSeKeySlotOffload* slot;
Aes tempAes;
int ret;
/* Verify handle points to our key slot */
if (aes == NULL || aes->devCtx != cryptoCbAesGcmMockHandle) {
return BAD_FUNC_ARG;
}
slot = (MockSeKeySlotOffload*)aes->devCtx;
if (!slot->valid) {
return BAD_STATE_E;
}
/* Track that encrypt callback was invoked */
cryptoCbAesGcmEncryptCalled++;
/* Initialize a temporary Aes for software crypto (simulating SE internal operation) */
XMEMSET(&tempAes, 0, sizeof(tempAes));
ret = wc_AesInit(&tempAes, NULL, INVALID_DEVID); /* No CryptoCB for internal use */
if (ret != 0) return ret;
ret = wc_AesGcmSetKey(&tempAes, slot->key, slot->keySz);
if (ret != 0) {
wc_AesFree(&tempAes);
return ret;
}
/* Perform the actual encryption using software AES (simulating SE internal operation) */
ret = wc_AesGcmEncrypt(&tempAes,
info->cipher.aesgcm_enc.out,
info->cipher.aesgcm_enc.in,
info->cipher.aesgcm_enc.sz,
info->cipher.aesgcm_enc.iv,
info->cipher.aesgcm_enc.ivSz,
info->cipher.aesgcm_enc.authTag,
info->cipher.aesgcm_enc.authTagSz,
info->cipher.aesgcm_enc.authIn,
info->cipher.aesgcm_enc.authInSz);
wc_AesFree(&tempAes);
return ret;
}
/* AES-GCM Decrypt - simulate SE decryption using stored key */
if (info->algo_type == WC_ALGO_TYPE_CIPHER &&
info->cipher.type == WC_CIPHER_AES_GCM &&
!info->cipher.enc) {
Aes* aes = info->cipher.aesgcm_dec.aes;
MockSeKeySlotOffload* slot;
Aes tempAes;
int ret;
/* Verify handle points to our key slot */
if (aes == NULL || aes->devCtx != cryptoCbAesGcmMockHandle) {
return BAD_FUNC_ARG;
}
slot = (MockSeKeySlotOffload*)aes->devCtx;
if (!slot->valid) {
return BAD_STATE_E;
}
/* Track that decrypt callback was invoked */
cryptoCbAesGcmDecryptCalled++;
/* Initialize a temporary Aes for software crypto (simulating SE internal operation) */
XMEMSET(&tempAes, 0, sizeof(tempAes));
ret = wc_AesInit(&tempAes, NULL, INVALID_DEVID);
if (ret != 0) return ret;
ret = wc_AesGcmSetKey(&tempAes, slot->key, slot->keySz);
if (ret != 0) {
wc_AesFree(&tempAes);
return ret;
}
/* Perform the actual decryption using software AES (simulating SE internal operation) */
ret = wc_AesGcmDecrypt(&tempAes,
info->cipher.aesgcm_dec.out,
info->cipher.aesgcm_dec.in,
info->cipher.aesgcm_dec.sz,
info->cipher.aesgcm_dec.iv,
info->cipher.aesgcm_dec.ivSz,
info->cipher.aesgcm_dec.authTag,
info->cipher.aesgcm_dec.authTagSz,
info->cipher.aesgcm_dec.authIn,
info->cipher.aesgcm_dec.authInSz);
wc_AesFree(&tempAes);
return ret;
}
#ifdef WOLF_CRYPTO_CB_FREE
/* Free operation - simulate SE key deletion */
if (info->algo_type == WC_ALGO_TYPE_FREE &&
info->free.algo == WC_ALGO_TYPE_CIPHER &&
info->free.type == WC_CIPHER_AES) {
Aes* aes = (Aes*)info->free.obj;
if (aes != NULL && aes->devCtx == cryptoCbAesGcmMockHandle) {
/* "Delete" key from simulated SE */
ForceZero(&mockSeKeyOffload, sizeof(mockSeKeyOffload));
cryptoCbAesGcmFreeCalled++;
}
return 0;
}
#endif
return CRYPTOCB_UNAVAILABLE;
}
/*
* Test: End-to-End AES-GCM Offload via CryptoCB
* This test verifies that:
* - AES-GCM encryption/decryption operations are routed through CryptoCb
* - Software AES is bypassed when offload is enabled
* - Encrypted output and auth tag are correct
* - Decryption via CryptoCb restores the original plaintext
*/
int test_wc_CryptoCb_AesGcm_EncryptDecrypt(void)
{
EXPECT_DECLS;
#ifdef WOLFSSL_SMALL_STACK
Aes* aes = NULL;
byte* key = NULL;
byte* iv = NULL;
