tests/suites/test_suite_cipher.function

/* BEGIN_HEADER */
#include "mbedtls/cipher.h"
#include "mbedtls/aes.h"

#if defined(MBEDTLS_GCM_C)
#include "mbedtls/gcm.h"
#endif

#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
#define MBEDTLS_CIPHER_AUTH_CRYPT
#endif

#if defined(MBEDTLS_CIPHER_AUTH_CRYPT)
/* Helper for resetting key/direction
 *
 * The documentation doesn't explicitly say whether calling
 * mbedtls_cipher_setkey() twice is allowed or not. This currently works with
 * the default software implementation, but only by accident. It isn't
 * guaranteed to work with new ciphers or with alternative implementations of
 * individual ciphers, and it doesn't work with the PSA wrappers. So don't do
 * it, and instead start with a fresh context.
 */
static int cipher_reset_key(mbedtls_cipher_context_t *ctx, int cipher_id,
                            int use_psa, size_t tag_len, const data_t *key, int direction)
{
    mbedtls_cipher_free(ctx);
    mbedtls_cipher_init(ctx);

#if !defined(MBEDTLS_USE_PSA_CRYPTO)
    (void) use_psa;
    (void) tag_len;
#else
    if (use_psa == 1) {
        TEST_ASSERT(0 == mbedtls_cipher_setup_psa(ctx,
                                                  mbedtls_cipher_info_from_type(cipher_id),
                                                  tag_len));
    } else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
    {
        TEST_ASSERT(0 == mbedtls_cipher_setup(ctx,
                                              mbedtls_cipher_info_from_type(cipher_id)));
    }

    TEST_ASSERT(0 == mbedtls_cipher_setkey(ctx, key->x, 8 * key->len,
                                           direction));
    return 1;

exit:
    return 0;
}

/*
 * Check if a buffer is all-0 bytes:
 * return   1 if it is,
 *          0 if it isn't.
 */
int buffer_is_all_zero(const uint8_t *buf, size_t size)
{
    for (size_t i = 0; i < size; i++) {
        if (buf[i] != 0) {
            return 0;
        }
    }
    return 1;
}
#endif /* MBEDTLS_CIPHER_AUTH_CRYPT */

/* END_HEADER */

/* BEGIN_DEPENDENCIES
 * depends_on:MBEDTLS_CIPHER_C
 * END_DEPENDENCIES
 */

/* BEGIN_CASE */
void mbedtls_cipher_list()
{
    const int *cipher_type;

    for (cipher_type = mbedtls_cipher_list(); *cipher_type != 0; cipher_type++) {
        TEST_ASSERT(mbedtls_cipher_info_from_type(*cipher_type) != NULL);
    }
}
/* END_CASE */

/* BEGIN_CASE */
void cipher_invalid_param_unconditional()
{
    mbedtls_cipher_context_t valid_ctx;
    mbedtls_cipher_context_t invalid_ctx;
    mbedtls_operation_t valid_operation = MBEDTLS_ENCRYPT;
    mbedtls_cipher_padding_t valid_mode = MBEDTLS_PADDING_ZEROS;
    unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
    int valid_size = sizeof(valid_buffer);
    int valid_bitlen = valid_size * 8;
    const mbedtls_cipher_info_t *valid_info = mbedtls_cipher_info_from_type(
        *(mbedtls_cipher_list()));
    size_t size_t_var;

    (void) valid_mode; /* In some configurations this is unused */

    mbedtls_cipher_init(&valid_ctx);
    mbedtls_cipher_init(&invalid_ctx);

    TEST_ASSERT(mbedtls_cipher_setup(&valid_ctx, valid_info) == 0);

    /* mbedtls_cipher_setup() */
    TEST_ASSERT(mbedtls_cipher_setup(&valid_ctx, NULL) ==
                MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);

    /* mbedtls_cipher_get_block_size() */
    TEST_ASSERT(mbedtls_cipher_get_block_size(&invalid_ctx) == 0);

    /* mbedtls_cipher_get_cipher_mode() */
    TEST_ASSERT(mbedtls_cipher_get_cipher_mode(&invalid_ctx) ==
                MBEDTLS_MODE_NONE);

    /* mbedtls_cipher_get_iv_size() */
    TEST_ASSERT(mbedtls_cipher_get_iv_size(&invalid_ctx) == 0);

    /* mbedtls_cipher_get_type() */
    TEST_ASSERT(
        mbedtls_cipher_get_type(&invalid_ctx) ==
        MBEDTLS_CIPHER_NONE);

    /* mbedtls_cipher_get_name() */
    TEST_ASSERT(mbedtls_cipher_get_name(&invalid_ctx) == 0);

    /* mbedtls_cipher_get_key_bitlen() */
    TEST_ASSERT(mbedtls_cipher_get_key_bitlen(&invalid_ctx) ==
                MBEDTLS_KEY_LENGTH_NONE);

    /* mbedtls_cipher_get_operation() */
    TEST_ASSERT(mbedtls_cipher_get_operation(&invalid_ctx) ==
                MBEDTLS_OPERATION_NONE);

    /* mbedtls_cipher_setkey() */
    TEST_ASSERT(
        mbedtls_cipher_setkey(&invalid_ctx,
                              valid_buffer,
                              valid_bitlen,
                              valid_operation) ==
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);

    /* mbedtls_cipher_set_iv() */
    TEST_ASSERT(
        mbedtls_cipher_set_iv(&invalid_ctx,
                              valid_buffer,
                              valid_size) ==
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);

    /* mbedtls_cipher_reset() */
    TEST_ASSERT(mbedtls_cipher_reset(&invalid_ctx) ==
                MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);

#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
    /* mbedtls_cipher_update_ad() */
    TEST_ASSERT(
        mbedtls_cipher_update_ad(&invalid_ctx,
                                 valid_buffer,
                                 valid_size) ==
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */

#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
    /* mbedtls_cipher_set_padding_mode() */
    TEST_ASSERT(mbedtls_cipher_set_padding_mode(&invalid_ctx, valid_mode) ==
                MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
#endif

