esp-idf/components/mbedtls/test_apps/main/test_gcm.c

/*
 * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
#include <stdio.h>
#include <string.h>
#include "sys/param.h"
#include "esp_heap_caps.h"
#include "mbedtls/gcm.h"
#include "sdkconfig.h"
#include "unity.h"


#if CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER

typedef struct  {
    uint8_t *plaintext;
    size_t plaintext_length;
    uint8_t *aad_buf;
    size_t aad_length;
    uint8_t *iv;
    size_t iv_length;
    uint8_t *key;
    size_t key_bits;
    size_t tag_len;
} gcm_test_cfg_t;

typedef struct {
    const uint8_t *expected_tag;
    const uint8_t *ciphertext_last_block; // Last block of the ciphertext
} gcm_test_expected_res_t;

typedef enum {
    GCM_TEST_CRYPT_N_TAG,
    GCM_TEST_START_UPDATE_FINISH,
} gcm_test_type_t;

static void gcm_test(gcm_test_cfg_t *cfg, gcm_test_expected_res_t *res, gcm_test_type_t gcm_type)
{
    mbedtls_gcm_context ctx;
    mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_ARIA;

    uint8_t tag_buf_encrypt[16] = {};
    uint8_t tag_buf_decrypt[16] = {};
    uint8_t iv_buf[16] = {};
    uint8_t *ciphertext = malloc(cfg->plaintext_length);
    uint8_t *output = malloc(cfg->plaintext_length);
    size_t olen;

    if (cfg->plaintext_length != 0) {
        TEST_ASSERT_NOT_NULL(ciphertext);
        TEST_ASSERT_NOT_NULL(output);
    }

    memset(ciphertext, 0, cfg->plaintext_length);
    memset(output, 0, cfg->plaintext_length);
    memcpy(iv_buf, cfg->iv, cfg->iv_length);

    mbedtls_gcm_init(&ctx);
    TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher, cfg->key, cfg->key_bits) == 0);

    if (gcm_type == GCM_TEST_CRYPT_N_TAG) {
        mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT, cfg->plaintext_length, iv_buf, cfg->iv_length, cfg->aad_buf, cfg->aad_length, cfg->plaintext, ciphertext, cfg->tag_len, tag_buf_encrypt);
    } else if (gcm_type == GCM_TEST_START_UPDATE_FINISH) {
        TEST_ASSERT(mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_ENCRYPT, iv_buf, cfg->iv_length) == 0);
        TEST_ASSERT(mbedtls_gcm_update_ad(&ctx, cfg->aad_buf, cfg->aad_length) == 0);
        TEST_ASSERT(mbedtls_gcm_update(&ctx, cfg->plaintext, cfg->plaintext_length, ciphertext, cfg->plaintext_length, &olen) == 0);
        TEST_ASSERT(mbedtls_gcm_finish(&ctx, ciphertext, cfg->plaintext_length, &olen, tag_buf_encrypt, cfg->tag_len) == 0);
    }

    size_t offset = cfg->plaintext_length > 16 ? cfg->plaintext_length - 16 : 0;
    /* Sanity check: make sure the last ciphertext block matches what we expect to see. */
    TEST_ASSERT_EQUAL_HEX8_ARRAY(res->ciphertext_last_block, ciphertext + offset, MIN(16, cfg->plaintext_length));
    TEST_ASSERT_EQUAL_HEX8_ARRAY(res->expected_tag, tag_buf_encrypt, cfg->tag_len);


    if (gcm_type == GCM_TEST_CRYPT_N_TAG) {
        TEST_ASSERT(mbedtls_gcm_auth_decrypt(&ctx, cfg->plaintext_length, iv_buf, cfg->iv_length, cfg->aad_buf, cfg->aad_length, res->expected_tag, cfg->tag_len, ciphertext, output) == 0);
    } else if (gcm_type == GCM_TEST_START_UPDATE_FINISH) {
        TEST_ASSERT(mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT, iv_buf, cfg->iv_length) == 0);
        TEST_ASSERT(mbedtls_gcm_update_ad(&ctx, cfg->aad_buf, cfg->aad_length) == 0);
        TEST_ASSERT(mbedtls_gcm_update(&ctx, ciphertext, cfg->plaintext_length, output, cfg->plaintext_length, &olen) == 0);
        TEST_ASSERT(mbedtls_gcm_finish(&ctx, output, cfg->plaintext_length, &olen, tag_buf_decrypt, cfg->tag_len) == 0);

        /* mbedtls_gcm_auth_decrypt already checks tag so only needed for GCM_TEST_START_UPDATE_FINISH */
        TEST_ASSERT_EQUAL_HEX8_ARRAY(res->expected_tag, tag_buf_decrypt, cfg->tag_len);
    }

    TEST_ASSERT_EQUAL_HEX8_ARRAY(cfg->plaintext, output, cfg->plaintext_length);

    mbedtls_gcm_free(&ctx);
    free(ciphertext);
    free(output);
}


TEST_CASE("mbedtls ARIA GCM test", "[gcm]")
{
    const unsigned SZ = 1600;
    uint8_t aad[16];
    uint8_t iv[16];
    uint8_t key[16];

    const uint8_t expected_last_block[] = {
        0xbe, 0x96, 0xf1, 0x57, 0x34, 0x07, 0x3f, 0x9d,
        0x87, 0x6b, 0x39, 0x22, 0xe4, 0xef, 0xff, 0xf0,
    };
    const uint8_t expected_tag[] = {
        0xef, 0x4e, 0xa8, 0x24, 0x07, 0x65, 0x36, 0x12,
        0xb1, 0xde, 0x7e, 0x23, 0xda, 0xea, 0x7c, 0x6b,
    };

    uint8_t *plaintext = malloc(SZ);
    TEST_ASSERT_NOT_NULL(plaintext);

    memset(plaintext, 0xAA, SZ);
    memset(iv, 0xEE, 16);
    memset(key, 0x44, 16);
    memset(aad, 0x76, 16);

    gcm_test_cfg_t cfg = {
        .plaintext = plaintext,
        .plaintext_length = SZ,
        .iv = iv,
        .iv_length = sizeof(iv),
        .key = key,
        .key_bits = 8 * sizeof(key),
        .aad_buf = aad,
        .aad_length = sizeof(aad),
        .tag_len = 16
    };

    gcm_test_expected_res_t res = {
        .expected_tag = expected_tag,
        .ciphertext_last_block = expected_last_block,
    };

    gcm_test(&cfg, &res, GCM_TEST_CRYPT_N_TAG);
    gcm_test(&cfg, &res, GCM_TEST_START_UPDATE_FINISH);
    free(plaintext);
}

#endif /* CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER */