mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
Merge branch 'bugfix/s2_gcm_hw' into 'master'
aes: Fixed tag sometime being wrong for HW GCM See merge request espressif/esp-idf!8009
This commit is contained in:
commit
9b20b76ae6
@ -208,7 +208,7 @@ menu "mbedTLS"
|
||||
config MBEDTLS_HARDWARE_GCM
|
||||
bool "Enable partially hardware accelerated GCM"
|
||||
depends on IDF_TARGET_ESP32S2 && MBEDTLS_HARDWARE_AES
|
||||
default n
|
||||
default y
|
||||
help
|
||||
Enable partially hardware accelerated GCM. GHASH calculation is still done
|
||||
in software.
|
||||
|
@ -345,7 +345,6 @@ static int esp_aes_process_dma_ext_ram(esp_aes_context *ctx, const unsigned char
|
||||
unsigned char *input_buf = NULL;
|
||||
unsigned char *output_buf = NULL;
|
||||
const unsigned char *dma_input;
|
||||
|
||||
chunk_len = MIN(AES_MAX_CHUNK_WRITE_SIZE, len);
|
||||
|
||||
if (realloc_input) {
|
||||
@ -1290,6 +1289,8 @@ void esp_aes_gcm_init( esp_gcm_context *ctx)
|
||||
}
|
||||
|
||||
bzero(ctx, sizeof(esp_gcm_context));
|
||||
|
||||
ctx->gcm_state = ESP_AES_GCM_STATE_INIT;
|
||||
}
|
||||
|
||||
/* Function to clear AES-GCM context */
|
||||
@ -1298,7 +1299,6 @@ void esp_aes_gcm_free( esp_gcm_context *ctx)
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
bzero(ctx, sizeof(esp_gcm_context));
|
||||
}
|
||||
|
||||
@ -1333,28 +1333,35 @@ int esp_aes_gcm_starts( esp_gcm_context *ctx,
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
/* Initialize AES-GCM context */
|
||||
memset(ctx->ghash, 0, sizeof(ctx->ghash));
|
||||
ctx->data_len = 0;
|
||||
|
||||
ctx->iv = iv;
|
||||
ctx->iv_len = iv_len;
|
||||
ctx->aad = aad;
|
||||
ctx->aad_len = aad_len;
|
||||
ctx->gcm_state = ESP_AES_GCM_STATE_INIT;
|
||||
ctx->mode = mode;
|
||||
|
||||
/* Lock the AES engine to calculate ghash key H in hardware */
|
||||
esp_aes_acquire_hardware();
|
||||
esp_aes_setkey_hardware( &ctx->aes_ctx, mode);
|
||||
esp_aes_mode_init(ESP_AES_BLOCK_MODE_GCM);
|
||||
/* Enable DMA mode */
|
||||
REG_WRITE(AES_DMA_ENABLE_REG, 1);
|
||||
REG_WRITE(AES_TRIGGER_REG, 1);
|
||||
while (REG_READ(AES_STATE_REG) != AES_STATE_IDLE);
|
||||
/* H and the lookup table are only generated once per ctx */
|
||||
if (ctx->gcm_state == ESP_AES_GCM_STATE_INIT) {
|
||||
/* Lock the AES engine to calculate ghash key H in hardware */
|
||||
esp_aes_acquire_hardware();
|
||||
esp_aes_setkey_hardware( &ctx->aes_ctx, mode);
|
||||
esp_aes_mode_init(ESP_AES_BLOCK_MODE_GCM);
|
||||
/* Enable DMA mode */
|
||||
REG_WRITE(AES_DMA_ENABLE_REG, 1);
|
||||
REG_WRITE(AES_TRIGGER_REG, 1);
|
||||
while (REG_READ(AES_STATE_REG) != AES_STATE_IDLE);
|
||||
|
||||
memcpy(ctx->H, (uint8_t *)AES_H_BASE, AES_BLOCK_BYTES);
|
||||
memcpy(ctx->H, (uint8_t *)AES_H_BASE, AES_BLOCK_BYTES);
|
||||
|
||||
esp_aes_release_hardware();
|
||||
gcm_gen_table(ctx);
|
||||
esp_aes_release_hardware();
|
||||
|
||||
gcm_gen_table(ctx);
|
||||
}
|
||||
|
||||
ctx->gcm_state = ESP_AES_GCM_STATE_START;
|
||||
|
||||
/* Once H is obtained we need to derive J0 (Initial Counter Block) */
|
||||
esp_gcm_derive_J0(ctx);
|
||||