    /* mbedtls_cipher_update() */
    TEST_ASSERT(
        mbedtls_cipher_update(&invalid_ctx,
                              valid_buffer,
                              valid_size,
                              valid_buffer,
                              &size_t_var) ==
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);

    /* mbedtls_cipher_finish() */
    TEST_ASSERT(
        mbedtls_cipher_finish(&invalid_ctx,
                              valid_buffer,
                              &size_t_var) ==
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);

#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
    /* mbedtls_cipher_write_tag() */
    TEST_ASSERT(
        mbedtls_cipher_write_tag(&invalid_ctx,
                                 valid_buffer,
                                 valid_size) ==
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);

    /* mbedtls_cipher_check_tag() */
    TEST_ASSERT(
        mbedtls_cipher_check_tag(&invalid_ctx,
                                 valid_buffer,
                                 valid_size) ==
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */

exit:
    mbedtls_cipher_free(&invalid_ctx);
    mbedtls_cipher_free(&valid_ctx);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
void cipher_invalid_param_conditional()
{
    mbedtls_cipher_context_t valid_ctx;

    mbedtls_operation_t valid_operation = MBEDTLS_ENCRYPT;
    mbedtls_operation_t invalid_operation = 100;
    mbedtls_cipher_padding_t valid_mode = MBEDTLS_PADDING_ZEROS;
    unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
    int valid_size = sizeof(valid_buffer);
    int valid_bitlen = valid_size * 8;
    const mbedtls_cipher_info_t *valid_info = mbedtls_cipher_info_from_type(
        *(mbedtls_cipher_list()));

    size_t size_t_var;

    (void) valid_mode; /* In some configurations this is unused */

    /* mbedtls_cipher_init() */
    TEST_VALID_PARAM(mbedtls_cipher_init(&valid_ctx));
    TEST_INVALID_PARAM(mbedtls_cipher_init(NULL));

    /* mbedtls_cipher_setup() */
    TEST_VALID_PARAM(mbedtls_cipher_setup(&valid_ctx, valid_info));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_setup(NULL, valid_info));

    /* mbedtls_cipher_get_block_size() */
    TEST_INVALID_PARAM_RET(0, mbedtls_cipher_get_block_size(NULL));

    /* mbedtls_cipher_get_cipher_mode() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_MODE_NONE,
        mbedtls_cipher_get_cipher_mode(NULL));

    /* mbedtls_cipher_get_iv_size() */
    TEST_INVALID_PARAM_RET(0, mbedtls_cipher_get_iv_size(NULL));

    /* mbedtls_cipher_get_type() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_CIPHER_NONE,
        mbedtls_cipher_get_type(NULL));

    /* mbedtls_cipher_get_name() */
    TEST_INVALID_PARAM_RET(0, mbedtls_cipher_get_name(NULL));

    /* mbedtls_cipher_get_key_bitlen() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_KEY_LENGTH_NONE,
        mbedtls_cipher_get_key_bitlen(NULL));

    /* mbedtls_cipher_get_operation() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_OPERATION_NONE,
        mbedtls_cipher_get_operation(NULL));

    /* mbedtls_cipher_setkey() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_setkey(NULL,
                              valid_buffer,
                              valid_bitlen,
                              valid_operation));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_setkey(&valid_ctx,
                              NULL,
                              valid_bitlen,
                              valid_operation));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_setkey(&valid_ctx,
                              valid_buffer,
                              valid_bitlen,
                              invalid_operation));

    /* mbedtls_cipher_set_iv() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_set_iv(NULL,
                              valid_buffer,
                              valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_set_iv(&valid_ctx,
                              NULL,
                              valid_size));

    /* mbedtls_cipher_reset() */
    TEST_INVALID_PARAM_RET(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
                           mbedtls_cipher_reset(NULL));

#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
    /* mbedtls_cipher_update_ad() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_update_ad(NULL,
                                 valid_buffer,
                                 valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_update_ad(&valid_ctx,
                                 NULL,
                                 valid_size));
#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */

#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
    /* mbedtls_cipher_set_padding_mode() */
    TEST_INVALID_PARAM_RET(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
                           mbedtls_cipher_set_padding_mode(NULL, valid_mode));
#endif

    /* mbedtls_cipher_update() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_update(NULL,
                              valid_buffer,
                              valid_size,
                              valid_buffer,
                              &size_t_var));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_update(&valid_ctx,
                              NULL, valid_size,
                              valid_buffer,
                              &size_t_var));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_update(&valid_ctx,
                              valid_buffer, valid_size,
                              NULL,
                              &size_t_var));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_update(&valid_ctx,
                              valid_buffer, valid_size,
                              valid_buffer,
                              NULL));

    /* mbedtls_cipher_finish() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_finish(NULL,
                              valid_buffer,
                              &size_t_var));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_finish(&valid_ctx,
                              NULL,
                              &size_t_var));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_finish(&valid_ctx,
                              valid_buffer,
                              NULL));

#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
    /* mbedtls_cipher_write_tag() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_write_tag(NULL,
                                 valid_buffer,
                                 valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_write_tag(&valid_ctx,
                                 NULL,
                                 valid_size));

    /* mbedtls_cipher_check_tag() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_check_tag(NULL,
                                 valid_buffer,
                                 valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_check_tag(&valid_ctx,
                                 NULL,
                                 valid_size));
#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */

    /* mbedtls_cipher_crypt() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_crypt(NULL,
                             valid_buffer, valid_size,
                             valid_buffer, valid_size,
                             valid_buffer, &size_t_var));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_crypt(&valid_ctx,
                             NULL, valid_size,
                             valid_buffer, valid_size,
                             valid_buffer, &size_t_var));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_crypt(&valid_ctx,
                             valid_buffer, valid_size,
                             NULL, valid_size,
                             valid_buffer, &size_t_var));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_crypt(&valid_ctx,
                             valid_buffer, valid_size,
                             valid_buffer, valid_size,
                             NULL, &size_t_var));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_crypt(&valid_ctx,
                             valid_buffer, valid_size,
                             valid_buffer, valid_size,
                             valid_buffer, NULL));

