1 /* mbedTLS GCM test
2 */
3
4 #include <string.h>
5 #include <stdio.h>
6 #include <stdbool.h>
7 #include <esp_system.h>
8 #include "mbedtls/aes.h"
9 #include "mbedtls/gcm.h"
10 #include "unity.h"
11 #include "sdkconfig.h"
12 #include "esp_heap_caps.h"
13 #include "test_utils.h"
14 #include "ccomp_timer.h"
15 #include "sys/param.h"
16
17 #if CONFIG_MBEDTLS_HARDWARE_GCM
18
19 /*
20 Python example code for generating test vectors
21
22 import os, binascii
23 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
24
25 def as_c_array(byte_arr):
26 hex_str = ''
27 for idx, byte in enumerate(byte_arr):
28 hex_str += "0x{:02x}, ".format(byte)
29 bytes_per_line = 8
30 if idx % bytes_per_line == bytes_per_line - 1:
31 hex_str += '\n'
32
33 return hex_str
34
35 key = b'\x44' * 16
36 iv = b'\xEE' * 16
37 data = b'\xAA' * 3200
38 aad = b'\x76' * 16
39
40 aesgcm = AESGCM(key)
41
42 ct = aesgcm.encrypt(iv, data, aad)
43
44 print(as_c_array(ct))
45 */
46
47 TEST_CASE("mbedtls GCM stream test", "[aes-gcm]")
48 {
49
50 const unsigned SZ = 100;
51 mbedtls_gcm_context ctx;
52 uint8_t nonce[16];
53 uint8_t key[16];
54 uint8_t tag[16];
55 mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
56
57 const uint8_t expected_cipher[] = {
58 0x03, 0x92, 0x13, 0x49, 0x1f, 0x1f, 0x24, 0x41,
59 0xe8, 0xeb, 0x89, 0x47, 0x50, 0x0a, 0xce, 0xa3,
60 0xc7, 0x1c, 0x10, 0x70, 0xb0, 0x89, 0x82, 0x5e,
61 0x0f, 0x4a, 0x23, 0xee, 0xd2, 0xfc, 0xff, 0x45,
62 0x61, 0x4c, 0xd1, 0xfb, 0x6d, 0xe2, 0xbe, 0x67,
63 0x6f, 0x94, 0x72, 0xa3, 0xe7, 0x04, 0x99, 0xb3,
64 0x4a, 0x46, 0xf9, 0x2b, 0xaf, 0xac, 0xa9, 0x0e,
65 0x43, 0x7e, 0x8b, 0xc4, 0xbf, 0x49, 0xa4, 0x83,
66 0x9c, 0x31, 0x11, 0x1c, 0x09, 0xac, 0x90, 0xdf,
67 0x00, 0x34, 0x08, 0xe5, 0x70, 0xa3, 0x7e, 0x4b,
68 0x36, 0x48, 0x5a, 0x3f, 0x28, 0xc7, 0x1c, 0xd9,
69 0x1b, 0x1b, 0x49, 0x96, 0xe9, 0x7c, 0xea, 0x54,
70 0x7c, 0x71, 0x29, 0x0d
71 };
72 const uint8_t expected_tag[] = {
73 0x35, 0x1c, 0x21, 0xc6, 0xbc, 0x6b, 0x18, 0x52,
74 0x90, 0xe1, 0xf2, 0x5b, 0xe1, 0xf6, 0x15, 0xee,
75 };
76
77
78 memset(nonce, 0x89, 16);
79 memset(key, 0x56, 16);
80
81 // allocate internal memory
82 uint8_t *chipertext = heap_caps_malloc(SZ, MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
83 uint8_t *plaintext = heap_caps_malloc(SZ, MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
84 uint8_t *decryptedtext = heap_caps_malloc(SZ, MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
85
86 TEST_ASSERT_NOT_NULL(chipertext);
87 TEST_ASSERT_NOT_NULL(plaintext);
88 TEST_ASSERT_NOT_NULL(decryptedtext);
89
90 memset(plaintext, 0xAB, SZ);
91 /* Test that all the end results are the same
92 no matter how many bytes we encrypt each call
93 */
94 for (int bytes_to_process = 16; bytes_to_process < SZ; bytes_to_process = bytes_to_process + 16) {