@ -1367,7 +1374,6 @@ int esp_aes_gcm_starts( esp_gcm_context *ctx,
|
||||
|
||||
esp_gcm_ghash(ctx, ctx->aad, ctx->aad_len, ctx->ghash);
|
||||
|
||||
|
||||
return ( 0 );
|
||||
}
|
||||
|
||||
@ -1400,7 +1406,7 @@ int esp_aes_gcm_update( esp_gcm_context *ctx,
|
||||
/* If this is the first time esp_gcm_update is getting called
|
||||
* calculate GHASH on aad and preincrement the ICB
|
||||
*/
|
||||
if (ctx->gcm_state == ESP_AES_GCM_STATE_INIT) {
|
||||
if (ctx->gcm_state == ESP_AES_GCM_STATE_START) {
|
||||
/* Jo needs to be incremented first time, later the CTR
|
||||
* operation will auto update it
|
||||
*/
|
||||
@ -1410,20 +1416,23 @@ int esp_aes_gcm_update( esp_gcm_context *ctx,
|
||||
memcpy(nonce_counter, ctx->J0, AES_BLOCK_BYTES);
|
||||
}
|
||||
|
||||
/* Perform intermediate GHASH on "encrypted" data during decryption */
|
||||
if (ctx->mode == ESP_AES_DECRYPT) {
|
||||
esp_gcm_ghash(ctx, input, length, ctx->ghash);
|
||||
}
|
||||
|
||||
/* Output = GCTR(J0, Input): Encrypt/Decrypt the input */
|
||||
esp_aes_crypt_ctr(&ctx->aes_ctx, length, &nc_off, nonce_counter, stream, input, output);
|
||||
|
||||
/* ICB gets auto incremented after GCTR operation here so update the context */
|
||||
memcpy(ctx->J0, nonce_counter, AES_BLOCK_BYTES);
|
||||
|
||||
/* Keep updating the length counter for final tag calculation */
|
||||
ctx->data_len += length;
|
||||
|
||||
/* Perform intermediate GHASH on "encrypted" data irrespective of mode */
|
||||
if (ctx->mode == ESP_AES_DECRYPT) {
|
||||
esp_gcm_ghash(ctx, input, length, ctx->ghash);
|
||||
} else {
|
||||
/* Perform intermediate GHASH on "encrypted" data during encryption*/
|
||||
if (ctx->mode == ESP_AES_ENCRYPT) {
|
||||
esp_gcm_ghash(ctx, output, length, ctx->ghash);
|
||||
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
@ -36,6 +36,7 @@ extern "C" {
|
||||
|
||||
typedef enum {
|
||||
ESP_AES_GCM_STATE_INIT,
|
||||
ESP_AES_GCM_STATE_START,
|
||||
ESP_AES_GCM_STATE_UPDATE,
|
||||
ESP_AES_GCM_STATE_FINISH
|
||||
} esp_aes_gcm_state;
|
||||
|
@ -57,9 +57,9 @@ TEST_CASE("mbedtls CTR stream test", "[aes]")
|
||||
memset(key, 0x44, 16);
|
||||
|
||||
// allocate internal memory
|
||||
uint8_t *chipertext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *plaintext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *decryptedtext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *chipertext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
uint8_t *plaintext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
uint8_t *decryptedtext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
|
||||
TEST_ASSERT_NOT_NULL(chipertext);
|
||||
TEST_ASSERT_NOT_NULL(plaintext);
|
||||
@ -85,7 +85,7 @@ TEST_CASE("mbedtls CTR stream test", "[aes]")
|
||||
// Limit length of last call to avoid exceeding buffer size
|
||||
size_t length = (idx + bytes_to_process > SZ) ? (SZ - idx) : bytes_to_process;
|
||||
mbedtls_aes_crypt_ctr(&ctx, length, &offset, nonce,
|
||||
stream_block, plaintext+idx, chipertext+idx );
|
||||
stream_block, plaintext + idx, chipertext + idx );
|
||||
}
|
||||
TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_cipher, chipertext, SZ);
|
||||
|
||||
@ -96,7 +96,7 @@ TEST_CASE("mbedtls CTR stream test", "[aes]")
|
||||
// Limit length of last call to avoid exceeding buffer size
|
||||
size_t length = (idx + bytes_to_process > SZ) ? (SZ - idx) : bytes_to_process;
|
||||
mbedtls_aes_crypt_ctr(&ctx, length, &offset, nonce,
|
||||
stream_block, chipertext+idx, decryptedtext+idx );
|
||||
stream_block, chipertext + idx, decryptedtext + idx );
|
||||
}
|
||||
TEST_ASSERT_EQUAL_HEX8_ARRAY(plaintext, decryptedtext, SZ);
|
||||
}
|
||||
@ -159,9 +159,9 @@ TEST_CASE("mbedtls GCM stream test", "[aes]")
|
||||
memset(key, 0x56, 16);
|
||||
|
||||
// allocate internal memory
|
||||
uint8_t *chipertext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *plaintext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *decryptedtext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *chipertext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
uint8_t *plaintext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
uint8_t *decryptedtext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
|
||||
TEST_ASSERT_NOT_NULL(chipertext);
|
||||
TEST_ASSERT_NOT_NULL(plaintext);
|
||||
@ -185,7 +185,7 @@ TEST_CASE("mbedtls GCM stream test", "[aes]")
|
||||
for (int idx = 0; idx < SZ; idx = idx + bytes_to_process) {
|
||||
// Limit length of last call to avoid exceeding buffer size
|
||||
size_t length = (idx + bytes_to_process > SZ) ? (SZ - idx) : bytes_to_process;
|
||||
mbedtls_gcm_update(&ctx, length, plaintext+idx, chipertext+idx );
|
||||
mbedtls_gcm_update(&ctx, length, plaintext + idx, chipertext + idx );
|
||||
}
|
||||
mbedtls_gcm_finish( &ctx, tag, sizeof(tag) );
|
||||
TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_cipher, chipertext, SZ);
|
||||
@ -202,7 +202,7 @@ TEST_CASE("mbedtls GCM stream test", "[aes]")
|
||||
// Limit length of last call to avoid exceeding buffer size
|
||||
|
||||
size_t length = (idx + bytes_to_process > SZ) ? (SZ - idx) : bytes_to_process;
|
||||
mbedtls_gcm_update(&ctx, length, chipertext+idx, decryptedtext + idx );
|
||||
mbedtls_gcm_update(&ctx, length, chipertext + idx, decryptedtext + idx );
|
||||
}
|
||||
mbedtls_gcm_finish( &ctx, tag, sizeof(tag) );
|
||||
TEST_ASSERT_EQUAL_HEX8_ARRAY(plaintext, decryptedtext, SZ);
|
||||
@ -256,9 +256,9 @@ TEST_CASE("mbedtls OFB stream test", "[aes]")
|
||||
memset(key, 0x44, 16);
|
||||
|
||||
// allocate internal memory
|
||||
uint8_t *chipertext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *plaintext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *decryptedtext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *chipertext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
uint8_t *plaintext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
uint8_t *decryptedtext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
|
||||
TEST_ASSERT_NOT_NULL(chipertext);
|
||||
TEST_ASSERT_NOT_NULL(plaintext);
|
||||
@ -342,9 +342,9 @@ TEST_CASE("mbedtls CFB8 stream test", "[aes]")
|
||||
memset(key, 0x44, 16);
|
||||
|
||||
// allocate internal memory
