2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/crypto.h>
11 #include <openssl/aes.h>
12 #include <openssl/rand.h>
19 #define BIG_TEST_SIZE 10240
21 #if BIG_TEST_SIZE < TEST_SIZE
22 #error BIG_TEST_SIZE is smaller than TEST_SIZE
25 static unsigned char rkey[16];
26 static unsigned char rkey2[16];
27 static unsigned char plaintext[BIG_TEST_SIZE];
28 static unsigned char saved_iv[AES_BLOCK_SIZE * 4];
30 #define MAX_VECTOR_SIZE 64
33 const unsigned char key[16];
34 const unsigned char iv[32];
35 const unsigned char in[MAX_VECTOR_SIZE];
36 const unsigned char out[MAX_VECTOR_SIZE];
41 static struct ige_test const ige_test_vectors[] = {
42 {{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
43 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, /* key */
44 {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
45 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
46 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
47 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f}, /* iv */
48 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
49 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
50 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
51 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, /* in */
52 {0x1a, 0x85, 0x19, 0xa6, 0x55, 0x7b, 0xe6, 0x52,
53 0xe9, 0xda, 0x8e, 0x43, 0xda, 0x4e, 0xf4, 0x45,
54 0x3c, 0xf4, 0x56, 0xb4, 0xca, 0x48, 0x8a, 0xa3,
55 0x83, 0xc7, 0x9c, 0x98, 0xb3, 0x47, 0x97, 0xcb}, /* out */
56 32, AES_ENCRYPT}, /* test vector 0 */
58 {{0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
59 0x61, 0x6e, 0x20, 0x69, 0x6d, 0x70, 0x6c, 0x65}, /* key */
60 {0x6d, 0x65, 0x6e, 0x74, 0x61, 0x74, 0x69, 0x6f,
61 0x6e, 0x20, 0x6f, 0x66, 0x20, 0x49, 0x47, 0x45,
62 0x20, 0x6d, 0x6f, 0x64, 0x65, 0x20, 0x66, 0x6f,
63 0x72, 0x20, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53}, /* iv */
64 {0x4c, 0x2e, 0x20, 0x4c, 0x65, 0x74, 0x27, 0x73,
65 0x20, 0x68, 0x6f, 0x70, 0x65, 0x20, 0x42, 0x65,
66 0x6e, 0x20, 0x67, 0x6f, 0x74, 0x20, 0x69, 0x74,
67 0x20, 0x72, 0x69, 0x67, 0x68, 0x74, 0x21, 0x0a}, /* in */
68 {0x99, 0x70, 0x64, 0x87, 0xa1, 0xcd, 0xe6, 0x13,
69 0xbc, 0x6d, 0xe0, 0xb6, 0xf2, 0x4b, 0x1c, 0x7a,
70 0xa4, 0x48, 0xc8, 0xb9, 0xc3, 0x40, 0x3e, 0x34,
71 0x67, 0xa8, 0xca, 0xd8, 0x93, 0x40, 0xf5, 0x3b}, /* out */
72 32, AES_DECRYPT}, /* test vector 1 */
76 const unsigned char key1[32];
77 const unsigned char key2[32];
78 const unsigned char iv[64];
79 const unsigned char in[MAX_VECTOR_SIZE];
80 const unsigned char out[MAX_VECTOR_SIZE];
86 static struct bi_ige_test const bi_ige_test_vectors[] = {
87 {{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
88 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, /* key1 */
89 {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
90 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f}, /* key2 */
91 {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
92 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
93 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
94 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
95 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
96 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
97 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
98 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f}, /* iv */
99 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
100 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
101 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
102 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, /* in */