95 memset(nonce, 0x89, 16);
96 memset(chipertext, 0x0, SZ);
97 memset(decryptedtext, 0x0, SZ);
98 memset(tag, 0x0, 16);
99
100 mbedtls_gcm_init(&ctx);
101 mbedtls_gcm_setkey(&ctx, cipher, key, 128);
102 mbedtls_gcm_starts( &ctx, MBEDTLS_AES_ENCRYPT, nonce, sizeof(nonce), NULL, 0 );
103
104 // Encrypt
105 for (int idx = 0; idx < SZ; idx = idx + bytes_to_process) {
106 // Limit length of last call to avoid exceeding buffer size
107 size_t length = (idx + bytes_to_process > SZ) ? (SZ - idx) : bytes_to_process;
108 mbedtls_gcm_update(&ctx, length, plaintext + idx, chipertext + idx );
109 }
110 mbedtls_gcm_finish( &ctx, tag, sizeof(tag) );
111 TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_cipher, chipertext, SZ);
112 TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_tag, tag, sizeof(tag));
113
114 // Decrypt
115 memset(nonce, 0x89, 16);
116 mbedtls_gcm_free( &ctx );
117 mbedtls_gcm_init(&ctx);
118 mbedtls_gcm_setkey(&ctx, cipher, key, 128);
119 mbedtls_gcm_starts( &ctx, MBEDTLS_AES_DECRYPT, nonce, sizeof(nonce), NULL, 0 );
120
121 for (int idx = 0; idx < SZ; idx = idx + bytes_to_process) {
122 // Limit length of last call to avoid exceeding buffer size
123
124 size_t length = (idx + bytes_to_process > SZ) ? (SZ - idx) : bytes_to_process;
125 mbedtls_gcm_update(&ctx, length, chipertext + idx, decryptedtext + idx );
126 }
127 mbedtls_gcm_finish( &ctx, tag, sizeof(tag) );
128 TEST_ASSERT_EQUAL_HEX8_ARRAY(plaintext, decryptedtext, SZ);
129 mbedtls_gcm_free( &ctx );
130 }
131 free(plaintext);
132 free(chipertext);
133 free(decryptedtext);
134 }
135
136 TEST_CASE("mbedtls AES GCM self-tests", "[aes-gcm]")
137 {
138 TEST_ASSERT_FALSE_MESSAGE(mbedtls_gcm_self_test(1), "AES GCM self-test should pass.");
139 }
140
141 typedef struct {
142 uint8_t *plaintext;
143 size_t plaintext_length;
144 uint32_t output_caps;
145 uint8_t *add_buf;
146 size_t add_length;
147 uint8_t *iv;
148 size_t iv_length;
149 uint8_t *key;
150 size_t key_bits;
151 size_t tag_len;
152 } aes_gcm_test_cfg_t;
153
154 typedef struct {
155 const uint8_t *expected_tag;
156 const uint8_t *ciphertext_last_block; // Last block of the chipertext
157 } aes_gcm_test_expected_res_t;
158
159
160 typedef enum {
161 AES_GCM_TEST_CRYPT_N_TAG,
162 AES_GCM_TEST_START_UPDATE_FINISH,
163 } aes_gcm_test_type_t;
164
aes_gcm_test(aes_gcm_test_cfg_t * cfg,aes_gcm_test_expected_res_t * res,aes_gcm_test_type_t aes_gcm_type)165 static void aes_gcm_test(aes_gcm_test_cfg_t *cfg, aes_gcm_test_expected_res_t *res, aes_gcm_test_type_t aes_gcm_type)
166 {
167 mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
168 mbedtls_gcm_context ctx;
169
170 uint8_t tag_buf_encrypt[16] = {};
171 uint8_t tag_buf_decrypt[16] = {};
172 uint8_t iv_buf[16] = {};
173