byte* aad = NULL;
byte* plaintext = NULL;
byte* ciphertext = NULL;
byte* decrypted = NULL;
byte* authTag = NULL;
#else
Aes aes[1];
byte key[AES_128_KEY_SIZE];
byte iv[GCM_NONCE_MID_SZ];
byte aad[16];
byte plaintext[32];
byte ciphertext[32];
byte decrypted[32];
byte authTag[AES_BLOCK_SIZE];
#endif
int ret;
int i;
int hasNonZero = 0;
#ifdef WOLFSSL_SMALL_STACK
aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_TMP_BUFFER);
key = (byte*)XMALLOC(AES_128_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
iv = (byte*)XMALLOC(GCM_NONCE_MID_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
aad = (byte*)XMALLOC(16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
plaintext = (byte*)XMALLOC(32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
ciphertext = (byte*)XMALLOC(32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
decrypted = (byte*)XMALLOC(32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
authTag = (byte*)XMALLOC(AES_BLOCK_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (aes == NULL || key == NULL || iv == NULL || aad == NULL ||
plaintext == NULL || ciphertext == NULL || decrypted == NULL ||
authTag == NULL) {
ret = MEMORY_E;
goto out;
}
#endif
/* Initialize key, iv, aad, plaintext arrays */
{
static const byte keyData[AES_128_KEY_SIZE] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};
static const byte ivData[GCM_NONCE_MID_SZ] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b
};
static const byte aadData[16] = {
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};
static const byte plaintextData[32] = {
0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x2c, 0x20, 0x77,
0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x21, 0x00,
0x54, 0x65, 0x73, 0x74, 0x20, 0x6d, 0x65, 0x73,
0x73, 0x61, 0x67, 0x65, 0x20, 0x32, 0x21, 0x00
};
XMEMCPY(key, keyData, AES_128_KEY_SIZE);
XMEMCPY(iv, ivData, GCM_NONCE_MID_SZ);
XMEMCPY(aad, aadData, 16);
XMEMCPY(plaintext, plaintextData, 32);
}
XMEMSET(aes, 0, sizeof(Aes));
XMEMSET(&mockSeKeyOffload, 0, sizeof(mockSeKeyOffload));
XMEMSET(ciphertext, 0, 32);
XMEMSET(decrypted, 0, 32);
XMEMSET(authTag, 0, AES_BLOCK_SIZE);
/* Reset test state */
cryptoCbAesGcmSetKeyCalled = 0;
cryptoCbAesGcmEncryptCalled = 0;
cryptoCbAesGcmDecryptCalled = 0;
cryptoCbAesGcmFreeCalled = 0;
/* Register test callback */
ret = wc_CryptoCb_RegisterDevice(TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID,
test_CryptoCb_AesGcm_Offload_Cb, NULL);
ExpectIntEQ(ret, 0);
/* Initialize Aes with device ID */
ret = wc_AesInit(aes, NULL, TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID);
ExpectIntEQ(ret, 0);
ExpectIntEQ(aes->devId, TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID);
/* Set key - should trigger CryptoCB and "import" to mock SE */
ret = wc_AesGcmSetKey(aes, key, sizeof(key));
ExpectIntEQ(ret, 0);
/* Verify SetKey callback was invoked */
ExpectIntEQ(cryptoCbAesGcmSetKeyCalled, 1);
/* Verify handle stored in devCtx */
ExpectPtrEq(aes->devCtx, cryptoCbAesGcmMockHandle);
/* Verify key was "imported" to mock SE */
ExpectIntEQ(mockSeKeyOffload.valid, 1);
ExpectIntEQ(mockSeKeyOffload.keySz, (int)sizeof(key));
/* Verify keylen metadata stored in Aes struct */
ExpectIntEQ(aes->keylen, (int)sizeof(key));
/* Encrypt via wolfCrypt API - should route through CryptoCb */
ret = wc_AesGcmEncrypt(aes, ciphertext, plaintext, 32,