|
||||
uint8_t *chipertext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *plaintext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *decryptedtext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *chipertext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
uint8_t *plaintext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
uint8_t *decryptedtext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
|
||||
TEST_ASSERT_NOT_NULL(chipertext);
|
||||
TEST_ASSERT_NOT_NULL(plaintext);
|
||||
@ -425,9 +425,9 @@ TEST_CASE("mbedtls CFB128 stream test", "[aes]")
|
||||
memset(key, 0x44, 16);
|
||||
|
||||
// allocate internal memory
|
||||
uint8_t *chipertext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *plaintext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *decryptedtext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT|MALLOC_CAP_INTERNAL);
|
||||
uint8_t *chipertext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
uint8_t *plaintext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
uint8_t *decryptedtext = heap_caps_malloc(SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
|
||||
TEST_ASSERT_NOT_NULL(chipertext);
|
||||
TEST_ASSERT_NOT_NULL(plaintext);
|
||||
@ -442,26 +442,26 @@ TEST_CASE("mbedtls CFB128 stream test", "[aes]")
|
||||
*/
|
||||
|
||||
//for (int bytes_to_process = 1; bytes_to_process < SZ; bytes_to_process++) {
|
||||
int bytes_to_process = 17;
|
||||
size_t offset = 0;
|
||||
memset(iv, 0xEE, 16);
|
||||
for (int idx = 0; idx < SZ; idx = idx + bytes_to_process) {
|
||||
// Limit length of last call to avoid exceeding buffer size
|
||||
size_t length = ( (idx + bytes_to_process) > SZ) ? (SZ - idx) : bytes_to_process;
|
||||
mbedtls_aes_crypt_cfb128(&ctx, MBEDTLS_AES_ENCRYPT, length, &offset, iv, plaintext + idx, chipertext + idx);
|
||||
int bytes_to_process = 17;
|
||||
size_t offset = 0;
|
||||
memset(iv, 0xEE, 16);
|
||||
for (int idx = 0; idx < SZ; idx = idx + bytes_to_process) {
|
||||
// Limit length of last call to avoid exceeding buffer size
|
||||
size_t length = ( (idx + bytes_to_process) > SZ) ? (SZ - idx) : bytes_to_process;
|
||||
mbedtls_aes_crypt_cfb128(&ctx, MBEDTLS_AES_ENCRYPT, length, &offset, iv, plaintext + idx, chipertext + idx);
|
||||
|
||||
}
|
||||
TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_cipher, chipertext, SZ);
|
||||
}
|
||||
TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_cipher, chipertext, SZ);
|
||||
|
||||
offset = 0;
|
||||
memset(iv, 0xEE, 16);
|
||||
for (int idx = 0; idx < SZ; idx = idx + bytes_to_process) {
|
||||
// Limit length of last call to avoid exceeding buffer size
|
||||
size_t length = ( (idx + bytes_to_process) > SZ) ? (SZ - idx) : bytes_to_process;
|
||||
mbedtls_aes_crypt_cfb128(&ctx, MBEDTLS_AES_DECRYPT, length, &offset, iv, chipertext + idx, decryptedtext + idx);
|
||||
offset = 0;
|
||||
memset(iv, 0xEE, 16);
|
||||
for (int idx = 0; idx < SZ; idx = idx + bytes_to_process) {
|
||||
// Limit length of last call to avoid exceeding buffer size
|
||||
size_t length = ( (idx + bytes_to_process) > SZ) ? (SZ - idx) : bytes_to_process;