174 uint8_t *ciphertext = heap_caps_malloc(cfg->plaintext_length, cfg->output_caps);
175 uint8_t *output = heap_caps_malloc(cfg->plaintext_length, MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
176
177 if (cfg->plaintext_length != 0) {
178 TEST_ASSERT_NOT_NULL(ciphertext);
179 TEST_ASSERT_NOT_NULL(output);
180 }
181
182 memset(ciphertext, 0, cfg->plaintext_length);
183 memset(output, 0, cfg->plaintext_length);
184 memcpy(iv_buf, cfg->iv, cfg->iv_length);
185
186 mbedtls_gcm_init(&ctx);
187 mbedtls_gcm_setkey(&ctx, cipher, cfg->key, cfg->key_bits);
188
189 /* Encrypt and tag */
190 if (aes_gcm_type == AES_GCM_TEST_CRYPT_N_TAG) {
191 mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_AES_ENCRYPT, cfg->plaintext_length, iv_buf, cfg->iv_length, cfg->add_buf, cfg->add_length, cfg->plaintext, ciphertext, cfg->tag_len, tag_buf_encrypt);
192 } else if (aes_gcm_type == AES_GCM_TEST_START_UPDATE_FINISH){
193 TEST_ASSERT(mbedtls_gcm_starts( &ctx, MBEDTLS_AES_ENCRYPT, iv_buf, cfg->iv_length, cfg->add_buf, cfg->add_length) == 0 );
194 TEST_ASSERT(mbedtls_gcm_update( &ctx, cfg->plaintext_length, cfg->plaintext, ciphertext) == 0 );
195 TEST_ASSERT(mbedtls_gcm_finish( &ctx, tag_buf_encrypt, cfg->tag_len) == 0 );
196 }
197 size_t offset = cfg->plaintext_length > 16 ? cfg->plaintext_length - 16 : 0;
198 /* Sanity check: make sure the last ciphertext block matches what we expect to see. */
199 TEST_ASSERT_EQUAL_HEX8_ARRAY(res->ciphertext_last_block, ciphertext + offset, MIN(16, cfg->plaintext_length));
200 TEST_ASSERT_EQUAL_HEX8_ARRAY(res->expected_tag, tag_buf_encrypt, cfg->tag_len);
201
202
203 /* Decrypt and authenticate */
204 if (aes_gcm_type == AES_GCM_TEST_CRYPT_N_TAG) {
205 TEST_ASSERT(mbedtls_gcm_auth_decrypt(&ctx, cfg->plaintext_length, iv_buf, cfg->iv_length, cfg->add_buf, cfg->add_length, res->expected_tag, cfg->tag_len, ciphertext, output) == 0);
206 } else if (aes_gcm_type == AES_GCM_TEST_START_UPDATE_FINISH){
207 TEST_ASSERT(mbedtls_gcm_starts( &ctx, MBEDTLS_AES_DECRYPT, iv_buf, cfg->iv_length, cfg->add_buf, cfg->add_length) == 0 );
208 TEST_ASSERT(mbedtls_gcm_update( &ctx, cfg->plaintext_length, ciphertext, output) == 0 );
209 TEST_ASSERT(mbedtls_gcm_finish( &ctx, tag_buf_decrypt, cfg->tag_len) == 0 );
210
211 /* mbedtls_gcm_auth_decrypt already checks tag so only needed for AES_GCM_TEST_START_UPDATE_FINISH */
212 TEST_ASSERT_EQUAL_HEX8_ARRAY(res->expected_tag, tag_buf_decrypt, cfg->tag_len);
213 }
214
215 TEST_ASSERT_EQUAL_HEX8_ARRAY(cfg->plaintext, output, cfg->plaintext_length);
216
217 free(ciphertext);
218 free(output);
219 }
220
221
222
223 TEST_CASE("mbedtls AES GCM", "[aes-gcm]")
224 {
225 uint8_t iv[16];
226 uint8_t key[16];
227 uint8_t add[30];
228
229 memset(iv, 0xB1, sizeof(iv));
230 memset(key, 0x27, sizeof(key));