iv, sizeof(iv), authTag, sizeof(authTag),
aad, 16);
ExpectIntEQ(ret, 0);
/* Assert: Encrypt callback was invoked */
ExpectIntEQ(cryptoCbAesGcmEncryptCalled, 1);
/* Assert: Ciphertext is different from plaintext */
ExpectIntNE(XMEMCMP(plaintext, ciphertext, 32), 0);
/* Assert: Auth tag is non-zero */
hasNonZero = 0;
for (i = 0; i < (int)sizeof(authTag); i++) {
if (authTag[i] != 0) {
hasNonZero = 1;
break;
}
}
ExpectIntEQ(hasNonZero, 1);
/* Decrypt via wolfCrypt API - should route through CryptoCb */
ret = wc_AesGcmDecrypt(aes, decrypted, ciphertext, 32,
iv, sizeof(iv), authTag, sizeof(authTag),
aad, 16);
ExpectIntEQ(ret, 0);
/* Assert: Decrypt callback was invoked */
ExpectIntEQ(cryptoCbAesGcmDecryptCalled, 1);
/* Assert: Decrypted plaintext matches original */
ExpectIntEQ(XMEMCMP(plaintext, decrypted, 32), 0);
#ifdef WOLF_CRYPTO_CB_FREE
/* Free should trigger callback and "delete" key from mock SE */
cryptoCbAesGcmFreeCalled = 0;
wc_AesFree(aes);
/* Verify free callback invoked */
ExpectIntEQ(cryptoCbAesGcmFreeCalled, 1);
/* Verify devCtx cleared */
ExpectPtrEq(aes->devCtx, NULL);
/* Verify key was "deleted" from mock SE */
ExpectIntEQ(mockSeKeyOffload.valid, 0);
#else
wc_AesFree(aes);
#endif
/* Cleanup */
wc_CryptoCb_UnRegisterDevice(TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID);
/* Verify lifecycle: SetKey -> Encrypt -> Decrypt -> Free */
ExpectIntEQ(cryptoCbAesGcmSetKeyCalled, 1);
ExpectIntEQ(cryptoCbAesGcmEncryptCalled, 1);
ExpectIntEQ(cryptoCbAesGcmDecryptCalled, 1);
#ifdef WOLF_CRYPTO_CB_FREE
ExpectIntEQ(cryptoCbAesGcmFreeCalled, 1);
#endif
#ifdef WOLFSSL_SMALL_STACK
out:
XFREE(aes, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(iv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(aad, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(plaintext, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(ciphertext, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(decrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(authTag, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return EXPECT_RESULT();
}
#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_AES_SETKEY && !NO_AES && HAVE_AESGCM */
/*******************************************************************************
* Monte Carlo tests for AES modes
******************************************************************************/
#define MC_CIPHER_TEST_COUNT 100
#define MC_AES_MAX_DATA_SZ 1024
/* Monte Carlo test for AES-CBC: random key, IV, and plaintext each iteration */
int test_wc_AesCbc_MonteCarlo(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(HAVE_AES_DECRYPT)
static const word32 keySizes[] = {
#ifdef WOLFSSL_AES_128
16,
#endif
#ifdef WOLFSSL_AES_192
24,
#endif
#ifdef WOLFSSL_AES_256
32,
#endif
};
int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
Aes enc, dec;
WC_RNG rng;
byte key[AES_256_KEY_SIZE];
byte iv[WC_AES_BLOCK_SIZE];
word32 plainLen = 0, keyLen;
int i;
WC_DECLARE_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
ExpectNotNull(decrypted);
#endif
XMEMSET(&enc, 0, sizeof(enc));
XMEMSET(&dec, 0, sizeof(dec));
XMEMSET(&rng, 0, sizeof(rng));
ExpectIntEQ(wc_AesInit(&enc, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesInit(&dec, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_InitRng(&rng), 0);
for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
keyLen = keySizes[i % numKeySizes];
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, iv, sizeof(iv)), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
sizeof(plainLen)), 0);
/* Length 1..1024, rounded up to AES block size */
plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
plainLen = (plainLen + WC_AES_BLOCK_SIZE - 1) &
~((word32)WC_AES_BLOCK_SIZE - 1);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
ExpectIntEQ(wc_AesSetKey(&enc, key, keyLen, iv, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesCbcEncrypt(&enc, cipher, plain, plainLen), 0);
ExpectIntEQ(wc_AesSetKey(&dec, key, keyLen, iv, AES_DECRYPTION), 0);
ExpectIntEQ(wc_AesCbcDecrypt(&dec, decrypted, cipher, plainLen), 0);
ExpectBufEQ(decrypted, plain, plainLen);
}
wc_AesFree(&enc);
wc_AesFree(&dec);
wc_FreeRng(&rng);
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
WC_FREE_VAR(decrypted, NULL);
#endif
return EXPECT_RESULT();
}
/* Monte Carlo test for AES-CTR: random key, IV, and plaintext each iteration */
int test_wc_AesCtr_MonteCarlo(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER)
static const word32 keySizes[] = {
#ifdef WOLFSSL_AES_128
16,
#endif
#ifdef WOLFSSL_AES_192
24,
#endif
#ifdef WOLFSSL_AES_256
32,
#endif
};
int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
Aes enc, dec;
WC_RNG rng;
byte key[AES_256_KEY_SIZE];
byte iv[WC_AES_BLOCK_SIZE];
word32 plainLen = 0, keyLen;
int i;
WC_DECLARE_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
ExpectNotNull(decrypted);
#endif
XMEMSET(&enc, 0, sizeof(enc));
XMEMSET(&dec, 0, sizeof(dec));
XMEMSET(&rng, 0, sizeof(rng));
ExpectIntEQ(wc_AesInit(&enc, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesInit(&dec, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_InitRng(&rng), 0);
for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
keyLen = keySizes[i % numKeySizes];
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, iv, sizeof(iv)), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
sizeof(plainLen)), 0);
plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
/* CTR mode: decrypt is the same operation as encrypt */
ExpectIntEQ(wc_AesSetKey(&enc, key, keyLen, iv, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesCtrEncrypt(&enc, cipher, plain, plainLen), 0);
ExpectIntEQ(wc_AesSetKey(&dec, key, keyLen, iv, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesCtrEncrypt(&dec, decrypted, cipher, plainLen), 0);
ExpectBufEQ(decrypted, plain, plainLen);
}
wc_AesFree(&enc);
wc_AesFree(&dec);
wc_FreeRng(&rng);
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
WC_FREE_VAR(decrypted, NULL);
#endif
return EXPECT_RESULT();
}
/* Monte Carlo test for AES-GCM: random key, nonce, and plaintext each
* iteration */
int test_wc_AesGcm_MonteCarlo(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(HAVE_AES_DECRYPT)
static const word32 keySizes[] = {
#ifdef WOLFSSL_AES_128
16,
#endif
#ifdef WOLFSSL_AES_192
24,
#endif
#ifdef WOLFSSL_AES_256
32,
#endif
};
int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
Aes aes;
WC_RNG rng;
byte key[AES_256_KEY_SIZE];
byte nonce[GCM_NONCE_MID_SZ];
byte tag[WC_AES_BLOCK_SIZE];
word32 plainLen = 0, keyLen;
int i;
WC_DECLARE_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
ExpectNotNull(decrypted);
#endif
XMEMSET(&aes, 0, sizeof(aes));