#if defined(MBEDTLS_CIPHER_MODE_AEAD)
    /* mbedtls_cipher_auth_encrypt() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt(NULL,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, &size_t_var,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt(&valid_ctx,
                                    NULL, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, &size_t_var,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt(&valid_ctx,
                                    valid_buffer, valid_size,
                                    NULL, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, &size_t_var,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt(&valid_ctx,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    NULL, valid_size,
                                    valid_buffer, &size_t_var,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt(&valid_ctx,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    NULL, &size_t_var,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt(&valid_ctx,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, NULL,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt(&valid_ctx,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, &size_t_var,
                                    NULL, valid_size));

    /* mbedtls_cipher_auth_decrypt() */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt(NULL,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, &size_t_var,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt(&valid_ctx,
                                    NULL, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, &size_t_var,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt(&valid_ctx,
                                    valid_buffer, valid_size,
                                    NULL, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, &size_t_var,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt(&valid_ctx,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    NULL, valid_size,
                                    valid_buffer, &size_t_var,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt(&valid_ctx,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    NULL, &size_t_var,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt(&valid_ctx,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, NULL,
                                    valid_buffer, valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt(&valid_ctx,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, valid_size,
                                    valid_buffer, &size_t_var,
                                    NULL, valid_size));
#endif /* defined(MBEDTLS_CIPHER_MODE_AEAD) */

#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
    /* mbedtls_cipher_auth_encrypt_ext */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt_ext(NULL,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size, &size_t_var,
                                        valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt_ext(&valid_ctx,
                                        NULL, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size, &size_t_var,
                                        valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt_ext(&valid_ctx,
                                        valid_buffer, valid_size,
                                        NULL, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size, &size_t_var,
                                        valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt_ext(&valid_ctx,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        NULL, valid_size,
                                        valid_buffer, valid_size, &size_t_var,
                                        valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt_ext(&valid_ctx,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        NULL, valid_size, &size_t_var,
                                        valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_encrypt_ext(&valid_ctx,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size, NULL,
                                        valid_size));

    /* mbedtls_cipher_auth_decrypt_ext */
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt_ext(NULL,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size, &size_t_var,
                                        valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt_ext(&valid_ctx,
                                        NULL, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size, &size_t_var,
                                        valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt_ext(&valid_ctx,
                                        valid_buffer, valid_size,
                                        NULL, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size, &size_t_var,
                                        valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt_ext(&valid_ctx,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        NULL, valid_size,
                                        valid_buffer, valid_size, &size_t_var,
                                        valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt_ext(&valid_ctx,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        NULL, valid_size, &size_t_var,
                                        valid_size));
    TEST_INVALID_PARAM_RET(
        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
        mbedtls_cipher_auth_decrypt_ext(&valid_ctx,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size,
                                        valid_buffer, valid_size, NULL,
                                        valid_size));
#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */

    /* mbedtls_cipher_free() */
    TEST_VALID_PARAM(mbedtls_cipher_free(NULL));
exit:
    TEST_VALID_PARAM(mbedtls_cipher_free(&valid_ctx));
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
void cipher_special_behaviours()
{
    const mbedtls_cipher_info_t *cipher_info;
    mbedtls_cipher_context_t ctx;
    unsigned char input[32];
    unsigned char output[32];
#if defined(MBEDTLS_CIPHER_MODE_CBC)
    unsigned char iv[32];
#endif
    size_t olen = 0;

    mbedtls_cipher_init(&ctx);
    memset(input, 0, sizeof(input));
    memset(output, 0, sizeof(output));
#if defined(MBEDTLS_CIPHER_MODE_CBC)
    memset(iv, 0, sizeof(iv));

    /* Check and get info structures */
    cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_CBC);
    TEST_ASSERT(NULL != cipher_info);

    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx, cipher_info));

    /* IV too big */
    TEST_ASSERT(mbedtls_cipher_set_iv(&ctx, iv, MBEDTLS_MAX_IV_LENGTH + 1)
                == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);

    /* IV too small */
    TEST_ASSERT(mbedtls_cipher_set_iv(&ctx, iv, 0)
                == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);

    mbedtls_cipher_free(&ctx);
    mbedtls_cipher_init(&ctx);
#endif /* MBEDTLS_CIPHER_MODE_CBC */
    cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
    TEST_ASSERT(NULL != cipher_info);

    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx, cipher_info));

    /* Update ECB with partial block */
    TEST_ASSERT(mbedtls_cipher_update(&ctx, input, 1, output, &olen)
                == MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED);

exit:
    mbedtls_cipher_free(&ctx);
}
/* END_CASE */

/* BEGIN_CASE */
void enc_dec_buf(int cipher_id, char *cipher_string, int key_len,
                 int length_val, int pad_mode)
{
    size_t length = length_val, outlen, total_len, i, block_size, iv_len;
    unsigned char key[64];
    unsigned char iv[16];
    unsigned char ad[13];
    unsigned char tag[16];
    unsigned char inbuf[64];
    unsigned char encbuf[64];
    unsigned char decbuf[64];

    const mbedtls_cipher_info_t *cipher_info;
    mbedtls_cipher_context_t ctx_dec;
    mbedtls_cipher_context_t ctx_enc;

    /*
     * Prepare contexts
     */
    mbedtls_cipher_init(&ctx_dec);
    mbedtls_cipher_init(&ctx_enc);

    memset(key, 0x2a, sizeof(key));

    /* Check and get info structures */
    cipher_info = mbedtls_cipher_info_from_type(cipher_id);
    TEST_ASSERT(NULL != cipher_info);
    TEST_ASSERT(mbedtls_cipher_info_from_string(cipher_string) == cipher_info);

    /* Initialise enc and dec contexts */
    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_dec, cipher_info));
    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_enc, cipher_info));

    TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx_dec, key, key_len, MBEDTLS_DECRYPT));
    TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx_enc, key, key_len, MBEDTLS_ENCRYPT));

