add AEAD bad tag tests

JeremiahM37 · JeremiahM37 · commit ca5a9531d9fe · 2026-04-24T16:02:16.000Z
diff --git a/tests/api/test_aes.c b/tests/api/test_aes.c
@@ -4392,6 +4392,72 @@ int test_wc_AesGcmStream_ReinitAfterFinal(void)
     return EXPECT_RESULT();
 } /* END test_wc_AesGcmStream_ReinitAfterFinal */
 
+int test_wc_AesGcmStream_BadAuthTag(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(HAVE_AES_DECRYPT) && \
+    defined(WOLFSSL_AES_128) && defined(WOLFSSL_AESGCM_STREAM)
+    static const byte key[AES_128_KEY_SIZE] = {
+        0xfe,0xff,0xe9,0x92, 0x86,0x65,0x73,0x1c,
+        0x6d,0x6a,0x8f,0x94, 0x67,0x30,0x83,0x08
+    };
+    static const byte iv[GCM_NONCE_MID_SZ] = {
+        0xca,0xfe,0xba,0xbe, 0xfa,0xce,0xdb,0xad,
+        0xde,0xca,0xf8,0x88
+    };
+    static const byte aad[20] = {
+        0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
+        0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
+        0xab,0xad,0xda,0xd2
+    };
+    static const byte plain[16] = {
+        0xd9,0x31,0x32,0x25, 0xf8,0x84,0x06,0xe5,
+        0xa5,0x59,0x09,0xc5, 0xaf,0xf5,0x26,0x9a
+    };
+    Aes enc[1];
+    Aes dec[1];
+    byte ct[sizeof(plain)];
+    byte pt[sizeof(plain)];
+    byte tag[WC_AES_BLOCK_SIZE];
+
+    XMEMSET(enc, 0, sizeof(Aes));
+    XMEMSET(dec, 0, sizeof(Aes));
+    XMEMSET(tag, 0, sizeof(tag));
+
+    ExpectIntEQ(wc_AesInit(enc, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_AesGcmInit(enc, key, sizeof(key), iv, sizeof(iv)), 0);
+    ExpectIntEQ(wc_AesGcmEncryptUpdate(enc, ct, plain, sizeof(plain),
+        aad, sizeof(aad)), 0);
+    ExpectIntEQ(wc_AesGcmEncryptFinal(enc, tag, sizeof(tag)), 0);
+    wc_AesFree(enc);
+
+    tag[0] ^= 0x01;
+
+    ExpectIntEQ(wc_AesInit(dec, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_AesGcmDecryptInit(dec, key, sizeof(key), iv, sizeof(iv)), 0);
+    ExpectIntEQ(wc_AesGcmDecryptUpdate(dec, pt, ct, sizeof(ct),
+        aad, sizeof(aad)), 0);
+    ExpectIntEQ(wc_AesGcmDecryptFinal(dec, tag, sizeof(tag)),
+        WC_NO_ERR_TRACE(AES_GCM_AUTH_E));
+    wc_AesFree(dec);
+
+    tag[0] ^= 0x01;
+    ExpectIntEQ(wc_AesInit(dec, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_AesGcmDecryptInit(dec, key, sizeof(key), iv, sizeof(iv)), 0);
+    {
+        byte bad_aad[sizeof(aad)];
+        XMEMCPY(bad_aad, aad, sizeof(aad));
+        bad_aad[0] ^= 0x01;
+        ExpectIntEQ(wc_AesGcmDecryptUpdate(dec, pt, ct, sizeof(ct),
+            bad_aad, sizeof(bad_aad)), 0);
+    }
+    ExpectIntEQ(wc_AesGcmDecryptFinal(dec, tag, sizeof(tag)),
+        WC_NO_ERR_TRACE(AES_GCM_AUTH_E));
+    wc_AesFree(dec);
+#endif
+    return EXPECT_RESULT();
+}
+
 /*******************************************************************************
  * GMAC
  ******************************************************************************/
diff --git a/tests/api/test_aes.h b/tests/api/test_aes.h
@@ -54,6 +54,7 @@ int test_wc_AesGcmNonStdNonce(void);
 int test_wc_AesGcmStream(void);
 int test_wc_AesGcmStream_MidStreamState(void);
 int test_wc_AesGcmStream_ReinitAfterFinal(void);
+int test_wc_AesGcmStream_BadAuthTag(void);
 int test_wc_AesCcmSetKey(void);
 int test_wc_AesCcmEncryptDecrypt(void);
 int test_wc_AesCcmEncryptDecrypt_InPlace(void);
@@ -133,6 +134,7 @@ int test_wc_CryptoCb_AesGcm_EncryptDecrypt(void);
     TEST_DECL_GROUP("aes", test_wc_AesGcmStream),               \
     TEST_DECL_GROUP("aes", test_wc_AesGcmStream_MidStreamState),  \
     TEST_DECL_GROUP("aes", test_wc_AesGcmStream_ReinitAfterFinal), \
+    TEST_DECL_GROUP("aes", test_wc_AesGcmStream_BadAuthTag),       \
     TEST_DECL_GROUP("aes", test_wc_AesCcmSetKey),               \
     TEST_DECL_GROUP("aes", test_wc_AesCcmEncryptDecrypt),        \
     TEST_DECL_GROUP("aes", test_wc_AesCcmEncryptDecrypt_InPlace),            \
diff --git a/tests/api/test_chacha20_poly1305.c b/tests/api/test_chacha20_poly1305.c
@@ -284,6 +284,68 @@ int test_wc_XChaCha20Poly1305_aead(void)
     return EXPECT_RESULT();
 } /* END test_wc_XChaCha20Poly1305_aead */
 