|
||||
mbedtls_aes_crypt_cfb128(&ctx, MBEDTLS_AES_DECRYPT, length, &offset, iv, chipertext + idx, decryptedtext + idx);
|
||||
|
||||
}
|
||||
TEST_ASSERT_EQUAL_HEX8_ARRAY(plaintext, decryptedtext, SZ);
|
||||
}
|
||||
TEST_ASSERT_EQUAL_HEX8_ARRAY(plaintext, decryptedtext, SZ);
|
||||
|
||||
free(plaintext);
|
||||
free(chipertext);
|
||||
@ -491,11 +491,11 @@ TEST_CASE("mbedtls CFB128 stream test", "[aes]")
|
||||
#ifdef CONFIG_SPIRAM_USE_MALLOC
|
||||
|
||||
const uint8_t expected_cipher_psram_end[] = {
|
||||
0x7e, 0xdf, 0x13, 0xf3, 0x56, 0xef, 0x67, 0x01,
|
||||
0xfc, 0x08, 0x49, 0x62, 0xfa, 0xfe, 0x0c, 0x8b,
|
||||
0x99, 0x39, 0x09, 0x51, 0x2c, 0x9a, 0xd5, 0x48,
|
||||
0x4f, 0x76, 0xa2, 0x19, 0x2c, 0x08, 0x9d, 0x6a,
|
||||
};
|
||||
0x7e, 0xdf, 0x13, 0xf3, 0x56, 0xef, 0x67, 0x01,
|
||||
0xfc, 0x08, 0x49, 0x62, 0xfa, 0xfe, 0x0c, 0x8b,
|
||||
0x99, 0x39, 0x09, 0x51, 0x2c, 0x9a, 0xd5, 0x48,
|
||||
0x4f, 0x76, 0xa2, 0x19, 0x2c, 0x08, 0x9d, 0x6a,
|
||||
};
|
||||
|
||||
|
||||
void aes_psram_ctr_test(uint32_t input_buf_caps, uint32_t output_buf_caps)
|
||||
@ -547,6 +547,50 @@ void aes_psram_ctr_test(uint32_t input_buf_caps, uint32_t output_buf_caps)
|
||||
free(decryptedtext);
|
||||
}
|
||||
|
||||
void aes_psram_one_buf_ctr_test(void)
|
||||
{
|
||||
mbedtls_aes_context ctx;
|
||||
uint8_t nonce[16];
|
||||
uint8_t key[16];
|
||||
uint8_t stream_block[16];
|
||||
size_t SZ = 6000;
|
||||
size_t ALIGNMENT_SIZE_BYTES = 16;
|
||||
memset(nonce, 0x2F, 16);
|
||||
memset(key, 0x1E, 16);
|
||||
|
||||
// allocate internal memory
|
||||
uint8_t *buf = heap_caps_malloc(SZ + ALIGNMENT_SIZE_BYTES, MALLOC_CAP_SPIRAM);
|
||||
|
||||
TEST_ASSERT_NOT_NULL(buf);
|
||||
|
||||
mbedtls_aes_init(&ctx);
|
||||
mbedtls_aes_setkey_enc(&ctx, key, 128);
|
||||
memset(buf, 0x26, SZ + ALIGNMENT_SIZE_BYTES);
|
||||
|
||||
size_t offset;
|
||||
|
||||
/* Shift buffers and test for all different misalignments */
|
||||
for (int i = 0; i < ALIGNMENT_SIZE_BYTES; i++ ) {
|
||||
// Encrypt with input buffer in external ram
|
||||
offset = 0;
|
||||
memset(buf, 0x26, SZ + ALIGNMENT_SIZE_BYTES);
|
||||
memset(nonce, 0x2F, 16);
|
||||
mbedtls_aes_crypt_ctr(&ctx, SZ, &offset, nonce, stream_block, buf + i, buf + i);
|
||||
TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_cipher_psram_end, buf + i + SZ - 32, 32);
|
||||
|
||||
// Decrypt
|
||||
offset = 0;
|
||||
memset(nonce, 0x2F, 16);
|
||||
// Decrypt with input buffer in instruction memory, the crypto DMA can't access this
|
||||
mbedtls_aes_crypt_ctr(&ctx, SZ, &offset, nonce, stream_block, buf + i, buf);
|
||||
|
||||
TEST_ASSERT_EACH_EQUAL_HEX8(0x26, buf + i, SZ - i);
|
||||
|
||||
}
|
||||
free(buf);
|
||||
}
|
||||
|
||||
|
||||
const uint8_t long_input[] = {
|
||||
0xf7, 0xe6, 0x6b, 0x8d, 0x2e, 0xbf, 0x88, 0xd6,
|
||||
0xb0, 0x77, 0xdf, 0x72, 0xbf, 0xa8, 0x0, 0x55,
|
||||
@ -1068,7 +1112,7 @@ const uint8_t expected_cipher_long_input_end[] = {
|
||||
0x32, 0x9f, 0x38, 0xcc, 0x98, 0x1b, 0xbe, 0x10, 0xa5, 0x06, 0x67, 0xae, 0x38,
|
||||
0xbd, 0x7d, 0xb5, 0xcd, 0x58, 0x32, 0xdd, 0x9e,
|