#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
    if (-1 != pad_mode) {
        TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx_dec, pad_mode));
        TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx_enc, pad_mode));
    }
#else
    (void) pad_mode;
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */

    /*
     * Do a few encode/decode cycles
     */
    for (i = 0; i < 3; i++) {
        memset(iv, 0x00 + i, sizeof(iv));
        memset(ad, 0x10 + i, sizeof(ad));
        memset(inbuf, 0x20 + i, sizeof(inbuf));

        memset(encbuf, 0, sizeof(encbuf));
        memset(decbuf, 0, sizeof(decbuf));
        memset(tag, 0, sizeof(tag));

        if (cipher_info->type == MBEDTLS_CIPHER_CHACHA20 ||
            cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
            iv_len = 12;
        } else {
            iv_len = sizeof(iv);
        }

        TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx_dec, iv, iv_len));
        TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx_enc, iv, iv_len));

        TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx_dec));
        TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx_enc));

#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
        TEST_ASSERT(0 == mbedtls_cipher_update_ad(&ctx_dec, ad, sizeof(ad) - i));
        TEST_ASSERT(0 == mbedtls_cipher_update_ad(&ctx_enc, ad, sizeof(ad) - i));
#endif

        block_size = mbedtls_cipher_get_block_size(&ctx_enc);
        TEST_ASSERT(block_size != 0);

        /* encode length number of bytes from inbuf */
        TEST_ASSERT(0 == mbedtls_cipher_update(&ctx_enc, inbuf, length, encbuf, &outlen));
        total_len = outlen;

        TEST_ASSERT(total_len == length ||
                    (total_len % block_size == 0 &&
                     total_len < length &&
                     total_len + block_size > length));

        TEST_ASSERT(0 == mbedtls_cipher_finish(&ctx_enc, encbuf + outlen, &outlen));
        total_len += outlen;

#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
        TEST_ASSERT(0 == mbedtls_cipher_write_tag(&ctx_enc, tag, sizeof(tag)));
#endif

        TEST_ASSERT(total_len == length ||
                    (total_len % block_size == 0 &&
                     total_len > length &&
                     total_len <= length + block_size));

        /* decode the previously encoded string */
        TEST_ASSERT(0 == mbedtls_cipher_update(&ctx_dec, encbuf, total_len, decbuf, &outlen));
        total_len = outlen;

        TEST_ASSERT(total_len == length ||
                    (total_len % block_size == 0 &&
                     total_len < length &&
                     total_len + block_size >= length));

        TEST_ASSERT(0 == mbedtls_cipher_finish(&ctx_dec, decbuf + outlen, &outlen));
        total_len += outlen;

#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
        TEST_ASSERT(0 == mbedtls_cipher_check_tag(&ctx_dec, tag, sizeof(tag)));
#endif

        /* check result */
        TEST_ASSERT(total_len == length);
        TEST_ASSERT(0 == memcmp(inbuf, decbuf, length));
    }

    /*
     * Done
     */
exit:
    mbedtls_cipher_free(&ctx_dec);
    mbedtls_cipher_free(&ctx_enc);
}
/* END_CASE */

/* BEGIN_CASE */
void enc_fail(int cipher_id, int pad_mode, int key_len, int length_val,
              int ret)
{
    size_t length = length_val;
    unsigned char key[32];
    unsigned char iv[16];

    const mbedtls_cipher_info_t *cipher_info;
    mbedtls_cipher_context_t ctx;

    unsigned char inbuf[64];
    unsigned char encbuf[64];

    size_t outlen = 0;

    memset(key, 0, 32);
    memset(iv, 0, 16);

    mbedtls_cipher_init(&ctx);

    memset(inbuf, 5, 64);
    memset(encbuf, 0, 64);

    /* Check and get info structures */
    cipher_info = mbedtls_cipher_info_from_type(cipher_id);
    TEST_ASSERT(NULL != cipher_info);

    /* Initialise context */
    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx, cipher_info));
    TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key, key_len, MBEDTLS_ENCRYPT));
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
    TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
#else
    (void) pad_mode;
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
    TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx, iv, 16));
    TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx));
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
    TEST_ASSERT(0 == mbedtls_cipher_update_ad(&ctx, NULL, 0));
#endif

    /* encode length number of bytes from inbuf */
    TEST_ASSERT(0 == mbedtls_cipher_update(&ctx, inbuf, length, encbuf, &outlen));
    TEST_ASSERT(ret == mbedtls_cipher_finish(&ctx, encbuf + outlen, &outlen));

    /* done */
exit:
    mbedtls_cipher_free(&ctx);
}
/* END_CASE */

/* BEGIN_CASE */
void dec_empty_buf(int cipher,
                   int expected_update_ret,
                   int expected_finish_ret)
{
    unsigned char key[32];
    unsigned char iv[16];
    size_t iv_len = sizeof(iv);

    mbedtls_cipher_context_t ctx_dec;
    const mbedtls_cipher_info_t *cipher_info;

    unsigned char encbuf[64];
    unsigned char decbuf[64];

    size_t outlen = 0;

    memset(key, 0, 32);
    memset(iv, 0, 16);

    mbedtls_cipher_init(&ctx_dec);

    memset(encbuf, 0, 64);
    memset(decbuf, 0, 64);

    /* Initialise context */
    cipher_info = mbedtls_cipher_info_from_type(cipher);
    TEST_ASSERT(NULL != cipher_info);

    if (cipher_info->type == MBEDTLS_CIPHER_CHACHA20 ||
        cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
        iv_len = 12;
    }

    TEST_ASSERT(sizeof(key) * 8 >= cipher_info->key_bitlen);

    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_dec, cipher_info));

    TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx_dec,
                                           key, cipher_info->key_bitlen,
                                           MBEDTLS_DECRYPT));

    TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx_dec, iv, iv_len));

    TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx_dec));

#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
    TEST_ASSERT(0 == mbedtls_cipher_update_ad(&ctx_dec, NULL, 0));
#endif

