default: return EncryptionError::OTHER;
}
}
+
+int CipherApi::crypt(ckmc_cipher_ctx_h ctx,
+ unsigned char *ptr,
+ size_t left,
+ CKM::RawBuffer& output)
+{
+ const size_t CHUNK_SIZE = 80;
+ ckmc_raw_buffer_s* out = nullptr;
+ ckmc_raw_buffer_s* in = nullptr;
+ size_t size = CHUNK_SIZE;
+ int ret = CKMC_ERROR_NONE;
+
+ while (left > 0) {
+ if (left < CHUNK_SIZE)
+ size = left;
+
+ ret = ckmc_buffer_new(ptr, size, &in);
+ if (ret != CKMC_ERROR_NONE)
+ goto crypt_fail;
+
+ ret = ckmc_cipher_update(ctx, *in, &out);
+ if (ret != CKMC_ERROR_NONE)
+ goto crypt_fail;
+
+ ckmc_buffer_free(in);
+ in = nullptr;
+ if (out != nullptr)
+ std::copy(out->data, out->data + out->size, std::back_inserter(output));
+
+ ckmc_buffer_free(out);
+ out = nullptr;
+
+ left -= size;
+ ptr += size;
+ }
+
+crypt_fail:
+ ckmc_buffer_free(out);
+ ckmc_buffer_free(in);
+ return ret;
+}
+
+EncryptionError CipherApi::encrypt(ckmc_param_list_h params,
+ const char *key_alias,
+ const char *password,
+ const ckmc_raw_buffer_s& plain,
+ ckmc_raw_buffer_s **ppencrypted)
+{
+ ckmc_cipher_ctx_h ctx = nullptr;
+ size_t left = plain.size;
+ unsigned char* ptr = plain.data;
+ CKM::RawBuffer encrypted;
+ ckmc_raw_buffer_s* out = nullptr;
+ ckmc_raw_buffer_s* encrypted_c = nullptr;
+ uint64_t algo;
+
+ int ret = ckmc_param_list_get_integer(params, CKMC_PARAM_ALGO_TYPE, &algo);
+ if (ret != CKMC_ERROR_NONE)
+ goto encrypt_fail;
+
+ // encrypt
+ ret = ckmc_cipher_initialize(params, key_alias, password, true, &ctx);
+ if (ret != CKMC_ERROR_NONE)
+ goto encrypt_fail;
+
+ ret = crypt(ctx, ptr, left, encrypted);
+ if (ret != CKMC_ERROR_NONE)
+ goto encrypt_fail;
+
+ ret = ckmc_cipher_finalize(ctx, nullptr, &out);
+ if (ret != CKMC_ERROR_NONE)
+ goto encrypt_fail;
+
+ // make sure finalize returns exactly the tag
+ if (algo == CKMC_ALGO_AES_GCM) {
+ uint64_t tagLen = 128;
+ ret = ckmc_param_list_get_integer(params, CKMC_PARAM_ED_TAG_LEN, &tagLen);
+ if (ret != CKMC_ERROR_NONE && ret != CKMC_ERROR_INVALID_PARAMETER)
+ goto encrypt_fail;
+
+ if (tagLen / 8 != out->size) {
+ ret = CKMC_ERROR_SERVER_ERROR;
+ goto encrypt_fail;
+ }
+ }
+
+ if (out != nullptr)
+ std::copy(out->data, out->data + out->size, std::back_inserter(encrypted));
+ out = nullptr;
+
+ ret = ckmc_buffer_new(encrypted.data(), encrypted.size(), &encrypted_c);
+ if (ret != CKMC_ERROR_NONE)
+ goto encrypt_fail;
+
+ *ppencrypted = encrypted_c;
+
+encrypt_fail:
+ ckmc_buffer_free(out);
+ ckmc_cipher_free(ctx);
+
+ return ckmcError2Result(ret);
+}
+
+EncryptionError CipherApi::decrypt(ckmc_param_list_h params,
+ const char *key_alias,
+ const char *password,
+ const ckmc_raw_buffer_s& encrypted,
+ ckmc_raw_buffer_s **ppdecrypted)
+{
+ ckmc_cipher_ctx_h ctx = nullptr;
+ size_t left = encrypted.size;
+ unsigned char* ptr = encrypted.data;
+ CKM::RawBuffer decrypted;
+ ckmc_raw_buffer_s* out = nullptr;
+ ckmc_raw_buffer_s* decrypted_c = nullptr;
+ ckmc_raw_buffer_s* tag = nullptr;
+ uint64_t algo;
+
+ int ret = ckmc_param_list_get_integer(params, CKMC_PARAM_ALGO_TYPE, &algo);
+ if (ret != CKMC_ERROR_NONE)
+ goto decrypt_fail;
+
+ // extract the tag to pass in finalize
+ if (algo == CKMC_ALGO_AES_GCM) {
+ uint64_t tagLen = 128;
+ ret = ckmc_param_list_get_integer(params, CKMC_PARAM_ED_TAG_LEN, &tagLen);
+ if (ret != CKMC_ERROR_NONE && ret != CKMC_ERROR_INVALID_PARAMETER)
+ goto decrypt_fail;
+
+ tagLen /= 8;
+ if (tagLen > left) {
+ ret = CKMC_ERROR_INVALID_PARAMETER;
+ goto decrypt_fail;
+ }
+
+ ret = ckmc_buffer_new(encrypted.data + encrypted.size - tagLen, tagLen, &tag);
+ if (ret != CKMC_ERROR_NONE)
+ goto decrypt_fail;
+
+ left -= tagLen;
+ }
+
+ // decrypt
+ ret = ckmc_cipher_initialize(params, key_alias, password, false, &ctx);
+ if (ret != CKMC_ERROR_NONE)
+ goto decrypt_fail;
+
+ ret = crypt(ctx, ptr, left, decrypted);
+ if (ret != CKMC_ERROR_NONE)
+ goto decrypt_fail;
+
+ ret = ckmc_cipher_finalize(ctx, tag, &out);
+ if (ret != CKMC_ERROR_NONE)
+ goto decrypt_fail;
+
+ if (out != nullptr)
+ std::copy(out->data, out->data + out->size, std::back_inserter(decrypted));
