cjson
.github
workflows CI.yml ci-fuzz.yml
CONTRIBUTING.md
fuzzing
inputs test1 test10 test11 test2 test3 test3.bu test3.uf test3.uu test4 test5 test6 test7 test8 test9
.gitignore CMakeLists.txt afl-prepare-linux.sh afl.c afl.sh cjson_read_fuzzer.c fuzz_main.c json.dict ossfuzz.sh
library_config cJSONConfig.cmake.in cJSONConfigVersion.cmake.in libcjson.pc.in libcjson_utils.pc.in uninstall.cmake
tests
inputs test1 test1.expected test10 test10.expected test11 test11.expected test2 test2.expected test3 test3.expected test4 test4.expected test5 test5.expected test6 test7 test7.expected test8 test8.expected test9 test9.expected
json-patch-tests .editorconfig .gitignore .npmignore README.md cjson-utils-tests.json package.json spec_tests.json tests.json
unity
auto colour_prompt.rb colour_reporter.rb generate_config.yml generate_module.rb generate_test_runner.rb parse_output.rb stylize_as_junit.rb test_file_filter.rb type_sanitizer.rb unity_test_summary.py unity_test_summary.rb unity_to_junit.py
docs ThrowTheSwitchCodingStandard.md UnityAssertionsCheatSheetSuitableforPrintingandPossiblyFraming.pdf UnityAssertionsReference.md UnityConfigurationGuide.md UnityGettingStartedGuide.md UnityHelperScriptsGuide.md license.txt
examples
example_1
src ProductionCode.c ProductionCode.h ProductionCode2.c ProductionCode2.h
makefile readme.txt
example_2
src ProductionCode.c ProductionCode.h ProductionCode2.c ProductionCode2.h
makefile readme.txt
example_3
helper UnityHelper.c UnityHelper.h
src ProductionCode.c ProductionCode.h ProductionCode2.c ProductionCode2.h
rakefile.rb rakefile_helper.rb readme.txt target_gcc_32.yml
unity_config.h
extras
eclipse error_parsers.txt
fixture
src unity_fixture.c unity_fixture.h unity_fixture_internals.h unity_fixture_malloc_overrides.h
rakefile.rb rakefile_helper.rb readme.txt
release build.info version.info
src unity.c unity.h unity_internals.h
.gitattributes .gitignore .travis.yml README.md
CMakeLists.txt cjson_add.c common.h compare_tests.c json_patch_tests.c minify_tests.c misc_tests.c misc_utils_tests.c old_utils_tests.c parse_array.c parse_examples.c parse_hex4.c parse_number.c parse_object.c parse_string.c parse_value.c parse_with_opts.c print_array.c print_number.c print_object.c print_string.c print_value.c readme_examples.c unity_setup.c
.editorconfig .gitattributes .gitignore .travis.yml CHANGELOG.md CMakeLists.txt CONTRIBUTORS.md LICENSE Makefile README.md SECURITY.md appveyor.yml cJSON.c cJSON.h cJSON_Utils.c cJSON_Utils.h test.c valgrind.supp
curl
.circleci config.yml
.github
ISSUE_TEMPLATE bug_report.yml config.yml docs.yml
scripts cleancmd.pl cmp-config.pl cmp-pkg-config.sh codespell-ignore.words codespell.sh distfiles.sh pyspelling.words pyspelling.yaml randcurl.pl requirements-docs.txt requirements-proselint.txt requirements.txt shellcheck-ci.sh shellcheck.sh spellcheck.curl trimmarkdownheader.pl typos.sh typos.toml verify-examples.pl verify-synopsis.pl yamlcheck.sh yamlcheck.yaml
workflows appveyor-status.yml checkdocs.yml checksrc.yml checkurls.yml codeql.yml configure-vs-cmake.yml curl-for-win.yml distcheck.yml fuzz.yml http3-linux.yml label.yml linux-old.yml linux.yml macos.yml non-native.yml windows.yml
CODEOWNERS CONTRIBUTING.md FUNDING.yml dependabot.yml labeler.yml lock.yml stale.yml
CMake CurlSymbolHiding.cmake CurlTests.c FindBrotli.cmake FindCares.cmake FindGSS.cmake FindGnuTLS.cmake FindLDAP.cmake FindLibbacktrace.cmake FindLibgsasl.cmake FindLibidn2.cmake FindLibpsl.cmake FindLibssh.cmake FindLibssh2.cmake FindLibuv.cmake FindMbedTLS.cmake FindNGHTTP2.cmake FindNGHTTP3.cmake FindNGTCP2.cmake FindNettle.cmake FindQuiche.cmake FindRustls.cmake FindWolfSSL.cmake FindZstd.cmake Macros.cmake OtherTests.cmake PickyWarnings.cmake Utilities.cmake cmake_uninstall.in.cmake curl-config.in.cmake unix-cache.cmake win32-cache.cmake
LICENSES BSD-4-Clause-UC.txt ISC.txt curl.txt
docs
cmdline-opts .gitignore CMakeLists.txt MANPAGE.md Makefile.am Makefile.inc _AUTHORS.md _BUGS.md _DESCRIPTION.md _ENVIRONMENT.md _EXITCODES.md _FILES.md _GLOBBING.md _NAME.md _OPTIONS.md _OUTPUT.md _PROGRESS.md _PROTOCOLS.md _PROXYPREFIX.md _SEEALSO.md _SYNOPSIS.md _URL.md _VARIABLES.md _VERSION.md _WWW.md abstract-unix-socket.md alt-svc.md anyauth.md append.md aws-sigv4.md basic.md ca-native.md cacert.md capath.md cert-status.md cert-type.md cert.md ciphers.md compressed-ssh.md compressed.md config.md connect-timeout.md connect-to.md continue-at.md cookie-jar.md cookie.md create-dirs.md create-file-mode.md crlf.md crlfile.md curves.md data-ascii.md data-binary.md data-raw.md data-urlencode.md data.md delegation.md digest.md disable-eprt.md disable-epsv.md disable.md disallow-username-in-url.md dns-interface.md dns-ipv4-addr.md dns-ipv6-addr.md dns-servers.md doh-cert-status.md doh-insecure.md doh-url.md dump-ca-embed.md dump-header.md ech.md egd-file.md engine.md etag-compare.md etag-save.md expect100-timeout.md fail-early.md fail-with-body.md fail.md false-start.md follow.md form-escape.md form-string.md form.md ftp-account.md ftp-alternative-to-user.md ftp-create-dirs.md ftp-method.md ftp-pasv.md ftp-port.md ftp-pret.md ftp-skip-pasv-ip.md ftp-ssl-ccc-mode.md ftp-ssl-ccc.md ftp-ssl-control.md get.md globoff.md happy-eyeballs-timeout-ms.md haproxy-clientip.md haproxy-protocol.md head.md header.md help.md hostpubmd5.md hostpubsha256.md hsts.md http0.9.md http1.0.md http1.1.md http2-prior-knowledge.md http2.md http3-only.md http3.md ignore-content-length.md insecure.md interface.md ip-tos.md ipfs-gateway.md ipv4.md ipv6.md json.md junk-session-cookies.md keepalive-cnt.md keepalive-time.md key-type.md key.md knownhosts.md krb.md libcurl.md limit-rate.md list-only.md local-port.md location-trusted.md location.md login-options.md mail-auth.md mail-from.md mail-rcpt-allowfails.md mail-rcpt.md mainpage.idx manual.md max-filesize.md max-redirs.md max-time.md metalink.md 
mptcp.md negotiate.md netrc-file.md netrc-optional.md netrc.md next.md no-alpn.md no-buffer.md no-clobber.md no-keepalive.md no-npn.md no-progress-meter.md no-sessionid.md noproxy.md ntlm-wb.md ntlm.md oauth2-bearer.md out-null.md output-dir.md output.md parallel-immediate.md parallel-max-host.md parallel-max.md parallel.md pass.md path-as-is.md pinnedpubkey.md post301.md post302.md post303.md preproxy.md progress-bar.md proto-default.md proto-redir.md proto.md proxy-anyauth.md proxy-basic.md proxy-ca-native.md proxy-cacert.md proxy-capath.md proxy-cert-type.md proxy-cert.md proxy-ciphers.md proxy-crlfile.md proxy-digest.md proxy-header.md proxy-http2.md proxy-insecure.md proxy-key-type.md proxy-key.md proxy-negotiate.md proxy-ntlm.md proxy-pass.md proxy-pinnedpubkey.md proxy-service-name.md proxy-ssl-allow-beast.md proxy-ssl-auto-client-cert.md proxy-tls13-ciphers.md proxy-tlsauthtype.md proxy-tlspassword.md proxy-tlsuser.md proxy-tlsv1.md proxy-user.md proxy.md proxy1.0.md proxytunnel.md pubkey.md quote.md random-file.md range.md rate.md raw.md referer.md remote-header-name.md remote-name-all.md remote-name.md remote-time.md remove-on-error.md request-target.md request.md resolve.md retry-all-errors.md retry-connrefused.md retry-delay.md retry-max-time.md retry.md sasl-authzid.md sasl-ir.md service-name.md show-error.md show-headers.md sigalgs.md silent.md skip-existing.md socks4.md socks4a.md socks5-basic.md socks5-gssapi-nec.md socks5-gssapi-service.md socks5-gssapi.md socks5-hostname.md socks5.md speed-limit.md speed-time.md ssl-allow-beast.md ssl-auto-client-cert.md ssl-no-revoke.md ssl-reqd.md ssl-revoke-best-effort.md ssl-sessions.md ssl.md sslv2.md sslv3.md stderr.md styled-output.md suppress-connect-headers.md tcp-fastopen.md tcp-nodelay.md telnet-option.md tftp-blksize.md tftp-no-options.md time-cond.md tls-earlydata.md tls-max.md tls13-ciphers.md tlsauthtype.md tlspassword.md tlsuser.md tlsv1.0.md tlsv1.1.md tlsv1.2.md tlsv1.3.md tlsv1.md tr-encoding.md 
trace-ascii.md trace-config.md trace-ids.md trace-time.md trace.md unix-socket.md upload-file.md upload-flags.md url-query.md url.md use-ascii.md user-agent.md user.md variable.md verbose.md version.md vlan-priority.md write-out.md xattr.md
examples .checksrc .gitignore 10-at-a-time.c CMakeLists.txt Makefile.am Makefile.example Makefile.inc README.md adddocsref.pl address-scope.c altsvc.c anyauthput.c block_ip.c cacertinmem.c certinfo.c chkspeed.c connect-to.c cookie_interface.c crawler.c debug.c default-scheme.c ephiperfifo.c evhiperfifo.c externalsocket.c fileupload.c ftp-delete.c ftp-wildcard.c ftpget.c ftpgetinfo.c ftpgetresp.c ftpsget.c ftpupload.c ftpuploadfrommem.c ftpuploadresume.c getinfo.c getinmemory.c getredirect.c getreferrer.c ghiper.c headerapi.c hiperfifo.c hsts-preload.c htmltidy.c htmltitle.cpp http-options.c http-post.c http2-download.c http2-pushinmemory.c http2-serverpush.c http2-upload.c http3-present.c http3.c httpcustomheader.c httpput-postfields.c httpput.c https.c imap-append.c imap-authzid.c imap-copy.c imap-create.c imap-delete.c imap-examine.c imap-fetch.c imap-list.c imap-lsub.c imap-multi.c imap-noop.c imap-search.c imap-ssl.c imap-store.c imap-tls.c interface.c ipv6.c keepalive.c localport.c log_failed_transfers.c maxconnects.c multi-app.c multi-debugcallback.c multi-double.c multi-event.c multi-formadd.c multi-legacy.c multi-post.c multi-single.c multi-uv.c netrc.c parseurl.c persistent.c pop3-authzid.c pop3-dele.c pop3-list.c pop3-multi.c pop3-noop.c pop3-retr.c pop3-ssl.c pop3-stat.c pop3-tls.c pop3-top.c pop3-uidl.c post-callback.c postinmemory.c postit2-formadd.c postit2.c progressfunc.c protofeats.c range.c resolve.c rtsp-options.c sendrecv.c sepheaders.c sessioninfo.c sftpget.c sftpuploadresume.c shared-connection-cache.c simple.c simplepost.c simplessl.c smooth-gtk-thread.c smtp-authzid.c smtp-expn.c smtp-mail.c smtp-mime.c smtp-multi.c smtp-ssl.c smtp-tls.c smtp-vrfy.c sslbackend.c synctime.c threaded.c unixsocket.c url2file.c urlapi.c usercertinmem.c version-check.pl websocket-cb.c websocket-updown.c websocket.c xmlstream.c
internals BUFQ.md BUFREF.md CHECKSRC.md CLIENT-READERS.md CLIENT-WRITERS.md CODE_STYLE.md CONNECTION-FILTERS.md CREDENTIALS.md CURLX.md DYNBUF.md HASH.md LLIST.md MID.md MQTT.md MULTI-EV.md NEW-PROTOCOL.md PEERS.md PORTING.md RATELIMITS.md README.md SCORECARD.md SPLAY.md STRPARSE.md THRDPOOL-AND-QUEUE.md TIME-KEEPING.md TLS-SESSIONS.md UINT_SETS.md WEBSOCKET.md
libcurl
opts CMakeLists.txt CURLINFO_ACTIVESOCKET.md CURLINFO_APPCONNECT_TIME.md CURLINFO_APPCONNECT_TIME_T.md CURLINFO_CAINFO.md CURLINFO_CAPATH.md CURLINFO_CERTINFO.md CURLINFO_CONDITION_UNMET.md CURLINFO_CONNECT_TIME.md CURLINFO_CONNECT_TIME_T.md CURLINFO_CONN_ID.md CURLINFO_CONTENT_LENGTH_DOWNLOAD.md CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md CURLINFO_CONTENT_LENGTH_UPLOAD.md CURLINFO_CONTENT_LENGTH_UPLOAD_T.md CURLINFO_CONTENT_TYPE.md CURLINFO_COOKIELIST.md CURLINFO_EARLYDATA_SENT_T.md CURLINFO_EFFECTIVE_METHOD.md CURLINFO_EFFECTIVE_URL.md CURLINFO_FILETIME.md CURLINFO_FILETIME_T.md CURLINFO_FTP_ENTRY_PATH.md CURLINFO_HEADER_SIZE.md CURLINFO_HTTPAUTH_AVAIL.md CURLINFO_HTTPAUTH_USED.md CURLINFO_HTTP_CONNECTCODE.md CURLINFO_HTTP_VERSION.md CURLINFO_LASTSOCKET.md CURLINFO_LOCAL_IP.md CURLINFO_LOCAL_PORT.md CURLINFO_NAMELOOKUP_TIME.md CURLINFO_NAMELOOKUP_TIME_T.md CURLINFO_NUM_CONNECTS.md CURLINFO_OS_ERRNO.md CURLINFO_POSTTRANSFER_TIME_T.md CURLINFO_PRETRANSFER_TIME.md CURLINFO_PRETRANSFER_TIME_T.md CURLINFO_PRIMARY_IP.md CURLINFO_PRIMARY_PORT.md CURLINFO_PRIVATE.md CURLINFO_PROTOCOL.md CURLINFO_PROXYAUTH_AVAIL.md CURLINFO_PROXYAUTH_USED.md CURLINFO_PROXY_ERROR.md CURLINFO_PROXY_SSL_VERIFYRESULT.md CURLINFO_QUEUE_TIME_T.md CURLINFO_REDIRECT_COUNT.md CURLINFO_REDIRECT_TIME.md CURLINFO_REDIRECT_TIME_T.md CURLINFO_REDIRECT_URL.md CURLINFO_REFERER.md CURLINFO_REQUEST_SIZE.md CURLINFO_RESPONSE_CODE.md CURLINFO_RETRY_AFTER.md CURLINFO_RTSP_CLIENT_CSEQ.md CURLINFO_RTSP_CSEQ_RECV.md CURLINFO_RTSP_SERVER_CSEQ.md CURLINFO_RTSP_SESSION_ID.md CURLINFO_SCHEME.md CURLINFO_SIZE_DELIVERED.md CURLINFO_SIZE_DOWNLOAD.md CURLINFO_SIZE_DOWNLOAD_T.md CURLINFO_SIZE_UPLOAD.md CURLINFO_SIZE_UPLOAD_T.md CURLINFO_SPEED_DOWNLOAD.md CURLINFO_SPEED_DOWNLOAD_T.md CURLINFO_SPEED_UPLOAD.md CURLINFO_SPEED_UPLOAD_T.md CURLINFO_SSL_ENGINES.md CURLINFO_SSL_VERIFYRESULT.md CURLINFO_STARTTRANSFER_TIME.md CURLINFO_STARTTRANSFER_TIME_T.md CURLINFO_TLS_SESSION.md CURLINFO_TLS_SSL_PTR.md CURLINFO_TOTAL_TIME.md 
CURLINFO_TOTAL_TIME_T.md CURLINFO_USED_PROXY.md CURLINFO_XFER_ID.md CURLMINFO_XFERS_ADDED.md CURLMINFO_XFERS_CURRENT.md CURLMINFO_XFERS_DONE.md CURLMINFO_XFERS_PENDING.md CURLMINFO_XFERS_RUNNING.md CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE.md CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE.md CURLMOPT_MAXCONNECTS.md CURLMOPT_MAX_CONCURRENT_STREAMS.md CURLMOPT_MAX_HOST_CONNECTIONS.md CURLMOPT_MAX_PIPELINE_LENGTH.md CURLMOPT_MAX_TOTAL_CONNECTIONS.md CURLMOPT_NETWORK_CHANGED.md CURLMOPT_NOTIFYDATA.md CURLMOPT_NOTIFYFUNCTION.md CURLMOPT_PIPELINING.md CURLMOPT_PIPELINING_SERVER_BL.md CURLMOPT_PIPELINING_SITE_BL.md CURLMOPT_PUSHDATA.md CURLMOPT_PUSHFUNCTION.md CURLMOPT_QUICK_EXIT.md CURLMOPT_RESOLVE_THREADS_MAX.md CURLMOPT_SOCKETDATA.md CURLMOPT_SOCKETFUNCTION.md CURLMOPT_TIMERDATA.md CURLMOPT_TIMERFUNCTION.md CURLOPT_ABSTRACT_UNIX_SOCKET.md CURLOPT_ACCEPTTIMEOUT_MS.md CURLOPT_ACCEPT_ENCODING.md CURLOPT_ADDRESS_SCOPE.md CURLOPT_ALTSVC.md CURLOPT_ALTSVC_CTRL.md CURLOPT_APPEND.md CURLOPT_AUTOREFERER.md CURLOPT_AWS_SIGV4.md CURLOPT_BUFFERSIZE.md CURLOPT_CAINFO.md CURLOPT_CAINFO_BLOB.md CURLOPT_CAPATH.md CURLOPT_CA_CACHE_TIMEOUT.md CURLOPT_CERTINFO.md CURLOPT_CHUNK_BGN_FUNCTION.md CURLOPT_CHUNK_DATA.md CURLOPT_CHUNK_END_FUNCTION.md CURLOPT_CLOSESOCKETDATA.md CURLOPT_CLOSESOCKETFUNCTION.md CURLOPT_CONNECTTIMEOUT.md CURLOPT_CONNECTTIMEOUT_MS.md CURLOPT_CONNECT_ONLY.md CURLOPT_CONNECT_TO.md CURLOPT_CONV_FROM_NETWORK_FUNCTION.md CURLOPT_CONV_FROM_UTF8_FUNCTION.md CURLOPT_CONV_TO_NETWORK_FUNCTION.md CURLOPT_COOKIE.md CURLOPT_COOKIEFILE.md CURLOPT_COOKIEJAR.md CURLOPT_COOKIELIST.md CURLOPT_COOKIESESSION.md CURLOPT_COPYPOSTFIELDS.md CURLOPT_CRLF.md CURLOPT_CRLFILE.md CURLOPT_CURLU.md CURLOPT_CUSTOMREQUEST.md CURLOPT_DEBUGDATA.md CURLOPT_DEBUGFUNCTION.md CURLOPT_DEFAULT_PROTOCOL.md CURLOPT_DIRLISTONLY.md CURLOPT_DISALLOW_USERNAME_IN_URL.md CURLOPT_DNS_CACHE_TIMEOUT.md CURLOPT_DNS_INTERFACE.md CURLOPT_DNS_LOCAL_IP4.md CURLOPT_DNS_LOCAL_IP6.md CURLOPT_DNS_SERVERS.md CURLOPT_DNS_SHUFFLE_ADDRESSES.md 
CURLOPT_DNS_USE_GLOBAL_CACHE.md CURLOPT_DOH_SSL_VERIFYHOST.md CURLOPT_DOH_SSL_VERIFYPEER.md CURLOPT_DOH_SSL_VERIFYSTATUS.md CURLOPT_DOH_URL.md CURLOPT_ECH.md CURLOPT_EGDSOCKET.md CURLOPT_ERRORBUFFER.md CURLOPT_EXPECT_100_TIMEOUT_MS.md CURLOPT_FAILONERROR.md CURLOPT_FILETIME.md CURLOPT_FNMATCH_DATA.md CURLOPT_FNMATCH_FUNCTION.md CURLOPT_FOLLOWLOCATION.md CURLOPT_FORBID_REUSE.md CURLOPT_FRESH_CONNECT.md CURLOPT_FTPPORT.md CURLOPT_FTPSSLAUTH.md CURLOPT_FTP_ACCOUNT.md CURLOPT_FTP_ALTERNATIVE_TO_USER.md CURLOPT_FTP_CREATE_MISSING_DIRS.md CURLOPT_FTP_FILEMETHOD.md CURLOPT_FTP_SKIP_PASV_IP.md CURLOPT_FTP_SSL_CCC.md CURLOPT_FTP_USE_EPRT.md CURLOPT_FTP_USE_EPSV.md CURLOPT_FTP_USE_PRET.md CURLOPT_GSSAPI_DELEGATION.md CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.md CURLOPT_HAPROXYPROTOCOL.md CURLOPT_HAPROXY_CLIENT_IP.md CURLOPT_HEADER.md CURLOPT_HEADERDATA.md CURLOPT_HEADERFUNCTION.md CURLOPT_HEADEROPT.md CURLOPT_HSTS.md CURLOPT_HSTSREADDATA.md CURLOPT_HSTSREADFUNCTION.md CURLOPT_HSTSWRITEDATA.md CURLOPT_HSTSWRITEFUNCTION.md CURLOPT_HSTS_CTRL.md CURLOPT_HTTP09_ALLOWED.md CURLOPT_HTTP200ALIASES.md CURLOPT_HTTPAUTH.md CURLOPT_HTTPGET.md CURLOPT_HTTPHEADER.md CURLOPT_HTTPPOST.md CURLOPT_HTTPPROXYTUNNEL.md CURLOPT_HTTP_CONTENT_DECODING.md CURLOPT_HTTP_TRANSFER_DECODING.md CURLOPT_HTTP_VERSION.md CURLOPT_IGNORE_CONTENT_LENGTH.md CURLOPT_INFILESIZE.md CURLOPT_INFILESIZE_LARGE.md CURLOPT_INTERFACE.md CURLOPT_INTERLEAVEDATA.md CURLOPT_INTERLEAVEFUNCTION.md CURLOPT_IOCTLDATA.md CURLOPT_IOCTLFUNCTION.md CURLOPT_IPRESOLVE.md CURLOPT_ISSUERCERT.md CURLOPT_ISSUERCERT_BLOB.md CURLOPT_KEEP_SENDING_ON_ERROR.md CURLOPT_KEYPASSWD.md CURLOPT_KRBLEVEL.md CURLOPT_LOCALPORT.md CURLOPT_LOCALPORTRANGE.md CURLOPT_LOGIN_OPTIONS.md CURLOPT_LOW_SPEED_LIMIT.md CURLOPT_LOW_SPEED_TIME.md CURLOPT_MAIL_AUTH.md CURLOPT_MAIL_FROM.md CURLOPT_MAIL_RCPT.md CURLOPT_MAIL_RCPT_ALLOWFAILS.md CURLOPT_MAXAGE_CONN.md CURLOPT_MAXCONNECTS.md CURLOPT_MAXFILESIZE.md CURLOPT_MAXFILESIZE_LARGE.md CURLOPT_MAXLIFETIME_CONN.md 
CURLOPT_MAXREDIRS.md CURLOPT_MAX_RECV_SPEED_LARGE.md CURLOPT_MAX_SEND_SPEED_LARGE.md CURLOPT_MIMEPOST.md CURLOPT_MIME_OPTIONS.md CURLOPT_NETRC.md CURLOPT_NETRC_FILE.md CURLOPT_NEW_DIRECTORY_PERMS.md CURLOPT_NEW_FILE_PERMS.md CURLOPT_NOBODY.md CURLOPT_NOPROGRESS.md CURLOPT_NOPROXY.md CURLOPT_NOSIGNAL.md CURLOPT_OPENSOCKETDATA.md CURLOPT_OPENSOCKETFUNCTION.md CURLOPT_PASSWORD.md CURLOPT_PATH_AS_IS.md CURLOPT_PINNEDPUBLICKEY.md CURLOPT_PIPEWAIT.md CURLOPT_PORT.md CURLOPT_POST.md CURLOPT_POSTFIELDS.md CURLOPT_POSTFIELDSIZE.md CURLOPT_POSTFIELDSIZE_LARGE.md CURLOPT_POSTQUOTE.md CURLOPT_POSTREDIR.md CURLOPT_PREQUOTE.md CURLOPT_PREREQDATA.md CURLOPT_PREREQFUNCTION.md CURLOPT_PRE_PROXY.md CURLOPT_PRIVATE.md CURLOPT_PROGRESSDATA.md CURLOPT_PROGRESSFUNCTION.md CURLOPT_PROTOCOLS.md CURLOPT_PROTOCOLS_STR.md CURLOPT_PROXY.md CURLOPT_PROXYAUTH.md CURLOPT_PROXYHEADER.md CURLOPT_PROXYPASSWORD.md CURLOPT_PROXYPORT.md CURLOPT_PROXYTYPE.md CURLOPT_PROXYUSERNAME.md CURLOPT_PROXYUSERPWD.md CURLOPT_PROXY_CAINFO.md CURLOPT_PROXY_CAINFO_BLOB.md CURLOPT_PROXY_CAPATH.md CURLOPT_PROXY_CRLFILE.md CURLOPT_PROXY_ISSUERCERT.md CURLOPT_PROXY_ISSUERCERT_BLOB.md CURLOPT_PROXY_KEYPASSWD.md CURLOPT_PROXY_PINNEDPUBLICKEY.md CURLOPT_PROXY_SERVICE_NAME.md CURLOPT_PROXY_SSLCERT.md CURLOPT_PROXY_SSLCERTTYPE.md CURLOPT_PROXY_SSLCERT_BLOB.md CURLOPT_PROXY_SSLKEY.md CURLOPT_PROXY_SSLKEYTYPE.md CURLOPT_PROXY_SSLKEY_BLOB.md CURLOPT_PROXY_SSLVERSION.md CURLOPT_PROXY_SSL_CIPHER_LIST.md CURLOPT_PROXY_SSL_OPTIONS.md CURLOPT_PROXY_SSL_VERIFYHOST.md CURLOPT_PROXY_SSL_VERIFYPEER.md CURLOPT_PROXY_TLS13_CIPHERS.md CURLOPT_PROXY_TLSAUTH_PASSWORD.md CURLOPT_PROXY_TLSAUTH_TYPE.md CURLOPT_PROXY_TLSAUTH_USERNAME.md CURLOPT_PROXY_TRANSFER_MODE.md CURLOPT_PUT.md CURLOPT_QUICK_EXIT.md CURLOPT_QUOTE.md CURLOPT_RANDOM_FILE.md CURLOPT_RANGE.md CURLOPT_READDATA.md CURLOPT_READFUNCTION.md CURLOPT_REDIR_PROTOCOLS.md CURLOPT_REDIR_PROTOCOLS_STR.md CURLOPT_REFERER.md CURLOPT_REQUEST_TARGET.md CURLOPT_RESOLVE.md 
CURLOPT_RESOLVER_START_DATA.md CURLOPT_RESOLVER_START_FUNCTION.md CURLOPT_RESUME_FROM.md CURLOPT_RESUME_FROM_LARGE.md CURLOPT_RTSP_CLIENT_CSEQ.md CURLOPT_RTSP_REQUEST.md CURLOPT_RTSP_SERVER_CSEQ.md CURLOPT_RTSP_SESSION_ID.md CURLOPT_RTSP_STREAM_URI.md CURLOPT_RTSP_TRANSPORT.md CURLOPT_SASL_AUTHZID.md CURLOPT_SASL_IR.md CURLOPT_SEEKDATA.md CURLOPT_SEEKFUNCTION.md CURLOPT_SERVER_RESPONSE_TIMEOUT.md CURLOPT_SERVER_RESPONSE_TIMEOUT_MS.md CURLOPT_SERVICE_NAME.md CURLOPT_SHARE.md CURLOPT_SOCKOPTDATA.md CURLOPT_SOCKOPTFUNCTION.md CURLOPT_SOCKS5_AUTH.md CURLOPT_SOCKS5_GSSAPI_NEC.md CURLOPT_SOCKS5_GSSAPI_SERVICE.md CURLOPT_SSH_AUTH_TYPES.md CURLOPT_SSH_COMPRESSION.md CURLOPT_SSH_HOSTKEYDATA.md CURLOPT_SSH_HOSTKEYFUNCTION.md CURLOPT_SSH_HOST_PUBLIC_KEY_MD5.md CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256.md CURLOPT_SSH_KEYDATA.md CURLOPT_SSH_KEYFUNCTION.md CURLOPT_SSH_KNOWNHOSTS.md CURLOPT_SSH_PRIVATE_KEYFILE.md CURLOPT_SSH_PUBLIC_KEYFILE.md CURLOPT_SSLCERT.md CURLOPT_SSLCERTTYPE.md CURLOPT_SSLCERT_BLOB.md CURLOPT_SSLENGINE.md CURLOPT_SSLENGINE_DEFAULT.md CURLOPT_SSLKEY.md CURLOPT_SSLKEYTYPE.md CURLOPT_SSLKEY_BLOB.md CURLOPT_SSLVERSION.md CURLOPT_SSL_CIPHER_LIST.md CURLOPT_SSL_CTX_DATA.md CURLOPT_SSL_CTX_FUNCTION.md CURLOPT_SSL_EC_CURVES.md CURLOPT_SSL_ENABLE_ALPN.md CURLOPT_SSL_ENABLE_NPN.md CURLOPT_SSL_FALSESTART.md CURLOPT_SSL_OPTIONS.md CURLOPT_SSL_SESSIONID_CACHE.md CURLOPT_SSL_SIGNATURE_ALGORITHMS.md CURLOPT_SSL_VERIFYHOST.md CURLOPT_SSL_VERIFYPEER.md CURLOPT_SSL_VERIFYSTATUS.md CURLOPT_STDERR.md CURLOPT_STREAM_DEPENDS.md CURLOPT_STREAM_DEPENDS_E.md CURLOPT_STREAM_WEIGHT.md CURLOPT_SUPPRESS_CONNECT_HEADERS.md CURLOPT_TCP_FASTOPEN.md CURLOPT_TCP_KEEPALIVE.md CURLOPT_TCP_KEEPCNT.md CURLOPT_TCP_KEEPIDLE.md CURLOPT_TCP_KEEPINTVL.md CURLOPT_TCP_NODELAY.md CURLOPT_TELNETOPTIONS.md CURLOPT_TFTP_BLKSIZE.md CURLOPT_TFTP_NO_OPTIONS.md CURLOPT_TIMECONDITION.md CURLOPT_TIMEOUT.md CURLOPT_TIMEOUT_MS.md CURLOPT_TIMEVALUE.md CURLOPT_TIMEVALUE_LARGE.md CURLOPT_TLS13_CIPHERS.md 
CURLOPT_TLSAUTH_PASSWORD.md CURLOPT_TLSAUTH_TYPE.md CURLOPT_TLSAUTH_USERNAME.md CURLOPT_TRAILERDATA.md CURLOPT_TRAILERFUNCTION.md CURLOPT_TRANSFERTEXT.md CURLOPT_TRANSFER_ENCODING.md CURLOPT_UNIX_SOCKET_PATH.md CURLOPT_UNRESTRICTED_AUTH.md CURLOPT_UPKEEP_INTERVAL_MS.md CURLOPT_UPLOAD.md CURLOPT_UPLOAD_BUFFERSIZE.md CURLOPT_UPLOAD_FLAGS.md CURLOPT_URL.md CURLOPT_USERAGENT.md CURLOPT_USERNAME.md CURLOPT_USERPWD.md CURLOPT_USE_SSL.md CURLOPT_VERBOSE.md CURLOPT_WILDCARDMATCH.md CURLOPT_WRITEDATA.md CURLOPT_WRITEFUNCTION.md CURLOPT_WS_OPTIONS.md CURLOPT_XFERINFODATA.md CURLOPT_XFERINFOFUNCTION.md CURLOPT_XOAUTH2_BEARER.md CURLSHOPT_LOCKFUNC.md CURLSHOPT_SHARE.md CURLSHOPT_UNLOCKFUNC.md CURLSHOPT_UNSHARE.md CURLSHOPT_USERDATA.md Makefile.am Makefile.inc
.gitignore ABI.md CMakeLists.txt Makefile.am Makefile.inc curl_easy_cleanup.md curl_easy_duphandle.md curl_easy_escape.md curl_easy_getinfo.md curl_easy_header.md curl_easy_init.md curl_easy_nextheader.md curl_easy_option_by_id.md curl_easy_option_by_name.md curl_easy_option_next.md curl_easy_pause.md curl_easy_perform.md curl_easy_recv.md curl_easy_reset.md curl_easy_send.md curl_easy_setopt.md curl_easy_ssls_export.md curl_easy_ssls_import.md curl_easy_strerror.md curl_easy_unescape.md curl_easy_upkeep.md curl_escape.md curl_formadd.md curl_formfree.md curl_formget.md curl_free.md curl_getdate.md curl_getenv.md curl_global_cleanup.md curl_global_init.md curl_global_init_mem.md curl_global_sslset.md curl_global_trace.md curl_mime_addpart.md curl_mime_data.md curl_mime_data_cb.md curl_mime_encoder.md curl_mime_filedata.md curl_mime_filename.md curl_mime_free.md curl_mime_headers.md curl_mime_init.md curl_mime_name.md curl_mime_subparts.md curl_mime_type.md curl_mprintf.md curl_multi_add_handle.md curl_multi_assign.md curl_multi_cleanup.md curl_multi_fdset.md curl_multi_get_handles.md curl_multi_get_offt.md curl_multi_info_read.md curl_multi_init.md curl_multi_notify_disable.md curl_multi_notify_enable.md curl_multi_perform.md curl_multi_poll.md curl_multi_remove_handle.md curl_multi_setopt.md curl_multi_socket.md curl_multi_socket_action.md curl_multi_socket_all.md curl_multi_strerror.md curl_multi_timeout.md curl_multi_wait.md curl_multi_waitfds.md curl_multi_wakeup.md curl_pushheader_byname.md curl_pushheader_bynum.md curl_share_cleanup.md curl_share_init.md curl_share_setopt.md curl_share_strerror.md curl_slist_append.md curl_slist_free_all.md curl_strequal.md curl_strnequal.md curl_unescape.md curl_url.md curl_url_cleanup.md curl_url_dup.md curl_url_get.md curl_url_set.md curl_url_strerror.md curl_version.md curl_version_info.md curl_ws_meta.md curl_ws_recv.md curl_ws_send.md curl_ws_start_frame.md libcurl-easy.md libcurl-env-dbg.md libcurl-env.md 
libcurl-errors.md libcurl-multi.md libcurl-security.md libcurl-share.md libcurl-thread.md libcurl-tutorial.md libcurl-url.md libcurl-ws.md libcurl.m4 libcurl.md mksymbolsmanpage.pl symbols-in-versions symbols.pl
tests CI.md FILEFORMAT.md HTTP.md TEST-SUITE.md
.gitignore ALTSVC.md BINDINGS.md BUG-BOUNTY.md BUGS.md CIPHERS-TLS12.md CIPHERS.md CMakeLists.txt CODE_OF_CONDUCT.md CODE_REVIEW.md CONTRIBUTE.md CURL-DISABLE.md CURLDOWN.md DEPRECATE.md DISTROS.md EARLY-RELEASE.md ECH.md EXPERIMENTAL.md FAQ.md FEATURES.md GOVERNANCE.md HELP-US.md HISTORY.md HSTS.md HTTP-COOKIES.md HTTP3.md HTTPSRR.md INFRASTRUCTURE.md INSTALL-CMAKE.md INSTALL.md INTERNALS.md IPFS.md KNOWN_BUGS.md KNOWN_RISKS.md MAIL-ETIQUETTE.md MANUAL.md Makefile.am README.md RELEASE-PROCEDURE.md ROADMAP.md RUSTLS.md SECURITY-ADVISORY.md SPONSORS.md SSL-PROBLEMS.md SSLCERTS.md THANKS THANKS-filter TODO.md TheArtOfHttpScripting.md URL-SYNTAX.md VERIFY.md VERSIONS.md VULN-DISCLOSURE-POLICY.md curl-config.md mk-ca-bundle.md options-in-versions runtests.md testcurl.md wcurl.md
include
curl Makefile.am curl.h curlver.h easy.h header.h mprintf.h multi.h options.h stdcheaders.h system.h typecheck-gcc.h urlapi.h websockets.h
Makefile.am README.md
lib
curlx base64.c base64.h basename.c basename.h dynbuf.c dynbuf.h fopen.c fopen.h inet_ntop.c inet_ntop.h inet_pton.c inet_pton.h multibyte.c multibyte.h nonblock.c nonblock.h snprintf.c snprintf.h strcopy.c strcopy.h strdup.c strdup.h strerr.c strerr.h strparse.c strparse.h timediff.c timediff.h timeval.c timeval.h version_win32.c version_win32.h wait.c wait.h warnless.c warnless.h winapi.c winapi.h
vauth cleartext.c cram.c digest.c digest.h digest_sspi.c gsasl.c krb5_gssapi.c krb5_sspi.c ntlm.c ntlm_sspi.c oauth2.c spnego_gssapi.c spnego_sspi.c vauth.c vauth.h
vquic curl_ngtcp2.c curl_ngtcp2.h curl_quiche.c curl_quiche.h vquic-tls.c vquic-tls.h vquic.c vquic.h vquic_int.h
vssh libssh.c libssh2.c ssh.h vssh.c vssh.h
vtls apple.c apple.h cipher_suite.c cipher_suite.h gtls.c gtls.h hostcheck.c hostcheck.h keylog.c keylog.h mbedtls.c mbedtls.h openssl.c openssl.h rustls.c rustls.h schannel.c schannel.h schannel_int.h schannel_verify.c vtls.c vtls.h vtls_int.h vtls_scache.c vtls_scache.h vtls_spack.c vtls_spack.h wolfssl.c wolfssl.h x509asn1.c x509asn1.h
.gitignore CMakeLists.txt Makefile.am Makefile.inc Makefile.soname altsvc.c altsvc.h amigaos.c amigaos.h arpa_telnet.h asyn-ares.c asyn-base.c asyn-thrdd.c asyn.h bufq.c bufq.h bufref.c bufref.h cf-dns.c cf-dns.h cf-h1-proxy.c cf-h1-proxy.h cf-h2-proxy.c cf-h2-proxy.h cf-haproxy.c cf-haproxy.h cf-https-connect.c cf-https-connect.h cf-ip-happy.c cf-ip-happy.h cf-socket.c cf-socket.h cfilters.c cfilters.h config-mac.h config-os400.h config-riscos.h config-win32.h conncache.c conncache.h connect.c connect.h content_encoding.c content_encoding.h cookie.c cookie.h creds.c creds.h cshutdn.c cshutdn.h curl_addrinfo.c curl_addrinfo.h curl_config-cmake.h.in curl_ctype.h curl_endian.c curl_endian.h curl_fnmatch.c curl_fnmatch.h curl_fopen.c curl_fopen.h curl_get_line.c curl_get_line.h curl_gethostname.c curl_gethostname.h curl_gssapi.c curl_gssapi.h curl_hmac.h curl_ldap.h curl_md4.h curl_md5.h curl_memrchr.c curl_memrchr.h curl_ntlm_core.c curl_ntlm_core.h curl_printf.h curl_range.c curl_range.h curl_sasl.c curl_sasl.h curl_setup.h curl_sha256.h curl_sha512_256.c curl_sha512_256.h curl_share.c curl_share.h curl_sspi.c curl_sspi.h curl_threads.c curl_threads.h curl_trc.c curl_trc.h cw-out.c cw-out.h cw-pause.c cw-pause.h dict.c dict.h dllmain.c dnscache.c dnscache.h doh.c doh.h dynhds.c dynhds.h easy.c easy_lock.h easygetopt.c easyif.h easyoptions.c easyoptions.h escape.c escape.h fake_addrinfo.c fake_addrinfo.h file.c file.h fileinfo.c fileinfo.h formdata.c formdata.h ftp-int.h ftp.c ftp.h ftplistparser.c ftplistparser.h functypes.h getenv.c getinfo.c getinfo.h gopher.c gopher.h hash.c hash.h headers.c headers.h hmac.c hostip.c hostip.h hostip4.c hostip6.c hsts.c hsts.h http.c http.h http1.c http1.h http2.c http2.h http_aws_sigv4.c http_aws_sigv4.h http_chunks.c http_chunks.h http_digest.c http_digest.h http_negotiate.c http_negotiate.h http_ntlm.c http_ntlm.h http_proxy.c http_proxy.h httpsrr.c httpsrr.h idn.c idn.h if2ip.c if2ip.h imap.c imap.h ldap.c libcurl.def 
libcurl.rc libcurl.vers.in llist.c llist.h macos.c macos.h md4.c md5.c memdebug.c mime.c mime.h mprintf.c mqtt.c mqtt.h multi.c multi_ev.c multi_ev.h multi_ntfy.c multi_ntfy.h multihandle.h multiif.h netrc.c netrc.h noproxy.c noproxy.h openldap.c optiontable.pl parsedate.c parsedate.h peer.c peer.h pingpong.c pingpong.h pop3.c pop3.h progress.c progress.h protocol.c protocol.h psl.c psl.h rand.c rand.h ratelimit.c ratelimit.h request.c request.h rtsp.c rtsp.h select.c select.h sendf.c sendf.h setopt.c setopt.h setup-os400.h setup-vms.h setup-win32.h sha256.c sigpipe.h slist.c slist.h smb.c smb.h smtp.c smtp.h sockaddr.h socketpair.c socketpair.h socks.c socks.h socks_gssapi.c socks_sspi.c splay.c splay.h strcase.c strcase.h strequal.c strerror.c strerror.h system_win32.c system_win32.h telnet.c telnet.h tftp.c tftp.h thrdpool.c thrdpool.h thrdqueue.c thrdqueue.h transfer.c transfer.h uint-bset.c uint-bset.h uint-hash.c uint-hash.h uint-spbset.c uint-spbset.h uint-table.c uint-table.h url.c url.h urlapi-int.h urlapi.c urldata.h version.c ws.c ws.h
m4 .gitignore curl-amissl.m4 curl-apple-sectrust.m4 curl-compilers.m4 curl-confopts.m4 curl-functions.m4 curl-gnutls.m4 curl-mbedtls.m4 curl-openssl.m4 curl-override.m4 curl-reentrant.m4 curl-rustls.m4 curl-schannel.m4 curl-sysconfig.m4 curl-wolfssl.m4 xc-am-iface.m4 xc-cc-check.m4 xc-lt-iface.m4 xc-val-flgs.m4 zz40-xc-ovr.m4 zz50-xc-ovr.m4
projects
OS400
rpg-examples HEADERAPI HTTPPOST INMEMORY SIMPLE1 SIMPLE2 SMTPSRCMBR
.checksrc README.OS400 ccsidcurl.c ccsidcurl.h config400.default curl.cmd curl.inc.in curlcl.c curlmain.c initscript.sh make-docs.sh make-include.sh make-lib.sh make-src.sh make-tests.sh makefile.sh os400sys.c os400sys.h
Windows
tmpl .gitattributes README.txt curl-all.sln curl.sln curl.vcxproj curl.vcxproj.filters libcurl.sln libcurl.vcxproj libcurl.vcxproj.filters
.gitignore README.md generate.bat
vms Makefile.am backup_gnv_curl_src.com build_curl-config_script.com build_gnv_curl.com build_gnv_curl_pcsi_desc.com build_gnv_curl_pcsi_text.com build_gnv_curl_release_notes.com build_libcurl_pc.com build_vms.com clean_gnv_curl.com compare_curl_source.com config_h.com curl_crtl_init.c curl_gnv_build_steps.txt curl_release_note_start.txt curl_startup.com curlmsg.h curlmsg.msg curlmsg.sdl curlmsg_vms.h generate_config_vms_h_curl.com generate_vax_transfer.com gnv_conftest.c_first gnv_curl_configure.sh gnv_libcurl_symbols.opt gnv_link_curl.com macro32_exactcase.patch make_gnv_curl_install.sh make_pcsi_curl_kit_name.com pcsi_gnv_curl_file_list.txt pcsi_product_gnv_curl.com readme report_openssl_version.c setup_gnv_curl_build.com stage_curl_install.com vms_eco_level.h
Makefile.am README.md
scripts .checksrc CMakeLists.txt Makefile.am badwords badwords-all badwords.txt cd2cd cd2nroff cdall checksrc-all.pl checksrc.pl cmakelint.sh completion.pl contributors.sh contrithanks.sh coverage.sh delta dmaketgz extract-unit-protos firefox-db2pem.sh installcheck.sh maketgz managen mdlinkcheck mk-ca-bundle.pl mk-unity.pl nroff2cd perlcheck.sh pythonlint.sh randdisable release-notes.pl release-tools.sh schemetable.c singleuse.pl spacecheck.pl top-complexity top-length verify-release wcurl
src
toolx tool_time.c tool_time.h
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc config2setopts.c config2setopts.h curl.rc curlinfo.c mk-file-embed.pl mkhelp.pl slist_wc.c slist_wc.h terminal.c terminal.h tool_cb_dbg.c tool_cb_dbg.h tool_cb_hdr.c tool_cb_hdr.h tool_cb_prg.c tool_cb_prg.h tool_cb_rea.c tool_cb_rea.h tool_cb_see.c tool_cb_see.h tool_cb_soc.c tool_cb_soc.h tool_cb_wrt.c tool_cb_wrt.h tool_cfgable.c tool_cfgable.h tool_dirhie.c tool_dirhie.h tool_doswin.c tool_doswin.h tool_easysrc.c tool_easysrc.h tool_filetime.c tool_filetime.h tool_findfile.c tool_findfile.h tool_formparse.c tool_formparse.h tool_getparam.c tool_getparam.h tool_getpass.c tool_getpass.h tool_help.c tool_help.h tool_helpers.c tool_helpers.h tool_hugehelp.h tool_ipfs.c tool_ipfs.h tool_libinfo.c tool_libinfo.h tool_listhelp.c tool_main.c tool_main.h tool_msgs.c tool_msgs.h tool_operate.c tool_operate.h tool_operhlp.c tool_operhlp.h tool_paramhlp.c tool_paramhlp.h tool_parsecfg.c tool_parsecfg.h tool_progress.c tool_progress.h tool_sdecls.h tool_setopt.c tool_setopt.h tool_setup.h tool_ssls.c tool_ssls.h tool_stderr.c tool_stderr.h tool_urlglob.c tool_urlglob.h tool_util.c tool_util.h tool_version.h tool_vms.c tool_vms.h tool_writeout.c tool_writeout.h tool_writeout_json.c tool_writeout_json.h tool_xattr.c tool_xattr.h var.c var.h
tests
certs .gitignore CMakeLists.txt Makefile.am Makefile.inc genserv.pl srp-verifier-conf srp-verifier-db test-ca.cnf test-ca.prm test-client-cert.prm test-client-eku-only.prm test-localhost-san-first.prm test-localhost-san-last.prm test-localhost.nn.prm test-localhost.prm test-localhost0h.prm
cmake CMakeLists.txt test.c test.cpp test.sh
data .gitignore DISABLED Makefile.am data-xml1 data1400.c data1401.c data1402.c data1403.c data1404.c data1405.c data1406.c data1407.c data1420.c data1461.txt data1463.txt data1465.c data1481.c data1705-1.md data1705-2.md data1705-3.md data1705-4.md data1705-stdout.1 data1706-1.md data1706-2.md data1706-3.md data1706-4.md data1706-stdout.txt data320.html test1 test10 test100 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 test1008 test1009 test101 test1010 test1011 test1012 test1013 test1014 test1015 test1016 test1017 test1018 test1019 test102 test1020 test1021 test1022 test1023 test1024 test1025 test1026 test1027 test1028 test1029 test103 test1030 test1031 test1032 test1033 test1034 test1035 test1036 test1037 test1038 test1039 test104 test1040 test1041 test1042 test1043 test1044 test1045 test1046 test1047 test1048 test1049 test105 test1050 test1051 test1052 test1053 test1054 test1055 test1056 test1057 test1058 test1059 test106 test1060 test1061 test1062 test1063 test1064 test1065 test1066 test1067 test1068 test1069 test107 test1070 test1071 test1072 test1073 test1074 test1075 test1076 test1077 test1078 test1079 test108 test1080 test1081 test1082 test1083 test1084 test1085 test1086 test1087 test1088 test1089 test109 test1090 test1091 test1092 test1093 test1094 test1095 test1096 test1097 test1098 test1099 test11 test110 test1100 test1101 test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109 test111 test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 test1118 test1119 test112 test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 test1128 test1129 test113 test1130 test1131 test1132 test1133 test1134 test1135 test1136 test1137 test1138 test1139 test114 test1140 test1141 test1142 test1143 test1144 test1145 test1146 test1147 test1148 test1149 test115 test1150 test1151 test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 test116 test1160 test1161 test1162 test1163 test1164 
test1165 test1166 test1167 test1168 test1169 test117 test1170 test1171 test1172 test1173 test1174 test1175 test1176 test1177 test1178 test1179 test118 test1180 test1181 test1182 test1183 test1184 test1185 test1186 test1187 test1188 test1189 test119 test1190 test1191 test1192 test1193 test1194 test1195 test1196 test1197 test1198 test1199 test12 test120 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 test1208 test1209 test121 test1210 test1211 test1212 test1213 test1214 test1215 test1216 test1217 test1218 test1219 test122 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 test1228 test1229 test123 test1230 test1231 test1232 test1233 test1234 test1235 test1236 test1237 test1238 test1239 test124 test1240 test1241 test1242 test1243 test1244 test1245 test1246 test1247 test1248 test1249 test125 test1250 test1251 test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 test126 test1260 test1261 test1262 test1263 test1264 test1265 test1266 test1267 test1268 test1269 test127 test1270 test1271 test1272 test1273 test1274 test1275 test1276 test1277 test1278 test1279 test128 test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 test1288 test1289 test129 test1290 test1291 test1292 test1293 test1294 test1295 test1296 test1297 test1298 test1299 test13 test130 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 test1308 test1309 test131 test1310 test1311 test1312 test1313 test1314 test1315 test1316 test1317 test1318 test1319 test132 test1320 test1321 test1322 test1323 test1324 test1325 test1326 test1327 test1328 test1329 test133 test1330 test1331 test1332 test1333 test1334 test1335 test1336 test1337 test1338 test1339 test134 test1340 test1341 test1342 test1343 test1344 test1345 test1346 test1347 test1348 test1349 test135 test1350 test1351 test1352 test1353 test1354 test1355 test1356 test1357 test1358 test1359 test136 test1360 test1361 test1362 test1363 test1364 test1365 test1366 
test1367 test1368 test1369 test137 test1370 test1371 test1372 test1373 test1374 test1375 test1376 test1377 test1378 test1379 test138 test1380 test1381 test1382 test1383 test1384 test1385 test1386 test1387 test1388 test1389 test139 test1390 test1391 test1392 test1393 test1394 test1395 test1396 test1397 test1398 test1399 test14 test140 test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 test1408 test1409 test141 test1410 test1411 test1412 test1413 test1414 test1415 test1416 test1417 test1418 test1419 test142 test1420 test1421 test1422 test1423 test1424 test1425 test1426 test1427 test1428 test1429 test143 test1430 test1431 test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 test144 test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 test1448 test1449 test145 test1450 test1451 test1452 test1453 test1454 test1455 test1456 test1457 test1458 test1459 test146 test1460 test1461 test1462 test1463 test1464 test1465 test1466 test1467 test1468 test1469 test147 test1470 test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 test1479 test148 test1480 test1481 test1482 test1483 test1484 test1485 test1486 test1487 test1488 test1489 test149 test1490 test1491 test1492 test1493 test1494 test1495 test1496 test1497 test1498 test1499 test15 test150 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 test1508 test1509 test151 test1510 test1511 test1512 test1513 test1514 test1515 test1516 test1517 test1518 test1519 test152 test1520 test1521 test1522 test1523 test1524 test1525 test1526 test1527 test1528 test1529 test153 test1530 test1531 test1532 test1533 test1534 test1535 test1536 test1537 test1538 test1539 test154 test1540 test1541 test1542 test1543 test1544 test1545 test1546 test1547 test1548 test1549 test155 test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 test1558 test1559 test156 test1560 test1561 test1562 test1563 test1564 test1565 test1566 test1567 test1568 
test1569 test157 test1570 test1571 test1572 test1573 test1574 test1575 test1576 test1577 test1578 test1579 test158 test1580 test1581 test1582 test1583 test1584 test1585 test1586 test1587 test1588 test1589 test159 test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 test1598 test1599 test16 test160 test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 test1608 test1609 test161 test1610 test1611 test1612 test1613 test1614 test1615 test1616 test1617 test1618 test1619 test162 test1620 test1621 test1622 test1623 test1624 test1625 test1626 test1627 test1628 test1629 test163 test1630 test1631 test1632 test1633 test1634 test1635 test1636 test1637 test1638 test1639 test164 test1640 test1641 test1642 test1643 test1644 test1645 test165 test1650 test1651 test1652 test1653 test1654 test1655 test1656 test1657 test1658 test1659 test166 test1660 test1661 test1662 test1663 test1664 test1665 test1666 test1667 test1668 test1669 test167 test1670 test1671 test1672 test1673 test1674 test1675 test1676 test168 test1680 test1681 test1682 test1683 test1684 test1685 test169 test17 test170 test1700 test1701 test1702 test1703 test1704 test1705 test1706 test1707 test1708 test1709 test171 test1710 test1711 test1712 test1713 test1714 test1715 test172 test1720 test1721 test173 test174 test175 test176 test177 test178 test179 test18 test180 test1800 test1801 test1802 test181 test182 test183 test184 test1847 test1848 test1849 test185 test1850 test1851 test186 test187 test188 test189 test19 test190 test1900 test1901 test1902 test1903 test1904 test1905 test1906 test1907 test1908 test1909 test191 test1910 test1911 test1912 test1913 test1914 test1915 test1916 test1917 test1918 test1919 test192 test1920 test1921 test193 test1933 test1934 test1935 test1936 test1937 test1938 test1939 test194 test1940 test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 test195 test1955 test1956 test1957 test1958 test1959 test196 test1960 test1964 test1965 test1966 
test197 test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 test1978 test1979 test198 test1980 test1981 test1982 test1983 test1984 test199 test2 test20 test200 test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 test2008 test2009 test201 test2010 test2011 test2012 test2013 test2014 test202 test2023 test2024 test2025 test2026 test2027 test2028 test2029 test203 test2030 test2031 test2032 test2033 test2034 test2035 test2037 test2038 test2039 test204 test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 test2048 test2049 test205 test2050 test2051 test2052 test2053 test2054 test2055 test2056 test2057 test2058 test2059 test206 test2060 test2061 test2062 test2063 test2064 test2065 test2066 test2067 test2068 test2069 test207 test2070 test2071 test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 test208 test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 test2088 test2089 test209 test2090 test2091 test2092 test21 test210 test2100 test2101 test2102 test2103 test2104 test211 test212 test213 test214 test215 test216 test217 test218 test219 test22 test220 test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 test221 test222 test223 test224 test225 test226 test227 test228 test229 test23 test230 test2300 test2301 test2302 test2303 test2304 test2306 test2307 test2308 test2309 test231 test232 test233 test234 test235 test236 test237 test238 test239 test24 test240 test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 test2408 test2409 test241 test2410 test2411 test242 test243 test244 test245 test246 test247 test248 test249 test25 test250 test2500 test2501 test2502 test2503 test2504 test2505 test2506 test251 test252 test253 test254 test255 test256 test257 test258 test259 test26 test260 test2600 test2601 test2602 test2603 test2604 test2605 test261 test262 test263 test264 test265 test266 test267 test268 test269 test27 test270 test2700 test2701 test2702 
test2703 test2704 test2705 test2706 test2707 test2708 test2709 test271 test2710 test2711 test2712 test2713 test2714 test2715 test2716 test2717 test2718 test2719 test272 test2720 test2721 test2722 test2723 test273 test274 test275 test276 test277 test278 test279 test28 test280 test281 test282 test283 test284 test285 test286 test287 test288 test289 test29 test290 test291 test292 test293 test294 test295 test296 test297 test298 test299 test3 test30 test300 test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 test3008 test3009 test301 test3010 test3011 test3012 test3013 test3014 test3015 test3016 test3017 test3018 test3019 test302 test3020 test3021 test3022 test3023 test3024 test3025 test3026 test3027 test3028 test3029 test303 test3030 test3031 test3032 test3033 test3034 test3035 test3036 test304 test305 test306 test307 test308 test309 test31 test310 test3100 test3101 test3102 test3103 test3104 test3105 test3106 test311 test312 test313 test314 test315 test316 test317 test318 test319 test32 test320 test3200 test3201 test3202 test3203 test3204 test3205 test3206 test3207 test3208 test3209 test321 test3210 test3211 test3212 test3213 test3214 test3215 test3216 test3217 test3218 test3219 test322 test3220 test323 test324 test325 test326 test327 test328 test329 test33 test330 test3300 test3301 test3302 test331 test332 test333 test334 test335 test336 test337 test338 test339 test34 test340 test341 test342 test343 test344 test345 test346 test347 test348 test349 test35 test350 test351 test352 test353 test354 test355 test356 test357 test358 test359 test36 test360 test361 test362 test363 test364 test365 test366 test367 test368 test369 test37 test370 test371 test372 test373 test374 test375 test376 test378 test379 test38 test380 test381 test383 test384 test385 test386 test387 test388 test389 test39 test390 test391 test392 test393 test394 test395 test396 test397 test398 test399 test4 test40 test400 test4000 test4001 test401 test402 test403 test404 test405 test406 
test407 test408 test409 test41 test410 test411 test412 test413 test414 test415 test416 test417 test418 test419 test42 test420 test421 test422 test423 test424 test425 test426 test427 test428 test429 test43 test430 test431 test432 test433 test434 test435 test436 test437 test438 test439 test44 test440 test441 test442 test443 test444 test445 test446 test447 test448 test449 test45 test450 test451 test452 test453 test454 test455 test456 test457 test458 test459 test46 test460 test461 test462 test463 test467 test468 test469 test47 test470 test471 test472 test473 test474 test475 test476 test477 test478 test479 test48 test480 test481 test482 test483 test484 test485 test486 test487 test488 test489 test49 test490 test491 test492 test493 test494 test495 test496 test497 test498 test499 test5 test50 test500 test501 test502 test503 test504 test505 test506 test507 test508 test509 test51 test510 test511 test512 test513 test514 test515 test516 test517 test518 test519 test52 test520 test521 test522 test523 test524 test525 test526 test527 test528 test529 test53 test530 test531 test532 test533 test534 test535 test536 test537 test538 test539 test54 test540 test541 test542 test543 test544 test545 test546 test547 test548 test549 test55 test550 test551 test552 test553 test554 test555 test556 test557 test558 test559 test56 test560 test561 test562 test563 test564 test565 test566 test567 test568 test569 test57 test570 test571 test572 test573 test574 test575 test576 test577 test578 test579 test58 test580 test581 test582 test583 test584 test585 test586 test587 test588 test589 test59 test590 test591 test592 test593 test594 test595 test596 test597 test598 test599 test6 test60 test600 test601 test602 test603 test604 test605 test606 test607 test608 test609 test61 test610 test611 test612 test613 test614 test615 test616 test617 test618 test619 test62 test620 test621 test622 test623 test624 test625 test626 test627 test628 test629 test63 test630 test631 test632 test633 test634 test635 test636 test637 
test638 test639 test64 test640 test641 test642 test643 test644 test645 test646 test647 test648 test649 test65 test650 test651 test652 test653 test654 test655 test656 test658 test659 test66 test660 test661 test662 test663 test664 test665 test666 test667 test668 test669 test67 test670 test671 test672 test673 test674 test675 test676 test677 test678 test679 test68 test680 test681 test682 test683 test684 test685 test686 test687 test688 test689 test69 test690 test691 test692 test693 test694 test695 test696 test697 test698 test699 test7 test70 test700 test701 test702 test703 test704 test705 test706 test707 test708 test709 test71 test710 test711 test712 test713 test714 test715 test716 test717 test718 test719 test72 test720 test721 test722 test723 test724 test725 test726 test727 test728 test729 test73 test730 test731 test732 test733 test734 test735 test736 test737 test738 test739 test74 test740 test741 test742 test743 test744 test745 test746 test747 test748 test749 test75 test750 test751 test752 test753 test754 test755 test756 test757 test758 test759 test76 test760 test761 test762 test763 test764 test765 test766 test767 test768 test769 test77 test770 test771 test772 test773 test774 test775 test776 test777 test778 test779 test78 test780 test781 test782 test783 test784 test785 test786 test787 test788 test789 test79 test790 test791 test792 test793 test794 test795 test796 test797 test798 test799 test8 test80 test800 test801 test802 test803 test804 test805 test806 test807 test808 test809 test81 test810 test811 test812 test813 test814 test815 test816 test817 test818 test819 test82 test820 test821 test822 test823 test824 test825 test826 test827 test828 test829 test83 test830 test831 test832 test833 test834 test835 test836 test837 test838 test839 test84 test840 test841 test842 test843 test844 test845 test846 test847 test848 test849 test85 test850 test851 test852 test853 test854 test855 test856 test857 test858 test859 test86 test860 test861 test862 test863 test864 test865 test866 
test867 test868 test869 test87 test870 test871 test872 test873 test874 test875 test876 test877 test878 test879 test88 test880 test881 test882 test883 test884 test885 test886 test887 test888 test889 test89 test890 test891 test892 test893 test894 test895 test896 test897 test898 test899 test9 test90 test900 test901 test902 test903 test904 test905 test906 test907 test908 test909 test91 test910 test911 test912 test913 test914 test915 test916 test917 test918 test919 test92 test920 test921 test922 test923 test924 test925 test926 test927 test928 test929 test93 test930 test931 test932 test933 test934 test935 test936 test937 test938 test939 test94 test940 test941 test942 test943 test944 test945 test946 test947 test948 test949 test95 test950 test951 test952 test953 test954 test955 test956 test957 test958 test959 test96 test960 test961 test962 test963 test964 test965 test966 test967 test968 test969 test97 test970 test971 test972 test973 test974 test975 test976 test977 test978 test979 test98 test980 test981 test982 test983 test984 test985 test986 test987 test988 test989 test99 test990 test991 test992 test993 test994 test995 test996 test997 test998 test999
http
testenv
mod_curltest .gitignore mod_curltest.c
__init__.py caddy.py certs.py client.py curl.py dante.py dnsd.py env.py httpd.py nghttpx.py ports.py sshd.py vsftpd.py ws_echo_server.py
.gitignore CMakeLists.txt Makefile.am config.ini.in conftest.py requirements.txt scorecard.py test_01_basic.py test_02_download.py test_03_goaway.py test_04_stuttered.py test_05_errors.py test_06_eyeballs.py test_07_upload.py test_08_caddy.py test_09_push.py test_10_proxy.py test_11_unix.py test_12_reuse.py test_13_proxy_auth.py test_14_auth.py test_15_tracing.py test_16_info.py test_17_ssl_use.py test_18_methods.py test_19_shutdown.py test_20_websockets.py test_21_resolve.py test_22_httpsrr.py test_30_vsftpd.py test_31_vsftpds.py test_32_ftps_vsftpd.py test_40_socks.py test_50_scp.py test_51_sftp.py
libtest .gitignore CMakeLists.txt Makefile.am Makefile.inc cli_ftp_upload.c cli_h2_pausing.c cli_h2_serverpush.c cli_h2_upgrade_extreme.c cli_hx_download.c cli_hx_upload.c cli_tls_session_reuse.c cli_upload_pausing.c cli_ws_data.c cli_ws_pingpong.c first.c first.h lib1156.c lib1301.c lib1308.c lib1485.c lib1500.c lib1501.c lib1502.c lib1506.c lib1507.c lib1508.c lib1509.c lib1510.c lib1511.c lib1512.c lib1513.c lib1514.c lib1515.c lib1517.c lib1518.c lib1520.c lib1522.c lib1523.c lib1525.c lib1526.c lib1527.c lib1528.c lib1529.c lib1530.c lib1531.c lib1532.c lib1533.c lib1534.c lib1535.c lib1536.c lib1537.c lib1538.c lib1540.c lib1541.c lib1542.c lib1545.c lib1549.c lib1550.c lib1551.c lib1552.c lib1553.c lib1554.c lib1555.c lib1556.c lib1557.c lib1558.c lib1559.c lib1560.c lib1564.c lib1565.c lib1567.c lib1568.c lib1569.c lib1571.c lib1576.c lib1582.c lib1587.c lib1588.c lib1589.c lib1591.c lib1592.c lib1593.c lib1594.c lib1597.c lib1598.c lib1599.c lib1662.c lib1900.c lib1901.c lib1902.c lib1903.c lib1905.c lib1906.c lib1907.c lib1908.c lib1910.c lib1911.c lib1912.c lib1913.c lib1915.c lib1916.c lib1918.c lib1919.c lib1920.c lib1921.c lib1933.c lib1934.c lib1935.c lib1936.c lib1937.c lib1938.c lib1939.c lib1940.c lib1945.c lib1947.c lib1948.c lib1955.c lib1956.c lib1957.c lib1958.c lib1959.c lib1960.c lib1964.c lib1965.c lib1970.c lib1971.c lib1972.c lib1973.c lib1974.c lib1975.c lib1977.c lib1978.c lib2023.c lib2032.c lib2082.c lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c lib2402.c lib2404.c lib2405.c lib2502.c lib2504.c lib2505.c lib2506.c lib2700.c lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c lib3207.c lib3208.c lib500.c lib501.c lib502.c lib503.c lib504.c lib505.c lib506.c lib507.c lib508.c lib509.c lib510.c lib511.c lib512.c lib513.c lib514.c lib515.c lib516.c lib517.c lib518.c lib519.c lib520.c lib521.c lib523.c lib524.c lib525.c lib526.c lib530.c lib533.c lib536.c 
lib537.c lib539.c lib540.c lib541.c lib542.c lib543.c lib544.c lib547.c lib549.c lib552.c lib553.c lib554.c lib555.c lib556.c lib557.c lib558.c lib559.c lib560.c lib562.c lib564.c lib566.c lib567.c lib568.c lib569.c lib570.c lib571.c lib572.c lib573.c lib574.c lib575.c lib576.c lib578.c lib579.c lib582.c lib583.c lib586.c lib589.c lib590.c lib591.c lib597.c lib598.c lib599.c lib643.c lib650.c lib651.c lib652.c lib653.c lib654.c lib655.c lib658.c lib659.c lib661.c lib666.c lib667.c lib668.c lib670.c lib674.c lib676.c lib677.c lib678.c lib694.c lib695.c lib751.c lib753.c lib757.c lib758.c lib766.c memptr.c mk-lib1521.pl test1013.pl test1022.pl test307.pl test610.pl test613.pl testtrace.c testtrace.h testutil.c testutil.h unitcheck.h
server .checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc dnsd.c first.c first.h getpart.c mqttd.c resolve.c rtspd.c sockfilt.c socksd.c sws.c tftpd.c util.c
tunit .gitignore CMakeLists.txt Makefile.am Makefile.inc README.md tool1394.c tool1604.c tool1621.c tool1622.c tool1623.c tool1720.c
unit .gitignore CMakeLists.txt Makefile.am Makefile.inc README.md unit1300.c unit1302.c unit1303.c unit1304.c unit1305.c unit1307.c unit1309.c unit1323.c unit1330.c unit1395.c unit1396.c unit1397.c unit1398.c unit1399.c unit1600.c unit1601.c unit1602.c unit1603.c unit1605.c unit1606.c unit1607.c unit1608.c unit1609.c unit1610.c unit1611.c unit1612.c unit1614.c unit1615.c unit1616.c unit1620.c unit1625.c unit1626.c unit1627.c unit1636.c unit1650.c unit1651.c unit1652.c unit1653.c unit1654.c unit1655.c unit1656.c unit1657.c unit1658.c unit1660.c unit1661.c unit1663.c unit1664.c unit1666.c unit1667.c unit1668.c unit1669.c unit1674.c unit1675.c unit1676.c unit1979.c unit1980.c unit2600.c unit2601.c unit2602.c unit2603.c unit2604.c unit2605.c unit3200.c unit3205.c unit3211.c unit3212.c unit3213.c unit3214.c unit3216.c unit3219.c unit3300.c unit3301.c unit3302.c
.gitignore CMakeLists.txt Makefile.am allversions.pm appveyor.pm azure.pm config.in configurehelp.pm.in devtest.pl dictserver.py directories.pm ech_combos.py ech_tests.sh ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl memanalyze.pl memanalyzer.pm negtelnetserver.py nghttpx.conf pathhelp.pm processhelp.pm requirements.txt rtspserver.pl runner.pm runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl test1119.pl test1135.pl test1139.pl test1140.pl test1165.pl test1167.pl test1173.pl test1175.pl test1177.pl test1222.pl test1275.pl test1276.pl test1477.pl test1486.pl test1488.pl test1544.pl test1707.pl test745.pl test971.pl testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm valgrind.supp
.clang-tidy.yml .dir-locals.el .editorconfig .git-blame-ignore-revs .gitattributes .gitignore .mailmap CHANGES.md CMakeLists.txt COPYING Dockerfile GIT-INFO.md Makefile.am README README.md RELEASE-NOTES REUSE.toml SECURITY.md acinclude.m4 appveyor.sh appveyor.yml configure.ac curl-config.in libcurl.pc.in renovate.json
examples .env config.ini crypto_test.lua env_test.lua fs_example.lua http_server.lua https_test.lua ini_example.lua json.lua log.lua path_fs_example.lua process_example.lua request_download.lua request_test.lua run_all.lua sqlite_example.lua sqlite_http_template.lua stash_test.lua template_test.lua timer.lua websocket.lua
iniparser
.github
ISSUE_TEMPLATE config.yml
workflows disable-pull-requests.yml trigger-gitlab-ci.yml
cmake JoinPaths.cmake config.cmake.in pc.in
example iniexample.c iniwrite.c parse.c twisted-errors.ini twisted-genhuge.py twisted-ofkey.ini twisted-ofval.ini twisted.ini
src dictionary.c dictionary.h iniparser.c iniparser.h
test
ressources
bad_ini ends_well.ini twisted-errors.ini twisted-ofkey.ini twisted-ofval.ini
good_ini empty.ini spaced.ini spaced2.ini twisted.ini
gruezi.ini old.ini quotes.ini utf8.ini
CMakeLists.txt test_dictionary.c test_iniparser.c unity-config.yml unity_config.h
.cmake-format.py .gitignore .gitlab-ci.yml .gitmessage .travis.yml AUTHORS CMakeLists.txt FAQ-en.md FAQ-zhcn.md INSTALL LICENSE README.md compile_commands.json
jinjac
example CMakeLists.txt example.c
jinjac_test_app CMakeLists.txt jinjac_test_app.c
libjinjac
include jinjac.h
src CMakeLists.txt ast.c ast.h block_statement.c block_statement.h buffer.c buffer.h buildin.c buildin.h common.h convert.c convert.h flex_decl.h jfunction.c jfunction.h jinja_expression.l jinja_expression.y jinjac_parse.c jinjac_parse.h jinjac_stream.c jinjac_stream.h jlist.c jlist.h jobject.c jobject.h parameter.c parameter.h str_obj.c str_obj.h trace.c trace.h
CMakeLists.txt
test .gitignore CMakeLists.txt autotest.rb test_01.expected test_01.jinja test_01b.expected test_01b.jinja test_01c.expected test_01c.jinja test_01d.expected test_01d.jinja test_02.expected test_02.jinja test_03.expected test_03.jinja test_04.expected test_04.jinja test_05.expected test_05.jinja test_06.expected test_06.jinja test_07.expected test_07.jinja test_08.expected test_08.jinja test_08b.expected test_08b.jinja test_09.expected test_09.jinja test_10.expected test_10.jinja test_11.expected test_11.jinja test_12.expected test_12.jinja test_13.expected test_13.jinja test_14.expected test_14.jinja test_15.expected test_15.jinja test_16.expected test_16.jinja test_17.expected test_17.jinja test_18.expected test_18.jinja test_18b.expected test_18b.jinja test_18c.expected test_18c.jinja test_19.expected test_19.jinja test_19b.expected test_19b.jinja test_19c.expected test_19c.jinja test_19d.expected test_19d.jinja test_19e.expected test_19e.jinja test_19f.expected test_19f.jinja test_20.expected test_20.jinja test_21.expected test_21.jinja test_22.expected test_22.jinja test_22a.expected test_22a.jinja test_22b.expected test_22b.jinja test_23.expected test_23.jinja test_24.expected test_24.jinja
.gitignore CMakeLists.txt LICENSE.txt README.md build_coverage.sh build_debug.sh build_release.sh cppcheck_analysis.sh
libev Changes LICENSE Makefile Makefile.am Makefile.in README Symbols.ev Symbols.event aclocal.m4 autogen.sh compile config.guess config.h config.h.in config.status config.sub configure configure.ac depcomp ev++.h ev.3 ev.c ev.h ev.pod ev_epoll.c ev_kqueue.c ev_poll.c ev_port.c ev_select.c ev_vars.h ev_win32.c ev_wrap.h event.c event.h install-sh libev.m4 libtool ltmain.sh missing mkinstalldirs stamp-h1
luajit
doc
img contact.png
bluequad-print.css bluequad.css contact.html ext_buffer.html ext_c_api.html ext_ffi.html ext_ffi_api.html ext_ffi_semantics.html ext_ffi_tutorial.html ext_jit.html ext_profiler.html extensions.html install.html luajit.html running.html
dynasm dasm_arm.h dasm_arm.lua dasm_arm64.h dasm_arm64.lua dasm_mips.h dasm_mips.lua dasm_mips64.lua dasm_ppc.h dasm_ppc.lua dasm_proto.h dasm_x64.lua dasm_x86.h dasm_x86.lua dynasm.lua
etc luajit.1 luajit.pc
src
host .gitignore README buildvm.c buildvm.h buildvm_asm.c buildvm_fold.c buildvm_lib.c buildvm_libbc.h buildvm_peobj.c genlibbc.lua genminilua.lua genversion.lua minilua.c
jit .gitignore bc.lua bcsave.lua dis_arm.lua dis_arm64.lua dis_arm64be.lua dis_mips.lua dis_mips64.lua dis_mips64el.lua dis_mips64r6.lua dis_mips64r6el.lua dis_mipsel.lua dis_ppc.lua dis_x64.lua dis_x86.lua dump.lua p.lua v.lua zone.lua
.gitignore Makefile Makefile.dep lauxlib.h lib_aux.c lib_base.c lib_bit.c lib_buffer.c lib_debug.c lib_ffi.c lib_init.c lib_io.c lib_jit.c lib_math.c lib_os.c lib_package.c lib_string.c lib_table.c lj_alloc.c lj_alloc.h lj_api.c lj_arch.h lj_asm.c lj_asm.h lj_asm_arm.h lj_asm_arm64.h lj_asm_mips.h lj_asm_ppc.h lj_asm_x86.h lj_assert.c lj_bc.c lj_bc.h lj_bcdump.h lj_bcread.c lj_bcwrite.c lj_buf.c lj_buf.h lj_carith.c lj_carith.h lj_ccall.c lj_ccall.h lj_ccallback.c lj_ccallback.h lj_cconv.c lj_cconv.h lj_cdata.c lj_cdata.h lj_char.c lj_char.h lj_clib.c lj_clib.h lj_cparse.c lj_cparse.h lj_crecord.c lj_crecord.h lj_ctype.c lj_ctype.h lj_debug.c lj_debug.h lj_def.h lj_dispatch.c lj_dispatch.h lj_emit_arm.h lj_emit_arm64.h lj_emit_mips.h lj_emit_ppc.h lj_emit_x86.h lj_err.c lj_err.h lj_errmsg.h lj_ff.h lj_ffrecord.c lj_ffrecord.h lj_frame.h lj_func.c lj_func.h lj_gc.c lj_gc.h lj_gdbjit.c lj_gdbjit.h lj_ir.c lj_ir.h lj_ircall.h lj_iropt.h lj_jit.h lj_lex.c lj_lex.h lj_lib.c lj_lib.h lj_load.c lj_mcode.c lj_mcode.h lj_meta.c lj_meta.h lj_obj.c lj_obj.h lj_opt_dce.c lj_opt_fold.c lj_opt_loop.c lj_opt_mem.c lj_opt_narrow.c lj_opt_sink.c lj_opt_split.c lj_parse.c lj_parse.h lj_prng.c lj_prng.h lj_profile.c lj_profile.h lj_record.c lj_record.h lj_serialize.c lj_serialize.h lj_snap.c lj_snap.h lj_state.c lj_state.h lj_str.c lj_str.h lj_strfmt.c lj_strfmt.h lj_strfmt_num.c lj_strscan.c lj_strscan.h lj_tab.c lj_tab.h lj_target.h lj_target_arm.h lj_target_arm64.h lj_target_mips.h lj_target_ppc.h lj_target_x86.h lj_trace.c lj_trace.h lj_traceerr.h lj_udata.c lj_udata.h lj_vm.h lj_vmevent.c lj_vmevent.h lj_vmmath.c ljamalg.c lua.h lua.hpp luaconf.h luajit.c luajit_rolling.h lualib.h msvcbuild.bat nxbuild.bat ps4build.bat ps5build.bat psvitabuild.bat vm_arm.dasc vm_arm64.dasc vm_mips.dasc vm_mips64.dasc vm_ppc.dasc vm_x64.dasc vm_x86.dasc xb1build.bat xedkbuild.bat
.gitattributes .gitignore .relver COPYRIGHT Makefile README
sqlite shell.c sqlite3.c sqlite3.h sqlite3ext.h
wolfssl
.github
ISSUE_TEMPLATE bug_report.yaml other.yaml
actions
install-apt-deps action.yml
scripts
zephyr-4.x external_libc.conf zephyr-test.sh
openssl-ech.sh tls-anvil-test.sh
workflows
disabled haproxy.yml hitch.yml hostap.yml
hostap-files
configs
07c9f183ea744ac04585fb6dd10220c75a5e2e74 hostapd.config tests wpa_supplicant.config
b607d2723e927a3446d89aed813f1aa6068186bb hostapd.config tests wpa_supplicant.config
hostap_2_10 extra.patch hostapd.config tests wpa_supplicant.config
Makefile README dbus-wpa_supplicant.conf
ada.yml arduino.yml async-examples.yml async.yml atecc608-sim.yml bind.yml cmake-autoconf.yml cmake.yml codespell.yml coverity-scan-fixes.yml cryptocb-only.yml curl.yml cyrus-sasl.yml disable-pk-algs.yml docker-Espressif.yml docker-OpenWrt.yml emnet-nonblock.yml fil-c.yml freertos-mem-track.yml gencertbuf.yml grpc.yml haproxy.yml hostap-vm.yml intelasm-c-fallback.yml ipmitool.yml jwt-cpp.yml krb5.yml libspdm.yml libssh2.yml libvncserver.yml linuxkm.yml macos-apple-native-cert-validation.yml mbedtls.sh mbedtls.yml membrowse-comment.yml membrowse-onboard.yml membrowse-report.yml memcached.sh memcached.yml mono.yml mosquitto.yml msmtp.yml msys2.yml multi-arch.yml multi-compiler.yml net-snmp.yml nginx.yml no-malloc.yml no-tls.yml nss.sh nss.yml ntp.yml ocsp.yml openldap.yml openssh.yml openssl-ech.yml opensslcoexist.yml openvpn.yml os-check.yml packaging.yml pam-ipmi.yml pq-all.yml pr-commit-check.yml psk.yml puf.yml python.yml rng-tools.yml rust-wrapper.yml se050-sim.yml smallStackSize.yml socat.yml softhsm.yml sssd.yml stm32-sim.yml stsafe-a120-sim.yml stunnel.yml symbol-prefixes.yml threadx.yml tls-anvil.yml trackmemory.yml watcomc.yml win-csharp-test.yml wolfCrypt-Wconversion.yml wolfboot-integration.yml wolfsm.yml xcode.yml zephyr-4.x.yml zephyr.yml
PULL_REQUEST_TEMPLATE.md SECURITY.md membrowse-targets.json
Docker
OpenWrt Dockerfile README.md runTests.sh
packaging
debian Dockerfile
fedora Dockerfile
wolfCLU Dockerfile README.md
yocto Dockerfile buildAndPush.sh
Dockerfile Dockerfile.cross-compiler README.md buildAndPush.sh include.am run.sh
IDE
ARDUINO
sketches
wolfssl_client README.md
wolfssl_server README.md
wolfssl_version README.md
README.md
Arduino_README_prepend.md README.md include.am keywords.txt library.properties.template wolfssl-arduino.cpp wolfssl-arduino.sh wolfssl.h
AURIX Cpu0_Main.c README.md include.am user_settings.h wolf_main.c
Android Android.bp README.md include.am user_settings.h
CRYPTOCELL README.md include.am main.c user_settings.h
CSBENCH include.am user_settings.h
ECLIPSE
DEOS
deos_wolfssl .options
README.md deos_malloc.c include.am tls_wolfssl.c tls_wolfssl.h user_settings.h
MICRIUM README.md client_wolfssl.c client_wolfssl.h include.am server_wolfssl.c server_wolfssl.h user_settings.h wolfsslRunTests.c
RTTHREAD README.md include.am user_settings.h wolfssl_test.c
SIFIVE README.md include.am
Espressif
ESP-IDF
examples
template
VisualGDB wolfssl_template_IDF_v5.1_ESP32.vgdbproj
components
wolfssl
include user_settings.h
CMakeLists.txt Kconfig README.md component.mk
main
include main.h
CMakeLists.txt Kconfig.projbuild component.mk main.c
CMakeLists.txt Makefile README.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp8266
wolfssl_benchmark
VisualGDB wolfssl_benchmark_IDF_v4.4_ESP32.sln wolfssl_benchmark_IDF_v4.4_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32.sln wolfssl_benchmark_IDF_v5_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32C3.sln wolfssl_benchmark_IDF_v5_ESP32C3.vgdbproj wolfssl_benchmark_IDF_v5_ESP32S3.sln wolfssl_benchmark_IDF_v5_ESP32S3.vgdbproj
components
wolfssl
include user_settings.h
CMakeLists.txt Kconfig README.md component.mk
main
include main.h
CMakeLists.txt Kconfig.projbuild component.mk main.c
CMakeLists.txt Makefile README.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp8266
wolfssl_client
VisualGDB README.md wolfssl_client_IDF_v5_ESP32.sln wolfssl_client_IDF_v5_ESP32.vgdbproj
components
wolfssl
include user_settings.h
CMakeLists.txt Kconfig README.md component.mk
main
include client-tls.h main.h time_helper.h wifi_connect.h
CMakeLists.txt Kconfig.projbuild client-tls.c component.mk main.c time_helper.c wifi_connect.c
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_client_ESP8266.vgdbproj
wolfssl_server
VisualGDB README.md wolfssl_server_IDF_v5_ESP32.sln wolfssl_server_IDF_v5_ESP32.vgdbproj
components
wolfssl
include user_settings.h
CMakeLists.txt Kconfig README.md component.mk
main
include main.h server-tls.h time_helper.h wifi_connect.h
CMakeLists.txt Kconfig.projbuild component.mk main.c server-tls.c time_helper.c wifi_connect.c
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_server_ESP8266.vgdbproj
wolfssl_test
VisualGDB wolfssl_test-IDF_v5_ESP32.sln wolfssl_test-IDF_v5_ESP32.vgdbproj wolfssl_test-IDF_v5_ESP32C3.sln wolfssl_test-IDF_v5_ESP32C3.vgdbproj wolfssl_test-IDF_v5_ESP32C6.sln wolfssl_test-IDF_v5_ESP32C6.vgdbproj wolfssl_test_IDF_v5_ESP32S3.sln wolfssl_test_IDF_v5_ESP32S3.vgdbproj
components
wolfssl
include user_settings.h
CMakeLists.txt Kconfig README.md component.mk
main
include main.h
CMakeLists.txt Kconfig.projbuild component.mk main.c
CMakeLists.txt Makefile README.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32 sdkconfig.defaults.esp32c3 sdkconfig.defaults.esp32c6 sdkconfig.defaults.esp32h2 sdkconfig.defaults.esp32s2 sdkconfig.defaults.esp32s3 sdkconfig.defaults.esp8266 testAll.sh testMonitor.sh wolfssl_test_ESP8266.sln wolfssl_test_ESP8266.vgdbproj
wolfssl_test_idf
VisualGDB VisualGDB_wolfssl_test_idf.sln VisualGDB_wolfssl_test_idf.vgdbproj
main CMakeLists.txt Kconfig.projbuild component.mk main.c main_wip.c.ex time_helper.c time_helper.h
CMakeLists.txt Kconfig.projbuild README.md component.mk sdkconfig.defaults
README.md
libs CMakeLists.txt README.md component.mk tigard.cfg
test CMakeLists.txt README.md component.mk test_wolfssl.c
README.md README_32se.md UPDATE.md compileAllExamples.sh dummy_config_h dummy_test_paths.h setup.sh setup_win.bat user_settings.h
README.md include.am
GCC-ARM
Header user_settings.h
Source armtarget.c benchmark_main.c test_main.c tls_client.c tls_server.c wolf_main.c
Makefile Makefile.bench Makefile.client Makefile.common Makefile.server Makefile.static Makefile.test README.md include.am linker.ld linker_fips.ld
Gaisler-BCC README.md include.am
HEXAGON
DSP Makefile wolfssl_dsp.idl
Makefile README.md build.sh ecc-verify-benchmark.c ecc-verify.c include.am user_settings.h
HEXIWEAR
wolfSSL_HW .cwGeneratedFileSetLog user_settings.h
IAR-EWARM
Projects
benchmark benchmark-main.c current_time.c wolfCrypt-benchmark.ewd wolfCrypt-benchmark.ewp
common minimum-startup.c wolfssl.icf
lib wolfSSL-Lib.ewd wolfSSL-Lib.ewp
test test-main.c wolfCrypt-test.ewd wolfCrypt-test.ewp
user_settings.h wolfssl.eww
embOS
SAMV71_XULT
embOS_SAMV71_XULT_Linker_Script samv71q21_wolfssl.icf
embOS_SAMV71_XULT_user_settings user_settings.h user_settings_simple_example.h user_settings_verbose_example.h
embOS_wolfcrypt_benchmark_SAMV71_XULT
Application runBenchmarks.c
README_wolfcrypt_benchmark wolfcrypt_benchmark.ewd wolfcrypt_benchmark.ewp
embOS_wolfcrypt_lib_SAMV71_XULT README_wolfcrypt_lib wolfcrypt_lib.ewd wolfcrypt_lib.ewp
embOS_wolfcrypt_test_SAMV71_XULT
Application runWolfcryptTests.c
README_wolfcrypt_test wolfcrypt_test.ewd wolfcrypt_test.ewp
README_SAMV71
custom_port
custom_port_Linker_Script samv71q21_wolfssl.icf
custom_port_user_settings user_settings.h
wolfcrypt_benchmark_custom_port
Application runBenchmarks.c
wolfcrypt_test_custom_port
Application runWolfcryptTests.c
README_custom_port
extract_trial_here README_extract_trial_here
README
.gitignore README
IAR-MSP430 Makefile README.md include.am main.c user_settings.h
INTIME-RTOS Makefile README.md include.am libwolfssl.c libwolfssl.vcxproj user_settings.h wolfExamples.c wolfExamples.h wolfExamples.sln wolfExamples.vcxproj wolfssl-lib.sln wolfssl-lib.vcxproj
Infineon README.md include.am user_settings.h
KDS
config user_settings.h
include.am
LINUX-SGX README.md build.sh clean.sh include.am sgx_t_static.mk
LPCXPRESSO
lib_wolfssl lpc_18xx_port.c user_settings.h
wolf_example
src lpc_18xx_startup.c wolfssl_example.c
readme.txt
README.md
M68K
benchmark Makefile main.cpp
testwolfcrypt Makefile main.cpp
Makefile README.md include.am user_settings.h
MCUEXPRESSO
RT1170 fsl_caam_c.patch fsl_caam_h.patch user_settings.h
benchmark
source run_benchmark.c
wolfssl liblinks.xml
README.md include.am user_settings.h wolfcrypt_test.c
MDK-ARM
LPC43xx time-LCP43xx.c
MDK-ARM
wolfSSL Retarget.c cert_data.c cert_data.h config-BARE-METAL.h config-FS.h config-RTX-TCP-FS.h config-WOLFLIB.h main.c shell.c time-CortexM3-4.c time-dummy.c wolfssl_MDK_ARM.c wolfssl_MDK_ARM.h
STM32F2xx_StdPeriph_Lib time-STM32F2xx.c
MDK5-ARM
Conf user_settings.h
Inc wolfssl_MDK_ARM.h
Projects
CryptBenchmark Abstract.txt CryptBenchmark.sct CryptBenchmark.uvoptx CryptBenchmark.uvprojx main.c
CryptTest Abstract.txt CryptTest.sct CryptTest.uvoptx CryptTest.uvprojx main.c
EchoClient Abstract.txt EchoClient.uvoptx EchoClient.uvprojx main.c wolfssl-link.sct
EchoServer Abstract.txt EchoServer.uvoptx EchoServer.uvprojx main.c wolfssl-link.sct
SimpleClient Abstract.txt SimpleClient.uvoptx SimpleClient.uvprojx main.c wolfssl-link.sct
SimpleServer Abstract.txt SimpleServer.uvoptx SimpleServer.uvprojx main.c wolfssl-link.sct
wolfSSL-Full Abstract.txt main.c shell.c time-CortexM3-4.c wolfsslFull.uvoptx wolfsslFull.uvprojx
wolfSSL-Lib Abstract.txt wolfSSL-Lib.uvoptx wolfSSL-Lib.uvprojx
Src ssl-dummy.c
README.md include.am
MPLABX16
wolfcrypt_test.X
nbproject
private configurations.xml private.xml
configurations.xml include.am project.xml
Makefile
wolfssl.X
nbproject configurations.xml include.am project.xml
Makefile
README.md include.am main.c user_settings.h
MQX Makefile README-jp.md README.md client-tls.c include.am server-tls.c user_config.h user_settings.h
MSVS-2019-AZSPHERE
client client.c client.h
server server.c server.h
shared util.h
wolfssl_new_azsphere
HardwareDefinitions
avnet_mt3620_sk
inc
hw template_appliance.h
template_appliance.json
mt3620_rdb
inc
hw template_appliance.h
template_appliance.json
seeed_mt3620_mdb
inc
hw template_appliance.h
template_appliance.json
.gitignore CMakeLists.txt CMakeSettings.json app_manifest.json applibs_versions.h launch.vs.json main.c
README.md include.am user_settings.h
MYSQL CMakeLists_wolfCrypt.txt CMakeLists_wolfSSL.txt do.sh
NDS README.md
NETOS Makefile.wolfcrypt.inc README.md include.am user_settings.h user_settings.h-cert2425 user_settings.h-cert3389 wolfssl_netos_custom.c
OPENSTM32 README.md
PlatformIO
examples
wolfssl_benchmark
include README main.h
lib README
src CMakeLists.txt main.c
test README
CMakeLists.txt README.md platformio.ini sdkconfig.defaults wolfssl_benchmark.code-workspace
wolfssl_test
include README main.h
lib README
src CMakeLists.txt main.c
test README
CMakeLists.txt README.md platformio.ini sdkconfig.defaults wolfssl_test.code-workspace
README.md wolfssl_platformio.code-workspace
README.md include.am
QNX
CAAM-DRIVER Makefile
example-client Makefile client-tls.c
example-cmac Makefile cmac-test.c
example-server Makefile server-tls.c
testwolfcrypt Makefile
wolfssl Makefile user_settings.h
README.md include.am
RISCV
SIFIVE-HIFIVE1 Makefile README.md include.am main.c user_settings.h
SIFIVE-UNLEASHED README.md include.am
include.am
ROWLEY-CROSSWORKS-ARM Kinetis_FlashPlacement.xml README.md arm_startup.c benchmark_main.c hw.h include.am kinetis_hw.c retarget.c test_main.c user_settings.h wolfssl.hzp wolfssl_ltc.hzp
Renesas
cs+
Projects
common strings.h unistd.h user_settings.h wolfssl_dummy.c
t4_demo README_en.txt README_jp.txt t4_demo.mtpj wolf_client.c wolf_demo.h wolf_main.c wolf_server.c
test test.mtpj test_main.c
wolfssl_lib wolfssl_lib.mtpj
README include.am
e2studio
DK-S7G2
benchmark-template
src app_entry.c
example_server-template
src app_entry.c
wolfcrypttest-template
src app_entry.c
wolfssl-template-project configuration.xml
README.md include.am user_settings.h
Projects
common strings.h unistd.h user_settings.h wolfssl_dummy.c
test
src key_data.c key_data.h test_main.c wolf_client.c wolf_server.c wolfssl_demo.h
tools generate_rsa_keypair.sh genhexbuf.pl rsa_pss_sign.sh
wolfssl
src .gitkeep
wolfcrypt
src .gitkeep
README include.am
RA6M3
benchmark-wolfcrypt
common .gitkeep
script .gitkeep
src wolfssl_thread_entry.c
client-wolfssl
common
src .gitkeep
script .gitkeep
src wolfssl_thread_entry.c
wolfssl_thread_entry.h
common
ra6m3g README.md
src freertos_tcp_port.c
user_settings.h util.h
server-wolfssl
common
src .gitkeep
script .gitkeep
src wolfssl_thread_entry.c
wolfssl_thread_entry.h
test-wolfcrypt
common .gitkeep
script .gitkeep
src wolfssl_thread_entry.c
wolfssl
src .gitkeep
wolfcrypt .gitkeep
README.md README_APRA6M_en.md README_APRA6M_jp.md include.am
RA6M3G README.md
RA6M4
common user_settings.h wolfssl_demo.h
test
key_data key_data.h key_data_sce.c
src
SEGGER_RTT myprint.c
common .gitignore
test_main.c wolf_client.c wolfssl_sce_unit_test.c
test_RA6M4Debug.launch
tools
example_keys generate_SignedCA.sh rsa_private.pem rsa_public.pem
README.md
README.md include.am
RX65N
GR-ROSE
common strings.h unistd.h user_settings.h wolfssl_dummy.c
smc smc.scfg
test
src key_data.c key_data.h test_main.c wolf_client.c wolf_server.c wolfssl_demo.h
test.rcpc test_HardwareDebug.launch
tools
example_keys generate_SignedCA.sh rsa_private.pem rsa_public.pem
README.md
wolfssl wolfssl.rcpc
README_EN.md README_JP.md include.am
RSK
resource section.esi
wolfssl wolfssl.rcpc
wolfssl_demo key_data.c key_data.h user_settings.h wolfssl_demo.c wolfssl_demo.h
InstructionManualForExample_RSK+RX65N-2MB_EN.pdf InstructionManualForExample_RSK+RX65N-2MB_JP.pdf README_EN.md README_JP.md include.am
RX72N
EnvisionKit
Simple
common sectioninfo.esi wolfssl_dummy.c
test
src
client simple_tcp_client.c simple_tls_tsip_client.c
server simple_tcp_server.c simple_tls_server.c
test_main.c wolfssl_simple_demo.h
test.rcpc test.scfg test_HardwareDebug.launch
wolfssl wolfssl.rcpc
README_EN.md README_JP.md
resource section.esi
tools
example_keys generate_SignedCA.sh rsa_private.pem rsa_public.pem
README.md
wolfssl wolfssl.rcpc
wolfssl_demo key_data.c key_data.h user_settings.h wolfssl_demo.c wolfssl_demo.h wolfssl_tsip_unit_test.c
InstructionManualForExample_RX72N_EnvisonKit_EN.pdf InstructionManualForExample_RX72N_EnvisonKit_JP.pdf README_EN.md README_JP.md include.am
RZN2L
common user_settings.h wolfssl_demo.h
test
src
serial_io app_print.c
test wolf_client.c wolf_server.c wolfssl_rsip_unit_test.c
wolfCrypt .gitignore
wolfSSL .gitignore
local_system_init.c rzn2l_tst_thread_entry.c wolfssl_dummy.c
README.md include.am
SK-S7G2
common user_settings.h
wolfssl_lib configuration.xml
.gitignore README.md include.am
STARCORE README.txt include.am starcore_test.c user_settings.h
STM32Cube README.md STM32_Benchmarks.md default_conf.ftl include.am main.c wolfssl_example.c wolfssl_example.h
SimplicityStudio README.md include.am test_wolf.c user_settings.h
TRUESTUDIO
wolfssl user_settings.h
README include.am
VS-ARM README.md include.am user_settings.h wolfssl.sln wolfssl.vcxproj
VS-AZURE-SPHERE
client app_manifest.json client.c client.h client.vcxproj
server app_manifest.json server.c server.h server.vcxproj
shared util.h
wolfcrypt_test app_manifest.json wolfcrypt_test.vcxproj
README.md include.am user_settings.h wolfssl.sln wolfssl.vcxproj
VisualDSP include.am user_settings.h wolf_tasks.c
WICED-STUDIO README include.am user_settings.h
WIN README.txt include.am test.vcxproj user_settings.h user_settings_dtls.h wolfssl-fips.sln wolfssl-fips.vcxproj
WIN-SGX ReadMe.txt include.am wolfSSL_SGX.edl wolfSSL_SGX.sln wolfSSL_SGX.vcxproj
WIN-SRTP-KDF-140-3 README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxproj
WIN10 README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxproj
WINCE README.md include.am user_settings.h user_settings.h.140-2-deprecated
WORKBENCH README.md include.am
XCODE
Benchmark
wolfBench
Assets.xcassets
AppIcon.appiconset Contents.json
Base.lproj LaunchScreen.storyboard Main.storyboard
AppDelegate.h AppDelegate.m Info.plist ViewController.h ViewController.m main.m
wolfBench.xcodeproj project.pbxproj
include.am
wolfssl-FIPS.xcodeproj project.pbxproj
wolfssl.xcodeproj project.pbxproj
wolfssl_testsuite.xcodeproj project.pbxproj
README.md build-for-i386.sh include.am user_settings.h
XCODE-FIPSv2
macOS-C++
Intel user_settings.h
M1 user_settings.h
include.am user_settings.h
XCODE-FIPSv5 README include.am user_settings.h
XCODE-FIPSv6 README include.am user_settings.h
XilinxSDK
2018_2 lscript.ld
2019_2
wolfCrypt_example
src lscript.ld
wolfCrypt_example_system wolfCrypt_example_system.sprj
2022_1
wolfCrypt_FreeRTOS_example wolfCrypt_FreeRTOS_example.prj
wolfCrypt_FreeRTOS_example_system wolfCrypt_FreeRTOS_example_system.sprj
wolfCrypt_example wolfCrypt_example.prj
wolfCrypt_example_system wolfCrypt_example_system.sprj
.gitignore
README.md bench.sh combine.sh eclipse_formatter_profile.xml graph.sh include.am user_settings.h wolfssl_example.c
apple-universal
wolfssl-multiplatform
wolfssl-multiplatform
Assets.xcassets
AccentColor.colorset Contents.json
AppIcon.appiconset Contents.json
Contents.json
ContentView.swift simple_client_example.c simple_client_example.h wolfssl-multiplatform-Bridging-Header.h wolfssl_multiplatform.entitlements wolfssl_multiplatformApp.swift wolfssl_test_driver.c wolfssl_test_driver.h
wolfssl-multiplatform.xcodeproj project.pbxproj
.gitignore README.md build-wolfssl-framework.sh include.am
iotsafe Makefile README.md ca-cert.c devices.c devices.h include.am main.c memory-tls.c startup.c target.ld user_settings.h
iotsafe-raspberrypi Makefile README.md client-tls13.c include.am main.c
mynewt README.md apps.wolfcrypttest.pkg.yml crypto.wolfssl.pkg.yml crypto.wolfssl.syscfg.yml include.am setup.sh
zephyr README.md include.am
include.am
RTOS
nuttx
wolfssl .gitignore Kconfig Make.defs Makefile README.md setup-wolfssl.sh user_settings.h
include.am
bsdkm Makefile README.md bsdkm_wc_port.h include.am wolfkmod.c wolfkmod_aes.c x86_vecreg.c
certs
1024 ca-cert.der ca-cert.pem ca-key.der ca-key.pem client-cert.der client-cert.pem client-key.der client-key.pem client-keyPub.der dh1024.der dh1024.pem dsa-pub-1024.pem dsa1024.der dsa1024.pem include.am rsa1024.der server-cert.der server-cert.pem server-key.der server-key.pem
3072 client-cert.der client-cert.pem client-key.der client-key.pem client-keyPub.der include.am
4096 client-cert.der client-cert.pem client-key.der client-key.pem client-keyPub.der include.am
acert
rsa_pss acert.pem acert_ietf.pem acert_ietf_pubkey.pem acert_pubkey.pem
acert.pem acert_ietf.pem acert_ietf_pubkey.pem acert_pubkey.pem include.am
aia ca-issuers-cert.pem multi-aia-cert.pem overflow-aia-cert.pem
crl
extra-crls ca-int-cert-revoked.pem claim-root.pem crl_critical_entry.pem crlnum_57oct.pem crlnum_64oct.pem general-server-crl.pem large_crlnum.pem large_crlnum2.pem
hash_der 0fdb2da4.r0
hash_pem 0fdb2da4.r0
bad_time_fmt.pem ca-int-ecc.pem ca-int.pem ca-int2-ecc.pem ca-int2.pem caEcc384Crl.pem caEccCrl.der caEccCrl.pem cliCrl.pem client-int-ecc.pem client-int.pem crl.der crl.pem crl.revoked crl2.der crl2.pem crl_reason.pem crl_rsapss.pem eccCliCRL.pem eccSrvCRL.pem gencrls.sh include.am server-goodaltCrl.pem server-goodaltwildCrl.pem server-goodcnCrl.pem server-goodcnwildCrl.pem server-int-ecc.pem server-int.pem wolfssl.cnf
dilithium bench_dilithium_level2_key.der bench_dilithium_level3_key.der bench_dilithium_level5_key.der include.am
ecc bp256r1-key.der bp256r1-key.pem ca-secp256k1-cert.pem ca-secp256k1-key.pem client-bp256r1-cert.der client-bp256r1-cert.pem client-secp256k1-cert.der client-secp256k1-cert.pem genecc.sh include.am secp256k1-key.der secp256k1-key.pem secp256k1-param.pem secp256k1-privkey.der secp256k1-privkey.pem server-bp256r1-cert.der server-bp256r1-cert.pem server-secp256k1-cert.der server-secp256k1-cert.pem server2-secp256k1-cert.der server2-secp256k1-cert.pem wolfssl.cnf wolfssl_384.cnf
ed25519 ca-ed25519-key.der ca-ed25519-key.pem ca-ed25519-priv.der ca-ed25519-priv.pem ca-ed25519.der ca-ed25519.pem client-ed25519-key.der client-ed25519-key.pem client-ed25519-priv.der client-ed25519-priv.pem client-ed25519.der client-ed25519.pem eddsa-ed25519.der eddsa-ed25519.pem gen-ed25519-certs.sh gen-ed25519-keys.sh gen-ed25519.sh include.am root-ed25519-key.der root-ed25519-key.pem root-ed25519-priv.der root-ed25519-priv.pem root-ed25519.der root-ed25519.pem server-ed25519-cert.pem server-ed25519-key.der server-ed25519-key.pem server-ed25519-priv.der server-ed25519-priv.pem server-ed25519.der server-ed25519.pem
ed448 ca-ed448-key.der ca-ed448-key.pem ca-ed448-priv.der ca-ed448-priv.pem ca-ed448.der ca-ed448.pem client-ed448-key.der client-ed448-key.pem client-ed448-priv.der client-ed448-priv.pem client-ed448.der client-ed448.pem gen-ed448-certs.sh gen-ed448-keys.sh include.am root-ed448-key.der root-ed448-key.pem root-ed448-priv.der root-ed448-priv.pem root-ed448.der root-ed448.pem server-ed448-cert.pem server-ed448-key.der server-ed448-key.pem server-ed448-priv.der server-ed448-priv.pem server-ed448.der server-ed448.pem
external DigiCertGlobalRootCA.pem README.txt ca-digicert-ev.pem ca-globalsign-root.pem ca-google-root.pem ca_collection.pem include.am
falcon bench_falcon_level1_key.der bench_falcon_level5_key.der include.am
intermediate
ca_false_intermediate gentestcert.sh int_ca.key server.key test_ca.key test_ca.pem test_int_not_cacert.pem test_sign_bynoca_srv.pem wolfssl_base.conf wolfssl_srv.conf
ca-ecc-bad-aki.der ca-ecc-bad-aki.pem ca-int-cert.der ca-int-cert.pem ca-int-ecc-cert.der ca-int-ecc-cert.pem ca-int-ecc-key.der ca-int-ecc-key.pem ca-int-key.der ca-int-key.pem ca-int2-cert.der ca-int2-cert.pem ca-int2-ecc-cert.der ca-int2-ecc-cert.pem ca-int2-ecc-key.der ca-int2-ecc-key.pem ca-int2-key.der ca-int2-key.pem client-chain-alt-ecc.pem client-chain-alt.pem client-chain-ecc.der client-chain-ecc.pem client-chain.der client-chain.pem client-int-cert.der client-int-cert.pem client-int-ecc-cert.der client-int-ecc-cert.pem genintcerts.sh include.am server-chain-alt-ecc.pem server-chain-alt.pem server-chain-ecc.der server-chain-ecc.pem server-chain-short.pem server-chain.der server-chain.pem server-int-cert.der server-int-cert.pem server-int-ecc-cert.der server-int-ecc-cert.pem
lms bc_hss_L2_H5_W8_root.der bc_hss_L3_H5_W4_root.der bc_lms_chain_ca.der bc_lms_chain_leaf.der bc_lms_native_bc_root.der bc_lms_sha256_h10_w8_root.der bc_lms_sha256_h5_w4_root.der include.am
mldsa README.txt include.am mldsa44-cert.der mldsa44-cert.pem mldsa44-key.pem mldsa44_bare-priv.der mldsa44_bare-seed.der mldsa44_oqskeypair.der mldsa44_priv-only.der mldsa44_pub-spki.der mldsa44_seed-only.der mldsa44_seed-priv.der mldsa65-cert.der mldsa65-cert.pem mldsa65-key.pem mldsa65_bare-priv.der mldsa65_bare-seed.der mldsa65_oqskeypair.der mldsa65_priv-only.der mldsa65_pub-spki.der mldsa65_seed-only.der mldsa65_seed-priv.der mldsa87-cert.der mldsa87-cert.pem mldsa87-key.pem mldsa87_bare-priv.der mldsa87_bare-seed.der mldsa87_oqskeypair.der mldsa87_priv-only.der mldsa87_pub-spki.der mldsa87_seed-only.der mldsa87_seed-priv.der
ocsp imposter-root-ca-cert.der imposter-root-ca-cert.pem imposter-root-ca-key.der imposter-root-ca-key.pem include.am index-ca-and-intermediate-cas.txt index-ca-and-intermediate-cas.txt.attr index-intermediate1-ca-issued-certs.txt index-intermediate1-ca-issued-certs.txt.attr index-intermediate2-ca-issued-certs.txt index-intermediate2-ca-issued-certs.txt.attr index-intermediate3-ca-issued-certs.txt index-intermediate3-ca-issued-certs.txt.attr intermediate1-ca-cert.der intermediate1-ca-cert.pem intermediate1-ca-key.der intermediate1-ca-key.pem intermediate2-ca-cert.der intermediate2-ca-cert.pem intermediate2-ca-key.der intermediate2-ca-key.pem intermediate3-ca-cert.der intermediate3-ca-cert.pem intermediate3-ca-key.der intermediate3-ca-key.pem ocsp-responder-cert.der ocsp-responder-cert.pem ocsp-responder-key.der ocsp-responder-key.pem openssl.cnf renewcerts-for-test.sh renewcerts.sh root-ca-cert.der root-ca-cert.pem root-ca-crl.pem root-ca-key.der root-ca-key.pem server1-cert.der server1-cert.pem server1-chain-noroot.pem server1-key.der server1-key.pem server2-cert.der server2-cert.pem server2-key.der server2-key.pem server3-cert.der server3-cert.pem server3-key.der server3-key.pem server4-cert.der server4-cert.pem server4-key.der server4-key.pem server5-cert.der server5-cert.pem server5-key.der server5-key.pem test-leaf-response.der test-multi-response.der test-response-nointern.der test-response-rsapss.der test-response.der
p521 ca-p521-key.der ca-p521-key.pem ca-p521-priv.der ca-p521-priv.pem ca-p521.der ca-p521.pem client-p521-key.der client-p521-key.pem client-p521-priv.der client-p521-priv.pem client-p521.der client-p521.pem gen-p521-certs.sh gen-p521-keys.sh include.am root-p521-key.der root-p521-key.pem root-p521-priv.der root-p521-priv.pem root-p521.der root-p521.pem server-p521-cert.pem server-p521-key.der server-p521-key.pem server-p521-priv.der server-p521-priv.pem server-p521.der server-p521.pem
renewcerts wolfssl.cnf
rpk client-cert-rpk.der client-ecc-cert-rpk.der include.am server-cert-rpk.der server-ecc-cert-rpk.der
rsapss ca-3072-rsapss-key.der ca-3072-rsapss-key.pem ca-3072-rsapss-priv.der ca-3072-rsapss-priv.pem ca-3072-rsapss.der ca-3072-rsapss.pem ca-rsapss-key.der ca-rsapss-key.pem ca-rsapss-priv.der ca-rsapss-priv.pem ca-rsapss.der ca-rsapss.pem client-3072-rsapss-key.der client-3072-rsapss-key.pem client-3072-rsapss-priv.der client-3072-rsapss-priv.pem client-3072-rsapss.der client-3072-rsapss.pem client-rsapss-key.der client-rsapss-key.pem client-rsapss-priv.der client-rsapss-priv.pem client-rsapss.der client-rsapss.pem gen-rsapss-keys.sh include.am renew-rsapss-certs.sh root-3072-rsapss-key.der root-3072-rsapss-key.pem root-3072-rsapss-priv.der root-3072-rsapss-priv.pem root-3072-rsapss.der root-3072-rsapss.pem root-rsapss-key.der root-rsapss-key.pem root-rsapss-priv.der root-rsapss-priv.pem root-rsapss.der root-rsapss.pem server-3072-rsapss-cert.pem server-3072-rsapss-key.der server-3072-rsapss-key.pem server-3072-rsapss-priv.der server-3072-rsapss-priv.pem server-3072-rsapss.der server-3072-rsapss.pem server-mix-rsapss-cert.pem server-rsapss-cert.pem server-rsapss-key.der server-rsapss-key.pem server-rsapss-priv.der server-rsapss-priv.pem server-rsapss.der server-rsapss.pem
sia timestamping-sia-cert.pem
slhdsa bench_slhdsa_sha2_128f_key.der bench_slhdsa_sha2_128s_key.der bench_slhdsa_sha2_192f_key.der bench_slhdsa_sha2_192s_key.der bench_slhdsa_sha2_256f_key.der bench_slhdsa_sha2_256s_key.der bench_slhdsa_shake128f_key.der bench_slhdsa_shake128s_key.der bench_slhdsa_shake192f_key.der bench_slhdsa_shake192s_key.der bench_slhdsa_shake256f_key.der bench_slhdsa_shake256s_key.der client-mldsa44-priv.pem client-mldsa44-sha2.der client-mldsa44-sha2.pem client-mldsa44-shake.der client-mldsa44-shake.pem gen-slhdsa-mldsa-certs.sh include.am root-slhdsa-sha2-128s-priv.der root-slhdsa-sha2-128s-priv.pem root-slhdsa-sha2-128s.der root-slhdsa-sha2-128s.pem root-slhdsa-shake-128s-priv.der root-slhdsa-shake-128s-priv.pem root-slhdsa-shake-128s.der root-slhdsa-shake-128s.pem server-mldsa44-priv.pem server-mldsa44-sha2.der server-mldsa44-sha2.pem server-mldsa44-shake.der server-mldsa44-shake.pem
sm2 ca-sm2-key.der ca-sm2-key.pem ca-sm2-priv.der ca-sm2-priv.pem ca-sm2.der ca-sm2.pem client-sm2-key.der client-sm2-key.pem client-sm2-priv.der client-sm2-priv.pem client-sm2.der client-sm2.pem fix_sm2_spki.py gen-sm2-certs.sh gen-sm2-keys.sh include.am root-sm2-key.der root-sm2-key.pem root-sm2-priv.der root-sm2-priv.pem root-sm2.der root-sm2.pem self-sm2-cert.pem self-sm2-key.pem self-sm2-priv.pem server-sm2-cert.der server-sm2-cert.pem server-sm2-key.der server-sm2-key.pem server-sm2-priv.der server-sm2-priv.pem server-sm2.der server-sm2.pem
statickeys dh-ffdhe2048-params.pem dh-ffdhe2048-pub.der dh-ffdhe2048-pub.pem dh-ffdhe2048.der dh-ffdhe2048.pem ecc-secp256r1.der ecc-secp256r1.pem gen-static.sh include.am x25519-pub.der x25519-pub.pem x25519.der x25519.pem
test
expired expired-ca.der expired-ca.pem expired-cert.der expired-cert.pem
catalog.txt cert-bad-neg-int.der cert-bad-oid.der cert-bad-utf8.der cert-ext-ia.cfg cert-ext-ia.der cert-ext-ia.pem cert-ext-joi.cfg cert-ext-joi.der cert-ext-joi.pem cert-ext-mnc.der cert-ext-multiple.cfg cert-ext-multiple.der cert-ext-multiple.pem cert-ext-nc-combined.der cert-ext-nc-combined.pem cert-ext-nc.cfg cert-ext-nc.der cert-ext-nc.pem cert-ext-ncdns.der cert-ext-ncdns.pem cert-ext-ncip.der cert-ext-ncip.pem cert-ext-ncmixed.der cert-ext-ncmulti.der cert-ext-ncmulti.pem cert-ext-ncrid.der cert-ext-ncrid.pem cert-ext-nct.cfg cert-ext-nct.der cert-ext-nct.pem cert-ext-ndir-exc.cfg cert-ext-ndir-exc.der cert-ext-ndir-exc.pem cert-ext-ndir.cfg cert-ext-ndir.der cert-ext-ndir.pem cert-ext-ns.der cert-over-max-altnames.cfg cert-over-max-altnames.der cert-over-max-altnames.pem cert-over-max-nc.cfg cert-over-max-nc.der cert-over-max-nc.pem client-ecc-cert-ski.hex cn-ip-literal.der cn-ip-wildcard.der crit-cert.pem crit-key.pem dh1024.der dh1024.pem dh512.der dh512.pem digsigku.pem encrypteddata.msg gen-badsig.sh gen-ext-certs.sh gen-testcerts.sh include.am kari-keyid-cms.msg ktri-keyid-cms.msg ossl-trusted-cert.pem server-badaltname.der server-badaltname.pem server-badaltnull.der server-badaltnull.pem server-badcn.der server-badcn.pem server-badcnnull.der server-badcnnull.pem server-cert-ecc-badsig.der server-cert-ecc-badsig.pem server-cert-rsa-badsig.der server-cert-rsa-badsig.pem server-duplicate-policy.pem server-garbage.der server-garbage.pem server-goodalt.der server-goodalt.pem server-goodaltwild.der server-goodaltwild.pem server-goodcn.der server-goodcn.pem server-goodcnwild.der server-goodcnwild.pem server-localhost.der server-localhost.pem smime-test-canon.p7s smime-test-multipart-badsig.p7s smime-test-multipart.p7s smime-test.p7s
test-pathlen assemble-chains.sh chainA-ICA1-key.pem chainA-ICA1-pathlen0.pem chainA-assembled.pem chainA-entity-key.pem chainA-entity.pem chainB-ICA1-key.pem chainB-ICA1-pathlen0.pem chainB-ICA2-key.pem chainB-ICA2-pathlen1.pem chainB-assembled.pem chainB-entity-key.pem chainB-entity.pem chainC-ICA1-key.pem chainC-ICA1-pathlen1.pem chainC-assembled.pem chainC-entity-key.pem chainC-entity.pem chainD-ICA1-key.pem chainD-ICA1-pathlen127.pem chainD-assembled.pem chainD-entity-key.pem chainD-entity.pem chainE-ICA1-key.pem chainE-ICA1-pathlen128.pem chainE-assembled.pem chainE-entity-key.pem chainE-entity.pem chainF-ICA1-key.pem chainF-ICA1-pathlen1.pem chainF-ICA2-key.pem chainF-ICA2-pathlen0.pem chainF-assembled.pem chainF-entity-key.pem chainF-entity.pem chainG-ICA1-key.pem chainG-ICA1-pathlen0.pem chainG-ICA2-key.pem chainG-ICA2-pathlen1.pem chainG-ICA3-key.pem chainG-ICA3-pathlen99.pem chainG-ICA4-key.pem chainG-ICA4-pathlen5.pem chainG-ICA5-key.pem chainG-ICA5-pathlen20.pem chainG-ICA6-key.pem chainG-ICA6-pathlen10.pem chainG-ICA7-key.pem chainG-ICA7-pathlen100.pem chainG-assembled.pem chainG-entity-key.pem chainG-entity.pem chainH-ICA1-key.pem chainH-ICA1-pathlen0.pem chainH-ICA2-key.pem chainH-ICA2-pathlen2.pem chainH-ICA3-key.pem chainH-ICA3-pathlen2.pem chainH-ICA4-key.pem chainH-ICA4-pathlen2.pem chainH-assembled.pem chainH-entity-key.pem chainH-entity.pem chainI-ICA1-key.pem chainI-ICA1-no_pathlen.pem chainI-ICA2-key.pem chainI-ICA2-no_pathlen.pem chainI-ICA3-key.pem chainI-ICA3-pathlen2.pem chainI-assembled.pem chainI-entity-key.pem chainI-entity.pem chainJ-ICA1-key.pem chainJ-ICA1-no_pathlen.pem chainJ-ICA2-key.pem chainJ-ICA2-no_pathlen.pem chainJ-ICA3-key.pem chainJ-ICA3-no_pathlen.pem chainJ-ICA4-key.pem chainJ-ICA4-pathlen2.pem chainJ-assembled.pem chainJ-entity-key.pem chainJ-entity.pem include.am refreshkeys.sh
test-serial0 ee_normal.pem ee_serial0.pem generate_certs.sh include.am intermediate_serial0.pem root_serial0.pem root_serial0_key.pem selfsigned_nonca_serial0.pem
xmss bc_xmss_chain_ca.der bc_xmss_chain_leaf.der bc_xmss_sha2_10_256_root.der bc_xmss_sha2_16_256_root.der bc_xmssmt_sha2_20_2_256_root.der bc_xmssmt_sha2_20_4_256_root.der bc_xmssmt_sha2_40_8_256_root.der include.am
ca-cert-chain.der ca-cert.der ca-cert.pem ca-ecc-cert.der ca-ecc-cert.pem ca-ecc-key.der ca-ecc-key.pem ca-ecc384-cert.der ca-ecc384-cert.pem ca-ecc384-key.der ca-ecc384-key.pem ca-key-pkcs8-attribute.der ca-key.der ca-key.pem check_dates.sh client-absolute-urn.pem client-ca-cert.der client-ca-cert.pem client-ca.pem client-cert-ext.der client-cert-ext.pem client-cert.der client-cert.pem client-crl-dist.der client-crl-dist.pem client-ecc-ca-cert.der client-ecc-ca-cert.pem client-ecc-cert.der client-ecc-cert.pem client-ecc384-cert.der client-ecc384-cert.pem client-ecc384-key.der client-ecc384-key.pem client-key.der client-key.pem client-keyEnc.pem client-keyPub.der client-keyPub.pem client-relative-uri.pem client-uri-cert.pem csr.attr.der csr.dsa.der csr.dsa.pem csr.ext.der csr.signed.der dh-priv-2048.der dh-priv-2048.pem dh-pub-2048.der dh-pub-2048.pem dh-pubkey-2048.der dh2048.der dh2048.pem dh3072.der dh3072.pem dh4096.der dh4096.pem dsa-pubkey-2048.der dsa2048.der dsa2048.pem dsa3072.der dsaparams.der dsaparams.pem ecc-client-key.der ecc-client-key.pem ecc-client-keyPub.der ecc-client-keyPub.pem ecc-key-comp.pem ecc-keyPkcs8.der ecc-keyPkcs8.pem ecc-keyPkcs8Enc.der ecc-keyPkcs8Enc.pem ecc-keyPub.der ecc-keyPub.pem ecc-params.der ecc-params.pem ecc-privOnlyCert.pem ecc-privOnlyKey.pem ecc-privkey.der ecc-privkey.pem ecc-privkeyPkcs8.der ecc-privkeyPkcs8.pem ecc-rsa-server.p12 empty-issuer-cert.pem entity-no-ca-bool-cert.pem entity-no-ca-bool-key.pem fpki-cert.der fpki-certpol-cert.der gen_revoked.sh include.am renewcerts.sh rid-cert.der rsa-pub-2048.pem rsa2048.der rsa3072.der server-cert-chain.der server-cert.der server-cert.pem server-ecc-comp.der server-ecc-comp.pem server-ecc-rsa.der server-ecc-rsa.pem server-ecc-self.der server-ecc-self.pem server-ecc.der server-ecc.pem server-ecc384-cert.der server-ecc384-cert.pem server-ecc384-key.der server-ecc384-key.pem server-key.der server-key.pem server-keyEnc.pem server-keyPkcs8.der server-keyPkcs8.pem 
wolfssl/tests/api/test_aes.c raw
   1/* test_aes.c
   2 *
   3 * Copyright (C) 2006-2026 wolfSSL Inc.
   4 *
   5 * This file is part of wolfSSL.
   6 *
   7 * wolfSSL is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 3 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * wolfSSL is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20 */
  21
  22#include <tests/unit.h>
  23
  24#ifdef NO_INLINE
  25    #include <wolfssl/wolfcrypt/misc.h>
  26#else
  27    #define WOLFSSL_MISC_INCLUDED
  28    #include <wolfcrypt/src/misc.c>
  29#endif
  30
  31#include <wolfssl/wolfcrypt/aes.h>
  32#include <wolfssl/wolfcrypt/wc_encrypt.h>
  33#include <wolfssl/wolfcrypt/types.h>
  34/* <wolfssl/internal.h> is required because the CryptoCB TLS 1.3 key-zeroing
  35 * tests below inspect session state (ssl->keys.*_write_key,
  36 * ssl->encrypt.aes->devCtx) to verify that the TLS-layer staging buffers are
  37 * zeroed after a CryptoCB-driven AES-GCM key offload.  The tests live here
  38 * rather than in test_tls13.c because they exercise a CryptoCB-AES
  39 * interaction and share the existing AES test harness. */
  40#include <wolfssl/internal.h>
  41#include <tests/api/api.h>
  42#include <tests/api/test_aes.h>
  43#include <tests/utils.h>
  44
  45#if defined(HAVE_SELFTEST) || (defined(HAVE_FIPS_VERSION) && \
  46    (HAVE_FIPS_VERSION <= 2))
  47    #define GCM_NONCE_MAX_SZ    16
  48    #define CCM_NONCE_MAX_SZ    13
  49#endif
  50
  51/*******************************************************************************
  52 * AES
  53 ******************************************************************************/
  54
  55#ifndef NO_AES
  /*
   * Negative-path helper for wc_AesSetKey(): every call below is expected to
   * be rejected with BAD_FUNC_ARG.
   *
   * aes     AES context supplied by the caller; used only by the bad-length
   *         case.
   * key     Key buffer handed to wc_AesSetKey().
   * keyLen  Length value passed alongside key in the NULL-context cases.
   * iv      IV buffer passed through unchanged.
   *
   * Returns the accumulated Expect* outcome via EXPECT_RESULT().
   */
  static int test_wc_AesSetKey_BadArgs(Aes* aes, byte* key, word32 keyLen,
                                       byte* iv)
  {
      EXPECT_DECLS;

      /* Neither a context nor a key. */
      ExpectIntEQ(
          wc_AesSetKey(NULL, NULL, keyLen, iv, AES_ENCRYPTION),
          WC_NO_ERR_TRACE(BAD_FUNC_ARG));

      /* A key is supplied, but there is no context to load it into. */
      ExpectIntEQ(
          wc_AesSetKey(NULL, key , keyLen, iv, AES_ENCRYPTION),
          WC_NO_ERR_TRACE(BAD_FUNC_ARG));

      /* Context and key are present, but the length is the literal 48, which
       * is none of the AES key sizes (16, 24 or 32 bytes). */
      ExpectIntEQ(
          wc_AesSetKey(aes , key , 48    , iv, AES_ENCRYPTION),
          WC_NO_ERR_TRACE(BAD_FUNC_ARG));

      return EXPECT_RESULT();
  }
  70
  /*
   * Loads one key into the context twice and checks the return code each
   * time: first for AES_ENCRYPTION with the caller's IV, then for
   * AES_DECRYPTION with a NULL IV.
   *
   * aes     AES context supplied by the caller.
   * key     Key buffer to load.
   * keyLen  Length of key in bytes.
   * iv      IV used for the encryption-direction call only.
   * ret     Return code both wc_AesSetKey() calls are expected to produce
   *         (test_wc_AesSetKey() passes 0 or BAD_FUNC_ARG).
   *
   * Returns the accumulated Expect* outcome via EXPECT_RESULT().
   */
  static int test_wc_AesSetKey_WithKey(Aes* aes, byte* key, word32 keyLen,
                                       byte* iv, int ret)
  {
      EXPECT_DECLS;

      /* Encryption direction, explicit IV. */
      ExpectIntEQ(
          wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION),
          ret);

      /* Decryption direction, no IV. */
      ExpectIntEQ(
          wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION),
          ret);

      return EXPECT_RESULT();
  }
  81#endif
  82
  /*
   * Testing function for wc_AesSetKey().
   *
   * Covers, in order: wc_AesInit() argument checking, the bad-argument cases
   * in test_wc_AesSetKey_BadArgs(), one accept/reject check per AES key size
   * (accepted only when the matching WOLFSSL_AES_nnn macro is defined), and
   * rejection of a 15-byte key.
   */
  int test_wc_AesSetKey(void)
  {
      EXPECT_DECLS;
  #ifndef NO_AES
      Aes  aes;
      /* 16-, 24- and 32-byte keys made of the same repeating byte pattern. */
      byte key16[] = {
          0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
          0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
      };
      byte key24[] = {
          0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
          0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
          0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
      };
      byte key32[] = {
          0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
          0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
          0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
          0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
      };
      /* One byte short of an AES-128 key (15 bytes). */
      byte badKey16[] = {
          0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
          0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
      };
      /* String initializer: 16 characters plus the terminating NUL. */
      byte iv[] = "1234567890abcdef";
      byte* key;
      word32 keyLen;

      /* Key handed to the bad-argument helper: the smallest enabled size,
       * falling back to the 32-byte key when neither AES-128 nor AES-192 is
       * enabled. */
  #if defined(WOLFSSL_AES_128)
      key = key16;
      keyLen = (word32)(sizeof(key16) / sizeof(byte));
  #elif defined(WOLFSSL_AES_192)
      key = key24;
      keyLen = (word32)(sizeof(key24) / sizeof(byte));
  #else
      key = key32;
      keyLen = (word32)(sizeof(key32) / sizeof(byte));
  #endif

      /* Start from an all-zero context: wc_AesFree() at the end runs no
       * matter how the checks below turn out. */
      XMEMSET(&aes, 0, sizeof(Aes));

      /* wc_AesInit() must reject a NULL context and accept a real one. */
      ExpectIntEQ(wc_AesInit(NULL, NULL, INVALID_DEVID),
                  WC_NO_ERR_TRACE(BAD_FUNC_ARG));
      ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

      EXPECT_TEST(test_wc_AesSetKey_BadArgs(&aes, key, keyLen, iv));

      /* Per key size: expect success when that size is compiled in, and
       * BAD_FUNC_ARG when it is not.
       * NOTE(review): the rejection branches pass BAD_FUNC_ARG bare, while
       * the other checks in this file wrap it in WC_NO_ERR_TRACE() - confirm
       * whether that difference is intentional. */
  #ifdef WOLFSSL_AES_128
      EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key16,
          (word32)sizeof(key16) / sizeof(byte), iv, 0));
  #else
      EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key16,
          (word32)sizeof(key16) / sizeof(byte), iv, BAD_FUNC_ARG));
  #endif
  #ifdef WOLFSSL_AES_192
      EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key24,
          (word32)sizeof(key24) / sizeof(byte), iv, 0));
  #else
      EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key24,
          (word32)sizeof(key24) / sizeof(byte), iv, BAD_FUNC_ARG));
  #endif
  #ifdef WOLFSSL_AES_256
      EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key32,
          (word32)sizeof(key32) / sizeof(byte), iv, 0));
  #else
      EXPECT_TEST(test_wc_AesSetKey_WithKey(&aes, key32,
          (word32)sizeof(key32) / sizeof(byte), iv, BAD_FUNC_ARG));
  #endif

      /* A truncated (15-byte) key must be refused rather than padded. */
      ExpectIntEQ(wc_AesSetKey(&aes, badKey16,
          (word32)sizeof(badKey16) / sizeof(byte), iv, AES_ENCRYPTION),
          WC_NO_ERR_TRACE(BAD_FUNC_ARG));

      wc_AesFree(&aes);
  #endif
      return EXPECT_RESULT();
  } /* END test_wc_AesSetKey */
 163
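 /*
  * Testing function for wc_AesSetIV().
  *
  * Checks that an IV can be replaced on an initialized context, that a NULL
  * context is rejected with BAD_FUNC_ARG whether or not an IV is supplied,
  * and that a NULL IV on a valid context returns 0.  A key is loaded first
  * only when AES-128 is compiled in.
  */
 int test_wc_AesSetIV(void)
 {
     EXPECT_DECLS;
 #if !defined(NO_AES)
     Aes     aes;
 #if defined(WOLFSSL_AES_128)
     byte    key16[] = {
         0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
         0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
     };
 #endif
     /* String initializers: 16 characters plus the terminating NUL. */
     byte    iv1[]    = "1234567890abcdef";
     byte    iv2[]    = "0987654321fedcba";

     /* Zero the context before use, as test_wc_AesSetKey() does:
      * wc_AesFree() below runs unconditionally, so if wc_AesInit() were to
      * fail it would otherwise be handed indeterminate stack bytes. */
     XMEMSET(&aes, 0, sizeof(Aes));

     ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

 #if defined(WOLFSSL_AES_128)
     /* Load a key with iv1 so the later call replaces an existing IV. */
     ExpectIntEQ(wc_AesSetKey(&aes, key16, (word32) sizeof(key16) / sizeof(byte),
         iv1, AES_ENCRYPTION), 0);
 #endif
     ExpectIntEQ(wc_AesSetIV(&aes, iv2), 0);

     /* A NULL context is an error regardless of the IV argument. */
     ExpectIntEQ(wc_AesSetIV(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     ExpectIntEQ(wc_AesSetIV(NULL, iv1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));

     /* A NULL IV on a valid context is accepted.
      * NOTE(review): the IV the context holds afterwards is not checked
      * here - presumably it is reset; confirm against wc_AesSetIV(). */
     ExpectIntEQ(wc_AesSetIV(&aes, NULL), 0);

     wc_AesFree(&aes);
 #endif
     return EXPECT_RESULT();
 } /* test_wc_AesSetIV */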
 197
 198
 199/*******************************************************************************
 200 * AES Direct
 201 ******************************************************************************/
 202
 203#if !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) && \
 204    (!defined(HAVE_FIPS) || !defined(HAVE_FIPS_VERSION) || \
 205        (HAVE_FIPS_VERSION > 6)) && !defined(HAVE_SELFTEST)
/*
 * Known-answer check for the single-block (direct) API with one key:
 * encrypt an all-zero block, compare it with `expected`, and, when decryption
 * is compiled in, confirm that decrypting gives the zero block back.
 */
static int test_wc_AesEncryptDecryptDirect_WithKey(Aes* aes, byte* key,
    word32 keyLen, byte* expected)
{
    EXPECT_DECLS;
    byte cipher[WC_AES_BLOCK_SIZE];
    byte plain[WC_AES_BLOCK_SIZE];
#if defined(HAVE_AES_DECRYPT)
    byte decrypted[WC_AES_BLOCK_SIZE];
#endif

    /* The plaintext is one block of zero bytes. */
    XMEMSET(plain, 0, sizeof(plain));

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);

    /* All-NULL arguments must be rejected. */
    ExpectIntEQ(wc_AesEncryptDirect(NULL, NULL, NULL),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    /* Encrypt and compare with the known answer for this key. */
    ExpectIntEQ(wc_AesEncryptDirect(aes, cipher, plain), 0);
    ExpectBufEQ(cipher, expected, WC_AES_BLOCK_SIZE);

#if defined(HAVE_AES_DECRYPT)
    /* Re-key for decryption and check the round trip. */
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
    ExpectIntEQ(wc_AesDecryptDirect(NULL, NULL, NULL),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesDecryptDirect(aes, decrypted, cipher), 0);
    ExpectBufEQ(decrypted, plain, WC_AES_BLOCK_SIZE);
#endif

    return EXPECT_RESULT();
}
 236#endif
 237
/*
 * Run the single-block (direct) known-answer check once for every AES key
 * size that is compiled in.
 */
int test_wc_AesEncryptDecryptDirect(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) && \
    (!defined(HAVE_FIPS) || !defined(HAVE_FIPS_VERSION) || \
        (HAVE_FIPS_VERSION > 6)) && !defined(HAVE_SELFTEST)
    Aes aes;
#ifdef WOLFSSL_AES_128
    /* 128-bit test key and the ciphertext of one all-zero block under it. */
    byte key16[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected16[WC_AES_BLOCK_SIZE] = {
        0x0b, 0x9b, 0x15, 0xda, 0x4b, 0x44, 0xa0, 0xf5,
        0x15, 0x1d, 0xcf, 0xc4, 0xc0, 0x1f, 0x35, 0xd5,
    };
#endif
#ifdef WOLFSSL_AES_192
    /* 192-bit test key and the ciphertext of one all-zero block under it. */
    byte key24[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected24[WC_AES_BLOCK_SIZE] = {
        0xbe, 0x55, 0x02, 0x05, 0xfc, 0x91, 0xe8, 0x9c,
        0x9b, 0x9c, 0xc4, 0x70, 0x93, 0xb9, 0x0a, 0x08,
    };
#endif
#ifdef WOLFSSL_AES_256
    /* 256-bit test key and the ciphertext of one all-zero block under it. */
    byte key32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected32[WC_AES_BLOCK_SIZE] = {
        0x7d, 0xbd, 0x88, 0x27, 0x2f, 0xb2, 0x59, 0x37,
        0x69, 0x2a, 0x3b, 0x81, 0x00, 0x47, 0x41, 0x75,
    };
#endif

    /* Start from a zeroed context so the final wc_AesFree() is well defined
     * even when initialisation fails. */
    XMEMSET(&aes, 0, sizeof(aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

#if defined(WOLFSSL_AES_128)
    EXPECT_TEST(test_wc_AesEncryptDecryptDirect_WithKey(&aes, key16,
        (word32)sizeof(key16) / sizeof(byte), expected16));
#endif
#if defined(WOLFSSL_AES_192)
    EXPECT_TEST(test_wc_AesEncryptDecryptDirect_WithKey(&aes, key24,
        (word32)sizeof(key24) / sizeof(byte), expected24));
#endif
#if defined(WOLFSSL_AES_256)
    EXPECT_TEST(test_wc_AesEncryptDecryptDirect_WithKey(&aes, key32,
        (word32)sizeof(key32) / sizeof(byte), expected32));
#endif

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
}
 299
 300/*******************************************************************************
 301 * AES-ECB
 302 ******************************************************************************/
 303
 304#if !defined(NO_AES) && defined(HAVE_AES_ECB)
 305/* Assembly code doing 8 iterations at a time. */
 306#define ECB_LEN     (15 * WC_AES_BLOCK_SIZE)
 307
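/*
 * Check that wc_AesEcbEncrypt() and wc_AesEcbDecrypt() return BAD_FUNC_ARG
 * for every argument combination in which at least one of the context, the
 * output pointer or the input pointer is NULL.
 *
 * aes    - initialised AES context, re-keyed by this function
 * key    - key bytes
 * keyLen - length of key in bytes
 */
static int test_wc_AesEcbEncryptDecrypt_BadArgs(Aes* aes, byte* key,
    word32 keyLen)
{
    EXPECT_DECLS;
    byte plain[WC_AES_BLOCK_SIZE];
    byte cipher[WC_AES_BLOCK_SIZE];
    byte decrypted[WC_AES_BLOCK_SIZE];

    XMEMSET(plain, 0, WC_AES_BLOCK_SIZE);
    XMEMSET(cipher, 0, WC_AES_BLOCK_SIZE);
    /* Initialise every buffer that is handed to the library, matching the
     * CBC bad-argument test. */
    XMEMSET(decrypted, 0, WC_AES_BLOCK_SIZE);

    /* Key the context for encryption before exercising the encrypt entry
     * point. The original keyed it for decryption here, unlike the CBC
     * bad-argument test, which keys for the direction it is about to call. */
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesEcbEncrypt(NULL, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbEncrypt(aes, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbEncrypt(NULL, cipher, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbEncrypt(NULL, NULL, plain, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbEncrypt(aes, NULL, plain, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbEncrypt(NULL, cipher, plain, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    /* Same NULL combinations against the decrypt entry point. */
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
    ExpectIntEQ(wc_AesEcbDecrypt(NULL, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbDecrypt(aes, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbDecrypt(NULL, decrypted, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbDecrypt(NULL, NULL, cipher, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbDecrypt(aes, decrypted, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbDecrypt(aes, NULL, cipher, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEcbDecrypt(NULL, decrypted, cipher, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    return EXPECT_RESULT();
}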
 353
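/*
 * Known-answer check for AES-ECB with one key: encrypt one and then two
 * all-zero blocks, compare each ciphertext block with `expected`, and, when
 * decryption is compiled in, confirm the round trip.
 *
 * aes      - initialised AES context, re-keyed by this function
 * key      - key bytes
 * keyLen   - length of key in bytes
 * expected - ciphertext of one all-zero block under key
 */
static int test_wc_AesEcbEncryptDecrypt_WithKey(Aes* aes, byte* key,
    word32 keyLen, byte* expected)
{
    EXPECT_DECLS;
    WC_DECLARE_VAR(plain, byte, ECB_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, ECB_LEN, NULL);
    WC_DECLARE_VAR(decrypted, byte, ECB_LEN, NULL);

    WC_ALLOC_VAR(plain, byte, ECB_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, ECB_LEN, NULL);
    WC_ALLOC_VAR(decrypted, byte, ECB_LEN, NULL);

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
    ExpectNotNull(decrypted);
#endif

    /* A failed ExpectNotNull() does not leave the function, so skip the
     * direct buffer write when an allocation check above has failed rather
     * than writing through a NULL pointer. */
    if (EXPECT_SUCCESS()) {
        XMEMSET(plain, 0, ECB_LEN);
    }

    /* One block. */
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher, plain, WC_AES_BLOCK_SIZE), 0);
    ExpectBufEQ(cipher, expected, WC_AES_BLOCK_SIZE);

#ifdef HAVE_AES_DECRYPT
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
    ExpectIntEQ(wc_AesEcbDecrypt(aes, decrypted, cipher, WC_AES_BLOCK_SIZE),
        0);
    ExpectBufEQ(decrypted, plain, WC_AES_BLOCK_SIZE);
#endif

    /* Two blocks (32 bytes). The plaintext blocks are identical, so in ECB
     * the two ciphertext blocks must be identical as well. */
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher, plain, 32), 0);
    ExpectBufEQ(cipher + WC_AES_BLOCK_SIZE, cipher, WC_AES_BLOCK_SIZE);
    ExpectBufEQ(cipher, expected, WC_AES_BLOCK_SIZE);
#ifdef HAVE_AES_DECRYPT
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
    ExpectIntEQ(wc_AesEcbDecrypt(aes, decrypted, cipher, 32), 0);
    ExpectBufEQ(decrypted, plain, 32);
#endif

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
    WC_FREE_VAR(decrypted, NULL);
    return EXPECT_RESULT();
}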
 400
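/*
 * Exercise AES-ECB over ECB_LEN bytes of zero plaintext, split into calls of
 * every whole-block size from one block up to ECB_LEN, with a final shorter
 * call for any remainder. Every ciphertext block must equal `expected`, and
 * every decrypted block must equal the zero plaintext.
 *
 * aes      - initialised AES context, re-keyed by this function
 * key      - key bytes
 * keyLen   - length of key in bytes
 * expected - ciphertext of one all-zero block under key
 */
static int test_wc_AesEcbEncryptDecrypt_MultiBlocks(Aes* aes, byte* key,
    word32 keyLen, byte* expected)
{
    EXPECT_DECLS;
    int sz;
    int cnt;
    WC_DECLARE_VAR(plain, byte, ECB_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, ECB_LEN, NULL);
    WC_DECLARE_VAR(decrypted, byte, ECB_LEN, NULL);

    WC_ALLOC_VAR(plain, byte, ECB_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, ECB_LEN, NULL);
    WC_ALLOC_VAR(decrypted, byte, ECB_LEN, NULL);

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
    ExpectNotNull(decrypted);
#endif

    /* A failed ExpectNotNull() does not leave the function, so the direct
     * buffer writes here and in the loops below are only reached while no
     * check has failed; otherwise they could write through a NULL pointer. */
    if (EXPECT_SUCCESS()) {
        XMEMSET(plain, 0, ECB_LEN);
    }

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
    /* Test multiple blocks. */
    for (sz = WC_AES_BLOCK_SIZE; sz <= ECB_LEN && EXPECT_SUCCESS();
         sz += WC_AES_BLOCK_SIZE) {
        XMEMSET(cipher, 0x00, ECB_LEN);
        /* Whole chunks of sz bytes. */
        for (cnt = 0; cnt + sz <= ECB_LEN; cnt += sz) {
            ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher + cnt, plain + cnt, sz),
                0);
        }
        /* Remainder that is shorter than sz. */
        if (cnt < ECB_LEN) {
            ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher + cnt, plain + cnt,
                ECB_LEN - cnt), 0);
        }
        for (cnt = 0; cnt < ECB_LEN; cnt += WC_AES_BLOCK_SIZE) {
            ExpectBufEQ(cipher + cnt, expected, WC_AES_BLOCK_SIZE);
        }
    }
#ifdef HAVE_AES_DECRYPT
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
    for (sz = WC_AES_BLOCK_SIZE; sz <= ECB_LEN && EXPECT_SUCCESS();
         sz += WC_AES_BLOCK_SIZE) {
        /* Pre-fill with 0xff so stale zero bytes cannot pass the compare. */
        XMEMSET(decrypted, 0xff, ECB_LEN);
        for (cnt = 0; cnt + sz <= ECB_LEN; cnt += sz) {
            ExpectIntEQ(wc_AesEcbDecrypt(aes, decrypted + cnt, cipher + cnt,
                sz), 0);
        }
        if (cnt < ECB_LEN) {
            ExpectIntEQ(wc_AesEcbDecrypt(aes, decrypted + cnt, cipher + cnt,
                ECB_LEN - cnt), 0);
        }
        for (cnt = 0; cnt < ECB_LEN; cnt += WC_AES_BLOCK_SIZE) {
            ExpectBufEQ(decrypted + cnt, plain, WC_AES_BLOCK_SIZE);
        }
    }
#endif

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
    WC_FREE_VAR(decrypted, NULL);
    return EXPECT_RESULT();
}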
 462
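/*
 * Check AES-ECB when the input and output pointers are the same buffer:
 * encrypt ECB_LEN zero bytes in place and compare every block with
 * `expected`, then, when decryption is compiled in, decrypt in place and
 * compare with the zero plaintext.
 *
 * aes      - initialised AES context, re-keyed by this function
 * key      - key bytes
 * keyLen   - length of key in bytes
 * expected - ciphertext of one all-zero block under key
 */
static int test_wc_AesEcbEncryptDecrypt_SameBuffer(Aes* aes, byte* key,
    word32 keyLen, byte* expected)
{
    EXPECT_DECLS;
    int cnt;
    WC_DECLARE_VAR(plain, byte, ECB_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, ECB_LEN, NULL);

    WC_ALLOC_VAR(plain, byte, ECB_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, ECB_LEN, NULL);

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
#endif

    /* A failed ExpectNotNull() does not leave the function, so skip the
     * direct buffer writes when an allocation check above has failed rather
     * than writing through a NULL pointer. */
    if (EXPECT_SUCCESS()) {
        XMEMSET(plain, 0, ECB_LEN);
    }

    /* Testing using same buffer for input and output. */
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
    if (EXPECT_SUCCESS()) {
        XMEMCPY(cipher, plain, ECB_LEN);
    }
    ExpectIntEQ(wc_AesEcbEncrypt(aes, cipher, cipher, ECB_LEN), 0);
    for (cnt = 0; cnt < ECB_LEN; cnt += WC_AES_BLOCK_SIZE) {
        ExpectBufEQ(cipher + cnt, expected, WC_AES_BLOCK_SIZE);
    }
#ifdef HAVE_AES_DECRYPT
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen,
        NULL, AES_DECRYPTION), 0);
    ExpectIntEQ(wc_AesEcbDecrypt(aes, cipher, cipher, ECB_LEN), 0);
    for (cnt = 0; cnt < ECB_LEN; cnt += WC_AES_BLOCK_SIZE) {
        ExpectBufEQ(cipher + cnt, plain, WC_AES_BLOCK_SIZE);
    }
#endif

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
    return EXPECT_RESULT();
}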
 501#endif
 502
/*
 * Test wc_AesEcbEncrypt() and wc_AesEcbDecrypt(): bad arguments, a
 * known-answer check for every compiled-in key size, and the multi-block and
 * in-place checks with the smallest compiled-in key size.
 */
int test_wc_AesEcbEncryptDecrypt(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AES_ECB)
    Aes aes;
#ifdef WOLFSSL_AES_128
    /* 128-bit test key and the ciphertext of one all-zero block under it. */
    byte key16[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected16[WC_AES_BLOCK_SIZE] = {
        0x0b, 0x9b, 0x15, 0xda, 0x4b, 0x44, 0xa0, 0xf5,
        0x15, 0x1d, 0xcf, 0xc4, 0xc0, 0x1f, 0x35, 0xd5,
    };
#endif
#ifdef WOLFSSL_AES_192
    /* 192-bit test key and the ciphertext of one all-zero block under it. */
    byte key24[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected24[WC_AES_BLOCK_SIZE] = {
        0xbe, 0x55, 0x02, 0x05, 0xfc, 0x91, 0xe8, 0x9c,
        0x9b, 0x9c, 0xc4, 0x70, 0x93, 0xb9, 0x0a, 0x08,
    };
#endif
#ifdef WOLFSSL_AES_256
    /* 256-bit test key and the ciphertext of one all-zero block under it. */
    byte key32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected32[WC_AES_BLOCK_SIZE] = {
        0x7d, 0xbd, 0x88, 0x27, 0x2f, 0xb2, 0x59, 0x37,
        0x69, 0x2a, 0x3b, 0x81, 0x00, 0x47, 0x41, 0x75,
    };
#endif
    byte* expected;
    byte* key;
    word32 keyLen;

    /* Key used by the bad-argument, multi-block and in-place checks: the
     * first of 128, 192, 256 bits that is compiled in. */
#if defined(WOLFSSL_AES_128)
    key = key16;
    keyLen = (word32)sizeof(key16) / sizeof(byte);
    expected = expected16;
#elif defined(WOLFSSL_AES_192)
    key = key24;
    keyLen = (word32)sizeof(key24) / sizeof(byte);
    expected = expected24;
#else
    key = key32;
    keyLen = (word32)sizeof(key32) / sizeof(byte);
    expected = expected32;
#endif

    /* Start from a zeroed context so the final wc_AesFree() is well defined
     * even when initialisation fails. */
    XMEMSET(&aes, 0, sizeof(aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

    EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_BadArgs(&aes, key, keyLen));

#ifdef WOLFSSL_AES_128
    EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_WithKey(&aes, key16,
        (word32)sizeof(key16) / sizeof(byte), expected16));
#endif
#ifdef WOLFSSL_AES_192
    EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_WithKey(&aes, key24,
        (word32)sizeof(key24) / sizeof(byte), expected24));
#endif
#ifdef WOLFSSL_AES_256
    EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_WithKey(&aes, key32,
        (word32)sizeof(key32) / sizeof(byte), expected32));
#endif

    EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_MultiBlocks(&aes, key, keyLen,
        expected));
    EXPECT_TEST(test_wc_AesEcbEncryptDecrypt_SameBuffer(&aes, key, keyLen,
        expected));

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
}
 586
 587/*******************************************************************************
 588 * AES-CBC
 589 ******************************************************************************/
 590
 591#if !defined(NO_AES) && defined(HAVE_AES_CBC)
 592/* Assembly code doing 8 iterations at a time. */
 593#define CBC_LEN     (9 * WC_AES_BLOCK_SIZE)
 594
/*
 * Check that wc_AesCbcEncrypt(), wc_AesCbcDecrypt() and
 * wc_AesCbcDecryptWithKey() return BAD_FUNC_ARG when required pointers are
 * NULL.
 */
static int test_wc_AesCbcEncryptDecrypt_BadArgs(Aes* aes, byte* key,
    word32 keyLen, byte* iv)
{
    EXPECT_DECLS;
    byte    decrypted[WC_AES_BLOCK_SIZE];
    byte    cipher[WC_AES_BLOCK_SIZE];
    byte    plain[WC_AES_BLOCK_SIZE];

    XMEMSET(plain, 0, sizeof(plain));
    XMEMSET(cipher, 0, sizeof(cipher));
    XMEMSET(decrypted, 0, sizeof(decrypted));

    /* Encrypt: every combination with at least one NULL among context,
     * output and input. */
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesCbcEncrypt(NULL, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcEncrypt(aes, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcEncrypt(NULL, cipher, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcEncrypt(NULL, NULL, plain, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcEncrypt(aes, NULL, plain, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcEncrypt(NULL, cipher, plain, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    /* Decrypt: the same NULL combinations. */
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_DECRYPTION), 0);
    ExpectIntEQ(wc_AesCbcDecrypt(NULL, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecrypt(aes, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecrypt(NULL, decrypted, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecrypt(NULL, NULL, cipher, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecrypt(aes, NULL, cipher, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecrypt(NULL, decrypted, cipher, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    /* One-shot decrypt with a zero length: at most one of output, input, key
     * and IV is non-NULL. */
    ExpectIntEQ(wc_AesCbcDecryptWithKey(NULL, NULL, 0, NULL, keyLen, NULL),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecryptWithKey(decrypted, NULL, 0, NULL, keyLen, NULL),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecryptWithKey(NULL, cipher, 0, NULL, keyLen, NULL),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecryptWithKey(NULL, NULL, 0, key, keyLen, NULL),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecryptWithKey(NULL, NULL, 0, NULL, keyLen, iv),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* One-shot decrypt of two blocks: exactly one of IV, key, input and
     * output is NULL. */
    ExpectIntEQ(wc_AesCbcDecryptWithKey(decrypted, cipher,
        WC_AES_BLOCK_SIZE * 2, key, keyLen, NULL),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecryptWithKey(decrypted, cipher,
        WC_AES_BLOCK_SIZE * 2, NULL, keyLen, iv),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecryptWithKey(decrypted, NULL,
        WC_AES_BLOCK_SIZE * 2, key, keyLen, iv),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCbcDecryptWithKey(NULL, cipher,
        WC_AES_BLOCK_SIZE * 2, key, keyLen, iv),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    return EXPECT_RESULT();
}
 664
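/*
 * Known-answer check for AES-CBC with one key: encrypt `vector`, compare the
 * result with `vector_enc`, check zero-length and non-block-multiple lengths,
 * and, when decryption is compiled in, check the round trip through both
 * wc_AesCbcDecrypt() and wc_AesCbcDecryptWithKey().
 *
 * aes        - initialised AES context, re-keyed by this function
 * key        - key bytes
 * keyLen     - length of key in bytes
 * iv         - IV used for every keying
 * vector     - plaintext
 * vector_enc - expected ciphertext of vector under key and iv
 * vector_len - length of vector in bytes; must not exceed the two-block
 *              local buffers
 */
static int test_wc_AesCbcEncryptDecrypt_WithKey(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* vector, byte* vector_enc, word32 vector_len)
{
    EXPECT_DECLS;
    byte    cipher[WC_AES_BLOCK_SIZE * 2];
    byte    decrypted[WC_AES_BLOCK_SIZE * 2];

    XMEMSET(cipher, 0, WC_AES_BLOCK_SIZE * 2);
    XMEMSET(decrypted, 0, WC_AES_BLOCK_SIZE * 2);

    /* The library writes vector_len bytes into the fixed two-block buffers
     * above. Fail the test here, before any library call, if a caller passes
     * a longer vector; once an Expect check has failed, the library calls
     * wrapped in later Expect checks are not made. */
    ExpectIntLE(vector_len, WC_AES_BLOCK_SIZE * 2);

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
    (HAVE_FIPS_VERSION == 2) && defined(WOLFSSL_AESNI)
    fprintf(stderr, "Zero length inputs not supported with AESNI in FIPS "
                    "mode (v2), skip test");
#else
    /* Test passing in size of 0  */
    XMEMSET(cipher, 0x00, WC_AES_BLOCK_SIZE * 2);
    ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, vector, 0), 0);
    /* Check enc was not modified */
    {
        int i;
        for (i = 0; i < (int)WC_AES_BLOCK_SIZE * 2; i++)
            ExpectIntEQ(cipher[i], 0x00);
    }
#endif
    ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, vector, vector_len),
        0);
    ExpectBufEQ(cipher, vector_enc, vector_len);
#ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS
    /* A length that is not a multiple of the block size is rejected. */
    ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, vector, vector_len - 1),
        WC_NO_ERR_TRACE(BAD_LENGTH_E));
#endif

#ifdef HAVE_AES_DECRYPT
    /* Note: the decrypt calls below always process two blocks, while the
     * comparisons cover only the first vector_len bytes. */
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_DECRYPTION), 0);
    ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, cipher,
        WC_AES_BLOCK_SIZE * 2), 0);
    ExpectBufEQ(decrypted, vector, vector_len);
    /* A non-block-multiple length fails with an error code that depends on
     * whether length checks are compiled in. */
#ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS
    ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, cipher,
        WC_AES_BLOCK_SIZE * 2 - 1), WC_NO_ERR_TRACE(BAD_LENGTH_E));
#else
    ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, cipher,
        WC_AES_BLOCK_SIZE * 2 - 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif

    /* One-shot decrypt that takes the key and IV directly. */
    ExpectIntEQ(wc_AesCbcDecryptWithKey(decrypted, cipher,
        WC_AES_BLOCK_SIZE * 2, key, keyLen, iv), 0);
    ExpectBufEQ(decrypted, vector, vector_len);

    /* Test passing in size of 0  */
    XMEMSET(decrypted, 0, WC_AES_BLOCK_SIZE * 2);
    ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, cipher, 0), 0);
    /* Check dec was not modified */
    {
        int i;
        for (i = 0; i < (int)WC_AES_BLOCK_SIZE * 2; i++)
            ExpectIntEQ(decrypted[i], 0);
    }
#endif

    return EXPECT_RESULT();
}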
 731
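/*
 * Exercise AES-CBC over CBC_LEN bytes of zero plaintext, split into calls of
 * every whole-block size from one block up to CBC_LEN, with a final shorter
 * call for any remainder. The IV is reset before each pass, so every pass
 * must produce the same ciphertext, `expected`. The whole check is compiled
 * out when WOLFSSL_KCAPI is defined.
 *
 * aes      - initialised AES context, re-keyed by this function
 * key      - key bytes
 * keyLen   - length of key in bytes
 * iv       - IV restored at the start of every pass
 * expected - ciphertext of CBC_LEN zero bytes under key and iv
 */
static int test_wc_AesCbcEncryptDecrypt_MultiBlocks(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* expected)
{
    EXPECT_DECLS;
#ifdef WOLFSSL_KCAPI
    (void)aes;
    (void)key;
    (void)keyLen;
    (void)iv;
    (void)expected;
#else /* !WOLFSSL_KCAPI */
    int sz;
    int cnt;
    WC_DECLARE_VAR(plain, byte, CBC_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, CBC_LEN, NULL);
    WC_DECLARE_VAR(decrypted, byte, CBC_LEN, NULL);

    WC_ALLOC_VAR(plain, byte, CBC_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, CBC_LEN, NULL);
    WC_ALLOC_VAR(decrypted, byte, CBC_LEN, NULL);

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
    ExpectNotNull(decrypted);
#endif

    /* A failed ExpectNotNull() does not leave the function, so the direct
     * buffer writes here and in the loops below are only reached while no
     * check has failed; otherwise they could write through a NULL pointer. */
    if (EXPECT_SUCCESS()) {
        XMEMSET(plain, 0, CBC_LEN);
        XMEMSET(cipher, 0, CBC_LEN);
        XMEMSET(decrypted, 0, CBC_LEN);
    }

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
    /* Test multiple blocks. */
    for (sz = WC_AES_BLOCK_SIZE; sz <= CBC_LEN && EXPECT_SUCCESS();
         sz += WC_AES_BLOCK_SIZE) {
        XMEMSET(cipher, 0x00, CBC_LEN);
        /* Restart the chain from the same IV for every pass. */
        ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
        for (cnt = 0; cnt + sz <= CBC_LEN; cnt += sz) {
            ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher + cnt, plain + cnt, sz),
                0);
        }
        if (cnt < CBC_LEN) {
            ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher + cnt, plain + cnt,
                CBC_LEN - cnt), 0);
        }
        ExpectBufEQ(cipher, expected, CBC_LEN);
    }
#ifdef HAVE_AES_DECRYPT
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), 0);
    for (sz = WC_AES_BLOCK_SIZE; sz <= CBC_LEN && EXPECT_SUCCESS();
         sz += WC_AES_BLOCK_SIZE) {
        /* Pre-fill with 0xff so stale zero bytes cannot pass the compare. */
        XMEMSET(decrypted, 0xff, CBC_LEN);
        ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
        for (cnt = 0; cnt + sz <= CBC_LEN; cnt += sz) {
            ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted + cnt, cipher + cnt,
                sz), 0);
        }
        if (cnt < CBC_LEN) {
            ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted + cnt, cipher + cnt,
                CBC_LEN - cnt), 0);
        }
        ExpectBufEQ(decrypted, plain, CBC_LEN);
    }
#endif

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
    WC_FREE_VAR(decrypted, NULL);
#endif /* !WOLFSSL_KCAPI */
    return EXPECT_RESULT();
}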
 802
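/*
 * Check AES-CBC when the input and output pointers are the same buffer:
 * encrypt CBC_LEN zero bytes in place and compare with `expected`, then, when
 * decryption is compiled in, decrypt in place and compare with the zero
 * plaintext.
 *
 * aes      - initialised AES context, re-keyed by this function
 * key      - key bytes
 * keyLen   - length of key in bytes
 * iv       - IV used for both keyings
 * expected - ciphertext of CBC_LEN zero bytes under key and iv
 */
static int test_wc_AesCbcEncryptDecrypt_SameBuffer(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* expected)
{
    EXPECT_DECLS;
    WC_DECLARE_VAR(plain, byte, CBC_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, CBC_LEN, NULL);

    WC_ALLOC_VAR(plain, byte, CBC_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, CBC_LEN, NULL);

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
#endif

    /* A failed ExpectNotNull() does not leave the function, so skip the
     * direct buffer writes when an allocation check above has failed rather
     * than writing through a NULL pointer. */
    if (EXPECT_SUCCESS()) {
        XMEMSET(plain, 0, CBC_LEN);
    }

    /* Testing using same buffer for input and output. */
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
    if (EXPECT_SUCCESS()) {
        XMEMCPY(cipher, plain, CBC_LEN);
    }
    ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, cipher, CBC_LEN), 0);
    ExpectBufEQ(cipher, expected, CBC_LEN);
#ifdef HAVE_AES_DECRYPT
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_DECRYPTION), 0);
    ExpectIntEQ(wc_AesCbcDecrypt(aes, cipher, cipher, CBC_LEN), 0);
    ExpectBufEQ(cipher, plain, CBC_LEN);
#endif

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
    return EXPECT_RESULT();
}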
 835#endif
 836
/*
 * Test wc_AesCbcEncrypt(), wc_AesCbcDecrypt() and wc_AesCbcDecryptWithKey():
 * bad arguments, a known-answer check for every compiled-in key size, and
 * the multi-block and in-place checks with the smallest compiled-in key size.
 */
int test_wc_AesCbcEncryptDecrypt(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AES_CBC)
    Aes  aes;
    byte vector[] = { /* Now is the time for all good men w/o trailing 0 */
        0x4e, 0x6f, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74,
        0x68, 0x65, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20,
        0x66, 0x6f, 0x72, 0x20, 0x61, 0x6c, 0x6c, 0x20,
        0x67, 0x6f, 0x6f, 0x64, 0x20, 0x6d, 0x65, 0x6e
    };
    /* Per key size: the test key and the expected CBC ciphertext of `vector`
     * under that key and `iv`. */
#ifdef WOLFSSL_AES_128
    byte key16[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte vector_enc16[] = {
        0x26, 0x5b, 0x55, 0xf1, 0xcc, 0x77, 0xc0, 0x9a,
        0x60, 0x77, 0x99, 0x1d, 0x52, 0xf1, 0xc0, 0x3a,
        0x0f, 0x16, 0xae, 0x62, 0xf1, 0x71, 0xf5, 0x95,
        0xb6, 0x74, 0x98, 0x2a, 0x6b, 0x7c, 0x7c, 0x39
    };
#endif
#ifdef WOLFSSL_AES_192
    byte key24[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte vector_enc24[] = {
        0xdb, 0x96, 0xfa, 0x55, 0x90, 0x1e, 0x0c, 0x4f,
        0xe4, 0x0f, 0xde, 0x16, 0x33, 0x44, 0xca, 0xa5,
        0xe6, 0xa8, 0xbd, 0xd4, 0x88, 0xe5, 0x2f, 0x88,
        0xfd, 0x61, 0x0f, 0x88, 0x6d, 0xf1, 0xf6, 0xa5
    };
#endif
#ifdef WOLFSSL_AES_256
    byte key32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte vector_enc32[] = {
        0xd7, 0xd6, 0x04, 0x5b, 0x4d, 0xc4, 0x90, 0xdf,
        0x4a, 0x82, 0xed, 0x61, 0x26, 0x4e, 0x23, 0xb3,
        0xe4, 0xb5, 0x85, 0x30, 0x29, 0x4c, 0x9d, 0xcf,
        0x73, 0xc9, 0x46, 0xd1, 0xaa, 0xc8, 0xcb, 0x62,
    };
#endif
    /* Expected CBC ciphertext of CBC_LEN zero bytes, for the one key size
     * selected below for the multi-block and in-place checks. */
#if defined(WOLFSSL_AES_128)
    byte expected16[CBC_LEN] = {
        0x46, 0x1a, 0x5f, 0xfd, 0x9d, 0xf7, 0x91, 0x71,
        0x35, 0x8e, 0x9e, 0x01, 0x77, 0xd8, 0x4e, 0xaa,
        0x34, 0x28, 0xba, 0x95, 0x76, 0xa5, 0x60, 0xeb,
        0xbf, 0x6e, 0x89, 0xf5, 0x9a, 0x03, 0x7a, 0x7e,
        0x07, 0xc5, 0xec, 0x60, 0xe1, 0x9b, 0x7a, 0x35,
        0x9c, 0x29, 0x74, 0x6c, 0x2b, 0x1c, 0xff, 0x1b,
        0xa0, 0xd5, 0xf3, 0x5b, 0x23, 0x86, 0x31, 0xbe,
        0x1a, 0x20, 0x2c, 0x57, 0xf4, 0x9e, 0x81, 0x67,
        0xb8, 0xf2, 0x60, 0x28, 0x36, 0x50, 0x6c, 0x06,
        0x69, 0xa8, 0xec, 0x36, 0x46, 0x2a, 0xc9, 0x12,
        0x54, 0xc8, 0xeb, 0x73, 0x8d, 0xe8, 0x0f, 0x0c,
        0xd6, 0x53, 0x8b, 0xd2, 0x24, 0xdb, 0x08, 0xf7,
        0x1e, 0x2e, 0x34, 0x8d, 0x27, 0x6d, 0x77, 0x8f,
        0x00, 0xa5, 0x8e, 0xc3, 0x0d, 0x07, 0x61, 0xd4,
        0xe0, 0x54, 0x9b, 0xfe, 0x71, 0x4f, 0x25, 0x75,
        0x9f, 0x7a, 0x2c, 0xa4, 0x0e, 0x47, 0x1f, 0xef,
        0x85, 0x19, 0x36, 0x65, 0x3b, 0x28, 0x20, 0x3a,
        0xf9, 0x7f, 0x13, 0xe8, 0x24, 0xd7, 0x64, 0x27,
    };
#elif defined(WOLFSSL_AES_192)
    byte expected24[CBC_LEN] = {
        0x7b, 0xde, 0x53, 0xac, 0x88, 0x24, 0xe6, 0xde,
        0x68, 0xd4, 0x64, 0x18, 0x20, 0x96, 0x62, 0x68,
        0xd0, 0x04, 0x81, 0x50, 0x73, 0xe7, 0x6d, 0x8e,
        0x14, 0x44, 0x87, 0xad, 0x6d, 0x44, 0xf9, 0xc3,
        0xe9, 0x82, 0x2e, 0x2d, 0x17, 0x16, 0x43, 0xa6,
        0x29, 0xe3, 0x9d, 0x7f, 0x84, 0x2e, 0x9a, 0x14,
        0x69, 0xe9, 0x7b, 0x38, 0xfd, 0xec, 0x71, 0x4a,
        0xf7, 0x0f, 0xbf, 0x6e, 0x4d, 0x46, 0x7e, 0xad,
        0x83, 0xcb, 0xfa, 0x20, 0x25, 0xf8, 0x13, 0xc6,
        0x75, 0xdd, 0x12, 0x1f, 0xed, 0xfa, 0x3a, 0x1c,
        0x01, 0x68, 0x02, 0x12, 0x69, 0x4c, 0xe7, 0x00,
        0xf1, 0x9c, 0x40, 0xed, 0x7d, 0x64, 0x16, 0x1c,
        0x63, 0x07, 0x87, 0x37, 0xb3, 0x5b, 0x59, 0x97,
        0xc9, 0xe4, 0x86, 0xfd, 0xd2, 0xae, 0x5b, 0x59,
        0x5a, 0xe9, 0xf5, 0x0b, 0xa0, 0x87, 0xf4, 0xb5,
        0x65, 0x9c, 0x98, 0x0f, 0xbf, 0x11, 0xa4, 0x7d,
        0x06, 0x80, 0xb5, 0x27, 0x9c, 0xd5, 0x09, 0x7a,
        0xa1, 0x42, 0xbd, 0x87, 0x6b, 0x85, 0x2f, 0x6e,
    };
#else
    byte expected32[CBC_LEN] = {
        0x18, 0x5a, 0x48, 0xfd, 0xb7, 0xd5, 0x35, 0xf3,
        0x3f, 0xb9, 0x14, 0x16, 0xf3, 0x05, 0xf3, 0x71,
        0xea, 0x4e, 0x22, 0xcd, 0x15, 0x3a, 0xcc, 0xba,
        0x3f, 0x5b, 0x85, 0x15, 0xdf, 0x07, 0xf6, 0xa4,
        0xf4, 0x41, 0xe7, 0x08, 0x30, 0x9b, 0x09, 0x2d,
        0xd4, 0x3e, 0x68, 0xea, 0x45, 0x3d, 0x3a, 0xe3,
        0x7c, 0x68, 0x00, 0xda, 0xeb, 0x87, 0xd7, 0x11,
        0x2a, 0x0b, 0x7c, 0x48, 0xe5, 0xef, 0xae, 0x6d,
        0x61, 0x04, 0xa4, 0x16, 0xc7, 0xb6, 0x0f, 0xab,
        0x24, 0x0c, 0x74, 0x0b, 0x4f, 0xfe, 0xfd, 0xd1,
        0x38, 0xae, 0x92, 0x18, 0x57, 0xdd, 0x20, 0x90,
        0x74, 0x0a, 0xdf, 0x7b, 0x06, 0x2d, 0x8a, 0xe8,
        0x43, 0x77, 0x0d, 0x18, 0x25, 0x8b, 0x04, 0x98,
        0xf4, 0x4c, 0x43, 0x19, 0x99, 0x16, 0x5a, 0xac,
        0x7f, 0x52, 0x0f, 0x79, 0xd2, 0x10, 0xa5, 0xf3,
        0x88, 0xf3, 0x79, 0x0a, 0x05, 0x22, 0xb8, 0xb2,
        0xb7, 0xd4, 0x8e, 0x17, 0x80, 0x1b, 0x4d, 0xcb,
        0x99, 0xa7, 0x30, 0x1b, 0xe0, 0xee, 0xd5, 0xd3,
    };
#endif
    byte    iv[]   = "1234567890abcdef";
    byte* expected;
    byte* key;
    word32 keyLen;

    /* Key used by the bad-argument, multi-block and in-place checks: the
     * first of 128, 192, 256 bits that is compiled in. */
#if defined(WOLFSSL_AES_128)
    key = key16;
    keyLen = (word32)sizeof(key16) / sizeof(byte);
    expected = expected16;
#elif defined(WOLFSSL_AES_192)
    key = key24;
    keyLen = (word32)sizeof(key24) / sizeof(byte);
    expected = expected24;
#else
    key = key32;
    keyLen = (word32)sizeof(key32) / sizeof(byte);
    expected = expected32;
#endif

    /* Start from a zeroed context so the final wc_AesFree() is well defined
     * even when initialisation fails. */
    XMEMSET(&aes, 0, sizeof(aes));

    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

    EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_BadArgs(&aes, key, keyLen, iv));

#if defined(WOLFSSL_AES_128)
    EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_WithKey(&aes, key16,
        (word32)sizeof(key16) / sizeof(byte), iv, vector, vector_enc16,
        (word32)sizeof(vector) / sizeof(byte)));
#endif
#if defined(WOLFSSL_AES_192)
    EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_WithKey(&aes, key24,
        (word32)sizeof(key24) / sizeof(byte), iv, vector, vector_enc24,
        (word32)sizeof(vector) / sizeof(byte)));
#endif
#if defined(WOLFSSL_AES_256)
    EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_WithKey(&aes, key32,
        (word32)sizeof(key32) / sizeof(byte), iv, vector, vector_enc32,
        (word32)sizeof(vector) / sizeof(byte)));
#endif

    EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_MultiBlocks(&aes, key, keyLen, iv,
        expected));
    EXPECT_TEST(test_wc_AesCbcEncryptDecrypt_SameBuffer(&aes, key, keyLen, iv,
        expected));

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesCbcEncryptDecrypt */
1006
1007/*******************************************************************************
1008 * AES-CBC unaligned buffers
1009 ******************************************************************************/
1010
1011/*
1012 * Verify that wc_AesCbcEncrypt / wc_AesCbcDecrypt produce correct results
1013 * when the input and output buffers are byte-offset (unaligned).  Tests
1014 * offsets 1, 2, and 3 to cover all misalignment residues mod 4.
1015 */
int test_wc_AesCbcEncryptDecrypt_UnalignedBuffers(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
    Aes aes;
    /* AES-128 CBC key and IV, cited as NIST SP 800-38A F.2.1. */
    static const byte key[AES_128_KEY_SIZE] = {
        0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
        0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
    };
    static const byte iv[AES_IV_SIZE] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
    };
    /* 32 bytes of plaintext, i.e. two AES blocks. */
    static const byte plain[32] = {
        0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
        0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
        0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
        0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51
    };
    /* Ciphertext produced without any added offset; used as the reference. */
    byte refCipher[sizeof(plain)];
    /* Three spare bytes so the payload can start at offset 1, 2 or 3. */
    byte srcBuf[sizeof(plain) + 3];
    byte dstBuf[sizeof(plain) + 3];
    int shift;

    XMEMSET(&aes, 0, sizeof(aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

    /* Baseline: encrypt straight from plain[] into refCipher[]. */
    ExpectIntEQ(wc_AesSetKey(&aes, key, sizeof(key), iv, AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesCbcEncrypt(&aes, refCipher, plain, sizeof(plain)), 0);

    /* Encrypt with input and output both shifted by 1, 2 and 3 bytes.  Key
     * and IV are reloaded on every pass so each run starts from the same
     * state; the loop stops at the first failed check. */
    for (shift = 1; shift < 4 && EXPECT_SUCCESS(); shift++) {
        byte* src = srcBuf + shift;
        byte* dst = dstBuf + shift;

        XMEMCPY(src, plain, sizeof(plain));
        /* Clear the whole output buffer before each pass. */
        XMEMSET(dstBuf, 0, sizeof(dstBuf));
        ExpectIntEQ(wc_AesSetKey(&aes, key, sizeof(key), iv, AES_ENCRYPTION),
            0);
        ExpectIntEQ(wc_AesCbcEncrypt(&aes, dst, src, sizeof(plain)), 0);
        ExpectBufEQ(dst, refCipher, sizeof(plain));
    }

#ifdef HAVE_AES_DECRYPT
    /* Same three offsets for decryption: shifted reference ciphertext in,
     * original plaintext expected out. */
    for (shift = 1; shift < 4 && EXPECT_SUCCESS(); shift++) {
        byte* src = srcBuf + shift;
        byte* dst = dstBuf + shift;

        XMEMCPY(src, refCipher, sizeof(plain));
        XMEMSET(dstBuf, 0, sizeof(dstBuf));
        ExpectIntEQ(wc_AesSetKey(&aes, key, sizeof(key), iv, AES_DECRYPTION),
            0);
        ExpectIntEQ(wc_AesCbcDecrypt(&aes, dst, src, sizeof(plain)), 0);
        ExpectBufEQ(dst, plain, sizeof(plain));
    }
#endif

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesCbcEncryptDecrypt_UnalignedBuffers */
1075
1076/*
1077 * Cross-cipher test: CBC mode is equivalent to block-by-block ECB encryption
1078 * with XOR chaining.  C[i] = ECB_Encrypt(K, P[i] XOR C[i-1]),  C[-1] = IV.
1079 *
1080 * This test verifies that relationship directly: encrypt with CBC, then
1081 * independently compute the same ciphertext using ECB + XOR, and compare.
1082 */
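int test_wc_AesCbc_CrossCipher(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(HAVE_AES_ECB) && \
    defined(WOLFSSL_AES_128)
    Aes aes;
    /* NIST SP 800-38A F.2.1 (first two plaintext blocks) */
    static const byte key[AES_128_KEY_SIZE] = {
        0x2b,0x7e,0x15,0x16, 0x28,0xae,0xd2,0xa6,
        0xab,0xf7,0x15,0x88, 0x09,0xcf,0x4f,0x3c
    };
    static const byte iv[WC_AES_BLOCK_SIZE] = {
        0x00,0x01,0x02,0x03, 0x04,0x05,0x06,0x07,
        0x08,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f
    };
    static const byte plain[2 * WC_AES_BLOCK_SIZE] = {
        0x6b,0xc1,0xbe,0xe2, 0x2e,0x40,0x9f,0x96,
        0xe9,0x3d,0x7e,0x11, 0x73,0x93,0x17,0x2a,
        0xae,0x2d,0x8a,0x57, 0x1e,0x03,0xac,0x9c,
        0x9e,0xb7,0x6f,0xac, 0x45,0xaf,0x8e,0x51
    };
    byte cbc_ct[sizeof(plain)];         /* output of wc_AesCbcEncrypt */
    byte ecb_ct[sizeof(plain)];         /* output of the manual ECB chain */
    byte xored[WC_AES_BLOCK_SIZE];      /* ECB input: P[i] XOR previous block */
    int  i;

    XMEMSET(&aes, 0, sizeof(aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

    /* CBC ciphertext via the API */
    ExpectIntEQ(wc_AesSetKey(&aes, key, sizeof(key), iv, AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesCbcEncrypt(&aes, cbc_ct, plain, sizeof(plain)), 0);

    /* Manually compute CBC via ECB + XOR chaining.  The key is reloaded with
     * a NULL IV because the chaining is done by hand below. */
    ExpectIntEQ(wc_AesSetKey(&aes, key, sizeof(key), NULL, AES_ENCRYPTION), 0);

    /* Block 0: xor plaintext with IV, then ECB-encrypt.  Both XOR inputs are
     * constants, so this loop is safe to run even after a failed check. */
    for (i = 0; i < WC_AES_BLOCK_SIZE; i++)
        xored[i] = plain[i] ^ iv[i];
    ExpectIntEQ(wc_AesEcbEncrypt(&aes, ecb_ct, xored, WC_AES_BLOCK_SIZE), 0);

    /* Block 1: xor plaintext with C[0], then ECB-encrypt.  The XOR is skipped
     * once a check has failed: ecb_ct[] has no initialiser, so its first
     * block may never have been written and must not be read.  This matches
     * the EXPECT_SUCCESS() guard used by test_wc_AesCfb_CrossCipher.
     * NOTE(review): the Expect* macros are assumed to handle the failed state
     * themselves - confirm against the test harness. */
    if (EXPECT_SUCCESS()) {
        for (i = 0; i < WC_AES_BLOCK_SIZE; i++)
            xored[i] = plain[WC_AES_BLOCK_SIZE + i] ^ ecb_ct[i];
    }
    ExpectIntEQ(wc_AesEcbEncrypt(&aes, ecb_ct + WC_AES_BLOCK_SIZE, xored,
        WC_AES_BLOCK_SIZE), 0);

    /* CBC ciphertext must equal the manually-chained ECB ciphertext */
    ExpectBufEQ(cbc_ct, ecb_ct, sizeof(plain));

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesCbc_CrossCipher */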
1137
1138/*******************************************************************************
1139 * AES-CFB
1140 ******************************************************************************/
1141
1142#if !defined(NO_AES) && defined(WOLFSSL_AES_CFB)
1143#define CFB_LEN     (5 * WC_AES_BLOCK_SIZE)
1144
/*
 * Argument validation for wc_AesCfbEncrypt / wc_AesCfbDecrypt.
 *
 * Loads key and IV into the caller's context, then calls each function with
 * every combination of (aes, out, in) that contains at least one NULL, always
 * with a length of 0, and expects BAD_FUNC_ARG each time.
 *
 * aes     initialised AES context
 * key     key bytes, keyLen bytes long
 * iv      IV passed to wc_AesSetIV
 * returns the accumulated EXPECT_RESULT() value
 */
static int test_wc_AesCfbEncryptDecrypt_BadArgs(Aes* aes, byte* key,
    word32 keyLen, byte* iv)
{
    EXPECT_DECLS;
    byte pt[WC_AES_BLOCK_SIZE];
    byte ct[WC_AES_BLOCK_SIZE];
#ifdef HAVE_AES_DECRYPT
    /* Only ever handed over as an output pointer, so it is left unset. */
    byte dec[WC_AES_BLOCK_SIZE];
#endif

    XMEMSET(pt, 0x00, sizeof(pt));
    XMEMSET(ct, 0x00, sizeof(ct));

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);

    /* Encrypt side. */
    ExpectIntEQ(wc_AesCfbEncrypt(NULL, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbEncrypt(aes, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbEncrypt(NULL, ct, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbEncrypt(NULL, NULL, pt, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbEncrypt(aes, ct, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbEncrypt(aes, NULL, pt, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbEncrypt(NULL, ct, pt, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

#ifdef HAVE_AES_DECRYPT
    /* Decrypt side, same seven combinations after reloading the IV. */
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesCfbDecrypt(NULL, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbDecrypt(aes, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbDecrypt(NULL, dec, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbDecrypt(NULL, NULL, ct, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbDecrypt(aes, dec, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbDecrypt(aes, NULL, ct, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCfbDecrypt(NULL, dec, ct, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif

    return EXPECT_RESULT();
}
1196
/*
 * Known-answer check of AES-CFB for one key.
 *
 * Encrypts a buffer filled with 0xa5, first one block and then all CFB_LEN
 * bytes, and compares against `expected`.  When HAVE_AES_DECRYPT is defined,
 * each ciphertext is decrypted again and compared with the plaintext.  The IV
 * is reloaded before every operation so each one starts from the same state.
 *
 * expected  at least CFB_LEN bytes of reference ciphertext
 * returns   the accumulated EXPECT_RESULT() value
 */
static int test_wc_AesCfbEncryptDecrypt_WithKey(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* expected)
{
    EXPECT_DECLS;
    WC_DECLARE_VAR(pt, byte, CFB_LEN, NULL);
    WC_DECLARE_VAR(ct, byte, CFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_DECLARE_VAR(dec, byte, CFB_LEN, NULL);
#endif

    WC_ALLOC_VAR(pt, byte, CFB_LEN, NULL);
    WC_ALLOC_VAR(ct, byte, CFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_ALLOC_VAR(dec, byte, CFB_LEN, NULL);
#endif

    /* The buffers are checked for NULL only in heap-allocating builds. */
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(pt);
    ExpectNotNull(ct);
#ifdef HAVE_AES_DECRYPT
    ExpectNotNull(dec);
#endif
#endif

    XMEMSET(pt, 0xa5, CFB_LEN);

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);

    /* Pass 1: a single block. */
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesCfbEncrypt(aes, ct, pt, WC_AES_BLOCK_SIZE), 0);
    ExpectBufEQ(ct, expected, WC_AES_BLOCK_SIZE);
#ifdef HAVE_AES_DECRYPT
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesCfbDecrypt(aes, dec, ct, WC_AES_BLOCK_SIZE), 0);
    ExpectBufEQ(dec, pt, WC_AES_BLOCK_SIZE);
#endif

    /* Pass 2: the full CFB_LEN bytes in one call. */
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesCfbEncrypt(aes, ct, pt, CFB_LEN), 0);
    ExpectBufEQ(ct, expected, CFB_LEN);
#ifdef HAVE_AES_DECRYPT
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesCfbDecrypt(aes, dec, ct, CFB_LEN), 0);
    ExpectBufEQ(dec, pt, CFB_LEN);
#endif

    WC_FREE_VAR(pt, NULL);
    WC_FREE_VAR(ct, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_FREE_VAR(dec, NULL);
#endif
    return EXPECT_RESULT();
}
1252
/*
 * Streaming check of AES-CFB: the same CFB_LEN-byte message is processed in
 * pieces of sz bytes for every sz from 1 to CFB_LEN - 1, with a shorter final
 * piece when sz does not divide CFB_LEN.  Whatever the split, the result has
 * to equal `expected` (encrypt) or the original plaintext (decrypt).
 *
 * expected  at least CFB_LEN bytes of reference ciphertext
 * returns   the accumulated EXPECT_RESULT() value
 */
static int test_wc_AesCfbEncryptDecrypt_Chunking(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* expected)
{
    EXPECT_DECLS;
    int sz;     /* nominal piece size for the current pass */
    int cnt;    /* bytes already processed in the current pass */
    int step;   /* size of the piece being processed right now */
    WC_DECLARE_VAR(plain, byte, CFB_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, CFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_DECLARE_VAR(decrypted, byte, CFB_LEN, NULL);
#endif

    WC_ALLOC_VAR(plain, byte, CFB_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, CFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_ALLOC_VAR(decrypted, byte, CFB_LEN, NULL);
#endif

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
#ifdef HAVE_AES_DECRYPT
    ExpectNotNull(decrypted);
#endif
#endif

    XMEMSET(plain, 0xa5, CFB_LEN);

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);

    for (sz = 1; sz < CFB_LEN; sz++) {
        /* Fresh IV and a cleared output buffer for every piece size. */
        ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
        XMEMSET(cipher, 0, CFB_LEN);
        for (cnt = 0; cnt < CFB_LEN; cnt += step) {
            /* Full pieces while they fit, then one shorter tail piece. */
            step = (cnt + sz <= CFB_LEN) ? sz : (CFB_LEN - cnt);
            ExpectIntEQ(wc_AesCfbEncrypt(aes, cipher + cnt, plain + cnt,
                step), 0);
        }
        ExpectBufEQ(cipher, expected, CFB_LEN);
    }
#ifdef HAVE_AES_DECRYPT
    /* Decrypts the ciphertext left in `cipher` by the last encrypt pass. */
    for (sz = 1; sz < CFB_LEN; sz++) {
        ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
        /* 0xff fill differs from both the zeroed and the 0xa5 buffers. */
        XMEMSET(decrypted, 0xff, CFB_LEN);
        for (cnt = 0; cnt < CFB_LEN; cnt += step) {
            step = (cnt + sz <= CFB_LEN) ? sz : (CFB_LEN - cnt);
            ExpectIntEQ(wc_AesCfbDecrypt(aes, decrypted + cnt, cipher + cnt,
                step), 0);
        }
        ExpectBufEQ(decrypted, plain, CFB_LEN);
    }
#endif

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_FREE_VAR(decrypted, NULL);
#endif
    return EXPECT_RESULT();
}
1319
1320#if (!defined(HAVE_FIPS) || !defined(HAVE_FIPS_VERSION) || \
1321        (HAVE_FIPS_VERSION > 6)) && !defined(HAVE_SELFTEST)
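/*
 * In-place check of AES-CFB: the same pointer is passed as input and output
 * for a CFB_LEN-byte message.  The encrypted buffer must equal `expected`
 * and, when HAVE_AES_DECRYPT is defined, decrypting it in place must restore
 * the 0xa5 plaintext.
 *
 * aes       initialised AES context
 * key       key bytes, keyLen bytes long
 * iv        IV reloaded before each operation
 * expected  at least CFB_LEN bytes of reference ciphertext
 * returns   the accumulated EXPECT_RESULT() value
 */
static int test_wc_AesCfbEncryptDecrypt_SameBuffer(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* expected)
{
    EXPECT_DECLS;
    WC_DECLARE_VAR(plain, byte, CFB_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, CFB_LEN, NULL);

    /* Allocate with CFB_LEN, the size used by the declarations above and by
     * every access below.  Sizing the allocation with the CBC section's
     * CBC_LEN made it depend on a macro from another build-option block: if
     * that value were smaller than CFB_LEN, the writes below would run past
     * the end of the allocation in heap-allocating builds. */
    WC_ALLOC_VAR(plain, byte, CFB_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, CFB_LEN, NULL);

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
#endif

    XMEMSET(plain, 0xa5, CFB_LEN);

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);

    /* Testing using same buffer for input and output. */
    XMEMCPY(cipher, plain, CFB_LEN);
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesCfbEncrypt(aes, cipher, cipher, CFB_LEN), 0);
    ExpectBufEQ(cipher, expected, CFB_LEN);
#ifdef HAVE_AES_DECRYPT
    /* Reload the IV, then decrypt the ciphertext over itself. */
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesCfbDecrypt(aes, cipher, cipher, CFB_LEN), 0);
    ExpectBufEQ(cipher, plain, CFB_LEN);
#endif

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
    return EXPECT_RESULT();
}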
1356#endif
1357#endif
1358
int test_wc_AesCfbEncryptDecrypt(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_CFB)
    Aes aes;
    /* One key and one CFB_LEN-byte reference ciphertext per enabled key
     * size.  These are fixed test values: the keys are printable ASCII. */
#ifdef WOLFSSL_AES_128
    byte key16[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected16[CFB_LEN] = {
        0xe3, 0xbf, 0xfa, 0x58, 0x38, 0x52, 0x34, 0xd4,
        0x90, 0x2b, 0x3b, 0xa4, 0xd2, 0x7d, 0xeb, 0x0f,
        0x01, 0x1f, 0xb4, 0x51, 0xa3, 0x6b, 0x21, 0x0c,
        0x17, 0xb0, 0xb2, 0xbf, 0x33, 0x3d, 0xe4, 0x3f,
        0xf9, 0x50, 0xcc, 0x2b, 0xab, 0xb7, 0x30, 0xaa,
        0xaf, 0x56, 0xad, 0xdb, 0xca, 0x73, 0x4b, 0x13,
        0x3b, 0xe2, 0xef, 0x8a, 0xb9, 0x1c, 0xfe, 0xfa,
        0x79, 0xcd, 0x92, 0x34, 0x27, 0xae, 0x6c, 0xe9,
        0x18, 0x60, 0x05, 0x44, 0xdd, 0x87, 0xe5, 0xfa,
        0x87, 0x64, 0xd0, 0x4c, 0x21, 0x00, 0xe9, 0x8d,
    };
#endif
#ifdef WOLFSSL_AES_192
    byte key24[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected24[CFB_LEN] = {
        0xde, 0x7b, 0xf6, 0x09, 0x2d, 0x81, 0x43, 0x7b,
        0xcd, 0x71, 0xc1, 0xbd, 0x85, 0x33, 0xc7, 0xcd,
        0x23, 0xb2, 0x9f, 0xf8, 0x69, 0xe5, 0x77, 0xbf,
        0x5a, 0x7f, 0xad, 0x5d, 0x98, 0x8f, 0x17, 0x70,
        0x65, 0xf6, 0x18, 0x90, 0x95, 0x5f, 0x85, 0xfd,
        0xfb, 0xc4, 0xed, 0xf2, 0x85, 0x6a, 0x3f, 0x62,
        0x8c, 0x33, 0x08, 0x42, 0x5d, 0x29, 0x51, 0xec,
        0xaa, 0x37, 0x7c, 0x57, 0x51, 0xa0, 0xde, 0xf8,
        0x68, 0x12, 0xf7, 0x73, 0x1c, 0x0c, 0xc7, 0xa6,
        0xb1, 0x82, 0x0e, 0xc8, 0xbd, 0xe3, 0x48, 0x3c,
    };
#endif
#ifdef WOLFSSL_AES_256
    byte key32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected32[CFB_LEN] = {
        0xbd, 0xff, 0xed, 0x58, 0x12, 0x70, 0x90, 0x56,
        0x9a, 0x1c, 0xb1, 0xb3, 0x56, 0xa0, 0x56, 0xd4,
        0x97, 0xb3, 0x9c, 0xf9, 0xeb, 0x2a, 0xb6, 0x23,
        0x11, 0x0c, 0x8d, 0x15, 0x2d, 0x03, 0x66, 0x76,
        0x4a, 0x7f, 0xb4, 0xf4, 0xe6, 0x7c, 0xec, 0x8b,
        0xe9, 0xa9, 0x40, 0x2b, 0x97, 0xec, 0x0e, 0x24,
        0xfe, 0x4b, 0xa1, 0xd6, 0xfc, 0x8f, 0x9c, 0x79,
        0x0c, 0x84, 0x18, 0x67, 0x14, 0x7d, 0x8c, 0x5a,
        0x78, 0x4f, 0x18, 0xb1, 0x04, 0xd9, 0x41, 0x79,
        0x72, 0x92, 0x5e, 0x91, 0xe8, 0xa9, 0xe7, 0xe9,
    };
#endif
    /* String-literal initialiser: 16 ASCII characters plus the terminating
     * NUL, so sizeof(iv) is 17. */
    byte iv[]   = "1234567890abcdef";
    /* Vectors for the helpers that run once rather than per key size. */
    byte* dfltKey;
    word32 dfltKeyLen;
    byte* dfltExpected;

    /* The smallest enabled key size supplies the default vectors. */
#if defined(WOLFSSL_AES_128)
    dfltKey = key16;
    dfltKeyLen = (word32)sizeof(key16) / sizeof(byte);
    dfltExpected = expected16;
#elif defined(WOLFSSL_AES_192)
    dfltKey = key24;
    dfltKeyLen = (word32)sizeof(key24) / sizeof(byte);
    dfltExpected = expected24;
#else
    dfltKey = key32;
    dfltKeyLen = (word32)sizeof(key32) / sizeof(byte);
    dfltExpected = expected32;
#endif

    XMEMSET(&aes, 0, sizeof(Aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

    EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_BadArgs(&aes, dfltKey,
        dfltKeyLen, iv));

    /* Known-answer run for every key size that is compiled in. */
#ifdef WOLFSSL_AES_128
    EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_WithKey(&aes, key16,
        (word32)sizeof(key16) / sizeof(byte), iv, expected16));
#endif
#ifdef WOLFSSL_AES_192
    EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_WithKey(&aes, key24,
        (word32)sizeof(key24) / sizeof(byte), iv, expected24));
#endif
#ifdef WOLFSSL_AES_256
    EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_WithKey(&aes, key32,
        (word32)sizeof(key32) / sizeof(byte), iv, expected32));
#endif

    EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_Chunking(&aes, dfltKey,
        dfltKeyLen, iv, dfltExpected));
    /* The in-place helper exists only outside HAVE_SELFTEST builds and when
     * FIPS is absent or HAVE_FIPS_VERSION is above 6. */
#if (!defined(HAVE_FIPS) || !defined(HAVE_FIPS_VERSION) || \
        (HAVE_FIPS_VERSION > 6)) && !defined(HAVE_SELFTEST)
    EXPECT_TEST(test_wc_AesCfbEncryptDecrypt_SameBuffer(&aes, dfltKey,
        dfltKeyLen, iv, dfltExpected));
#endif

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesCfbEncryptDecrypt */
1470
1471/*
1472 * Cross-cipher test: CFB128 encrypts by first running ECB on the previous
1473 * ciphertext block (or IV for the first block), then XOR-ing the result with
1474 * the plaintext.
1475 * C[i] = ECB_Encrypt(K, C[i-1]) XOR P[i],  C[-1] = IV.
1476 *
1477 * This test verifies that relationship: encrypt with CFB, then independently
1478 * compute the same ciphertext using ECB + feedback, and compare.
1479 */
int test_wc_AesCfb_CrossCipher(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_CFB) && defined(HAVE_AES_ECB) && \
    defined(WOLFSSL_AES_128)
    Aes aes;
    /* Vectors cited as NIST SP 800-38A F.3.13 (CFB128), first two blocks. */
    static const byte key[AES_128_KEY_SIZE] = {
        0x2b,0x7e,0x15,0x16, 0x28,0xae,0xd2,0xa6,
        0xab,0xf7,0x15,0x88, 0x09,0xcf,0x4f,0x3c
    };
    static const byte iv[WC_AES_BLOCK_SIZE] = {
        0x00,0x01,0x02,0x03, 0x04,0x05,0x06,0x07,
        0x08,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f
    };
    static const byte plain[2 * WC_AES_BLOCK_SIZE] = {
        0x6b,0xc1,0xbe,0xe2, 0x2e,0x40,0x9f,0x96,
        0xe9,0x3d,0x7e,0x11, 0x73,0x93,0x17,0x2a,
        0xae,0x2d,0x8a,0x57, 0x1e,0x03,0xac,0x9c,
        0x9e,0xb7,0x6f,0xac, 0x45,0xaf,0x8e,0x51
    };
    byte apiCt[sizeof(plain)];          /* output of wc_AesCfbEncrypt */
    byte manualCt[sizeof(plain)];       /* output of the hand-built chain */
    byte stream[WC_AES_BLOCK_SIZE];     /* ECB output XORed onto plaintext */
    /* Block fed to ECB next: the IV first, then the previous ciphertext. */
    const byte* feedback = iv;
    int  blk;
    int  i;

    XMEMSET(&aes, 0, sizeof(aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

    /* Path 1: let the CFB API encrypt both blocks. */
    ExpectIntEQ(wc_AesSetKey(&aes, key, sizeof(key), NULL, AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesSetIV(&aes, iv), 0);
    ExpectIntEQ(wc_AesCfbEncrypt(&aes, apiCt, plain, sizeof(plain)), 0);

    /* Path 2: rebuild the same ciphertext from ECB plus feedback. */
    ExpectIntEQ(wc_AesSetKey(&aes, key, sizeof(key), NULL, AES_ENCRYPTION), 0);

    for (blk = 0; blk < 2; blk++) {
        const byte* in  = plain + blk * WC_AES_BLOCK_SIZE;
        byte*       out = manualCt + blk * WC_AES_BLOCK_SIZE;

        ExpectIntEQ(wc_AesEcbEncrypt(&aes, stream, feedback,
            WC_AES_BLOCK_SIZE), 0);
        /* XOR only while every check so far has passed; stream[] has no
         * initialiser and is read nowhere else. */
        if (EXPECT_SUCCESS()) {
            for (i = 0; i < WC_AES_BLOCK_SIZE; i++)
                out[i] = in[i] ^ stream[i];
        }
        feedback = out;
    }

    /* Both paths have to agree byte for byte. */
    ExpectBufEQ(apiCt, manualCt, sizeof(plain));

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesCfb_CrossCipher */
1539
1540/*******************************************************************************
1541 * AES-OFB
1542 ******************************************************************************/
1543
1544#if !defined(NO_AES) && defined(WOLFSSL_AES_OFB)
1545#define OFB_LEN     (5 * WC_AES_BLOCK_SIZE)
1546
/*
 * Argument validation for wc_AesOfbEncrypt / wc_AesOfbDecrypt.
 *
 * Loads key and IV into the caller's context, then calls each function with
 * every combination of (aes, out, in) that contains at least one NULL, always
 * with a length of 0, and expects BAD_FUNC_ARG each time.
 *
 * aes     initialised AES context
 * key     key bytes, keyLen bytes long
 * iv      IV passed to wc_AesSetIV
 * returns the accumulated EXPECT_RESULT() value
 */
static int test_wc_AesOfbEncryptDecrypt_BadArgs(Aes* aes, byte* key,
    word32 keyLen, byte* iv)
{
    EXPECT_DECLS;
    byte pt[WC_AES_BLOCK_SIZE];
    byte ct[WC_AES_BLOCK_SIZE];
#ifdef HAVE_AES_DECRYPT
    /* Only ever handed over as an output pointer, so it is left unset. */
    byte dec[WC_AES_BLOCK_SIZE];
#endif

    XMEMSET(pt, 0x00, sizeof(pt));
    XMEMSET(ct, 0x00, sizeof(ct));

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);

    /* Encrypt side. */
    ExpectIntEQ(wc_AesOfbEncrypt(NULL, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbEncrypt(aes, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbEncrypt(NULL, ct, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbEncrypt(NULL, NULL, pt, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbEncrypt(aes, ct, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbEncrypt(aes, NULL, pt, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbEncrypt(NULL, ct, pt, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

#ifdef HAVE_AES_DECRYPT
    /* Decrypt side, same seven combinations after reloading the IV. */
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesOfbDecrypt(NULL, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbDecrypt(aes, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbDecrypt(NULL, dec, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbDecrypt(NULL, NULL, ct, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbDecrypt(aes, dec, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbDecrypt(aes, NULL, ct, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesOfbDecrypt(NULL, dec, ct, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif

    return EXPECT_RESULT();
}
1598
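/*
 * Known-answer check of AES-OFB for one key.
 *
 * Encrypts a buffer filled with 0xa5, first one block and then all OFB_LEN
 * bytes, and compares against `expected`.  When HAVE_AES_DECRYPT is defined,
 * each ciphertext is decrypted again and compared with the plaintext.  The IV
 * is reloaded before every operation so each one starts from the same state.
 *
 * aes       initialised AES context
 * key       key bytes, keyLen bytes long
 * iv        IV passed to wc_AesSetIV
 * expected  at least OFB_LEN bytes of reference ciphertext
 * returns   the accumulated EXPECT_RESULT() value
 */
static int test_wc_AesOfbEncryptDecrypt_WithKey(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* expected)
{
    EXPECT_DECLS;
    WC_DECLARE_VAR(plain, byte, OFB_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, OFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_DECLARE_VAR(decrypted, byte, OFB_LEN, NULL);
#endif

    WC_ALLOC_VAR(plain, byte, OFB_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, OFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_ALLOC_VAR(decrypted, byte, OFB_LEN, NULL);
#endif

    /* Record a failed allocation as a test failure in heap-allocating
     * builds, as the Chunking and SameBuffer helpers in this section and the
     * CFB counterpart of this helper already do. */
#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
#ifdef HAVE_AES_DECRYPT
    ExpectNotNull(decrypted);
#endif
#endif

    XMEMSET(plain, 0xa5, OFB_LEN);

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);

    /* Pass 1: a single block. */
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesOfbEncrypt(aes, cipher, plain, WC_AES_BLOCK_SIZE), 0);
    ExpectBufEQ(cipher, expected, WC_AES_BLOCK_SIZE);

#ifdef HAVE_AES_DECRYPT
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesOfbDecrypt(aes, decrypted, cipher, WC_AES_BLOCK_SIZE),
        0);
    ExpectBufEQ(decrypted, plain, WC_AES_BLOCK_SIZE);
#endif

    /* Pass 2: the full OFB_LEN bytes in one call. */
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesOfbEncrypt(aes, cipher, plain, OFB_LEN), 0);
    ExpectBufEQ(cipher, expected, OFB_LEN);
#ifdef HAVE_AES_DECRYPT
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesOfbDecrypt(aes, decrypted, cipher, OFB_LEN), 0);
    ExpectBufEQ(decrypted, plain, OFB_LEN);
#endif

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_FREE_VAR(decrypted, NULL);
#endif
    return EXPECT_RESULT();
}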
1646
/*
 * Streaming check of AES-OFB: the same OFB_LEN-byte message is processed in
 * pieces of sz bytes for every sz from 1 to OFB_LEN - 1, with a shorter final
 * piece when sz does not divide OFB_LEN.  Whatever the split, the result has
 * to equal `expected` (encrypt) or the original plaintext (decrypt).
 *
 * expected  at least OFB_LEN bytes of reference ciphertext
 * returns   the accumulated EXPECT_RESULT() value
 */
static int test_wc_AesOfbEncryptDecrypt_Chunking(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* expected)
{
    EXPECT_DECLS;
    int sz;     /* nominal piece size for the current pass */
    int cnt;    /* bytes already processed in the current pass */
    int step;   /* size of the piece being processed right now */
    WC_DECLARE_VAR(plain, byte, OFB_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, OFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_DECLARE_VAR(decrypted, byte, OFB_LEN, NULL);
#endif

    WC_ALLOC_VAR(plain, byte, OFB_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, OFB_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_ALLOC_VAR(decrypted, byte, OFB_LEN, NULL);
#endif

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
#ifdef HAVE_AES_DECRYPT
    ExpectNotNull(decrypted);
#endif
#endif

    XMEMSET(plain, 0xa5, OFB_LEN);

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);

    for (sz = 1; sz < OFB_LEN; sz++) {
        /* Fresh IV and a cleared output buffer for every piece size. */
        ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
        XMEMSET(cipher, 0, OFB_LEN);
        for (cnt = 0; cnt < OFB_LEN; cnt += step) {
            /* Full pieces while they fit, then one shorter tail piece. */
            step = (cnt + sz <= OFB_LEN) ? sz : (OFB_LEN - cnt);
            ExpectIntEQ(wc_AesOfbEncrypt(aes, cipher + cnt, plain + cnt,
                step), 0);
        }
        ExpectBufEQ(cipher, expected, OFB_LEN);
    }
#ifdef HAVE_AES_DECRYPT
    /* Decrypts the ciphertext left in `cipher` by the last encrypt pass. */
    for (sz = 1; sz < OFB_LEN; sz++) {
        ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
        /* 0xff fill differs from both the zeroed and the 0xa5 buffers. */
        XMEMSET(decrypted, 0xff, OFB_LEN);
        for (cnt = 0; cnt < OFB_LEN; cnt += step) {
            step = (cnt + sz <= OFB_LEN) ? sz : (OFB_LEN - cnt);
            ExpectIntEQ(wc_AesOfbDecrypt(aes, decrypted + cnt, cipher + cnt,
                step), 0);
        }
        ExpectBufEQ(decrypted, plain, OFB_LEN);
    }
#endif

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_FREE_VAR(decrypted, NULL);
#endif
    return EXPECT_RESULT();
}
1713
/*
 * In-place check of AES-OFB: the same pointer is passed as input and output
 * for an OFB_LEN-byte message.  The encrypted buffer must equal `expected`
 * and, when HAVE_AES_DECRYPT is defined, decrypting it in place must restore
 * the 0xa5 plaintext.
 *
 * expected  at least OFB_LEN bytes of reference ciphertext
 * returns   the accumulated EXPECT_RESULT() value
 */
static int test_wc_AesOfbEncryptDecrypt_SameBuffer(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* expected)
{
    EXPECT_DECLS;
    WC_DECLARE_VAR(ref, byte, OFB_LEN, NULL);   /* untouched plaintext copy */
    WC_DECLARE_VAR(work, byte, OFB_LEN, NULL);  /* buffer processed in place */

    WC_ALLOC_VAR(ref, byte, OFB_LEN, NULL);
    WC_ALLOC_VAR(work, byte, OFB_LEN, NULL);

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(ref);
    ExpectNotNull(work);
#endif
    XMEMSET(ref, 0xa5, OFB_LEN);

    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);

    /* Start from a copy of the plaintext and encrypt it over itself. */
    XMEMCPY(work, ref, OFB_LEN);
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesOfbEncrypt(aes, work, work, OFB_LEN), 0);
    ExpectBufEQ(work, expected, OFB_LEN);
#ifdef HAVE_AES_DECRYPT
    /* Reload the IV, then decrypt the ciphertext over itself. */
    ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
    ExpectIntEQ(wc_AesOfbDecrypt(aes, work, work, OFB_LEN), 0);
    ExpectBufEQ(work, ref, OFB_LEN);
#endif

    WC_FREE_VAR(ref, NULL);
    WC_FREE_VAR(work, NULL);
    return EXPECT_RESULT();
}
1747#endif
1748
/*
 * Driver for the AES-OFB helper tests.  Runs the bad-argument, chunking and
 * same-buffer helpers once with the smallest enabled key size, and the
 * known-answer helper once for every enabled key size.
 */
int test_wc_AesOfbEncryptDecrypt(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_OFB)
    Aes aes;
    /* One key and one OFB_LEN-byte reference ciphertext per enabled key
     * size.  These are fixed test values: the keys are printable ASCII. */
#ifdef WOLFSSL_AES_128
    byte key16[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected16[OFB_LEN] = {
        0xe3, 0xbf, 0xfa, 0x58, 0x38, 0x52, 0x34, 0xd4,
        0x90, 0x2b, 0x3b, 0xa4, 0xd2, 0x7d, 0xeb, 0x0f,
        0x91, 0x8d, 0x1f, 0x30, 0xd3, 0x00, 0xc5, 0x4e,
        0x1a, 0xcb, 0x2c, 0x50, 0x3f, 0xa6, 0xdf, 0xdb,
        0xa2, 0x60, 0x49, 0xc5, 0x44, 0x3e, 0xdf, 0x90,
        0x39, 0x8c, 0xd1, 0xc9, 0x8e, 0xb9, 0x5a, 0xbe,
        0x05, 0x70, 0x56, 0xfe, 0x86, 0x23, 0x94, 0x1b,
        0xbf, 0x85, 0x89, 0xf2, 0x51, 0x3b, 0x24, 0xc2,
        0x1d, 0x57, 0xc5, 0x8d, 0x93, 0xf5, 0xc9, 0xa3,
        0xcc, 0x0d, 0x49, 0x93, 0xe3, 0x8f, 0x6c, 0xb7,
    };
#endif
#ifdef WOLFSSL_AES_192
    byte key24[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected24[OFB_LEN] = {
        0xde, 0x7b, 0xf6, 0x09, 0x2d, 0x81, 0x43, 0x7b,
        0xcd, 0x71, 0xc1, 0xbd, 0x85, 0x33, 0xc7, 0xcd,
        0x75, 0xa1, 0x24, 0xf5, 0xd6, 0x42, 0xc8, 0x2b,
        0xb1, 0xe1, 0x22, 0x08, 0xc8, 0xe1, 0x5c, 0x66,
        0x4c, 0x27, 0x8b, 0x88, 0xb2, 0xb3, 0xe6, 0x03,
        0x8c, 0x46, 0x38, 0xda, 0x21, 0x8b, 0x3f, 0xb1,
        0xcc, 0x4c, 0xde, 0x9d, 0x58, 0x49, 0xd4, 0xef,
        0x52, 0xaa, 0x1a, 0xcb, 0xe8, 0xe3, 0xdb, 0x08,
        0x26, 0x6e, 0x5f, 0x85, 0x80, 0x5d, 0xb6, 0x63,
        0xd0, 0x78, 0xb7, 0xba, 0x48, 0x5f, 0x9f, 0xb9,
    };
#endif
#ifdef WOLFSSL_AES_256
    byte key32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte expected32[OFB_LEN] = {
        0xbd, 0xff, 0xed, 0x58, 0x12, 0x70, 0x90, 0x56,
        0x9a, 0x1c, 0xb1, 0xb3, 0x56, 0xa0, 0x56, 0xd4,
        0x4f, 0xeb, 0x87, 0x68, 0xb0, 0x9f, 0x69, 0x1f,
        0x9a, 0xfe, 0x20, 0xb0, 0x7a, 0xa2, 0x53, 0x01,
        0x51, 0xe4, 0x42, 0xad, 0x95, 0x3e, 0xac, 0x88,
        0x71, 0x9b, 0xcd, 0x4f, 0xe0, 0x98, 0x9f, 0x46,
        0xd9, 0xcd, 0xa5, 0x7f, 0x4e, 0x22, 0x72, 0xb4,
        0x8f, 0xae, 0xd9, 0xed, 0x40, 0x4a, 0x0b, 0xc8,
        0xc4, 0xa1, 0x01, 0xb3, 0x62, 0x13, 0xaa, 0x0e,
        0x81, 0xa9, 0xd1, 0xae, 0xea, 0x5b, 0x58, 0x74,
    };
#endif
    /* String-literal initialiser: 16 ASCII characters plus the terminating
     * NUL, so sizeof(iv) is 17. */
    byte iv[]   = "1234567890abcdef";
    /* Vectors for the helpers that run once rather than per key size. */
    byte* dfltKey;
    word32 dfltKeyLen;
    byte* dfltExpected;

    /* The smallest enabled key size supplies the default vectors. */
#if defined(WOLFSSL_AES_128)
    dfltKey = key16;
    dfltKeyLen = (word32)sizeof(key16) / sizeof(byte);
    dfltExpected = expected16;
#elif defined(WOLFSSL_AES_192)
    dfltKey = key24;
    dfltKeyLen = (word32)sizeof(key24) / sizeof(byte);
    dfltExpected = expected24;
#else
    dfltKey = key32;
    dfltKeyLen = (word32)sizeof(key32) / sizeof(byte);
    dfltExpected = expected32;
#endif

    XMEMSET(&aes, 0, sizeof(Aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

    EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_BadArgs(&aes, dfltKey,
        dfltKeyLen, iv));

    /* Known-answer run for every key size that is compiled in. */
#ifdef WOLFSSL_AES_128
    EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_WithKey(&aes, key16,
        (word32)sizeof(key16) / sizeof(byte), iv, expected16));
#endif
#ifdef WOLFSSL_AES_192
    EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_WithKey(&aes, key24,
        (word32)sizeof(key24) / sizeof(byte), iv, expected24));
#endif
#ifdef WOLFSSL_AES_256
    EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_WithKey(&aes, key32,
        (word32)sizeof(key32) / sizeof(byte), iv, expected32));
#endif

    EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_Chunking(&aes, dfltKey,
        dfltKeyLen, iv, dfltExpected));
    EXPECT_TEST(test_wc_AesOfbEncryptDecrypt_SameBuffer(&aes, dfltKey,
        dfltKeyLen, iv, dfltExpected));

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesOfbEncryptDecrypt */
1857
/*
 * Cross-cipher check for AES-OFB.
 *
 * OFB builds its keystream by ECB-encrypting the previous keystream block,
 * seeded with the IV:
 *   O[0] = ECB_Encrypt(K, IV);   C[0] = P[0] XOR O[0]
 *   O[1] = ECB_Encrypt(K, O[0]); C[1] = P[1] XOR O[1]
 *
 * The feedback is the keystream output, not the ciphertext (that is the
 * difference from CFB), which makes OFB a synchronous stream cipher.
 *
 * Both sides of the comparison run through the same Aes object and key, so
 * this detects wrong feedback chaining in wc_AesOfbEncrypt(); no published
 * ciphertext is compared here, so it is not a known-answer test for the
 * block cipher itself.
 *
 * Returns the accumulated EXPECT_RESULT() status.
 */
int test_wc_AesOfb_CrossCipher(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_OFB) && defined(HAVE_AES_ECB) && \
    defined(WOLFSSL_AES_128)
    /* NIST SP 800-38A F.4.1 (first two plaintext blocks, OFB) */
    static const byte key[AES_128_KEY_SIZE] = {
        0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
        0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
    };
    static const byte iv[WC_AES_BLOCK_SIZE] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
    };
    static const byte plain[2 * WC_AES_BLOCK_SIZE] = {
        0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
        0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
        0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
        0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51
    };
    Aes  aes;
    byte o0[WC_AES_BLOCK_SIZE];  /* keystream block 0: E(K, IV) */
    byte o1[WC_AES_BLOCK_SIZE];  /* keystream block 1: E(K, O[0]) */
    byte ofb_ct[sizeof(plain)];  /* ciphertext from wc_AesOfbEncrypt() */
    byte ecb_ct[sizeof(plain)];  /* ciphertext rebuilt by hand from ECB */
    int  i;

    XMEMSET(&aes, 0, sizeof(aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

    /* Side 1: let the OFB API produce both ciphertext blocks. */
    ExpectIntEQ(wc_AesSetKey(&aes, key, sizeof(key), NULL, AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesSetIV(&aes, iv), 0);
    ExpectIntEQ(wc_AesOfbEncrypt(&aes, ofb_ct, plain, sizeof(plain)), 0);

    /* Side 2: re-key, then derive the keystream with plain ECB calls. */
    ExpectIntEQ(wc_AesSetKey(&aes, key, sizeof(key), NULL, AES_ENCRYPTION), 0);

    /* First keystream block is the encrypted IV; XOR it into P[0]. */
    ExpectIntEQ(wc_AesEcbEncrypt(&aes, o0, iv, WC_AES_BLOCK_SIZE), 0);
    if (EXPECT_SUCCESS()) {
        i = 0;
        while (i < WC_AES_BLOCK_SIZE) {
            ecb_ct[i] = plain[i] ^ o0[i];
            i++;
        }
    }

    /* Second keystream block encrypts O[0], not C[0]; XOR it into P[1]. */
    ExpectIntEQ(wc_AesEcbEncrypt(&aes, o1, o0, WC_AES_BLOCK_SIZE), 0);
    if (EXPECT_SUCCESS()) {
        const byte* p1 = plain + WC_AES_BLOCK_SIZE;
        byte*       c1 = ecb_ct + WC_AES_BLOCK_SIZE;

        for (i = 0; i < WC_AES_BLOCK_SIZE; i++) {
            c1[i] = p1[i] ^ o1[i];
        }
    }

    /* The two constructions have to agree byte for byte. */
    ExpectBufEQ(ofb_ct, ecb_ct, sizeof(plain));

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesOfb_CrossCipher */
1927
1928/*******************************************************************************
1929 * AES-CTS
1930 ******************************************************************************/
1931
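#if !defined(NO_AES) && defined(WOLFSSL_AES_CTS) && \
    defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_128)
/*
 * Drive one streaming AES-CTS case through a freshly allocated Aes object.
 *
 * key/keyLen  key passed to wc_AesSetKey()
 * iv          IV passed to wc_AesSetKey()
 * dir         AES_ENCRYPTION selects the CtsEncrypt Update/Final calls,
 *             any other value the CtsDecrypt ones
 * in          input, at least as long as the sum of chunks[]
 * expected    expected output, totalSz bytes
 * totalSz     total output size; must fit the 64-byte scratch buffer
 * chunks      input length handed to each Update call, in order
 * chunkCnt    number of entries in chunks
 *
 * Returns the accumulated EXPECT_RESULT() status.
 */
static int test_wc_AesCts_StreamCase(const byte* key, word32 keyLen,
    const byte* iv, int dir, const byte* in, const byte* expected,
    word32 totalSz, const word32* chunks, word32 chunkCnt)
{
    EXPECT_DECLS;
    Aes*   aes = NULL;
    int    result_code = 0;
    byte   tmp[64]; /* Largest vector size */
    byte*  out = tmp;
    word32 outSz = totalSz;
    word32 remSz = totalSz;
    word32 c;

    /* Start every case from a zeroed buffer.  Several cases share the same
     * expected bytes (vects[2].input is the first 32 bytes of
     * vects[5].input), so output left over from an earlier case could
     * otherwise satisfy the final comparison without anything being
     * written. */
    XMEMSET(tmp, 0, sizeof(tmp));
    ExpectIntEQ(totalSz <= (word32)sizeof(tmp), 1);

    ExpectNotNull(aes = wc_AesNew(NULL, INVALID_DEVID, &result_code));
    ExpectIntEQ(result_code, 0);
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, dir), 0);

    for (c = 0; c < chunkCnt && EXPECT_SUCCESS(); c++) {
        if (dir == AES_ENCRYPTION) {
            ExpectIntEQ(wc_AesCtsEncryptUpdate(aes, out, &outSz, in,
                chunks[c]), 0);
        }
        else {
            ExpectIntEQ(wc_AesCtsDecryptUpdate(aes, out, &outSz, in,
                chunks[c]), 0);
        }
        /* The reported size must fit what is left, otherwise the unsigned
         * subtraction below would wrap and the cursor would leave tmp. */
        ExpectIntEQ(outSz <= remSz, 1);
        if (EXPECT_SUCCESS()) {
            in += chunks[c];
            out += outSz;
            remSz -= outSz;
            outSz = remSz;
        }
    }

    if (dir == AES_ENCRYPTION) {
        ExpectIntEQ(wc_AesCtsEncryptFinal(aes, out, &outSz), 0);
    }
    else {
        ExpectIntEQ(wc_AesCtsDecryptFinal(aes, out, &outSz), 0);
    }
    if (EXPECT_SUCCESS()) {
        remSz -= outSz;
    }
    /* Every output byte has to be accounted for by Update + Final. */
    ExpectIntEQ(remSz, 0);
    ExpectBufEQ(tmp, expected, totalSz);

    /* Release the context even when an earlier expectation failed, so a
     * failing run does not also leak the keyed Aes object. */
    if (aes != NULL) {
        int delRet = wc_AesDelete(aes, &aes);
        ExpectIntEQ(delRet, 0);
    }

    return EXPECT_RESULT();
}
#endif

/*
 * Known-answer and streaming tests for AES-CTS (AES-128).
 *
 * Part 1 runs every RFC 3962 Appendix B vector through the one-shot
 * wc_AesCtsEncrypt() / wc_AesCtsDecrypt() calls.
 * Part 2 feeds vectors through the Update/Final API with different input
 * splits and requires the same output.
 *
 * Returns the accumulated EXPECT_RESULT() status.
 */
int test_wc_AesCtsEncryptDecrypt(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_CTS) && \
    defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_128)
    /* Test vectors taken from RFC3962 Appendix B */
    const struct {
        const char* input;
        const char* output;
        size_t inLen;
        size_t outLen;
    } vects[] = {
        {
            "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
            "\x20",
            "\xc6\x35\x35\x68\xf2\xbf\x8c\xb4\xd8\xa5\x80\x36\x2d\xa7\xff\x7f"
            "\x97",
            17, 17
        },
        {
            "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
            "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20",
            "\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1\xd4\x45\xd4\xc8\xef\xf7\xed\x22"
            "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5",
            31, 31
        },
        {
            "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
            "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43",
            "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8"
            "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84",
            32, 32
        },
        {
            "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
            "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
            "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c",
            "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
            "\xb3\xff\xfd\x94\x0c\x16\xa1\x8c\x1b\x55\x49\xd2\xf8\x38\x02\x9e"
            "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5",
            47, 47
        },
        {
            "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
            "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
            "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20",
            "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
            "\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8"
            "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8",
            48, 48
        },
        {
            "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
            "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
            "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
            "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e",
            "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
            "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8"
            "\x48\x07\xef\xe8\x36\xee\x89\xa5\x26\x73\x0d\xbc\x2f\x7b\xc8\x40"
            "\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8",
            64, 64
        }
    };
    const byte keyBytes[AES_128_KEY_SIZE] = {
        0x63, 0x68, 0x69, 0x63, 0x6b, 0x65, 0x6e, 0x20,
        0x74, 0x65, 0x72, 0x69, 0x79, 0x61, 0x6b, 0x69
    };
    /* Input splits for the streaming cases (bytes per Update call). */
    static const word32 split_1_31_32[] = { 1, 31, 32 };
    static const word32 split_1_63[]    = { 1, 63 };
    static const word32 split_16_16[]   = { 16, 16 };
    byte tmp[64]; /* Largest vector size */
    size_t i;
    byte iv[AES_IV_SIZE]; /* All-zero IV for all cases */

    XMEMSET(iv, 0, sizeof(iv));
    for (i = 0; i < XELEM_CNT(vects) && EXPECT_SUCCESS(); i++) {
        /* One-shot encrypt */
        XMEMSET(tmp, 0, sizeof(tmp));
        ExpectIntEQ(wc_AesCtsEncrypt(keyBytes, sizeof(keyBytes), tmp,
                 (const byte*)vects[i].input, (word32)vects[i].inLen, iv), 0);
        ExpectBufEQ(tmp, vects[i].output, vects[i].outLen);
        /* One-shot decrypt of the published ciphertext */
        XMEMSET(tmp, 0, sizeof(tmp));
        ExpectIntEQ(wc_AesCtsDecrypt(keyBytes, sizeof(keyBytes), tmp,
                 (const byte*)vects[i].output, (word32)vects[i].outLen, iv), 0);
        ExpectBufEQ(tmp, vects[i].input, vects[i].inLen);
    }

    /* Streaming API; the input splits are intended to execute all branches
     * of the Update/Final code. */

    /* Encrypt: 64-byte vector as 1 + 31 + 32 */
    EXPECT_TEST(test_wc_AesCts_StreamCase(keyBytes, (word32)sizeof(keyBytes),
        iv, AES_ENCRYPTION, (const byte*)vects[5].input,
        (const byte*)vects[5].output, (word32)vects[5].outLen,
        split_1_31_32, (word32)XELEM_CNT(split_1_31_32)));
    /* Encrypt: 64-byte vector as 1 + 63 */
    EXPECT_TEST(test_wc_AesCts_StreamCase(keyBytes, (word32)sizeof(keyBytes),
        iv, AES_ENCRYPTION, (const byte*)vects[5].input,
        (const byte*)vects[5].output, (word32)vects[5].outLen,
        split_1_63, (word32)XELEM_CNT(split_1_63)));
    /* Encrypt: 32-byte vector as 16 + 16 */
    EXPECT_TEST(test_wc_AesCts_StreamCase(keyBytes, (word32)sizeof(keyBytes),
        iv, AES_ENCRYPTION, (const byte*)vects[2].input,
        (const byte*)vects[2].output, (word32)vects[2].outLen,
        split_16_16, (word32)XELEM_CNT(split_16_16)));

    /* Decrypt: 64-byte vector as 1 + 31 + 32 */
    EXPECT_TEST(test_wc_AesCts_StreamCase(keyBytes, (word32)sizeof(keyBytes),
        iv, AES_DECRYPTION, (const byte*)vects[5].output,
        (const byte*)vects[5].input, (word32)vects[5].inLen,
        split_1_31_32, (word32)XELEM_CNT(split_1_31_32)));
    /* Decrypt: 64-byte vector as 1 + 63 */
    EXPECT_TEST(test_wc_AesCts_StreamCase(keyBytes, (word32)sizeof(keyBytes),
        iv, AES_DECRYPTION, (const byte*)vects[5].output,
        (const byte*)vects[5].input, (word32)vects[5].inLen,
        split_1_63, (word32)XELEM_CNT(split_1_63)));
    /* Decrypt: 32-byte vector as 16 + 16 */
    EXPECT_TEST(test_wc_AesCts_StreamCase(keyBytes, (word32)sizeof(keyBytes),
        iv, AES_DECRYPTION, (const byte*)vects[2].output,
        (const byte*)vects[2].input, (word32)vects[2].inLen,
        split_16_16, (word32)XELEM_CNT(split_16_16)));
#endif
    return EXPECT_RESULT();
}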
2151
2152/*******************************************************************************
2153 * AES-CTS overlapping (in-place) buffers
2154 ******************************************************************************/
2155
/*
 * In-place AES-CTS check: wc_AesCtsEncrypt() / wc_AesCtsDecrypt() are called
 * with out == in and must behave as they do with separate buffers.
 *
 * RFC 3962 Appendix B test vector 5 (48 bytes, three full AES blocks) is
 * used because the CTS one-shot API buffers input internally before writing
 * output, so it is safe for in-place use.
 *
 * The reference ciphertext is produced by the same API with distinct
 * buffers, so this test isolates aliasing behaviour only.
 *
 * Returns the accumulated EXPECT_RESULT() status.
 */
int test_wc_AesCtsEncryptDecrypt_InPlace(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_CTS) && \
    defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_128)
    /* RFC 3962 plaintext vector 5 (48 bytes):
     * "I would like the General Gau's Chicken, please, " */
    static const byte plain[48] = {
        0x49, 0x20, 0x77, 0x6f, 0x75, 0x6c, 0x64, 0x20,
        0x6c, 0x69, 0x6b, 0x65, 0x20, 0x74, 0x68, 0x65,
        0x20, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x6c,
        0x20, 0x47, 0x61, 0x75, 0x27, 0x73, 0x20, 0x43,
        0x68, 0x69, 0x63, 0x6b, 0x65, 0x6e, 0x2c, 0x20,
        0x70, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x2c, 0x20
    };
    static const byte key[AES_128_KEY_SIZE] = {
        0x63, 0x68, 0x69, 0x63, 0x6b, 0x65, 0x6e, 0x20,
        0x74, 0x65, 0x72, 0x69, 0x79, 0x61, 0x6b, 0x69
    };
    byte buf[sizeof(plain)];     /* shared in/out buffer */
    byte ref_ct[sizeof(plain)];  /* ciphertext from the non-aliased call */
    byte iv[AES_IV_SIZE];        /* reset to all zeros before every call */

    /* Step 1: reference ciphertext, input and output kept apart. */
    XMEMSET(iv, 0, AES_IV_SIZE);
    ExpectIntEQ(wc_AesCtsEncrypt(key, sizeof(key), ref_ct, plain,
        sizeof(plain), iv), 0);

    /* Step 2: encrypt with out == in; result has to equal the reference. */
    XMEMCPY(buf, plain, sizeof(buf));
    XMEMSET(iv, 0, AES_IV_SIZE);
    ExpectIntEQ(wc_AesCtsEncrypt(key, sizeof(key), buf, buf,
        sizeof(buf), iv), 0);
    ExpectBufEQ(buf, ref_ct, sizeof(buf));

    /* Step 3: decrypt with out == in; the plaintext has to come back. */
    XMEMSET(iv, 0, AES_IV_SIZE);
    ExpectIntEQ(wc_AesCtsDecrypt(key, sizeof(key), buf, buf,
        sizeof(buf), iv), 0);
    ExpectBufEQ(buf, plain, sizeof(buf));
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesCtsEncryptDecrypt_InPlace */
2205
2206/*******************************************************************************
2207 * AES-CTS unaligned buffers
2208 ******************************************************************************/
2209
/*
 * Unaligned-buffer AES-CTS check: wc_AesCtsEncrypt() / wc_AesCtsDecrypt()
 * must give the same result when both the input and the output pointer are
 * shifted by 1, 2 or 3 bytes from the start of their arrays, which covers
 * every non-zero misalignment residue mod 4.
 *
 * Returns the accumulated EXPECT_RESULT() status.
 */
int test_wc_AesCtsEncryptDecrypt_UnalignedBuffers(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_CTS) && \
    defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_128)
    /* RFC 3962 Appendix B test vector 5 - same as InPlace test */
    static const byte plain[48] = {
        0x49, 0x20, 0x77, 0x6f, 0x75, 0x6c, 0x64, 0x20,
        0x6c, 0x69, 0x6b, 0x65, 0x20, 0x74, 0x68, 0x65,
        0x20, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x6c,
        0x20, 0x47, 0x61, 0x75, 0x27, 0x73, 0x20, 0x43,
        0x68, 0x69, 0x63, 0x6b, 0x65, 0x6e, 0x2c, 0x20,
        0x70, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x2c, 0x20
    };
    static const byte key[AES_128_KEY_SIZE] = {
        0x63, 0x68, 0x69, 0x63, 0x6b, 0x65, 0x6e, 0x20,
        0x74, 0x65, 0x72, 0x69, 0x79, 0x61, 0x6b, 0x69
    };
    /* The +3 slack leaves room for the largest offset used below. */
    byte out_buf[sizeof(plain) + 3];
    byte in_buf[sizeof(plain) + 3];
    byte ref_ct[sizeof(plain)];
    byte iv[AES_IV_SIZE];
    int off;

    /* Reference ciphertext, taken from the start of the arrays. */
    XMEMSET(iv, 0, AES_IV_SIZE);
    ExpectIntEQ(wc_AesCtsEncrypt(key, sizeof(key), ref_ct, plain,
        sizeof(plain), iv), 0);

    /* Encrypt at offsets 1..3; stop at the first failing offset. */
    off = 1;
    while (off <= 3 && EXPECT_SUCCESS()) {
        /* Output is zeroed so a call that writes nothing cannot pass. */
        XMEMSET(out_buf, 0, sizeof(out_buf));
        XMEMCPY(in_buf + off, plain, sizeof(plain));
        XMEMSET(iv, 0, AES_IV_SIZE);
        ExpectIntEQ(wc_AesCtsEncrypt(key, sizeof(key), out_buf + off,
            in_buf + off, sizeof(plain), iv), 0);
        ExpectBufEQ(out_buf + off, ref_ct, sizeof(plain));
        off++;
    }

    /* Decrypt the reference ciphertext at offsets 1..3. */
    off = 1;
    while (off <= 3 && EXPECT_SUCCESS()) {
        XMEMSET(out_buf, 0, sizeof(out_buf));
        XMEMCPY(in_buf + off, ref_ct, sizeof(plain));
        XMEMSET(iv, 0, AES_IV_SIZE);
        ExpectIntEQ(wc_AesCtsDecrypt(key, sizeof(key), out_buf + off,
            in_buf + off, sizeof(plain), iv), 0);
        ExpectBufEQ(out_buf + off, plain, sizeof(plain));
        off++;
    }
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesCtsEncryptDecrypt_UnalignedBuffers */
2266
2267/*******************************************************************************
2268 * AES-CTR
2269 ******************************************************************************/
2270
2271#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && \
2272    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
2273    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
2274    !defined(WOLFSSL_KCAPI)
/*
 * Negative tests for wc_AesCtrSetKey(): each call below passes an invalid
 * argument combination and must return BAD_FUNC_ARG.
 *
 * aes     initialised AES context (used only in the bad-length case)
 * key     key buffer of keyLen bytes
 * keyLen  length of key in bytes
 * iv      IV passed through to wc_AesCtrSetKey()
 *
 * Returns the accumulated EXPECT_RESULT() status.
 */
static int test_wc_AesCtrSetKey_BadArgs(Aes* aes, byte* key, word32 keyLen,
    byte* iv)
{
    EXPECT_DECLS;

    /* NULL context together with a NULL key. */
    ExpectIntEQ(wc_AesCtrSetKey(NULL, NULL, keyLen, iv, AES_ENCRYPTION),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* NULL context with the caller's key. */
    ExpectIntEQ(wc_AesCtrSetKey(NULL, key , keyLen, iv, AES_ENCRYPTION),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Valid pointers but a 48-byte length, which is not an AES key size.
     * NOTE(review): key only holds keyLen bytes, so this relies on the
     * length being rejected before the key is read - confirm. */
    ExpectIntEQ(wc_AesCtrSetKey(aes , key , 48    , iv, AES_ENCRYPTION),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    return EXPECT_RESULT();
}
2289
/*
 * Call wc_AesCtrSetKey() twice with the given key and require both calls to
 * return ret: once with the IV and AES_ENCRYPTION, once with a NULL IV and
 * AES_DECRYPTION.
 *
 * aes     initialised AES context
 * key     key buffer of keyLen bytes
 * keyLen  length of key in bytes
 * iv      IV used for the first call
 * ret     return code expected from both calls (0 for a supported key size,
 *         an error code when the caller expects the size to be rejected)
 *
 * Returns the accumulated EXPECT_RESULT() status.
 */
static int test_wc_AesCtrSetKey_WithKey(Aes* aes, byte* key, word32 keyLen,
    byte* iv, int ret)
{
    EXPECT_DECLS;

    ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), ret);
    /* Same key again, this time without an IV and in the other direction. */
    ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, NULL, AES_DECRYPTION), ret);

    return EXPECT_RESULT();
}
2300#endif /* !NO_AES && WOLFSSL_AES_COUNTER &&       */
2301       /* (!HAVE_FIPS || FIPS_VERSION_GE(7,0)) && */
2302       /* !HAVE_SELFTEST && !WOLFSSL_AFALG &&     */
2303       /* !WOLFSSL_KCAPI */
2304
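/*
 * Testing function for wc_AesCtrSetKey().
 *
 * Covers the bad-argument cases, then each of the 16/24/32-byte keys: a key
 * size that is compiled in must be accepted (0), one that is compiled out
 * must be rejected with BAD_FUNC_ARG.  A 15-byte key must always be
 * rejected.
 *
 * Returns the accumulated EXPECT_RESULT() status.
 */
int test_wc_AesCtrSetKey(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && \
    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
    !defined(WOLFSSL_KCAPI)
    Aes  aes;
    byte key16[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte key24[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
    };
    byte key32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    /* 15 bytes: one short of the smallest AES key size. */
    byte badKey16[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
    };
    byte iv[] = "1234567890abcdef";
    byte* key;
    word32 keyLen;

    /* Pick the smallest compiled-in key size for the bad-argument tests. */
#if defined(WOLFSSL_AES_128)
    key = key16;
    keyLen = (word32)sizeof(key16) / sizeof(byte);
#elif defined(WOLFSSL_AES_192)
    key = key24;
    keyLen = (word32)sizeof(key24) / sizeof(byte);
#else
    key = key32;
    keyLen = (word32)sizeof(key32) / sizeof(byte);
#endif

    XMEMSET(&aes, 0, sizeof(Aes));

    ExpectIntEQ(wc_AesInit(NULL, NULL, INVALID_DEVID),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

    EXPECT_TEST(test_wc_AesCtrSetKey_BadArgs(&aes, key, keyLen, iv));

    /* Expected error codes are wrapped in WC_NO_ERR_TRACE() like every other
     * expected BAD_FUNC_ARG in this file. */
#ifdef WOLFSSL_AES_128
    EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key16,
        (word32)sizeof(key16) / sizeof(byte), iv, 0));
#else
    EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key16,
        (word32)sizeof(key16) / sizeof(byte), iv,
        WC_NO_ERR_TRACE(BAD_FUNC_ARG)));
#endif
#ifdef WOLFSSL_AES_192
    EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key24,
        (word32)sizeof(key24) / sizeof(byte), iv, 0));
#else
    EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key24,
        (word32)sizeof(key24) / sizeof(byte), iv,
        WC_NO_ERR_TRACE(BAD_FUNC_ARG)));
#endif
#ifdef WOLFSSL_AES_256
    EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key32,
        (word32)sizeof(key32) / sizeof(byte), iv, 0));
#else
    EXPECT_TEST(test_wc_AesCtrSetKey_WithKey(&aes, key32,
        (word32)sizeof(key32) / sizeof(byte), iv,
        WC_NO_ERR_TRACE(BAD_FUNC_ARG)));
#endif

    /* A truncated key must be refused whatever key sizes are enabled. */
    ExpectIntEQ(wc_AesCtrSetKey(&aes, badKey16,
        (word32)sizeof(badKey16) / sizeof(byte), iv, AES_ENCRYPTION),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    wc_AesFree(&aes);
#endif /* !NO_AES && WOLFSSL_AES_COUNTER &&       */
       /* (!HAVE_FIPS || FIPS_VERSION_GE(7,0)) && */
       /* !HAVE_SELFTEST && !WOLFSSL_AFALG &&     */
       /* !WOLFSSL_KCAPI */

    return EXPECT_RESULT();
} /* END test_wc_AesCtrSetKey */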
2392
2393#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER)
2394/* Assembly code doing 8 iterations at a time. */
2395#define CTR_LEN     (15 * WC_AES_BLOCK_SIZE)
2396
/*
 * Negative tests for wc_AesCtrEncrypt(): after keying the context, every
 * combination with at least one NULL among (aes, out, in) is passed with a
 * length of 0 and must return BAD_FUNC_ARG.
 *
 * aes     initialised AES context
 * key     key buffer of keyLen bytes
 * keyLen  length of key in bytes
 * iv      IV used when setting the key
 *
 * Returns the accumulated EXPECT_RESULT() status.
 */
static int test_wc_AesCtrEncrypt_BadArgs(Aes* aes, byte* key,
    word32 keyLen, byte* iv)
{
    EXPECT_DECLS;
    byte    plain[WC_AES_BLOCK_SIZE];
    byte    cipher[WC_AES_BLOCK_SIZE];
    byte    decrypted[WC_AES_BLOCK_SIZE]; /* zeroed below, otherwise unused */

    XMEMSET(plain, 0, WC_AES_BLOCK_SIZE);
    XMEMSET(cipher, 0, WC_AES_BLOCK_SIZE);
    XMEMSET(decrypted, 0, WC_AES_BLOCK_SIZE);

    /* wc_AesCtrSetKey() is used where this build provides it; the other
     * configurations fall back to wc_AesSetKey(). */
#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
    !defined(WOLFSSL_KCAPI)
    ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#else
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#endif
    /* Everything NULL. */
    ExpectIntEQ(wc_AesCtrEncrypt(NULL, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Exactly one valid pointer. */
    ExpectIntEQ(wc_AesCtrEncrypt(aes, NULL, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCtrEncrypt(NULL, cipher, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCtrEncrypt(NULL, NULL, plain, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Exactly one NULL pointer. */
    ExpectIntEQ(wc_AesCtrEncrypt(aes, cipher, NULL, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCtrEncrypt(aes, NULL, plain, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCtrEncrypt(NULL, cipher, plain, 0),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    return EXPECT_RESULT();
}
2433
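/*
 * Known-answer round trip for AES-CTR with one key.
 *
 * Encrypts vector and compares the result with vector_enc, then re-keys with
 * the same IV and runs the ciphertext through wc_AesCtrEncrypt() again to
 * recover vector (CTR uses the same operation in both directions).
 *
 * aes         initialised AES context
 * key/keyLen  key and its length in bytes
 * iv          IV used for both passes
 * vector      plaintext, vector_len bytes
 * vector_enc  expected ciphertext, vector_len bytes
 * vector_len  length of both vectors; must not exceed two AES blocks
 *
 * Returns the accumulated EXPECT_RESULT() status.
 */
static int test_wc_AesCtrEncrypt_WithKey(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* vector, byte* vector_enc, word32 vector_len)
{
    EXPECT_DECLS;
    byte    cipher[WC_AES_BLOCK_SIZE * 2];
    byte    decrypted[WC_AES_BLOCK_SIZE * 2];

    XMEMSET(cipher, 0, sizeof(cipher));
    XMEMSET(decrypted, 0, sizeof(decrypted));

    /* cipher and decrypted are fixed two-block stack buffers and the calls
     * below write vector_len bytes into them, so refuse a longer vector
     * before anything is written. */
    ExpectIntEQ(vector_len <= (word32)sizeof(cipher), 1);
    if (vector_len > (word32)sizeof(cipher)) {
        return EXPECT_RESULT();
    }

#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
    !defined(WOLFSSL_KCAPI)
    ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#else
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#endif
    ExpectIntEQ(wc_AesCtrEncrypt(aes, cipher, vector, vector_len), 0);
    ExpectBufEQ(cipher, vector_enc, vector_len);
    /* Decrypt with wc_AesCtrEncrypt(); the key is set again so the counter
     * starts from iv once more. */
#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
    !defined(WOLFSSL_KCAPI)
    ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#else
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
#endif
    ExpectIntEQ(wc_AesCtrEncrypt(aes, decrypted, cipher, vector_len), 0);
    ExpectBufEQ(decrypted, vector, vector_len);

    return EXPECT_RESULT();
}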
2468
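/*
 * Chunked AES-CTR encryption test.
 *
 * CTR_LEN bytes of all-zero plaintext are encrypted in pieces of sz bytes
 * for every sz from 1 to CTR_LEN (plus one shorter trailing piece when sz
 * does not divide CTR_LEN).  The IV is reset for each sz and the assembled
 * ciphertext must equal expected regardless of how the input was split.
 *
 * aes         initialised AES context
 * key/keyLen  key and its length in bytes
 * iv          IV restored with wc_AesSetIV() before each pass
 * expected    CTR_LEN bytes of expected ciphertext
 *
 * Compiled to a no-op for WOLFSSL_AFALG and WOLFSSL_KCAPI builds.
 * Returns the accumulated EXPECT_RESULT() status.
 */
static int test_wc_AesCtrEncrypt_Chunking(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* expected)
{
    EXPECT_DECLS;
#if defined(WOLFSSL_AFALG) || defined(WOLFSSL_KCAPI)
    (void)aes;
    (void)key;
    (void)keyLen;
    (void)iv;
    (void)expected;
#else
    int sz;
    int cnt;
    WC_DECLARE_VAR(plain, byte, CTR_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, CTR_LEN, NULL);

    WC_ALLOC_VAR(plain, byte, CTR_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, CTR_LEN, NULL);

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
    /* The failure is recorded above; leave before the XMEMSET calls below
     * write through a NULL pointer. */
    if ((plain == NULL) || (cipher == NULL)) {
        WC_FREE_VAR(plain, NULL);
        WC_FREE_VAR(cipher, NULL);
        return EXPECT_RESULT();
    }
#endif

    XMEMSET(plain, 0, CTR_LEN);
    XMEMSET(cipher, 0, CTR_LEN);

    /* Key is set once with a NULL IV; each pass installs iv itself. */
#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
    !defined(HAVE_SELFTEST)
    ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
#else
    ExpectIntEQ(wc_AesSetKey(aes, key, keyLen, NULL, AES_ENCRYPTION), 0);
#endif
    /* Test multiple blocks. */
    for (sz = 1; sz <= CTR_LEN; sz++) {
        /* Clear the output so bytes from the previous pass cannot satisfy
         * the comparison. */
        XMEMSET(cipher, 0x00, CTR_LEN);
        ExpectIntEQ(wc_AesSetIV(aes, iv), 0);
        for (cnt = 0; cnt + sz <= CTR_LEN; cnt += sz) {
            ExpectIntEQ(wc_AesCtrEncrypt(aes, cipher + cnt, plain + cnt, sz),
                0);
        }
        /* Trailing piece shorter than sz. */
        if (cnt < CTR_LEN) {
            ExpectIntEQ(wc_AesCtrEncrypt(aes, cipher + cnt, plain + cnt,
                CTR_LEN - cnt), 0);
        }
        ExpectBufEQ(cipher, expected, CTR_LEN);
    }

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
#endif /* !WOLFSSL_AFALG && !WOLFSSL_KCAPI */
    return EXPECT_RESULT();
}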
2535
2536#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
2537    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
2538    !defined(WOLFSSL_KCAPI)
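/*
 * In-place AES-CTR test: CTR_LEN bytes of all-zero plaintext are encrypted
 * with the same buffer as input and output, and the result must equal
 * expected.
 *
 * aes         initialised AES context
 * key/keyLen  key and its length in bytes
 * iv          IV passed to wc_AesCtrSetKey()
 * expected    CTR_LEN bytes of expected ciphertext
 *
 * Returns the accumulated EXPECT_RESULT() status.
 */
static int test_wc_AesCtrEncrypt_SameBuffer(Aes* aes, byte* key,
    word32 keyLen, byte* iv, byte* expected)
{
    EXPECT_DECLS;
    WC_DECLARE_VAR(plain, byte, CTR_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, CTR_LEN, NULL);

    WC_ALLOC_VAR(plain, byte, CTR_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, CTR_LEN, NULL);

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
    /* The failure is recorded above; leave before XMEMSET/XMEMCPY below
     * write through a NULL pointer. */
    if ((plain == NULL) || (cipher == NULL)) {
        WC_FREE_VAR(plain, NULL);
        WC_FREE_VAR(cipher, NULL);
        return EXPECT_RESULT();
    }
#endif

    XMEMSET(plain, 0, CTR_LEN);

    /* Testing using same buffer for input and output. */
    ExpectIntEQ(wc_AesCtrSetKey(aes, key, keyLen, iv, AES_ENCRYPTION), 0);
    XMEMCPY(cipher, plain, CTR_LEN);
    ExpectIntEQ(wc_AesCtrEncrypt(aes, cipher, cipher, CTR_LEN), 0);
    ExpectBufEQ(cipher, expected, CTR_LEN);

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
    return EXPECT_RESULT();
}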
2566#endif
2567#endif
2568
2569/*******************************************************************************
2570 * AES-CTR counter overflow
2571 ******************************************************************************/
2572
2573/*
2574 * Verify that AES-CTR counter carry-propagation works across byte boundaries
2575 * when the counter wraps around.  We encrypt three blocks starting from a
2576 * near-overflow IV (last four bytes = 0xFF,0xFF,0xFF,0xFE) in a single call,
2577 * then re-encrypt each block individually with the expected IV value for that
2578 * block position, and confirm the outputs match.
2579 *
2580 *  block 0 IV: ...0xFF,0xFF,0xFF,0xFE
2581 *  block 1 IV: ...0xFF,0xFF,0xFF,0xFF
2582 *  block 2 IV: ...0x01,0x00,0x00,0x00,0x00  (carry propagated through four FFs)
2583 */
2584int test_wc_AesCtrCounterOverflow(void)
2585{
2586    EXPECT_DECLS;
2587#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && \
2588    defined(WOLFSSL_AES_128) && \
2589    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
2590    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
2591    !defined(WOLFSSL_KCAPI)
2592    Aes enc;
2593    /* IV with last four bytes = 0xFF,0xFF,0xFF,0xFE  (one before two-step
2594     * overflow: 0xFE->0xFF is a normal increment; 0xFF->0x00 carries through
2595     * all four bytes into byte[11]). */
2596    static const byte iv_start[WC_AES_BLOCK_SIZE] = {
2597        0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
2598        0x00,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFE
2599    };
2600    /* Expected IV for block 1: last byte incremented 0xFE->0xFF */
2601    static const byte iv_b1[WC_AES_BLOCK_SIZE] = {
2602        0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
2603        0x00,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFF
2604    };
2605    /* Expected IV for block 2: carry propagates all four 0xFF bytes ->
2606     * byte[11] increments 0x00->0x01, bytes[12..15] all become 0x00. */
2607    static const byte iv_b2[WC_AES_BLOCK_SIZE] = {
2608        0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
2609        0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00
2610    };
2611    static const byte key[16] = {
2612        0x2b,0x7e,0x15,0x16, 0x28,0xae,0xd2,0xa6,
2613        0xab,0xf7,0x15,0x88, 0x09,0xcf,0x4f,0x3c
2614    };
2615    /* Three blocks of all-zero plaintext - simplifies comparison. */
2616    static const byte plain[3 * WC_AES_BLOCK_SIZE] = { 0 };
2617
2618    byte cipher_combined[3 * WC_AES_BLOCK_SIZE];
2619    byte cipher_b0[WC_AES_BLOCK_SIZE];
2620    byte cipher_b1[WC_AES_BLOCK_SIZE];
2621    byte cipher_b2[WC_AES_BLOCK_SIZE];
2622    byte decrypted[3 * WC_AES_BLOCK_SIZE];
2623
2624    XMEMSET(&enc, 0, sizeof(enc));
2625    ExpectIntEQ(wc_AesInit(&enc, NULL, INVALID_DEVID), 0);
2626
2627    /* Encrypt three blocks in one call, spanning the carry-propagation
2628     * boundary. */
2629    ExpectIntEQ(wc_AesCtrSetKey(&enc, key, sizeof(key), iv_start,
2630        AES_ENCRYPTION), 0);
2631    ExpectIntEQ(wc_AesCtrEncrypt(&enc, cipher_combined, plain,
2632        sizeof(plain)), 0);
2633
2634    /* Block 0: starts at iv_start. */
2635    ExpectIntEQ(wc_AesCtrSetKey(&enc, key, sizeof(key), iv_start,
2636        AES_ENCRYPTION), 0);
2637    ExpectIntEQ(wc_AesCtrEncrypt(&enc, cipher_b0, plain,
2638        WC_AES_BLOCK_SIZE), 0);
2639
2640    /* Block 1: counter incremented once (0xFFFFFFFE -> 0xFFFFFFFF). */
2641    ExpectIntEQ(wc_AesCtrSetKey(&enc, key, sizeof(key), iv_b1,
2642        AES_ENCRYPTION), 0);
2643    ExpectIntEQ(wc_AesCtrEncrypt(&enc, cipher_b1, plain + WC_AES_BLOCK_SIZE,
2644        WC_AES_BLOCK_SIZE), 0);
2645
2646    /* Block 2: counter wrapped (0xFFFFFFFF -> 0x00000000 with carry into
2647     * the next byte group). */
2648    ExpectIntEQ(wc_AesCtrSetKey(&enc, key, sizeof(key), iv_b2,
2649        AES_ENCRYPTION), 0);
2650    ExpectIntEQ(wc_AesCtrEncrypt(&enc, cipher_b2,
2651        plain + 2 * WC_AES_BLOCK_SIZE, WC_AES_BLOCK_SIZE), 0);
2652
2653    /* Combined output must match per-block results. */
2654    ExpectBufEQ(cipher_combined, cipher_b0, WC_AES_BLOCK_SIZE);
2655    ExpectBufEQ(cipher_combined + WC_AES_BLOCK_SIZE, cipher_b1,
2656        WC_AES_BLOCK_SIZE);
2657    ExpectBufEQ(cipher_combined + 2 * WC_AES_BLOCK_SIZE, cipher_b2,
2658        WC_AES_BLOCK_SIZE);
2659
2660    /* Blocks 1 and 2 must differ - different counter values produce different
2661     * key-stream blocks. */
2662    ExpectIntNE(XMEMCMP(cipher_b1, cipher_b2, WC_AES_BLOCK_SIZE), 0);
2663
2664    /* Decrypt round-trip. */
2665    ExpectIntEQ(wc_AesCtrSetKey(&enc, key, sizeof(key), iv_start,
2666        AES_ENCRYPTION), 0);
2667    ExpectIntEQ(wc_AesCtrEncrypt(&enc, decrypted, cipher_combined,
2668        sizeof(cipher_combined)), 0);
2669    ExpectBufEQ(decrypted, plain, sizeof(plain));
2670
2671    wc_AesFree(&enc);
2672#endif
2673    return EXPECT_RESULT();
2674}
2675
2676/*
2677 * Testing wc_AesCtrEncrypt
2678 * Decrypt is an encrypt.
2679 */
2680int test_wc_AesCtrEncryptDecrypt(void)
2681{
2682    EXPECT_DECLS;
2683#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER)
2684    Aes aes;
2685    byte vector[] = { /* Now is the time for all w/o trailing 0 */
2686        0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
2687        0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
2688        0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
2689    };
2690#if defined(WOLFSSL_AES_128)
2691    byte key16[] = {
2692        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
2693        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
2694    };
2695    byte vector_enc16[] = {
2696        0x08, 0x75, 0x28, 0xdd, 0xf4, 0x84, 0xb1, 0x05,
2697        0x5d, 0xeb, 0xbe, 0x75, 0x1e, 0xb5, 0x2b, 0x8a,
2698        0x39, 0x70, 0x64, 0x06, 0x98, 0xa1, 0x82, 0x35,
2699    };
2700#endif
2701#if defined(WOLFSSL_AES_192)
2702    byte key24[] = {
2703        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
2704        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
2705        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
2706    };
2707    byte vector_enc24[] = {
2708        0x35, 0xb1, 0x24, 0x8c, 0xe1, 0x57, 0xc6, 0xaa,
2709        0x00, 0xb1, 0x44, 0x6c, 0x49, 0xfb, 0x07, 0x48,
2710        0xd2, 0xa7, 0x1e, 0x81, 0xcf, 0xa0, 0x72, 0x54,
2711    };
2712#endif
2713#if defined(WOLFSSL_AES_256)
2714    byte key32[] = {
2715        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
2716        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
2717        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
2718        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
2719    };
2720    byte vector_enc32[] = {
2721        0x56, 0x35, 0x3f, 0xdd, 0xde, 0xa6, 0x15, 0x87,
2722        0x57, 0xdc, 0x34, 0x62, 0x9a, 0x68, 0x96, 0x51,
2723        0x14, 0xeb, 0xfa, 0xba, 0x30, 0x8e, 0xfb, 0x8a,
2724    };
2725#endif
2726#if defined(WOLFSSL_AES_128)
2727    byte expected16[CTR_LEN] = {
2728        0x46, 0x1a, 0x5f, 0xfd, 0x9d, 0xf7, 0x91, 0x71,
2729        0x35, 0x8e, 0x9e, 0x01, 0x77, 0xd8, 0x4e, 0xaa,
2730        0x5f, 0x1f, 0x16, 0x26, 0xf9, 0xcd, 0xee, 0x15,
2731        0xce, 0x4d, 0x4d, 0x3d, 0x17, 0x56, 0xa1, 0x48,
2732        0x36, 0x0b, 0x0e, 0x8b, 0x3d, 0x3b, 0x70, 0x02,
2733        0x2e, 0xd1, 0x0b, 0x61, 0x51, 0x05, 0xd6, 0x2b,
2734        0x4b, 0xb9, 0xaf, 0x26, 0x27, 0xed, 0x41, 0x50,
2735        0x08, 0xaf, 0xdd, 0xbf, 0x5b, 0x12, 0x4b, 0xb2,
2736        0x80, 0xd5, 0xba, 0x31, 0x31, 0x70, 0xfa, 0xfd,
2737        0x15, 0x19, 0x1e, 0x35, 0xc9, 0x10, 0x96, 0x6c,
2738        0xe4, 0x38, 0x61, 0xd8, 0x95, 0x30, 0x4d, 0xca,
2739        0xd8, 0x68, 0xc9, 0xdc, 0x6f, 0x8b, 0x86, 0x26,
2740        0x11, 0xee, 0x2d, 0x01, 0xd3, 0x0e, 0x35, 0xa2,
2741        0x4b, 0x26, 0x22, 0x8c, 0xd0, 0x4e, 0xda, 0x5d,
2742        0x49, 0x1e, 0x6d, 0xfa, 0x33, 0xcb, 0xa0, 0x0f,
2743        0x86, 0x8f, 0x83, 0xff, 0x3d, 0xbe, 0x6e, 0xfa,
2744        0xd2, 0x2b, 0x3e, 0x70, 0x21, 0x1c, 0xe8, 0x7b,
2745        0xe4, 0x01, 0x2c, 0xd0, 0x82, 0xe2, 0x7a, 0x4a,
2746        0xcf, 0x67, 0x82, 0x1c, 0x80, 0x79, 0x85, 0x5e,
2747        0xe5, 0xf9, 0x3a, 0x0d, 0x1a, 0xa7, 0x89, 0x29,
2748        0xee, 0xe7, 0x2b, 0xd6, 0x29, 0xac, 0xfa, 0xca,
2749        0xc8, 0xcb, 0x4e, 0x6c, 0x1f, 0x30, 0x5e, 0x95,
2750        0xa5, 0xa2, 0x17, 0xe2, 0x93, 0xd3, 0xe6, 0xbe,
2751        0x91, 0x37, 0x84, 0x01, 0xdb, 0x44, 0x4c, 0x60,
2752        0x1c, 0x2c, 0x64, 0x7d, 0xb7, 0x73, 0x12, 0x11,
2753        0xc2, 0x6a, 0xfd, 0xac, 0x6d, 0x85, 0xd8, 0xeb,
2754        0x0e, 0x70, 0xd3, 0x82, 0x93, 0x65, 0xff, 0x18,
2755        0x4e, 0x22, 0x07, 0x8a, 0xf6, 0xfd, 0x36, 0x9d,
2756        0x5c, 0x15, 0x1c, 0x84, 0x69, 0x13, 0x68, 0x78,
2757        0xf1, 0x04, 0x02, 0x66, 0xec, 0x37, 0xcc, 0x0d,
2758    };
2759#elif defined(WOLFSSL_AES_192)
2760    byte expected24[CTR_LEN] = {
2761        0x7b, 0xde, 0x53, 0xac, 0x88, 0x24, 0xe6, 0xde,
2762        0x68, 0xd4, 0x64, 0x18, 0x20, 0x96, 0x62, 0x68,
2763        0xb4, 0xc8, 0x6c, 0xa1, 0xae, 0xcc, 0x1e, 0x74,
2764        0x2a, 0xd6, 0x69, 0x5c, 0x71, 0x76, 0x92, 0x5b,
2765        0xd8, 0x61, 0xfa, 0x70, 0x8c, 0x80, 0x3e, 0xfc,
2766        0xdc, 0xd8, 0xbb, 0x31, 0x22, 0x47, 0x78, 0x02,
2767        0x5b, 0xa2, 0xb5, 0xb1, 0x41, 0x88, 0xc4, 0x84,
2768        0x82, 0xd7, 0x20, 0x11, 0xdc, 0x58, 0xea, 0xf9,
2769        0x2c, 0x43, 0x50, 0xc2, 0x33, 0x15, 0x58, 0x14,
2770        0xd0, 0xf3, 0xe5, 0xe1, 0x17, 0x86, 0x4b, 0xfb,
2771        0xdd, 0x83, 0xa3, 0xdd, 0x3a, 0xcc, 0x82, 0x05,
2772        0xb9, 0xf2, 0xfd, 0x8d, 0x3c, 0x08, 0x5f, 0xd9,
2773        0x79, 0x2d, 0xa3, 0xa0, 0xeb, 0xa3, 0xa2, 0xfe,
2774        0x7b, 0x2b, 0xf9, 0x5d, 0x32, 0x52, 0xeb, 0xee,
2775        0xe1, 0x68, 0xff, 0xe7, 0xb3, 0x0c, 0x08, 0x74,
2776        0x8d, 0x3b, 0xa9, 0x17, 0x4c, 0x2a, 0xc7, 0x97,
2777        0x99, 0xb7, 0xaf, 0x86, 0x17, 0xf9, 0xe4, 0x2c,
2778        0x5a, 0x4d, 0x6d, 0x7f, 0xfe, 0xb8, 0xaa, 0x9b,
2779        0xf8, 0xb6, 0xcb, 0x6f, 0x2f, 0xa4, 0x57, 0x61,
2780        0x88, 0x6c, 0x94, 0xaa, 0xf7, 0x97, 0xcf, 0xcd,
2781        0x19, 0x29, 0x9e, 0xf3, 0x30, 0xb8, 0xaa, 0x56,
2782        0x49, 0xcb, 0xf0, 0x56, 0xdd, 0xac, 0x4b, 0x41,
2783        0x00, 0xb3, 0x19, 0xdd, 0xef, 0x69, 0xd0, 0x9c,
2784        0xd1, 0x67, 0x48, 0x62, 0x9f, 0x56, 0x21, 0x2d,
2785        0x05, 0xb3, 0x4d, 0x0b, 0xac, 0xb6, 0x63, 0xf4,
2786        0x44, 0xfc, 0x43, 0xc0, 0xa9, 0x8c, 0x37, 0xd6,
2787        0xc3, 0x8c, 0xa4, 0x42, 0x68, 0x08, 0x2c, 0x1e,
2788        0xe7, 0xcc, 0xe4, 0x1f, 0x82, 0x9a, 0xe0, 0xfb,
2789        0x18, 0x84, 0x55, 0xaf, 0x02, 0xcc, 0x55, 0x13,
2790        0x7e, 0xc7, 0x05, 0xb8, 0xb9, 0x5e, 0x90, 0xc3,
2791    };
2792#else
2793    byte expected32[CTR_LEN] = {
2794        0x18, 0x5a, 0x48, 0xfd, 0xb7, 0xd5, 0x35, 0xf3,
2795        0x3f, 0xb9, 0x14, 0x16, 0xf3, 0x05, 0xf3, 0x71,
2796        0x72, 0x84, 0x88, 0x9a, 0x51, 0xe2, 0x97, 0xaa,
2797        0x65, 0xc1, 0x3c, 0x0b, 0x1e, 0x9f, 0x29, 0xb8,
2798        0xf4, 0xc8, 0x16, 0x9c, 0x47, 0x42, 0x0a, 0x9e,
2799        0xae, 0xf0, 0x75, 0x9b, 0x54, 0xdd, 0x8a, 0xa4,
2800        0x28, 0x97, 0xc1, 0x5a, 0xbb, 0x08, 0x52, 0x73,
2801        0xf7, 0x67, 0xa4, 0xb8, 0xc9, 0x37, 0x8d, 0x9e,
2802        0x23, 0x27, 0x68, 0xca, 0x2b, 0xb5, 0xd0, 0x1c,
2803        0x11, 0xe2, 0x2e, 0x7e, 0x17, 0x6b, 0x38, 0x99,
2804        0x82, 0x0c, 0x65, 0xed, 0x33, 0xd8, 0xa4, 0x47,
2805        0x43, 0x9c, 0x16, 0xa6, 0xab, 0x5d, 0x39, 0xad,
2806        0x88, 0x6a, 0x50, 0x86, 0xd4, 0x95, 0x1b, 0x91,
2807        0xb3, 0x91, 0x7d, 0x06, 0xe0, 0xfc, 0x5e, 0xd1,
2808        0xaf, 0x4c, 0xb3, 0xdb, 0x01, 0x01, 0xc9, 0x09,
2809        0xf1, 0x7b, 0x2b, 0x87, 0xe4, 0xcd, 0x93, 0x22,
2810        0x07, 0xdc, 0x35, 0x46, 0x8a, 0x1d, 0xf5, 0xe4,
2811        0x23, 0x01, 0x67, 0x00, 0x66, 0x7b, 0xd6, 0x56,
2812        0x0d, 0x57, 0x4f, 0x6f, 0x45, 0x82, 0x91, 0x58,
2813        0x81, 0x37, 0xcc, 0xb4, 0xa4, 0xa3, 0x3c, 0x57,
2814        0x42, 0x05, 0x95, 0xa3, 0x04, 0x1f, 0xfd, 0x32,
2815        0xb7, 0xc8, 0xbb, 0x14, 0xe7, 0xf1, 0xc1, 0x1f,
2816        0xe9, 0x33, 0x6a, 0xb0, 0x10, 0x0d, 0xfb, 0x91,
2817        0x88, 0xca, 0x20, 0x29, 0xeb, 0xcd, 0x9c, 0x71,
2818        0x07, 0xfd, 0x3f, 0x6b, 0x1f, 0xb3, 0x76, 0xb7,
2819        0x6b, 0xa1, 0xad, 0xbe, 0xd3, 0x45, 0xb5, 0xe9,
2820        0x04, 0x9a, 0xfd, 0x6a, 0x85, 0xa2, 0xbc, 0x4e,
2821        0xca, 0xdb, 0x84, 0xbc, 0x0e, 0x0c, 0x96, 0x65,
2822        0xc9, 0x95, 0x2b, 0xcb, 0x98, 0x8c, 0xd2, 0x78,
2823        0x85, 0x7e, 0x1a, 0xa2, 0x6a, 0x73, 0x90, 0x80,
2824    };
2825#endif
2826    byte    iv[]   = "1234567890abcdef";
2827    byte* key;
2828    word32 keyLen;
2829    byte* expected;
2830
2831#if defined(WOLFSSL_AES_128)
2832    key = key16;
2833    keyLen = (word32)sizeof(key16) / sizeof(byte);
2834    expected = expected16;
2835#elif defined(WOLFSSL_AES_192)
2836    key = key24;
2837    keyLen = (word32)sizeof(key24) / sizeof(byte);
2838    expected = expected24;
2839#else
2840    key = key32;
2841    keyLen = (word32)sizeof(key32) / sizeof(byte);
2842    expected = expected32;
2843#endif
2844
2845    /* Init stack variables. */
2846    XMEMSET(&aes, 0, sizeof(Aes));
2847
2848    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
2849
2850    EXPECT_TEST(test_wc_AesCtrEncrypt_BadArgs(&aes, key, keyLen, iv));
2851
2852#ifdef WOLFSSL_AES_128
2853    EXPECT_TEST(test_wc_AesCtrEncrypt_WithKey(&aes, key16,
2854        (word32)sizeof(key16) / sizeof(byte), iv, vector, vector_enc16,
2855        (word32)sizeof(vector) / sizeof(byte)));
2856#endif
2857#ifdef WOLFSSL_AES_192
2858    EXPECT_TEST(test_wc_AesCtrEncrypt_WithKey(&aes, key24,
2859        (word32)sizeof(key24) / sizeof(byte), iv, vector, vector_enc24,
2860        (word32)sizeof(vector) / sizeof(byte)));
2861#endif
2862#ifdef WOLFSSL_AES_256
2863    EXPECT_TEST(test_wc_AesCtrEncrypt_WithKey(&aes, key32,
2864        (word32)sizeof(key32) / sizeof(byte), iv, vector, vector_enc32,
2865        (word32)sizeof(vector) / sizeof(byte)));
2866#endif
2867
2868    EXPECT_TEST(test_wc_AesCtrEncrypt_Chunking(&aes, key, keyLen, iv,
2869        expected));
2870#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
2871    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
2872    !defined(WOLFSSL_KCAPI)
2873    EXPECT_TEST(test_wc_AesCtrEncrypt_SameBuffer(&aes, key, keyLen, iv,
2874        expected));
2875#endif
2876
2877    wc_AesFree(&aes);
2878#endif
2879    return EXPECT_RESULT();
2880} /* END test_wc_AesCtrEncryptDecrypt */
2881
2882/*******************************************************************************
2883 * AES-CTR unaligned buffers
2884 ******************************************************************************/
2885
2886/*
2887 * Verify that wc_AesCtrEncrypt produces correct results when the input and
2888 * output buffers are byte-offset (unaligned).  Tests offsets 1, 2, and 3.
2889 * A 35-byte plaintext is used to exercise both the full-block path and the
2890 * partial-block leftover (35 = 2*16 + 3).
2891 */
2892int test_wc_AesCtrEncryptDecrypt_UnalignedBuffers(void)
2893{
2894    EXPECT_DECLS;
2895#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && \
2896    defined(WOLFSSL_AES_128) && \
2897    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
2898    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
2899    !defined(WOLFSSL_KCAPI)
2900    Aes aes;
2901    static const byte key[AES_128_KEY_SIZE] = {
2902        0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
2903        0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
2904    };
2905    static const byte iv[AES_IV_SIZE] = {
2906        0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
2907        0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
2908    };
2909    /* 35 bytes: two full blocks + 3-byte tail */
2910    static const byte plain[35] = {
2911        0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
2912        0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
2913        0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
2914        0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
2915        0x30, 0xc8, 0x1c
2916    };
2917    byte ref_ct[sizeof(plain)];
2918    byte in_buf[sizeof(plain) + 3];
2919    byte out_buf[sizeof(plain) + 3];
2920    int off;
2921
2922    XMEMSET(&aes, 0, sizeof(aes));
2923    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
2924
2925    /* Reference ciphertext with naturally-aligned buffers */
2926    ExpectIntEQ(wc_AesCtrSetKey(&aes, key, sizeof(key), iv, AES_ENCRYPTION), 0);
2927    ExpectIntEQ(wc_AesCtrEncrypt(&aes, ref_ct, plain, sizeof(plain)), 0);
2928
2929    /* Encrypt with byte offsets 1, 2, 3 on both in and out */
2930    for (off = 1; off <= 3 && EXPECT_SUCCESS(); off++) {
2931        XMEMCPY(in_buf + off, plain, sizeof(plain));
2932        XMEMSET(out_buf, 0, sizeof(out_buf));
2933        ExpectIntEQ(wc_AesCtrSetKey(&aes, key, sizeof(key), iv,
2934            AES_ENCRYPTION), 0);
2935        ExpectIntEQ(wc_AesCtrEncrypt(&aes, out_buf + off, in_buf + off,
2936            sizeof(plain)), 0);
2937        ExpectBufEQ(out_buf + off, ref_ct, sizeof(plain));
2938    }
2939
2940    /* Decrypt (CTR is symmetric: encrypt again to recover plaintext) */
2941    for (off = 1; off <= 3 && EXPECT_SUCCESS(); off++) {
2942        XMEMCPY(in_buf + off, ref_ct, sizeof(plain));
2943        XMEMSET(out_buf, 0, sizeof(out_buf));
2944        ExpectIntEQ(wc_AesCtrSetKey(&aes, key, sizeof(key), iv,
2945            AES_ENCRYPTION), 0);
2946        ExpectIntEQ(wc_AesCtrEncrypt(&aes, out_buf + off, in_buf + off,
2947            sizeof(plain)), 0);
2948        ExpectBufEQ(out_buf + off, plain, sizeof(plain));
2949    }
2950
2951    wc_AesFree(&aes);
2952#endif
2953    return EXPECT_RESULT();
2954} /* END test_wc_AesCtrEncryptDecrypt_UnalignedBuffers */
2955
2956/*
2957 * Cross-cipher test: CTR mode generates a keystream by ECB-encrypting the
2958 * counter block.  The counter starts at the IV value and increments as a
2959 * 128-bit big-endian integer after each block.
2960 * KS[i] = ECB_Encrypt(K, counter[i]);  C[i] = P[i] XOR KS[i]
2961 *
2962 * This test verifies that relationship: encrypt with CTR, then independently
2963 * compute the same ciphertext using ECB + counter increment, and compare.
2964 */
2965int test_wc_AesCtr_CrossCipher(void)
2966{
2967    EXPECT_DECLS;
2968#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(HAVE_AES_ECB) && \
2969    defined(WOLFSSL_AES_128) && \
2970    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
2971    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_AFALG) && \
2972    !defined(WOLFSSL_KCAPI)
2973    Aes aes;
2974    /* NIST SP 800-38A F.5.1 (first two plaintext blocks, CTR) */
2975    static const byte key[AES_128_KEY_SIZE] = {
2976        0x2b,0x7e,0x15,0x16, 0x28,0xae,0xd2,0xa6,
2977        0xab,0xf7,0x15,0x88, 0x09,0xcf,0x4f,0x3c
2978    };
2979    static const byte iv[WC_AES_BLOCK_SIZE] = {
2980        0xf0,0xf1,0xf2,0xf3, 0xf4,0xf5,0xf6,0xf7,
2981        0xf8,0xf9,0xfa,0xfb, 0xfc,0xfd,0xfe,0xff
2982    };
2983    static const byte plain[2 * WC_AES_BLOCK_SIZE] = {
2984        0x6b,0xc1,0xbe,0xe2, 0x2e,0x40,0x9f,0x96,
2985        0xe9,0x3d,0x7e,0x11, 0x73,0x93,0x17,0x2a,
2986        0xae,0x2d,0x8a,0x57, 0x1e,0x03,0xac,0x9c,
2987        0x9e,0xb7,0x6f,0xac, 0x45,0xaf,0x8e,0x51
2988    };
2989    byte ctr_ct[sizeof(plain)];
2990    byte ecb_ct[sizeof(plain)];
2991    byte counter[WC_AES_BLOCK_SIZE];
2992    byte ks[WC_AES_BLOCK_SIZE];
2993    int  i, j;
2994
2995    XMEMSET(&aes, 0, sizeof(aes));
2996    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
2997
2998    /* CTR ciphertext via the API */
2999    ExpectIntEQ(wc_AesCtrSetKey(&aes, key, sizeof(key), iv, AES_ENCRYPTION), 0);
3000    ExpectIntEQ(wc_AesCtrEncrypt(&aes, ctr_ct, plain, sizeof(plain)), 0);
3001
3002    /* Manually compute CTR via ECB + big-endian counter increment */
3003    ExpectIntEQ(wc_AesSetKey(&aes, key, sizeof(key), NULL, AES_ENCRYPTION), 0);
3004    XMEMCPY(counter, iv, WC_AES_BLOCK_SIZE);
3005
3006    for (i = 0; i < 2; i++) {
3007        /* KS[i] = ECB_E(K, counter[i]) */
3008        ExpectIntEQ(wc_AesEcbEncrypt(&aes, ks, counter, WC_AES_BLOCK_SIZE), 0);
3009        if (EXPECT_SUCCESS()) {
3010            /* C[i] = P[i] XOR KS[i] */
3011            for (j = 0; j < WC_AES_BLOCK_SIZE; j++)
3012                ecb_ct[i * WC_AES_BLOCK_SIZE + j] =
3013                    plain[i * WC_AES_BLOCK_SIZE + j] ^ ks[j];
3014            /* Increment 128-bit counter big-endian (carry from last byte
3015             * upward) */
3016            for (j = WC_AES_BLOCK_SIZE - 1; j >= 0 && (++counter[j]) == 0; j--)
3017                ;
3018        }
3019    }
3020
3021    /* CTR ciphertext must equal the manually computed ECB+counter ciphertext */
3022    ExpectBufEQ(ctr_ct, ecb_ct, sizeof(plain));
3023
3024    wc_AesFree(&aes);
3025#endif
3026    return EXPECT_RESULT();
3027} /* END test_wc_AesCtr_CrossCipher */
3028
3029/*******************************************************************************
3030 * AES-GCM
3031 ******************************************************************************/
3032
3033/*
3034 * test function for wc_AesGcmSetKey()
3035 */
3036int test_wc_AesGcmSetKey(void)
3037{
3038    EXPECT_DECLS;
3039#if  !defined(NO_AES) && defined(HAVE_AESGCM)
3040    Aes aes;
3041#ifdef WOLFSSL_AES_128
3042    byte key16[] = {
3043        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
3044        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
3045    };
3046#endif
3047#ifdef WOLFSSL_AES_192
3048    byte key24[] = {
3049        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
3050        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
3051        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
3052    };
3053#endif
3054#ifdef WOLFSSL_AES_256
3055    byte key32[] = {
3056        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
3057        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
3058        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
3059        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
3060    };
3061#endif
3062    byte badKey16[] = {
3063        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
3064        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
3065    };
3066    byte badKey24[] = {
3067        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
3068        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
3069        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36
3070    };
3071    byte badKey32[] = {
3072        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x37, 0x37,
3073        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
3074        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
3075        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
3076    };
3077    byte* key;
3078    word32 keyLen;
3079
3080#ifdef WOLFSSL_AES_128
3081    key = key16;
3082    keyLen = sizeof(key16)/sizeof(byte);
3083#elif defined(WOLFSSL_AES_192)
3084    key = key24;
3085    keyLen = sizeof(key24)/sizeof(byte);
3086#else
3087    key = key32;
3088    keyLen = sizeof(key32)/sizeof(byte);
3089#endif
3090
3091    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
3092
3093#ifdef WOLFSSL_AES_128
3094    ExpectIntEQ(wc_AesGcmSetKey(&aes, key16, sizeof(key16)/sizeof(byte)), 0);
3095#endif
3096#ifdef WOLFSSL_AES_192
3097    ExpectIntEQ(wc_AesGcmSetKey(&aes, key24, sizeof(key24)/sizeof(byte)), 0);
3098#endif
3099#ifdef WOLFSSL_AES_256
3100    ExpectIntEQ(wc_AesGcmSetKey(&aes, key32, sizeof(key32)/sizeof(byte)), 0);
3101#endif
3102
3103    /* Pass in bad args. */
3104    ExpectIntEQ(wc_AesGcmSetKey(NULL, NULL, keyLen),
3105        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
3106    ExpectIntEQ(wc_AesGcmSetKey(NULL, key, keyLen),
3107        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
3108#if (!defined(HAVE_FIPS) || !defined(HAVE_FIPS_VERSION) || \
3109        (HAVE_FIPS_VERSION > 6)) && !defined(HAVE_SELFTEST)
3110    ExpectIntEQ(wc_AesGcmSetKey(&aes, NULL, keyLen),
3111        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
3112#endif
3113    ExpectIntEQ(wc_AesGcmSetKey(&aes, badKey16, sizeof(badKey16)/sizeof(byte)),
3114        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
3115    ExpectIntEQ(wc_AesGcmSetKey(&aes, badKey24, sizeof(badKey24)/sizeof(byte)),
3116        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
3117    ExpectIntEQ(wc_AesGcmSetKey(&aes, badKey32, sizeof(badKey32)/sizeof(byte)),
3118        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
3119
3120    wc_AesFree(&aes);
3121#endif
3122    return EXPECT_RESULT();
3123} /* END test_wc_AesGcmSetKey */
3124
3125int test_wc_AesGcmEncryptDecrypt_Sizes(void)
3126{
3127    EXPECT_DECLS;
3128#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) && \
3129    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI)
3130    #define GCM_LEN     (WC_AES_BLOCK_SIZE * 16)
3131    byte expTagShort[WC_AES_BLOCK_SIZE][WC_AES_BLOCK_SIZE] = {
3132        {
3133            0x41, 0x5d, 0x72, 0x1e, 0xe0, 0x17, 0x7c, 0xe2,
3134            0x33, 0xfb, 0x0e, 0xab, 0x5a, 0x08, 0x4c, 0xb0,
3135        },
3136        {
3137            0x26, 0xe8, 0xc0, 0x9f, 0xbc, 0x70, 0x1d, 0x7e,
3138            0x22, 0x43, 0x26, 0x1b, 0x21, 0x9d, 0x2c, 0x5b,
3139        },
3140        {
3141            0x94, 0x8f, 0x24, 0xeb, 0xd1, 0x5b, 0x3d, 0x2a,
3142            0x31, 0xf2, 0xe4, 0xf9, 0x07, 0xc8, 0xe7, 0x63,
3143        },
3144        {
3145            0x62, 0xa9, 0x79, 0x97, 0x6c, 0x93, 0x77, 0x52,
3146            0x2f, 0xbf, 0x51, 0xb2, 0xc2, 0xf7, 0xe5, 0xf4,
3147        },
3148        {
3149            0xa5, 0x44, 0xfd, 0x3c, 0x16, 0x2a, 0x05, 0x7a,
3150            0x52, 0xe1, 0xed, 0x13, 0x49, 0x81, 0x93, 0x7a,
3151        },
3152        {
3153            0xe5, 0x3b, 0xd4, 0xc9, 0x9f, 0x9e, 0xf0, 0x55,
3154            0xcd, 0x80, 0xb7, 0x42, 0xa4, 0xaf, 0x33, 0x88,
3155        },
3156        {
3157            0x65, 0xa8, 0xc9, 0xa7, 0x8b, 0xdb, 0x80, 0xfe,
3158            0x40, 0xfe, 0xb6, 0xe4, 0x00, 0xf9, 0x23, 0x72,
3159        },
3160        {
3161            0xe0, 0x1e, 0xec, 0x38, 0x45, 0xf0, 0x9c, 0x82,
3162            0x72, 0xac, 0x2f, 0xec, 0x3b, 0x2b, 0xfe, 0x75,
3163        },
3164        {
3165            0xea, 0xb4, 0x5b, 0x4d, 0x76, 0x98, 0xc8, 0x34,
3166            0x07, 0x1d, 0x7b, 0xaf, 0x36, 0xfa, 0x72, 0x9b,
3167        },
3168        {
3169            0xcf, 0x2b, 0x12, 0x7a, 0x5a, 0x5a, 0x73, 0x73,
3170            0xb5, 0xb6, 0xb6, 0xb0, 0x42, 0xa5, 0xc0, 0x23,
3171        },
3172        {
3173            0xc1, 0x14, 0x52, 0xd0, 0xd0, 0x1d, 0xca, 0xce,
3174            0x2e, 0x4c, 0xd8, 0x94, 0x62, 0x92, 0xf6, 0x9c,
3175        },
3176        {
3177            0x5b, 0xd9, 0xa6, 0x8c, 0x34, 0x0e, 0x81, 0xaf,
3178            0x09, 0xc3, 0x44, 0x74, 0x35, 0xce, 0x89, 0x92,
3179        },
3180        {
3181            0xdc, 0x9f, 0xd0, 0xd5, 0xaa, 0x38, 0xe2, 0xce,
3182            0x75, 0x88, 0x64, 0xee, 0x7a, 0x5d, 0x44, 0xa4,
3183        },
3184        {
3185            0xc3, 0x35, 0xfe, 0xa9, 0x9d, 0x3d, 0x75, 0xb7,
3186            0xba, 0xdd, 0x9e, 0xa5, 0x5d, 0xd3, 0x65, 0x80,
3187        },
3188        {
3189            0x1d, 0x1a, 0x04, 0x99, 0xb5, 0x8b, 0xe8, 0xec,
3190            0x81, 0xd1, 0xde, 0xd3, 0x3a, 0x09, 0xb4, 0x9f,
3191        },
3192        {
3193            0xb8, 0x14, 0x0a, 0xc3, 0x8b, 0x88, 0x87, 0xa1,
3194            0xdf, 0xfa, 0x6d, 0x15, 0x70, 0xde, 0xff, 0x3b,
3195        },
3196    };
3197    byte expected[GCM_LEN] = {
3198        0x9a, 0x10, 0xb2, 0x60, 0x38, 0x65, 0x46, 0x81,
3199        0xc0, 0xa7, 0x0d, 0x3f, 0x5b, 0x4f, 0x27,
3200    };
3201    byte expTagLong[][WC_AES_BLOCK_SIZE] = {
3202        {
3203            0xdd, 0x1c, 0x3d, 0x12, 0xa4, 0x16, 0xa5, 0xf7,
3204            0x67, 0xc5, 0x58, 0xb8, 0xda, 0x22, 0x6c, 0x22,
3205        },
3206        {
3207            0xbe, 0x5e, 0x04, 0x61, 0xae, 0x36, 0x61, 0xfb,
3208            0x86, 0x66, 0xda, 0x62, 0xaa, 0x36, 0x7e, 0x22,
3209        },
3210        {
3211            0x18, 0xc3, 0xf5, 0xcf, 0x76, 0x24, 0xd4, 0x5c,
3212            0xbb, 0xeb, 0xb3, 0x0a, 0x7a, 0x53, 0x64, 0x9b,
3213        },
3214        {
3215            0xe0, 0xaa, 0xe9, 0x10, 0x41, 0x16, 0x72, 0x1b,
3216            0x16, 0xd6, 0xd9, 0xcd, 0x2f, 0xe4, 0xd2, 0xe8,
3217        },
3218        {
3219            0xfa, 0xdc, 0x28, 0x4a, 0x65, 0x96, 0xe0, 0x73,
3220            0xfb, 0xcd, 0x2b, 0x35, 0xa0, 0x68, 0xde, 0x60,
3221        },
3222    };
3223    byte key32[] = {
3224        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
3225        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
3226        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
3227        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
3228    };
3229    Aes aes;
3230    byte tag[WC_AES_BLOCK_SIZE];
3231    byte iv[] = "1234567890a";
3232    word32 ivLen = (word32)sizeof(iv)/sizeof(byte);
3233    int sz;
3234    int i;
3235    WC_DECLARE_VAR(plain, byte, GCM_LEN, NULL);
3236    WC_DECLARE_VAR(cipher, byte, GCM_LEN, NULL);
3237#ifdef HAVE_AES_DECRYPT
3238    WC_DECLARE_VAR(decrypted, byte, GCM_LEN, NULL);
3239#endif
3240
3241    WC_ALLOC_VAR(plain, byte, GCM_LEN, NULL);
3242    WC_ALLOC_VAR(cipher, byte, GCM_LEN, NULL);
3243#ifdef HAVE_AES_DECRYPT
3244    WC_ALLOC_VAR(decrypted, byte, GCM_LEN, NULL);
3245#endif
3246
3247#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
3248    ExpectNotNull(plain);
3249    ExpectNotNull(cipher);
3250#ifdef HAVE_AES_DECRYPT
3251    ExpectNotNull(decrypted);
3252#endif
3253#endif
3254
3255    XMEMSET(&aes, 0, sizeof(Aes));
3256    XMEMSET(plain, 0xa5, GCM_LEN);
3257
3258    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
3259
3260    ExpectIntEQ(wc_AesGcmSetKey(&aes, key32, sizeof(key32)/sizeof(byte)), 0);
3261    for (sz = 0; sz < WC_AES_BLOCK_SIZE; sz++) {
3262        XMEMSET(cipher, 0, GCM_LEN);
3263        ExpectIntEQ(wc_AesGcmEncrypt(&aes, cipher, plain, sz, iv, ivLen, tag,
3264            sizeof(tag), NULL, 0), 0);
3265        ExpectBufEQ(cipher, expected, sz);
3266        ExpectBufEQ(tag, expTagShort[sz], WC_AES_BLOCK_SIZE);
3267
3268#ifdef HAVE_AES_DECRYPT
3269        XMEMSET(decrypted, 0xff, GCM_LEN);
3270        ExpectIntEQ(wc_AesGcmDecrypt(&aes, decrypted, cipher, sz, iv, ivLen,
3271            tag, sizeof(tag), NULL, 0), 0);
3272        ExpectBufEQ(decrypted, plain, sz);
3273#endif
3274    }
3275
3276    i = 0;
3277    for (sz = WC_AES_BLOCK_SIZE; sz <= GCM_LEN; sz *= 2) {
3278        XMEMSET(cipher, 0, GCM_LEN);
3279        ExpectIntEQ(wc_AesGcmEncrypt(&aes, cipher, plain, sz, iv, ivLen, tag,
3280            sizeof(tag), NULL, 0), 0);
3281        ExpectBufEQ(tag, expTagLong[i], WC_AES_BLOCK_SIZE);
3282        i++;
3283
3284#ifdef HAVE_AES_DECRYPT
3285        XMEMSET(decrypted, 0xff, GCM_LEN);
3286        ExpectIntEQ(wc_AesGcmDecrypt(&aes, decrypted, cipher, sz, iv, ivLen,
3287            tag, sizeof(tag), NULL, 0), 0);
3288        ExpectBufEQ(decrypted, plain, sz);
3289#endif
3290    }
3291
3292    wc_AesFree(&aes);
3293    WC_FREE_VAR(plain, NULL);
3294    WC_FREE_VAR(cipher, NULL);
3295#ifdef HAVE_AES_DECRYPT
3296    WC_FREE_VAR(decrypted, NULL);
3297#endif
3298#endif
3299    return EXPECT_RESULT();
3300}
3301
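/*
 * Test function for wc_AesGcmEncrypt and wc_AesGcmDecrypt.
 *
 * With an AES-256 key this covers: a one-shot encrypt/decrypt round trip,
 * rejection of a modified tag and of modified ciphertext, bad-argument
 * handling for both calls, and encryption with an IV longer than 12 bytes
 * where the build permits it.
 *
 * Returns EXPECT_RESULT(); the body is compiled out when the guard below is
 * not satisfied.
 */
int test_wc_AesGcmEncryptDecrypt(void)
{
    EXPECT_DECLS;
    /* WOLFSSL_AFALG requires 12 byte IV */
#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) && \
    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_DEVCRYPTO_AES)
    Aes  aes;
    byte key32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte vector[] = { /* Now is the time for all w/o trailing 0 */
        0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
        0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
        0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
    };
    const byte a[] = {
        0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
        0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
        0xab, 0xad, 0xda, 0xd2
    };
    /* sizeof() of a string literal counts the terminating NUL, so the IV
     * passed below is 12 bytes long and the long IV is 21 bytes long. */
    byte iv[] = "1234567890a";
    byte longIV[] = "1234567890abcdefghij";
    byte enc[sizeof(vector)];
    byte resultT[WC_AES_BLOCK_SIZE];
    byte dec[sizeof(vector)];

    /* Init stack variables. */
    XMEMSET(&aes, 0, sizeof(Aes));
    XMEMSET(enc, 0, sizeof(enc));
    XMEMSET(dec, 0, sizeof(dec));
    XMEMSET(resultT, 0, sizeof(resultT));

    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

    /* Round trip: decrypting the ciphertext with the produced tag must give
     * back the plaintext. */
    ExpectIntEQ(wc_AesGcmSetKey(&aes, key32, sizeof(key32)/sizeof(byte)), 0);
    ExpectIntEQ(wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)), 0);
    ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(vector), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)), 0);
    ExpectIntEQ(XMEMCMP(vector, dec, sizeof(vector)), 0);

    /* Authentication must fail when the tag or the ciphertext has been
     * modified.  Each bit flip is undone straight away so that the checks
     * further down see the original data. */
    resultT[0] ^= 0x01;
    ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(vector), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
        WC_NO_ERR_TRACE(AES_GCM_AUTH_E));
    resultT[0] ^= 0x01;
    enc[0] ^= 0x01;
    ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(vector), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
        WC_NO_ERR_TRACE(AES_GCM_AUTH_E));
    enc[0] ^= 0x01;

    /* Test bad args for wc_AesGcmEncrypt and wc_AesGcmDecrypt */
    /* NULL Aes object. */
    ExpectIntEQ(wc_AesGcmEncrypt(NULL, enc, vector, sizeof(vector), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Tag length one byte larger than the tag buffer. */
    ExpectIntEQ(wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT) + 1, a, sizeof(a)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Tag length five bytes short of the buffer; presumably below the
     * smallest tag size the library accepts - confirm against the build. */
    ExpectIntEQ(wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT) - 5, a, sizeof(a)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

#if (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
        (HAVE_FIPS_VERSION == 2)) || defined(HAVE_SELFTEST) || \
        defined(WOLFSSL_AES_GCM_FIXED_IV_AAD)
    /* FIPS does not check the lower bound of ivSz */
#else
    /* Zero-length IV (non-NULL pointer) must be rejected. */
    ExpectIntEQ(wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), iv, 0,
        resultT, sizeof(resultT), a, sizeof(a)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif

    /* This case is now considered good. Long IVs are now allowed.
     * Except for the original FIPS release, it still has an upper
     * bound on the IV length. */
#if (!defined(HAVE_FIPS) || \
    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))) && \
    !defined(WOLFSSL_AES_GCM_FIXED_IV_AAD)
    /* Overwrites enc and resultT; the decrypt calls below are all expected
     * to fail, so they do not depend on the contents. */
    ExpectIntEQ(wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV,
        sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
        0);
#else
    (void)longIV;
#endif /* Old FIPS */
    /* END wc_AesGcmEncrypt */

#ifdef HAVE_AES_DECRYPT
    /* One bad argument per call: NULL Aes, NULL output, NULL input, NULL IV,
     * NULL tag. */
    ExpectIntEQ(wc_AesGcmDecrypt(NULL, dec, enc, sizeof(enc)/sizeof(byte), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesGcmDecrypt(&aes, NULL, enc, sizeof(enc)/sizeof(byte), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, NULL, sizeof(enc)/sizeof(byte), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte), NULL,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte), iv,
        sizeof(iv)/sizeof(byte), NULL, sizeof(resultT), a, sizeof(a)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Oversized tag length: this one configuration is expected to report an
     * authentication failure rather than a bad argument. */
    #if (defined(HAVE_FIPS) && FIPS_VERSION_LE(2,0) && defined(WOLFSSL_ARMASM))
    ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT) + 1, a, sizeof(a)),
        WC_NO_ERR_TRACE(AES_GCM_AUTH_E));
    #else
    ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte), iv,
        sizeof(iv)/sizeof(byte), resultT, sizeof(resultT) + 1, a, sizeof(a)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    #endif
    /* NOTE(review): the encrypt-side guard above skips the zero-length IV
     * check when WOLFSSL_AES_GCM_FIXED_IV_AAD is defined, while this guard
     * runs it in that configuration - confirm the asymmetry is intended. */
    #if ((defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
            (HAVE_FIPS_VERSION == 2)) || defined(HAVE_SELFTEST)) && \
            !defined(WOLFSSL_AES_GCM_FIXED_IV_AAD)
    /* FIPS does not check the lower bound of ivSz */
    #else
    ExpectIntEQ(wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc)/sizeof(byte),
        iv, 0, resultT, sizeof(resultT), a, sizeof(a)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    #endif
#endif /* HAVE_AES_DECRYPT */

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();

} /* END test_wc_AesGcmEncryptDecrypt */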
3425
3426/*******************************************************************************
3427 * AES-GCM overlapping (in-place) buffers
3428 ******************************************************************************/
3429
/*
 * In-place AES-GCM: the same buffer is passed as both input and output.
 *
 * A reference ciphertext and tag are produced first with separate buffers.
 * Encrypting in place must then give identical bytes, and decrypting in
 * place must give back the plaintext.  AES-GCM encrypts by XORing a CTR
 * keystream into the data, so in == out is expected to be safe; the auth
 * tag always has its own buffer and is not affected.
 *
 * Key and IV come from McGrew & Viega Test Case 4 (AES-128); a 24-byte
 * slice of that test case's plaintext gives a non-block-aligned length.
 * Only the success path is exercised: no call here decrypts in place with
 * a tag that does not verify.
 */
int test_wc_AesGcmEncryptDecrypt_InPlace(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) && \
    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_DEVCRYPTO_AES)
    static const byte key[AES_128_KEY_SIZE] = {
        0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
        0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
    };
    static const byte iv[GCM_NONCE_MID_SZ] = {
        0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
        0xde, 0xca, 0xf8, 0x88
    };
    static const byte aad[20] = {
        0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
        0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
        0xab, 0xad, 0xda, 0xd2
    };
    static const byte plain[24] = {
        0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
        0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
        0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda
    };
    Aes  aes;
    byte expect_ct[sizeof(plain)];      /* from the two-buffer encrypt */
    byte expect_tag[WC_AES_BLOCK_SIZE];
    byte work[sizeof(plain)];           /* input and output of in-place calls */
    byte work_tag[WC_AES_BLOCK_SIZE];

    /* Clear everything that is written by the library before it is read. */
    XMEMSET(&aes,       0, sizeof(aes));
    XMEMSET(expect_ct,  0, sizeof(expect_ct));
    XMEMSET(expect_tag, 0, sizeof(expect_tag));
    XMEMSET(work_tag,   0, sizeof(work_tag));
    XMEMCPY(work, plain, sizeof(work));

    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesGcmSetKey(&aes, key, sizeof(key)), 0);

    /* Reference: distinct input and output buffers. */
    ExpectIntEQ(wc_AesGcmEncrypt(&aes, expect_ct, plain, sizeof(plain),
        iv, sizeof(iv), expect_tag, sizeof(expect_tag), aad, sizeof(aad)),
        0);

    /* out == in: ciphertext and tag must match the reference. */
    ExpectIntEQ(wc_AesGcmEncrypt(&aes, work, work, sizeof(work),
        iv, sizeof(iv), work_tag, sizeof(work_tag), aad, sizeof(aad)), 0);
    ExpectBufEQ(work,     expect_ct,  sizeof(work));
    ExpectBufEQ(work_tag, expect_tag, sizeof(work_tag));

#ifdef HAVE_AES_DECRYPT
    /* out == in on the way back: the original plaintext must reappear. */
    ExpectIntEQ(wc_AesGcmDecrypt(&aes, work, work, sizeof(work),
        iv, sizeof(iv), work_tag, sizeof(work_tag), aad, sizeof(aad)), 0);
    ExpectBufEQ(work, plain, sizeof(work));
#endif

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesGcmEncryptDecrypt_InPlace */
3495
3496/*******************************************************************************
3497 * AES-GCM unaligned buffers
3498 ******************************************************************************/
3499
/*
 * AES-GCM with byte-offset (unaligned) buffers.
 *
 * The plaintext, ciphertext and AAD pointers handed to wc_AesGcmEncrypt /
 * wc_AesGcmDecrypt are shifted by 1, 2 and 3 bytes from the start of their
 * arrays, and the results are compared with a reference computed from the
 * unshifted arrays.  This exercises the GHASH path as well as the CTR
 * encryption, both of which may use SIMD intrinsics sensitive to alignment.
 * The IV and tag buffers are not shifted.
 */
int test_wc_AesGcmEncryptDecrypt_UnalignedBuffers(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) && \
    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_DEVCRYPTO_AES)
    /* Same key / IV / AAD as InPlace test (McGrew TC4, AES-128) */
    static const byte key[AES_128_KEY_SIZE] = {
        0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
        0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
    };
    static const byte iv[GCM_NONCE_MID_SZ] = {
        0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
        0xde, 0xca, 0xf8, 0x88
    };
    static const byte aad[20] = {
        0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
        0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
        0xab, 0xad, 0xda, 0xd2
    };
    static const byte plain[24] = {
        0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
        0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
        0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda
    };
    Aes  aes;
    byte ref_ct[sizeof(plain)];
    byte ref_tag[WC_AES_BLOCK_SIZE];
    /* Three spare bytes so that the largest offset still fits. */
    byte in_buf[sizeof(plain) + 3];
    byte out_buf[sizeof(plain) + 3];
    byte aad_buf[sizeof(aad) + 3];
    byte tag[WC_AES_BLOCK_SIZE];
    int  off;

    XMEMSET(&aes,    0, sizeof(aes));
    XMEMSET(ref_ct,  0, sizeof(ref_ct));
    XMEMSET(ref_tag, 0, sizeof(ref_tag));

    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesGcmSetKey(&aes, key, sizeof(key)), 0);

    /* Reference ciphertext/tag from the arrays at their natural alignment. */
    ExpectIntEQ(wc_AesGcmEncrypt(&aes, ref_ct, plain, sizeof(plain),
        iv, sizeof(iv), ref_tag, sizeof(ref_tag), aad, sizeof(aad)), 0);

    /* Encrypt at offsets 1, 2, 3; stop at the first failed expectation. */
    off = 1;
    while (off <= 3 && EXPECT_SUCCESS()) {
        byte* src = in_buf  + off;
        byte* dst = out_buf + off;
        byte* ad  = aad_buf + off;

        XMEMCPY(src, plain, sizeof(plain));
        XMEMCPY(ad,  aad,   sizeof(aad));
        XMEMSET(out_buf, 0, sizeof(out_buf));
        XMEMSET(tag,     0, sizeof(tag));
        ExpectIntEQ(wc_AesGcmEncrypt(&aes, dst, src, sizeof(plain),
            iv, sizeof(iv), tag, sizeof(tag), ad, sizeof(aad)), 0);
        ExpectBufEQ(dst, ref_ct,  sizeof(plain));
        ExpectBufEQ(tag, ref_tag, sizeof(tag));
        off++;
    }

#ifdef HAVE_AES_DECRYPT
    /* Decrypt the reference ciphertext at offsets 1, 2, 3, verifying
     * against the reference tag. */
    off = 1;
    while (off <= 3 && EXPECT_SUCCESS()) {
        byte* src = in_buf  + off;
        byte* dst = out_buf + off;
        byte* ad  = aad_buf + off;

        XMEMCPY(src, ref_ct, sizeof(plain));
        XMEMCPY(ad,  aad,    sizeof(aad));
        XMEMSET(out_buf, 0, sizeof(out_buf));
        ExpectIntEQ(wc_AesGcmDecrypt(&aes, dst, src, sizeof(plain),
            iv, sizeof(iv), ref_tag, sizeof(ref_tag), ad, sizeof(aad)), 0);
        ExpectBufEQ(dst, plain, sizeof(plain));
        off++;
    }
#endif

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesGcmEncryptDecrypt_UnalignedBuffers */
3577
/*
 * Cross-cipher test: GCM ciphertext against plain AES-CTR.
 *
 * AES-GCM encrypts the plaintext with AES-CTR starting at counter block
 * J0+1.  For a 12-byte nonce, J0 = nonce || 0x00000001, so the first counter
 * block used for data is nonce || 0x00000002.
 *
 * The test checks that the ciphertext part of a GCM encrypt equals the
 * output of AES-CTR whose initial counter is nonce || 0x00000002.  The GCM
 * tag is produced but not compared with anything here.
 */
int test_wc_AesGcm_CrossCipher(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_COUNTER) && \
    defined(WOLFSSL_AES_128) && !defined(WOLFSSL_AFALG) && \
    !defined(WOLFSSL_DEVCRYPTO_AES) && \
    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_KCAPI)
    /* McGrew/Viega GCM test case 4 (128-bit key, 12-byte nonce) */
    static const byte key[AES_128_KEY_SIZE] = {
        0xfe,0xff,0xe9,0x92, 0x86,0x65,0x73,0x1c,
        0x6d,0x6a,0x8f,0x94, 0x67,0x30,0x83,0x08
    };
    static const byte nonce[GCM_NONCE_MID_SZ] = {
        0xca,0xfe,0xba,0xbe, 0xfa,0xce,0xdb,0xad,
        0xde,0xca,0xf8,0x88
    };
    static const byte aad[20] = {
        0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
        0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
        0xab,0xad,0xda,0xd2
    };
    static const byte plain[24] = {
        0xd9,0x31,0x32,0x25, 0xf8,0x84,0x06,0xe5,
        0xa5,0x59,0x09,0xc5, 0xaf,0xf5,0x26,0x9a,
        0x86,0xa7,0xa9,0x53, 0x15,0x34,0xf7,0xda
    };
    /* Big-endian 32-bit counter value 2, written to bytes 12..15. */
    static const byte ctr_tail[4] = { 0x00, 0x00, 0x00, 0x02 };
    Aes  aes;
    byte ctr_iv[WC_AES_BLOCK_SIZE];   /* nonce || 0x00000002  (GCM's J0+1) */
    byte gcm_ct[sizeof(plain)];
    byte gcm_tag[WC_AES_BLOCK_SIZE];
    byte ctr_ct[sizeof(plain)];

    XMEMSET(&aes, 0, sizeof(aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);

    /* Side 1: one-shot GCM encryption. */
    ExpectIntEQ(wc_AesGcmSetKey(&aes, key, sizeof(key)), 0);
    ExpectIntEQ(wc_AesGcmEncrypt(&aes, gcm_ct, plain, sizeof(plain),
        nonce, sizeof(nonce), gcm_tag, sizeof(gcm_tag), aad, sizeof(aad)), 0);

    /* Side 2: the same Aes object re-keyed for CTR, counter set to J0+1. */
    XMEMCPY(ctr_iv, nonce, sizeof(nonce));
    XMEMCPY(ctr_iv + 12, ctr_tail, sizeof(ctr_tail));
    ExpectIntEQ(wc_AesCtrSetKey(&aes, key, sizeof(key), ctr_iv,
        AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesCtrEncrypt(&aes, ctr_ct, plain, sizeof(plain)), 0);

    /* Both sides must have produced the same ciphertext bytes. */
    ExpectBufEQ(gcm_ct, ctr_ct, sizeof(plain));

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesGcm_CrossCipher */
3641
/*
 * Mixed-API AES-GCM test with a long IV: one-shot encryption followed by
 * streaming decryption of the result (older FIPS does NOT support long
 * IVs).  Relates to zd15423.
 *
 * Two separate Aes objects are used, one per API.  sizeof(iv) counts the
 * string literal's terminating NUL, so both sides use a 21-byte IV.
 */
int test_wc_AesGcmMixedEncDecLongIV(void)
{
    EXPECT_DECLS;
#if  (!defined(HAVE_FIPS) || \
      (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))) && \
     !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) && \
     defined(WOLFSSL_AESGCM_STREAM)
    Aes oneShot;   /* encrypts with wc_AesGcmEncrypt() */
    Aes stream;    /* decrypts with the Init/Update/Final calls */
    const byte key[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    const byte in[] = {
        0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
        0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
        0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
    };
    const byte aad[] = {
        0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
        0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
        0xab, 0xad, 0xda, 0xd2
    };
    byte iv[] = "1234567890abcdefghij";
    byte cipherText[sizeof(in)];
    byte recovered[sizeof(in)];
    byte authTag[WC_AES_BLOCK_SIZE];

    XMEMSET(&oneShot, 0, sizeof(oneShot));
    XMEMSET(&stream, 0, sizeof(stream));
    XMEMSET(cipherText, 0, sizeof(cipherText));
    XMEMSET(recovered, 0, sizeof(recovered));
    XMEMSET(authTag, 0, sizeof(authTag));

    /* One-shot encryption with the long IV. */
    ExpectIntEQ(wc_AesInit(&oneShot, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesGcmSetKey(&oneShot, key, sizeof(key)), 0);
    ExpectIntEQ(wc_AesGcmEncrypt(&oneShot, cipherText, in, sizeof(in), iv,
        sizeof(iv), authTag, sizeof(authTag), aad, sizeof(aad)), 0);

    /* Streaming decryption with the same key, IV and AAD.  The plaintext
     * from the update call is compared only after
     * wc_AesGcmDecryptFinal() has checked the tag. */
    ExpectIntEQ(wc_AesInit(&stream, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesGcmInit(&stream, key, sizeof(key), iv, sizeof(iv)), 0);
    ExpectIntEQ(wc_AesGcmDecryptUpdate(&stream, recovered, cipherText,
        sizeof(cipherText), aad, sizeof(aad)), 0);
    ExpectIntEQ(wc_AesGcmDecryptFinal(&stream, authTag, sizeof(authTag)), 0);
    ExpectIntEQ(XMEMCMP(recovered, in, sizeof(in)), 0);

    /* Release both contexts. */
    wc_AesFree(&oneShot);
    wc_AesFree(&stream);
#endif
    return EXPECT_RESULT();

} /* END test_wc_AesGcmMixedEncDecLongIV */
3703
3704/*******************************************************************************
3705 * AES-GCM non-standard nonce lengths
3706 ******************************************************************************/
3707
/*
 * Non-standard (non-96-bit) nonce tests for AES-GCM.
 *
 * NIST SP 800-38D requires a different counter-derivation path when
 * len(IV) != 96 bits (12 bytes): J0 = GHASH_H(IV || pad || len64(IV)).
 * Most hardware accelerators only support the 12-byte fast path, so these
 * tests are skipped on FIPS builds and hardware-only backends.
 *
 * Four sections:
 *  1. 1-byte IV  - FIPS CAVS example vector (AES-128).
 *  2. 60-byte IV - McGrew & Viega Test Case 12 (AES-192).
 *  3. Variable IV length loop (1..GCM_NONCE_MAX_SZ, AES-128): round trip,
 *     plus a check that each IV length gives ciphertext different from the
 *     previous length's.
 *  4. Zero-length IV passed as a NULL pointer must be rejected with an
 *     error, except in HAVE_SELFTEST builds, where the call is expected to
 *     succeed.
 */
int test_wc_AesGcmNonStdNonce(void)
{
    EXPECT_DECLS;
/* Hardware accelerators and FIPS mode only support the 12-byte IV fast path
 * and cannot exercise the GHASH-based counter derivation. */
#if !defined(NO_AES) && defined(HAVE_AESGCM) && \
    !defined(HAVE_FIPS) && \
    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI)

    /* ------------------------------------------------------------------
     * Section 1: 1-byte IV, AES-128
     * Key, IV, plaintext, AAD, ciphertext, and tag are taken directly from
     * the FIPS CAVS non-96-bit-IV example vectors, also present in
     * wolfcrypt/test/test.c (variable k3/iv3/p3/a3/c3/t3).
     * ------------------------------------------------------------------ */
#ifdef WOLFSSL_AES_128
    {
        static const byte key_1b[AES_128_KEY_SIZE] = {
            0xbb,0x01,0xd7,0x03, 0x81,0x1c,0x10,0x1a,
            0x35,0xe0,0xff,0xd2, 0x91,0xba,0xf2,0x4b
        };
        static const byte iv_1b[1] = { 0xca };
        static const byte pt_1b[AES_128_KEY_SIZE] = {
            0x57,0xce,0x45,0x1f, 0xa5,0xe2,0x35,0xa5,
            0x8e,0x1a,0xa2,0x3b, 0x77,0xcb,0xaf,0xe2
        };
        static const byte aad_1b[AES_128_KEY_SIZE] = {
            0x40,0xfc,0xdc,0xd7, 0x4a,0xd7,0x8b,0xf1,
            0x3e,0x7c,0x60,0x55, 0x50,0x51,0xdd,0x54
        };
        static const byte expCt_1b[AES_128_KEY_SIZE] = {
            0x6b,0x5f,0xb3,0x9d, 0xc1,0xc5,0x7a,0x4f,
            0xf3,0x51,0x4d,0xc2, 0xd5,0xf0,0xd0,0x07
        };
        static const byte expTag_1b[WC_AES_BLOCK_SIZE] = {
            0x06,0x90,0xed,0x01, 0x34,0xdd,0xc6,0x95,
            0x31,0x2e,0x2a,0xf9, 0x57,0x7a,0x1e,0xa6
        };
        Aes  gcmEnc;
        byte ctOut[AES_128_KEY_SIZE];
        byte tagOut[WC_AES_BLOCK_SIZE];
#ifdef HAVE_AES_DECRYPT
        Aes  gcmDec;
        byte ptOut[AES_128_KEY_SIZE];
#endif

        /* Known-answer check: ciphertext and tag must match the vector. */
        XMEMSET(&gcmEnc, 0, sizeof(gcmEnc));
        ExpectIntEQ(wc_AesInit(&gcmEnc, NULL, INVALID_DEVID), 0);
        ExpectIntEQ(wc_AesGcmSetKey(&gcmEnc, key_1b, sizeof(key_1b)), 0);
        ExpectIntEQ(wc_AesGcmEncrypt(&gcmEnc, ctOut, pt_1b, sizeof(pt_1b),
            iv_1b, sizeof(iv_1b), tagOut, sizeof(tagOut),
            aad_1b, sizeof(aad_1b)), 0);
        ExpectBufEQ(ctOut,  expCt_1b,  sizeof(expCt_1b));
        ExpectBufEQ(tagOut, expTag_1b, sizeof(expTag_1b));

#ifdef HAVE_AES_DECRYPT
        /* Decrypt with a second, independently keyed context. */
        XMEMSET(&gcmDec, 0, sizeof(gcmDec));
        ExpectIntEQ(wc_AesInit(&gcmDec, NULL, INVALID_DEVID), 0);
        ExpectIntEQ(wc_AesGcmSetKey(&gcmDec, key_1b, sizeof(key_1b)), 0);
        ExpectIntEQ(wc_AesGcmDecrypt(&gcmDec, ptOut, ctOut, sizeof(ctOut),
            iv_1b, sizeof(iv_1b), tagOut, sizeof(tagOut),
            aad_1b, sizeof(aad_1b)), 0);
        ExpectBufEQ(ptOut, pt_1b, sizeof(pt_1b));
        wc_AesFree(&gcmDec);
#endif
        wc_AesFree(&gcmEnc);
    }
#endif /* WOLFSSL_AES_128 */

    /* ------------------------------------------------------------------
     * Section 2: 60-byte IV, AES-192
     * McGrew & Viega Test Case 12 - uses the shared 60-byte plaintext and
     * 20-byte AAD from Test Case 16, but with a 60-byte (non-96-bit) IV.
     * Reference: wolfcrypt/test/test.c vectors k2/iv2/p/a/c2/t2.
     * ------------------------------------------------------------------ */
#ifdef WOLFSSL_AES_192
    {
        static const byte key_60b[AES_192_KEY_SIZE] = {
            0xfe,0xff,0xe9,0x92, 0x86,0x65,0x73,0x1c,
            0x6d,0x6a,0x8f,0x94, 0x67,0x30,0x83,0x08,
            0xfe,0xff,0xe9,0x92, 0x86,0x65,0x73,0x1c
        };
        static const byte iv_60b[60] = {
            0x93,0x13,0x22,0x5d, 0xf8,0x84,0x06,0xe5,
            0x55,0x90,0x9c,0x5a, 0xff,0x52,0x69,0xaa,
            0x6a,0x7a,0x95,0x38, 0x53,0x4f,0x7d,0xa1,
            0xe4,0xc3,0x03,0xd2, 0xa3,0x18,0xa7,0x28,
            0xc3,0xc0,0xc9,0x51, 0x56,0x80,0x95,0x39,
            0xfc,0xf0,0xe2,0x42, 0x9a,0x6b,0x52,0x54,
            0x16,0xae,0xdb,0xf5, 0xa0,0xde,0x6a,0x57,
            0xa6,0x37,0xb3,0x9b
        };
        static const byte pt_60b[60] = {
            0xd9,0x31,0x32,0x25, 0xf8,0x84,0x06,0xe5,
            0xa5,0x59,0x09,0xc5, 0xaf,0xf5,0x26,0x9a,
            0x86,0xa7,0xa9,0x53, 0x15,0x34,0xf7,0xda,
            0x2e,0x4c,0x30,0x3d, 0x8a,0x31,0x8a,0x72,
            0x1c,0x3c,0x0c,0x95, 0x95,0x68,0x09,0x53,
            0x2f,0xcf,0x0e,0x24, 0x49,0xa6,0xb5,0x25,
            0xb1,0x6a,0xed,0xf5, 0xaa,0x0d,0xe6,0x57,
            0xba,0x63,0x7b,0x39
        };
        static const byte aad_60b[20] = {
            0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
            0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
            0xab,0xad,0xda,0xd2
        };
        static const byte expCt_60b[60] = {
            0xd2,0x7e,0x88,0x68, 0x1c,0xe3,0x24,0x3c,
            0x48,0x30,0x16,0x5a, 0x8f,0xdc,0xf9,0xff,
            0x1d,0xe9,0xa1,0xd8, 0xe6,0xb4,0x47,0xef,
            0x6e,0xf7,0xb7,0x98, 0x28,0x66,0x6e,0x45,
            0x81,0xe7,0x90,0x12, 0xaf,0x34,0xdd,0xd9,
            0xe2,0xf0,0x37,0x58, 0x9b,0x29,0x2d,0xb3,
            0xe6,0x7c,0x03,0x67, 0x45,0xfa,0x22,0xe7,
            0xe9,0xb7,0x37,0x3b
        };
        static const byte expTag_60b[WC_AES_BLOCK_SIZE] = {
            0xdc,0xf5,0x66,0xff, 0x29,0x1c,0x25,0xbb,
            0xb8,0x56,0x8f,0xc3, 0xd3,0x76,0xa6,0xd9
        };
        Aes  gcmEnc;
        byte ctOut[60];
        byte tagOut[WC_AES_BLOCK_SIZE];
#ifdef HAVE_AES_DECRYPT
        Aes  gcmDec;
        byte ptOut[60];
#endif

        /* Known-answer check: ciphertext and tag must match the vector. */
        XMEMSET(&gcmEnc, 0, sizeof(gcmEnc));
        ExpectIntEQ(wc_AesInit(&gcmEnc, NULL, INVALID_DEVID), 0);
        ExpectIntEQ(wc_AesGcmSetKey(&gcmEnc, key_60b, sizeof(key_60b)), 0);
        ExpectIntEQ(wc_AesGcmEncrypt(&gcmEnc, ctOut, pt_60b, sizeof(pt_60b),
            iv_60b, sizeof(iv_60b), tagOut, sizeof(tagOut),
            aad_60b, sizeof(aad_60b)), 0);
        ExpectBufEQ(ctOut,  expCt_60b,  sizeof(expCt_60b));
        ExpectBufEQ(tagOut, expTag_60b, sizeof(expTag_60b));

#ifdef HAVE_AES_DECRYPT
        /* Decrypt with a second, independently keyed context. */
        XMEMSET(&gcmDec, 0, sizeof(gcmDec));
        ExpectIntEQ(wc_AesInit(&gcmDec, NULL, INVALID_DEVID), 0);
        ExpectIntEQ(wc_AesGcmSetKey(&gcmDec, key_60b, sizeof(key_60b)), 0);
        ExpectIntEQ(wc_AesGcmDecrypt(&gcmDec, ptOut, ctOut, sizeof(ctOut),
            iv_60b, sizeof(iv_60b), tagOut, sizeof(tagOut),
            aad_60b, sizeof(aad_60b)), 0);
        ExpectBufEQ(ptOut, pt_60b, sizeof(pt_60b));
        wc_AesFree(&gcmDec);
#endif
        wc_AesFree(&gcmEnc);
    }
#endif /* WOLFSSL_AES_192 */

    /* ------------------------------------------------------------------
     * Section 3: Variable IV length loop, AES-128
     * Iterates IV lengths 1..GCM_NONCE_MAX_SZ.  For each length:
     *  - Encrypt succeeds.
     *  - Decrypt recovers the original plaintext (auth-tag verification).
     *  - The ciphertext differs from the one produced for the previous
     *    length (only adjacent lengths are compared).
     * No AAD is supplied in this section.
     * ------------------------------------------------------------------ */
#ifdef WOLFSSL_AES_128
    {
        static const byte key_var[AES_128_KEY_SIZE] = {
            0xfe,0xff,0xe9,0x92, 0x86,0x65,0x73,0x1c,
            0x6d,0x6a,0x8f,0x94, 0x67,0x30,0x83,0x08
        };
        /* IV material: reuse the key bytes, take the first ivLen bytes. */
        static const byte ivMat[GCM_NONCE_MAX_SZ] = {
            0xfe,0xff,0xe9,0x92, 0x86,0x65,0x73,0x1c,
            0x6d,0x6a,0x8f,0x94, 0x67,0x30,0x83,0x08
        };
        static const byte plain_var[AES_128_KEY_SIZE] = {
            0x00,0x01,0x02,0x03, 0x04,0x05,0x06,0x07,
            0x08,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f
        };
        Aes    gcm;
        byte   ctCur[AES_128_KEY_SIZE];
        byte   ctLast[AES_128_KEY_SIZE]; /* ciphertext from previous ivLen */
        byte   tagCur[WC_AES_BLOCK_SIZE];
#ifdef HAVE_AES_DECRYPT
        byte   ptBack[AES_128_KEY_SIZE];
#endif
        word32 ivLen;

        XMEMSET(&gcm, 0, sizeof(gcm));
        ExpectIntEQ(wc_AesInit(&gcm, NULL, INVALID_DEVID), 0);
        ExpectIntEQ(wc_AesGcmSetKey(&gcm, key_var, sizeof(key_var)), 0);

        ivLen = 1;
        while (ivLen <= GCM_NONCE_MAX_SZ && EXPECT_SUCCESS()) {
            XMEMSET(ctCur,  0, sizeof(ctCur));
            XMEMSET(tagCur, 0, sizeof(tagCur));

            ExpectIntEQ(wc_AesGcmEncrypt(&gcm, ctCur, plain_var,
                sizeof(plain_var), ivMat, ivLen, tagCur, sizeof(tagCur),
                NULL, 0), 0);

            /* From the second length on, ctLast holds the previous result
             * and must differ from the current one. */
            if (ivLen > 1) {
                ExpectIntNE(XMEMCMP(ctCur, ctLast, sizeof(ctCur)), 0);
            }
            XMEMCPY(ctLast, ctCur, sizeof(ctCur));

#ifdef HAVE_AES_DECRYPT
            XMEMSET(ptBack, 0, sizeof(ptBack));
            ExpectIntEQ(wc_AesGcmDecrypt(&gcm, ptBack, ctCur, sizeof(ctCur),
                ivMat, ivLen, tagCur, sizeof(tagCur), NULL, 0), 0);
            ExpectBufEQ(ptBack, plain_var, sizeof(plain_var));
#endif
            ivLen++;
        }
        wc_AesFree(&gcm);
    }
#endif /* WOLFSSL_AES_128 */

    /* ------------------------------------------------------------------
     * Section 4: Zero-length IV must be rejected.
     * The IV is passed as NULL with length 0, so a rejection here does not
     * distinguish the NULL pointer from the zero length.  Only the encrypt
     * call is checked.
     * ------------------------------------------------------------------ */
#ifdef WOLFSSL_AES_128
    {
        static const byte key_z[AES_128_KEY_SIZE] = { 0 };
        static const byte pt_z[1] = { 0 };
        Aes  gcm;
        byte ctOut[1];
        byte tagOut[WC_AES_BLOCK_SIZE];

        XMEMSET(&gcm, 0, sizeof(gcm));
        ExpectIntEQ(wc_AesInit(&gcm, NULL, INVALID_DEVID), 0);
        ExpectIntEQ(wc_AesGcmSetKey(&gcm, key_z, sizeof(key_z)), 0);
#ifdef HAVE_SELFTEST
        /* HAVE_SELFTEST builds are expected to accept the empty IV. */
        ExpectIntEQ(wc_AesGcmEncrypt(&gcm, ctOut, pt_z, sizeof(pt_z),
            NULL, 0, tagOut, sizeof(tagOut), NULL, 0), 0);
#else
        /* Any non-zero return counts as a rejection. */
        ExpectIntNE(wc_AesGcmEncrypt(&gcm, ctOut, pt_z, sizeof(pt_z),
            NULL, 0, tagOut, sizeof(tagOut), NULL, 0), 0);
#endif
        wc_AesFree(&gcm);
    }
#endif

#endif /* !NO_AES && HAVE_AESGCM && !HAVE_FIPS && !HW */
    return EXPECT_RESULT();
} /* END test_wc_AesGcmNonStdNonce */
3971
3972/*
3973 * Testing streaming AES-GCM API.
3974 */
3975int test_wc_AesGcmStream(void)
3976{
3977    EXPECT_DECLS;
3978#if !defined(NO_AES) && defined(WOLFSSL_AES_128) && defined(HAVE_AESGCM) && \
3979    defined(WOLFSSL_AESGCM_STREAM)
3980    int i;
3981    WC_RNG rng[1];
3982    Aes aesEnc[1];
3983    Aes aesDec[1];
3984    byte tag[WC_AES_BLOCK_SIZE];
3985    byte in[WC_AES_BLOCK_SIZE * 3 + 2] = { 0, };
3986    byte out[WC_AES_BLOCK_SIZE * 3 + 2];
3987    byte plain[WC_AES_BLOCK_SIZE * 3 + 2];
3988    byte aad[WC_AES_BLOCK_SIZE * 3 + 2] = { 0, };
3989    byte key[AES_128_KEY_SIZE] = { 0, };
3990    byte iv[AES_IV_SIZE] = { 1, };
3991    byte ivOut[AES_IV_SIZE];
3992    static const byte expTagAAD1[WC_AES_BLOCK_SIZE] = {
3993        0x6c, 0x35, 0xe6, 0x7f, 0x59, 0x9e, 0xa9, 0x2f,
3994        0x27, 0x2d, 0x5f, 0x8e, 0x7e, 0x42, 0xd3, 0x05
3995    };
3996    static const byte expTagPlain1[WC_AES_BLOCK_SIZE] = {
3997        0x24, 0xba, 0x57, 0x95, 0xd0, 0x27, 0x9e, 0x78,
3998        0x3a, 0x88, 0x4c, 0x0a, 0x5d, 0x50, 0x23, 0xd1
3999    };
4000    static const byte expTag[WC_AES_BLOCK_SIZE] = {
4001        0x22, 0x91, 0x70, 0xad, 0x42, 0xc3, 0xad, 0x96,
4002        0xe0, 0x31, 0x57, 0x60, 0xb7, 0x92, 0xa3, 0x6d
4003    };
4004
4005    XMEMSET(&rng, 0, sizeof(WC_RNG));
4006    XMEMSET(&aesEnc, 0, sizeof(Aes));
4007    XMEMSET(&aesDec, 0, sizeof(Aes));
4008
4009    /* Create a random for generating IV/nonce. */
4010    ExpectIntEQ(wc_InitRng(rng), 0);
4011
4012    /* Initialize data structures. */
4013    ExpectIntEQ(wc_AesInit(aesEnc, NULL, INVALID_DEVID), 0);
4014    ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
4015
4016    /* BadParameters to streaming init. */
4017    ExpectIntEQ(wc_AesGcmEncryptInit(NULL, NULL, 0, NULL, 0),
4018        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4019    ExpectIntEQ(wc_AesGcmDecryptInit(NULL, NULL, 0, NULL, 0),
4020        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4021    ExpectIntEQ(wc_AesGcmDecryptInit(aesEnc, NULL, AES_128_KEY_SIZE, NULL,
4022        0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4023    ExpectIntEQ(wc_AesGcmDecryptInit(aesEnc, NULL, 0, NULL, GCM_NONCE_MID_SZ),
4024        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4025
4026    /* Bad parameters to encrypt update. */
4027    ExpectIntEQ(wc_AesGcmEncryptUpdate(NULL, NULL, NULL, 0, NULL, 0),
4028        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4029    ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 1, NULL, 0),
4030        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4031    ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, in, 1, NULL, 0),
4032        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4033    ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, out, NULL, 1, NULL, 0),
4034        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4035    ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 0, NULL, 1),
4036        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4037    /* Bad parameters to decrypt update. */
4038    ExpectIntEQ(wc_AesGcmDecryptUpdate(NULL, NULL, NULL, 0, NULL, 0),
4039        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4040    ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 1, NULL, 0),
4041        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4042    ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, in, 1, NULL, 0),
4043        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4044    ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, out, NULL, 1, NULL, 0),
4045        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4046    ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 0, NULL, 1),
4047        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4048
4049    /* Bad parameters to encrypt final. */
4050    ExpectIntEQ(wc_AesGcmEncryptFinal(NULL, NULL, 0),
4051        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4052    ExpectIntEQ(wc_AesGcmEncryptFinal(NULL, tag, 0),
4053        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4054    ExpectIntEQ(wc_AesGcmEncryptFinal(NULL, NULL, WC_AES_BLOCK_SIZE),
4055        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4056    ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, 0),
4057        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4058    ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, NULL, WC_AES_BLOCK_SIZE),
4059        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4060    ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE + 1),
4061        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4062    /* Bad parameters to decrypt final. */
4063    ExpectIntEQ(wc_AesGcmDecryptFinal(NULL, NULL, 0),
4064        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4065    ExpectIntEQ(wc_AesGcmDecryptFinal(NULL, tag, 0),
4066        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4067    ExpectIntEQ(wc_AesGcmDecryptFinal(NULL, NULL, WC_AES_BLOCK_SIZE),
4068        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4069    ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, 0),
4070        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4071    ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, NULL, WC_AES_BLOCK_SIZE),
4072        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4073    ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE + 1),
4074        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4075
4076    /* Check calling final before setting key fails. */
4077    ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, sizeof(tag)),
4078        WC_NO_ERR_TRACE(MISSING_KEY));
4079    ExpectIntEQ(wc_AesGcmEncryptFinal(aesDec, tag, sizeof(tag)),
4080        WC_NO_ERR_TRACE(MISSING_KEY));
4081    /* Check calling update before setting key else fails. */
4082    ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 0, aad, 1),
4083        WC_NO_ERR_TRACE(MISSING_KEY));
4084    ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 0, aad, 1),
4085        WC_NO_ERR_TRACE(MISSING_KEY));
4086
4087    /* Set key but not IV. */
4088    ExpectIntEQ(wc_AesGcmInit(aesEnc, key, sizeof(key), NULL, 0), 0);
4089    ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), NULL, 0), 0);
4090    /* Check calling final before setting IV fails. */
4091    ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, sizeof(tag)),
4092        WC_NO_ERR_TRACE(MISSING_IV));
4093    ExpectIntEQ(wc_AesGcmEncryptFinal(aesDec, tag, sizeof(tag)),
4094        WC_NO_ERR_TRACE(MISSING_IV));
4095    /* Check calling update before setting IV else fails. */
4096    ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 0, aad, 1),
4097        WC_NO_ERR_TRACE(MISSING_IV));
4098    ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 0, aad, 1),
4099        WC_NO_ERR_TRACE(MISSING_IV));
4100
4101    /* Set IV using fixed part IV and external IV APIs. */
4102    ExpectIntEQ(wc_AesGcmSetIV(aesEnc, GCM_NONCE_MID_SZ, iv, AES_IV_FIXED_SZ,
4103        rng), 0);
4104    ExpectIntEQ(wc_AesGcmEncryptInit_ex(aesEnc, NULL, 0, ivOut,
4105        GCM_NONCE_MID_SZ), 0);
4106    ExpectIntEQ(wc_AesGcmSetExtIV(aesDec, ivOut, GCM_NONCE_MID_SZ), 0);
4107    ExpectIntEQ(wc_AesGcmInit(aesDec, NULL, 0, NULL, 0), 0);
4108    /* Encrypt and decrypt data. */
4109    ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, out, in, 1, aad, 1), 0);
4110    ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, plain, out, 1, aad, 1), 0);
4111    ExpectIntEQ(XMEMCMP(plain, in, 1), 0);
4112    /* Finalize and check tag matches. */
4113    ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE), 0);
4114    ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE), 0);
4115
4116    /* Set key and IV through streaming init API. */
4117    wc_AesFree(aesEnc);
4118    wc_AesFree(aesDec);
4119    ExpectIntEQ(wc_AesInit(aesEnc, NULL, INVALID_DEVID), 0);
4120    ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
4121    ExpectIntEQ(wc_AesGcmInit(aesEnc, key, sizeof(key), iv, AES_IV_SIZE), 0);
4122    ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), iv, AES_IV_SIZE), 0);
4123    /* Encrypt/decrypt one block and AAD of one block. */
4124    ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, out, in, WC_AES_BLOCK_SIZE, aad,
4125        WC_AES_BLOCK_SIZE), 0);
4126    ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, plain, out, WC_AES_BLOCK_SIZE,
4127        aad, WC_AES_BLOCK_SIZE), 0);
4128    ExpectIntEQ(XMEMCMP(plain, in, WC_AES_BLOCK_SIZE), 0);
4129    /* Finalize and check tag matches. */
4130    ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE), 0);
4131    ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE), 0);
4132
4133    /* Set key and IV through streaming init API. */
4134    wc_AesFree(aesEnc);
4135    wc_AesFree(aesDec);
4136    ExpectIntEQ(wc_AesInit(aesEnc, NULL, INVALID_DEVID), 0);
4137    ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
4138    ExpectIntEQ(wc_AesGcmInit(aesEnc, key, sizeof(key), iv, AES_IV_SIZE), 0);
4139    ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), iv, AES_IV_SIZE), 0);
4140    /* No data to encrypt/decrypt one byte of AAD. */
4141    ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 0, aad, 1), 0);
4142    ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 0, aad, 1), 0);
4143    /* Finalize and check tag matches. */
4144    ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE), 0);
4145    ExpectIntEQ(XMEMCMP(tag, expTagAAD1, WC_AES_BLOCK_SIZE), 0);
4146    ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE), 0);
4147
4148    /* Set key and IV through streaming init API. */
4149    wc_AesFree(aesEnc);
4150    wc_AesFree(aesDec);
4151    ExpectIntEQ(wc_AesInit(aesEnc, NULL, INVALID_DEVID), 0);
4152    ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
4153    ExpectIntEQ(wc_AesGcmInit(aesEnc, key, sizeof(key), iv, AES_IV_SIZE), 0);
4154    ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), iv, AES_IV_SIZE), 0);
4155    /* Encrypt/decrypt one byte and no AAD. */
4156    ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, out, in, 1, NULL, 0), 0);
4157    ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, plain, out, 1, NULL, 0), 0);
4158    ExpectIntEQ(XMEMCMP(plain, in, 1), 0);
4159    /* Finalize and check tag matches. */
4160    ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE), 0);
4161    ExpectIntEQ(XMEMCMP(tag, expTagPlain1, WC_AES_BLOCK_SIZE), 0);
4162    ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE), 0);
4163
4164    /* Set key and IV through streaming init API. */
4165    wc_AesFree(aesEnc);
4166    wc_AesFree(aesDec);
4167    ExpectIntEQ(wc_AesInit(aesEnc, NULL, INVALID_DEVID), 0);
4168    ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
4169    ExpectIntEQ(wc_AesGcmInit(aesEnc, key, sizeof(key), iv, AES_IV_SIZE), 0);
4170    ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), iv, AES_IV_SIZE), 0);
4171    /* Encryption AES is one byte at a time */
4172    for (i = 0; i < (int)sizeof(aad); i++) {
4173        ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, NULL, NULL, 0, aad + i, 1),
4174            0);
4175    }
4176    for (i = 0; i < (int)sizeof(in); i++) {
4177        ExpectIntEQ(wc_AesGcmEncryptUpdate(aesEnc, out + i, in + i, 1, NULL, 0),
4178            0);
4179    }
4180    /* Decryption AES is two bytes at a time */
4181    for (i = 0; i < (int)sizeof(aad); i += 2) {
4182        ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, NULL, NULL, 0, aad + i, 2),
4183            0);
4184    }
4185    for (i = 0; i < (int)sizeof(aad); i += 2) {
4186        ExpectIntEQ(wc_AesGcmDecryptUpdate(aesDec, plain + i, out + i, 2, NULL,
4187            0), 0);
4188    }
4189    ExpectIntEQ(XMEMCMP(plain, in, sizeof(in)), 0);
4190    /* Finalize and check tag matches. */
4191    ExpectIntEQ(wc_AesGcmEncryptFinal(aesEnc, tag, WC_AES_BLOCK_SIZE), 0);
4192    ExpectIntEQ(XMEMCMP(tag, expTag, WC_AES_BLOCK_SIZE), 0);
4193    ExpectIntEQ(wc_AesGcmDecryptFinal(aesDec, tag, WC_AES_BLOCK_SIZE), 0);
4194
4195    /* Check streaming encryption can be decrypted with one shot. */
4196    wc_AesFree(aesDec);
4197    ExpectIntEQ(wc_AesInit(aesDec, NULL, INVALID_DEVID), 0);
4198    ExpectIntEQ(wc_AesGcmInit(aesDec, key, sizeof(key), iv, AES_IV_SIZE), 0);
4199    ExpectIntEQ(wc_AesGcmSetKey(aesDec, key, sizeof(key)), 0);
4200    ExpectIntEQ(wc_AesGcmDecrypt(aesDec, plain, out, sizeof(in), iv,
4201        AES_IV_SIZE, tag, WC_AES_BLOCK_SIZE, aad, sizeof(aad)), 0);
4202    ExpectIntEQ(XMEMCMP(plain, in, sizeof(in)), 0);
4203
4204    wc_AesFree(aesEnc);
4205    wc_AesFree(aesDec);
4206    wc_FreeRng(rng);
4207#endif
4208    return EXPECT_RESULT();
4209} /* END test_wc_AesGcmStream */
4210
4211/*******************************************************************************
4212 * AES-GCM streaming mid-stream state corruption
4213 ******************************************************************************/
4214
4215/*
4216 * Verify that the AES-GCM streaming API enforces its state flags even when
4217 * they are cleared after a streaming session has already been started.
4218 *
4219 * The state is represented by three bitfields in struct Aes:
4220 *   gcmKeySet  - set by wc_AesGcmInit/SetKey
4221 *   nonceSet   - set by wc_AesGcmInit (when an IV is provided)
4222 *   ctrSet     - set once the keystream counter has been initialised
4223 *
4224 * Clearing these fields mid-stream simulates either a software bug or a
4225 * deliberate tampering attempt, and the API must detect and reject it.
4226 */
4227int test_wc_AesGcmStream_MidStreamState(void)
4228{
4229    EXPECT_DECLS;
4230#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) && \
4231    defined(WOLFSSL_AESGCM_STREAM)
4232    static const byte key[AES_128_KEY_SIZE] = { 0 };
4233    static const byte iv[GCM_NONCE_MID_SZ]  = { 1 };
4234    static const byte aad[4] = { 0xfe, 0xed, 0xfa, 0xce };
4235    static const byte in[4]  = { 0x00, 0x01, 0x02, 0x03 };
4236    Aes aes[1];
4237    byte out[4];
4238    byte tag[WC_AES_BLOCK_SIZE];
4239
4240    XMEMSET(aes, 0, sizeof(Aes));
4241    ExpectIntEQ(wc_AesInit(aes, NULL, INVALID_DEVID), 0);
4242
4243    /* ------------------------------------------------------------------
4244     * Test 1: clear gcmKeySet after streaming has started -> MISSING_KEY
4245     * ------------------------------------------------------------------ */
4246    ExpectIntEQ(wc_AesGcmInit(aes, key, sizeof(key), iv, sizeof(iv)), 0);
4247    ExpectIntEQ(wc_AesGcmEncryptUpdate(aes, out, in, sizeof(in),
4248        aad, sizeof(aad)), 0);
4249    /* Corrupt the key-set flag mid-stream. */
4250    aes->gcmKeySet = 0;
4251    ExpectIntEQ(wc_AesGcmEncryptFinal(aes, tag, sizeof(tag)),
4252        WC_NO_ERR_TRACE(MISSING_KEY));
4253
4254    /* ------------------------------------------------------------------
4255     * Test 2: clear nonceSet after streaming has started -> MISSING_IV
4256     * ------------------------------------------------------------------ */
4257    ExpectIntEQ(wc_AesGcmInit(aes, key, sizeof(key), iv, sizeof(iv)), 0);
4258    ExpectIntEQ(wc_AesGcmEncryptUpdate(aes, out, in, sizeof(in),
4259        aad, sizeof(aad)), 0);
4260    /* Corrupt the nonce-set flag mid-stream. */
4261    aes->nonceSet = 0;
4262    ExpectIntEQ(wc_AesGcmEncryptFinal(aes, tag, sizeof(tag)),
4263        WC_NO_ERR_TRACE(MISSING_IV));
4264
4265#ifdef HAVE_AES_DECRYPT
4266    /* ------------------------------------------------------------------
4267     * Test 3: clear gcmKeySet during a decrypt session -> MISSING_KEY
4268     * ------------------------------------------------------------------ */
4269    ExpectIntEQ(wc_AesGcmDecryptInit(aes, key, sizeof(key), iv, sizeof(iv)), 0);
4270    ExpectIntEQ(wc_AesGcmDecryptUpdate(aes, out, in, sizeof(in),
4271        aad, sizeof(aad)), 0);
4272    aes->gcmKeySet = 0;
4273    ExpectIntEQ(wc_AesGcmDecryptFinal(aes, tag, sizeof(tag)),
4274        WC_NO_ERR_TRACE(MISSING_KEY));
4275#endif
4276
4277    wc_AesFree(aes);
4278#endif
4279    return EXPECT_RESULT();
4280} /* END test_wc_AesGcmStream_MidStreamState */
4281
4282/*******************************************************************************
4283 * AES-GCM streaming re-initialization after Final
4284 ******************************************************************************/
4285
4286/*
4287 * Verify that an AES-GCM streaming context can be re-initialized and reused
4288 * after wc_AesGcmEncryptFinal / wc_AesGcmDecryptFinal.
4289 *
4290 * wc_AesGcmInit resets the GHASH accumulator and running-length counters
4291 * (aSz, cSz, over) and re-initialises the keystream counter, so calling it
4292 * again after Final must produce a clean new session.
4293 *
4294 *  1. Re-init with the same key and IV produces identical ciphertext and tag.
4295 *  2. Re-init with a different IV produces different ciphertext and tag.
4296 *  3. Re-init after an abandoned session (Init but no Final) also works.
4297 *  4. Decrypt re-init: re-initialise the decrypt context and recover plaintext.
4298 */
4299int test_wc_AesGcmStream_ReinitAfterFinal(void)
4300{
4301    EXPECT_DECLS;
4302#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) && \
4303    defined(WOLFSSL_AESGCM_STREAM)
4304    static const byte key[AES_128_KEY_SIZE] = {
4305        0xfe,0xff,0xe9,0x92, 0x86,0x65,0x73,0x1c,
4306        0x6d,0x6a,0x8f,0x94, 0x67,0x30,0x83,0x08
4307    };
4308    static const byte iv1[GCM_NONCE_MID_SZ] = {
4309        0xca,0xfe,0xba,0xbe, 0xfa,0xce,0xdb,0xad,
4310        0xde,0xca,0xf8,0x88
4311    };
4312    /* Different IV - last byte changed. */
4313    static const byte iv2[GCM_NONCE_MID_SZ] = {
4314        0xca,0xfe,0xba,0xbe, 0xfa,0xce,0xdb,0xad,
4315        0xde,0xca,0xf8,0x89
4316    };
4317    static const byte aad[20] = {
4318        0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
4319        0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
4320        0xab,0xad,0xda,0xd2
4321    };
4322    static const byte plain[16] = {
4323        0xd9,0x31,0x32,0x25, 0xf8,0x84,0x06,0xe5,
4324        0xa5,0x59,0x09,0xc5, 0xaf,0xf5,0x26,0x9a
4325    };
4326    Aes enc[1];
4327#ifdef HAVE_AES_DECRYPT
4328    Aes dec[1];
4329#endif
4330    byte ct1[sizeof(plain)], ct2[sizeof(plain)], ct3[sizeof(plain)];
4331    byte tag1[WC_AES_BLOCK_SIZE], tag2[WC_AES_BLOCK_SIZE],
4332         tag3[WC_AES_BLOCK_SIZE];
4333#ifdef HAVE_AES_DECRYPT
4334    byte pt[sizeof(plain)];
4335#endif
4336
4337    XMEMSET(enc, 0, sizeof(Aes));
4338    ExpectIntEQ(wc_AesInit(enc, NULL, INVALID_DEVID), 0);
4339
4340    /* ---- Session 1: baseline ---- */
4341    ExpectIntEQ(wc_AesGcmInit(enc, key, sizeof(key), iv1, sizeof(iv1)), 0);
4342    ExpectIntEQ(wc_AesGcmEncryptUpdate(enc, ct1, plain, sizeof(plain),
4343        aad, sizeof(aad)), 0);
4344    ExpectIntEQ(wc_AesGcmEncryptFinal(enc, tag1, sizeof(tag1)), 0);
4345
4346    /* ---- Session 2: re-init with same key and IV -> must match ---- */
4347    ExpectIntEQ(wc_AesGcmInit(enc, key, sizeof(key), iv1, sizeof(iv1)), 0);
4348    ExpectIntEQ(wc_AesGcmEncryptUpdate(enc, ct2, plain, sizeof(plain),
4349        aad, sizeof(aad)), 0);
4350    ExpectIntEQ(wc_AesGcmEncryptFinal(enc, tag2, sizeof(tag2)), 0);
4351    ExpectBufEQ(ct2,  ct1,  sizeof(ct1));
4352    ExpectBufEQ(tag2, tag1, sizeof(tag1));
4353
4354    /* ---- Session 3: re-init with different IV -> must differ ---- */
4355    ExpectIntEQ(wc_AesGcmInit(enc, key, sizeof(key), iv2, sizeof(iv2)), 0);
4356    ExpectIntEQ(wc_AesGcmEncryptUpdate(enc, ct3, plain, sizeof(plain),
4357        aad, sizeof(aad)), 0);
4358    ExpectIntEQ(wc_AesGcmEncryptFinal(enc, tag3, sizeof(tag3)), 0);
4359    ExpectIntNE(XMEMCMP(ct3,  ct1,  sizeof(ct1)),  0);
4360    ExpectIntNE(XMEMCMP(tag3, tag1, sizeof(tag1)), 0);
4361
4362    /* ---- Session 4: re-init after abandoned session ----
4363     * Start a session (Init + Update) but never call Final, then re-init. */
4364    ExpectIntEQ(wc_AesGcmInit(enc, key, sizeof(key), iv2, sizeof(iv2)), 0);
4365    /* partial update - abandon without Final */
4366    ExpectIntEQ(wc_AesGcmEncryptUpdate(enc, ct3, plain, sizeof(plain),
4367        aad, sizeof(aad)), 0);
4368    /* Re-init with iv1 - must produce session-1 output. */
4369    ExpectIntEQ(wc_AesGcmInit(enc, key, sizeof(key), iv1, sizeof(iv1)), 0);
4370    ExpectIntEQ(wc_AesGcmEncryptUpdate(enc, ct2, plain, sizeof(plain),
4371        aad, sizeof(aad)), 0);
4372    ExpectIntEQ(wc_AesGcmEncryptFinal(enc, tag2, sizeof(tag2)), 0);
4373    ExpectBufEQ(ct2,  ct1,  sizeof(ct1));
4374    ExpectBufEQ(tag2, tag1, sizeof(tag1));
4375
4376    wc_AesFree(enc);
4377
4378#ifdef HAVE_AES_DECRYPT
4379    /* ---- Decrypt: re-init recovers plaintext on each session ---- */
4380    XMEMSET(dec, 0, sizeof(Aes));
4381    ExpectIntEQ(wc_AesInit(dec, NULL, INVALID_DEVID), 0);
4382
4383    /* Session A: decrypt ct1 with iv1 -> plaintext. */
4384    ExpectIntEQ(wc_AesGcmDecryptInit(dec, key, sizeof(key), iv1, sizeof(iv1)), 0);
4385    ExpectIntEQ(wc_AesGcmDecryptUpdate(dec, pt, ct1, sizeof(ct1),
4386        aad, sizeof(aad)), 0);
4387    ExpectIntEQ(wc_AesGcmDecryptFinal(dec, tag1, sizeof(tag1)), 0);
4388    ExpectBufEQ(pt, plain, sizeof(plain));
4389
4390    /* Session B: re-init and decrypt again -> same plaintext. */
4391    ExpectIntEQ(wc_AesGcmDecryptInit(dec, key, sizeof(key), iv1, sizeof(iv1)), 0);
4392    ExpectIntEQ(wc_AesGcmDecryptUpdate(dec, pt, ct1, sizeof(ct1),
4393        aad, sizeof(aad)), 0);
4394    ExpectIntEQ(wc_AesGcmDecryptFinal(dec, tag1, sizeof(tag1)), 0);
4395    ExpectBufEQ(pt, plain, sizeof(plain));
4396
4397    wc_AesFree(dec);
4398#endif
4399#endif
4400    return EXPECT_RESULT();
4401} /* END test_wc_AesGcmStream_ReinitAfterFinal */
4402
4403int test_wc_AesGcmStream_BadAuthTag(void)
4404{
4405    EXPECT_DECLS;
4406#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(HAVE_AES_DECRYPT) && \
4407    defined(WOLFSSL_AES_128) && defined(WOLFSSL_AESGCM_STREAM)
4408    static const byte key[AES_128_KEY_SIZE] = {
4409        0xfe,0xff,0xe9,0x92, 0x86,0x65,0x73,0x1c,
4410        0x6d,0x6a,0x8f,0x94, 0x67,0x30,0x83,0x08
4411    };
4412    static const byte iv[GCM_NONCE_MID_SZ] = {
4413        0xca,0xfe,0xba,0xbe, 0xfa,0xce,0xdb,0xad,
4414        0xde,0xca,0xf8,0x88
4415    };
4416    static const byte aad[20] = {
4417        0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
4418        0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
4419        0xab,0xad,0xda,0xd2
4420    };
4421    static const byte plain[16] = {
4422        0xd9,0x31,0x32,0x25, 0xf8,0x84,0x06,0xe5,
4423        0xa5,0x59,0x09,0xc5, 0xaf,0xf5,0x26,0x9a
4424    };
4425    Aes enc[1];
4426    Aes dec[1];
4427    byte ct[sizeof(plain)];
4428    byte pt[sizeof(plain)];
4429    byte tag[WC_AES_BLOCK_SIZE];
4430    byte bad_aad[sizeof(aad)];
4431
4432    XMEMSET(enc, 0, sizeof(Aes));
4433    XMEMSET(dec, 0, sizeof(Aes));
4434    XMEMSET(tag, 0, sizeof(tag));
4435
4436    ExpectIntEQ(wc_AesInit(enc, NULL, INVALID_DEVID), 0);
4437    ExpectIntEQ(wc_AesGcmInit(enc, key, sizeof(key), iv, sizeof(iv)), 0);
4438    ExpectIntEQ(wc_AesGcmEncryptUpdate(enc, ct, plain, sizeof(plain),
4439        aad, sizeof(aad)), 0);
4440    ExpectIntEQ(wc_AesGcmEncryptFinal(enc, tag, sizeof(tag)), 0);
4441    wc_AesFree(enc);
4442
4443    tag[0] ^= 0x01;
4444
4445    ExpectIntEQ(wc_AesInit(dec, NULL, INVALID_DEVID), 0);
4446    ExpectIntEQ(wc_AesGcmDecryptInit(dec, key, sizeof(key), iv, sizeof(iv)), 0);
4447    ExpectIntEQ(wc_AesGcmDecryptUpdate(dec, pt, ct, sizeof(ct),
4448        aad, sizeof(aad)), 0);
4449    ExpectIntEQ(wc_AesGcmDecryptFinal(dec, tag, sizeof(tag)),
4450        WC_NO_ERR_TRACE(AES_GCM_AUTH_E));
4451    wc_AesFree(dec);
4452
4453    tag[0] ^= 0x01;
4454    XMEMCPY(bad_aad, aad, sizeof(aad));
4455    bad_aad[0] ^= 0x01;
4456    ExpectIntEQ(wc_AesInit(dec, NULL, INVALID_DEVID), 0);
4457    ExpectIntEQ(wc_AesGcmDecryptInit(dec, key, sizeof(key), iv, sizeof(iv)), 0);
4458    ExpectIntEQ(wc_AesGcmDecryptUpdate(dec, pt, ct, sizeof(ct),
4459        bad_aad, sizeof(bad_aad)), 0);
4460    ExpectIntEQ(wc_AesGcmDecryptFinal(dec, tag, sizeof(tag)),
4461        WC_NO_ERR_TRACE(AES_GCM_AUTH_E));
4462    wc_AesFree(dec);
4463#endif
4464    return EXPECT_RESULT();
4465}
4466
4467/*******************************************************************************
4468 * GMAC
4469 ******************************************************************************/
4470
4471/*
4472 * unit test for wc_GmacSetKey()
4473 */
4474int test_wc_GmacSetKey(void)
4475{
4476    EXPECT_DECLS;
4477#if !defined(NO_AES) && defined(HAVE_AESGCM)
4478    Gmac gmac;
4479    byte key16[] = {
4480        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
4481        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
4482    };
4483#ifdef WOLFSSL_AES_192
4484    byte key24[] = {
4485        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
4486        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
4487        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
4488    };
4489#endif
4490#ifdef WOLFSSL_AES_256
4491    byte key32[] = {
4492        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
4493        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
4494        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
4495        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
4496    };
4497#endif
4498    byte badKey16[] = {
4499        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
4500        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x66
4501    };
4502    byte badKey24[] = {
4503        0x30, 0x31, 0x32, 0x33, 0x34, 0x36, 0x37,
4504        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
4505        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
4506    };
4507    byte badKey32[] = {
4508        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
4509        0x38, 0x39, 0x61, 0x62, 0x64, 0x65, 0x66,
4510        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
4511        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
4512    };
4513
4514    XMEMSET(&gmac, 0, sizeof(Gmac));
4515
4516    ExpectIntEQ(wc_AesInit(&gmac.aes, NULL, INVALID_DEVID), 0);
4517
4518#ifdef WOLFSSL_AES_128
4519    ExpectIntEQ(wc_GmacSetKey(&gmac, key16, sizeof(key16)/sizeof(byte)), 0);
4520#endif
4521#ifdef WOLFSSL_AES_192
4522    ExpectIntEQ(wc_GmacSetKey(&gmac, key24, sizeof(key24)/sizeof(byte)), 0);
4523#endif
4524#ifdef WOLFSSL_AES_256
4525    ExpectIntEQ(wc_GmacSetKey(&gmac, key32, sizeof(key32)/sizeof(byte)), 0);
4526#endif
4527
4528    /* Pass in bad args. */
4529    ExpectIntEQ(wc_GmacSetKey(NULL, key16, sizeof(key16)/sizeof(byte)),
4530        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4531    ExpectIntEQ(wc_GmacSetKey(&gmac, NULL, sizeof(key16)/sizeof(byte)),
4532        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4533    ExpectIntEQ(wc_GmacSetKey(&gmac, badKey16, sizeof(badKey16)/sizeof(byte)),
4534        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4535    ExpectIntEQ(wc_GmacSetKey(&gmac, badKey24, sizeof(badKey24)/sizeof(byte)),
4536        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4537    ExpectIntEQ(wc_GmacSetKey(&gmac, badKey32, sizeof(badKey32)/sizeof(byte)),
4538        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4539
4540    wc_AesFree(&gmac.aes);
4541#endif
4542    return EXPECT_RESULT();
4543} /* END test_wc_GmacSetKey */
4544
4545/*
4546 * unit test for wc_GmacUpdate
4547 */
4548int test_wc_GmacUpdate(void)
4549{
4550    EXPECT_DECLS;
4551#if !defined(NO_AES) && defined(HAVE_AESGCM)
4552    Gmac gmac;
4553#ifdef WOLFSSL_AES_128
4554    const byte key16[] = {
4555        0x89, 0xc9, 0x49, 0xe9, 0xc8, 0x04, 0xaf, 0x01,
4556        0x4d, 0x56, 0x04, 0xb3, 0x94, 0x59, 0xf2, 0xc8
4557    };
4558#endif
4559#ifdef WOLFSSL_AES_192
4560    byte key24[] = {
4561        0x41, 0xc5, 0xda, 0x86, 0x67, 0xef, 0x72, 0x52,
4562        0x20, 0xff, 0xe3, 0x9a, 0xe0, 0xac, 0x59, 0x0a,
4563        0xc9, 0xfc, 0xa7, 0x29, 0xab, 0x60, 0xad, 0xa0
4564    };
4565#endif
4566#ifdef WOLFSSL_AES_256
4567   byte key32[] = {
4568        0x78, 0xdc, 0x4e, 0x0a, 0xaf, 0x52, 0xd9, 0x35,
4569        0xc3, 0xc0, 0x1e, 0xea, 0x57, 0x42, 0x8f, 0x00,
4570        0xca, 0x1f, 0xd4, 0x75, 0xf5, 0xda, 0x86, 0xa4,
4571        0x9c, 0x8d, 0xd7, 0x3d, 0x68, 0xc8, 0xe2, 0x23
4572    };
4573#endif
4574#ifdef WOLFSSL_AES_128
4575    const byte authIn[] = {
4576        0x82, 0xad, 0xcd, 0x63, 0x8d, 0x3f, 0xa9, 0xd9,
4577        0xf3, 0xe8, 0x41, 0x00, 0xd6, 0x1e, 0x07, 0x77
4578    };
4579#endif
4580#ifdef WOLFSSL_AES_192
4581    const byte authIn2[] = {
4582       0x8b, 0x5c, 0x12, 0x4b, 0xef, 0x6e, 0x2f, 0x0f,
4583       0xe4, 0xd8, 0xc9, 0x5c, 0xd5, 0xfa, 0x4c, 0xf1
4584    };
4585#endif
4586    const byte authIn3[] = {
4587        0xb9, 0x6b, 0xaa, 0x8c, 0x1c, 0x75, 0xa6, 0x71,
4588        0xbf, 0xb2, 0xd0, 0x8d, 0x06, 0xbe, 0x5f, 0x36
4589    };
4590#ifdef WOLFSSL_AES_128
4591    const byte tag1[] = { /* Known. */
4592        0x88, 0xdb, 0x9d, 0x62, 0x17, 0x2e, 0xd0, 0x43,
4593        0xaa, 0x10, 0xf1, 0x6d, 0x22, 0x7d, 0xc4, 0x1b
4594    };
4595#endif
4596#ifdef WOLFSSL_AES_192
4597    const byte tag2[] = { /* Known */
4598        0x20, 0x4b, 0xdb, 0x1b, 0xd6, 0x21, 0x54, 0xbf,
4599        0x08, 0x92, 0x2a, 0xaa, 0x54, 0xee, 0xd7, 0x05
4600    };
4601#endif
4602    const byte tag3[] = { /* Known */
4603        0x3e, 0x5d, 0x48, 0x6a, 0xa2, 0xe3, 0x0b, 0x22,
4604        0xe0, 0x40, 0xb8, 0x57, 0x23, 0xa0, 0x6e, 0x76
4605    };
4606#ifdef WOLFSSL_AES_128
4607    const byte iv[] = {
4608        0xd1, 0xb1, 0x04, 0xc8, 0x15, 0xbf, 0x1e, 0x94,
4609        0xe2, 0x8c, 0x8f, 0x16
4610    };
4611#endif
4612#ifdef WOLFSSL_AES_192
4613    const byte iv2[] = {
4614        0x05, 0xad, 0x13, 0xa5, 0xe2, 0xc2, 0xab, 0x66,
4615        0x7e, 0x1a, 0x6f, 0xbc
4616    };
4617#endif
4618    const byte iv3[] = {
4619        0xd7, 0x9c, 0xf2, 0x2d, 0x50, 0x4c, 0xc7, 0x93,
4620        0xc3, 0xfb, 0x6c, 0x8a
4621    };
4622    byte tagOut[16];
4623    byte tagOut2[24];
4624    byte tagOut3[32];
4625
4626    /* Init stack variables. */
4627    XMEMSET(&gmac, 0, sizeof(Gmac));
4628    XMEMSET(tagOut, 0, sizeof(tagOut));
4629    XMEMSET(tagOut2, 0, sizeof(tagOut2));
4630    XMEMSET(tagOut3, 0, sizeof(tagOut3));
4631
4632#ifdef WOLFSSL_AES_128
4633    ExpectIntEQ(wc_AesInit(&gmac.aes, NULL, INVALID_DEVID), 0);
4634    ExpectIntEQ(wc_GmacSetKey(&gmac, key16, sizeof(key16)), 0);
4635    ExpectIntEQ(wc_GmacUpdate(&gmac, iv, sizeof(iv), authIn, sizeof(authIn),
4636        tagOut, sizeof(tag1)), 0);
4637    ExpectIntEQ(XMEMCMP(tag1, tagOut, sizeof(tag1)), 0);
4638    wc_AesFree(&gmac.aes);
4639#endif
4640
4641#ifdef WOLFSSL_AES_192
4642    ExpectNotNull(XMEMSET(&gmac, 0, sizeof(Gmac)));
4643    ExpectIntEQ(wc_AesInit(&gmac.aes, HEAP_HINT, INVALID_DEVID), 0);
4644    ExpectIntEQ(wc_GmacSetKey(&gmac, key24, sizeof(key24)/sizeof(byte)), 0);
4645    ExpectIntEQ(wc_GmacUpdate(&gmac, iv2, sizeof(iv2), authIn2, sizeof(authIn2),
4646        tagOut2, sizeof(tag2)), 0);
4647    ExpectIntEQ(XMEMCMP(tagOut2, tag2, sizeof(tag2)), 0);
4648    wc_AesFree(&gmac.aes);
4649#endif
4650
4651#ifdef WOLFSSL_AES_256
4652    ExpectNotNull(XMEMSET(&gmac, 0, sizeof(Gmac)));
4653    ExpectIntEQ(wc_AesInit(&gmac.aes, HEAP_HINT, INVALID_DEVID), 0);
4654    ExpectIntEQ(wc_GmacSetKey(&gmac, key32, sizeof(key32)/sizeof(byte)), 0);
4655    ExpectIntEQ(wc_GmacUpdate(&gmac, iv3, sizeof(iv3), authIn3, sizeof(authIn3),
4656        tagOut3, sizeof(tag3)), 0);
4657    ExpectIntEQ(XMEMCMP(tag3, tagOut3, sizeof(tag3)), 0);
4658    wc_AesFree(&gmac.aes);
4659#endif
4660
4661    /* Pass bad args. */
4662    ExpectIntEQ(wc_AesInit(&gmac.aes, NULL, INVALID_DEVID), 0);
4663    ExpectIntEQ(wc_GmacUpdate(NULL, iv3, sizeof(iv3), authIn3, sizeof(authIn3),
4664        tagOut3, sizeof(tag3)), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4665    ExpectIntEQ(wc_GmacUpdate(&gmac, iv3, sizeof(iv3), authIn3, sizeof(authIn3),
4666        tagOut3, sizeof(tag3) - 5), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4667    ExpectIntEQ(wc_GmacUpdate(&gmac, iv3, sizeof(iv3), authIn3, sizeof(authIn3),
4668        tagOut3, sizeof(tag3) + 1),  WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4669    wc_AesFree(&gmac.aes);
4670
4671#endif
4672    return EXPECT_RESULT();
4673} /* END test_wc_GmacUpdate */
4674
4675/*******************************************************************************
4676 * AES-CCM
4677 ******************************************************************************/
4678
4679/*
4680 * unit test for wc_AesCcmSetKey
4681 */
4682int test_wc_AesCcmSetKey(void)
4683{
4684    EXPECT_DECLS;
4685#ifdef HAVE_AESCCM
4686    Aes aes;
4687    const byte key16[] = {
4688        0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
4689        0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf
4690    };
4691    const byte key24[] = {
4692        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
4693        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
4694        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
4695    };
4696    const byte key32[] = {
4697        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
4698        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
4699        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
4700        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
4701    };
4702
4703    XMEMSET(&aes, 0, sizeof(Aes));
4704
4705    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
4706
4707#ifdef WOLFSSL_AES_128
4708    ExpectIntEQ(wc_AesCcmSetKey(&aes, key16, sizeof(key16)), 0);
4709#endif
4710#ifdef WOLFSSL_AES_192
4711    ExpectIntEQ(wc_AesCcmSetKey(&aes, key24, sizeof(key24)), 0);
4712#endif
4713#ifdef WOLFSSL_AES_256
4714    ExpectIntEQ(wc_AesCcmSetKey(&aes, key32, sizeof(key32)), 0);
4715#endif
4716
4717    /* Test bad args. */
4718   ExpectIntEQ(wc_AesCcmSetKey(&aes, key16, sizeof(key16) - 1),
4719        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4720   ExpectIntEQ(wc_AesCcmSetKey(&aes, key24, sizeof(key24) - 1),
4721        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4722   ExpectIntEQ(wc_AesCcmSetKey(&aes, key32, sizeof(key32) - 1),
4723        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4724
4725    wc_AesFree(&aes);
4726#endif
4727    return EXPECT_RESULT();
4728
4729} /* END test_wc_AesCcmSetKey */
4730
4731/*
4732 * Unit test function for wc_AesCcmEncrypt and wc_AesCcmDecrypt
4733 */
4734int test_wc_AesCcmEncryptDecrypt(void)
4735{
4736    EXPECT_DECLS;
4737#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
4738    Aes aes;
4739    const byte key16[] = {
4740        0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
4741        0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf
4742    };
4743    /* plaintext */
4744    const byte plainT[] = {
4745        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
4746        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4747        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
4748    };
4749    /* nonce */
4750    const byte iv[] = {
4751        0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xa0,
4752        0xa1, 0xa2, 0xa3, 0xa4, 0xa5
4753    };
4754    const byte c[] = { /* cipher text. */
4755        0x58, 0x8c, 0x97, 0x9a, 0x61, 0xc6, 0x63, 0xd2,
4756        0xf0, 0x66, 0xd0, 0xc2, 0xc0, 0xf9, 0x89, 0x80,
4757        0x6d, 0x5f, 0x6b, 0x61, 0xda, 0xc3, 0x84
4758    };
4759    const byte t[] = { /* Auth tag */
4760        0x17, 0xe8, 0xd1, 0x2c, 0xfd, 0xf9, 0x26, 0xe0
4761    };
4762    const byte authIn[] = {
4763        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
4764    };
4765    byte cipherOut[sizeof(plainT)];
4766    byte authTag[sizeof(t)];
4767#ifdef HAVE_AES_DECRYPT
4768    byte plainOut[sizeof(cipherOut)];
4769#endif
4770
4771    XMEMSET(&aes, 0, sizeof(Aes));
4772
4773    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
4774    ExpectIntEQ(wc_AesCcmSetKey(&aes, key16, sizeof(key16)), 0);
4775
4776    ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(cipherOut),
4777        iv, sizeof(iv), authTag, sizeof(authTag), authIn , sizeof(authIn)), 0);
4778    ExpectIntEQ(XMEMCMP(cipherOut, c, sizeof(c)), 0);
4779    ExpectIntEQ(XMEMCMP(t, authTag, sizeof(t)), 0);
4780#ifdef HAVE_AES_DECRYPT
4781    ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(plainOut),
4782        iv, sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)), 0);
4783    ExpectIntEQ(XMEMCMP(plainOut, plainT, sizeof(plainT)), 0);
4784#endif
4785
4786    /* Pass in bad args. Encrypt*/
4787    ExpectIntEQ(wc_AesCcmEncrypt(NULL, cipherOut, plainT, sizeof(cipherOut),
4788        iv, sizeof(iv), authTag, sizeof(authTag), authIn , sizeof(authIn)),
4789        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4790    ExpectIntEQ(wc_AesCcmEncrypt(&aes, NULL, plainT, sizeof(cipherOut),
4791        iv, sizeof(iv), authTag, sizeof(authTag), authIn , sizeof(authIn)),
4792        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4793    ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, NULL, sizeof(cipherOut),
4794        iv, sizeof(iv), authTag, sizeof(authTag), authIn , sizeof(authIn)),
4795        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4796    ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(cipherOut),
4797        NULL, sizeof(iv), authTag, sizeof(authTag), authIn , sizeof(authIn)),
4798        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4799    ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(cipherOut),
4800        iv, sizeof(iv), NULL, sizeof(authTag), authIn , sizeof(authIn)),
4801        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4802    ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(cipherOut),
4803        iv, sizeof(iv) + 1, authTag, sizeof(authTag), authIn , sizeof(authIn)),
4804        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4805    ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(cipherOut),
4806        iv, sizeof(iv) - 7, authTag, sizeof(authTag), authIn , sizeof(authIn)),
4807        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4808
4809#ifdef HAVE_AES_DECRYPT
4810    /* Pass in bad args. Decrypt*/
4811    ExpectIntEQ(wc_AesCcmDecrypt(NULL, plainOut, cipherOut, sizeof(plainOut),
4812        iv, sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)),
4813        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4814    ExpectIntEQ(wc_AesCcmDecrypt(&aes, NULL, cipherOut, sizeof(plainOut),
4815        iv, sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)),
4816        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4817    ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, NULL, sizeof(plainOut),
4818        iv, sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)),
4819        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4820    ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(plainOut),
4821        NULL, sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)),
4822        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4823    ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(plainOut),
4824        iv, sizeof(iv), NULL, sizeof(authTag), authIn, sizeof(authIn)),
4825        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4826    ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(plainOut),
4827        iv, sizeof(iv) + 1, authTag, sizeof(authTag), authIn, sizeof(authIn)),
4828        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4829    ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(plainOut),
4830        iv, sizeof(iv) - 7, authTag, sizeof(authTag), authIn, sizeof(authIn)),
4831        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4832    #endif
4833
4834    wc_AesFree(&aes);
4835#endif  /* HAVE_AESCCM */
4836    return EXPECT_RESULT();
4837} /* END test_wc_AesCcmEncryptDecrypt */
4838
4839/*******************************************************************************
4840 * AES-CCM overlapping (in-place) buffers
4841 ******************************************************************************/
4842
/*
 * In-place AES-CCM: wc_AesCcmEncrypt / wc_AesCcmDecrypt are called with the
 * same pointer for input and output (in == out) and must give the same
 * ciphertext, tag and recovered plaintext as a run with separate buffers.
 * AES-CCM encrypts with CTR mode (XOR with a keystream), which is why
 * aliasing the two buffers is expected to be safe.
 *
 * Vectors are the IEEE 802.15.4 / RFC 3610 test case used in
 * test_wc_AesCcmEncryptDecrypt.  The same key/nonce pair is used for two
 * encryptions so the outputs can be compared; that is acceptable only in a
 * fixed-vector test, because CCM requires a unique nonce per key.
 */
int test_wc_AesCcmEncryptDecrypt_InPlace(void)
{
    EXPECT_DECLS;
#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) && defined(HAVE_AES_DECRYPT)
    static const byte plain[23] = {
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
    };
    static const byte aad[8] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
    };
    static const byte nonce[13] = {
        0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xa0,
        0xa1, 0xa2, 0xa3, 0xa4, 0xa5
    };
    static const byte key[AES_128_KEY_SIZE] = {
        0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
        0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf
    };
    Aes  aes;
    byte expCipher[sizeof(plain)];  /* ciphertext from the two-buffer run */
    byte expTag[8];                 /* tag from the two-buffer run */
    byte work[sizeof(plain)];       /* buffer used as both input and output */
    byte workTag[8];                /* tag produced by the in-place run */

    XMEMSET(&aes, 0, sizeof(aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesCcmSetKey(&aes, key, sizeof(key)), 0);

    /* Baseline: distinct input and output buffers. */
    ExpectIntEQ(wc_AesCcmEncrypt(&aes, expCipher, plain, sizeof(plain),
        nonce, sizeof(nonce), expTag, sizeof(expTag),
        aad, sizeof(aad)), 0);

    /* Aliased encrypt: ciphertext and tag must equal the baseline. */
    XMEMCPY(work, plain, sizeof(work));
    ExpectIntEQ(wc_AesCcmEncrypt(&aes, work, work, sizeof(work),
        nonce, sizeof(nonce), workTag, sizeof(workTag),
        aad, sizeof(aad)), 0);
    ExpectBufEQ(work, expCipher, sizeof(work));
    ExpectBufEQ(workTag, expTag, sizeof(workTag));

    /* Aliased decrypt: the buffer must hold the original plaintext again. */
    ExpectIntEQ(wc_AesCcmDecrypt(&aes, work, work, sizeof(work),
        nonce, sizeof(nonce), workTag, sizeof(workTag),
        aad, sizeof(aad)), 0);
    ExpectBufEQ(work, plain, sizeof(work));

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesCcmEncryptDecrypt_InPlace */
4902
4903/*******************************************************************************
4904 * AES-CCM unaligned buffers
4905 ******************************************************************************/
4906
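/*
 * Verify that wc_AesCcmEncrypt / wc_AesCcmDecrypt produce correct results
 * when plaintext, ciphertext, and AAD buffers are byte-offset (unaligned).
 * Tests offsets 1, 2, and 3.  Same vectors as the InPlace test.
 *
 * The reference ciphertext/tag come from a run on the un-offset arrays; each
 * offset run must reproduce them exactly.  The tag buffer is cleared before
 * every encrypt so that a tag left over from the previous offset cannot make
 * a run that failed to write the tag look like a pass.
 */
int test_wc_AesCcmEncryptDecrypt_UnalignedBuffers(void)
{
    EXPECT_DECLS;
#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) && defined(HAVE_AES_DECRYPT)
    Aes aes;
    static const byte key[AES_128_KEY_SIZE] = {
        0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
        0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf
    };
    static const byte nonce[13] = {
        0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xa0,
        0xa1, 0xa2, 0xa3, 0xa4, 0xa5
    };
    static const byte aad[8] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
    };
    static const byte plain[23] = {
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
    };
    byte ref_ct[sizeof(plain)], ref_tag[8];
    /* +3 leaves room for the largest offset tested below */
    byte in_buf[sizeof(plain) + 3], out_buf[sizeof(plain) + 3];
    byte aad_buf[sizeof(aad) + 3];
    byte tag[8];
    int off;

    XMEMSET(&aes, 0, sizeof(aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesCcmSetKey(&aes, key, sizeof(key)), 0);

    /* Reference ciphertext/tag with naturally-aligned buffers */
    ExpectIntEQ(wc_AesCcmEncrypt(&aes, ref_ct, plain, sizeof(plain),
        nonce, sizeof(nonce), ref_tag, sizeof(ref_tag),
        aad, sizeof(aad)), 0);

    /* Encrypt with byte offsets 1, 2, 3 on plaintext, ciphertext, and AAD */
    for (off = 1; off <= 3 && EXPECT_SUCCESS(); off++) {
        XMEMCPY(in_buf  + off, plain, sizeof(plain));
        XMEMCPY(aad_buf + off, aad,   sizeof(aad));
        XMEMSET(out_buf, 0, sizeof(out_buf));
        /* Drop the previous iteration's tag so a stale value cannot match. */
        XMEMSET(tag, 0, sizeof(tag));
        ExpectIntEQ(wc_AesCcmEncrypt(&aes, out_buf + off, in_buf + off,
            sizeof(plain), nonce, sizeof(nonce), tag, sizeof(tag),
            aad_buf + off, sizeof(aad)), 0);
        ExpectBufEQ(out_buf + off, ref_ct,  sizeof(plain));
        ExpectBufEQ(tag,           ref_tag, sizeof(tag));
    }

    /* Decrypt with byte offsets 1, 2, 3; the reference tag is the input */
    for (off = 1; off <= 3 && EXPECT_SUCCESS(); off++) {
        XMEMCPY(in_buf  + off, ref_ct, sizeof(plain));
        XMEMCPY(aad_buf + off, aad,    sizeof(aad));
        XMEMSET(out_buf, 0, sizeof(out_buf));
        ExpectIntEQ(wc_AesCcmDecrypt(&aes, out_buf + off, in_buf + off,
            sizeof(plain), nonce, sizeof(nonce), ref_tag, sizeof(ref_tag),
            aad_buf + off, sizeof(aad)), 0);
        ExpectBufEQ(out_buf + off, plain, sizeof(plain));
    }

    wc_AesFree(&aes);
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesCcmEncryptDecrypt_UnalignedBuffers */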
4975
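/*
 * AES-CCM AEAD edge cases:
 *   - empty AAD (NULL / 0-length)
 *   - empty plaintext with non-empty AAD (rejected with BAD_FUNC_ARG on
 *     selftest and FIPS <= 2 builds, accepted otherwise)
 *   - invalid auth tag rejection
 *   - modified ciphertext rejection
 *
 * Every rejection case expects AES_CCM_AUTH_E from wc_AesCcmDecrypt.
 */
int test_wc_AesCcmAeadEdgeCases(void)
{
    EXPECT_DECLS;
#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
    static const byte key[] = {
        0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
        0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf
    };
    static const byte nonce[] = {
        0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xa0,
        0xa1, 0xa2, 0xa3, 0xa4, 0xa5
    };
    static const byte plainT[] = {
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
    };
    static const byte authIn[] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
    };
    Aes  aes;
    byte cipherOut[sizeof(plainT)];
    byte authTag[8];
#ifdef HAVE_AES_DECRYPT
    byte plainOut[sizeof(plainT)];
#endif

    XMEMSET(&aes, 0, sizeof(aes));
    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesCcmSetKey(&aes, key, sizeof(key)), 0);

    /* --- Empty AAD (NULL/0): encrypt with no additional data --- */
    XMEMSET(cipherOut, 0, sizeof(cipherOut));
    XMEMSET(authTag,   0, sizeof(authTag));
    ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(plainT),
        nonce, sizeof(nonce), authTag, sizeof(authTag), NULL, 0), 0);
#ifdef HAVE_AES_DECRYPT
    XMEMSET(plainOut, 0, sizeof(plainOut));
    ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(cipherOut),
        nonce, sizeof(nonce), authTag, sizeof(authTag), NULL, 0), 0);
    ExpectBufEQ(plainOut, plainT, sizeof(plainT));
#endif /* HAVE_AES_DECRYPT */

    /* --- Empty plaintext with non-empty AAD --- */
    XMEMSET(authTag, 0, sizeof(authTag));
#if defined(HAVE_SELFTEST) || (defined(HAVE_FIPS_VERSION) && \
    (HAVE_FIPS_VERSION <= 2))
    /* These builds reject NULL in/out even when the length is 0.  The
     * expected code goes through WC_NO_ERR_TRACE like every other expected
     * error in this file. */
    ExpectIntEQ(wc_AesCcmEncrypt(&aes, NULL, NULL, 0,
        nonce, sizeof(nonce), authTag, sizeof(authTag),
        authIn, sizeof(authIn)), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#else
    ExpectIntEQ(wc_AesCcmEncrypt(&aes, NULL, NULL, 0,
        nonce, sizeof(nonce), authTag, sizeof(authTag),
        authIn, sizeof(authIn)), 0);
#ifdef HAVE_AES_DECRYPT
    /* Correct tag must pass */
    ExpectIntEQ(wc_AesCcmDecrypt(&aes, NULL, NULL, 0,
        nonce, sizeof(nonce), authTag, sizeof(authTag),
        authIn, sizeof(authIn)), 0);
    /* Tampered tag must fail */
    authTag[0] ^= 0xff;
    ExpectIntEQ(wc_AesCcmDecrypt(&aes, NULL, NULL, 0,
        nonce, sizeof(nonce), authTag, sizeof(authTag),
        authIn, sizeof(authIn)),
        WC_NO_ERR_TRACE(AES_CCM_AUTH_E));
#endif /* HAVE_AES_DECRYPT */
#endif

    /* --- Invalid tag rejection: encrypt then tamper auth tag --- */
    XMEMSET(cipherOut, 0, sizeof(cipherOut));
    XMEMSET(authTag,   0, sizeof(authTag));
    ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipherOut, plainT, sizeof(plainT),
        nonce, sizeof(nonce), authTag, sizeof(authTag),
        authIn, sizeof(authIn)), 0);
#ifdef HAVE_AES_DECRYPT
    authTag[0] ^= 0xff;
    ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(cipherOut),
        nonce, sizeof(nonce), authTag, sizeof(authTag),
        authIn, sizeof(authIn)),
        WC_NO_ERR_TRACE(AES_CCM_AUTH_E));

    /* --- Modified ciphertext rejection: restore the tag, flip one
     * ciphertext bit.  The tag covers the plaintext, so a changed ciphertext
     * must fail verification as well. --- */
    authTag[0] ^= 0xff;
    cipherOut[0] ^= 0x01;
    ExpectIntEQ(wc_AesCcmDecrypt(&aes, plainOut, cipherOut, sizeof(cipherOut),
        nonce, sizeof(nonce), authTag, sizeof(authTag),
        authIn, sizeof(authIn)),
        WC_NO_ERR_TRACE(AES_CCM_AUTH_E));
#endif /* HAVE_AES_DECRYPT */

    wc_AesFree(&aes);
#endif /* HAVE_AESCCM && WOLFSSL_AES_128 */
    return EXPECT_RESULT();
} /* END test_wc_AesCcmAeadEdgeCases */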
5068
5069/*******************************************************************************
5070 * AES-XTS
5071 ******************************************************************************/
5072
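/*
 * test function for wc_AesXtsSetKey()
 *
 * Accepts the 32-, 48- and 64-byte keys enabled by the build (an XTS key is
 * passed as two AES keys back to back, so key16/key24/key32 are twice the
 * AES key size their name refers to).  Then checks the argument validation:
 * NULL context or key gives BAD_FUNC_ARG, a key one byte short of each valid
 * length gives WC_KEY_SIZE_E, and a direction of -2 gives BAD_FUNC_ARG.
 */
int test_wc_AesXtsSetKey(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS)
    XtsAes aes;
#ifdef WOLFSSL_AES_128
    byte key16[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
    };
#endif
#if defined(WOLFSSL_AES_192) && !defined(HAVE_FIPS)
    byte key24[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
#endif
#ifdef WOLFSSL_AES_256
    byte key32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
#endif
    /* 31 bytes: one short of a 2 x 16 byte key */
    byte badKey16[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
    };
    /* 47 bytes: one short of a 2 x 24 byte key */
    byte badKey24[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36
    };
    /* 63 bytes: one short of a 2 x 32 byte key */
    byte badKey32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x37, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
    };
    byte* key;
    word32 keyLen;

    /* Start from a zeroed context, as the other XTS tests in this file do,
     * so the bad-argument calls below never see indeterminate stack data. */
    XMEMSET(&aes, 0, sizeof(aes));

    /* Pick one valid key for the bad-argument calls.  The 192-bit branch
     * uses the same condition under which key24 is declared above. */
#ifdef WOLFSSL_AES_128
    key = key16;
    keyLen = sizeof(key16)/sizeof(byte);
#elif defined(WOLFSSL_AES_192) && !defined(HAVE_FIPS)
    key = key24;
    keyLen = sizeof(key24)/sizeof(byte);
#else
    key = key32;
    keyLen = sizeof(key32)/sizeof(byte);
#endif

#ifdef WOLFSSL_AES_128
    ExpectIntEQ(wc_AesXtsSetKey(&aes, key16, sizeof(key16)/sizeof(byte),
        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
    wc_AesXtsFree(&aes);
#endif
#if defined(WOLFSSL_AES_192) && !defined(HAVE_FIPS)
    ExpectIntEQ(wc_AesXtsSetKey(&aes, key24, sizeof(key24)/sizeof(byte),
        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
    wc_AesXtsFree(&aes);
#endif
#ifdef WOLFSSL_AES_256
    ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
    wc_AesXtsFree(&aes);
#endif

    /* Pass in bad args. */
    ExpectIntEQ(wc_AesXtsSetKey(NULL, NULL, keyLen, AES_ENCRYPTION, NULL,
        INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsSetKey(NULL, key, keyLen, AES_ENCRYPTION, NULL,
        INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsSetKey(&aes, NULL, keyLen, AES_ENCRYPTION, NULL,
        INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Truncated keys must be refused, not padded or accepted short. */
    ExpectIntEQ(wc_AesXtsSetKey(&aes, badKey16, sizeof(badKey16)/sizeof(byte),
        AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(WC_KEY_SIZE_E));
    ExpectIntEQ(wc_AesXtsSetKey(&aes, badKey24, sizeof(badKey24)/sizeof(byte),
        AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(WC_KEY_SIZE_E));
    ExpectIntEQ(wc_AesXtsSetKey(&aes, badKey32, sizeof(badKey32)/sizeof(byte),
        AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(WC_KEY_SIZE_E));
    /* -2 is not a valid direction value. */
    ExpectIntEQ(wc_AesXtsSetKey(&aes, key, keyLen, -2, NULL, INVALID_DEVID),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesXtsSetKey */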
5183
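/*
 * Round-trip wc_AesXtsEncrypt / wc_AesXtsDecrypt over message lengths that
 * double from one AES block up to XTS_LEN (16 blocks).  Each length is
 * encrypted from a 0xa5-filled buffer and, when decryption is compiled in,
 * decrypted and compared with the input.  No known-answer ciphertext is
 * checked here, only that decryption inverts encryption.
 */
int test_wc_AesXtsEncryptDecrypt_Sizes(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
    defined(WOLFSSL_AES_256) && !defined(WOLFSSL_AFALG) && \
    !defined(WOLFSSL_KCAPI)
    #define XTS_LEN     (WC_AES_BLOCK_SIZE * 16)
    byte key32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte tweak[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
    };
    XtsAes aes;
    word32 tweakLen = (word32)sizeof(tweak)/sizeof(byte);
    int sz;
    WC_DECLARE_VAR(plain, byte, XTS_LEN, NULL);
    WC_DECLARE_VAR(cipher, byte, XTS_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_DECLARE_VAR(decrypted, byte, XTS_LEN, NULL);
#endif

    WC_ALLOC_VAR(plain, byte, XTS_LEN, NULL);
    WC_ALLOC_VAR(cipher, byte, XTS_LEN, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_ALLOC_VAR(decrypted, byte, XTS_LEN, NULL);
#endif

#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
    ExpectNotNull(plain);
    ExpectNotNull(cipher);
#ifdef HAVE_AES_DECRYPT
    ExpectNotNull(decrypted);
#endif
#endif

    /* aes is an XtsAes, so size the clear by the object itself; sizeof(Aes)
     * would zero only part of it. */
    XMEMSET(&aes, 0, sizeof(aes));
    /* The only checks so far are the allocation checks above, so a failure
     * here means a buffer may be NULL and must not be written to. */
    if (EXPECT_SUCCESS()) {
        XMEMSET(plain, 0xa5, XTS_LEN);
    }

    /* Stop at the first failure, as the other loops in this file do; this
     * also keeps the XMEMSET calls below away from an unallocated buffer. */
    for (sz = WC_AES_BLOCK_SIZE; sz <= XTS_LEN && EXPECT_SUCCESS(); sz *= 2) {
        ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
            AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
        XMEMSET(cipher, 0, XTS_LEN);
        ExpectIntEQ(wc_AesXtsEncrypt(&aes, cipher, plain, sz, tweak, tweakLen),
            0);
        wc_AesXtsFree(&aes);

#ifdef HAVE_AES_DECRYPT
        ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
            AES_DECRYPTION, NULL, INVALID_DEVID), 0);
        /* 0xff fill differs from the 0xa5 plaintext, so a decrypt that
         * writes nothing cannot pass the comparison. */
        XMEMSET(decrypted, 0xff, XTS_LEN);
        ExpectIntEQ(wc_AesXtsDecrypt(&aes, decrypted, cipher, sz, tweak,
            tweakLen), 0);
        ExpectBufEQ(decrypted, plain, sz);
        wc_AesXtsFree(&aes);
#endif
    }

    WC_FREE_VAR(plain, NULL);
    WC_FREE_VAR(cipher, NULL);
#ifdef HAVE_AES_DECRYPT
    WC_FREE_VAR(decrypted, NULL);
#endif
#endif
    return EXPECT_RESULT();
}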
5258
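/*
 * test function for wc_AesXtsEncrypt and wc_AesXtsDecrypt
 *
 * Encrypts a 24-byte message (one and a half AES blocks) with a 64-byte
 * key, decrypts it and compares with the input, then checks that a NULL
 * context, output or input is rejected with BAD_FUNC_ARG by both functions.
 * Decrypt calls are compiled only under HAVE_AES_DECRYPT, matching the
 * other XTS tests in this file.
 */
int test_wc_AesXtsEncryptDecrypt(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
    defined(WOLFSSL_AES_256)
    XtsAes  aes;
    byte key32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte vector[] = { /* Now is the time for all w/o trailing 0 */
        0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
        0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
        0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
    };
    byte tweak[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
    };
    word32 tweakLen = (word32)sizeof(tweak)/sizeof(byte);
    byte enc[sizeof(vector)];
#ifdef HAVE_AES_DECRYPT
    byte dec[sizeof(vector)];
#endif

    /* Init stack variables.  aes is an XtsAes, so clear sizeof(aes);
     * sizeof(Aes) would leave part of the context uninitialized. */
    XMEMSET(&aes, 0, sizeof(aes));
    XMEMSET(enc, 0, sizeof(vector));
#ifdef HAVE_AES_DECRYPT
    XMEMSET(dec, 0, sizeof(vector));
#endif

    ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncrypt(&aes, enc, vector, sizeof(vector), tweak,
        tweakLen), 0);
    wc_AesXtsFree(&aes);
#ifdef HAVE_AES_DECRYPT
    /* Round trip: decrypting the ciphertext must give the input back. */
    ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
        AES_DECRYPTION, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsDecrypt(&aes, dec, enc, sizeof(vector), tweak,
        tweakLen), 0);
    ExpectIntEQ(XMEMCMP(vector, dec, sizeof(vector)), 0);
    wc_AesXtsFree(&aes);
#endif /* HAVE_AES_DECRYPT */

    ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
    /* Test bad args for wc_AesXtsEncrypt and wc_AesXtsDecrypt */
    ExpectIntEQ(wc_AesXtsEncrypt(NULL, enc, vector, sizeof(vector), tweak,
        tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsEncrypt(&aes, NULL, vector, sizeof(vector), tweak,
        tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsEncrypt(&aes, enc, NULL, sizeof(vector), tweak,
        tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    wc_AesXtsFree(&aes);
    /* END wc_AesXtsEncrypt */

#ifdef HAVE_AES_DECRYPT
    ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
        AES_DECRYPTION, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsDecrypt(NULL, dec, enc, sizeof(enc)/sizeof(byte),
        tweak, tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsDecrypt(&aes, NULL, enc, sizeof(enc)/sizeof(byte),
        tweak, tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsDecrypt(&aes, dec, NULL, sizeof(enc)/sizeof(byte),
        tweak, tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    wc_AesXtsFree(&aes);
#endif /* HAVE_AES_DECRYPT */
#endif

    return EXPECT_RESULT();
} /* END test_wc_AesXtsEncryptDecrypt */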
5337
5338/*******************************************************************************
5339 * AES-XTS overlapping (in-place) buffers
5340 ******************************************************************************/
5341
/*
 * In-place AES-XTS: wc_AesXtsEncrypt / wc_AesXtsDecrypt are called with the
 * same pointer for input and output (in == out) and must match a run with
 * separate buffers.  According to the original note on this test, the
 * software path reads each input block into a local copy before
 * XOR-and-encrypt, which is what makes in-place operation safe.
 *
 * Only round-trip equality is checked; XTS carries no authentication tag, so
 * there is no tamper-detection case to test here.
 */
int test_wc_AesXtsEncryptDecrypt_InPlace(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
    defined(WOLFSSL_AES_256) && !defined(WOLFSSL_AFALG) && \
    !defined(WOLFSSL_KCAPI)
    /* 24 bytes: one full block + 8-byte partial block (CTS-style steal) */
    static const byte plain[24] = {
        0x4e, 0x6f, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74,
        0x68, 0x65, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20,
        0x66, 0x6f, 0x72, 0x20, 0x61, 0x6c, 0x6c, 0x20
    };
    static const byte tweak[WC_AES_BLOCK_SIZE] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    static const byte key64[64] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    XtsAes aes;
    byte expCipher[sizeof(plain)];  /* ciphertext from the two-buffer run */
    byte work[sizeof(plain)];       /* buffer used as both input and output */

    XMEMSET(&aes, 0, sizeof(aes));

    /* Baseline: distinct input and output buffers. */
    ExpectIntEQ(wc_AesXtsSetKey(&aes, key64, sizeof(key64),
        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncrypt(&aes, expCipher, plain, sizeof(plain),
        tweak, sizeof(tweak)), 0);
    wc_AesXtsFree(&aes);

    /* Aliased encrypt: the result must equal the baseline ciphertext. */
    XMEMCPY(work, plain, sizeof(work));
    ExpectIntEQ(wc_AesXtsSetKey(&aes, key64, sizeof(key64),
        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncrypt(&aes, work, work, sizeof(work),
        tweak, sizeof(tweak)), 0);
    wc_AesXtsFree(&aes);
    ExpectBufEQ(work, expCipher, sizeof(work));

#ifdef HAVE_AES_DECRYPT
    /* Aliased decrypt: the buffer must hold the original plaintext again. */
    ExpectIntEQ(wc_AesXtsSetKey(&aes, key64, sizeof(key64),
        AES_DECRYPTION, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsDecrypt(&aes, work, work, sizeof(work),
        tweak, sizeof(tweak)), 0);
    wc_AesXtsFree(&aes);
    ExpectBufEQ(work, plain, sizeof(work));
#endif
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesXtsEncryptDecrypt_InPlace */
5408
5409/*******************************************************************************
5410 * AES-XTS unaligned buffers
5411 ******************************************************************************/
5412
/*
 * AES-XTS with byte-offset buffers: wc_AesXtsEncrypt / wc_AesXtsDecrypt are
 * run with both the input and the output pointer shifted by 1, 2 and 3 bytes
 * and must reproduce the result of the un-offset run.  Key, tweak and
 * plaintext are the ones used by the InPlace test.
 */
int test_wc_AesXtsEncryptDecrypt_UnalignedBuffers(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
    defined(WOLFSSL_AES_256) && !defined(WOLFSSL_AFALG) && \
    !defined(WOLFSSL_KCAPI)
    static const byte plain[24] = {
        0x4e, 0x6f, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74,
        0x68, 0x65, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20,
        0x66, 0x6f, 0x72, 0x20, 0x61, 0x6c, 0x6c, 0x20
    };
    static const byte tweak[WC_AES_BLOCK_SIZE] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    static const byte key64[64] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    XtsAes aes;
    byte expCipher[sizeof(plain)];   /* ciphertext from the un-offset run */
    /* +3 leaves room for the largest offset tested below */
    byte src[sizeof(plain) + 3];
    byte dst[sizeof(plain) + 3];
    int shift;

    XMEMSET(&aes, 0, sizeof(aes));

    /* Baseline ciphertext, computed on the arrays as declared. */
    ExpectIntEQ(wc_AesXtsSetKey(&aes, key64, sizeof(key64),
        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncrypt(&aes, expCipher, plain, sizeof(plain),
        tweak, sizeof(tweak)), 0);
    wc_AesXtsFree(&aes);

    /* Encrypt with input and output both shifted by 1, 2, 3 bytes. */
    for (shift = 1; shift <= 3 && EXPECT_SUCCESS(); shift++) {
        XMEMCPY(src + shift, plain, sizeof(plain));
        XMEMSET(dst, 0, sizeof(dst));
        ExpectIntEQ(wc_AesXtsSetKey(&aes, key64, sizeof(key64),
            AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
        ExpectIntEQ(wc_AesXtsEncrypt(&aes, dst + shift, src + shift,
            sizeof(plain), tweak, sizeof(tweak)), 0);
        wc_AesXtsFree(&aes);
        ExpectBufEQ(dst + shift, expCipher, sizeof(plain));
    }

#ifdef HAVE_AES_DECRYPT
    /* Decrypt the baseline ciphertext with the same three shifts. */
    for (shift = 1; shift <= 3 && EXPECT_SUCCESS(); shift++) {
        XMEMCPY(src + shift, expCipher, sizeof(plain));
        XMEMSET(dst, 0, sizeof(dst));
        ExpectIntEQ(wc_AesXtsSetKey(&aes, key64, sizeof(key64),
            AES_DECRYPTION, NULL, INVALID_DEVID), 0);
        ExpectIntEQ(wc_AesXtsDecrypt(&aes, dst + shift, src + shift,
            sizeof(plain), tweak, sizeof(tweak)), 0);
        wc_AesXtsFree(&aes);
        ExpectBufEQ(dst + shift, plain, sizeof(plain));
    }
#endif
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesXtsEncryptDecrypt_UnalignedBuffers */
5485
5486/*******************************************************************************
5487 * AES-XTS streaming (Init/Update/Final)
5488 ******************************************************************************/
5489
/*
 * Streaming AES-XTS (Init / Update / Final) checked against the one-shot API.
 *
 * Reference ciphertexts come from wc_AesXtsEncrypt() with the same key and
 * tweak; every streaming split must reproduce them byte for byte:
 *   - Init + Final over a 24-byte message (not a multiple of the block size)
 *   - Init + Update(2 blocks) + Final(1 block)
 *   - Init + three single-block Updates + Final(0 bytes, NULL buffers)
 * With HAVE_AES_DECRYPT the first two splits are repeated for decryption.
 * The last part checks that NULL pointers and a 1-byte Update length are
 * answered with BAD_FUNC_ARG.
 *
 * Returns EXPECT_RESULT(); the body compiles to nothing unless the feature
 * macros in the #if below are satisfied.
 */
int test_wc_AesXtsStream(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
    defined(WOLFSSL_AES_256) && defined(WOLFSSL_AESXTS_STREAM) && \
    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI)
    /* 64 bytes of key material; the original author notes it is the key
     * used by test_wc_AesXtsEncryptDecrypt. */
    static const byte xtsKey[] = {
        0x30,0x31,0x32,0x33, 0x34,0x35,0x36,0x37,
        0x30,0x31,0x32,0x33, 0x34,0x35,0x36,0x37,
        0x30,0x31,0x32,0x33, 0x34,0x35,0x36,0x37,
        0x30,0x31,0x32,0x33, 0x34,0x35,0x36,0x37,
        0x38,0x39,0x61,0x62, 0x63,0x64,0x65,0x66,
        0x38,0x39,0x61,0x62, 0x63,0x64,0x65,0x66,
        0x38,0x39,0x61,0x62, 0x63,0x64,0x65,0x66,
        0x38,0x39,0x61,0x62, 0x63,0x64,0x65,0x66
    };
    /* 16-byte tweak shared by every session in this test. */
    static const byte tweakBytes[] = {
        0x30,0x31,0x32,0x33, 0x34,0x35,0x36,0x37,
        0x38,0x39,0x61,0x62, 0x63,0x64,0x65,0x66
    };
    /* 24-byte message: one full block plus an 8-byte tail. */
    static const byte msg24[] = {
        0x4e,0x6f,0x77,0x20, 0x69,0x73,0x20,0x74,
        0x68,0x65,0x20,0x74, 0x69,0x6d,0x65,0x20,
        0x66,0x6f,0x72,0x20, 0x61,0x6c,0x6c,0x20
    };
    const word32 tweakSz = (word32)sizeof(tweakBytes);
    XtsAes xtsCtx;
    XtsAesStreamData streamCtx;
    byte threeBlk[3 * WC_AES_BLOCK_SIZE]; /* block-aligned plaintext */
    byte refCt24[sizeof(msg24)];          /* one-shot ciphertext of msg24 */
    byte refCt3[3 * WC_AES_BLOCK_SIZE];   /* one-shot ciphertext of threeBlk */
    byte ctOut[3 * WC_AES_BLOCK_SIZE];
    byte ptOut[3 * WC_AES_BLOCK_SIZE];

    XMEMSET(threeBlk, 0xa5, sizeof(threeBlk));
    XMEMSET(&xtsCtx, 0, sizeof(xtsCtx));

    /* Reference 1: one-shot encryption of the 24-byte message. */
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_ENCRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncrypt(&xtsCtx, refCt24, msg24, sizeof(msg24),
        tweakBytes, tweakSz), 0);
    wc_AesXtsFree(&xtsCtx);

    /* Reference 2: one-shot encryption of the three-block buffer. */
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_ENCRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncrypt(&xtsCtx, refCt3, threeBlk, sizeof(threeBlk),
        tweakBytes, tweakSz), 0);
    wc_AesXtsFree(&xtsCtx);

    /* Encrypt, split A: Init, then everything (24 bytes) through Final. */
    XMEMSET(&streamCtx, 0, sizeof(streamCtx));
    XMEMSET(ctOut, 0, sizeof(ctOut));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_ENCRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncryptInit(&xtsCtx, tweakBytes, tweakSz, &streamCtx),
        0);
    ExpectIntEQ(wc_AesXtsEncryptFinal(&xtsCtx, ctOut, msg24, sizeof(msg24),
        &streamCtx), 0);
    ExpectBufEQ(ctOut, refCt24, sizeof(refCt24));
    wc_AesXtsFree(&xtsCtx);

    /* Encrypt, split B: two blocks through Update, the third through Final. */
    XMEMSET(&streamCtx, 0, sizeof(streamCtx));
    XMEMSET(ctOut, 0, sizeof(ctOut));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_ENCRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncryptInit(&xtsCtx, tweakBytes, tweakSz, &streamCtx),
        0);
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx, ctOut, threeBlk,
        2 * WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptFinal(&xtsCtx,
        &ctOut[2 * WC_AES_BLOCK_SIZE], &threeBlk[2 * WC_AES_BLOCK_SIZE],
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectBufEQ(ctOut, refCt3, sizeof(refCt3));
    wc_AesXtsFree(&xtsCtx);

    /* Encrypt, split C: one block per Update call, issued three times, then
     * a Final that carries no data (NULL in/out, length 0). */
    XMEMSET(&streamCtx, 0, sizeof(streamCtx));
    XMEMSET(ctOut, 0, sizeof(ctOut));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_ENCRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncryptInit(&xtsCtx, tweakBytes, tweakSz, &streamCtx),
        0);
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx, ctOut, threeBlk,
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx,
        &ctOut[WC_AES_BLOCK_SIZE], &threeBlk[WC_AES_BLOCK_SIZE],
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx,
        &ctOut[2 * WC_AES_BLOCK_SIZE], &threeBlk[2 * WC_AES_BLOCK_SIZE],
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptFinal(&xtsCtx, NULL, NULL, 0, &streamCtx), 0);
    ExpectBufEQ(ctOut, refCt3, sizeof(refCt3));
    wc_AesXtsFree(&xtsCtx);

#ifdef HAVE_AES_DECRYPT
    /* Decrypt, split A: the 24-byte reference ciphertext through Final only;
     * the result must be the original message. */
    XMEMSET(&streamCtx, 0, sizeof(streamCtx));
    XMEMSET(ptOut, 0, sizeof(ptOut));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_DECRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsDecryptInit(&xtsCtx, tweakBytes, tweakSz, &streamCtx),
        0);
    ExpectIntEQ(wc_AesXtsDecryptFinal(&xtsCtx, ptOut, refCt24, sizeof(refCt24),
        &streamCtx), 0);
    ExpectBufEQ(ptOut, msg24, sizeof(msg24));
    wc_AesXtsFree(&xtsCtx);

    /* Decrypt, split B: two blocks through Update, the third through Final. */
    XMEMSET(&streamCtx, 0, sizeof(streamCtx));
    XMEMSET(ptOut, 0, sizeof(ptOut));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_DECRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsDecryptInit(&xtsCtx, tweakBytes, tweakSz, &streamCtx),
        0);
    ExpectIntEQ(wc_AesXtsDecryptUpdate(&xtsCtx, ptOut, refCt3,
        2 * WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsDecryptFinal(&xtsCtx,
        &ptOut[2 * WC_AES_BLOCK_SIZE], &refCt3[2 * WC_AES_BLOCK_SIZE],
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectBufEQ(ptOut, threeBlk, sizeof(threeBlk));
    wc_AesXtsFree(&xtsCtx);
#endif /* HAVE_AES_DECRYPT */

    /* Argument validation.
     * NOTE(review): xtsCtx was released by wc_AesXtsFree() above and is not
     * re-keyed here, so these calls presumably depend on the argument checks
     * running before the context is used - confirm against the library. */
    XMEMSET(&streamCtx, 0, sizeof(streamCtx));
    /* Init: missing context */
    ExpectIntEQ(wc_AesXtsEncryptInit(NULL, tweakBytes, tweakSz, &streamCtx),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Init: missing tweak */
    ExpectIntEQ(wc_AesXtsEncryptInit(&xtsCtx, NULL, tweakSz, &streamCtx),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Init: missing stream state */
    ExpectIntEQ(wc_AesXtsEncryptInit(&xtsCtx, tweakBytes, tweakSz, NULL),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Update: length of 1 is not a whole number of blocks */
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx, ctOut, threeBlk, 1,
        &streamCtx), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Update: missing stream state */
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx, ctOut, threeBlk,
        WC_AES_BLOCK_SIZE, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* Final: missing stream state */
    ExpectIntEQ(wc_AesXtsEncryptFinal(&xtsCtx, ctOut, msg24, sizeof(msg24),
        NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#ifdef HAVE_AES_DECRYPT
    /* Same NULL-pointer checks for the decrypt entry points. */
    ExpectIntEQ(wc_AesXtsDecryptInit(NULL, tweakBytes, tweakSz, &streamCtx),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsDecryptInit(&xtsCtx, NULL, tweakSz, &streamCtx),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsDecryptInit(&xtsCtx, tweakBytes, tweakSz, NULL),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsDecryptUpdate(&xtsCtx, ptOut, refCt3,
        WC_AES_BLOCK_SIZE, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsDecryptFinal(&xtsCtx, ptOut, refCt3, sizeof(threeBlk),
        NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif /* HAVE_AES_DECRYPT */
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesXtsStream */
5656
5657/*******************************************************************************
5658 * AES-XTS streaming mid-stream state corruption
5659 ******************************************************************************/
5660
/*
 * A streaming session that has been closed with Final must not accept
 * further Update calls.
 *
 * Flow, for encryption and (with HAVE_AES_DECRYPT) decryption:
 *   Init -> Final over 24 bytes -> Update with one block, which has to
 *   return BAD_FUNC_ARG.
 *
 * As described by the test's author, the library tracks progress in
 * stream->bytes_crypted_with_this_tweak; a Final over a length that is not a
 * multiple of the block size leaves that counter with non-zero low bits, and
 * Update refuses to continue when it sees them.  The 24-byte length is chosen
 * for exactly that reason.
 *
 * Returns EXPECT_RESULT(); compiled out unless the feature macros in the #if
 * below are satisfied.
 */
int test_wc_AesXtsStream_MidStreamState(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
    defined(WOLFSSL_AES_256) && defined(WOLFSSL_AESXTS_STREAM) && \
    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI)
    static const byte xtsKey[64] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    static const byte tweakBytes[WC_AES_BLOCK_SIZE] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    /* 24 bytes = one block + 8 bytes, so the length handed to Final is not
     * block aligned (24 mod 16 != 0). */
    static const byte msg24[24] = {
        0x4e, 0x6f, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74,
        0x68, 0x65, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20,
        0x66, 0x6f, 0x72, 0x20, 0x61, 0x6c, 0x6c, 0x20
    };
    /* Input for the Update call that is expected to be refused. */
    static const byte zeroBlock[WC_AES_BLOCK_SIZE] = { 0 };
    XtsAes xtsCtx;
    XtsAesStreamData streamCtx;
    byte buf24[24];
    byte scratch[WC_AES_BLOCK_SIZE];

    XMEMSET(&xtsCtx, 0, sizeof(xtsCtx));

    /* Encrypt direction: Init, Final(24 bytes), then the late Update. */
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_ENCRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncryptInit(&xtsCtx, tweakBytes, sizeof(tweakBytes),
        &streamCtx), 0);
    /* Final consumes the whole message; the byte counter is then expected to
     * hold 24, which is not a multiple of WC_AES_BLOCK_SIZE (16). */
    ExpectIntEQ(wc_AesXtsEncryptFinal(&xtsCtx, buf24, msg24, sizeof(msg24),
        &streamCtx), 0);
    /* The session is finished, so this call has to fail. */
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx, scratch, zeroBlock,
        sizeof(zeroBlock), &streamCtx), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    wc_AesXtsFree(&xtsCtx);

#ifdef HAVE_AES_DECRYPT
    /* Decrypt direction: same flow.  buf24 (the ciphertext produced above) is
     * decrypted in place.
     * NOTE(review): only return codes are checked here; the recovered bytes
     * are not compared with msg24. */
    XMEMSET(&xtsCtx, 0, sizeof(xtsCtx));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_DECRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsDecryptInit(&xtsCtx, tweakBytes, sizeof(tweakBytes),
        &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsDecryptFinal(&xtsCtx, buf24, buf24, sizeof(buf24),
        &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsDecryptUpdate(&xtsCtx, scratch, zeroBlock,
        sizeof(zeroBlock), &streamCtx), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    wc_AesXtsFree(&xtsCtx);
#endif
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesXtsStream_MidStreamState */
5740
5741/*******************************************************************************
5742 * AES-XTS streaming re-initialization after Final
5743 ******************************************************************************/
5744
/*
 * A keyed AES-XTS context and its stream state can be started again with
 * Init after a session ended (or was dropped) and must behave like a fresh
 * session.
 *
 * The test's author states that wc_AesXtsEncryptInit always resets
 * stream->bytes_crypted_with_this_tweak to 0 and reloads the tweak, which is
 * what makes the second Init safe.
 *
 * Checks, each session being Update(1 block) + Final(remaining 24 bytes):
 *   1. same key, same tweak        -> ciphertext identical to the baseline
 *   2. same key, different tweak   -> ciphertext differs from the baseline
 *   3. Init + Update, no Final, then Init again -> baseline ciphertext
 *   4. (HAVE_AES_DECRYPT) two decrypt sessions in a row both return the
 *      plaintext
 *
 * Returns EXPECT_RESULT(); compiled out unless the feature macros in the #if
 * below are satisfied.
 */
int test_wc_AesXtsStream_ReinitAfterFinal(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
    defined(WOLFSSL_AES_256) && defined(WOLFSSL_AESXTS_STREAM) && \
    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI)
    static const byte xtsKey[64] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    /* Two tweaks (sector numbers) that differ only in their last byte. */
    static const byte tweakA[WC_AES_BLOCK_SIZE] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    static const byte tweakB[WC_AES_BLOCK_SIZE] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x67
    };
    /* 40 bytes: two full blocks followed by an 8-byte tail. */
    static const byte msg40[40] = {
        0x4e, 0x6f, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74,
        0x68, 0x65, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20,
        0x66, 0x6f, 0x72, 0x20, 0x61, 0x6c, 0x6c, 0x20,
        0x67, 0x6f, 0x6f, 0x64, 0x20, 0x6d, 0x65, 0x6e,
        0x20, 0x74, 0x6f, 0x20, 0x63, 0x6f, 0x6d, 0x65
    };
    XtsAes xtsCtx;
    XtsAesStreamData streamCtx;
    byte ctBase[sizeof(msg40)];   /* session 1 output, the baseline */
    byte ctAgain[sizeof(msg40)];  /* output of sessions that must match it */
    byte ctOther[sizeof(msg40)];  /* output produced under tweakB */
#ifdef HAVE_AES_DECRYPT
    byte recovered[sizeof(msg40)];
#endif

    XMEMSET(&xtsCtx, 0, sizeof(xtsCtx));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_ENCRYPTION,
        NULL, INVALID_DEVID), 0);

    /* Session 1 (baseline): first block through Update, the other 24 bytes
     * through Final.  Author's note: AesXtsEncryptFinal forwards to the
     * Update path, so a non-empty Final needs at least WC_AES_BLOCK_SIZE
     * bytes. */
    ExpectIntEQ(wc_AesXtsEncryptInit(&xtsCtx, tweakA, sizeof(tweakA),
        &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx, ctBase, msg40,
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptFinal(&xtsCtx, &ctBase[WC_AES_BLOCK_SIZE],
        &msg40[WC_AES_BLOCK_SIZE], sizeof(msg40) - WC_AES_BLOCK_SIZE,
        &streamCtx), 0);

    /* Session 2: Init again with the same tweak; output must equal the
     * baseline. */
    ExpectIntEQ(wc_AesXtsEncryptInit(&xtsCtx, tweakA, sizeof(tweakA),
        &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx, ctAgain, msg40,
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptFinal(&xtsCtx, &ctAgain[WC_AES_BLOCK_SIZE],
        &msg40[WC_AES_BLOCK_SIZE], sizeof(msg40) - WC_AES_BLOCK_SIZE,
        &streamCtx), 0);
    ExpectBufEQ(ctAgain, ctBase, sizeof(ctBase));

    /* Session 3: Init again with the other tweak; output must not equal the
     * baseline. */
    ExpectIntEQ(wc_AesXtsEncryptInit(&xtsCtx, tweakB, sizeof(tweakB),
        &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx, ctOther, msg40,
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptFinal(&xtsCtx, &ctOther[WC_AES_BLOCK_SIZE],
        &msg40[WC_AES_BLOCK_SIZE], sizeof(msg40) - WC_AES_BLOCK_SIZE,
        &streamCtx), 0);
    ExpectIntNE(XMEMCMP(ctOther, ctBase, sizeof(ctBase)), 0);

    /* Session 4: start under tweakB, process one block, never call Final. */
    ExpectIntEQ(wc_AesXtsEncryptInit(&xtsCtx, tweakB, sizeof(tweakB),
        &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx, ctOther, msg40,
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    /* Drop that session: a new Init under tweakA has to reproduce the
     * baseline, i.e. nothing from the unfinished session may carry over. */
    ExpectIntEQ(wc_AesXtsEncryptInit(&xtsCtx, tweakA, sizeof(tweakA),
        &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptUpdate(&xtsCtx, ctAgain, msg40,
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsEncryptFinal(&xtsCtx, &ctAgain[WC_AES_BLOCK_SIZE],
        &msg40[WC_AES_BLOCK_SIZE], sizeof(msg40) - WC_AES_BLOCK_SIZE,
        &streamCtx), 0);
    ExpectBufEQ(ctAgain, ctBase, sizeof(ctBase));

    wc_AesXtsFree(&xtsCtx);

#ifdef HAVE_AES_DECRYPT
    /* Decrypt direction: fresh context keyed for decryption, two sessions
     * back to back over the baseline ciphertext. */
    XMEMSET(&xtsCtx, 0, sizeof(xtsCtx));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_DECRYPTION,
        NULL, INVALID_DEVID), 0);

    /* Session A: baseline ciphertext under tweakA gives the plaintext. */
    ExpectIntEQ(wc_AesXtsDecryptInit(&xtsCtx, tweakA, sizeof(tweakA),
        &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsDecryptUpdate(&xtsCtx, recovered, ctBase,
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsDecryptFinal(&xtsCtx, &recovered[WC_AES_BLOCK_SIZE],
        &ctBase[WC_AES_BLOCK_SIZE], sizeof(ctBase) - WC_AES_BLOCK_SIZE,
        &streamCtx), 0);
    ExpectBufEQ(recovered, msg40, sizeof(msg40));

    /* Session B: Init again and repeat; the plaintext must come out again. */
    ExpectIntEQ(wc_AesXtsDecryptInit(&xtsCtx, tweakA, sizeof(tweakA),
        &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsDecryptUpdate(&xtsCtx, recovered, ctBase,
        WC_AES_BLOCK_SIZE, &streamCtx), 0);
    ExpectIntEQ(wc_AesXtsDecryptFinal(&xtsCtx, &recovered[WC_AES_BLOCK_SIZE],
        &ctBase[WC_AES_BLOCK_SIZE], sizeof(ctBase) - WC_AES_BLOCK_SIZE,
        &streamCtx), 0);
    ExpectBufEQ(recovered, msg40, sizeof(msg40));

    wc_AesXtsFree(&xtsCtx);
#endif
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesXtsStream_ReinitAfterFinal */
5874
5875/*******************************************************************************
5876 * AES-XTS sector APIs
5877 ******************************************************************************/
5878
/*
 * Tests the sector-number based AES-XTS entry points:
 * wc_AesXtsEncryptSector, wc_AesXtsDecryptSector,
 * wc_AesXtsEncryptConsecutiveSectors and wc_AesXtsDecryptConsecutiveSectors.
 *
 *   1. Sector 0 must equal wc_AesXtsEncrypt() with an all-zero 16-byte tweak,
 *      sector 1 must give different ciphertext for the same plaintext, and
 *      both must decrypt back (HAVE_AES_DECRYPT).
 *   2. One ConsecutiveSectors call over 3 sectors starting at sector 5 must
 *      equal three per-sector calls for sectors 5, 6 and 7.
 *   3. Same comparison starting at sector 10 with one extra block appended,
 *      i.e. a total length that is not a multiple of the sector size.
 *   4. NULL pointers, a sector size of 0 and a total length below one block
 *      must be answered with BAD_FUNC_ARG.
 *
 * Returns EXPECT_RESULT(); compiled out unless the feature macros in the #if
 * below are satisfied.
 */
int test_wc_AesXtsEncryptDecryptSector(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
    defined(WOLFSSL_AES_256) && !defined(WOLFSSL_AFALG) && \
    !defined(WOLFSSL_KCAPI)
    /* Function-local sizes: a sector is two AES blocks, three sectors in
     * total.  All three macros are #undef'd before the function ends. */
    #define SECTOR_SZ   (WC_AES_BLOCK_SIZE * 2)
    #define NUM_SECTORS  3
    #define TOTAL_SZ    (SECTOR_SZ * NUM_SECTORS)

    static const byte xtsKey[] = {
        0x30,0x31,0x32,0x33, 0x34,0x35,0x36,0x37,
        0x30,0x31,0x32,0x33, 0x34,0x35,0x36,0x37,
        0x30,0x31,0x32,0x33, 0x34,0x35,0x36,0x37,
        0x30,0x31,0x32,0x33, 0x34,0x35,0x36,0x37,
        0x38,0x39,0x61,0x62, 0x63,0x64,0x65,0x66,
        0x38,0x39,0x61,0x62, 0x63,0x64,0x65,0x66,
        0x38,0x39,0x61,0x62, 0x63,0x64,0x65,0x66,
        0x38,0x39,0x61,0x62, 0x63,0x64,0x65,0x66
    };
    XtsAes xtsCtx;
    byte msg[TOTAL_SZ];
    byte ctAll[TOTAL_SZ];          /* output of the multi-sector call */
    byte ptOut[TOTAL_SZ];
    byte ctPerSector[TOTAL_SZ];    /* reference built one sector at a time */
    byte tweakZero[WC_AES_BLOCK_SIZE];
    byte ctTweakZero[SECTOR_SZ];
    byte ctSec0[SECTOR_SZ];
    byte ctSec1[SECTOR_SZ];
    int idx;

    XMEMSET(tweakZero, 0, sizeof(tweakZero));
    XMEMSET(&xtsCtx, 0, sizeof(xtsCtx));

    /* Plaintext is the byte sequence 0, 1, 2, ... */
    for (idx = 0; idx < (int)sizeof(msg); idx++) {
        msg[idx] = (byte)idx;
    }

    /* ---- Part 1: single-sector encrypt / decrypt ---- */

    /* Sector number 0 has to give the same result as the generic call with
     * a 16-byte tweak of zeros. */
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_ENCRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncryptSector(&xtsCtx, ctSec0, msg, SECTOR_SZ, 0), 0);
    ExpectIntEQ(wc_AesXtsEncrypt(&xtsCtx, ctTweakZero, msg, SECTOR_SZ,
        tweakZero, WC_AES_BLOCK_SIZE), 0);
    ExpectBufEQ(ctSec0, ctTweakZero, SECTOR_SZ);
    wc_AesXtsFree(&xtsCtx);

    /* The same plaintext under sector number 1 must not encrypt to the
     * sector-0 ciphertext. */
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_ENCRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncryptSector(&xtsCtx, ctSec1, msg, SECTOR_SZ, 1), 0);
    ExpectIntNE(XMEMCMP(ctSec0, ctSec1, SECTOR_SZ), 0);
    wc_AesXtsFree(&xtsCtx);

#ifdef HAVE_AES_DECRYPT
    /* Round trip for sector 0. */
    XMEMSET(ptOut, 0, sizeof(ptOut));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_DECRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsDecryptSector(&xtsCtx, ptOut, ctSec0, SECTOR_SZ, 0),
        0);
    ExpectBufEQ(ptOut, msg, SECTOR_SZ);
    wc_AesXtsFree(&xtsCtx);

    /* Round trip for sector 1. */
    XMEMSET(ptOut, 0, sizeof(ptOut));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_DECRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsDecryptSector(&xtsCtx, ptOut, ctSec1, SECTOR_SZ, 1),
        0);
    ExpectBufEQ(ptOut, msg, SECTOR_SZ);
    wc_AesXtsFree(&xtsCtx);
#endif /* HAVE_AES_DECRYPT */

    /* ---- Part 2: wc_AesXtsEncryptConsecutiveSectors, whole sectors ---- */

    /* Reference: sectors 5, 6 and 7 encrypted with one call each. */
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_ENCRYPTION,
        NULL, INVALID_DEVID), 0);
    for (idx = 0; idx < NUM_SECTORS; idx++) {
        ExpectIntEQ(wc_AesXtsEncryptSector(&xtsCtx,
            &ctPerSector[idx * SECTOR_SZ], &msg[idx * SECTOR_SZ],
            SECTOR_SZ, (word64)(5 + idx)), 0);
    }
    wc_AesXtsFree(&xtsCtx);

    /* The multi-sector call starting at sector 5 has to match it. */
    XMEMSET(ctAll, 0, sizeof(ctAll));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_ENCRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsEncryptConsecutiveSectors(&xtsCtx, ctAll, msg,
        TOTAL_SZ, 5, SECTOR_SZ), 0);
    ExpectBufEQ(ctAll, ctPerSector, TOTAL_SZ);
    wc_AesXtsFree(&xtsCtx);

#ifdef HAVE_AES_DECRYPT
    /* Multi-sector decrypt of that ciphertext returns the plaintext. */
    XMEMSET(ptOut, 0, sizeof(ptOut));
    ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey), AES_DECRYPTION,
        NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesXtsDecryptConsecutiveSectors(&xtsCtx, ptOut, ctAll,
        TOTAL_SZ, 5, SECTOR_SZ), 0);
    ExpectBufEQ(ptOut, msg, TOTAL_SZ);
    wc_AesXtsFree(&xtsCtx);
#endif /* HAVE_AES_DECRYPT */

    /* ---- Part 3: total length that is not a multiple of the sector size.
     * REMAINDER_SZ is NUM_SECTORS whole sectors plus one trailing piece of
     * exactly WC_AES_BLOCK_SIZE bytes. ---- */
    {
        #define REMAINDER_SZ  (TOTAL_SZ + WC_AES_BLOCK_SIZE)
        byte msgR[REMAINDER_SZ];
        byte ctR[REMAINDER_SZ];
        byte ptR[REMAINDER_SZ];
        byte ctRref[REMAINDER_SZ];

        for (idx = 0; idx < (int)sizeof(msgR); idx++) {
            msgR[idx] = (byte)(idx ^ 0xA5);
        }

        /* Reference: sectors 10, 11, 12 in full ... */
        ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey),
            AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
        for (idx = 0; idx < NUM_SECTORS; idx++) {
            ExpectIntEQ(wc_AesXtsEncryptSector(&xtsCtx,
                &ctRref[idx * SECTOR_SZ], &msgR[idx * SECTOR_SZ],
                SECTOR_SZ, (word64)(10 + idx)), 0);
        }
        /* ... and the one-block remainder as the next sector number. */
        ExpectIntEQ(wc_AesXtsEncryptSector(&xtsCtx,
            &ctRref[TOTAL_SZ], &msgR[TOTAL_SZ],
            WC_AES_BLOCK_SIZE, (word64)(10 + NUM_SECTORS)), 0);
        wc_AesXtsFree(&xtsCtx);

        /* One multi-sector call over the same bytes, starting at 10. */
        XMEMSET(ctR, 0, sizeof(ctR));
        ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey),
            AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
        ExpectIntEQ(wc_AesXtsEncryptConsecutiveSectors(&xtsCtx, ctR, msgR,
            REMAINDER_SZ, 10, SECTOR_SZ), 0);
        ExpectBufEQ(ctR, ctRref, REMAINDER_SZ);
        wc_AesXtsFree(&xtsCtx);

#ifdef HAVE_AES_DECRYPT
        /* And back again through the multi-sector decrypt. */
        XMEMSET(ptR, 0, sizeof(ptR));
        ExpectIntEQ(wc_AesXtsSetKey(&xtsCtx, xtsKey, sizeof(xtsKey),
            AES_DECRYPTION, NULL, INVALID_DEVID), 0);
        ExpectIntEQ(wc_AesXtsDecryptConsecutiveSectors(&xtsCtx, ptR, ctR,
            REMAINDER_SZ, 10, SECTOR_SZ), 0);
        ExpectBufEQ(ptR, msgR, REMAINDER_SZ);
        wc_AesXtsFree(&xtsCtx);
#endif /* HAVE_AES_DECRYPT */

        #undef REMAINDER_SZ
    }

    /* ---- Part 4: argument validation for the multi-sector calls.
     * NOTE(review): xtsCtx has been released by wc_AesXtsFree() at this
     * point and is not re-keyed, so the sectorSz == 0 and short-length checks
     * presumably rely on validation running before the key is used -
     * confirm against the library. ---- */
    /* missing context */
    ExpectIntEQ(wc_AesXtsEncryptConsecutiveSectors(NULL, ctAll, msg,
        TOTAL_SZ, 0, SECTOR_SZ), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* missing output buffer */
    ExpectIntEQ(wc_AesXtsEncryptConsecutiveSectors(&xtsCtx, NULL, msg,
        TOTAL_SZ, 0, SECTOR_SZ), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* missing input buffer */
    ExpectIntEQ(wc_AesXtsEncryptConsecutiveSectors(&xtsCtx, ctAll, NULL,
        TOTAL_SZ, 0, SECTOR_SZ), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* sector size of zero */
    ExpectIntEQ(wc_AesXtsEncryptConsecutiveSectors(&xtsCtx, ctAll, msg,
        TOTAL_SZ, 0, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* total length shorter than one AES block */
    ExpectIntEQ(wc_AesXtsEncryptConsecutiveSectors(&xtsCtx, ctAll, msg,
        WC_AES_BLOCK_SIZE - 1, 0, SECTOR_SZ), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#ifdef HAVE_AES_DECRYPT
    /* the same five cases for the decrypt entry point */
    ExpectIntEQ(wc_AesXtsDecryptConsecutiveSectors(NULL, ptOut, ctAll,
        TOTAL_SZ, 0, SECTOR_SZ), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsDecryptConsecutiveSectors(&xtsCtx, NULL, ctAll,
        TOTAL_SZ, 0, SECTOR_SZ), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsDecryptConsecutiveSectors(&xtsCtx, ptOut, NULL,
        TOTAL_SZ, 0, SECTOR_SZ), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsDecryptConsecutiveSectors(&xtsCtx, ptOut, ctAll,
        TOTAL_SZ, 0, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesXtsDecryptConsecutiveSectors(&xtsCtx, ptOut, ctAll,
        WC_AES_BLOCK_SIZE - 1, 0, SECTOR_SZ), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif /* HAVE_AES_DECRYPT */

    #undef SECTOR_SZ
    #undef NUM_SECTORS
    #undef TOTAL_SZ
#endif
    return EXPECT_RESULT();
} /* END test_wc_AesXtsEncryptDecryptSector */
6086
6087#if defined(WOLFSSL_AES_EAX) && defined(WOLFSSL_AES_256) && \
6088    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
6089
6090/*******************************************************************************
6091 * AES-EAX
6092 ******************************************************************************/
6093
6094/*
6095 * Testing test_wc_AesEaxVectors()
6096 */
6097int test_wc_AesEaxVectors(void)
6098{
6099    EXPECT_DECLS;
6100
6101    typedef struct {
6102        byte key[AES_256_KEY_SIZE];
6103        int key_length;
6104        byte iv[WC_AES_BLOCK_SIZE];
6105        int iv_length;
6106        byte aad[WC_AES_BLOCK_SIZE * 2];
6107        int aad_length;
6108        byte msg[WC_AES_BLOCK_SIZE * 5];
6109        int msg_length;
6110        byte ct[WC_AES_BLOCK_SIZE * 5];
6111        int ct_length;
6112        byte tag[WC_AES_BLOCK_SIZE];
6113        int tag_length;
6114        int valid;
6115    } AadVector;
6116
6117    /*  Test vectors obtained from Google wycheproof project
6118     *  https://github.com/google/wycheproof
6119     *  from testvectors/aes_eax_test.json
6120     */
6121    const AadVector vectors[] = {
6122    #ifdef WOLFSSL_AES_128
6123        {
6124            /* key, key length  */
6125            {0x23, 0x39, 0x52, 0xde, 0xe4, 0xd5, 0xed, 0x5f,
6126             0x9b, 0x9c, 0x6d, 0x6f, 0xf8, 0x0f, 0xf4, 0x78}, 16,
6127            /* iv, iv length  */
6128            {0x62, 0xec, 0x67, 0xf9, 0xc3, 0xa4, 0xa4, 0x07,
6129             0xfc, 0xb2, 0xa8, 0xc4, 0x90, 0x31, 0xa8, 0xb3}, 16,
6130            /* aad, aad length  */
6131            {0x6b, 0xfb, 0x91, 0x4f, 0xd0, 0x7e, 0xae, 0x6b}, 8,
6132            /* msg, msg length  */
6133            {0x00}, 0,
6134            /* ct, ct length  */
6135            {0x00}, 0,
6136            /* tag, tag length  */
6137            {0xe0, 0x37, 0x83, 0x0e, 0x83, 0x89, 0xf2, 0x7b,
6138             0x02, 0x5a, 0x2d, 0x65, 0x27, 0xe7, 0x9d, 0x01}, 16,
6139            /* valid */
6140            1,
6141        },
6142        {
6143            /* key, key length  */
6144            {0x91, 0x94, 0x5d, 0x3f, 0x4d, 0xcb, 0xee, 0x0b,
6145             0xf4, 0x5e, 0xf5, 0x22, 0x55, 0xf0, 0x95, 0xa4}, 16,
6146            /* iv, iv length  */
6147            {0xbe, 0xca, 0xf0, 0x43, 0xb0, 0xa2, 0x3d, 0x84,
6148             0x31, 0x94, 0xba, 0x97, 0x2c, 0x66, 0xde, 0xbd}, 16,
6149            /* aad, aad length  */
6150            {0xfa, 0x3b, 0xfd, 0x48, 0x06, 0xeb, 0x53, 0xfa}, 8,
6151            /* msg, msg length  */
6152            {0xf7, 0xfb}, 2,
6153            /* ct, ct length  */
6154            {0x19, 0xdd}, 2,
6155            /* tag, tag length  */
6156            {0x5c, 0x4c, 0x93, 0x31, 0x04, 0x9d, 0x0b, 0xda,
6157             0xb0, 0x27, 0x74, 0x08, 0xf6, 0x79, 0x67, 0xe5}, 16,
6158            /* valid */
6159            1,
6160        },
6161        {
6162            /* key, key length  */
6163            {0x01, 0xf7, 0x4a, 0xd6, 0x40, 0x77, 0xf2, 0xe7,
6164             0x04, 0xc0, 0xf6, 0x0a, 0xda, 0x3d, 0xd5, 0x23}, 16,
6165            /* iv, iv length  */
6166            {0x70, 0xc3, 0xdb, 0x4f, 0x0d, 0x26, 0x36, 0x84,
6167             0x00, 0xa1, 0x0e, 0xd0, 0x5d, 0x2b, 0xff, 0x5e}, 16,
6168            /* aad, aad length  */
6169            {0x23, 0x4a, 0x34, 0x63, 0xc1, 0x26, 0x4a, 0xc6}, 8,
6170            /* msg, msg length  */
6171            {0x1a, 0x47, 0xcb, 0x49, 0x33}, 5,
6172            /* ct, ct length  */
6173            {0xd8, 0x51, 0xd5, 0xba, 0xe0}, 5,
6174            /* tag, tag length  */
6175            {0x3a, 0x59, 0xf2, 0x38, 0xa2, 0x3e, 0x39, 0x19,
6176             0x9d, 0xc9, 0x26, 0x66, 0x26, 0xc4, 0x0f, 0x80}, 16,
6177            /* valid */
6178            1,
6179        },
6180        {
6181            /* key, key length  */
6182            {0xd0, 0x7c, 0xf6, 0xcb, 0xb7, 0xf3, 0x13, 0xbd,
6183             0xde, 0x66, 0xb7, 0x27, 0xaf, 0xd3, 0xc5, 0xe8}, 16,
6184            /* iv, iv length  */
6185            {0x84, 0x08, 0xdf, 0xff, 0x3c, 0x1a, 0x2b, 0x12,
6186             0x92, 0xdc, 0x19, 0x9e, 0x46, 0xb7, 0xd6, 0x17}, 16,
6187            /* aad, aad length  */
6188            {0x33, 0xcc, 0xe2, 0xea, 0xbf, 0xf5, 0xa7, 0x9d}, 8,
6189            /* msg, msg length  */
6190            {0x48, 0x1c, 0x9e, 0x39, 0xb1}, 5,
6191            /* ct, ct length  */
6192            {0x63, 0x2a, 0x9d, 0x13, 0x1a}, 5,
6193            /* tag, tag length  */
6194            {0xd4, 0xc1, 0x68, 0xa4, 0x22, 0x5d, 0x8e, 0x1f,
6195             0xf7, 0x55, 0x93, 0x99, 0x74, 0xa7, 0xbe, 0xde}, 16,
6196            /* valid */
6197            1,
6198        },
6199        {
6200            /* key, key length  */
6201            {0x35, 0xb6, 0xd0, 0x58, 0x00, 0x05, 0xbb, 0xc1,
6202             0x2b, 0x05, 0x87, 0x12, 0x45, 0x57, 0xd2, 0xc2}, 16,
6203            /* iv, iv length  */
6204            {0xfd, 0xb6, 0xb0, 0x66, 0x76, 0xee, 0xdc, 0x5c,
6205             0x61, 0xd7, 0x42, 0x76, 0xe1, 0xf8, 0xe8, 0x16}, 16,
6206            /* aad, aad length  */
6207            {0xae, 0xb9, 0x6e, 0xae, 0xbe, 0x29, 0x70, 0xe9}, 8,
6208            /* msg, msg length  */
6209            {0x40, 0xd0, 0xc0, 0x7d, 0xa5, 0xe4}, 6,
6210            /* ct, ct length  */
6211            {0x07, 0x1d, 0xfe, 0x16, 0xc6, 0x75}, 6,
6212            /* tag, tag length  */
6213            {0xcb, 0x06, 0x77, 0xe5, 0x36, 0xf7, 0x3a, 0xfe,
6214             0x6a, 0x14, 0xb7, 0x4e, 0xe4, 0x98, 0x44, 0xdd}, 16,
6215            /* valid */
6216            1,
6217        },
6218        {
6219            /* key, key length  */
6220            {0xbd, 0x8e, 0x6e, 0x11, 0x47, 0x5e, 0x60, 0xb2,
6221             0x68, 0x78, 0x4c, 0x38, 0xc6, 0x2f, 0xeb, 0x22}, 16,
6222            /* iv, iv length  */
6223            {0x6e, 0xac, 0x5c, 0x93, 0x07, 0x2d, 0x8e, 0x85,
6224             0x13, 0xf7, 0x50, 0x93, 0x5e, 0x46, 0xda, 0x1b}, 16,
6225            /* aad, aad length  */
6226            {0xd4, 0x48, 0x2d, 0x1c, 0xa7, 0x8d, 0xce, 0x0f}, 8,
6227            /* msg, msg length  */
6228            {0x4d, 0xe3, 0xb3, 0x5c, 0x3f, 0xc0, 0x39, 0x24,
6229             0x5b, 0xd1, 0xfb, 0x7d}, 12,
6230            /* ct, ct length  */
6231            {0x83, 0x5b, 0xb4, 0xf1, 0x5d, 0x74, 0x3e, 0x35,
6232             0x0e, 0x72, 0x84, 0x14}, 12,
6233            /* tag, tag length  */
6234            {0xab, 0xb8, 0x64, 0x4f, 0xd6, 0xcc, 0xb8, 0x69,
6235             0x47, 0xc5, 0xe1, 0x05, 0x90, 0x21, 0x0a, 0x4f}, 16,
6236            /* valid */
6237            1,
6238        },
6239        {
6240            /* key, key length  */
6241            {0x7c, 0x77, 0xd6, 0xe8, 0x13, 0xbe, 0xd5, 0xac,
6242             0x98, 0xba, 0xa4, 0x17, 0x47, 0x7a, 0x2e, 0x7d}, 16,
6243            /* iv, iv length  */
6244            {0x1a, 0x8c, 0x98, 0xdc, 0xd7, 0x3d, 0x38, 0x39,
6245             0x3b, 0x2b, 0xf1, 0x56, 0x9d, 0xee, 0xfc, 0x19}, 16,
6246            /* aad, aad length  */
6247            {0x65, 0xd2, 0x01, 0x79, 0x90, 0xd6, 0x25, 0x28}, 8,
6248            /* msg, msg length  */
6249            {0x8b, 0x0a, 0x79, 0x30, 0x6c, 0x9c, 0xe7, 0xed,
6250             0x99, 0xda, 0xe4, 0xf8, 0x7f, 0x8d, 0xd6, 0x16,
6251             0x36}, 17,
6252            /* ct, ct length  */
6253            {0x02, 0x08, 0x3e, 0x39, 0x79, 0xda, 0x01, 0x48,
6254             0x12, 0xf5, 0x9f, 0x11, 0xd5, 0x26, 0x30, 0xda,
6255             0x30}, 17,
6256            /* tag, tag length  */
6257            {0x13, 0x73, 0x27, 0xd1, 0x06, 0x49, 0xb0, 0xaa,
6258             0x6e, 0x1c, 0x18, 0x1d, 0xb6, 0x17, 0xd7, 0xf2}, 16,
6259            /* valid */
6260            1,
6261        },
6262        {
6263            /* key, key length  */
6264            {0x5f, 0xff, 0x20, 0xca, 0xfa, 0xb1, 0x19, 0xca,
6265             0x2f, 0xc7, 0x35, 0x49, 0xe2, 0x0f, 0x5b, 0x0d}, 16,
6266            /* iv, iv length  */
6267            {0xdd, 0xe5, 0x9b, 0x97, 0xd7, 0x22, 0x15, 0x6d,
6268             0x4d, 0x9a, 0xff, 0x2b, 0xc7, 0x55, 0x98, 0x26}, 16,
6269            /* aad, aad length  */
6270            {0x54, 0xb9, 0xf0, 0x4e, 0x6a, 0x09, 0x18, 0x9a}, 8,
6271            /* msg, msg length  */
6272            {0x1b, 0xda, 0x12, 0x2b, 0xce, 0x8a, 0x8d, 0xba,
6273             0xf1, 0x87, 0x7d, 0x96, 0x2b, 0x85, 0x92, 0xdd,
6274             0x2d, 0x56}, 18,
6275            /* ct, ct length  */
6276            {0x2e, 0xc4, 0x7b, 0x2c, 0x49, 0x54, 0xa4, 0x89,
6277             0xaf, 0xc7, 0xba, 0x48, 0x97, 0xed, 0xcd, 0xae,
6278             0x8c, 0xc3}, 18,
6279            /* tag, tag length  */
6280            {0x3b, 0x60, 0x45, 0x05, 0x99, 0xbd, 0x02, 0xc9,
6281             0x63, 0x82, 0x90, 0x2a, 0xef, 0x7f, 0x83, 0x2a}, 16,
6282            /* valid */
6283            1,
6284        },
6285        {
6286            /* key, key length  */
6287            {0xa4, 0xa4, 0x78, 0x2b, 0xcf, 0xfd, 0x3e, 0xc5,
6288             0xe7, 0xef, 0x6d, 0x8c, 0x34, 0xa5, 0x61, 0x23}, 16,
6289            /* iv, iv length  */
6290            {0xb7, 0x81, 0xfc, 0xf2, 0xf7, 0x5f, 0xa5, 0xa8,
6291             0xde, 0x97, 0xa9, 0xca, 0x48, 0xe5, 0x22, 0xec}, 16,
6292            /* aad, aad length  */
6293            {0x89, 0x9a, 0x17, 0x58, 0x97, 0x56, 0x1d, 0x7e}, 8,
6294            /* msg, msg length  */
6295            {0x6c, 0xf3, 0x67, 0x20, 0x87, 0x2b, 0x85, 0x13,
6296             0xf6, 0xea, 0xb1, 0xa8, 0xa4, 0x44, 0x38, 0xd5,
6297             0xef, 0x11}, 18,
6298            /* ct, ct length  */
6299            {0x0d, 0xe1, 0x8f, 0xd0, 0xfd, 0xd9, 0x1e, 0x7a,
6300             0xf1, 0x9f, 0x1d, 0x8e, 0xe8, 0x73, 0x39, 0x38,
6301             0xb1, 0xe8}, 18,
6302            /* tag, tag length  */
6303            {0xe7, 0xf6, 0xd2, 0x23, 0x16, 0x18, 0x10, 0x2f,
6304             0xdb, 0x7f, 0xe5, 0x5f, 0xf1, 0x99, 0x17, 0x00}, 16,
6305            /* valid */
6306            1,
6307        },
6308        {
6309            /* key, key length  */
6310            {0x83, 0x95, 0xfc, 0xf1, 0xe9, 0x5b, 0xeb, 0xd6,
6311             0x97, 0xbd, 0x01, 0x0b, 0xc7, 0x66, 0xaa, 0xc3}, 16,
6312            /* iv, iv length  */
6313            {0x22, 0xe7, 0xad, 0xd9, 0x3c, 0xfc, 0x63, 0x93,
6314             0xc5, 0x7e, 0xc0, 0xb3, 0xc1, 0x7d, 0x6b, 0x44}, 16,
6315            /* aad, aad length  */
6316            {0x12, 0x67, 0x35, 0xfc, 0xc3, 0x20, 0xd2, 0x5a}, 8,
6317            /* msg, msg length  */
6318            {0xca, 0x40, 0xd7, 0x44, 0x6e, 0x54, 0x5f, 0xfa,
6319             0xed, 0x3b, 0xd1, 0x2a, 0x74, 0x0a, 0x65, 0x9f,
6320             0xfb, 0xbb, 0x3c, 0xea, 0xb7}, 21,
6321            /* ct, ct length  */
6322            {0xcb, 0x89, 0x20, 0xf8, 0x7a, 0x6c, 0x75, 0xcf,
6323             0xf3, 0x96, 0x27, 0xb5, 0x6e, 0x3e, 0xd1, 0x97,
6324             0xc5, 0x52, 0xd2, 0x95, 0xa7}, 21,
6325            /* tag, tag length  */
6326            {0xcf, 0xc4, 0x6a, 0xfc, 0x25, 0x3b, 0x46, 0x52,
6327             0xb1, 0xaf, 0x37, 0x95, 0xb1, 0x24, 0xab, 0x6e}, 16,
6328            /* valid */
6329            1,
6330        },
6331        {
6332            /* key, key length  */
6333            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6334             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6335            /* iv, iv length  */
6336            {0x3c, 0x8c, 0xc2, 0x97, 0x0a, 0x00, 0x8f, 0x75,
6337             0xcc, 0x5b, 0xea, 0xe2, 0x84, 0x72, 0x58, 0xc2}, 16,
6338            /* aad, aad length  */
6339            {0x00}, 0,
6340            /* msg, msg length  */
6341            {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6342             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6343             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
6344             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
6345            /* ct, ct length  */
6346            {0x3c, 0x44, 0x1f, 0x32, 0xce, 0x07, 0x82, 0x23,
6347             0x64, 0xd7, 0xa2, 0x99, 0x0e, 0x50, 0xbb, 0x13,
6348             0xd7, 0xb0, 0x2a, 0x26, 0x96, 0x9e, 0x4a, 0x93,
6349             0x7e, 0x5e, 0x90, 0x73, 0xb0, 0xd9, 0xc9, 0x68}, 32,
6350            /* tag, tag length  */
6351            {0xdb, 0x90, 0xbd, 0xb3, 0xda, 0x3d, 0x00, 0xaf,
6352             0xd0, 0xfc, 0x6a, 0x83, 0x55, 0x1d, 0xa9, 0x5e}, 16,
6353            /* valid */
6354            1,
6355        },
6356        {
6357            /* key, key length  */
6358            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6359             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6360            /* iv, iv length  */
6361            {0xae, 0xf0, 0x3d, 0x00, 0x59, 0x84, 0x94, 0xe9,
6362             0xfb, 0x03, 0xcd, 0x7d, 0x8b, 0x59, 0x08, 0x66}, 16,
6363            /* aad, aad length  */
6364            {0x00}, 0,
6365            /* msg, msg length  */
6366            {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6367             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6368             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
6369             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
6370            /* ct, ct length  */
6371            {0xd1, 0x9a, 0xc5, 0x98, 0x49, 0x02, 0x6a, 0x91,
6372             0xaa, 0x1b, 0x9a, 0xec, 0x29, 0xb1, 0x1a, 0x20,
6373             0x2a, 0x4d, 0x73, 0x9f, 0xd8, 0x6c, 0x28, 0xe3,
6374             0xae, 0x3d, 0x58, 0x8e, 0xa2, 0x1d, 0x70, 0xc6}, 32,
6375            /* tag, tag length  */
6376            {0xc3, 0x0f, 0x6c, 0xd9, 0x20, 0x20, 0x74, 0xed,
6377             0x6e, 0x2a, 0x2a, 0x36, 0x0e, 0xac, 0x8c, 0x47}, 16,
6378            /* valid */
6379            1,
6380        },
6381        {
6382            /* key, key length  */
6383            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6384             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6385            /* iv, iv length  */
6386            {0x55, 0xd1, 0x25, 0x11, 0xc6, 0x96, 0xa8, 0x0d,
6387             0x05, 0x14, 0xd1, 0xff, 0xba, 0x49, 0xca, 0xda}, 16,
6388            /* aad, aad length  */
6389            {0x00}, 0,
6390            /* msg, msg length  */
6391            {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6392             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6393             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
6394             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
6395            /* ct, ct length  */
6396            {0x21, 0x08, 0x55, 0x8a, 0xc4, 0xb2, 0xc2, 0xd5,
6397             0xcc, 0x66, 0xce, 0xa5, 0x1d, 0x62, 0x10, 0xe0,
6398             0x46, 0x17, 0x7a, 0x67, 0x63, 0x1c, 0xd2, 0xdd,
6399             0x8f, 0x09, 0x46, 0x97, 0x33, 0xac, 0xb5, 0x17}, 32,
6400            /* tag, tag length  */
6401            {0xfc, 0x35, 0x5e, 0x87, 0xa2, 0x67, 0xbe, 0x3a,
6402             0xe3, 0xe4, 0x4c, 0x0b, 0xf3, 0xf9, 0x9b, 0x2b}, 16,
6403            /* valid */
6404            1,
6405        },
6406        {
6407            /* key, key length  */
6408            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6409             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6410            /* iv, iv length  */
6411            {0x79, 0x42, 0x2d, 0xdd, 0x91, 0xc4, 0xee, 0xe2,
6412             0xde, 0xae, 0xf1, 0xf9, 0x68, 0x30, 0x53, 0x04}, 16,
6413            /* aad, aad length  */
6414            {0x00}, 0,
6415            /* msg, msg length  */
6416            {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6417             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6418             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
6419             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
6420            /* ct, ct length  */
6421            {0x4d, 0x2c, 0x15, 0x24, 0xca, 0x4b, 0xaa, 0x4e,
6422             0xef, 0xcc, 0xe6, 0xb9, 0x1b, 0x22, 0x7e, 0xe8,
6423             0x3a, 0xba, 0xff, 0x81, 0x05, 0xdc, 0xaf, 0xa2,
6424             0xab, 0x19, 0x1f, 0x5d, 0xf2, 0x57, 0x50, 0x35}, 32,
6425            /* tag, tag length  */
6426            {0xe2, 0xc8, 0x65, 0xce, 0x2d, 0x7a, 0xbd, 0xac,
6427             0x02, 0x4c, 0x6f, 0x99, 0x1a, 0x84, 0x83, 0x90}, 16,
6428            /* valid */
6429            1,
6430        },
6431        {
6432            /* key, key length  */
6433            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6434             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6435            /* iv, iv length  */
6436            {0x0a, 0xf5, 0xaa, 0x7a, 0x76, 0x76, 0xe2, 0x83,
6437             0x06, 0x30, 0x6b, 0xcd, 0x9b, 0xf2, 0x00, 0x3a}, 16,
6438            /* aad, aad length  */
6439            {0x00}, 0,
6440            /* msg, msg length  */
6441            {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6442             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6443             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
6444             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
6445            /* ct, ct length  */
6446            {0x8e, 0xb0, 0x1e, 0x62, 0x18, 0x5d, 0x78, 0x2e,
6447             0xb9, 0x28, 0x7a, 0x34, 0x1a, 0x68, 0x62, 0xac,
6448             0x52, 0x57, 0xd6, 0xf9, 0xad, 0xc9, 0x9e, 0xe0,
6449             0xa2, 0x4d, 0x9c, 0x22, 0xb3, 0xe9, 0xb3, 0x8a}, 32,
6450            /* tag, tag length  */
6451            {0x39, 0xc3, 0x39, 0xbc, 0x8a, 0x74, 0xc7, 0x5e,
6452             0x2c, 0x65, 0xc6, 0x11, 0x95, 0x44, 0xd6, 0x1e}, 16,
6453            /* valid */
6454            1,
6455        },
6456        {
6457            /* key, key length  */
6458            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6459             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6460            /* iv, iv length  */
6461            {0xaf, 0x5a, 0x03, 0xae, 0x7e, 0xdd, 0x73, 0x47,
6462             0x1b, 0xdc, 0xdf, 0xac, 0x5e, 0x19, 0x4a, 0x60}, 16,
6463            /* aad, aad length  */
6464            {0x00}, 0,
6465            /* msg, msg length  */
6466            {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6467             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6468             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
6469             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 32,
6470            /* ct, ct length  */
6471            {0x94, 0xc5, 0xd2, 0xac, 0xa6, 0xdb, 0xbc, 0xe8,
6472             0xc2, 0x45, 0x13, 0xa2, 0x5e, 0x09, 0x5c, 0x0e,
6473             0x54, 0xa9, 0x42, 0x86, 0x0d, 0x32, 0x7a, 0x22,
6474             0x2a, 0x81, 0x5c, 0xc7, 0x13, 0xb1, 0x63, 0xb4}, 32,
6475            /* tag, tag length  */
6476            {0xf5, 0x0b, 0x30, 0x30, 0x4e, 0x45, 0xc9, 0xd4,
6477             0x11, 0xe8, 0xdf, 0x45, 0x08, 0xa9, 0x86, 0x12}, 16,
6478            /* valid */
6479            1,
6480        },
6481        {
6482            /* key, key length  */
6483            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6484             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6485            /* iv, iv length  */
6486            {0xb3, 0x70, 0x87, 0x68, 0x0f, 0x0e, 0xdd, 0x5a,
6487             0x52, 0x22, 0x8b, 0x8c, 0x7a, 0xae, 0xa6, 0x64}, 16,
6488            /* aad, aad length  */
6489            {0x00}, 0,
6490            /* msg, msg length  */
6491            {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6492             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6493             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
6494             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
6495             0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
6496             0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
6497             0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
6498             0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33}, 64,
6499            /* ct, ct length  */
6500            {0x3b, 0xb6, 0x17, 0x3e, 0x37, 0x72, 0xd4, 0xb6,
6501             0x2e, 0xef, 0x37, 0xf9, 0xef, 0x07, 0x81, 0xf3,
6502             0x60, 0xb6, 0xc7, 0x4b, 0xe3, 0xbf, 0x6b, 0x37,
6503             0x10, 0x67, 0xbc, 0x1b, 0x09, 0x0d, 0x9d, 0x66,
6504             0x22, 0xa1, 0xfb, 0xec, 0x6a, 0xc4, 0x71, 0xb3,
6505             0x34, 0x9c, 0xd4, 0x27, 0x7a, 0x10, 0x1d, 0x40,
6506             0x89, 0x0f, 0xbf, 0x27, 0xdf, 0xdc, 0xd0, 0xb4,
6507             0xe3, 0x78, 0x1f, 0x98, 0x06, 0xda, 0xab, 0xb6}, 64,
6508            /* tag, tag length  */
6509            {0xa0, 0x49, 0x87, 0x45, 0xe5, 0x99, 0x99, 0xdd,
6510             0xc3, 0x2d, 0x5b, 0x14, 0x02, 0x41, 0x12, 0x4e}, 16,
6511            /* valid */
6512            1,
6513        },
6514        {
6515            /* key, key length  */
6516            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6517             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6518            /* iv, iv length  */
6519            {0x4f, 0x80, 0x2d, 0xa6, 0x2a, 0x38, 0x45, 0x55,
6520             0xa1, 0x9b, 0xc2, 0xb3, 0x82, 0xeb, 0x25, 0xaf}, 16,
6521            /* aad, aad length  */
6522            {0x00}, 0,
6523            /* msg, msg length  */
6524            {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6525             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6526             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
6527             0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
6528             0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
6529             0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
6530             0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
6531             0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
6532             0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
6533             0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44}, 80,
6534            /* ct, ct length  */
6535            {0xe9, 0xb0, 0xbb, 0x88, 0x57, 0x81, 0x8c, 0xe3,
6536             0x20, 0x1c, 0x36, 0x90, 0xd2, 0x1d, 0xaa, 0x7f,
6537             0x26, 0x4f, 0xb8, 0xee, 0x93, 0xcc, 0x7a, 0x46,
6538             0x74, 0xea, 0x2f, 0xc3, 0x2b, 0xf1, 0x82, 0xfb,
6539             0x2a, 0x7e, 0x8a, 0xd5, 0x15, 0x07, 0xad, 0x4f,
6540             0x31, 0xce, 0xfc, 0x23, 0x56, 0xfe, 0x79, 0x36,
6541             0xa7, 0xf6, 0xe1, 0x9f, 0x95, 0xe8, 0x8f, 0xdb,
6542             0xf1, 0x76, 0x20, 0x91, 0x6d, 0x3a, 0x6f, 0x3d,
6543             0x01, 0xfc, 0x17, 0xd3, 0x58, 0x67, 0x2f, 0x77,
6544             0x7f, 0xd4, 0x09, 0x92, 0x46, 0xe4, 0x36, 0xe1}, 80,
6545            /* tag, tag length  */
6546            {0x67, 0x91, 0x0b, 0xe7, 0x44, 0xb8, 0x31, 0x5a,
6547             0xe0, 0xeb, 0x61, 0x24, 0x59, 0x0c, 0x5d, 0x8b}, 16,
6548            /* valid */
6549            1,
6550        },
6551        {
6552            /* key, key length  */
6553            {0xb6, 0x7b, 0x1a, 0x6e, 0xfd, 0xd4, 0x0d, 0x37,
6554             0x08, 0x0f, 0xbe, 0x8f, 0x80, 0x47, 0xae, 0xb9}, 16,
6555            /* iv, iv length  */
6556            {0xfa, 0x29, 0x4b, 0x12, 0x99, 0x72, 0xf7, 0xfc,
6557             0x5b, 0xbd, 0x5b, 0x96, 0xbb, 0xa8, 0x37, 0xc9}, 16,
6558            /* aad, aad length  */
6559            {0x00}, 0,
6560            /* msg, msg length  */
6561            {0x00}, 0,
6562            /* ct, ct length  */
6563            {0x00}, 0,
6564            /* tag, tag length  */
6565            {0xb1, 0x4b, 0x64, 0xfb, 0x58, 0x98, 0x99, 0x69,
6566             0x95, 0x70, 0xcc, 0x91, 0x60, 0xe3, 0x98, 0x96}, 16,
6567            /* valid */
6568            1,
6569        },
6570        {
6571            /* key, key length  */
6572            {0x20, 0x9e, 0x6d, 0xbf, 0x2a, 0xd2, 0x6a, 0x10,
6573             0x54, 0x45, 0xfc, 0x02, 0x07, 0xcd, 0x9e, 0x9a}, 16,
6574            /* iv, iv length  */
6575            {0x94, 0x77, 0x84, 0x9d, 0x6c, 0xcd, 0xfc, 0xa1,
6576             0x12, 0xd9, 0x2e, 0x53, 0xfa, 0xe4, 0xa7, 0xca}, 16,
6577            /* aad, aad length  */
6578            {0x00}, 0,
6579            /* msg, msg length  */
6580            {0x01}, 1,
6581            /* ct, ct length  */
6582            {0x1d}, 1,
6583            /* tag, tag length  */
6584            {0x52, 0xa5, 0xf6, 0x00, 0xfe, 0x53, 0x38, 0x02,
6585             0x6a, 0x7c, 0xb0, 0x9c, 0x11, 0x64, 0x00, 0x82}, 16,
6586            /* valid */
6587            1,
6588        },
6589        {
6590            /* key, key length  */
6591            {0xa5, 0x49, 0x44, 0x2e, 0x35, 0x15, 0x40, 0x32,
6592             0xd0, 0x7c, 0x86, 0x66, 0x00, 0x6a, 0xa6, 0xa2}, 16,
6593            /* iv, iv length  */
6594            {0x51, 0x71, 0x52, 0x45, 0x68, 0xe8, 0x1d, 0x97,
6595             0xe8, 0xc4, 0xde, 0x4b, 0xa5, 0x6c, 0x10, 0xa0}, 16,
6596            /* aad, aad length  */
6597            {0x00}, 0,
6598            /* msg, msg length  */
6599            {0x11, 0x82, 0xe9, 0x35, 0x96, 0xca, 0xc5, 0x60,
6600             0x89, 0x46, 0x40, 0x0b, 0xc7, 0x3f, 0x3a}, 15,
6601            /* ct, ct length  */
6602            {0xd7, 0xb8, 0xa6, 0xb4, 0x3d, 0x2e, 0x9f, 0x98,
6603             0xc2, 0xb4, 0x4c, 0xe5, 0xe3, 0xcf, 0xdb}, 15,
6604            /* tag, tag length  */
6605            {0x1b, 0xdd, 0x52, 0xfc, 0x98, 0x7d, 0xaf, 0x0e,
6606             0xe1, 0x92, 0x34, 0xc9, 0x05, 0xea, 0x64, 0x5f}, 16,
6607            /* valid */
6608            1,
6609        },
6610        {
6611            /* key, key length  */
6612            {0x95, 0x8b, 0xcd, 0xb6, 0x6a, 0x39, 0x52, 0xb5,
6613             0x37, 0x01, 0x58, 0x2a, 0x68, 0xa0, 0xe4, 0x74}, 16,
6614            /* iv, iv length  */
6615            {0x0e, 0x6e, 0xc8, 0x79, 0xb0, 0x2c, 0x6f, 0x51,
6616             0x69, 0x76, 0xe3, 0x58, 0x98, 0x42, 0x8d, 0xa7}, 16,
6617            /* aad, aad length  */
6618            {0x00}, 0,
6619            /* msg, msg length  */
6620            {0x14, 0x04, 0x15, 0x82, 0x3e, 0xcc, 0x89, 0x32,
6621             0xa0, 0x58, 0x38, 0x4b, 0x73, 0x8e, 0xa6, 0xea,
6622             0x6d, 0x4d, 0xfe, 0x3b, 0xbe, 0xee}, 22,
6623            /* ct, ct length  */
6624            {0x73, 0xe5, 0xc6, 0xf0, 0xe7, 0x03, 0xa5, 0x2d,
6625             0x02, 0xf7, 0xf7, 0xfa, 0xeb, 0x1b, 0x77, 0xfd,
6626             0x4f, 0xd0, 0xcb, 0x42, 0x1e, 0xaf}, 22,
6627            /* tag, tag length  */
6628            {0x6c, 0x15, 0x4a, 0x85, 0x96, 0x8e, 0xdd, 0x74,
6629             0x77, 0x65, 0x75, 0xa4, 0x45, 0x0b, 0xd8, 0x97}, 16,
6630            /* valid */
6631            1,
6632        },
6633        {
6634            /* key, key length  */
6635            {0x96, 0x5b, 0x75, 0x7b, 0xa5, 0x01, 0x8a, 0x8d,
6636             0x66, 0xed, 0xc7, 0x8e, 0x0c, 0xee, 0xe8, 0x6b}, 16,
6637            /* iv, iv length  */
6638            {0x2e, 0x35, 0x90, 0x1a, 0xe7, 0xd4, 0x91, 0xee,
6639             0xcc, 0x88, 0x38, 0xfe, 0xdd, 0x63, 0x14, 0x05}, 16,
6640            /* aad, aad length  */
6641            {0xdf, 0x10, 0xd0, 0xd2, 0x12, 0x24, 0x24, 0x50}, 8,
6642            /* msg, msg length  */
6643            {0x36, 0xe5, 0x7a, 0x76, 0x39, 0x58, 0xb0, 0x2c,
6644             0xea, 0x9d, 0x6a, 0x67, 0x6e, 0xbc, 0xe8, 0x1f}, 16,
6645            /* ct, ct length  */
6646            {0x93, 0x6b, 0x69, 0xb6, 0xc9, 0x55, 0xad, 0xfd,
6647             0x15, 0x53, 0x9b, 0x9b, 0xe4, 0x98, 0x9c, 0xb6}, 16,
6648            /* tag, tag length  */
6649            {0xee, 0x15, 0xa1, 0x45, 0x4e, 0x88, 0xfa, 0xad,
6650             0x8e, 0x48, 0xa8, 0xdf, 0x29, 0x83, 0xb4, 0x25}, 16,
6651            /* valid */
6652            1,
6653        },
6654        {
6655            /* key, key length  */
6656            {0x88, 0xd0, 0x20, 0x33, 0x78, 0x1c, 0x7b, 0x41,
6657             0x64, 0x71, 0x1a, 0x05, 0x42, 0x0f, 0x25, 0x6e}, 16,
6658            /* iv, iv length  */
6659            {0x7f, 0x29, 0x85, 0x29, 0x63, 0x15, 0x50, 0x7a,
6660             0xa4, 0xc0, 0xa9, 0x3d, 0x5c, 0x12, 0xbd, 0x77}, 16,
6661            /* aad, aad length  */
6662            {0x7c, 0x57, 0x1d, 0x2f, 0xbb, 0x5f, 0x62, 0x52,
6663             0x3c, 0x0e, 0xb3, 0x38, 0xbe, 0xf9, 0xa9}, 15,
6664            /* msg, msg length  */
6665            {0xd9, 0x8a, 0xdc, 0x03, 0xd9, 0xd5, 0x82, 0x73,
6666             0x2e, 0xb0, 0x7d, 0xf2, 0x3d, 0x7b, 0x9f, 0x74}, 16,
6667            /* ct, ct length  */
6668            {0x67, 0xca, 0xac, 0x35, 0x44, 0x3a, 0x31, 0x38,
6669             0xd2, 0xcb, 0x81, 0x1f, 0x0c, 0xe0, 0x4d, 0xd2}, 16,
6670            /* tag, tag length  */
6671            {0xb7, 0x96, 0x8e, 0x0b, 0x56, 0x40, 0xe3, 0xb2,
6672             0x36, 0x56, 0x96, 0x53, 0x20, 0x8b, 0x9d, 0xeb}, 16,
6673            /* valid */
6674            1,
6675        },
6676        {
6677            /* key, key length  */
6678            {0x51, 0x58, 0x40, 0xcf, 0x67, 0xd2, 0xe4, 0x0e,
6679             0xb6, 0x5e, 0x54, 0xa2, 0x4c, 0x72, 0xcb, 0xf2}, 16,
6680            /* iv, iv length  */
6681            {0xbf, 0x47, 0xaf, 0xdf, 0xd4, 0x92, 0x13, 0x7a,
6682             0x24, 0x23, 0x6b, 0xc3, 0x67, 0x97, 0xa8, 0x8e}, 16,
6683            /* aad, aad length  */
6684            {0x16, 0x84, 0x3c, 0x09, 0x1d, 0x43, 0xb0, 0xa1,
6685             0x91, 0xd0, 0xc7, 0x3d, 0x15, 0x60, 0x1b, 0xe9}, 16,
6686            /* msg, msg length  */
6687            {0xc8, 0x34, 0x58, 0x8c, 0xb6, 0xda, 0xf9, 0xf0,
6688             0x6d, 0xd2, 0x35, 0x19, 0xf4, 0xbe, 0x9f, 0x56}, 16,
6689            /* ct, ct length  */
6690            {0x20, 0x0a, 0xc4, 0x51, 0xfb, 0xeb, 0x0f, 0x61,
6691             0x51, 0xd6, 0x15, 0x83, 0xa4, 0x3b, 0x73, 0x43}, 16,
6692            /* tag, tag length  */
6693            {0x2a, 0xd4, 0x3e, 0x4c, 0xaa, 0x51, 0x98, 0x3a,
6694             0x9d, 0x4d, 0x24, 0x48, 0x1b, 0xf4, 0xc8, 0x39}, 16,
6695            /* valid */
6696            1,
6697        },
6698        {
6699            /* key, key length  */
6700            {0x2e, 0x44, 0x92, 0xd4, 0x44, 0xe5, 0xb6, 0xf4,
6701             0xce, 0xc8, 0xc2, 0xd3, 0x61, 0x5a, 0xc8, 0x58}, 16,
6702            /* iv, iv length  */
6703            {0xd0, 0x2b, 0xf0, 0x76, 0x3a, 0x9f, 0xef, 0xbf,
6704             0x70, 0xc3, 0x3a, 0xee, 0x1e, 0x9d, 0xa1, 0xd6}, 16,
6705            /* aad, aad length  */
6706            {0x90, 0x4d, 0x86, 0xf1, 0x33, 0xce, 0xc1, 0x5a,
6707             0x0c, 0x3c, 0xaf, 0x14, 0xd7, 0xe0, 0x29, 0xc8,
6708             0x2a, 0x07, 0x70, 0x5a, 0x23, 0xf0, 0xd0, 0x80}, 24,
6709            /* msg, msg length  */
6710            {0x9e, 0x62, 0xd6, 0x51, 0x1b, 0x0b, 0xda, 0x7d,
6711             0xd7, 0x74, 0x0b, 0x61, 0x4d, 0x97, 0xba, 0xe0}, 16,
6712            /* ct, ct length  */
6713            {0x27, 0xc6, 0xe9, 0xa6, 0x53, 0xc5, 0x25, 0x3c,
6714             0xa1, 0xc5, 0x67, 0x3f, 0x97, 0xb9, 0xb3, 0x3e}, 16,
6715            /* tag, tag length  */
6716            {0x2d, 0x58, 0x12, 0x71, 0xe1, 0xfa, 0x9e, 0x36,
6717             0x86, 0x13, 0x6c, 0xaa, 0x8f, 0x4d, 0x6c, 0x8e}, 16,
6718            /* valid */
6719            1,
6720        },
6721        {
6722            /* key, key length  */
6723            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6724             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6725            /* iv, iv length  */
6726            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6727             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6728            /* aad, aad length  */
6729            {0x00}, 0,
6730            /* msg, msg length  */
6731            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6732             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6733            /* ct, ct length  */
6734            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6735             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6736            /* tag, tag length  */
6737            {0xe7, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
6738             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6739            /* valid */
6740            0,
6741        },
6742        {
6743            /* key, key length  */
6744            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6745             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6746            /* iv, iv length  */
6747            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6748             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6749            /* aad, aad length  */
6750            {0x00}, 0,
6751            /* msg, msg length  */
6752            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6753             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6754            /* ct, ct length  */
6755            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6756             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6757            /* tag, tag length  */
6758            {0xe4, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
6759             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6760            /* valid */
6761            0,
6762        },
6763        {
6764            /* key, key length  */
6765            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6766             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6767            /* iv, iv length  */
6768            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6769             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6770            /* aad, aad length  */
6771            {0x00}, 0,
6772            /* msg, msg length  */
6773            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6774             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6775            /* ct, ct length  */
6776            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6777             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6778            /* tag, tag length  */
6779            {0x66, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
6780             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6781            /* valid */
6782            0,
6783        },
6784        {
6785            /* key, key length  */
6786            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6787             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6788            /* iv, iv length  */
6789            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6790             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6791            /* aad, aad length  */
6792            {0x00}, 0,
6793            /* msg, msg length  */
6794            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6795             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6796            /* ct, ct length  */
6797            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6798             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6799            /* tag, tag length  */
6800            {0xe6, 0x0f, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
6801             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6802            /* valid */
6803            0,
6804        },
6805        {
6806            /* key, key length  */
6807            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6808             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6809            /* iv, iv length  */
6810            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6811             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6812            /* aad, aad length  */
6813            {0x00}, 0,
6814            /* msg, msg length  */
6815            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6816             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6817            /* ct, ct length  */
6818            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6819             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6820            /* tag, tag length  */
6821            {0xe6, 0x0e, 0x7c, 0xd0, 0x13, 0xa6, 0xdb, 0xf2,
6822             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6823            /* valid */
6824            0,
6825        },
6826        {
6827            /* key, key length  */
6828            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6829             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6830            /* iv, iv length  */
6831            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6832             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6833            /* aad, aad length  */
6834            {0x00}, 0,
6835            /* msg, msg length  */
6836            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6837             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6838            /* ct, ct length  */
6839            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6840             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6841            /* tag, tag length  */
6842            {0xe6, 0x0e, 0x7c, 0x50, 0x12, 0xa6, 0xdb, 0xf2,
6843             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6844            /* valid */
6845            0,
6846        },
6847        {
6848            /* key, key length  */
6849            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6850             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6851            /* iv, iv length  */
6852            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6853             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6854            /* aad, aad length  */
6855            {0x00}, 0,
6856            /* msg, msg length  */
6857            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6858             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6859            /* ct, ct length  */
6860            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6861             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6862            /* tag, tag length  */
6863            {0xe6, 0x0e, 0x7c, 0x50, 0x11, 0xa6, 0xdb, 0xf2,
6864             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6865            /* valid */
6866            0,
6867        },
6868        {
6869            /* key, key length  */
6870            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6871             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6872            /* iv, iv length  */
6873            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6874             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6875            /* aad, aad length  */
6876            {0x00}, 0,
6877            /* msg, msg length  */
6878            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6879             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6880            /* ct, ct length  */
6881            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6882             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6883            /* tag, tag length  */
6884            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0x72,
6885             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6886            /* valid */
6887            0,
6888        },
6889        {
6890            /* key, key length  */
6891            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6892             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6893            /* iv, iv length  */
6894            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6895             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6896            /* aad, aad length  */
6897            {0x00}, 0,
6898            /* msg, msg length  */
6899            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6900             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6901            /* ct, ct length  */
6902            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6903             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6904            /* tag, tag length  */
6905            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
6906             0x53, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6907            /* valid */
6908            0,
6909        },
6910        {
6911            /* key, key length  */
6912            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6913             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6914            /* iv, iv length  */
6915            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6916             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6917            /* aad, aad length  */
6918            {0x00}, 0,
6919            /* msg, msg length  */
6920            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6921             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6922            /* ct, ct length  */
6923            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6924             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6925            /* tag, tag length  */
6926            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
6927             0xd2, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6928            /* valid */
6929            0,
6930        },
6931        {
6932            /* key, key length  */
6933            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6934             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6935            /* iv, iv length  */
6936            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6937             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6938            /* aad, aad length  */
6939            {0x00}, 0,
6940            /* msg, msg length  */
6941            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6942             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6943            /* ct, ct length  */
6944            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6945             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6946            /* tag, tag length  */
6947            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
6948             0x52, 0xb8, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6949            /* valid */
6950            0,
6951        },
6952        {
6953            /* key, key length  */
6954            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6955             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6956            /* iv, iv length  */
6957            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6958             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6959            /* aad, aad length  */
6960            {0x00}, 0,
6961            /* msg, msg length  */
6962            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6963             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6964            /* ct, ct length  */
6965            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6966             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6967            /* tag, tag length  */
6968            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
6969             0x52, 0x98, 0xb0, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
6970            /* valid */
6971            0,
6972        },
6973        {
6974            /* key, key length  */
6975            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6976             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6977            /* iv, iv length  */
6978            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
6979             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
6980            /* aad, aad length  */
6981            {0x00}, 0,
6982            /* msg, msg length  */
6983            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
6984             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
6985            /* ct, ct length  */
6986            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
6987             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
6988            /* tag, tag length  */
6989            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
6990             0x52, 0x98, 0xb1, 0x92, 0x9a, 0xc3, 0x56, 0xa7}, 16,
6991            /* valid */
6992            0,
6993        },
6994        {
6995            /* key, key length  */
6996            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
6997             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
6998            /* iv, iv length  */
6999            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7000             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7001            /* aad, aad length  */
7002            {0x00}, 0,
7003            /* msg, msg length  */
7004            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7005             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7006            /* ct, ct length  */
7007            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7008             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7009            /* tag, tag length  */
7010            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
7011             0x52, 0x98, 0xb1, 0x92, 0x99, 0xc3, 0x56, 0xa7}, 16,
7012            /* valid */
7013            0,
7014        },
7015        {
7016            /* key, key length  */
7017            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7018             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7019            /* iv, iv length  */
7020            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7021             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7022            /* aad, aad length  */
7023            {0x00}, 0,
7024            /* msg, msg length  */
7025            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7026             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7027            /* ct, ct length  */
7028            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7029             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7030            /* tag, tag length  */
7031            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
7032             0x52, 0x98, 0xb1, 0x92, 0x1b, 0xc3, 0x56, 0xa7}, 16,
7033            /* valid */
7034            0,
7035        },
7036        {
7037            /* key, key length  */
7038            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7039             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7040            /* iv, iv length  */
7041            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7042             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7043            /* aad, aad length  */
7044            {0x00}, 0,
7045            /* msg, msg length  */
7046            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7047             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7048            /* ct, ct length  */
7049            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7050             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7051            /* tag, tag length  */
7052            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
7053             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa6}, 16,
7054            /* valid */
7055            0,
7056        },
7057        {
7058            /* key, key length  */
7059            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7060             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7061            /* iv, iv length  */
7062            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7063             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7064            /* aad, aad length  */
7065            {0x00}, 0,
7066            /* msg, msg length  */
7067            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7068             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7069            /* ct, ct length  */
7070            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7071             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7072            /* tag, tag length  */
7073            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
7074             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa5}, 16,
7075            /* valid */
7076            0,
7077        },
7078        {
7079            /* key, key length  */
7080            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7081             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7082            /* iv, iv length  */
7083            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7084             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7085            /* aad, aad length  */
7086            {0x00}, 0,
7087            /* msg, msg length  */
7088            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7089             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7090            /* ct, ct length  */
7091            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7092             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7093            /* tag, tag length  */
7094            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
7095             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xe7}, 16,
7096            /* valid */
7097            0,
7098        },
7099        {
7100            /* key, key length  */
7101            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7102             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7103            /* iv, iv length  */
7104            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7105             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7106            /* aad, aad length  */
7107            {0x00}, 0,
7108            /* msg, msg length  */
7109            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7110             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7111            /* ct, ct length  */
7112            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7113             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7114            /* tag, tag length  */
7115            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
7116             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0x27}, 16,
7117            /* valid */
7118            0,
7119        },
7120        {
7121            /* key, key length  */
7122            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7123             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7124            /* iv, iv length  */
7125            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7126             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7127            /* aad, aad length  */
7128            {0x00}, 0,
7129            /* msg, msg length  */
7130            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7131             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7132            /* ct, ct length  */
7133            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7134             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7135            /* tag, tag length  */
7136            {0xe7, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0xf2,
7137             0x53, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
7138            /* valid */
7139            0,
7140        },
7141        {
7142            /* key, key length  */
7143            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7144             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7145            /* iv, iv length  */
7146            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7147             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7148            /* aad, aad length  */
7149            {0x00}, 0,
7150            /* msg, msg length  */
7151            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7152             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7153            /* ct, ct length  */
7154            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7155             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7156            /* tag, tag length  */
7157            {0xe6, 0x0e, 0x7c, 0xd0, 0x13, 0xa6, 0xdb, 0x72,
7158             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0xa7}, 16,
7159            /* valid */
7160            0,
7161        },
7162        {
7163            /* key, key length  */
7164            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7165             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7166            /* iv, iv length  */
7167            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7168             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7169            /* aad, aad length  */
7170            {0x00}, 0,
7171            /* msg, msg length  */
7172            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7173             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7174            /* ct, ct length  */
7175            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7176             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7177            /* tag, tag length  */
7178            {0xe6, 0x0e, 0x7c, 0x50, 0x13, 0xa6, 0xdb, 0x72,
7179             0x52, 0x98, 0xb1, 0x92, 0x9b, 0xc3, 0x56, 0x27}, 16,
7180            /* valid */
7181            0,
7182        },
7183        {
7184            /* key, key length  */
7185            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7186             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7187            /* iv, iv length  */
7188            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7189             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7190            /* aad, aad length  */
7191            {0x00}, 0,
7192            /* msg, msg length  */
7193            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7194             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7195            /* ct, ct length  */
7196            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7197             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7198            /* tag, tag length  */
7199            {0x19, 0xf1, 0x83, 0xaf, 0xec, 0x59, 0x24, 0x0d,
7200             0xad, 0x67, 0x4e, 0x6d, 0x64, 0x3c, 0xa9, 0x58}, 16,
7201            /* valid */
7202            0,
7203        },
7204        {
7205            /* key, key length  */
7206            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7207             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7208            /* iv, iv length  */
7209            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7210             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7211            /* aad, aad length  */
7212            {0x00}, 0,
7213            /* msg, msg length  */
7214            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7215             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7216            /* ct, ct length  */
7217            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7218             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7219            /* tag, tag length  */
7220            {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7221             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 16,
7222            /* valid */
7223            0,
7224        },
7225        {
7226            /* key, key length  */
7227            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7228             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7229            /* iv, iv length  */
7230            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7231             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7232            /* aad, aad length  */
7233            {0x00}, 0,
7234            /* msg, msg length  */
7235            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7236             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7237            /* ct, ct length  */
7238            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7239             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7240            /* tag, tag length  */
7241            {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7242             0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 16,
7243            /* valid */
7244            0,
7245        },
7246        {
7247            /* key, key length  */
7248            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7249             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7250            /* iv, iv length  */
7251            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7252             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7253            /* aad, aad length  */
7254            {0x00}, 0,
7255            /* msg, msg length  */
7256            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7257             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7258            /* ct, ct length  */
7259            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7260             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7261            /* tag, tag length  */
7262            {0x66, 0x8e, 0xfc, 0xd0, 0x93, 0x26, 0x5b, 0x72,
7263             0xd2, 0x18, 0x31, 0x12, 0x1b, 0x43, 0xd6, 0x27}, 16,
7264            /* valid */
7265            0,
7266        },
7267        {
7268            /* key, key length  */
7269            {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7270             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16,
7271            /* iv, iv length  */
7272            {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
7273             0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f}, 16,
7274            /* aad, aad length  */
7275            {0x00}, 0,
7276            /* msg, msg length  */
7277            {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
7278             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, 16,
7279            /* ct, ct length  */
7280            {0x29, 0xa0, 0x91, 0x4f, 0xec, 0x4b, 0xef, 0x54,
7281             0xba, 0xbf, 0x66, 0x13, 0xa9, 0xf9, 0xcd, 0x70}, 16,
7282            /* tag, tag length  */
7283            {0xe7, 0x0f, 0x7d, 0x51, 0x12, 0xa7, 0xda, 0xf3,
7284             0x53, 0x99, 0xb0, 0x93, 0x9a, 0xc2, 0x57, 0xa6}, 16,
7285            /* valid */
7286            0,
7287        },
7288    #endif
7289    };
7290
7291    byte ciphertext[sizeof(vectors[0].ct)];
7292    byte authtag[sizeof(vectors[0].tag)];
7293    int i;
7294    int len;
7295    int ret;
7296
7297
7298    for (i = 0; i < (int)(sizeof(vectors)/sizeof(vectors[0])); i++) {
7299
7300        XMEMSET(ciphertext, 0, sizeof(ciphertext));
7301
7302        len = sizeof(authtag);
7303        ExpectIntEQ(wc_AesEaxEncryptAuth(vectors[i].key, vectors[i].key_length,
7304                                         ciphertext,
7305                                         vectors[i].msg, vectors[i].msg_length,
7306                                         vectors[i].iv, vectors[i].iv_length,
7307                                         authtag, len,
7308                                         vectors[i].aad, vectors[i].aad_length),
7309                                         0);
7310
7311        /* check ciphertext matches vector */
7312        ExpectIntEQ(XMEMCMP(ciphertext, vectors[i].ct, vectors[i].ct_length),
7313                    0);
7314
7315        /* check that computed tag matches vector only for vectors marked as
7316         * valid */
7317        ret = XMEMCMP(authtag, vectors[i].tag, len);
7318        if (vectors[i].valid) {
7319            ExpectIntEQ(ret, 0);
7320        }
7321        else {
7322            ExpectIntNE(ret, 0);
7323        }
7324
7325        XMEMSET(ciphertext, 0, sizeof(ciphertext));
7326
7327        /* Decrypt using the tag computed by the encrypt call above (not vectors[i].tag); authentication must succeed */
7328        ExpectIntEQ(wc_AesEaxDecryptAuth(vectors[i].key, vectors[i].key_length,
7329                                         ciphertext,
7330                                         vectors[i].ct, vectors[i].ct_length,
7331                                         vectors[i].iv, vectors[i].iv_length,
7332                                         authtag, len,
7333                                         vectors[i].aad, vectors[i].aad_length),
7334                                         0);
7335
7336        /* check decrypted ciphertext matches vector plaintext */
7337        ExpectIntEQ(XMEMCMP(ciphertext, vectors[i].msg, vectors[i].msg_length),
7338                    0);
7339    }
7340    return EXPECT_RESULT();
7341} /* END test_wc_AesEaxVectors */
7342
/*
 * Argument-validation test for wc_AesEaxEncryptAuth().
 *
 * Makes one well-formed call, then checks that a NULL in each pointer
 * position, every unsupported key length from 0 to sizeof(key), and a tag
 * length one byte over the AES block size are all refused with
 * BAD_FUNC_ARG.  Only return codes are examined: the ciphertext and tag
 * written by the successful calls are not compared against known answers
 * in this function.
 */
int test_wc_AesEaxEncryptAuth(void)
{
    EXPECT_DECLS;

    /* 32 bytes, so any key length up to AES-256 can be taken from it */
    const byte key[] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
        0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
    };
    const byte iv[] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
        0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
    };
    const byte aad[] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
    };
    const byte msg[] = {
        0x00, 0x01, 0x02, 0x03, 0x04
    };

    byte ciphertext[sizeof(msg)];
    byte authtag[WC_AES_BLOCK_SIZE];
    int i;
    int len = (int)sizeof(authtag);

    /* Baseline: well-formed arguments with a full-block tag must succeed */
    ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key), ciphertext,
                                     msg, sizeof(msg), iv, sizeof(iv),
                                     authtag, (word32)len,
                                     aad, sizeof(aad)),
                0);

    /* Each pointer argument in turn is NULL while its length stays non-zero;
     * every such call is expected to be refused. */

    /* key */
    ExpectIntEQ(wc_AesEaxEncryptAuth(NULL, sizeof(key), ciphertext,
                                     msg, sizeof(msg), iv, sizeof(iv),
                                     authtag, (word32)len,
                                     aad, sizeof(aad)),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* output buffer */
    ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key), NULL,
                                     msg, sizeof(msg), iv, sizeof(iv),
                                     authtag, (word32)len,
                                     aad, sizeof(aad)),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* input message */
    ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key), ciphertext,
                                     NULL, sizeof(msg), iv, sizeof(iv),
                                     authtag, (word32)len,
                                     aad, sizeof(aad)),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* nonce */
    ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key), ciphertext,
                                     msg, sizeof(msg), NULL, sizeof(iv),
                                     authtag, (word32)len,
                                     aad, sizeof(aad)),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* tag output */
    ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key), ciphertext,
                                     msg, sizeof(msg), iv, sizeof(iv),
                                     NULL, (word32)len,
                                     aad, sizeof(aad)),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    /* associated data */
    ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key), ciphertext,
                                     msg, sizeof(msg), iv, sizeof(iv),
                                     authtag, (word32)len,
                                     NULL, sizeof(aad)),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    /* Sweep the claimed key length over 0..sizeof(key).  The bound keeps the
     * claimed length within the key buffer.  A length is expected to succeed
     * only when it equals an AES key size enabled in this build; every other
     * length must be rejected. */
    for (i = 0; i <= (int)sizeof(key); i++) {
        int exp_ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);

    #ifdef WOLFSSL_AES_128
        if (i == AES_128_KEY_SIZE) {
            exp_ret = 0;
        }
    #endif
    #ifdef WOLFSSL_AES_192
        if (i == AES_192_KEY_SIZE) {
            exp_ret = 0;
        }
    #endif
    #ifdef WOLFSSL_AES_256
        if (i == AES_256_KEY_SIZE) {
            exp_ret = 0;
        }
    #endif

        ExpectIntEQ(wc_AesEaxEncryptAuth(key, (word32)i, ciphertext,
                                         msg, sizeof(msg), iv, sizeof(iv),
                                         authtag, (word32)len,
                                         aad, sizeof(aad)),
                    exp_ret);
    }

    /* Tag length one byte larger than the AES block must be refused.
     * authtag holds only WC_AES_BLOCK_SIZE bytes, so this call depends on
     * the length being rejected rather than honoured (presumably before
     * anything is written to the tag buffer - confirm in the
     * implementation). */
    len = WC_AES_BLOCK_SIZE + 1;
    ExpectIntEQ(wc_AesEaxEncryptAuth(key, sizeof(key), ciphertext,
                                     msg, sizeof(msg), iv, sizeof(iv),
                                     authtag, (word32)len,
                                     aad, sizeof(aad)),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    return EXPECT_RESULT();
} /* END test_wc_AesEaxEncryptAuth() */
7466
7467/*
7468 * Testing wc_AesEaxDecryptAuth()
7469 */
7470int test_wc_AesEaxDecryptAuth(void)
7471{
7472    EXPECT_DECLS;
7473
7474    const byte key[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7475                        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
7476                        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
7477                        0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F};
7478    const byte iv[]  = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
7479                        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
7480                        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
7481                        0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F};
7482    const byte aad[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
7483    const byte ct[] =  {0x00, 0x01, 0x02, 0x03, 0x04};
7484    /* Garbage tag that should always fail for above aad */
7485    const byte tag[] = {0xFE, 0xED, 0xBE, 0xEF, 0xDE, 0xAD, 0xC0, 0xDE,
7486                        0xCA, 0xFE, 0xBE, 0xEF, 0xDE, 0xAF, 0xBE, 0xEF};
7487
7488    byte plaintext[sizeof(ct)];
7489    int i;
7490    int len;
7491
7492    len = sizeof(tag);
7493    ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
7494                                     plaintext,
7495                                     ct, sizeof(ct),
7496                                     iv, sizeof(iv),
7497                                     tag, (word32)len,
7498                                     aad, sizeof(aad)),
7499                                     WC_NO_ERR_TRACE(AES_EAX_AUTH_E));
7500
7501    /* Test null checking */
7502    ExpectIntEQ(wc_AesEaxDecryptAuth(NULL, sizeof(key),
7503                                     plaintext,
7504                                     ct, sizeof(ct),
7505                                     iv, sizeof(iv),
7506                                     tag, (word32)len,
7507                                     aad, sizeof(aad)),
7508                                     WC_NO_ERR_TRACE(BAD_FUNC_ARG));
7509    ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
7510                                     NULL,
7511                                     ct, sizeof(ct),
7512                                     iv, sizeof(iv),
7513                                     tag, (word32)len,
7514                                     aad, sizeof(aad)),
7515                                     WC_NO_ERR_TRACE(BAD_FUNC_ARG));
7516    ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
7517                                     plaintext,
7518                                     NULL, sizeof(ct),
7519                                     iv, sizeof(iv),
7520                                     tag, (word32)len,
7521                                     aad, sizeof(aad)),
7522                                     WC_NO_ERR_TRACE(BAD_FUNC_ARG));
7523    ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
7524                                     plaintext,
7525                                     ct, sizeof(ct),
7526                                     NULL, sizeof(iv),
7527                                     tag, (word32)len,
7528                                     aad, sizeof(aad)),
7529                                     WC_NO_ERR_TRACE(BAD_FUNC_ARG));
7530    ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
7531                                     plaintext,
7532                                     ct, sizeof(ct),
7533                                     iv, sizeof(iv),
7534                                     NULL, (word32)len,
7535                                     aad, sizeof(aad)),
7536                                     WC_NO_ERR_TRACE(BAD_FUNC_ARG));
7537    ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
7538                                     plaintext,
7539                                     ct, sizeof(ct),
7540                                     iv, sizeof(iv),
7541                                     tag, (word32)len,
7542                                     NULL, sizeof(aad)),
7543                                     WC_NO_ERR_TRACE(BAD_FUNC_ARG));
7544
7545    /* Test bad key lengths */
7546    for (i = 0; i <= 32; i++) {
7547        int exp_ret;
7548    #ifdef WOLFSSL_AES_128
7549        if (i == AES_128_KEY_SIZE) {
7550            exp_ret = WC_NO_ERR_TRACE(AES_EAX_AUTH_E);
7551        }
7552        else
7553    #endif
7554    #ifdef WOLFSSL_AES_192
7555        if (i == AES_192_KEY_SIZE) {
7556            exp_ret = WC_NO_ERR_TRACE(AES_EAX_AUTH_E);
7557        }
7558        else
7559    #endif
7560    #ifdef WOLFSSL_AES_256
7561        if (i == AES_256_KEY_SIZE) {
7562            exp_ret = WC_NO_ERR_TRACE(AES_EAX_AUTH_E);
7563        }
7564        else
7565    #endif
7566        {
7567            exp_ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
7568        }
7569
7570        ExpectIntEQ(wc_AesEaxDecryptAuth(key, (word32)i,
7571                                         plaintext,
7572                                         ct, sizeof(ct),
7573                                         iv, sizeof(iv),
7574                                         tag, (word32)len,
7575                                         aad, sizeof(aad)),
7576                                         exp_ret);
7577    }
7578
7579
7580    /* Test auth tag size out of range */
7581    len = WC_AES_BLOCK_SIZE + 1;
7582    ExpectIntEQ(wc_AesEaxDecryptAuth(key, sizeof(key),
7583                                     plaintext,
7584                                     ct, sizeof(ct),
7585                                     iv, sizeof(iv),
7586                                     tag, (word32)len,
7587                                     aad, sizeof(aad)),
7588                                     WC_NO_ERR_TRACE(BAD_FUNC_ARG));
7589
7590    return EXPECT_RESULT();
7591} /* END test_wc_AesEaxDecryptAuth() */
7592
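/*
 * Testing AES-EAX streaming (incremental) API:
 *   wc_AesEaxInit, wc_AesEaxEncryptUpdate, wc_AesEaxAuthDataUpdate,
 *   wc_AesEaxEncryptFinal, wc_AesEaxDecryptUpdate, wc_AesEaxDecryptFinal,
 *   wc_AesEaxFree
 *
 * Three known-answer vectors are run through encrypt and decrypt, with the
 * AAD supplied through Init, through the Update call, and through
 * AuthDataUpdate. The decrypt side is also run with a modified tag and with
 * the wrong AAD, which wc_AesEaxDecryptFinal is expected to reject with
 * AES_EAX_AUTH_E. Bad-argument checks follow. The body is compiled only when
 * WOLFSSL_AES_128 is defined; otherwise the function returns EXPECT_RESULT()
 * without running any check.
 */
int test_wc_AesEaxStream(void)
{
    EXPECT_DECLS;

#ifdef WOLFSSL_AES_128
    /* Wycheproof AES-EAX 128-bit key vectors */

    /* Vector 1: empty plaintext - AAD passed via Init */
    const byte key1[]   = {0x23, 0x39, 0x52, 0xde, 0xe4, 0xd5, 0xed, 0x5f,
                            0x9b, 0x9c, 0x6d, 0x6f, 0xf8, 0x0f, 0xf4, 0x78};
    const byte nonce1[] = {0x62, 0xec, 0x67, 0xf9, 0xc3, 0xa4, 0xa4, 0x07,
                            0xfc, 0xb2, 0xa8, 0xc4, 0x90, 0x31, 0xa8, 0xb3};
    const byte aad1[]   = {0x6b, 0xfb, 0x91, 0x4f, 0xd0, 0x7e, 0xae, 0x6b};
    const byte tag1[]   = {0xe0, 0x37, 0x83, 0x0e, 0x83, 0x89, 0xf2, 0x7b,
                            0x02, 0x5a, 0x2d, 0x65, 0x27, 0xe7, 0x9d, 0x01};

    /* Vector 2: 2-byte plaintext - AAD passed via EncryptUpdate */
    const byte key2[]   = {0x91, 0x94, 0x5d, 0x3f, 0x4d, 0xcb, 0xee, 0x0b,
                            0xf4, 0x5e, 0xf5, 0x22, 0x55, 0xf0, 0x95, 0xa4};
    const byte nonce2[] = {0xbe, 0xca, 0xf0, 0x43, 0xb0, 0xa2, 0x3d, 0x84,
                            0x31, 0x94, 0xba, 0x97, 0x2c, 0x66, 0xde, 0xbd};
    const byte aad2[]   = {0xfa, 0x3b, 0xfd, 0x48, 0x06, 0xeb, 0x53, 0xfa};
    const byte pt2[]    = {0xf7, 0xfb};
    const byte ct2[]    = {0x19, 0xdd};
    const byte tag2[]   = {0x5c, 0x4c, 0x93, 0x31, 0x04, 0x9d, 0x0b, 0xda,
                            0xb0, 0x27, 0x74, 0x08, 0xf6, 0x79, 0x67, 0xe5};

    /* Vector 3: 5-byte plaintext - multi-chunk, AAD via AuthDataUpdate */
    const byte key3[]   = {0x01, 0xf7, 0x4a, 0xd6, 0x40, 0x77, 0xf2, 0xe7,
                            0x04, 0xc0, 0xf6, 0x0a, 0xda, 0x3d, 0xd5, 0x23};
    const byte nonce3[] = {0x70, 0xc3, 0xdb, 0x4f, 0x0d, 0x26, 0x36, 0x84,
                            0x00, 0xa1, 0x0e, 0xd0, 0x5d, 0x2b, 0xff, 0x5e};
    const byte aad3[]   = {0x23, 0x4a, 0x34, 0x63, 0xc1, 0x26, 0x4a, 0xc6};
    const byte pt3[]    = {0x1a, 0x47, 0xcb, 0x49, 0x33};
    const byte ct3[]    = {0xd8, 0x51, 0xd5, 0xba, 0xe0};
    const byte tag3[]   = {0x3a, 0x59, 0xf2, 0x38, 0xa2, 0x3e, 0x39, 0x19,
                            0x9d, 0xc9, 0x26, 0x66, 0x26, 0xc4, 0x0f, 0x80};

    AesEax eax;
    byte   out[16];
    byte   tagBuf[WC_AES_BLOCK_SIZE];

    XMEMSET(&eax, 0, sizeof(eax));
    XMEMSET(out, 0, sizeof(out));
    XMEMSET(tagBuf, 0, sizeof(tagBuf));

    /* --- Test 1: empty plaintext, AAD passed to Init --- */
    ExpectIntEQ(wc_AesEaxInit(&eax, key1, sizeof(key1),
                              nonce1, sizeof(nonce1),
                              aad1, sizeof(aad1)), 0);
    ExpectIntEQ(wc_AesEaxEncryptFinal(&eax, tagBuf, sizeof(tag1)), 0);
    ExpectBufEQ(tagBuf, tag1, sizeof(tag1));
    ExpectIntEQ(wc_AesEaxFree(&eax), 0);

    /* --- Test 1d: empty plaintext decrypt --- */
    ExpectIntEQ(wc_AesEaxInit(&eax, key1, sizeof(key1),
                              nonce1, sizeof(nonce1),
                              aad1, sizeof(aad1)), 0);
    ExpectIntEQ(wc_AesEaxDecryptFinal(&eax, tag1, sizeof(tag1)), 0);
    ExpectIntEQ(wc_AesEaxFree(&eax), 0);

    /* --- Test 2: 2-byte plaintext, single EncryptUpdate with inline AAD --- */
    ExpectIntEQ(wc_AesEaxInit(&eax, key2, sizeof(key2),
                              nonce2, sizeof(nonce2),
                              NULL, 0), 0);
    ExpectIntEQ(wc_AesEaxEncryptUpdate(&eax, out, pt2, sizeof(pt2),
                                       aad2, sizeof(aad2)), 0);
    ExpectBufEQ(out, ct2, sizeof(ct2));
    ExpectIntEQ(wc_AesEaxEncryptFinal(&eax, tagBuf, sizeof(tag2)), 0);
    ExpectBufEQ(tagBuf, tag2, sizeof(tag2));
    ExpectIntEQ(wc_AesEaxFree(&eax), 0);

    /* --- Test 2d: 2-byte ciphertext, single DecryptUpdate with inline AAD --- */
    ExpectIntEQ(wc_AesEaxInit(&eax, key2, sizeof(key2),
                              nonce2, sizeof(nonce2),
                              NULL, 0), 0);
    ExpectIntEQ(wc_AesEaxDecryptUpdate(&eax, out, ct2, sizeof(ct2),
                                       aad2, sizeof(aad2)), 0);
    ExpectBufEQ(out, pt2, sizeof(pt2));
    ExpectIntEQ(wc_AesEaxDecryptFinal(&eax, tag2, sizeof(tag2)), 0);
    ExpectIntEQ(wc_AesEaxFree(&eax), 0);

    /* --- Test 3: 5-byte plaintext, multi-chunk encrypt with AuthDataUpdate --- */
    ExpectIntEQ(wc_AesEaxInit(&eax, key3, sizeof(key3),
                              nonce3, sizeof(nonce3),
                              NULL, 0), 0);
    /* Feed AAD via AuthDataUpdate split into two calls */
    ExpectIntEQ(wc_AesEaxAuthDataUpdate(&eax, aad3, 4), 0);
    ExpectIntEQ(wc_AesEaxAuthDataUpdate(&eax, aad3 + 4, sizeof(aad3) - 4), 0);
    /* Encrypt plaintext in two chunks */
    ExpectIntEQ(wc_AesEaxEncryptUpdate(&eax, out, pt3, 2, NULL, 0), 0);
    ExpectBufEQ(out, ct3, 2);
    ExpectIntEQ(wc_AesEaxEncryptUpdate(&eax, out + 2, pt3 + 2,
                                       (word32)(sizeof(pt3) - 2), NULL, 0), 0);
    ExpectBufEQ(out + 2, ct3 + 2, sizeof(ct3) - 2);
    ExpectIntEQ(wc_AesEaxEncryptFinal(&eax, tagBuf, sizeof(tag3)), 0);
    ExpectBufEQ(tagBuf, tag3, sizeof(tag3));
    ExpectIntEQ(wc_AesEaxFree(&eax), 0);

    /* --- Test 3d: 5-byte ciphertext, multi-chunk decrypt with AuthDataUpdate --- */
    ExpectIntEQ(wc_AesEaxInit(&eax, key3, sizeof(key3),
                              nonce3, sizeof(nonce3),
                              NULL, 0), 0);
    ExpectIntEQ(wc_AesEaxAuthDataUpdate(&eax, aad3, 4), 0);
    ExpectIntEQ(wc_AesEaxAuthDataUpdate(&eax, aad3 + 4, sizeof(aad3) - 4), 0);
    /* Decrypt ciphertext in two chunks */
    ExpectIntEQ(wc_AesEaxDecryptUpdate(&eax, out, ct3, 2, NULL, 0), 0);
    ExpectBufEQ(out, pt3, 2);
    ExpectIntEQ(wc_AesEaxDecryptUpdate(&eax, out + 2, ct3 + 2,
                                       (word32)(sizeof(ct3) - 2), NULL, 0), 0);
    ExpectBufEQ(out + 2, pt3 + 2, sizeof(pt3) - 2);
    ExpectIntEQ(wc_AesEaxDecryptFinal(&eax, tag3, sizeof(tag3)), 0);
    ExpectIntEQ(wc_AesEaxFree(&eax), 0);

    /* --- Authentication failures ---
     * The positive cases above only show that a correct tag is accepted.
     * These cases pin the other half of the contract: a wrong tag or wrong
     * AAD must make DecryptFinal return AES_EAX_AUTH_E. */

    /* --- Test 1n: empty plaintext, tag with one byte changed --- */
    XMEMCPY(tagBuf, tag1, sizeof(tag1));
    tagBuf[0] ^= 0xff;
    ExpectIntEQ(wc_AesEaxInit(&eax, key1, sizeof(key1),
                              nonce1, sizeof(nonce1),
                              aad1, sizeof(aad1)), 0);
    ExpectIntEQ(wc_AesEaxDecryptFinal(&eax, tagBuf, sizeof(tag1)),
                WC_NO_ERR_TRACE(AES_EAX_AUTH_E));
    ExpectIntEQ(wc_AesEaxFree(&eax), 0);

    /* --- Test 2n: correct ciphertext and AAD, tag with one byte changed ---
     * DecryptUpdate has already written to `out` by the time DecryptFinal
     * reports the failure, so a caller of the streaming API has to discard
     * that output whenever the final call does not return 0. */
    XMEMCPY(tagBuf, tag2, sizeof(tag2));
    tagBuf[0] ^= 0xff;
    ExpectIntEQ(wc_AesEaxInit(&eax, key2, sizeof(key2),
                              nonce2, sizeof(nonce2),
                              NULL, 0), 0);
    ExpectIntEQ(wc_AesEaxDecryptUpdate(&eax, out, ct2, sizeof(ct2),
                                       aad2, sizeof(aad2)), 0);
    ExpectIntEQ(wc_AesEaxDecryptFinal(&eax, tagBuf, sizeof(tag2)),
                WC_NO_ERR_TRACE(AES_EAX_AUTH_E));
    ExpectIntEQ(wc_AesEaxFree(&eax), 0);

    /* --- Test 2a: correct ciphertext and tag, AAD from another vector --- */
    ExpectIntEQ(wc_AesEaxInit(&eax, key2, sizeof(key2),
                              nonce2, sizeof(nonce2),
                              NULL, 0), 0);
    ExpectIntEQ(wc_AesEaxDecryptUpdate(&eax, out, ct2, sizeof(ct2),
                                       aad1, sizeof(aad1)), 0);
    ExpectIntEQ(wc_AesEaxDecryptFinal(&eax, tag2, sizeof(tag2)),
                WC_NO_ERR_TRACE(AES_EAX_AUTH_E));
    ExpectIntEQ(wc_AesEaxFree(&eax), 0);

    /* --- Bad args --- */
    /* wc_AesEaxInit */
    ExpectIntEQ(wc_AesEaxInit(NULL, key1, sizeof(key1),
                              nonce1, sizeof(nonce1), NULL, 0),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEaxInit(&eax, NULL, sizeof(key1),
                              nonce1, sizeof(nonce1), NULL, 0),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEaxInit(&eax, key1, sizeof(key1),
                              NULL, sizeof(nonce1), NULL, 0),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    /* wc_AesEaxAuthDataUpdate */
    ExpectIntEQ(wc_AesEaxAuthDataUpdate(NULL, aad1, sizeof(aad1)),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    /* wc_AesEaxEncryptFinal */
    ExpectIntEQ(wc_AesEaxEncryptFinal(NULL, tagBuf, WC_AES_BLOCK_SIZE),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    /* wc_AesEaxDecryptFinal NULL eax */
    ExpectIntEQ(wc_AesEaxDecryptFinal(NULL, tag1, sizeof(tag1)),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    /* wc_AesEaxDecryptFinal authInSz > WC_AES_BLOCK_SIZE */
    ExpectIntEQ(wc_AesEaxInit(&eax, key1, sizeof(key1),
                              nonce1, sizeof(nonce1), NULL, 0), 0);
    ExpectIntEQ(wc_AesEaxDecryptFinal(&eax, tag1, WC_AES_BLOCK_SIZE + 1),
                WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesEaxFree(&eax), 0);

    /* wc_AesEaxFree NULL */
    ExpectIntEQ(wc_AesEaxFree(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));

#endif /* WOLFSSL_AES_128 */

    return EXPECT_RESULT();
} /* END test_wc_AesEaxStream() */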
7751
7752#endif /* WOLFSSL_AES_EAX && WOLFSSL_AES_256
7753        * (!HAVE_FIPS || FIPS_VERSION_GE(5, 3)) && !HAVE_SELFTEST
7754        */
7755
7756/*----------------------------------------------------------------------------*
7757 | AES-SIV Test
7758 *----------------------------------------------------------------------------*/
7759
7760#if defined(WOLFSSL_AES_SIV) && defined(WOLFSSL_AES_128)
7761
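/*
 * Testing wc_AesSivEncrypt, wc_AesSivDecrypt,
 *         wc_AesSivEncrypt_ex, wc_AesSivDecrypt_ex.
 * Uses RFC 5297 Example A.1 (single assoc, no nonce) and A.2 (two assocs
 * plus a nonce).
 *
 * For each example the encrypt output is compared with the expected SIV and
 * ciphertext, and decrypt must recover the plaintext. Decrypt is also run
 * with a modified SIV (both APIs) and a modified ciphertext (A.1) and must
 * not return 0. NULL and zero-length arguments are checked last.
 */
int test_wc_AesSivEncryptDecrypt(void)
{
    EXPECT_DECLS;

    /* RFC 5297 Example A.1: single associated data buffer */
    const byte key_a1[] = {
        0xff,0xfe,0xfd,0xfc,0xfb,0xfa,0xf9,0xf8,
        0xf7,0xf6,0xf5,0xf4,0xf3,0xf2,0xf1,0xf0,
        0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
        0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
    };
    const byte assoc_a1[] = {
        0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
        0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
        0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27
    };
    const byte pt_a1[] = {
        0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,
        0x99,0xaa,0xbb,0xcc,0xdd,0xee
    };
    const byte siv_a1[] = {
        0x85,0x63,0x2d,0x07,0xc6,0xe8,0xf3,0x7f,
        0x95,0x0a,0xcd,0x32,0x0a,0x2e,0xcc,0x93
    };
    const byte ct_a1[] = {
        0x40,0xc0,0x2b,0x96,0x90,0xc4,0xdc,0x04,
        0xda,0xef,0x7f,0x6a,0xfe,0x5c
    };

    /* RFC 5297 Example A.2: two associated data buffers plus a nonce
     * (nonce_a2 is passed to the _ex calls below) */
    const byte key_a2[] = {
        0x7f,0x7e,0x7d,0x7c,0x7b,0x7a,0x79,0x78,
        0x77,0x76,0x75,0x74,0x73,0x72,0x71,0x70,
        0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,
        0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f
    };
    const byte assoc2_1_a2[] = {
        0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
        0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,
        0xde,0xad,0xda,0xda,0xde,0xad,0xda,0xda,
        0xff,0xee,0xdd,0xcc,0xbb,0xaa,0x99,0x88,
        0x77,0x66,0x55,0x44,0x33,0x22,0x11,0x00
    };
    const byte assoc2_2_a2[] = {
        0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80,
        0x90,0xa0
    };
    const byte nonce_a2[] = {
        0x09,0xf9,0x11,0x02,0x9d,0x74,0xe3,0x5b,
        0xd8,0x41,0x56,0xc5,0x63,0x56,0x88,0xc0
    };
    const byte pt_a2[] = {
        0x74,0x68,0x69,0x73,0x20,0x69,0x73,0x20,
        0x73,0x6f,0x6d,0x65,0x20,0x70,0x6c,0x61,
        0x69,0x6e,0x74,0x65,0x78,0x74,0x20,0x74,
        0x6f,0x20,0x65,0x6e,0x63,0x72,0x79,0x70,
        0x74,0x20,0x75,0x73,0x69,0x6e,0x67,0x20,
        0x53,0x49,0x56,0x2d,0x41,0x45,0x53
    };
    const byte siv_a2[] = {
        0x7b,0xdb,0x6e,0x3b,0x43,0x26,0x67,0xeb,
        0x06,0xf4,0xd1,0x4b,0xff,0x2f,0xbd,0x0f
    };
    const byte ct_a2[] = {
        0xcb,0x90,0x0f,0x2f,0xdd,0xbe,0x40,0x43,
        0x26,0x60,0x19,0x65,0xc8,0x89,0xbf,0x17,
        0xdb,0xa7,0x7c,0xeb,0x09,0x4f,0xa6,0x63,
        0xb7,0xa3,0xf7,0x48,0xba,0x8a,0xf8,0x29,
        0xea,0x64,0xad,0x54,0x4a,0x27,0x2e,0x9c,
        0x48,0x5b,0x62,0xa3,0xfd,0x5c,0x0d
    };

    byte siv[WC_AES_BLOCK_SIZE];
    byte ct[sizeof(pt_a2)];   /* large enough for both tests */
    byte pt[sizeof(pt_a2)];

    /* --- A.1: wc_AesSivEncrypt (single assoc, no nonce) --- */
    XMEMSET(siv, 0, sizeof(siv));
    XMEMSET(ct, 0, sizeof(ct));
    ExpectIntEQ(wc_AesSivEncrypt(key_a1, sizeof(key_a1),
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0,
                                 pt_a1, sizeof(pt_a1),
                                 siv, ct), 0);
    ExpectBufEQ(siv, siv_a1, sizeof(siv_a1));
    ExpectBufEQ(ct, ct_a1, sizeof(ct_a1));

    /* --- A.1: wc_AesSivDecrypt --- */
    XMEMSET(pt, 0, sizeof(pt));
    XMEMCPY(siv, siv_a1, sizeof(siv_a1));
    ExpectIntEQ(wc_AesSivDecrypt(key_a1, sizeof(key_a1),
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0,
                                 ct_a1, sizeof(ct_a1),
                                 siv, pt), 0);
    ExpectBufEQ(pt, pt_a1, sizeof(pt_a1));

    /* Corrupt SIV: decrypt must fail */
    siv[0] ^= 0xff;
    ExpectIntNE(wc_AesSivDecrypt(key_a1, sizeof(key_a1),
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0,
                                 ct_a1, sizeof(ct_a1),
                                 siv, pt), 0);

    /* Corrupt ciphertext under the correct SIV: decrypt must fail.
     * `ct` is reused as scratch; the A.2 block below clears it again. */
    XMEMCPY(siv, siv_a1, sizeof(siv_a1));
    XMEMCPY(ct, ct_a1, sizeof(ct_a1));
    ct[0] ^= 0xff;
    ExpectIntNE(wc_AesSivDecrypt(key_a1, sizeof(key_a1),
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0,
                                 ct, sizeof(ct_a1),
                                 siv, pt), 0);

    /* --- A.2: wc_AesSivEncrypt_ex (two assocs + nonce) --- */
    {
        const AesSivAssoc assocs[2] = {
            { assoc2_1_a2, sizeof(assoc2_1_a2) },
            { assoc2_2_a2, sizeof(assoc2_2_a2) }
        };
        XMEMSET(siv, 0, sizeof(siv));
        XMEMSET(ct, 0, sizeof(ct));
        ExpectIntEQ(wc_AesSivEncrypt_ex(key_a2, sizeof(key_a2),
                                        assocs, 2,
                                        nonce_a2, sizeof(nonce_a2),
                                        pt_a2, sizeof(pt_a2),
                                        siv, ct), 0);
        ExpectBufEQ(siv, siv_a2, sizeof(siv_a2));
        ExpectBufEQ(ct, ct_a2, sizeof(ct_a2));

        /* wc_AesSivDecrypt_ex */
        XMEMSET(pt, 0, sizeof(pt));
        XMEMCPY(siv, siv_a2, sizeof(siv_a2));
        ExpectIntEQ(wc_AesSivDecrypt_ex(key_a2, sizeof(key_a2),
                                        assocs, 2,
                                        nonce_a2, sizeof(nonce_a2),
                                        ct_a2, sizeof(ct_a2),
                                        siv, pt), 0);
        ExpectBufEQ(pt, pt_a2, sizeof(pt_a2));

        /* Corrupt SIV: the _ex decrypt must fail as well */
        siv[0] ^= 0xff;
        ExpectIntNE(wc_AesSivDecrypt_ex(key_a2, sizeof(key_a2),
                                        assocs, 2,
                                        nonce_a2, sizeof(nonce_a2),
                                        ct_a2, sizeof(ct_a2),
                                        siv, pt), 0);
    }

    /* --- Bad args: wc_AesSivEncrypt --- */
    ExpectIntNE(wc_AesSivEncrypt(NULL, sizeof(key_a1),
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0, pt_a1, sizeof(pt_a1), siv, ct), 0);
    ExpectIntNE(wc_AesSivEncrypt(key_a1, 0,
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0, pt_a1, sizeof(pt_a1), siv, ct), 0);
    ExpectIntNE(wc_AesSivEncrypt(key_a1, sizeof(key_a1),
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0, pt_a1, sizeof(pt_a1), NULL, ct), 0);
    ExpectIntNE(wc_AesSivEncrypt(key_a1, sizeof(key_a1),
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0, pt_a1, sizeof(pt_a1), siv, NULL), 0);

    /* --- Bad args: wc_AesSivDecrypt --- */
    XMEMCPY(siv, siv_a1, sizeof(siv_a1));
    ExpectIntNE(wc_AesSivDecrypt(NULL, sizeof(key_a1),
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0, ct_a1, sizeof(ct_a1), siv, pt), 0);
    ExpectIntNE(wc_AesSivDecrypt(key_a1, 0,
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0, ct_a1, sizeof(ct_a1), siv, pt), 0);
    ExpectIntNE(wc_AesSivDecrypt(key_a1, sizeof(key_a1),
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0, ct_a1, sizeof(ct_a1), NULL, pt), 0);
    ExpectIntNE(wc_AesSivDecrypt(key_a1, sizeof(key_a1),
                                 assoc_a1, sizeof(assoc_a1),
                                 NULL, 0, ct_a1, sizeof(ct_a1), siv, NULL), 0);

    return EXPECT_RESULT();
} /* END test_wc_AesSivEncryptDecrypt */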
7930
7931#endif /* WOLFSSL_AES_SIV && WOLFSSL_AES_128 */
7932
7933/*----------------------------------------------------------------------------*
7934 | CryptoCB AES SetKey Test
7935 *----------------------------------------------------------------------------*/
7936
7937#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_AES_SETKEY) && \
7938    !defined(NO_AES) && defined(HAVE_AESGCM)
7939
7940#include <wolfssl/wolfcrypt/cryptocb.h>
7941
/* CryptoCB device IDs used by the tests in test_aes.c; each must be unique:
 *   7 = AES setkey + AES-GCM offload  (TEST_CRYPTOCB_AES_DEVID)
 *   8 = AES-GCM end-to-end offload    (TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID)
 *   9 = TLS 1.3 key-zeroing offload   (see TEST_TLS13_ZERO_DEVID) */
#define TEST_CRYPTOCB_AES_DEVID  7

/* Stand-in for a secure element key slot. The raw key sits in ordinary
 * static memory here only because this is a test double; in a real SE it
 * would be held in secure hardware. */
typedef struct {
    byte key[AES_256_KEY_SIZE];   /* imported key bytes */
    word32 keySz;                 /* number of valid bytes in key[] */
    int valid;                    /* non-zero once a key has been imported */
} MockSeKeySlot;

/* The single mock slot; static storage, so it starts out zeroed */
static MockSeKeySlot mockSeKey;

/* Opaque handle the callback stores in aes->devCtx; it is the slot address */
static void* cryptoCbAesMockHandle = &mockSeKey;

/* Counters for how often the callback handled SetKey and Free */
static int cryptoCbAesSetKeyCalled;
static int cryptoCbAesFreeCalled;
7962
/* Build a software AES-GCM context from the mock slot behind aes->devCtx.
 *
 * Returns BAD_FUNC_ARG when aes is NULL or its devCtx is not the mock handle,
 * BAD_STATE_E when the slot holds no key, or the error from wc_AesInit /
 * wc_AesGcmSetKey. On 0 the caller owns tempAes and must wc_AesFree() it; on
 * any error there is nothing left for the caller to free.
 */
static int test_CryptoCb_Aes_LoadSlot(Aes* aes, Aes* tempAes)
{
    MockSeKeySlot* slot;
    int ret;

    /* Only serve contexts that were keyed through this callback */
    if (aes == NULL || aes->devCtx != cryptoCbAesMockHandle) {
        return BAD_FUNC_ARG;
    }

    slot = (MockSeKeySlot*)aes->devCtx;
    if (!slot->valid) {
        return BAD_STATE_E;
    }

    /* INVALID_DEVID keeps the inner context on the software path, so the
     * crypto below does not come back into this callback */
    XMEMSET(tempAes, 0, sizeof(*tempAes));
    ret = wc_AesInit(tempAes, NULL, INVALID_DEVID);
    if (ret != 0) return ret;

    ret = wc_AesGcmSetKey(tempAes, slot->key, slot->keySz);
    if (ret != 0) {
        wc_AesFree(tempAes);
    }
    return ret;
}

/* Test CryptoCB callback for AES key import operations.
 * It stands in for a Secure Element:
 * - SetKey copies the key into the mock slot and puts the slot handle in
 *   aes->devCtx (simulated key import)
 * - AES-GCM encrypt/decrypt run in software with the stored key
 * - Free zeroes the mock slot (simulated key deletion), only when
 *   WOLF_CRYPTO_CB_FREE is defined
 * Any other device ID or operation gets CRYPTOCB_UNAVAILABLE.
 */
static int test_CryptoCb_Aes_Cb(int devId, wc_CryptoInfo* info, void* ctx)
{
    (void)ctx;

    if (devId != TEST_CRYPTOCB_AES_DEVID)
        return CRYPTOCB_UNAVAILABLE;

    if (info->algo_type == WC_ALGO_TYPE_CIPHER) {
        /* AES SetKey operation - simulate SE key import */
        if (info->cipher.type == WC_CIPHER_AES &&
            info->cipher.aessetkey.aes != NULL) {

            Aes* target = info->cipher.aessetkey.aes;
            const byte* rawKey = info->cipher.aessetkey.key;
            word32 rawKeySz = info->cipher.aessetkey.keySz;

            /* Reject a missing key and anything larger than the slot */
            if (rawKey == NULL || rawKeySz == 0 ||
                rawKeySz > AES_256_KEY_SIZE) {
                return BAD_FUNC_ARG;
            }

            /* "Import" key to simulated SE storage */
            XMEMCPY(mockSeKey.key, rawKey, rawKeySz);
            mockSeKey.keySz = rawKeySz;
            mockSeKey.valid = 1;

            /* Store handle in aes->devCtx - this is what wolfSSL will use */
            target->devCtx = cryptoCbAesMockHandle;

            cryptoCbAesSetKeyCalled++;

            return 0;
        }

        /* AES-GCM - simulate SE crypto using the stored key */
        if (info->cipher.type == WC_CIPHER_AES_GCM) {
            Aes tempAes;
            int ret;

            if (info->cipher.enc) {
                ret = test_CryptoCb_Aes_LoadSlot(info->cipher.aesgcm_enc.aes,
                                                 &tempAes);
                if (ret != 0) return ret;

                /* Perform the actual encryption */
                ret = wc_AesGcmEncrypt(&tempAes,
                    info->cipher.aesgcm_enc.out,
                    info->cipher.aesgcm_enc.in,
                    info->cipher.aesgcm_enc.sz,
                    info->cipher.aesgcm_enc.iv,
                    info->cipher.aesgcm_enc.ivSz,
                    info->cipher.aesgcm_enc.authTag,
                    info->cipher.aesgcm_enc.authTagSz,
                    info->cipher.aesgcm_enc.authIn,
                    info->cipher.aesgcm_enc.authInSz);
            }
            else {
                ret = test_CryptoCb_Aes_LoadSlot(info->cipher.aesgcm_dec.aes,
                                                 &tempAes);
                if (ret != 0) return ret;

                /* Perform the actual decryption */
                ret = wc_AesGcmDecrypt(&tempAes,
                    info->cipher.aesgcm_dec.out,
                    info->cipher.aesgcm_dec.in,
                    info->cipher.aesgcm_dec.sz,
                    info->cipher.aesgcm_dec.iv,
                    info->cipher.aesgcm_dec.ivSz,
                    info->cipher.aesgcm_dec.authTag,
                    info->cipher.aesgcm_dec.authTagSz,
                    info->cipher.aesgcm_dec.authIn,
                    info->cipher.aesgcm_dec.authInSz);
            }

            wc_AesFree(&tempAes);

            return ret;
        }
    }

#ifdef WOLF_CRYPTO_CB_FREE
    /* Free operation - simulate SE key deletion */
    if (info->algo_type == WC_ALGO_TYPE_FREE &&
        info->free.algo == WC_ALGO_TYPE_CIPHER &&
        info->free.type == WC_CIPHER_AES) {

        Aes* owner = (Aes*)info->free.obj;

        /* Wipe the slot only for a context that holds our handle */
        if (owner != NULL && owner->devCtx == cryptoCbAesMockHandle) {
            /* "Delete" key from simulated SE */
            ForceZero(&mockSeKey, sizeof(mockSeKey));
            cryptoCbAesFreeCalled++;
        }

        return 0;
    }
#endif

    return CRYPTOCB_UNAVAILABLE;
}
8120
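/*
 * Test: CryptoCB AES SetKey hook for key import / secure element support
 *
 * Registers test_CryptoCb_Aes_Cb for TEST_CRYPTOCB_AES_DEVID, sets an
 * AES-128 GCM key on a context bound to that device and checks that the
 * callback ran, that aes->devCtx holds the mock handle, that the mock slot
 * holds the key, and that aes->devKey is still all zero. An encrypt/decrypt
 * round trip is then run through the callback. With WOLF_CRYPTO_CB_FREE,
 * wc_AesFree must reach the callback, clear devCtx and invalidate the slot.
 * Finally the same SetKey is repeated with INVALID_DEVID to confirm the
 * software path does not invoke the callback.
 */
int test_wc_CryptoCb_AesSetKey(void)
{
    EXPECT_DECLS;
#ifdef WOLFSSL_SMALL_STACK
    Aes* aes = NULL;
    byte* key = NULL;
    byte* iv = NULL;
    byte* plain = NULL;
    byte* cipher = NULL;
    byte* decrypted = NULL;
    byte* authTag = NULL;
#else
    Aes aes[1];
    byte key[AES_128_KEY_SIZE];
    byte iv[GCM_NONCE_MID_SZ];
    byte plain[16];
    byte cipher[16];
    byte decrypted[16];
    byte authTag[AES_BLOCK_SIZE];
#endif
    /* Lengths are named once and used everywhere below. With
     * WOLFSSL_SMALL_STACK the buffers are heap pointers, so sizeof(key),
     * sizeof(iv), sizeof(plain), ... would give the pointer size rather than
     * the buffer size. */
    const word32 keyLen = AES_128_KEY_SIZE;
    const word32 ivLen = GCM_NONCE_MID_SZ;
    const word32 dataLen = 16;
    const word32 tagLen = AES_BLOCK_SIZE;
    int ret;

#ifdef WOLFSSL_SMALL_STACK
    aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_TMP_BUFFER);
    key = (byte*)XMALLOC(keyLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    iv = (byte*)XMALLOC(ivLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    plain = (byte*)XMALLOC(dataLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    cipher = (byte*)XMALLOC(dataLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    decrypted = (byte*)XMALLOC(dataLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    authTag = (byte*)XMALLOC(tagLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);

    if (aes == NULL || key == NULL || iv == NULL || plain == NULL ||
        cipher == NULL || decrypted == NULL || authTag == NULL) {
        ret = MEMORY_E;
        /* Record the failure before leaving; without an Expect check here
         * the allocation failure would not show up in the result. */
        ExpectIntEQ(ret, 0);
        goto out;
    }
#endif

    /* Initialize key, iv, plain arrays */
    {
        static const byte keyData[AES_128_KEY_SIZE] = {
            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
            0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
        };
        static const byte plainData[16] = {
            0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x2c, 0x20, 0x77,
            0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x21, 0x00
        };
        XMEMCPY(key, keyData, keyLen);
        XMEMSET(iv, 0, ivLen);
        XMEMCPY(plain, plainData, dataLen);
    }

    XMEMSET(aes, 0, sizeof(Aes));
    XMEMSET(&mockSeKey, 0, sizeof(mockSeKey));

    /* Reset test state */
    cryptoCbAesSetKeyCalled = 0;
    cryptoCbAesFreeCalled = 0;

    /* Register test callback */
    ret = wc_CryptoCb_RegisterDevice(TEST_CRYPTOCB_AES_DEVID,
                                     test_CryptoCb_Aes_Cb, NULL);
    ExpectIntEQ(ret, 0);

    /* Initialize Aes with device ID */
    ret = wc_AesInit(aes, NULL, TEST_CRYPTOCB_AES_DEVID);
    ExpectIntEQ(ret, 0);
    ExpectIntEQ(aes->devId, TEST_CRYPTOCB_AES_DEVID);

    /* Set key - should trigger CryptoCB and "import" to mock SE */
    ret = wc_AesGcmSetKey(aes, key, keyLen);
    ExpectIntEQ(ret, 0);

    /* Verify callback was invoked */
    ExpectIntEQ(cryptoCbAesSetKeyCalled, 1);

    /* Verify handle stored in devCtx */
    ExpectPtrEq(aes->devCtx, cryptoCbAesMockHandle);

    /* Verify key was "imported" to mock SE */
    ExpectIntEQ(mockSeKey.valid, 1);
    ExpectIntEQ(mockSeKey.keySz, (int)keyLen);

    /* Verify keylen metadata stored in Aes struct */
    ExpectIntEQ(aes->keylen, (int)keyLen);

    /* After SetKey succeeds via CryptoCB, verify key NOT in devKey */
    {
        byte zeroKey[AES_128_KEY_SIZE] = {0};
        /* Key should NOT be copied to devKey - SE owns it. aes was zeroed
         * above, so any non-zero byte here means the raw key was copied. */
        ExpectIntEQ(XMEMCMP(aes->devKey, zeroKey, keyLen), 0);
    }

    /* Test encrypt - callback performs crypto using stored key */
    ret = wc_AesGcmEncrypt(aes, cipher, plain, dataLen,
                           iv, ivLen, authTag, tagLen,
                           NULL, 0);
    ExpectIntEQ(ret, 0);

    /* Test decrypt - callback performs crypto using stored key */
    ret = wc_AesGcmDecrypt(aes, decrypted, cipher, dataLen,
                           iv, ivLen, authTag, tagLen,
                           NULL, 0);
    ExpectIntEQ(ret, 0);

    /* Verify round-trip */
    ExpectIntEQ(XMEMCMP(plain, decrypted, dataLen), 0);

#ifdef WOLF_CRYPTO_CB_FREE
    /* Free should trigger callback and "delete" key from mock SE */
    cryptoCbAesFreeCalled = 0;
    wc_AesFree(aes);

    /* Verify free callback invoked */
    ExpectIntEQ(cryptoCbAesFreeCalled, 1);

    /* Verify devCtx cleared */
    ExpectPtrEq(aes->devCtx, NULL);

    /* Verify key was "deleted" from mock SE */
    ExpectIntEQ(mockSeKey.valid, 0);
#else
    wc_AesFree(aes);
#endif

    /* Cleanup */
    wc_CryptoCb_UnRegisterDevice(TEST_CRYPTOCB_AES_DEVID);

    /* Test software path (no devId) still works */
    XMEMSET(aes, 0, sizeof(Aes));
    cryptoCbAesSetKeyCalled = 0;

    ret = wc_AesInit(aes, NULL, INVALID_DEVID);
    ExpectIntEQ(ret, 0);

    ret = wc_AesGcmSetKey(aes, key, keyLen);
    ExpectIntEQ(ret, 0);

    /* Callback should NOT have been invoked */
    ExpectIntEQ(cryptoCbAesSetKeyCalled, 0);

    /* devCtx should be NULL */
    ExpectPtrEq(aes->devCtx, NULL);

    wc_AesFree(aes);

#ifdef WOLFSSL_SMALL_STACK
out:
    XFREE(aes, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(iv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(cipher, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(decrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(authTag, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return EXPECT_RESULT();
}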
8284
8285#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_AES_SETKEY && !NO_AES && HAVE_AESGCM */
8286
8287/*----------------------------------------------------------------------------*
8288 | CryptoCB AES-GCM End-to-End Offload Test
8289 *----------------------------------------------------------------------------*/
8290
8291#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_AES_SETKEY) && \
8292    !defined(NO_AES) && defined(HAVE_AESGCM)
8293
/* Device ID for the end-to-end AES-GCM offload test */
#define TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID  8

/* Mock SE key slot for the offload test. The raw key is kept in ordinary
 * static memory here only because this is a test double. */
typedef struct {
    byte key[AES_256_KEY_SIZE];   /* imported key bytes */
    word32 keySz;                 /* number of valid bytes in key[] */
    int valid;                    /* non-zero once a key has been imported */
} MockSeKeySlotOffload;

/* The single offload slot; static storage, so it starts out zeroed */
static MockSeKeySlotOffload mockSeKeyOffload;

/* Opaque handle the callback stores in aes->devCtx; it is the slot address */
static void* cryptoCbAesGcmMockHandle = &mockSeKeyOffload;

/* Per-operation call counters for the end-to-end offload test */
static int cryptoCbAesGcmSetKeyCalled;
static int cryptoCbAesGcmEncryptCalled;
static int cryptoCbAesGcmDecryptCalled;
static int cryptoCbAesGcmFreeCalled;
8313
/* Shared front half of the mock's encrypt and decrypt paths.
 *
 * Checks that `aes` carries the mock handle and that the slot holds a key,
 * bumps the caller-supplied invocation counter, then prepares `tempAes` as a
 * software-only AES-GCM context keyed from the slot.
 *
 * Returns 0 with `tempAes` ready for use (the caller must wc_AesFree() it),
 * BAD_FUNC_ARG for a missing or foreign handle, BAD_STATE_E for an empty
 * slot, or the wc_AesInit()/wc_AesGcmSetKey() error.  When wc_AesGcmSetKey()
 * fails, `tempAes` has already been freed here. */
static int test_CryptoCb_AesGcm_Offload_Open(Aes* aes, int* calls, Aes* tempAes)
{
    MockSeKeySlotOffload* slot;
    int ret;

    /* Only accept the handle this mock handed out in the SetKey path */
    if (aes == NULL || aes->devCtx != cryptoCbAesGcmMockHandle)
        return BAD_FUNC_ARG;

    slot = (MockSeKeySlotOffload*)aes->devCtx;
    if (!slot->valid)
        return BAD_STATE_E;

    /* Counted once the request is known to target a loaded slot */
    (*calls)++;

    /* INVALID_DEVID keeps the internal operation off the CryptoCB path */
    XMEMSET(tempAes, 0, sizeof(*tempAes));
    ret = wc_AesInit(tempAes, NULL, INVALID_DEVID);
    if (ret != 0)
        return ret;

    ret = wc_AesGcmSetKey(tempAes, slot->key, slot->keySz);
    if (ret != 0)
        wc_AesFree(tempAes);

    return ret;
}

/* Mock CryptoCB callback for the end-to-end AES-GCM offload test.
 *
 * Emulates a Secure Element that:
 * - stores the key on SetKey (simulating SE key import)
 * - encrypts/decrypts with the stored key (simulating SE crypto), using
 *   software AES internally
 * - counts every callback path so the test can verify offload happened
 *
 * Returns CRYPTOCB_UNAVAILABLE for any other device ID or any request it
 * does not handle.
 */
static int test_CryptoCb_AesGcm_Offload_Cb(int devId, wc_CryptoInfo* info, void* ctx)
{
    Aes tempAes;
    int ret;

    (void)ctx;

    if (devId != TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID)
        return CRYPTOCB_UNAVAILABLE;

    if (info->algo_type == WC_ALGO_TYPE_CIPHER) {
        /* AES SetKey operation - simulate SE key import */
        if (info->cipher.type == WC_CIPHER_AES &&
            info->cipher.aessetkey.aes != NULL) {

            Aes* target = info->cipher.aessetkey.aes;
            const byte* keyBytes = info->cipher.aessetkey.key;
            word32 keyLen = info->cipher.aessetkey.keySz;

            /* Reject anything that would not fit the slot's key[] buffer */
            if (keyBytes == NULL || keyLen == 0 || keyLen > AES_256_KEY_SIZE)
                return BAD_FUNC_ARG;

            /* "Import" key to simulated SE storage */
            XMEMCPY(mockSeKeyOffload.key, keyBytes, keyLen);
            mockSeKeyOffload.keySz = keyLen;
            mockSeKeyOffload.valid = 1;

            /* Hand the handle back through devCtx - this is what wolfSSL
             * passes to the later encrypt/decrypt/free requests */
            target->devCtx = cryptoCbAesGcmMockHandle;

            cryptoCbAesGcmSetKeyCalled++;
            return 0;
        }

        if (info->cipher.type == WC_CIPHER_AES_GCM) {
            if (info->cipher.enc) {
                /* AES-GCM Encrypt - simulate SE encryption with stored key */
                ret = test_CryptoCb_AesGcm_Offload_Open(
                    info->cipher.aesgcm_enc.aes,
                    &cryptoCbAesGcmEncryptCalled, &tempAes);
                if (ret != 0)
                    return ret;

                ret = wc_AesGcmEncrypt(&tempAes,
                    info->cipher.aesgcm_enc.out,
                    info->cipher.aesgcm_enc.in,
                    info->cipher.aesgcm_enc.sz,
                    info->cipher.aesgcm_enc.iv,
                    info->cipher.aesgcm_enc.ivSz,
                    info->cipher.aesgcm_enc.authTag,
                    info->cipher.aesgcm_enc.authTagSz,
                    info->cipher.aesgcm_enc.authIn,
                    info->cipher.aesgcm_enc.authInSz);
            }
            else {
                /* AES-GCM Decrypt - simulate SE decryption with stored key */
                ret = test_CryptoCb_AesGcm_Offload_Open(
                    info->cipher.aesgcm_dec.aes,
                    &cryptoCbAesGcmDecryptCalled, &tempAes);
                if (ret != 0)
                    return ret;

                ret = wc_AesGcmDecrypt(&tempAes,
                    info->cipher.aesgcm_dec.out,
                    info->cipher.aesgcm_dec.in,
                    info->cipher.aesgcm_dec.sz,
                    info->cipher.aesgcm_dec.iv,
                    info->cipher.aesgcm_dec.ivSz,
                    info->cipher.aesgcm_dec.authTag,
                    info->cipher.aesgcm_dec.authTagSz,
                    info->cipher.aesgcm_dec.authIn,
                    info->cipher.aesgcm_dec.authInSz);
            }

            /* The temporary context held a copy of the key; release it on
             * success and failure alike */
            wc_AesFree(&tempAes);
            return ret;
        }
    }

#ifdef WOLF_CRYPTO_CB_FREE
    /* Free operation - simulate SE key deletion */
    if (info->algo_type == WC_ALGO_TYPE_FREE &&
        info->free.algo == WC_ALGO_TYPE_CIPHER &&
        info->free.type == WC_CIPHER_AES) {

        Aes* owner = (Aes*)info->free.obj;

        /* Only wipe the slot for an Aes that actually carries our handle.
         * NOTE(review): aes->devCtx is not cleared here, yet the test expects
         * it to be NULL after wc_AesFree(); presumably the library clears
         * it - confirm. */
        if (owner != NULL && owner->devCtx == cryptoCbAesGcmMockHandle) {
            /* "Delete" key from simulated SE */
            ForceZero(&mockSeKeyOffload, sizeof(mockSeKeyOffload));
            cryptoCbAesGcmFreeCalled++;
        }

        return 0;
    }
#endif

    return CRYPTOCB_UNAVAILABLE;
}
8478
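/*
 * Test: End-to-End AES-GCM Offload via CryptoCB
 * This test verifies that:
 * - AES-GCM encryption/decryption operations are routed through CryptoCb
 * - Software AES is bypassed when offload is enabled
 * - Encrypted output and auth tag are plausible (ciphertext differs from the
 *   plaintext, tag is not all zero; there is no known-answer comparison)
 * - Decryption via CryptoCb restores the original plaintext
 *
 * All lengths passed to wolfCrypt use the size constants rather than
 * sizeof() on the buffers: under WOLFSSL_SMALL_STACK the buffers are
 * pointers, so sizeof() would yield the pointer size instead of the key,
 * nonce or tag length.
 */
int test_wc_CryptoCb_AesGcm_EncryptDecrypt(void)
{
    EXPECT_DECLS;
#ifdef WOLFSSL_SMALL_STACK
    Aes* aes = NULL;
    byte* key = NULL;
    byte* iv = NULL;
    byte* aad = NULL;
    byte* plaintext = NULL;
    byte* ciphertext = NULL;
    byte* decrypted = NULL;
    byte* authTag = NULL;
#else
    Aes aes[1];
    byte key[AES_128_KEY_SIZE];
    byte iv[GCM_NONCE_MID_SZ];
    byte aad[16];
    byte plaintext[32];
    byte ciphertext[32];
    byte decrypted[32];
    byte authTag[AES_BLOCK_SIZE];
#endif
    int ret;
    int i;
    int hasNonZero = 0;

#ifdef WOLFSSL_SMALL_STACK
    aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_TMP_BUFFER);
    key = (byte*)XMALLOC(AES_128_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    iv = (byte*)XMALLOC(GCM_NONCE_MID_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    aad = (byte*)XMALLOC(16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    plaintext = (byte*)XMALLOC(32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    ciphertext = (byte*)XMALLOC(32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    decrypted = (byte*)XMALLOC(32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    authTag = (byte*)XMALLOC(AES_BLOCK_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);

    if (aes == NULL || key == NULL || iv == NULL || aad == NULL ||
        plaintext == NULL || ciphertext == NULL || decrypted == NULL ||
        authTag == NULL) {
        /* NOTE(review): no Expect* macro runs on this path, so how the run
         * is reported depends on what EXPECT_DECLS initialises - confirm. */
        ret = MEMORY_E;
        goto out;
    }
#endif

    /* Initialize key, iv, aad, plaintext arrays from fixed test vectors */
    {
        static const byte keyData[AES_128_KEY_SIZE] = {
            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
            0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
        };
        static const byte ivData[GCM_NONCE_MID_SZ] = {
            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
            0x08, 0x09, 0x0a, 0x0b
        };
        static const byte aadData[16] = {
            0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
            0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
        };
        static const byte plaintextData[32] = {
            0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x2c, 0x20, 0x77,
            0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x21, 0x00,
            0x54, 0x65, 0x73, 0x74, 0x20, 0x6d, 0x65, 0x73,
            0x73, 0x61, 0x67, 0x65, 0x20, 0x32, 0x21, 0x00
        };
        XMEMCPY(key, keyData, AES_128_KEY_SIZE);
        XMEMCPY(iv, ivData, GCM_NONCE_MID_SZ);
        XMEMCPY(aad, aadData, 16);
        XMEMCPY(plaintext, plaintextData, 32);
    }

    XMEMSET(aes, 0, sizeof(Aes));
    XMEMSET(&mockSeKeyOffload, 0, sizeof(mockSeKeyOffload));
    XMEMSET(ciphertext, 0, 32);
    XMEMSET(decrypted, 0, 32);
    XMEMSET(authTag, 0, AES_BLOCK_SIZE);

    /* Reset test state */
    cryptoCbAesGcmSetKeyCalled = 0;
    cryptoCbAesGcmEncryptCalled = 0;
    cryptoCbAesGcmDecryptCalled = 0;
    cryptoCbAesGcmFreeCalled = 0;

    /* Register test callback */
    ret = wc_CryptoCb_RegisterDevice(TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID,
                                     test_CryptoCb_AesGcm_Offload_Cb, NULL);
    ExpectIntEQ(ret, 0);

    /* Initialize Aes with device ID */
    ret = wc_AesInit(aes, NULL, TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID);
    ExpectIntEQ(ret, 0);
    ExpectIntEQ(aes->devId, TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID);

    /* Set key - should trigger CryptoCB and "import" to mock SE */
    ret = wc_AesGcmSetKey(aes, key, AES_128_KEY_SIZE);
    ExpectIntEQ(ret, 0);

    /* Verify SetKey callback was invoked */
    ExpectIntEQ(cryptoCbAesGcmSetKeyCalled, 1);

    /* Verify handle stored in devCtx */
    ExpectPtrEq(aes->devCtx, cryptoCbAesGcmMockHandle);

    /* Verify key was "imported" to mock SE */
    ExpectIntEQ(mockSeKeyOffload.valid, 1);
    ExpectIntEQ(mockSeKeyOffload.keySz, (int)AES_128_KEY_SIZE);

    /* Verify keylen metadata stored in Aes struct */
    ExpectIntEQ(aes->keylen, (int)AES_128_KEY_SIZE);

    /* Encrypt via wolfCrypt API - should route through CryptoCb */
    ret = wc_AesGcmEncrypt(aes, ciphertext, plaintext, 32,
                           iv, GCM_NONCE_MID_SZ, authTag, AES_BLOCK_SIZE,
                           aad, 16);
    ExpectIntEQ(ret, 0);

    /* Assert: Encrypt callback was invoked */
    ExpectIntEQ(cryptoCbAesGcmEncryptCalled, 1);

    /* Assert: Ciphertext is different from plaintext */
    ExpectIntNE(XMEMCMP(plaintext, ciphertext, 32), 0);

    /* Assert: Auth tag is non-zero (checked over the full tag length) */
    hasNonZero = 0;
    for (i = 0; i < (int)AES_BLOCK_SIZE; i++) {
        if (authTag[i] != 0) {
            hasNonZero = 1;
            break;
        }
    }
    ExpectIntEQ(hasNonZero, 1);

    /* Decrypt via wolfCrypt API - should route through CryptoCb */
    ret = wc_AesGcmDecrypt(aes, decrypted, ciphertext, 32,
                           iv, GCM_NONCE_MID_SZ, authTag, AES_BLOCK_SIZE,
                           aad, 16);
    ExpectIntEQ(ret, 0);

    /* Assert: Decrypt callback was invoked */
    ExpectIntEQ(cryptoCbAesGcmDecryptCalled, 1);

    /* Assert: Decrypted plaintext matches original */
    ExpectIntEQ(XMEMCMP(plaintext, decrypted, 32), 0);

#ifdef WOLF_CRYPTO_CB_FREE
    /* Free should trigger callback and "delete" key from mock SE */
    cryptoCbAesGcmFreeCalled = 0;
    wc_AesFree(aes);

    /* Verify free callback invoked */
    ExpectIntEQ(cryptoCbAesGcmFreeCalled, 1);

    /* Verify devCtx cleared */
    ExpectPtrEq(aes->devCtx, NULL);

    /* Verify key was "deleted" from mock SE */
    ExpectIntEQ(mockSeKeyOffload.valid, 0);
#else
    wc_AesFree(aes);
#endif

    /* Cleanup */
    wc_CryptoCb_UnRegisterDevice(TEST_CRYPTOCB_AESGCM_OFFLOAD_DEVID);

    /* Verify lifecycle: SetKey -> Encrypt -> Decrypt -> Free */
    ExpectIntEQ(cryptoCbAesGcmSetKeyCalled, 1);
    ExpectIntEQ(cryptoCbAesGcmEncryptCalled, 1);
    ExpectIntEQ(cryptoCbAesGcmDecryptCalled, 1);
#ifdef WOLF_CRYPTO_CB_FREE
    ExpectIntEQ(cryptoCbAesGcmFreeCalled, 1);
#endif

#ifdef WOLFSSL_SMALL_STACK
out:
    XFREE(aes, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(iv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(aad, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(plaintext, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(ciphertext, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(decrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(authTag, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return EXPECT_RESULT();
}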
8672
8673#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_AES_SETKEY && !NO_AES && HAVE_AESGCM */
8674
8675
8676/*----------------------------------------------------------------------------*
8677 | CryptoCB AES-GCM TLS 1.3 Key Zeroing Tests
8678 *----------------------------------------------------------------------------*/
8679
8680#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_AES_SETKEY) && \
8681    !defined(NO_AES) && defined(HAVE_AESGCM) && \
8682    defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
8683    !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
8684
/* Device ID the TLS 1.3 key-zeroing mock is registered under. */
#define TEST_TLS13_ZERO_DEVID  9
/* Capacity of the mock key-slot pool below. */
#define TEST_TLS13_ZERO_MAX_SLOTS  16

/* One imported AES key as held by the mock device. */
typedef struct {
    byte   key[AES_256_KEY_SIZE]; /* key bytes copied in by the SetKey path */
    word32 keySz;                 /* number of bytes of key[] in use */
    int    valid;                 /* 1 while the slot holds a key */
} Tls13ZeroKeySlot;

/* Slot pool plus the count of slots handed out so far; static storage is
 * zero-initialised and the offload test resets both before use. */
static Tls13ZeroKeySlot tls13ZeroSlots[TEST_TLS13_ZERO_MAX_SLOTS];
static word32 tls13ZeroSlotCount;
8696
/* Hand out a key slot for the SetKey path.
 *
 * Slots already handed out are scanned first so one whose `valid` flag is 0
 * (invalidated by the FREE path) is reused before the pool grows.  Without
 * that, a long-running handshake plus several KeyUpdate cycles can exhaust
 * TEST_TLS13_ZERO_MAX_SLOTS even though most slots have been freed.
 *
 * The returned slot is not marked in use here; the caller sets `valid`.
 * Returns NULL once every slot is in use and the pool is at capacity. */
static Tls13ZeroKeySlot* tls13Zero_AllocSlot(void)
{
    Tls13ZeroKeySlot* candidate = tls13ZeroSlots;
    Tls13ZeroKeySlot* const firstUnused = tls13ZeroSlots + tls13ZeroSlotCount;

    /* Pass 1: reuse a previously handed-out slot that is free again */
    for (; candidate != firstUnused; candidate++) {
        if (candidate->valid == 0)
            return candidate;
    }

    /* Pass 2: grow the pool by one slot if there is room left */
    if (tls13ZeroSlotCount < (word32)TEST_TLS13_ZERO_MAX_SLOTS) {
        tls13ZeroSlotCount++;
        return firstUnused;
    }

    return NULL;
}
8712
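/* Returns 1 when `handle` is the address of one of the entries of
 * tls13ZeroSlots, 0 otherwise (including NULL).  Equality against each entry
 * is used instead of a range comparison so unrelated pointers are never
 * compared relationally. */
static int tls13Zero_IsOwnSlot(const void* handle)
{
    word32 i;

    for (i = 0; i < (word32)TEST_TLS13_ZERO_MAX_SLOTS; i++) {
        if (handle == (const void*)&tls13ZeroSlots[i])
            return 1;
    }
    return 0;
}

/* Mock CryptoCB device used by the TLS 1.3 key-zeroing tests.
 *
 * - AES SetKey: copies the key into a slot from tls13Zero_AllocSlot() and
 *   stores the slot pointer in aes->devCtx (MEMORY_E when the pool is full).
 * - AES-GCM encrypt/decrypt: runs the operation in software with a temporary
 *   Aes keyed from the slot.
 * - FREE (WOLF_CRYPTO_CB_FREE only): wipes the slot and clears aes->devCtx.
 *
 * aes->devCtx is only dereferenced or wiped after it has been matched against
 * the slot pool, in line with the handle check the sibling offload mock
 * performs; a NULL or foreign devCtx yields BAD_FUNC_ARG on the cipher paths
 * and is left untouched on the FREE path.
 *
 * Returns CRYPTOCB_UNAVAILABLE for other device IDs and unhandled requests. */
static int test_Tls13Zero_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx)
{
    (void)ctx;

    if (devId != TEST_TLS13_ZERO_DEVID)
        return CRYPTOCB_UNAVAILABLE;

    /* AES SetKey - import the key into a mock slot */
    if (info->algo_type == WC_ALGO_TYPE_CIPHER &&
        info->cipher.type == WC_CIPHER_AES &&
        info->cipher.aessetkey.aes != NULL) {

        Aes* aes = info->cipher.aessetkey.aes;
        const byte* key = info->cipher.aessetkey.key;
        word32 keySz = info->cipher.aessetkey.keySz;
        Tls13ZeroKeySlot* slot;

        /* Reject anything that would not fit the slot's key[] buffer */
        if (key == NULL || keySz == 0 || keySz > AES_256_KEY_SIZE)
            return BAD_FUNC_ARG;

        slot = tls13Zero_AllocSlot();
        if (slot == NULL)
            return MEMORY_E;

        XMEMCPY(slot->key, key, keySz);
        slot->keySz = keySz;
        slot->valid = 1;
        aes->devCtx = slot;
        return 0;
    }

    /* AES-GCM encrypt with the key held in the slot */
    if (info->algo_type == WC_ALGO_TYPE_CIPHER &&
        info->cipher.type == WC_CIPHER_AES_GCM &&
        info->cipher.enc) {

        Aes* aes = info->cipher.aesgcm_enc.aes;
        Tls13ZeroKeySlot* slot;
        Aes tempAes;
        int ret;

        if (aes == NULL || !tls13Zero_IsOwnSlot(aes->devCtx))
            return BAD_FUNC_ARG;

        slot = (Tls13ZeroKeySlot*)aes->devCtx;
        if (!slot->valid)
            return BAD_STATE_E;

        /* INVALID_DEVID keeps the internal operation off the CryptoCB path */
        XMEMSET(&tempAes, 0, sizeof(tempAes));
        ret = wc_AesInit(&tempAes, NULL, INVALID_DEVID);
        if (ret != 0) return ret;
        ret = wc_AesGcmSetKey(&tempAes, slot->key, slot->keySz);
        if (ret != 0) { wc_AesFree(&tempAes); return ret; }
        ret = wc_AesGcmEncrypt(&tempAes,
            info->cipher.aesgcm_enc.out,
            info->cipher.aesgcm_enc.in,
            info->cipher.aesgcm_enc.sz,
            info->cipher.aesgcm_enc.iv,
            info->cipher.aesgcm_enc.ivSz,
            info->cipher.aesgcm_enc.authTag,
            info->cipher.aesgcm_enc.authTagSz,
            info->cipher.aesgcm_enc.authIn,
            info->cipher.aesgcm_enc.authInSz);
        /* The temporary context held a copy of the key; always release it */
        wc_AesFree(&tempAes);
        return ret;
    }

    /* AES-GCM decrypt with the key held in the slot */
    if (info->algo_type == WC_ALGO_TYPE_CIPHER &&
        info->cipher.type == WC_CIPHER_AES_GCM &&
        !info->cipher.enc) {

        Aes* aes = info->cipher.aesgcm_dec.aes;
        Tls13ZeroKeySlot* slot;
        Aes tempAes;
        int ret;

        if (aes == NULL || !tls13Zero_IsOwnSlot(aes->devCtx))
            return BAD_FUNC_ARG;

        slot = (Tls13ZeroKeySlot*)aes->devCtx;
        if (!slot->valid)
            return BAD_STATE_E;

        XMEMSET(&tempAes, 0, sizeof(tempAes));
        ret = wc_AesInit(&tempAes, NULL, INVALID_DEVID);
        if (ret != 0) return ret;
        ret = wc_AesGcmSetKey(&tempAes, slot->key, slot->keySz);
        if (ret != 0) { wc_AesFree(&tempAes); return ret; }
        ret = wc_AesGcmDecrypt(&tempAes,
            info->cipher.aesgcm_dec.out,
            info->cipher.aesgcm_dec.in,
            info->cipher.aesgcm_dec.sz,
            info->cipher.aesgcm_dec.iv,
            info->cipher.aesgcm_dec.ivSz,
            info->cipher.aesgcm_dec.authTag,
            info->cipher.aesgcm_dec.authTagSz,
            info->cipher.aesgcm_dec.authIn,
            info->cipher.aesgcm_dec.authInSz);
        wc_AesFree(&tempAes);
        return ret;
    }

#ifdef WOLF_CRYPTO_CB_FREE
    /* FREE - wipe the key and release the slot for reuse */
    if (info->algo_type == WC_ALGO_TYPE_FREE &&
        info->free.algo == WC_ALGO_TYPE_CIPHER &&
        info->free.type == WC_CIPHER_AES) {

        Aes* aes = (Aes*)info->free.obj;
        if (aes != NULL && tls13Zero_IsOwnSlot(aes->devCtx)) {
            Tls13ZeroKeySlot* slot = (Tls13ZeroKeySlot*)aes->devCtx;
            /* Zeroing the whole slot also resets `valid`, which is what
             * lets tls13Zero_AllocSlot() hand it out again */
            ForceZero(slot, sizeof(*slot));
            aes->devCtx = NULL;
        }
        return 0;
    }
#endif

    return CRYPTOCB_UNAVAILABLE;
}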
8828
/* Test helper: returns 1 when the first `sz` bytes of `buf` are all zero
 * (also for sz == 0), otherwise 0.
 *
 * Not constant-time: the scan stops at the first non-zero byte.  Fine for
 * zero-fill assertions in unit tests, NOT for comparing secrets. */
static int isBufferAllZero(const byte* buf, word32 sz)
{
    const byte* cursor = buf;
    word32 remaining = sz;

    while (remaining-- > 0) {
        if (*cursor++ != 0)
            return 0;
    }
    return 1;
}
8840
8841#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_AES_SETKEY && !NO_AES && HAVE_AESGCM
8842        * && WOLFSSL_TLS13 && HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES
8843        * && !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */
8844
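/* Test: after a TLS 1.3 handshake whose AES-GCM keys were offloaded through
 * the CryptoCB mock, the write-key staging buffers in ssl->keys must be all
 * zero on both peers, while the static IVs must stay populated.  The same
 * checks are repeated after a KeyUpdate.  Application data is echoed in both
 * directions to show the offloaded keys still work; `reply` is cleared before
 * every read so a comparison can never pass on bytes left over from an
 * earlier round trip.
 *
 * Compiles to an empty test when the gating features are not all enabled. */
int test_wc_CryptoCb_Tls13_Key_Zero_After_Offload(void)
{
    EXPECT_DECLS;
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_AES_SETKEY) && \
    !defined(NO_AES) && defined(HAVE_AESGCM) && \
    defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
    !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
    WOLFSSL_CTX* ctx_c = NULL;
    WOLFSSL_CTX* ctx_s = NULL;
    WOLFSSL* ssl_c = NULL;
    WOLFSSL* ssl_s = NULL;
    struct test_memio_ctx test_ctx;
    byte msg[] = "hello";
    byte reply[sizeof(msg)];
    word32 keySz;
    word32 ivSz;

    /* Start from an empty slot pool so earlier tests cannot leak state in */
    XMEMSET(&test_ctx, 0, sizeof(test_ctx));
    XMEMSET(tls13ZeroSlots, 0, sizeof(tls13ZeroSlots));
    tls13ZeroSlotCount = 0;

    ExpectIntEQ(wc_CryptoCb_RegisterDevice(TEST_TLS13_ZERO_DEVID,
                test_Tls13Zero_CryptoCb, NULL), 0);

    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
                wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);

    /* Route both contexts and both sessions to the mock device */
    ExpectIntEQ(wolfSSL_CTX_SetDevId(ctx_c, TEST_TLS13_ZERO_DEVID),
                WOLFSSL_SUCCESS);
    ExpectIntEQ(wolfSSL_CTX_SetDevId(ctx_s, TEST_TLS13_ZERO_DEVID),
                WOLFSSL_SUCCESS);
    ExpectIntEQ(wolfSSL_SetDevId(ssl_c, TEST_TLS13_ZERO_DEVID),
                WOLFSSL_SUCCESS);
    ExpectIntEQ(wolfSSL_SetDevId(ssl_s, TEST_TLS13_ZERO_DEVID),
                WOLFSSL_SUCCESS);

    /* Pin the ciphersuite to AES-GCM.  The zeroing under test is gated on
     * AES offload (devCtx set by our CryptoCB); negotiating ChaCha20 or
     * any non-AES suite leaves encrypt.aes / decrypt.aes unset and turns
     * the test into either a no-op (offload never runs) or a crash when
     * we later dereference ssl_c->encrypt.aes.  Offer both AES-GCM sizes
     * so the pin succeeds regardless of WOLFSSL_AES_128 / WOLFSSL_AES_256
     * build configuration. */
    ExpectIntEQ(wolfSSL_set_cipher_list(ssl_c,
        "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384"), WOLFSSL_SUCCESS);
    ExpectIntEQ(wolfSSL_set_cipher_list(ssl_s,
        "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384"), WOLFSSL_SUCCESS);

    ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);

    if (ssl_c != NULL && ssl_s != NULL) {
        keySz = ssl_c->specs.key_size;
        ivSz  = ssl_c->specs.iv_size;
        /* A zero length would make every buffer check below vacuous */
        ExpectTrue(keySz > 0);
        ExpectTrue(ivSz  > 0);

        /* Key staging buffers must have been wiped on both peers */
        ExpectTrue(isBufferAllZero(ssl_c->keys.client_write_key, keySz));
        ExpectTrue(isBufferAllZero(ssl_c->keys.server_write_key, keySz));
        ExpectTrue(isBufferAllZero(ssl_s->keys.client_write_key, keySz));
        ExpectTrue(isBufferAllZero(ssl_s->keys.server_write_key, keySz));

        /* The static IVs must be preserved: BuildTls13Nonce() reads
         * keys->aead_{enc,dec}_imp_IV on every AEAD record to build the
         * per-record nonce (RFC 8446 Section 5.3).  If a future change
         * starts zeroing these, both peers in this memio test would
         * silently agree on a degenerate all-zero IV and the handshake
         * would still pass, but the resulting wire format is
         * non-interoperable with any unpatched TLS 1.3 peer.  Assert
         * both the source buffers (client/server_write_IV) and the
         * AEAD copies BuildTls13Nonce() actually reads stay populated,
         * so a regression that zeroes either one is caught here. */
        ExpectTrue(!isBufferAllZero(ssl_c->keys.client_write_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_c->keys.server_write_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.client_write_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.server_write_IV, ivSz));

        ExpectTrue(!isBufferAllZero(ssl_c->keys.aead_enc_imp_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_c->keys.aead_dec_imp_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.aead_enc_imp_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.aead_dec_imp_IV, ivSz));

        /* Guard the Aes pointer dereferences: even though the Expect*
         * macros short-circuit after a prior failure via EXPECT_SUCCESS(),
         * a handshake that succeeded but negotiated a non-AES suite
         * would leave these NULL while _ret is still TEST_SUCCESS. */
        ExpectNotNull(ssl_c->encrypt.aes);
        ExpectNotNull(ssl_c->decrypt.aes);
        ExpectNotNull(ssl_s->encrypt.aes);
        ExpectNotNull(ssl_s->decrypt.aes);
        if (ssl_c->encrypt.aes && ssl_c->decrypt.aes &&
            ssl_s->encrypt.aes && ssl_s->decrypt.aes) {
            /* A non-NULL devCtx shows the mock's SetKey path ran */
            ExpectPtrNE(ssl_c->encrypt.aes->devCtx, NULL);
            ExpectPtrNE(ssl_c->decrypt.aes->devCtx, NULL);
            ExpectPtrNE(ssl_s->encrypt.aes->devCtx, NULL);
            ExpectPtrNE(ssl_s->decrypt.aes->devCtx, NULL);
        }

        /* Client -> server */
        XMEMSET(reply, 0, sizeof(reply));
        ExpectIntEQ(wolfSSL_write(ssl_c, msg, sizeof(msg)),
                    (int)sizeof(msg));
        ExpectIntEQ(wolfSSL_read(ssl_s, reply, sizeof(reply)),
                    (int)sizeof(msg));
        ExpectIntEQ(XMEMCMP(msg, reply, sizeof(msg)), 0);

        /* Server -> client */
        XMEMSET(reply, 0, sizeof(reply));
        ExpectIntEQ(wolfSSL_write(ssl_s, msg, sizeof(msg)),
                    (int)sizeof(msg));
        ExpectIntEQ(wolfSSL_read(ssl_c, reply, sizeof(reply)),
                    (int)sizeof(msg));
        ExpectIntEQ(XMEMCMP(msg, reply, sizeof(msg)), 0);

        /* Force a KeyUpdate so SetKeysSide runs again with a fresh
         * offload and we can re-check that the staging buffers remain
         * zeroed.  wolfSSL_update_keys is always available when
         * WOLFSSL_TLS13 is defined, which is part of the test gate. */
        ExpectIntEQ(wolfSSL_update_keys(ssl_c), WOLFSSL_SUCCESS);

        /* Client -> server after the KeyUpdate */
        XMEMSET(reply, 0, sizeof(reply));
        ExpectIntEQ(wolfSSL_write(ssl_c, msg, sizeof(msg)),
                    (int)sizeof(msg));
        ExpectIntEQ(wolfSSL_read(ssl_s, reply, sizeof(reply)),
                    (int)sizeof(msg));
        ExpectIntEQ(XMEMCMP(msg, reply, sizeof(msg)), 0);

        /* Server -> client after the KeyUpdate */
        XMEMSET(reply, 0, sizeof(reply));
        ExpectIntEQ(wolfSSL_write(ssl_s, msg, sizeof(msg)),
                    (int)sizeof(msg));
        ExpectIntEQ(wolfSSL_read(ssl_c, reply, sizeof(reply)),
                    (int)sizeof(msg));
        ExpectIntEQ(XMEMCMP(msg, reply, sizeof(msg)), 0);

        keySz = ssl_c->specs.key_size;
        ivSz  = ssl_c->specs.iv_size;
        ExpectTrue(isBufferAllZero(ssl_c->keys.client_write_key, keySz));
        ExpectTrue(isBufferAllZero(ssl_c->keys.server_write_key, keySz));
        ExpectTrue(isBufferAllZero(ssl_s->keys.client_write_key, keySz));
        ExpectTrue(isBufferAllZero(ssl_s->keys.server_write_key, keySz));

        /* Same invariant as the post-handshake block above: the static
         * IVs (both the source *_write_IV buffers and the AEAD copies
         * BuildTls13Nonce() actually reads) are required on every
         * record and must survive SetKeysSide after KeyUpdate. */
        ExpectTrue(!isBufferAllZero(ssl_c->keys.client_write_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_c->keys.server_write_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.client_write_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.server_write_IV, ivSz));

        ExpectTrue(!isBufferAllZero(ssl_c->keys.aead_enc_imp_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_c->keys.aead_dec_imp_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.aead_enc_imp_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.aead_dec_imp_IV, ivSz));
    }

    wolfSSL_free(ssl_c);
    wolfSSL_free(ssl_s);
    wolfSSL_CTX_free(ctx_c);
    wolfSSL_CTX_free(ctx_s);
    wc_CryptoCb_UnRegisterDevice(TEST_TLS13_ZERO_DEVID);
#endif
    return EXPECT_RESULT();
}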
9002
/* Regression companion to the offload test: with no device ID set on the
 * contexts or sessions, a TLS 1.3 AES-GCM handshake must leave the write
 * keys and write IVs in ssl->keys populated on both peers.
 *
 * Compiles to an empty test when the gating features are not all enabled. */
int test_wc_CryptoCb_Tls13_Key_No_Zero_Without_Offload(void)
{
    EXPECT_DECLS;
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_AES_SETKEY) && \
    !defined(NO_AES) && defined(HAVE_AESGCM) && \
    defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
    !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
    /* Same AES-GCM pin as test_wc_CryptoCb_Tls13_Key_Zero_After_Offload, so
     * the assertions below look at the same buffers that test expects to
     * find zeroed (here: not zeroed). */
    static const char aesGcmSuites[] =
        "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384";
    struct test_memio_ctx test_ctx;
    WOLFSSL_CTX* ctx_c = NULL;
    WOLFSSL_CTX* ctx_s = NULL;
    WOLFSSL* ssl_c = NULL;
    WOLFSSL* ssl_s = NULL;

    XMEMSET(&test_ctx, 0, sizeof(test_ctx));

    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
                wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);

    ExpectIntEQ(wolfSSL_set_cipher_list(ssl_c, aesGcmSuites), WOLFSSL_SUCCESS);
    ExpectIntEQ(wolfSSL_set_cipher_list(ssl_s, aesGcmSuites), WOLFSSL_SUCCESS);

    ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);

    if (ssl_c && ssl_s) {
        const word32 keySz = ssl_c->specs.key_size;
        const word32 ivSz  = ssl_c->specs.iv_size;

        /* A zero length would make every buffer check below vacuous */
        ExpectTrue(keySz > 0);
        ExpectTrue(ivSz > 0);

        /* One assertion per buffer.  AND-combining these would mask the
         * case where a single buffer was never populated and produce a
         * confusing "regression, keys were zeroed" failure when the real
         * issue is upstream. */
        ExpectTrue(!isBufferAllZero(ssl_c->keys.client_write_key, keySz));
        ExpectTrue(!isBufferAllZero(ssl_c->keys.server_write_key, keySz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.client_write_key, keySz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.server_write_key, keySz));

        ExpectTrue(!isBufferAllZero(ssl_c->keys.client_write_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_c->keys.server_write_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.client_write_IV, ivSz));
        ExpectTrue(!isBufferAllZero(ssl_s->keys.server_write_IV, ivSz));
    }

    wolfSSL_free(ssl_c);
    wolfSSL_free(ssl_s);
    wolfSSL_CTX_free(ctx_c);
    wolfSSL_CTX_free(ctx_s);
#endif
    return EXPECT_RESULT();
}
9062
9063
9064/*******************************************************************************
9065 * Monte Carlo tests for AES modes
9066 ******************************************************************************/
9067
/* Iterations per Monte Carlo test; each one draws a fresh key, IV and
 * plaintext from the RNG. */
#define MC_CIPHER_TEST_COUNT 100
/* Size in bytes of the plaintext, ciphertext and decrypted buffers, and the
 * upper bound on the randomly chosen data length. */
#define MC_AES_MAX_DATA_SZ   1024
9070
9071/* Monte Carlo test for AES-CBC: random key, IV, and plaintext each iteration */
9072int test_wc_AesCbc_MonteCarlo(void)
9073{
9074    EXPECT_DECLS;
9075#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(HAVE_AES_DECRYPT)
9076    static const word32 keySizes[] = {
9077#ifdef WOLFSSL_AES_128
9078        16,
9079#endif
9080#ifdef WOLFSSL_AES_192
9081        24,
9082#endif
9083#ifdef WOLFSSL_AES_256
9084        32,
9085#endif
9086    };
9087    int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
9088    Aes enc, dec;
9089    WC_RNG rng;
9090    byte key[AES_256_KEY_SIZE];
9091    byte iv[WC_AES_BLOCK_SIZE];
9092    word32 plainLen = 0, keyLen;
9093    int i;
9094    WC_DECLARE_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9095    WC_DECLARE_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9096    WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9097
9098    WC_ALLOC_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9099    WC_ALLOC_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9100    WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9101#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
9102    ExpectNotNull(plain);
9103    ExpectNotNull(cipher);
9104    ExpectNotNull(decrypted);
9105#endif
9106
9107    XMEMSET(&enc, 0, sizeof(enc));
9108    XMEMSET(&dec, 0, sizeof(dec));
9109    XMEMSET(&rng, 0, sizeof(rng));
9110
9111    ExpectIntEQ(wc_AesInit(&enc, NULL, INVALID_DEVID), 0);
9112    ExpectIntEQ(wc_AesInit(&dec, NULL, INVALID_DEVID), 0);
9113    ExpectIntEQ(wc_InitRng(&rng), 0);
9114
9115    for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
9116        keyLen = keySizes[i % numKeySizes];
9117        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
9118        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, iv, sizeof(iv)), 0);
9119        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
9120            sizeof(plainLen)), 0);
9121        /* Length 1..1024, rounded up to AES block size */
9122        plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
9123        plainLen = (plainLen + WC_AES_BLOCK_SIZE - 1) &
9124                   ~((word32)WC_AES_BLOCK_SIZE - 1);
9125        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
9126
9127        ExpectIntEQ(wc_AesSetKey(&enc, key, keyLen, iv, AES_ENCRYPTION), 0);
9128        ExpectIntEQ(wc_AesCbcEncrypt(&enc, cipher, plain, plainLen), 0);
9129        ExpectIntEQ(wc_AesSetKey(&dec, key, keyLen, iv, AES_DECRYPTION), 0);
9130        ExpectIntEQ(wc_AesCbcDecrypt(&dec, decrypted, cipher, plainLen), 0);
9131        ExpectBufEQ(decrypted, plain, plainLen);
9132    }
9133
9134    wc_AesFree(&enc);
9135    wc_AesFree(&dec);
9136    wc_FreeRng(&rng);
9137    WC_FREE_VAR(plain,     NULL);
9138    WC_FREE_VAR(cipher,    NULL);
9139    WC_FREE_VAR(decrypted, NULL);
9140#endif
9141    return EXPECT_RESULT();
9142}
9143
9144/* Monte Carlo test for AES-CTR: random key, IV, and plaintext each iteration */
9145int test_wc_AesCtr_MonteCarlo(void)
9146{
9147    EXPECT_DECLS;
9148#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER)
9149    static const word32 keySizes[] = {
9150#ifdef WOLFSSL_AES_128
9151        16,
9152#endif
9153#ifdef WOLFSSL_AES_192
9154        24,
9155#endif
9156#ifdef WOLFSSL_AES_256
9157        32,
9158#endif
9159    };
9160    int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
9161    Aes enc, dec;
9162    WC_RNG rng;
9163    byte key[AES_256_KEY_SIZE];
9164    byte iv[WC_AES_BLOCK_SIZE];
9165    word32 plainLen = 0, keyLen;
9166    int i;
9167    WC_DECLARE_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9168    WC_DECLARE_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9169    WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9170
9171    WC_ALLOC_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9172    WC_ALLOC_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9173    WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9174#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
9175    ExpectNotNull(plain);
9176    ExpectNotNull(cipher);
9177    ExpectNotNull(decrypted);
9178#endif
9179
9180    XMEMSET(&enc, 0, sizeof(enc));
9181    XMEMSET(&dec, 0, sizeof(dec));
9182    XMEMSET(&rng, 0, sizeof(rng));
9183
9184    ExpectIntEQ(wc_AesInit(&enc, NULL, INVALID_DEVID), 0);
9185    ExpectIntEQ(wc_AesInit(&dec, NULL, INVALID_DEVID), 0);
9186    ExpectIntEQ(wc_InitRng(&rng), 0);
9187
9188    for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
9189        keyLen = keySizes[i % numKeySizes];
9190        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
9191        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, iv, sizeof(iv)), 0);
9192        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
9193            sizeof(plainLen)), 0);
9194        plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
9195        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
9196
9197        /* CTR mode: decrypt is the same operation as encrypt */
9198        ExpectIntEQ(wc_AesSetKey(&enc, key, keyLen, iv, AES_ENCRYPTION), 0);
9199        ExpectIntEQ(wc_AesCtrEncrypt(&enc, cipher, plain, plainLen), 0);
9200        ExpectIntEQ(wc_AesSetKey(&dec, key, keyLen, iv, AES_ENCRYPTION), 0);
9201        ExpectIntEQ(wc_AesCtrEncrypt(&dec, decrypted, cipher, plainLen), 0);
9202        ExpectBufEQ(decrypted, plain, plainLen);
9203    }
9204
9205    wc_AesFree(&enc);
9206    wc_AesFree(&dec);
9207    wc_FreeRng(&rng);
9208    WC_FREE_VAR(plain,     NULL);
9209    WC_FREE_VAR(cipher,    NULL);
9210    WC_FREE_VAR(decrypted, NULL);
9211#endif
9212    return EXPECT_RESULT();
9213}
9214
9215/* Monte Carlo test for AES-GCM: random key, nonce, and plaintext each
9216 * iteration */
9217int test_wc_AesGcm_MonteCarlo(void)
9218{
9219    EXPECT_DECLS;
9220#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(HAVE_AES_DECRYPT) && \
9221    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_DEVCRYPTO)
9222    static const word32 keySizes[] = {
9223#ifdef WOLFSSL_AES_128
9224        16,
9225#endif
9226#ifdef WOLFSSL_AES_192
9227        24,
9228#endif
9229#ifdef WOLFSSL_AES_256
9230        32,
9231#endif
9232    };
9233    int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
9234    Aes aes;
9235    WC_RNG rng;
9236    byte key[AES_256_KEY_SIZE];
9237    byte nonce[GCM_NONCE_MID_SZ];
9238    byte tag[WC_AES_BLOCK_SIZE];
9239    word32 plainLen = 0, keyLen;
9240    int i;
9241    WC_DECLARE_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9242    WC_DECLARE_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9243    WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9244
9245    WC_ALLOC_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9246    WC_ALLOC_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9247    WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9248#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
9249    ExpectNotNull(plain);
9250    ExpectNotNull(cipher);
9251    ExpectNotNull(decrypted);
9252#endif
9253
9254    XMEMSET(&aes, 0, sizeof(aes));
9255    XMEMSET(&rng, 0, sizeof(rng));
9256
9257    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
9258    ExpectIntEQ(wc_InitRng(&rng), 0);
9259
9260    for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
9261        keyLen = keySizes[i % numKeySizes];
9262        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
9263        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, nonce, sizeof(nonce)), 0);
9264        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
9265            sizeof(plainLen)), 0);
9266        plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
9267        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
9268
9269        ExpectIntEQ(wc_AesGcmSetKey(&aes, key, keyLen), 0);
9270        ExpectIntEQ(wc_AesGcmEncrypt(&aes, cipher, plain, plainLen,
9271            nonce, sizeof(nonce), tag, sizeof(tag), NULL, 0), 0);
9272        ExpectIntEQ(wc_AesGcmDecrypt(&aes, decrypted, cipher, plainLen,
9273            nonce, sizeof(nonce), tag, sizeof(tag), NULL, 0), 0);
9274        ExpectBufEQ(decrypted, plain, plainLen);
9275    }
9276
9277    wc_AesFree(&aes);
9278    wc_FreeRng(&rng);
9279    WC_FREE_VAR(plain,     NULL);
9280    WC_FREE_VAR(cipher,    NULL);
9281    WC_FREE_VAR(decrypted, NULL);
9282#endif /* !NO_AES && HAVE_AESGCM && HAVE_AES_DECRYPT && !WOLFSSL_AFALG && */
9283       /* !WOLFSSL_DEVCRYPTO                                              */
9284
9285    return EXPECT_RESULT();
9286}
9287
9288/* Monte Carlo test for AES-CCM: random key, nonce, and plaintext each
9289 * iteration */
9290int test_wc_AesCcm_MonteCarlo(void)
9291{
9292    EXPECT_DECLS;
9293#if !defined(NO_AES) && defined(HAVE_AESCCM) && defined(HAVE_AES_DECRYPT)
9294    static const word32 keySizes[] = {
9295#ifdef WOLFSSL_AES_128
9296        16,
9297#endif
9298#ifdef WOLFSSL_AES_192
9299        24,
9300#endif
9301#ifdef WOLFSSL_AES_256
9302        32,
9303#endif
9304    };
9305    int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
9306    Aes aes;
9307    WC_RNG rng;
9308    byte key[AES_256_KEY_SIZE];
9309    byte nonce[CCM_NONCE_MAX_SZ];
9310    byte tag[WC_AES_BLOCK_SIZE];
9311    word32 plainLen = 0, keyLen;
9312    int i;
9313    WC_DECLARE_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9314    WC_DECLARE_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9315    WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9316
9317    WC_ALLOC_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9318    WC_ALLOC_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9319    WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9320#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
9321    ExpectNotNull(plain);
9322    ExpectNotNull(cipher);
9323    ExpectNotNull(decrypted);
9324#endif
9325
9326    XMEMSET(&aes, 0, sizeof(aes));
9327    XMEMSET(&rng, 0, sizeof(rng));
9328
9329    ExpectIntEQ(wc_AesInit(&aes, NULL, INVALID_DEVID), 0);
9330    ExpectIntEQ(wc_InitRng(&rng), 0);
9331
9332    for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
9333        keyLen = keySizes[i % numKeySizes];
9334        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
9335        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, nonce, sizeof(nonce)), 0);
9336        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
9337            sizeof(plainLen)), 0);
9338        plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
9339        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
9340
9341        ExpectIntEQ(wc_AesCcmSetKey(&aes, key, keyLen), 0);
9342        ExpectIntEQ(wc_AesCcmEncrypt(&aes, cipher, plain, plainLen,
9343            nonce, sizeof(nonce), tag, sizeof(tag), NULL, 0), 0);
9344        ExpectIntEQ(wc_AesCcmDecrypt(&aes, decrypted, cipher, plainLen,
9345            nonce, sizeof(nonce), tag, sizeof(tag), NULL, 0), 0);
9346        ExpectBufEQ(decrypted, plain, plainLen);
9347    }
9348
9349    wc_AesFree(&aes);
9350    wc_FreeRng(&rng);
9351    WC_FREE_VAR(plain,     NULL);
9352    WC_FREE_VAR(cipher,    NULL);
9353    WC_FREE_VAR(decrypted, NULL);
9354#endif
9355    return EXPECT_RESULT();
9356}
9357
9358/* Monte Carlo test for AES-CFB: random key, IV, and plaintext each
9359 * iteration */
9360int test_wc_AesCfb_MonteCarlo(void)
9361{
9362    EXPECT_DECLS;
9363#if !defined(NO_AES) && defined(WOLFSSL_AES_CFB) && defined(HAVE_AES_DECRYPT)
9364    static const word32 keySizes[] = {
9365#ifdef WOLFSSL_AES_128
9366        16,
9367#endif
9368#ifdef WOLFSSL_AES_192
9369        24,
9370#endif
9371#ifdef WOLFSSL_AES_256
9372        32,
9373#endif
9374    };
9375    int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
9376    Aes enc, dec;
9377    WC_RNG rng;
9378    byte key[AES_256_KEY_SIZE];
9379    byte iv[WC_AES_BLOCK_SIZE];
9380    word32 plainLen = 0, keyLen;
9381    int i;
9382    WC_DECLARE_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9383    WC_DECLARE_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9384    WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9385
9386    WC_ALLOC_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9387    WC_ALLOC_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9388    WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9389#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
9390    ExpectNotNull(plain);
9391    ExpectNotNull(cipher);
9392    ExpectNotNull(decrypted);
9393#endif
9394
9395    XMEMSET(&enc, 0, sizeof(enc));
9396    XMEMSET(&dec, 0, sizeof(dec));
9397    XMEMSET(&rng, 0, sizeof(rng));
9398
9399    ExpectIntEQ(wc_AesInit(&enc, NULL, INVALID_DEVID), 0);
9400    ExpectIntEQ(wc_AesInit(&dec, NULL, INVALID_DEVID), 0);
9401    ExpectIntEQ(wc_InitRng(&rng), 0);
9402
9403    for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
9404        keyLen = keySizes[i % numKeySizes];
9405        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
9406        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, iv, sizeof(iv)), 0);
9407        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
9408            sizeof(plainLen)), 0);
9409        plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
9410        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
9411
9412        ExpectIntEQ(wc_AesSetKey(&enc, key, keyLen, NULL, AES_ENCRYPTION), 0);
9413        ExpectIntEQ(wc_AesSetIV(&enc, iv), 0);
9414        ExpectIntEQ(wc_AesCfbEncrypt(&enc, cipher, plain, plainLen), 0);
9415        ExpectIntEQ(wc_AesSetKey(&dec, key, keyLen, NULL, AES_ENCRYPTION), 0);
9416        ExpectIntEQ(wc_AesSetIV(&dec, iv), 0);
9417        ExpectIntEQ(wc_AesCfbDecrypt(&dec, decrypted, cipher, plainLen), 0);
9418        if (XMEMCMP(decrypted, plain, plainLen) != 0) {
9419            PRINT_DATA("Key", key, keyLen);
9420            PRINT_DATA("IV", iv, sizeof(iv));
9421            PRINT_DATA("Plain", plain, plainLen);
9422            PRINT_DATA("Decrypted", decrypted, plainLen);
9423        }
9424        ExpectBufEQ(decrypted, plain, plainLen);
9425    }
9426
9427    wc_AesFree(&enc);
9428    wc_AesFree(&dec);
9429    wc_FreeRng(&rng);
9430    WC_FREE_VAR(plain,     NULL);
9431    WC_FREE_VAR(cipher,    NULL);
9432    WC_FREE_VAR(decrypted, NULL);
9433#endif
9434    return EXPECT_RESULT();
9435}
9436
9437/* Monte Carlo test for AES-OFB: random key, IV, and plaintext each
9438 * iteration */
9439int test_wc_AesOfb_MonteCarlo(void)
9440{
9441    EXPECT_DECLS;
9442#if !defined(NO_AES) && defined(WOLFSSL_AES_OFB) && defined(HAVE_AES_DECRYPT)
9443    static const word32 keySizes[] = {
9444#ifdef WOLFSSL_AES_128
9445        16,
9446#endif
9447#ifdef WOLFSSL_AES_192
9448        24,
9449#endif
9450#ifdef WOLFSSL_AES_256
9451        32,
9452#endif
9453    };
9454    int numKeySizes = (int)(sizeof(keySizes) / sizeof(keySizes[0]));
9455    Aes enc, dec;
9456    WC_RNG rng;
9457    byte key[AES_256_KEY_SIZE];
9458    byte iv[WC_AES_BLOCK_SIZE];
9459    word32 plainLen = 0, keyLen;
9460    int i;
9461    WC_DECLARE_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9462    WC_DECLARE_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9463    WC_DECLARE_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9464
9465    WC_ALLOC_VAR(plain,     byte, MC_AES_MAX_DATA_SZ, NULL);
9466    WC_ALLOC_VAR(cipher,    byte, MC_AES_MAX_DATA_SZ, NULL);
9467    WC_ALLOC_VAR(decrypted, byte, MC_AES_MAX_DATA_SZ, NULL);
9468#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
9469    ExpectNotNull(plain);
9470    ExpectNotNull(cipher);
9471    ExpectNotNull(decrypted);
9472#endif
9473
9474    XMEMSET(&enc, 0, sizeof(enc));
9475    XMEMSET(&dec, 0, sizeof(dec));
9476    XMEMSET(&rng, 0, sizeof(rng));
9477
9478    ExpectIntEQ(wc_AesInit(&enc, NULL, INVALID_DEVID), 0);
9479    ExpectIntEQ(wc_AesInit(&dec, NULL, INVALID_DEVID), 0);
9480    ExpectIntEQ(wc_InitRng(&rng), 0);
9481
9482    for (i = 0; i < MC_CIPHER_TEST_COUNT && EXPECT_SUCCESS(); i++) {
9483        keyLen = keySizes[i % numKeySizes];
9484        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, key, keyLen), 0);
9485        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, iv, sizeof(iv)), 0);
9486        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, (byte*)&plainLen,
9487            sizeof(plainLen)), 0);
9488        plainLen = (plainLen % MC_AES_MAX_DATA_SZ) + 1;
9489        ExpectIntEQ(wc_RNG_GenerateBlock(&rng, plain, plainLen), 0);
9490
9491        ExpectIntEQ(wc_AesSetKey(&enc, key, keyLen, NULL, AES_ENCRYPTION), 0);
9492        ExpectIntEQ(wc_AesSetIV(&enc, iv), 0);
9493        ExpectIntEQ(wc_AesOfbEncrypt(&enc, cipher, plain, plainLen), 0);
9494        ExpectIntEQ(wc_AesSetKey(&dec, key, keyLen, NULL, AES_ENCRYPTION), 0);
9495        ExpectIntEQ(wc_AesSetIV(&dec, iv), 0);
9496        ExpectIntEQ(wc_AesOfbDecrypt(&dec, decrypted, cipher, plainLen), 0);
9497        if (XMEMCMP(decrypted, plain, plainLen) != 0) {
9498            PRINT_DATA("Key", key, keyLen);
9499            PRINT_DATA("IV", iv, sizeof(iv));
9500            PRINT_DATA("Plain", plain, plainLen);
9501            PRINT_DATA("Decrypted", decrypted, plainLen);
9502        }
9503        ExpectBufEQ(decrypted, plain, plainLen);
9504    }
9505
9506    wc_AesFree(&enc);
9507    wc_AesFree(&dec);
9508    wc_FreeRng(&rng);
9509    WC_FREE_VAR(plain,     NULL);
9510    WC_FREE_VAR(cipher,    NULL);
9511    WC_FREE_VAR(decrypted, NULL);
9512#endif
9513    return EXPECT_RESULT();
9514}