    /* decode 0-byte string */
    TEST_ASSERT(expected_update_ret ==
                mbedtls_cipher_update(&ctx_dec, encbuf, 0, decbuf, &outlen));
    TEST_ASSERT(0 == outlen);

    if (expected_finish_ret == 0 &&
        (cipher_info->mode == MBEDTLS_MODE_CBC ||
         cipher_info->mode == MBEDTLS_MODE_ECB)) {
        /* Non-CBC and non-ECB ciphers are OK with decrypting empty buffers and
         * return success, not MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED, when
         * decrypting an empty buffer.
         * On the other hand, CBC and ECB ciphers need a full block of input.
         */
        expected_finish_ret = MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
    }

    TEST_ASSERT(expected_finish_ret == mbedtls_cipher_finish(
                    &ctx_dec, decbuf + outlen, &outlen));
    TEST_ASSERT(0 == outlen);

exit:
    mbedtls_cipher_free(&ctx_dec);
}
/* END_CASE */

/* BEGIN_CASE */
void enc_dec_buf_multipart(int cipher_id, int key_len, int first_length_val,
                           int second_length_val, int pad_mode,
                           int first_encrypt_output_len, int second_encrypt_output_len,
                           int first_decrypt_output_len, int second_decrypt_output_len)
{
    size_t first_length = first_length_val;
    size_t second_length = second_length_val;
    size_t length = first_length + second_length;
    size_t block_size, iv_len;
    unsigned char key[32];
    unsigned char iv[16];

    mbedtls_cipher_context_t ctx_dec;
    mbedtls_cipher_context_t ctx_enc;
    const mbedtls_cipher_info_t *cipher_info;

    unsigned char inbuf[64];
    unsigned char encbuf[64];
    unsigned char decbuf[64];

    size_t outlen = 0;
    size_t totaloutlen = 0;

    memset(key, 0, 32);
    memset(iv, 0, 16);

    mbedtls_cipher_init(&ctx_dec);
    mbedtls_cipher_init(&ctx_enc);

    memset(inbuf, 5, 64);
    memset(encbuf, 0, 64);
    memset(decbuf, 0, 64);

    /* Initialise enc and dec contexts */
    cipher_info = mbedtls_cipher_info_from_type(cipher_id);
    TEST_ASSERT(NULL != cipher_info);

    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_dec, cipher_info));
    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_enc, cipher_info));

    TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx_dec, key, key_len, MBEDTLS_DECRYPT));
    TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx_enc, key, key_len, MBEDTLS_ENCRYPT));

#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
    if (-1 != pad_mode) {
        TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx_dec, pad_mode));
        TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx_enc, pad_mode));
    }
#else
    (void) pad_mode;
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */

    if (cipher_info->type == MBEDTLS_CIPHER_CHACHA20 ||
        cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
        iv_len = 12;
    } else {
        iv_len = sizeof(iv);
    }

    TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx_dec, iv, iv_len));
    TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx_enc, iv, iv_len));

    TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx_dec));
    TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx_enc));

#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
    TEST_ASSERT(0 == mbedtls_cipher_update_ad(&ctx_dec, NULL, 0));
    TEST_ASSERT(0 == mbedtls_cipher_update_ad(&ctx_enc, NULL, 0));
#endif

    block_size = mbedtls_cipher_get_block_size(&ctx_enc);
    TEST_ASSERT(block_size != 0);

    /* encode length number of bytes from inbuf */
    TEST_ASSERT(0 == mbedtls_cipher_update(&ctx_enc, inbuf, first_length, encbuf, &outlen));
    TEST_ASSERT((size_t) first_encrypt_output_len == outlen);
    totaloutlen = outlen;
    TEST_ASSERT(0 ==
                mbedtls_cipher_update(&ctx_enc, inbuf + first_length, second_length,
                                      encbuf + totaloutlen,
                                      &outlen));
    TEST_ASSERT((size_t) second_encrypt_output_len == outlen);
    totaloutlen += outlen;
    TEST_ASSERT(totaloutlen == length ||
                (totaloutlen % block_size == 0 &&
                 totaloutlen < length &&
                 totaloutlen + block_size > length));

    TEST_ASSERT(0 == mbedtls_cipher_finish(&ctx_enc, encbuf + totaloutlen, &outlen));
    totaloutlen += outlen;
    TEST_ASSERT(totaloutlen == length ||
                (totaloutlen % block_size == 0 &&
                 totaloutlen > length &&
                 totaloutlen <= length + block_size));

    /* decode the previously encoded string */
    second_length = totaloutlen - first_length;
    TEST_ASSERT(0 == mbedtls_cipher_update(&ctx_dec, encbuf, first_length, decbuf, &outlen));
    TEST_ASSERT((size_t) first_decrypt_output_len == outlen);
    totaloutlen = outlen;
    TEST_ASSERT(0 ==
                mbedtls_cipher_update(&ctx_dec, encbuf + first_length, second_length,
                                      decbuf + totaloutlen,
                                      &outlen));
    TEST_ASSERT((size_t) second_decrypt_output_len == outlen);
    totaloutlen += outlen;

    TEST_ASSERT(totaloutlen == length ||
                (totaloutlen % block_size == 0 &&
                 totaloutlen < length &&
                 totaloutlen + block_size >= length));

    TEST_ASSERT(0 == mbedtls_cipher_finish(&ctx_dec, decbuf + totaloutlen, &outlen));
    totaloutlen += outlen;

    TEST_ASSERT(totaloutlen == length);

    TEST_ASSERT(0 == memcmp(inbuf, decbuf, length));

exit:
    mbedtls_cipher_free(&ctx_dec);
    mbedtls_cipher_free(&ctx_enc);
}
/* END_CASE */

/* BEGIN_CASE */
void decrypt_test_vec(int cipher_id, int pad_mode, data_t *key,
                      data_t *iv, data_t *cipher,
                      data_t *clear, data_t *ad, data_t *tag,
                      int finish_result, int tag_result)
{
    unsigned char output[265];
    mbedtls_cipher_context_t ctx;
    size_t outlen, total_len;

    mbedtls_cipher_init(&ctx);

    memset(output, 0x00, sizeof(output));