+ out = nullptr;
+
+ ret = ckmc_buffer_new(decrypted.data(), decrypted.size(), &decrypted_c);
+ if (ret != CKMC_ERROR_NONE)
+ goto decrypt_fail;
+
+ *ppdecrypted = decrypted_c;
+
+decrypt_fail:
+ ckmc_cipher_free(ctx);
+ ckmc_buffer_free(out);
+ ckmc_buffer_free(tag);
+
+ return ckmcError2Result(ret);
+}
+
+EncryptionError CipherApi::ckmcError2Result(int error)
+{
+ switch (error) {
+ case CKMC_ERROR_NONE: return EncryptionError::SUCCESS;
+ case CKMC_ERROR_INVALID_PARAMETER: return EncryptionError::INVALID_PARAM;
+ case CKMC_ERROR_SERVER_ERROR: return EncryptionError::SERVER_ERROR;
+ case CKMC_ERROR_DB_ALIAS_UNKNOWN: return EncryptionError::ALIAS_UNKNOWN;
+ case CKMC_ERROR_AUTHENTICATION_FAILED: return EncryptionError::AUTH_FAILED;
+ default: return EncryptionError::OTHER;
+ }
+}
// Environment
SyncApi g_syncApi;
AsyncApi g_asyncApi;
+CipherApi g_cipherApi;
EncryptionApi* g_api = &g_syncApi;
static std::string suffix() { return "_async"; }
};
+struct CipherEnv {
+ void init(const std::string&) {
+ g_api = &g_cipherApi;
+ }
+
+ void finish() {
+ g_api = nullptr;
+ }
+
+ static std::string suffix() { return "_cipher"; }
+};
+
struct Algo {
ckmc_algo_type_e type;
size_t keyLen;
#ifdef TZ_BACKEND
BIG_DATA = create_raw_buffer(createRandomBufferCAPI(1000));
#else
- BIG_DATA = create_raw_buffer(createRandomBufferCAPI(5000000));
+ BIG_DATA = create_raw_buffer(createRandomBufferCAPI(500000));
#endif
DEFAULT_IV = createRandomBufferCAPI(DEFAULT_IV_LEN);
IV1 = createRandomBufferCAPI(1);
return ret;
}
-void testAllAlgorithms(
- const std::function<void(const Algo& algo)>& test)
+void testAllAlgorithms(const std::function<void(const Algo& algo)>& test)
{
test( { CKMC_ALGO_AES_CBC, 128 });
test( { CKMC_ALGO_AES_CBC, 192 });
test( { CKMC_ALGO_AES_CFB, 128 });
test( { CKMC_ALGO_AES_CFB, 192 });
test( { CKMC_ALGO_AES_CFB, 256 });
- test( { CKMC_ALGO_RSA_OAEP, 1024 });
- test( { CKMC_ALGO_RSA_OAEP, 2048 });
- test( { CKMC_ALGO_RSA_OAEP, 4096 });
+
+ if (!g_api->symmetricOnly()) {
+ test( { CKMC_ALGO_RSA_OAEP, 1024 });
+ test( { CKMC_ALGO_RSA_OAEP, 2048 });
+ test( { CKMC_ALGO_RSA_OAEP, 4096 });
+ }
}
void testNoIvEnc(const Algo& algo)
&encrypted);
}
+std::pair<Alias, ParamListPtr> defaultGcmCipherSetup()
+{
+ Algo algo = {CKMC_ALGO_AES_GCM, 256};
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
+
+ ckmc_param_list_h handle = NULL;
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
+ auto params = ParamListPtr(handle, ckmc_param_list_free);
+ setParam(params, CKMC_PARAM_ED_IV, IV12);
+
+ return std::make_pair(aliases.prv, params);
+}
+
} // namespace anonymous
RUNNER_TEST_GROUP_INIT_ENV(CKM_ENCRYPTION_DECRYPTION, EncGroupFixture);
// Generic encryption decryption tests
/////////////////////////////////////////
-RUNNER_TEST_MULTIPLE(TED_0010_encrypt_invalid_param_list, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0010_encrypt_invalid_param_list, SyncEnv, AsyncEnv, CipherEnv)
{
testAllAlgorithms([](const Algo& algo){
// prepare buffers
});
}
-RUNNER_TEST_MULTIPLE(TED_0020_encrypt_missing_key, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0020_encrypt_missing_key, SyncEnv, AsyncEnv, CipherEnv)
{
testAllAlgorithms([](const Algo& algo){
// prepare buffers
});
}
-RUNNER_TEST_MULTIPLE(TED_0110_decrypt_invalid_param_list, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0110_decrypt_invalid_param_list, SyncEnv, AsyncEnv, CipherEnv)
{
testAllAlgorithms([](const Algo& algo){
// prepare buffers
});
}
-RUNNER_TEST_MULTIPLE(TED_0120_decrypt_missing_key, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0120_decrypt_missing_key, SyncEnv, AsyncEnv, CipherEnv)
{
testAllAlgorithms([](const Algo& algo){
// prepare buffers
});
}
-RUNNER_TEST_MULTIPLE(TED_0200_encrypt_decrypt_different_keys, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0200_encrypt_decrypt_different_keys, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 128}, false);
testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 192}, false);
testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 128}, true);
testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 192}, true);
testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 256}, true);
- testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 1024}, false);
- testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 2048}, false);
- testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 4096}, false);
+
+ if (!g_api->symmetricOnly()) {
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 1024}, false);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 2048}, false);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 4096}, false);
+ }
}
-RUNNER_TEST_MULTIPLE(TED_0300_encrypt_decrypt, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0300_encrypt_decrypt, SyncEnv, AsyncEnv, CipherEnv)
{
testAllAlgorithms([](const Algo& algo){
// prepare buffers
});
}
-RUNNER_TEST_MULTIPLE(TED_0310_encrypt_decrypt_password, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0310_encrypt_decrypt_password, SyncEnv, AsyncEnv, CipherEnv)
{
testAllAlgorithms([](const Algo& algo){
// prepare buffers
}
// long test split into smaller ones
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_128, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 128});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_192, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 192});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_256, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 256});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_128, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 128});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_192, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 192});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_256, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 256});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_128, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 128});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_192, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 192});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_256, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 256});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_128, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 128});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_192, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 192});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_256, SyncEnv, AsyncEnv, CipherEnv)
{
testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 256});
}
// Algorithm specific tests
/////////////////////////////////////////
-RUNNER_TEST_MULTIPLE(TED_1005_no_iv_enc, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1005_no_iv_enc, SyncEnv, AsyncEnv, CipherEnv)
{
testNoIvEnc({CKMC_ALGO_AES_CTR, 128});
testNoIvEnc({CKMC_ALGO_AES_CTR, 192});
testNoIvEnc({CKMC_ALGO_AES_GCM, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1010_invalid_iv_enc, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1010_invalid_iv_enc, SyncEnv, AsyncEnv, CipherEnv)
{
testInvalidIvEnc({CKMC_ALGO_AES_CTR, 128});
testInvalidIvEnc({CKMC_ALGO_AES_CTR, 192});
testInvalidIvEnc({CKMC_ALGO_AES_CFB, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1015_no_iv_dec, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1015_no_iv_dec, SyncEnv, AsyncEnv, CipherEnv)
{
testNoIvDec({CKMC_ALGO_AES_CTR, 128});
testNoIvDec({CKMC_ALGO_AES_CTR, 192});
testNoIvDec({CKMC_ALGO_AES_GCM, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1020_invalid_iv_dec, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1020_invalid_iv_dec, SyncEnv, AsyncEnv, CipherEnv)
{
testInvalidIvDec({CKMC_ALGO_AES_CTR, 128});
testInvalidIvDec({CKMC_ALGO_AES_CTR, 192});
testInvalidIvDec({CKMC_ALGO_AES_CFB, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1050_data_integrity, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1050_data_integrity, SyncEnv, AsyncEnv, CipherEnv)
{
testIntegrity({CKMC_ALGO_AES_CTR, 128});
testIntegrity({CKMC_ALGO_AES_CTR, 192});