XMEMSET(&rng, 0, sizeof(rng));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_InitRng(&rng), 0);
for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
keyLen = keySizes[i % numKeySizes];
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, nonce, sizeof(nonce)), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
sizeof(plainLen)), 0);
plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
ExpectIntEQ(wc_AesGcmSetKey(&aes, key, keyLen), 0);
ExpectIntEQ(wc_AesGcmEncrypt(&aes, cipher, plain, plainLen,
nonce, sizeof(nonce), tag, sizeof(tag), NULL, 0), 0);
ExpectIntEQ(wc_AesGcmDecrypt(&aes, decrypted, cipher, plainLen,
nonce, sizeof(nonce), tag, sizeof(tag), NULL, 0), 0);
ExpectBufEQ(decrypted, plain, plainLen);
}
wc_AesFree(&aes);
wc_FreeRng(&rng);
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
WC_FREE_VAR(decrypted, NULL);
#endif
return EXPECT_RESULT();
}
/* Monte Carlo test for AES-CCM: random key, nonce, and plaintext each
* iteration */
int test_wc_AesCcm_MonteCarlo(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AESCCM) && defined(HAVE_AES_DECRYPT)
static const word32 keySizes[] = {
#ifdef WOLFSSL_AES_128
16,
#endif
#ifdef WOLFSSL_AES_192
24,
#endif
#ifdef WOLFSSL_AES_256
32,
#endif
};
int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
Aes aes;
WC_RNG rng;
byte key[AES_256_KEY_SIZE];
#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS_VERSION) || \
(HAVE_FIPS_VERSION > 2))
byte nonce[CCM_NONCE_MAX_SZ];
#else
byte nonce[13];
#endif
byte tag[WC_AES_BLOCK_SIZE];
word32 plainLen = 0, keyLen;
int i;
WC_DECLARE_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
ExpectNotNull(decrypted);
#endif
XMEMSET(&aes, 0, sizeof(aes));
XMEMSET(&rng, 0, sizeof(rng));
ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_InitRng(&rng), 0);
for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
keyLen = keySizes[i % numKeySizes];
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, nonce, sizeof(nonce)), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
sizeof(plainLen)), 0);
plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
ExpectIntEQ(wc_AesCcmSetKey(&aes, key, keyLen), 0);
ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipher, plain, plainLen,
nonce, sizeof(nonce), tag, sizeof(tag), NULL, 0), 0);
ExpectIntEQ(wc_AesCcmDecrypt(&aes, decrypted, cipher, plainLen,
nonce, sizeof(nonce), tag, sizeof(tag), NULL, 0), 0);
ExpectBufEQ(decrypted, plain, plainLen);
}
wc_AesFree(&aes);
wc_FreeRng(&rng);
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
WC_FREE_VAR(decrypted, NULL);
#endif
return EXPECT_RESULT();
}
/* Monte Carlo test for AES-CFB: random key, IV, and plaintext each
* iteration */
int test_wc_AesCfb_MonteCarlo(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_CFB) && defined(HAVE_AES_DECRYPT)
static const word32 keySizes[] = {
#ifdef WOLFSSL_AES_128
16,
#endif
#ifdef WOLFSSL_AES_192
24,
#endif
#ifdef WOLFSSL_AES_256
32,
#endif
};
int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
Aes enc, dec;
WC_RNG rng;
byte key[AES_256_KEY_SIZE];
byte iv[WC_AES_BLOCK_SIZE];
word32 plainLen = 0, keyLen;
int i;
WC_DECLARE_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
ExpectNotNull(decrypted);
#endif
XMEMSET(&enc, 0, sizeof(enc));
XMEMSET(&dec, 0, sizeof(dec));
XMEMSET(&rng, 0, sizeof(rng));