#if !defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CHACHAPOLY_C)
    ((void) ad);
    ((void) tag);
#endif

    /* Prepare context */
    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx,
                                          mbedtls_cipher_info_from_type(cipher_id)));
    TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key->x, 8 * key->len, MBEDTLS_DECRYPT));
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
    if (pad_mode != -1) {
        TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
    }
#else
    (void) pad_mode;
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
    TEST_ASSERT(0 == mbedtls_cipher_set_iv(&ctx, iv->x, iv->len));
    TEST_ASSERT(0 == mbedtls_cipher_reset(&ctx));
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
    TEST_ASSERT(0 == mbedtls_cipher_update_ad(&ctx, ad->x, ad->len));
#endif

    /* decode buffer and check tag->x */
    total_len = 0;
    TEST_ASSERT(0 == mbedtls_cipher_update(&ctx, cipher->x, cipher->len, output, &outlen));
    total_len += outlen;
    TEST_ASSERT(finish_result == mbedtls_cipher_finish(&ctx, output + outlen,
                                                       &outlen));
    total_len += outlen;
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
    TEST_ASSERT(tag_result == mbedtls_cipher_check_tag(&ctx, tag->x, tag->len));
#endif

    /* check plaintext only if everything went fine */
    if (0 == finish_result && 0 == tag_result) {
        TEST_ASSERT(total_len == clear->len);
        TEST_ASSERT(0 == memcmp(output, clear->x, clear->len));
    }

exit:
    mbedtls_cipher_free(&ctx);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_AUTH_CRYPT */
void auth_crypt_tv(int cipher_id, data_t *key, data_t *iv,
                   data_t *ad, data_t *cipher, data_t *tag,
                   char *result, data_t *clear, int use_psa)
{
    /*
     * Take an AEAD ciphertext + tag and perform a pair
     * of AEAD decryption and AEAD encryption. Check that
     * this results in the expected plaintext, and that
     * decryption and encryption are inverse to one another.
     *
     * Do that twice:
     * - once with legacy functions auth_decrypt/auth_encrypt
     * - once with new functions auth_decrypt_ext/auth_encrypt_ext
     * This allows testing both without duplicating test cases.
     */

    int ret;
    int using_nist_kw, using_nist_kw_padding;

    mbedtls_cipher_context_t ctx;
    size_t outlen;

    unsigned char *cipher_plus_tag = NULL;
    size_t cipher_plus_tag_len;
    unsigned char *decrypt_buf = NULL;
    size_t decrypt_buf_len = 0;
    unsigned char *encrypt_buf = NULL;
    size_t encrypt_buf_len = 0;

#if !defined(MBEDTLS_DEPRECATED_WARNING) && \
    !defined(MBEDTLS_DEPRECATED_REMOVED)
    unsigned char *tmp_tag    = NULL;
    unsigned char *tmp_cipher = NULL;
    unsigned char *tag_buf = NULL;
#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */

    /* Null pointers are documented as valid for inputs of length 0.
     * The test framework passes non-null pointers, so set them to NULL.
     * key, cipher and tag can't be empty. */
    if (iv->len == 0) {
        iv->x = NULL;
    }
    if (ad->len == 0) {
        ad->x = NULL;
    }
    if (clear->len == 0) {
        clear->x = NULL;
    }

    mbedtls_cipher_init(&ctx);

    /* Initialize PSA Crypto */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (use_psa == 1) {
        PSA_ASSERT(psa_crypto_init());
    }
#else
    (void) use_psa;
#endif

    /*
     * Are we using NIST_KW? with padding?
     */
    using_nist_kw_padding = cipher_id == MBEDTLS_CIPHER_AES_128_KWP ||
                            cipher_id == MBEDTLS_CIPHER_AES_192_KWP ||
                            cipher_id == MBEDTLS_CIPHER_AES_256_KWP;
    using_nist_kw = cipher_id == MBEDTLS_CIPHER_AES_128_KW ||
                    cipher_id == MBEDTLS_CIPHER_AES_192_KW ||
                    cipher_id == MBEDTLS_CIPHER_AES_256_KW ||
                    using_nist_kw_padding;

    /****************************************************************
     *                                                              *
     *  Part 1: non-deprecated API                                  *
     *                                                              *
     ****************************************************************/

    /*
     * Prepare context for decryption
     */
    if (!cipher_reset_key(&ctx, cipher_id, use_psa, tag->len, key,
                          MBEDTLS_DECRYPT)) {
        goto exit;
    }

    /*
     * prepare buffer for decryption
     * (we need the tag appended to the ciphertext)
     */
    cipher_plus_tag_len = cipher->len + tag->len;
    TEST_CALLOC(cipher_plus_tag, cipher_plus_tag_len);
    memcpy(cipher_plus_tag, cipher->x, cipher->len);
    memcpy(cipher_plus_tag + cipher->len, tag->x, tag->len);

    /*
     * Compute length of output buffer according to the documentation
     */
    if (using_nist_kw) {
        decrypt_buf_len = cipher_plus_tag_len - 8;
    } else {
        decrypt_buf_len = cipher_plus_tag_len - tag->len;
    }


    /*
     * Try decrypting to a buffer that's 1B too small
     */
    if (decrypt_buf_len != 0) {
        TEST_CALLOC(decrypt_buf, decrypt_buf_len - 1);

        outlen = 0;
        ret = mbedtls_cipher_auth_decrypt_ext(&ctx, iv->x, iv->len,
                                              ad->x, ad->len, cipher_plus_tag, cipher_plus_tag_len,
                                              decrypt_buf, decrypt_buf_len - 1, &outlen, tag->len);
        TEST_ASSERT(ret == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);

        mbedtls_free(decrypt_buf);
        decrypt_buf = NULL;
    }

    /*
     * Authenticate and decrypt, and check result
     */
    TEST_CALLOC(decrypt_buf, decrypt_buf_len);

    outlen = 0;
    ret = mbedtls_cipher_auth_decrypt_ext(&ctx, iv->x, iv->len,
                                          ad->x, ad->len, cipher_plus_tag, cipher_plus_tag_len,
                                          decrypt_buf, decrypt_buf_len, &outlen, tag->len);

    if (strcmp(result, "FAIL") == 0) {
        TEST_ASSERT(ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED);
        TEST_ASSERT(buffer_is_all_zero(decrypt_buf, decrypt_buf_len));
    } else {
        TEST_ASSERT(ret == 0);
        TEST_MEMORY_COMPARE(decrypt_buf, outlen, clear->x, clear->len);
    }

