Only use PSA_ALG_AEAD_WITH_SHORTENED_TAG with the default tag length when
it's part of a series or when the tag length is a critical part of the test.
Don't use it when the tag length is secondary, to make the test data easier
to read.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Declare all AES and DES functions that return int as needing to have
their result checked, and do check the result in our code.
A DES or AES block operation can fail in alternative implementations of
mbedtls_internal_aes_encrypt() (under MBEDTLS_AES_ENCRYPT_ALT),
mbedtls_internal_aes_decrypt() (under MBEDTLS_AES_DECRYPT_ALT),
mbedtls_des_crypt_ecb() (under MBEDTLS_DES_CRYPT_ECB_ALT),
mbedtls_des3_crypt_ecb() (under MBEDTLS_DES3_CRYPT_ECB_ALT).
A failure can happen if the accelerator peripheral is in a bad state.
Several block modes were not catching the error.
This commit does the following code changes, grouped together to avoid
having an intermediate commit where the build fails:
* Add MBEDTLS_CHECK_RETURN to all functions returning int in aes.h and des.h.
* Fix all places where this causes a GCC warning, indicating that our code
was not properly checking the result of an AES operation:
* In library code: on failure, goto exit and return ret.
* In pkey programs: goto exit.
* In the benchmark program: exit (not ideal since there's no error
message, but it's what the code currently does for failures).
* In test code: TEST_ASSERT.
* Changelog entry.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is no longer required, as both PolyChaCha and GCM now support
both chunked body data and additional data.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Also fiixed the following merge problems:
crypto_struct.h : Added MBEDTLS_PRIVATE to psa_aead_operation_s
members (merge conflict)
psa_crypto_aead.c : Added ciphertext_length to mbedtls_gcm_finish
call (change of API during development)
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Multipart decrypt now always expects positive result (i.e. the plaintext
that is passed in). Added new test that expects fail, and does no
multipart versions and concentrates on aead_verify.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Previous tests only tested when the expected lengths were set to zero.
New test sends all data/ad then goes over by one byte.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
i.e Check correct buffer size +1 and correct buffer size -1 (where
applicable) to check too big and too small cases, and hopefully catch
edge cases.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