103 {0x14, 0x40, 0x6f, 0xae, 0xa2, 0x79, 0xf2, 0x56,
104 0x1f, 0x86, 0xeb, 0x3b, 0x7d, 0xff, 0x53, 0xdc,
105 0x4e, 0x27, 0x0c, 0x03, 0xde, 0x7c, 0xe5, 0x16,
106 0x6a, 0x9c, 0x20, 0x33, 0x9d, 0x33, 0xfe, 0x12}, /* out */
107 16, 32, AES_ENCRYPT}, /* test vector 0 */
108 {{0x58, 0x0a, 0x06, 0xe9, 0x97, 0x07, 0x59, 0x5c,
109 0x9e, 0x19, 0xd2, 0xa7, 0xbb, 0x40, 0x2b, 0x7a,
110 0xc7, 0xd8, 0x11, 0x9e, 0x4c, 0x51, 0x35, 0x75,
111 0x64, 0x28, 0x0f, 0x23, 0xad, 0x74, 0xac, 0x37}, /* key1 */
112 {0xd1, 0x80, 0xa0, 0x31, 0x47, 0xa3, 0x11, 0x13,
113 0x86, 0x26, 0x9e, 0x6d, 0xff, 0xaf, 0x72, 0x74,
114 0x5b, 0xa2, 0x35, 0x81, 0xd2, 0xa6, 0x3d, 0x21,
115 0x67, 0x7b, 0x58, 0xa8, 0x18, 0xf9, 0x72, 0xe4}, /* key2 */
116 {0x80, 0x3d, 0xbd, 0x4c, 0xe6, 0x7b, 0x06, 0xa9,
117 0x53, 0x35, 0xd5, 0x7e, 0x71, 0xc1, 0x70, 0x70,
118 0x74, 0x9a, 0x00, 0x28, 0x0c, 0xbf, 0x6c, 0x42,
119 0x9b, 0xa4, 0xdd, 0x65, 0x11, 0x77, 0x7c, 0x67,
120 0xfe, 0x76, 0x0a, 0xf0, 0xd5, 0xc6, 0x6e, 0x6a,
121 0xe7, 0x5e, 0x4c, 0xf2, 0x7e, 0x9e, 0xf9, 0x20,
122 0x0e, 0x54, 0x6f, 0x2d, 0x8a, 0x8d, 0x7e, 0xbd,
123 0x48, 0x79, 0x37, 0x99, 0xff, 0x27, 0x93, 0xa3}, /* iv */
124 {0xf1, 0x54, 0x3d, 0xca, 0xfe, 0xb5, 0xef, 0x1c,
125 0x4f, 0xa6, 0x43, 0xf6, 0xe6, 0x48, 0x57, 0xf0,
126 0xee, 0x15, 0x7f, 0xe3, 0xe7, 0x2f, 0xd0, 0x2f,
127 0x11, 0x95, 0x7a, 0x17, 0x00, 0xab, 0xa7, 0x0b,
128 0xbe, 0x44, 0x09, 0x9c, 0xcd, 0xac, 0xa8, 0x52,
129 0xa1, 0x8e, 0x7b, 0x75, 0xbc, 0xa4, 0x92, 0x5a,
130 0xab, 0x46, 0xd3, 0x3a, 0xa0, 0xd5, 0x35, 0x1c,
131 0x55, 0xa4, 0xb3, 0xa8, 0x40, 0x81, 0xa5, 0x0b}, /* in */
132 {0x42, 0xe5, 0x28, 0x30, 0x31, 0xc2, 0xa0, 0x23,
133 0x68, 0x49, 0x4e, 0xb3, 0x24, 0x59, 0x92, 0x79,
134 0xc1, 0xa5, 0xcc, 0xe6, 0x76, 0x53, 0xb1, 0xcf,
135 0x20, 0x86, 0x23, 0xe8, 0x72, 0x55, 0x99, 0x92,
136 0x0d, 0x16, 0x1c, 0x5a, 0x2f, 0xce, 0xcb, 0x51,
137 0xe2, 0x67, 0xfa, 0x10, 0xec, 0xcd, 0x3d, 0x67,
138 0xa5, 0xe6, 0xf7, 0x31, 0x26, 0xb0, 0x0d, 0x76,
139 0x5e, 0x28, 0xdc, 0x7f, 0x01, 0xc5, 0xa5, 0x4c}, /* out */
140 32, 64, AES_ENCRYPT}, /* test vector 1 */
144 static int test_ige_vectors(int n)
146 const struct ige_test *const v = &ige_test_vectors[n];
148 unsigned char buf[MAX_VECTOR_SIZE];
149 unsigned char iv[AES_BLOCK_SIZE * 2];
152 if (!TEST_int_le(v->length, MAX_VECTOR_SIZE))
155 if (v->encrypt == AES_ENCRYPT)
156 AES_set_encrypt_key(v->key, 8 * sizeof v->key, &key);
158 AES_set_decrypt_key(v->key, 8 * sizeof v->key, &key);
159 memcpy(iv, v->iv, sizeof iv);
160 AES_ige_encrypt(v->in, buf, v->length, &key, iv, v->encrypt);
162 if (!TEST_mem_eq(v->out, v->length, buf, v->length)) {
163 TEST_info("IGE test vector %d failed", n);
164 test_output_memory("key", v->key, sizeof v->key);
165 test_output_memory("iv", v->iv, sizeof v->iv);
166 test_output_memory("in", v->in, v->length);
170 /* try with in == out */
171 memcpy(iv, v->iv, sizeof iv);
172 memcpy(buf, v->in, v->length);
173 AES_ige_encrypt(buf, buf, v->length, &key, iv, v->encrypt);
175 if (!TEST_mem_eq(v->out, v->length, buf, v->length)) {
176 TEST_info("IGE test vector %d failed (with in == out)", n);
177 test_output_memory("key", v->key, sizeof v->key);
178 test_output_memory("iv", v->iv, sizeof v->iv);
179 test_output_memory("in", v->in, v->length);
186 static int test_bi_ige_vectors(int n)
188 const struct bi_ige_test *const v = &bi_ige_test_vectors[n];
191 unsigned char buf[MAX_VECTOR_SIZE];
193 if (!TEST_int_le(v->length, MAX_VECTOR_SIZE))
196 if (v->encrypt == AES_ENCRYPT) {
197 AES_set_encrypt_key(v->key1, 8 * v->keysize, &key1);
198 AES_set_encrypt_key(v->key2, 8 * v->keysize, &key2);