231 memset(add, 0x90, sizeof(add));
232
233 size_t length[] = {10, 16, 500, 5000, 12345};
234
235 const uint8_t expected_last_block[][16] = {
236
237 {0x37, 0x99, 0x4b, 0x16, 0x5f, 0x8d, 0x27, 0xb1,
238 0x60, 0x72},
239
240 {0x37, 0x99, 0x4b, 0x16, 0x5f, 0x8d, 0x27, 0xb1,
241 0x60, 0x72, 0x9a, 0x81, 0x8d, 0x3c, 0x69, 0x66},
242
243 {0x9d, 0x7a, 0xac, 0x84,0xe3, 0x70, 0x43, 0x0f,
244 0xa7, 0x83, 0x43, 0xc9, 0x04, 0xf8, 0x7d, 0x48},
245
246 {0xee, 0xfd, 0xab, 0x2a, 0x09, 0x44, 0x41, 0x6a,
247 0x91, 0xb0, 0x74, 0x24, 0xee, 0x35, 0xb1, 0x39},
248
249 {0x51, 0xf7, 0x1f, 0x67, 0x1a, 0x4a, 0x12, 0x37,
250 0x60, 0x3b, 0x68, 0x01, 0x20, 0x4f, 0xf3, 0xd9},
251 };
252
253 const uint8_t expected_tag[][16] = {
254
255 {0x06, 0x4f, 0xb5, 0x91, 0x12, 0x24, 0xb4, 0x24,
256 0x0b, 0xc2, 0x85, 0x59, 0x6a, 0x7c, 0x1f, 0xc9},
257
258 {0x45, 0xc2, 0xa8, 0xfe, 0xff, 0x49, 0x1f, 0x45,
259 0x8e, 0x29, 0x74, 0x41, 0xed, 0x9b, 0x54, 0x28},
260
261 {0xe1, 0xf9, 0x40, 0xfa, 0x29, 0x6f, 0x30, 0xae,
262 0xb6, 0x9b, 0x33, 0xdb, 0x8a, 0xf9, 0x70, 0xc4},
263
264 {0x22, 0xe1, 0x22, 0x34, 0x0c, 0x91, 0x0b, 0xcf,
265 0xa3, 0x42, 0xe0, 0x48, 0xe6, 0xfe, 0x2e, 0x28},
266
267 {0xfb, 0xfe, 0x5a, 0xed, 0x26, 0x5c, 0x5e, 0x66,
268 0x4e, 0xb2, 0x48, 0xce, 0xe9, 0x88, 0x1c, 0xe0},
269 };
270
271 aes_gcm_test_cfg_t cfg = {
272 .output_caps = MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL,
273 .iv = iv,
274 .iv_length = sizeof(iv),
275 .key = key,
276 .key_bits = 8*sizeof(key),
277 .add_buf = add,
278 .add_length = sizeof(add),
279 .tag_len = 16
280 };
281
282 aes_gcm_test_expected_res_t res = {
283 };
284
285 for (int i = 0; i < sizeof(length)/sizeof(length[0]); i++) {
286 printf("Test AES-GCM with plaintext length = %d\n", length[i]);
287 uint8_t *input = heap_caps_malloc(length[i], MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
288 TEST_ASSERT(input != NULL || length[i] == 0);
289 memset(input, 0x36, length[i]);
290
291 cfg.plaintext = input;
292 cfg.plaintext_length = length[i];
293 res.expected_tag = expected_tag[i];
294 res.ciphertext_last_block = expected_last_block[i],
295
296 aes_gcm_test(&cfg, &res, AES_GCM_TEST_CRYPT_N_TAG);
297 aes_gcm_test(&cfg, &res, AES_GCM_TEST_START_UPDATE_FINISH);
298
299 free(input);
300 }
301 }
302
303
304 TEST_CASE("mbedtls AES GCM - Different add messages", "[aes-gcm]")
305 {
306 const unsigned CALL_SZ = 160;
307 uint8_t iv[16];
308 uint8_t key[16];
309 uint8_t *input = heap_caps_malloc(CALL_SZ, MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
310 TEST_ASSERT_NOT_NULL(input);
311
312 memset(input, 0x67, CALL_SZ);
313 memset(iv, 0xA2, sizeof(iv));
314 memset(key, 0x48, sizeof(key));
315
316 const uint8_t expected_last_block[] = {
317 0xcd, 0xb9, 0xad, 0x6f, 0xc9, 0x35, 0x21, 0x0d,
318 0xc9, 0x5d, 0xea, 0xd9, 0xf7, 0x1d, 0x43, 0xed
