			
		
		
		
	Allowing DECRYPT with crypt_and_tag is a risk as people might fail to check the tag correctly (or at all). So force them to use auth_decrypt() instead. See also https://github.com/ARMmbed/mbedtls/pull/1668
		
			
				
	
	
		
		
	
	
	
	
	
| /* BEGIN_HEADER */
 | |
#include "mbedtls/chachapoly.h"
#include <string.h>
 | |
| /* END_HEADER */
 | |
| 
 | |
| /* BEGIN_DEPENDENCIES
 | |
|  * depends_on:MBEDTLS_CHACHAPOLY_C
 | |
|  * END_DEPENDENCIES
 | |
|  */
 | |
| 
 | |
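/*
 * Known-answer test for one-shot authenticated encryption.
 *
 * Every argument is a hex string taken from the test data. The key, nonce
 * and tag must decode to 32, 12 and 16 bytes respectively. The input is
 * encrypted with mbedtls_chachapoly_encrypt_and_tag(), then the ciphertext
 * (output_len bytes) and the 16-byte tag are compared with the expected
 * values.
 */
/* BEGIN_CASE */
void mbedtls_chachapoly_enc( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string )
{
    unsigned char key_str[32]; /* size set by the standard */
    unsigned char nonce_str[12]; /* size set by the standard */
    unsigned char aad_str[12]; /* max size of test data so far */
    unsigned char input_str[265]; /* max size of binary input/output so far */
    unsigned char output_str[265];
    unsigned char output[265];
    unsigned char mac_str[16]; /* size set by the standard */
    unsigned char mac[16]; /* size set by the standard */
    size_t input_len;
    size_t output_len;
    size_t aad_len;
    size_t key_len;
    size_t nonce_len;
    size_t mac_len;
    mbedtls_chachapoly_context ctx;

    /* Initialise the context before the first TEST_ASSERT: a failed
     * assertion leaves through the exit label, which frees the context. */
    mbedtls_chachapoly_init( &ctx );

    memset( key_str,    0x00, sizeof( key_str ) );
    memset( nonce_str,  0x00, sizeof( nonce_str ) );
    memset( aad_str,    0x00, sizeof( aad_str ) );
    memset( input_str,  0x00, sizeof( input_str ) );
    memset( output_str, 0x00, sizeof( output_str ) );
    memset( mac_str,    0x00, sizeof( mac_str ) );
    /* Keep the comparisons below deterministic even if fewer bytes are
     * produced than are compared. */
    memset( output,     0x00, sizeof( output ) );
    memset( mac,        0x00, sizeof( mac ) );

    /* unhexify() is given no destination size, so reject any test vector
     * that would not fit in the fixed-size stack buffers before decoding. */
    TEST_ASSERT( strlen( hex_key_string )    <= 2 * sizeof( key_str ) );
    TEST_ASSERT( strlen( hex_nonce_string )  <= 2 * sizeof( nonce_str ) );
    TEST_ASSERT( strlen( hex_aad_string )    <= 2 * sizeof( aad_str ) );
    TEST_ASSERT( strlen( hex_input_string )  <= 2 * sizeof( input_str ) );
    TEST_ASSERT( strlen( hex_output_string ) <= 2 * sizeof( output_str ) );
    TEST_ASSERT( strlen( hex_mac_string )    <= 2 * sizeof( mac_str ) );

    aad_len    = unhexify( aad_str,    hex_aad_string    );
    input_len  = unhexify( input_str,  hex_input_string  );
    output_len = unhexify( output_str, hex_output_string );
    key_len    = unhexify( key_str,    hex_key_string    );
    nonce_len  = unhexify( nonce_str,  hex_nonce_string  );
    mac_len    = unhexify( mac_str,    hex_mac_string    );

    TEST_ASSERT( key_len   == 32 );
    TEST_ASSERT( nonce_len == 12 );
    TEST_ASSERT( mac_len   == 16 );

    TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, key_str ) == 0 );

    TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
                                      input_len, nonce_str,
                                      aad_str, aad_len,
                                      input_str, output, mac ) == 0 );

    TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 );
    TEST_ASSERT( memcmp( mac_str, mac, 16U ) == 0 );

exit:
    mbedtls_chachapoly_free( &ctx );
}
/* END_CASE */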
 | |
| 
 | |
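/*
 * Known-answer test for one-shot authenticated decryption.
 *
 * The hex-string arguments carry the key, nonce, additional data,
 * ciphertext, expected plaintext and tag. ret_exp is the return value
 * expected from mbedtls_chachapoly_auth_decrypt(); the plaintext is only
 * compared when ret_exp is 0.
 */
/* BEGIN_CASE */
void mbedtls_chachapoly_dec( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string, int ret_exp )
{
    unsigned char key_str[32]; /* size set by the standard */
    unsigned char nonce_str[12]; /* size set by the standard */
    unsigned char aad_str[12]; /* max size of test data so far */
    unsigned char input_str[265]; /* max size of binary input/output so far */
    unsigned char output_str[265];
    unsigned char output[265];
    unsigned char mac_str[16]; /* size set by the standard */
    size_t input_len;
    size_t output_len;
    size_t aad_len;
    size_t key_len;
    size_t nonce_len;
    size_t mac_len;
    int ret;
    mbedtls_chachapoly_context ctx;

    /* Initialise the context before the first TEST_ASSERT: a failed
     * assertion leaves through the exit label, which frees the context. */
    mbedtls_chachapoly_init( &ctx );

    memset( key_str,    0x00, sizeof( key_str ) );
    memset( nonce_str,  0x00, sizeof( nonce_str ) );
    memset( aad_str,    0x00, sizeof( aad_str ) );
    memset( input_str,  0x00, sizeof( input_str ) );
    memset( output_str, 0x00, sizeof( output_str ) );
    memset( mac_str,    0x00, sizeof( mac_str ) );
    /* Keep the plaintext comparison deterministic even if fewer bytes are
     * produced than are compared. */
    memset( output,     0x00, sizeof( output ) );

    /* unhexify() is given no destination size, so reject any test vector
     * that would not fit in the fixed-size stack buffers before decoding. */
    TEST_ASSERT( strlen( hex_key_string )    <= 2 * sizeof( key_str ) );
    TEST_ASSERT( strlen( hex_nonce_string )  <= 2 * sizeof( nonce_str ) );
    TEST_ASSERT( strlen( hex_aad_string )    <= 2 * sizeof( aad_str ) );
    TEST_ASSERT( strlen( hex_input_string )  <= 2 * sizeof( input_str ) );
    TEST_ASSERT( strlen( hex_output_string ) <= 2 * sizeof( output_str ) );
    TEST_ASSERT( strlen( hex_mac_string )    <= 2 * sizeof( mac_str ) );

    aad_len    = unhexify( aad_str,    hex_aad_string    );
    input_len  = unhexify( input_str,  hex_input_string  );
    output_len = unhexify( output_str, hex_output_string );
    key_len    = unhexify( key_str,    hex_key_string    );
    nonce_len  = unhexify( nonce_str,  hex_nonce_string  );
    mac_len    = unhexify( mac_str,    hex_mac_string    );

    TEST_ASSERT( key_len   == 32 );
    TEST_ASSERT( nonce_len == 12 );
    TEST_ASSERT( mac_len   == 16 );

    TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, key_str ) == 0 );

    ret = mbedtls_chachapoly_auth_decrypt( &ctx,
                                           input_len, nonce_str,
                                           aad_str, aad_len,
                                           mac_str, input_str, output );

    TEST_ASSERT( ret == ret_exp );
    if( ret_exp == 0 )
    {
        TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 );
    }
    /* NOTE(review): when a failure is expected, the contents of output are
     * not inspected. If auth_decrypt() is meant to leave no unauthenticated
     * plaintext in the caller's buffer on a tag mismatch, that deserves an
     * assertion here - confirm against the library contract. */

exit:
    mbedtls_chachapoly_free( &ctx );
}
/* END_CASE */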
 | |
| 
 | |
/*
 * Parameter validation test.
 *
 * Feeds NULL pointers to each public entry point in turn and expects
 * MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, then checks that a NULL buffer is
 * accepted when the matching length is zero.
 */
/* BEGIN_CASE */
void chachapoly_bad_params()
{
    /* All buffers start zeroed; their contents do not matter here. */
    unsigned char key[32] = { 0 };
    unsigned char nonce[12] = { 0 };
    unsigned char aad[1] = { 0 };
    unsigned char input[1] = { 0 };
    unsigned char output[1] = { 0 };
    unsigned char mac[16] = { 0 };
    size_t input_len = sizeof( input );
    size_t aad_len = sizeof( aad );
    mbedtls_chachapoly_context ctx;

    /* init/free return nothing, so a NULL context is only called, not
     * checked. */
    mbedtls_chachapoly_init( NULL );
    mbedtls_chachapoly_free( NULL );

    mbedtls_chachapoly_init( &ctx );

    /* setkey: NULL context, then NULL key. */
    TEST_ASSERT( mbedtls_chachapoly_setkey( NULL, key )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, NULL )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );

    /* encrypt_and_tag: NULL context, nonce, aad (non-zero aad length),
     * input and output (non-zero input length), and tag. */
    TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( NULL, 0, nonce,
                     aad, 0, input, output, mac )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx, 0, NULL,
                     aad, 0, input, output, mac )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx, 0, nonce,
                     NULL, aad_len, input, output, mac )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx, input_len, nonce,
                     aad, 0, NULL, output, mac )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx, input_len, nonce,
                     aad, 0, input, NULL, mac )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx, 0, nonce,
                     aad, 0, input, output, NULL )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );

    /* auth_decrypt: the same sequence of NULL arguments. */
    TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( NULL, 0, nonce,
                     aad, 0, mac, input, output )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx, 0, NULL,
                     aad, 0, mac, input, output )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx, 0, nonce,
                     NULL, aad_len, mac, input, output )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx, 0, nonce,
                     aad, 0, NULL, input, output )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx, input_len, nonce,
                     aad, 0, mac, NULL, output )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx, input_len, nonce,
                     aad, 0, mac, input, NULL )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );

    /* Zero-length message: NULL input and output are accepted. */
    TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx, 0, nonce,
                     aad, aad_len, NULL, NULL, mac )
                 == 0 );
    TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx, 0, nonce,
                     aad, aad_len, mac, NULL, NULL )
                 == 0 );

    /* Zero-length additional data: NULL aad is accepted. */
    TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx, input_len, nonce,
                     NULL, 0, input, output, mac )
                 == 0 );
    TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx, input_len, nonce,
                     NULL, 0, mac, input, output )
                 == 0 );

    /* Streaming interface: starts, update_aad, update, finish. */
    TEST_ASSERT( mbedtls_chachapoly_starts( NULL, nonce, MBEDTLS_CHACHAPOLY_ENCRYPT )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_starts( &ctx, NULL, MBEDTLS_CHACHAPOLY_ENCRYPT )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );

    TEST_ASSERT( mbedtls_chachapoly_update_aad( NULL, aad, aad_len )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, NULL, aad_len )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );

    TEST_ASSERT( mbedtls_chachapoly_update( NULL, input_len, input, output )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, NULL, output )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, NULL )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );

    TEST_ASSERT( mbedtls_chachapoly_finish( NULL, mac )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
    TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, NULL )
                 == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );

exit:
    mbedtls_chachapoly_free( &ctx );
}
/* END_CASE */
 | |
| 
 | |
/*
 * State machine test for the streaming interface.
 *
 * Walks a context through init, setkey, starts, update_aad, update and
 * finish, and expects MBEDTLS_ERR_CHACHAPOLY_BAD_STATE whenever a call is
 * made out of order.
 */
/* BEGIN_CASE */
void chachapoly_state()
{
    /* All buffers start zeroed; their contents do not matter here. */
    unsigned char key[32] = { 0 };
    unsigned char nonce[12] = { 0 };
    unsigned char aad[1] = { 0 };
    unsigned char input[1] = { 0 };
    unsigned char output[1] = { 0 };
    unsigned char mac[16] = { 0 };
    size_t input_len = sizeof( input );
    size_t aad_len = sizeof( aad );
    mbedtls_chachapoly_context ctx;

    /* Freshly initialised context: no streaming call is allowed yet. */
    mbedtls_chachapoly_init( &ctx );

    TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );

    /* Setting the key does not start an operation: same three calls are
     * still rejected. */
    TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, key )
                 == 0 );

    TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );

    /* starts followed directly by finish succeeds. */
    TEST_ASSERT( mbedtls_chachapoly_starts( &ctx, nonce, MBEDTLS_CHACHAPOLY_ENCRYPT )
                 == 0 );
    TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
                 == 0 );

    /* Once finished, neither data nor additional data may be fed. */
    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );

    /* starts followed by repeated update calls succeeds. */
    TEST_ASSERT( mbedtls_chachapoly_starts( &ctx, nonce, MBEDTLS_CHACHAPOLY_ENCRYPT )
                 == 0 );
    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
                 == 0 );
    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
                 == 0 );

    /* Additional data is rejected once message data has been fed. */
    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );

    /* starts, repeated update_aad calls, then finish succeeds. */
    TEST_ASSERT( mbedtls_chachapoly_starts( &ctx, nonce, MBEDTLS_CHACHAPOLY_ENCRYPT )
                 == 0 );
    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
                 == 0 );
    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
                 == 0 );
    TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
                 == 0 );

exit:
    mbedtls_chachapoly_free( &ctx );
}
/* END_CASE */
 | |
| 
 | |
/*
 * Calls mbedtls_chachapoly_self_test() with argument 1 and expects it to
 * return 0. The case is only built when MBEDTLS_SELF_TEST is enabled.
 */
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void chachapoly_selftest()
{
    TEST_ASSERT( mbedtls_chachapoly_self_test( 1 )
                 == 0 );
}
/* END_CASE */
 |