200 AES_set_decrypt_key(v->key1, 8 * v->keysize, &key1);
201 AES_set_decrypt_key(v->key2, 8 * v->keysize, &key2);
204 AES_bi_ige_encrypt(v->in, buf, v->length, &key1, &key2, v->iv,
207 if (!TEST_mem_eq(v->out, v->length, buf, v->length)) {
208 test_output_memory("key 1", v->key1, sizeof v->key1);
209 test_output_memory("key 2", v->key2, sizeof v->key2);
210 test_output_memory("iv", v->iv, sizeof v->iv);
211 test_output_memory("in", v->in, v->length);
218 static int test_ige_enc_dec(void)
221 unsigned char iv[AES_BLOCK_SIZE * 4];
222 unsigned char ciphertext[BIG_TEST_SIZE];
223 unsigned char checktext[BIG_TEST_SIZE];
225 memcpy(iv, saved_iv, sizeof iv);
226 AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key);
227 AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE, &key, iv, AES_ENCRYPT);
229 AES_set_decrypt_key(rkey, 8 * sizeof rkey, &key);
230 memcpy(iv, saved_iv, sizeof iv);
231 AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv, AES_DECRYPT);
233 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
236 static int test_ige_enc_chaining(void)
239 unsigned char iv[AES_BLOCK_SIZE * 4];
240 unsigned char ciphertext[BIG_TEST_SIZE];
241 unsigned char checktext[BIG_TEST_SIZE];
243 AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key);
244 memcpy(iv, saved_iv, sizeof iv);
245 AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE / 2, &key, iv,
247 AES_ige_encrypt(plaintext + TEST_SIZE / 2,
248 ciphertext + TEST_SIZE / 2, TEST_SIZE / 2,
249 &key, iv, AES_ENCRYPT);
251 AES_set_decrypt_key(rkey, 8 * sizeof rkey, &key);
252 memcpy(iv, saved_iv, sizeof iv);
253 AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv, AES_DECRYPT);
255 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
258 static int test_ige_dec_chaining(void)
261 unsigned char iv[AES_BLOCK_SIZE * 4];
262 unsigned char ciphertext[BIG_TEST_SIZE];
263 unsigned char checktext[BIG_TEST_SIZE];
265 AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key);
266 memcpy(iv, saved_iv, sizeof iv);
267 AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE / 2, &key, iv,
269 AES_ige_encrypt(plaintext + TEST_SIZE / 2,
270 ciphertext + TEST_SIZE / 2, TEST_SIZE / 2,
271 &key, iv, AES_ENCRYPT);
273 AES_set_decrypt_key(rkey, 8 * sizeof rkey, &key);
274 memcpy(iv, saved_iv, sizeof iv);
275 AES_ige_encrypt(ciphertext, checktext, TEST_SIZE / 2, &key, iv,
277 AES_ige_encrypt(ciphertext + TEST_SIZE / 2,
278 checktext + TEST_SIZE / 2, TEST_SIZE / 2, &key, iv,
281 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
284 static int test_ige_garble_forwards(void)
287 unsigned char iv[AES_BLOCK_SIZE * 4];
288 unsigned char ciphertext[BIG_TEST_SIZE];
289 unsigned char checktext[BIG_TEST_SIZE];
292 const size_t ctsize = sizeof(checktext);
295 AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key);
296 memcpy(iv, saved_iv, sizeof iv);
297 AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
300 /* corrupt halfway through */
301 ++ciphertext[sizeof ciphertext / 2];
302 AES_set_decrypt_key(rkey, 8 * sizeof rkey, &key);
303 memcpy(iv, saved_iv, sizeof iv);
304 AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
308 for (n = 0; n < sizeof checktext; ++n)
309 if (checktext[n] == plaintext[n])
312 /* Fail if there is more than 51% matching bytes */
313 if (!TEST_size_t_le(matches, ctsize / 2 + ctsize / 100))
316 /* Fail if the garble goes backwards */
317 if (!TEST_size_t_gt(matches, ctsize / 2))
322 static int test_bi_ige_enc_dec(void)
325 unsigned char iv[AES_BLOCK_SIZE * 4];
326 unsigned char ciphertext[BIG_TEST_SIZE];
327 unsigned char checktext[BIG_TEST_SIZE];