+int test_wc_XChaCha20Poly1305_BadAuthTag(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_POLY1305) && defined(HAVE_XCHACHA)
+    const byte key[32] = {
+        0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+        0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+        0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+        0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+    };
+    const byte nonce[24] = {
+        0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+        0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+        0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57
+    };
+    const byte plaintext[] = {
+        0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x73
+    };
+    const byte aad[] = {
+        0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3
+    };
+    byte ct[sizeof(plaintext) + 16];
+    byte pt[sizeof(plaintext)];
+    byte ct_bad[sizeof(ct)];
+
+    XMEMSET(ct, 0, sizeof(ct));
+
+    ExpectIntEQ(wc_XChaCha20Poly1305_Encrypt(ct, sizeof(ct),
+        plaintext, sizeof(plaintext), aad, sizeof(aad),
+        nonce, sizeof(nonce), key, sizeof(key)), 0);
+
+    ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct, sizeof(ct),
+        aad, sizeof(aad), nonce, sizeof(nonce), key, sizeof(key)), 0);
+
+    XMEMCPY(ct_bad, ct, sizeof(ct));
+    ct_bad[sizeof(ct) - 1] ^= 0x01;
+    ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct_bad,
+        sizeof(ct_bad), aad, sizeof(aad), nonce, sizeof(nonce),
+        key, sizeof(key)),
+        WC_NO_ERR_TRACE(MAC_CMP_FAILED_E));
+
+    XMEMCPY(ct_bad, ct, sizeof(ct));
+    ct_bad[0] ^= 0x01;
+    ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct_bad,
+        sizeof(ct_bad), aad, sizeof(aad), nonce, sizeof(nonce),
+        key, sizeof(key)),
+        WC_NO_ERR_TRACE(MAC_CMP_FAILED_E));
+
+    {
+        byte aad_bad[sizeof(aad)];
+        XMEMCPY(aad_bad, aad, sizeof(aad));
+        aad_bad[0] ^= 0x01;
+        ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct, sizeof(ct),
+            aad_bad, sizeof(aad_bad), nonce, sizeof(nonce),
+            key, sizeof(key)),
+            WC_NO_ERR_TRACE(MAC_CMP_FAILED_E));
+    }
+#endif
+    return EXPECT_RESULT();
+}
+
 #include <wolfssl/wolfcrypt/random.h>
 
 #define MC_CIPHER_TEST_COUNT     100
diff --git a/tests/api/test_chacha20_poly1305.h b/tests/api/test_chacha20_poly1305.h
@@ -26,6 +26,7 @@
 
 int test_wc_ChaCha20Poly1305_aead(void);
 int test_wc_XChaCha20Poly1305_aead(void);
+int test_wc_XChaCha20Poly1305_BadAuthTag(void);
 int test_wc_ChaCha20Poly1305_MonteCarlo(void);
 int test_wc_ChaCha20Poly1305_Stream(void);
 int test_wc_ChaCha20Poly1305_AeadEdgeCases(void);
@@ -38,6 +39,7 @@ int test_wc_ChaCha20Poly1305_CrossCipher(void);
 #define TEST_CHACHA20_POLY1305_DECLS                                                        \
     TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_aead),                   \
     TEST_DECL_GROUP("xchacha20-poly1305", test_wc_XChaCha20Poly1305_aead),                 \
+    TEST_DECL_GROUP("xchacha20-poly1305", test_wc_XChaCha20Poly1305_BadAuthTag),           \
     TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_MonteCarlo),             \
     TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_Stream),                 \
     TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_AeadEdgeCases),          \