319 };
320
321 size_t add_len[] = {0, 10, 16, 500, 5000};
322
323 const uint8_t expected_tag[][16] = {
324 {0xe3, 0x91, 0xad, 0x40, 0x96, 0xb7, 0x8c, 0x53,
325 0x4d, 0x15, 0x7d, 0x55, 0x15, 0xdf, 0x10, 0x69},
326
327 {0xc2, 0x38, 0x36, 0xe9, 0x12, 0x72, 0x5b, 0x31,
328 0x0c, 0xde, 0xb5, 0xc9, 0x8c, 0xa3, 0xcb, 0xe7},
329
330 {0x57, 0x10, 0x22, 0x91, 0x65, 0xfa, 0x89, 0xba,
331 0x0a, 0x3e, 0xc1, 0x7c, 0x93, 0x6e, 0x35, 0xac},
332
333 {0x3c, 0x28, 0x03, 0xc2, 0x14, 0x40, 0xec, 0xb6,
334 0x25, 0xfb, 0xdd, 0x55, 0xa0, 0xb2, 0x47, 0x7b},
335
336 {0xfa, 0x66, 0x4a, 0x97, 0x2d, 0x02, 0x32, 0x5b,
337 0x92, 0x94, 0xf1, 0x00, 0x1c, 0xfa, 0xe3, 0x07}
338 };
339
340 aes_gcm_test_cfg_t cfg = {
341 .plaintext = input,
342 .plaintext_length = CALL_SZ,
343 .output_caps = MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL,
344 .iv = iv,
345 .iv_length = sizeof(iv),
346 .key = key,
347 .key_bits = 8*sizeof(key),
348 .tag_len = 16
349 };
350
351 aes_gcm_test_expected_res_t res = {
352 .ciphertext_last_block = expected_last_block,
353 };
354
355 for (int i = 0; i < sizeof(add_len)/sizeof(add_len[0]); i++) {
356 printf("Test AES-GCM with add length = %d\n", add_len[i]);
357 uint8_t *add = heap_caps_malloc(add_len[i], MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
358 TEST_ASSERT(add != NULL || add_len[i] == 0);
359 memset(add, 0x12, add_len[i]);
360
361 cfg.add_buf = add;
362 cfg.add_length = add_len[i];
363 res.expected_tag = expected_tag[i];
364
365 aes_gcm_test(&cfg, &res, AES_GCM_TEST_CRYPT_N_TAG);
366 aes_gcm_test(&cfg, &res, AES_GCM_TEST_START_UPDATE_FINISH);
367
368 free(add);
369 }
370 free(input);
371 }
372
373
374
375 TEST_CASE("mbedtls AES GCM performance, start, update, ret", "[aes-gcm]")
376 {
377 const unsigned CALL_SZ = 16*3200;
378 mbedtls_gcm_context ctx;
379 float elapsed_usec;
380 unsigned char tag_buf[16];
381 mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
382 uint8_t iv[16];
383 uint8_t key[16];
384 uint8_t aad[16];
385
386 memset(iv, 0xEE, 16);
387 memset(key, 0x44, 16);
388 memset(aad, 0x76, 16);
389
390 // allocate internal memory
391 uint8_t *buf = heap_caps_malloc(CALL_SZ, MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
392 TEST_ASSERT_NOT_NULL(buf);
393
394 mbedtls_gcm_init(&ctx);
395 mbedtls_gcm_setkey( &ctx, cipher, key, 128);
396
397 ccomp_timer_start();
398
399 memset(buf, 0xAA, CALL_SZ);
400
401 TEST_ASSERT(mbedtls_gcm_starts( &ctx, MBEDTLS_AES_ENCRYPT, iv, sizeof(iv), aad, sizeof(aad) ) == 0 );
402 TEST_ASSERT(mbedtls_gcm_update( &ctx, CALL_SZ, buf, buf ) == 0 );
403 TEST_ASSERT(mbedtls_gcm_finish( &ctx, tag_buf, 16 ) == 0 );
404
405 elapsed_usec = ccomp_timer_stop();
406
407 /* Sanity check: make sure the last ciphertext block matches
408 what we expect to see.