ExpectIntEQ(wc_AesInit(&enc, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesInit(&dec, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_InitRng(&rng), 0);
for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
keyLen = keySizes[i % numKeySizes];
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, iv, sizeof(iv)), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
sizeof(plainLen)), 0);
plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
ExpectIntEQ(wc_AesSetKey(&enc, key, keyLen, NULL, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesSetIV(&enc, iv), 0);
ExpectIntEQ(wc_AesCfbEncrypt(&enc, cipher, plain, plainLen), 0);
ExpectIntEQ(wc_AesSetKey(&dec, key, keyLen, NULL, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesSetIV(&dec, iv), 0);
ExpectIntEQ(wc_AesCfbDecrypt(&dec, decrypted, cipher, plainLen), 0);
if (XMEMCMP(decrypted, plain, plainLen) != 0) {
PRINT_DATA("Key", key, keyLen);
PRINT_DATA("IV", iv, sizeof(iv));
PRINT_DATA("Plain", plain, plainLen);
PRINT_DATA("Decrypted", decrypted, plainLen);
}
ExpectBufEQ(decrypted, plain, plainLen);
}
wc_AesFree(&enc);
wc_AesFree(&dec);
wc_FreeRng(&rng);
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
WC_FREE_VAR(decrypted, NULL);
#endif
return EXPECT_RESULT();
}
/* Monte Carlo test for AES-OFB: random key, IV, and plaintext each
* iteration */
int test_wc_AesOfb_MonteCarlo(void)
{
EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_OFB) && defined(HAVE_AES_DECRYPT)
static const word32 keySizes[] = {
#ifdef WOLFSSL_AES_128
16,
#endif
#ifdef WOLFSSL_AES_192
24,
#endif
#ifdef WOLFSSL_AES_256
32,
#endif
};
int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
Aes enc, dec;
WC_RNG rng;
byte key[AES_256_KEY_SIZE];
byte iv[WC_AES_BLOCK_SIZE];
word32 plainLen = 0, keyLen;
int i;
WC_DECLARE_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(plain, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(cipher, byte, MC_AES_MAX_DATA_SZ, NULL);
WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
ExpectNotNull(plain);
ExpectNotNull(cipher);
ExpectNotNull(decrypted);
#endif
XMEMSET(&enc, 0, sizeof(enc));
XMEMSET(&dec, 0, sizeof(dec));
XMEMSET(&rng, 0, sizeof(rng));
ExpectIntEQ(wc_AesInit(&enc, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_AesInit(&dec, NULL, INVALID_DEVID), 0);
ExpectIntEQ(wc_InitRng(&rng), 0);
for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
keyLen = keySizes[i % numKeySizes];
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, iv, sizeof(iv)), 0);
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
sizeof(plainLen)), 0);
plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
ExpectIntEQ(wc_AesSetKey(&enc, key, keyLen, NULL, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesSetIV(&enc, iv), 0);
ExpectIntEQ(wc_AesOfbEncrypt(&enc, cipher, plain, plainLen), 0);
ExpectIntEQ(wc_AesSetKey(&dec, key, keyLen, NULL, AES_ENCRYPTION), 0);
ExpectIntEQ(wc_AesSetIV(&dec, iv), 0);
ExpectIntEQ(wc_AesOfbDecrypt(&dec, decrypted, cipher, plainLen), 0);
if (XMEMCMP(decrypted, plain, plainLen) != 0) {
PRINT_DATA("Key", key, keyLen);
PRINT_DATA("IV", iv, sizeof(iv));
PRINT_DATA("Plain", plain, plainLen);
PRINT_DATA("Decrypted", decrypted, plainLen);
}
ExpectBufEQ(decrypted, plain, plainLen);
}
wc_AesFree(&enc);
wc_AesFree(&dec);
wc_FreeRng(&rng);
WC_FREE_VAR(plain, NULL);
WC_FREE_VAR(cipher, NULL);
WC_FREE_VAR(decrypted, NULL);
#endif
return EXPECT_RESULT();
}