329 memcpy(iv, saved_iv, sizeof iv);
330 AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key);
331 AES_set_encrypt_key(rkey2, 8 * sizeof rkey2, &key2);
332 AES_bi_ige_encrypt(plaintext, ciphertext, TEST_SIZE, &key, &key2, iv,
335 AES_set_decrypt_key(rkey, 8 * sizeof rkey, &key);
336 AES_set_decrypt_key(rkey2, 8 * sizeof rkey2, &key2);
337 AES_bi_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, &key2, iv,
340 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
343 static int test_bi_ige_garble1(void)
346 unsigned char iv[AES_BLOCK_SIZE * 4];
347 unsigned char ciphertext[BIG_TEST_SIZE];
348 unsigned char checktext[BIG_TEST_SIZE];
352 memcpy(iv, saved_iv, sizeof iv);
353 AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key);
354 AES_set_encrypt_key(rkey2, 8 * sizeof rkey2, &key2);
355 AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
358 /* corrupt halfway through */
359 ++ciphertext[sizeof ciphertext / 2];
360 AES_set_decrypt_key(rkey, 8 * sizeof rkey, &key);
361 AES_set_decrypt_key(rkey2, 8 * sizeof rkey2, &key2);
362 AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
366 for (n = 0; n < sizeof checktext; ++n)
367 if (checktext[n] == plaintext[n])
370 /* Fail if there is more than 1% matching bytes */
371 return TEST_size_t_le(matches, sizeof checktext / 100);
374 static int test_bi_ige_garble2(void)
377 unsigned char iv[AES_BLOCK_SIZE * 4];
378 unsigned char ciphertext[BIG_TEST_SIZE];
379 unsigned char checktext[BIG_TEST_SIZE];
383 memcpy(iv, saved_iv, sizeof iv);
384 AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key);
385 AES_set_encrypt_key(rkey2, 8 * sizeof rkey2, &key2);
386 AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
389 /* corrupt right at the end */
390 ++ciphertext[sizeof ciphertext - 1];
391 AES_set_decrypt_key(rkey, 8 * sizeof rkey, &key);
392 AES_set_decrypt_key(rkey2, 8 * sizeof rkey2, &key2);
393 AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
397 for (n = 0; n < sizeof checktext; ++n)
398 if (checktext[n] == plaintext[n])
401 /* Fail if there is more than 1% matching bytes */
402 return TEST_size_t_le(matches, sizeof checktext / 100);
405 static int test_bi_ige_garble3(void)
408 unsigned char iv[AES_BLOCK_SIZE * 4];
409 unsigned char ciphertext[BIG_TEST_SIZE];
410 unsigned char checktext[BIG_TEST_SIZE];
414 memcpy(iv, saved_iv, sizeof iv);
415 AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key);
416 AES_set_encrypt_key(rkey2, 8 * sizeof rkey2, &key2);
417 AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
420 /* corrupt right at the start */
422 AES_set_decrypt_key(rkey, 8 * sizeof rkey, &key);
423 AES_set_decrypt_key(rkey2, 8 * sizeof rkey2, &key2);
424 AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
428 for (n = 0; n < sizeof checktext; ++n)
429 if (checktext[n] == plaintext[n])
432 /* Fail if there is more than 1% matching bytes */
433 return TEST_size_t_le(matches, sizeof checktext / 100);
436 void register_tests(void)
438 RAND_bytes(rkey, sizeof rkey);
439 RAND_bytes(rkey2, sizeof rkey2);
440 RAND_bytes(plaintext, sizeof plaintext);
441 RAND_bytes(saved_iv, sizeof saved_iv);
443 ADD_TEST(test_ige_enc_dec);
444 ADD_TEST(test_ige_enc_chaining);
445 ADD_TEST(test_ige_dec_chaining);
446 ADD_TEST(test_ige_garble_forwards);
447 ADD_TEST(test_bi_ige_enc_dec);
448 ADD_TEST(test_bi_ige_garble1);
449 ADD_TEST(test_bi_ige_garble2);
450 ADD_TEST(test_bi_ige_garble3);
451 ADD_ALL_TESTS(test_ige_vectors, OSSL_NELEM(ige_test_vectors));
452 ADD_ALL_TESTS(test_bi_ige_vectors, OSSL_NELEM(bi_ige_test_vectors));