409 */
410 const uint8_t expected_last_block[] = {
411 0xd4, 0x25, 0x88, 0xd4, 0x32, 0x52, 0x3d, 0x6f,
412 0xae, 0x49, 0x19, 0xb5, 0x95, 0x01, 0xde, 0x7d,
413 };
414
415 const uint8_t expected_tag[] = {
416 0xf5, 0x10, 0x1f, 0x21, 0x5b, 0x07, 0x0d, 0x3f,
417 0xac, 0xc9, 0xd0, 0x42, 0x45, 0xef, 0xc7, 0xfa,
418 };
419
420 TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_last_block, buf + CALL_SZ - 16 , 16);
421 TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_tag, tag_buf, 16);
422
423 free(buf);
424
425 // bytes/usec = MB/sec
426 float mb_sec = CALL_SZ / elapsed_usec;
427 printf("GCM encryption rate %.3fMB/sec\n", mb_sec);
428
429 #ifdef CONFIG_MBEDTLS_HARDWARE_GCM
430 // Don't put a hard limit on software AES performance
431 TEST_PERFORMANCE_GREATER_THAN(AES_GCM_UPDATE_THROUGHPUT_MBSEC, "%.3fMB/sec", mb_sec);
432 #endif
433 }
434
435
436 TEST_CASE("mbedtls AES GCM performance, crypt-and-tag", "[aes-gcm]")
437 {
438 const unsigned CALL_SZ = 16*3200;
439 mbedtls_gcm_context ctx;
440 float elapsed_usec;
441 unsigned char tag_buf[16] = {};
442 mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
443 uint8_t iv[16];
444 uint8_t key[16];
445 uint8_t aad[16];
446
447 memset(iv, 0xEE, 16);
448 memset(key, 0x44, 16);
449 memset(aad, 0x76, 16);
450
451 // allocate internal memory
452 uint8_t *buf = heap_caps_malloc(CALL_SZ, MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
453 TEST_ASSERT_NOT_NULL(buf);
454
455 mbedtls_gcm_init(&ctx);
456 mbedtls_gcm_setkey( &ctx, cipher, key, 128);
457
458 memset(buf, 0xAA, CALL_SZ);
459
460 ccomp_timer_start();
461 mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_AES_ENCRYPT, CALL_SZ, iv, sizeof(iv), aad, sizeof(aad), buf, buf, 16, tag_buf);
462
463 elapsed_usec = ccomp_timer_stop();
464
465 /* Sanity check: make sure the last ciphertext block matches
466 what we expect to see.
467 */
468
469 const uint8_t expected_last_block[] = {
470 0xd4, 0x25, 0x88, 0xd4, 0x32, 0x52, 0x3d, 0x6f,
471 0xae, 0x49, 0x19, 0xb5, 0x95, 0x01, 0xde, 0x7d,
472 };
473
474 const uint8_t expected_tag[] = {
475 0xf5, 0x10, 0x1f, 0x21, 0x5b, 0x07, 0x0d, 0x3f,
476 0xac, 0xc9, 0xd0, 0x42, 0x45, 0xef, 0xc7, 0xfa,
477 };
478
479 TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_last_block, buf + CALL_SZ - 16 , 16);
480 TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_tag, tag_buf, 16);
481
482 free(buf);
483
484 // bytes/usec = MB/sec
485 float mb_sec = CALL_SZ / elapsed_usec;
486 printf("GCM encryption rate %.3fMB/sec\n", mb_sec);
487
488 #ifdef CONFIG_MBEDTLS_HARDWARE_GCM
489 // Don't put a hard limit on software AES performance
490 TEST_PERFORMANCE_GREATER_THAN(AES_GCM_CRYPT_TAG_THROUGHPUT_MBSEC, "%.3fMB/sec", mb_sec);
491 #endif
492 }
493
494 #endif //CONFIG_MBEDTLS_HARDWARE_GCM
495