    /* Free this, but keep cipher_plus_tag for deprecated function with PSA */
    mbedtls_free(decrypt_buf);
    decrypt_buf = NULL;

    /*
     * Encrypt back if test data was authentic
     */
    if (strcmp(result, "FAIL") != 0) {
        /* prepare context for encryption */
        if (!cipher_reset_key(&ctx, cipher_id, use_psa, tag->len, key,
                              MBEDTLS_ENCRYPT)) {
            goto exit;
        }

        /*
         * Compute size of output buffer according to documentation
         */
        if (using_nist_kw) {
            encrypt_buf_len = clear->len + 8;
            if (using_nist_kw_padding && encrypt_buf_len % 8 != 0) {
                encrypt_buf_len += 8 - encrypt_buf_len % 8;
            }
        } else {
            encrypt_buf_len = clear->len + tag->len;
        }

        /*
         * Try encrypting with an output buffer that's 1B too small
         */
        TEST_CALLOC(encrypt_buf, encrypt_buf_len - 1);

        outlen = 0;
        ret = mbedtls_cipher_auth_encrypt_ext(&ctx, iv->x, iv->len,
                                              ad->x, ad->len, clear->x, clear->len,
                                              encrypt_buf, encrypt_buf_len - 1, &outlen, tag->len);
        TEST_ASSERT(ret != 0);

        mbedtls_free(encrypt_buf);
        encrypt_buf = NULL;

        /*
         * Encrypt and check the result
         */
        TEST_CALLOC(encrypt_buf, encrypt_buf_len);

        outlen = 0;
        ret = mbedtls_cipher_auth_encrypt_ext(&ctx, iv->x, iv->len,
                                              ad->x, ad->len, clear->x, clear->len,
                                              encrypt_buf, encrypt_buf_len, &outlen, tag->len);
        TEST_ASSERT(ret == 0);

        TEST_ASSERT(outlen == cipher->len + tag->len);
        TEST_ASSERT(memcmp(encrypt_buf, cipher->x, cipher->len) == 0);
        TEST_ASSERT(memcmp(encrypt_buf + cipher->len,
                           tag->x, tag->len) == 0);

        mbedtls_free(encrypt_buf);
        encrypt_buf = NULL;
    }

    /****************************************************************
     *                                                              *
     *  Part 2: deprecated API                                      *
     *                                                              *
     ****************************************************************/

#if !defined(MBEDTLS_DEPRECATED_WARNING) && \
    !defined(MBEDTLS_DEPRECATED_REMOVED)

    /*
     * Prepare context for decryption
     */
    if (!cipher_reset_key(&ctx, cipher_id, use_psa, tag->len, key,
                          MBEDTLS_DECRYPT)) {
        goto exit;
    }

    /*
     * Prepare pointers for decryption
     */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (use_psa == 1) {
        /* PSA requires that the tag immediately follows the ciphertext.
         * Fortunately, we already have that from testing the new API. */
        tmp_cipher = cipher_plus_tag;
        tmp_tag = tmp_cipher + cipher->len;
    } else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
    {
        tmp_cipher = cipher->x;
        tmp_tag = tag->x;
    }

    /*
     * Authenticate and decrypt, and check result
     */

    TEST_CALLOC(decrypt_buf, cipher->len);
    outlen = 0;
    ret = mbedtls_cipher_auth_decrypt(&ctx, iv->x, iv->len, ad->x, ad->len,
                                      tmp_cipher, cipher->len, decrypt_buf, &outlen,
                                      tmp_tag, tag->len);

    if (using_nist_kw) {
        /* NIST_KW with legacy API */
        TEST_ASSERT(ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
    } else if (strcmp(result, "FAIL") == 0) {
        /* unauthentic message */
        TEST_ASSERT(ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED);
        TEST_ASSERT(buffer_is_all_zero(decrypt_buf, cipher->len));
    } else {
        /* authentic message: is the plaintext correct? */
        TEST_ASSERT(ret == 0);
        TEST_MEMORY_COMPARE(decrypt_buf, outlen, clear->x, clear->len);
    }

    mbedtls_free(decrypt_buf);
    decrypt_buf = NULL;
    mbedtls_free(cipher_plus_tag);
    cipher_plus_tag = NULL;

    /*
     * Encrypt back if test data was authentic
     */
    if (strcmp(result, "FAIL") != 0) {
        /* prepare context for encryption */
        if (!cipher_reset_key(&ctx, cipher_id, use_psa, tag->len, key,
                              MBEDTLS_ENCRYPT)) {
            goto exit;
        }

        /* prepare buffers for encryption */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
        if (use_psa) {
            TEST_CALLOC(cipher_plus_tag, cipher->len + tag->len);
            tmp_cipher = cipher_plus_tag;
            tmp_tag = cipher_plus_tag + cipher->len;
        } else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
        {
            TEST_CALLOC(encrypt_buf, cipher->len);
            TEST_CALLOC(tag_buf, tag->len);
            tmp_cipher = encrypt_buf;
            tmp_tag = tag_buf;
        }

        /*
         * Encrypt and check the result
         */
        outlen = 0;
        ret = mbedtls_cipher_auth_encrypt(&ctx, iv->x, iv->len, ad->x, ad->len,
                                          clear->x, clear->len, tmp_cipher, &outlen,
                                          tmp_tag, tag->len);

        if (using_nist_kw) {
            TEST_ASSERT(ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
        } else {
            TEST_ASSERT(ret == 0);