||||
0x6a, 0xde, 0xe3, 0x53,
|
||||
};
|
||||
};
|
||||
|
||||
void aes_icache_ctr_test(uint32_t output_buf_caps)
|
||||
{
|
||||
@ -1116,6 +1160,7 @@ TEST_CASE("mbedtls AES PSRAM tests", "[aes]")
|
||||
aes_psram_ctr_test(MALLOC_CAP_INTERNAL, MALLOC_CAP_SPIRAM);
|
||||
aes_psram_ctr_test(MALLOC_CAP_SPIRAM, MALLOC_CAP_INTERNAL);
|
||||
aes_psram_ctr_test(MALLOC_CAP_SPIRAM, MALLOC_CAP_SPIRAM);
|
||||
aes_psram_one_buf_ctr_test();
|
||||
}
|
||||
|
||||
/* Tests how crypto DMA handles data from iCache */
|
||||
@ -1131,3 +1176,69 @@ TEST_CASE("mbedtls AES GCM self-tests", "[aes]")
|
||||
TEST_ASSERT_FALSE_MESSAGE(mbedtls_gcm_self_test(1), "AES GCM self-test should pass.");
|
||||
}
|
||||
|
||||
|
||||
TEST_CASE("mbedtls AES GCM crypt-and-tag", "[aes]")
|
||||
{
|
||||
const unsigned CALL_SZ = 32 * 1024;
|
||||
mbedtls_gcm_context ctx;
|
||||
unsigned char tag_buf[16];
|
||||
mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
|
||||
uint8_t iv[16];
|
||||
uint8_t key[16];
|
||||
|
||||
memset(iv, 0xEE, 16);
|
||||
memset(key, 0x44, 16);
|
||||
|
||||
// allocate internal memory
|
||||
uint8_t *buf = heap_caps_malloc(CALL_SZ, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
|
||||
TEST_ASSERT_NOT_NULL(buf);
|
||||
uint8_t aad[16];
|
||||
memset(aad, 0x22, 16);
|
||||
|
||||
mbedtls_gcm_init(&ctx);
|
||||
mbedtls_gcm_setkey( &ctx, cipher, key, 128);
|
||||
|
||||
memset(buf, 0xAA, CALL_SZ);
|
||||
mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_AES_ENCRYPT, CALL_SZ, iv, sizeof(iv), aad, sizeof(aad), buf, buf, 16, tag_buf);
|
||||
|
||||
|
||||
/* Sanity check: make sure the last ciphertext block matches
|
||||
what we expect to see.
|
||||
|
||||
Last block and tag produced via this Python:
|
||||
|
||||
import os, binascii
|
||||
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
|
||||
|
||||
key = b'\x44' * 16
|
||||
iv = b'\xEE' * 16
|
||||
data = b'\xAA' * 100
|
||||
aad = b'\x22 * 16
|
||||
|
||||
aesgcm = AESGCM(key)
|
||||
|
||||
ct = aesgcm.encrypt(iv, data, aad)
|
||||
*/
|
||||
const uint8_t expected_last_block[] = {
|
||||
0x7d, 0x3d, 0x16, 0x84, 0xd0, 0xb4, 0x38, 0x30,
|
||||
0xd1, 0x24, 0x6f, 0x7e, 0x9a, 0x9c, 0x81, 0x58,
|
||||
};
|
||||
|
||||
const uint8_t expected_tag[] = {
|
||||
0x7e, 0x16, 0x04, 0x07, 0x4b, 0x7e, 0x6b, 0xf7,
|
||||
0x5d, 0xce, 0x9e, 0x7d, 0x3f, 0x85, 0xc5, 0xa5,
|
||||
};
|
||||
|
||||
TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_last_block, buf + CALL_SZ - 16, 16);
|
||||
TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_tag, tag_buf, 16);
|
||||
|
||||
|
||||
memset(iv, 0xEE, 16);
|
||||
|
||||
TEST_ASSERT_EQUAL(mbedtls_gcm_auth_decrypt(&ctx, CALL_SZ, iv, sizeof(iv), aad, sizeof(aad), expected_tag, sizeof(expected_tag), buf, buf), 0);
|
||||
TEST_ASSERT_EACH_EQUAL_HEX8(0xAA, buf, CALL_SZ);
|
||||
|
||||
|
||||
free(buf);
|
||||
}
|
||||
|
||||
|
@ -495,7 +495,7 @@ UT_034:
|
||||
|
||||
UT_035:
|
||||
extends: .unit_test_s2_template
|
||||
parallel: 29
|
||||
parallel: 30
|
||||
tags:
|
||||
- ESP32S2_IDF
|
||||
- UT_T1_1
|
||||
|
Loading…
Reference in New Issue
Block a user