testIntegrity({CKMC_ALGO_AES_CFB, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1100_ctr_encryption_invalid_length, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1100_ctr_encryption_invalid_length, SyncEnv, AsyncEnv, CipherEnv)
{
testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1105_ctr_encryption_valid_length, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1105_ctr_encryption_valid_length, SyncEnv, AsyncEnv, CipherEnv)
{
RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 128});
testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1110_ctr_decryption_invalid_length, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1110_ctr_decryption_invalid_length, SyncEnv, AsyncEnv, CipherEnv)
{
testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1115_ctr_decryption_valid_length, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1115_ctr_decryption_valid_length, SyncEnv, AsyncEnv, CipherEnv)
{
RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 128});
testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1200_gcm_encryption_tag_len, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1200_gcm_encryption_tag_len, SyncEnv, AsyncEnv, CipherEnv)
{
testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 128});
testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 192});
testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1210_gcm_decryption_tag_len, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1210_gcm_decryption_tag_len, SyncEnv, AsyncEnv, CipherEnv)
{
testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 128});
testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 192});
testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1230_gcm_wrong_tag, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1230_gcm_wrong_tag, SyncEnv, AsyncEnv, CipherEnv)
{
testGcmWrongTag({CKMC_ALGO_AES_GCM, 128});
testGcmWrongTag({CKMC_ALGO_AES_GCM, 192});
testGcmWrongTag({CKMC_ALGO_AES_GCM, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1240_gcm_different_iv_sizes, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1240_gcm_different_iv_sizes, SyncEnv, AsyncEnv, CipherEnv)
{
testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 128});
testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 192});
testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 256});
}
-RUNNER_TEST_MULTIPLE(TED_1250_gcm_aad, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_1250_gcm_aad, SyncEnv, AsyncEnv, CipherEnv)
{
encryptionWithCustomData({CKMC_ALGO_AES_GCM, 128}, CKMC_PARAM_ED_AAD);
encryptionWithCustomData({CKMC_ALGO_AES_GCM, 192}, CKMC_PARAM_ED_AAD);
/////////////////////////////////////////
// Mulithreaded test for synchronous API
/////////////////////////////////////////
-RUNNER_TEST(TED_3000_muliple_threads, SyncEnv)
+RUNNER_TEST_MULTIPLE(TED_3000_multiple_threads, SyncEnv, CipherEnv)
{
std::vector<std::thread> threads;
threads.reserve(10);
for (auto& thread : threads)
thread.join();
}
+
+/////////////////////////////////////////
+// Cipher API only
+/////////////////////////////////////////
+RUNNER_TEST(TED_4000_cipher_missing_arguments)
+{
+ ckmc_raw_buffer_s* encrypted = nullptr;
+
+ auto [alias, params] = defaultGcmCipherSetup();
+
+ ckmc_cipher_ctx_h ctx = nullptr;
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, &ctx);
+ auto ctxPtr = create_cipher_ctx(ctx);
+
+ // no AAD
+ assert_invalid_param(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, &ctx);
+
+ // missing arguments
+ assert_invalid_param(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, nullptr);
+ assert_invalid_param(ckmc_cipher_update, nullptr, *PLAIN_DATA.get(), &encrypted);
+ assert_invalid_param(ckmc_cipher_update, ctx, *PLAIN_DATA.get(), nullptr);
+ assert_invalid_param(ckmc_cipher_finalize, nullptr, nullptr, &encrypted);
+ assert_invalid_param(ckmc_cipher_finalize, nullptr, nullptr, nullptr);
+}
+
+RUNNER_TEST(TED_4010_cipher_reinitialize_without_aad)
+{
+ auto [alias, params] = defaultGcmCipherSetup();
+
+ ckmc_cipher_ctx_h ctx = nullptr;