            TEST_ASSERT(outlen == cipher->len);
            if (cipher->len != 0) {
                TEST_ASSERT(memcmp(tmp_cipher, cipher->x, cipher->len) == 0);
            }
            TEST_ASSERT(memcmp(tmp_tag, tag->x, tag->len) == 0);
        }
    }

#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */

exit:

    mbedtls_cipher_free(&ctx);
    mbedtls_free(decrypt_buf);
    mbedtls_free(encrypt_buf);
    mbedtls_free(cipher_plus_tag);
#if !defined(MBEDTLS_DEPRECATED_WARNING) && \
    !defined(MBEDTLS_DEPRECATED_REMOVED)
    mbedtls_free(tag_buf);
#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */

#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (use_psa == 1) {
        PSA_DONE();
    }
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
/* END_CASE */

/* BEGIN_CASE */
void test_vec_ecb(int cipher_id, int operation, data_t *key,
                  data_t *input, data_t *result, int finish_result
                  )
{
    mbedtls_cipher_context_t ctx;
    unsigned char output[32];
    size_t outlen;

    mbedtls_cipher_init(&ctx);

    memset(output, 0x00, sizeof(output));

    /* Prepare context */
    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx,
                                          mbedtls_cipher_info_from_type(cipher_id)));


    TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key->x, 8 * key->len, operation));

    TEST_ASSERT(0 == mbedtls_cipher_update(&ctx, input->x,
                                           mbedtls_cipher_get_block_size(&ctx),
                                           output, &outlen));
    TEST_ASSERT(outlen == mbedtls_cipher_get_block_size(&ctx));
    TEST_ASSERT(finish_result == mbedtls_cipher_finish(&ctx, output + outlen,
                                                       &outlen));
    TEST_ASSERT(0 == outlen);

    /* check plaintext only if everything went fine */
    if (0 == finish_result) {
        TEST_ASSERT(0 == memcmp(output, result->x,
                                mbedtls_cipher_get_block_size(&ctx)));
    }

exit:
    mbedtls_cipher_free(&ctx);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_WITH_PADDING */
void test_vec_crypt(int cipher_id, int operation, data_t *key,
                    data_t *iv, data_t *input, data_t *result,
                    int finish_result, int use_psa)
{
    mbedtls_cipher_context_t ctx;
    unsigned char output[32];
    size_t outlen;

    mbedtls_cipher_init(&ctx);

    memset(output, 0x00, sizeof(output));

    /* Prepare context */
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
    (void) use_psa;
#else
    if (use_psa == 1) {
        PSA_ASSERT(psa_crypto_init());
        TEST_ASSERT(0 == mbedtls_cipher_setup_psa(&ctx,
                                                  mbedtls_cipher_info_from_type(cipher_id), 0));
    } else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx,
                                          mbedtls_cipher_info_from_type(cipher_id)));

    TEST_ASSERT(0 == mbedtls_cipher_setkey(&ctx, key->x, 8 * key->len, operation));
    if (MBEDTLS_MODE_CBC == ctx.cipher_info->mode) {
        TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, MBEDTLS_PADDING_NONE));
    }

    TEST_ASSERT(finish_result == mbedtls_cipher_crypt(&ctx, iv->len ? iv->x : NULL,
                                                      iv->len, input->x, input->len,
                                                      output, &outlen));
    TEST_ASSERT(result->len == outlen);
    /* check plaintext only if everything went fine */
    if (0 == finish_result) {
        TEST_ASSERT(0 == memcmp(output, result->x, outlen));
    }

exit:
    mbedtls_cipher_free(&ctx);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    PSA_DONE();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_WITH_PADDING */
void set_padding(int cipher_id, int pad_mode, int ret)
{
    const mbedtls_cipher_info_t *cipher_info;
    mbedtls_cipher_context_t ctx;

    mbedtls_cipher_init(&ctx);

    cipher_info = mbedtls_cipher_info_from_type(cipher_id);
    TEST_ASSERT(NULL != cipher_info);
    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx, cipher_info));

    TEST_ASSERT(ret == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));

exit:
    mbedtls_cipher_free(&ctx);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
void check_padding(int pad_mode, data_t *input, int ret, int dlen_check
                   )
{
    mbedtls_cipher_info_t cipher_info;
    mbedtls_cipher_context_t ctx;
    size_t dlen;

    /* build a fake context just for getting access to get_padding */
    mbedtls_cipher_init(&ctx);
    cipher_info.mode = MBEDTLS_MODE_CBC;
    ctx.cipher_info = &cipher_info;

    TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));


    TEST_ASSERT(ret == ctx.get_padding(input->x, input->len, &dlen));
    if (0 == ret) {
        TEST_ASSERT(dlen == (size_t) dlen_check);
    }
}
/* END_CASE */

/* BEGIN_CASE */
void iv_len_validity(int cipher_id, char *cipher_string,
                     int iv_len_val, int ret)
{
    size_t iv_len = iv_len_val;
    unsigned char iv[16];

    /* Initialise iv buffer */
    memset(iv, 0, sizeof(iv));

    const mbedtls_cipher_info_t *cipher_info;
    mbedtls_cipher_context_t ctx_dec;
    mbedtls_cipher_context_t ctx_enc;

    /*
     * Prepare contexts
     */
    mbedtls_cipher_init(&ctx_dec);
    mbedtls_cipher_init(&ctx_enc);

    /* Check and get info structures */
    cipher_info = mbedtls_cipher_info_from_type(cipher_id);
    TEST_ASSERT(NULL != cipher_info);
    TEST_ASSERT(mbedtls_cipher_info_from_string(cipher_string) == cipher_info);

    /* Initialise enc and dec contexts */
    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_dec, cipher_info));
    TEST_ASSERT(0 == mbedtls_cipher_setup(&ctx_enc, cipher_info));

    TEST_ASSERT(ret == mbedtls_cipher_set_iv(&ctx_dec, iv, iv_len));
    TEST_ASSERT(ret == mbedtls_cipher_set_iv(&ctx_enc, iv, iv_len));

exit:
    mbedtls_cipher_free(&ctx_dec);
    mbedtls_cipher_free(&ctx_enc);
}
/* END_CASE */