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, &ctx);
+ auto ctxPtr = create_cipher_ctx(ctx);
+
+ // no AAD
+ assert_invalid_param(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, &ctx);
+}
+
+RUNNER_TEST(TED_4020_cipher_tag_during_encryption)
+{
+ ckmc_raw_buffer_s* encrypted = nullptr;
+
+ auto [alias, params] = defaultGcmCipherSetup();
+
+ ckmc_cipher_ctx_h ctx = nullptr;
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, &ctx);
+ auto ctxPtr = create_cipher_ctx(ctx);
+
+ // tag input during encryption
+ assert_invalid_param(ckmc_cipher_finalize, ctx, PLAIN_DATA.get(), &encrypted);
+}
+
+RUNNER_TEST(TED_4030_cipher_wrong_order)
+{
+ ckmc_raw_buffer_s* encrypted = nullptr;
+
+ auto [alias, params] = defaultGcmCipherSetup();
+
+ ckmc_cipher_ctx_h ctx = nullptr;
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, &ctx);
+ auto ctxPtr = create_cipher_ctx(ctx);
+
+ assert_positive(ckmc_cipher_update, ctx, *PLAIN_DATA.get(), &encrypted);
+ ckmc_buffer_free(encrypted);
+
+ // initialize after update
+ setParam(params, CKMC_PARAM_ED_AAD, AAD32);
+ assert_invalid_param(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, nullptr);
+
+ assert_positive(ckmc_cipher_finalize, ctx, nullptr, &encrypted);
+ ckmc_buffer_free(encrypted);
+
+ // initialize after finalize
+ assert_invalid_param(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, nullptr);
+
+ // update after finalize
+ assert_invalid_param(ckmc_cipher_update, ctx, *PLAIN_DATA.get(), &encrypted);
+}
+
+RUNNER_TEST(TED_4040_cipher_gcm_aad_and_tag)
+{
+ ckmc_raw_buffer_s* encrypted = nullptr;
+
+ auto [alias, params] = defaultGcmCipherSetup();
+ setParam(params, CKMC_PARAM_ED_AAD, AAD32);
+
+ ckmc_cipher_ctx_h ctx = nullptr;
+
+ // encrypt
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, &ctx);
+ auto ctxPtr = create_cipher_ctx(ctx);
+
+ // 2 more AAD chunks
+ setParam(params, CKMC_PARAM_ED_AAD, AAD64);
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, &ctx);
+ setParam(params, CKMC_PARAM_ED_AAD, AAD32);
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, true, &ctx);
+
+ ckmc_raw_buffer_s* tag = nullptr;
+
+ assert_positive(ckmc_cipher_update, ctx, *PLAIN_DATA.get(), &encrypted);
+ auto encryptedPtr = create_raw_buffer(encrypted);
+ assert_positive(ckmc_cipher_finalize, ctx, nullptr, &tag);
+
+ ctxPtr.reset();
+ ctx = nullptr;
+
+ ckmc_raw_buffer_s* decrypted = nullptr;
+ ckmc_raw_buffer_s* empty = nullptr;
+
+ // decrypt with invalid AAD
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, false, &ctx);
+ ctxPtr = create_cipher_ctx(ctx);
+
+ assert_positive(ckmc_cipher_update, ctx, *encrypted, &decrypted);
+ ckmc_buffer_free(decrypted);
+ assert_invalid_param(ckmc_cipher_finalize, ctx, tag, &empty);
+
+ ctxPtr.reset();
+ ctx = nullptr;
+
+ // decrypt without TAG
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, false, &ctx);
+ ctxPtr = create_cipher_ctx(ctx);
+ setParam(params, CKMC_PARAM_ED_AAD, AAD64);
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, false, &ctx);
+ setParam(params, CKMC_PARAM_ED_AAD, AAD32);
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, false, &ctx);
+
+ assert_positive(ckmc_cipher_update, ctx, *encrypted, &decrypted);
+ ckmc_buffer_free(decrypted);
+ assert_invalid_param(ckmc_cipher_finalize, ctx, nullptr, &empty);
+
+ ctxPtr.reset();
+ ctx = nullptr;
+
+ // correct decrypt
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, false, &ctx);
+ ctxPtr = create_cipher_ctx(ctx);
+ setParam(params, CKMC_PARAM_ED_AAD, AAD64);
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, false, &ctx);
+ setParam(params, CKMC_PARAM_ED_AAD, AAD32);
+ assert_positive(ckmc_cipher_initialize, params.get(), alias.c_str(), nullptr, false, &ctx);
+
+ assert_positive(ckmc_cipher_update, ctx, *encrypted, &decrypted);
+ auto decryptedPtr = create_raw_buffer(decrypted);
+ assert_positive(ckmc_cipher_finalize, ctx, tag, &empty);
+
+ RUNNER_ASSERT(empty == nullptr);
+
+ assert_buffers_equal(PLAIN_DATA.get(), decrypted);
+}
projects / platform / core / test / security-tests.git / commitdiff