2 * Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/crypto.h>
11 #include <openssl/aes.h>
12 #include <openssl/rand.h>
15 #include "internal/nelem.h"
20 # define TEST_SIZE 128
21 # define BIG_TEST_SIZE 10240
23 # if BIG_TEST_SIZE < TEST_SIZE
24 # error BIG_TEST_SIZE is smaller than TEST_SIZE
27 static unsigned char rkey[16];
28 static unsigned char rkey2[16];
29 static unsigned char plaintext[BIG_TEST_SIZE];
30 static unsigned char saved_iv[AES_BLOCK_SIZE * 4];
32 # define MAX_VECTOR_SIZE 64
35 const unsigned char key[16];
36 const unsigned char iv[32];
37 const unsigned char in[MAX_VECTOR_SIZE];
38 const unsigned char out[MAX_VECTOR_SIZE];
43 static struct ige_test const ige_test_vectors[] = {
44 {{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
45 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, /* key */
46 {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
47 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
48 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
49 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f}, /* iv */
50 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
51 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
52 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
53 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, /* in */
54 {0x1a, 0x85, 0x19, 0xa6, 0x55, 0x7b, 0xe6, 0x52,
55 0xe9, 0xda, 0x8e, 0x43, 0xda, 0x4e, 0xf4, 0x45,
56 0x3c, 0xf4, 0x56, 0xb4, 0xca, 0x48, 0x8a, 0xa3,
57 0x83, 0xc7, 0x9c, 0x98, 0xb3, 0x47, 0x97, 0xcb}, /* out */
58 32, AES_ENCRYPT}, /* test vector 0 */
60 {{0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
61 0x61, 0x6e, 0x20, 0x69, 0x6d, 0x70, 0x6c, 0x65}, /* key */
62 {0x6d, 0x65, 0x6e, 0x74, 0x61, 0x74, 0x69, 0x6f,
63 0x6e, 0x20, 0x6f, 0x66, 0x20, 0x49, 0x47, 0x45,
64 0x20, 0x6d, 0x6f, 0x64, 0x65, 0x20, 0x66, 0x6f,
65 0x72, 0x20, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53}, /* iv */
66 {0x4c, 0x2e, 0x20, 0x4c, 0x65, 0x74, 0x27, 0x73,
67 0x20, 0x68, 0x6f, 0x70, 0x65, 0x20, 0x42, 0x65,
68 0x6e, 0x20, 0x67, 0x6f, 0x74, 0x20, 0x69, 0x74,
69 0x20, 0x72, 0x69, 0x67, 0x68, 0x74, 0x21, 0x0a}, /* in */
70 {0x99, 0x70, 0x64, 0x87, 0xa1, 0xcd, 0xe6, 0x13,
71 0xbc, 0x6d, 0xe0, 0xb6, 0xf2, 0x4b, 0x1c, 0x7a,
72 0xa4, 0x48, 0xc8, 0xb9, 0xc3, 0x40, 0x3e, 0x34,
73 0x67, 0xa8, 0xca, 0xd8, 0x93, 0x40, 0xf5, 0x3b}, /* out */
74 32, AES_DECRYPT}, /* test vector 1 */
78 const unsigned char key1[32];
79 const unsigned char key2[32];
80 const unsigned char iv[64];
81 const unsigned char in[MAX_VECTOR_SIZE];
82 const unsigned char out[MAX_VECTOR_SIZE];
88 static struct bi_ige_test const bi_ige_test_vectors[] = {
89 {{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
90 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, /* key1 */
91 {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
92 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f}, /* key2 */
93 {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
94 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
95 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
96 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
97 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
98 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
99 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
100 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f}, /* iv */
101 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
102 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
103 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
104 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, /* in */
105 {0x14, 0x40, 0x6f, 0xae, 0xa2, 0x79, 0xf2, 0x56,
106 0x1f, 0x86, 0xeb, 0x3b, 0x7d, 0xff, 0x53, 0xdc,
107 0x4e, 0x27, 0x0c, 0x03, 0xde, 0x7c, 0xe5, 0x16,
108 0x6a, 0x9c, 0x20, 0x33, 0x9d, 0x33, 0xfe, 0x12}, /* out */
109 16, 32, AES_ENCRYPT}, /* test vector 0 */
110 {{0x58, 0x0a, 0x06, 0xe9, 0x97, 0x07, 0x59, 0x5c,
111 0x9e, 0x19, 0xd2, 0xa7, 0xbb, 0x40, 0x2b, 0x7a,
112 0xc7, 0xd8, 0x11, 0x9e, 0x4c, 0x51, 0x35, 0x75,
113 0x64, 0x28, 0x0f, 0x23, 0xad, 0x74, 0xac, 0x37}, /* key1 */
114 {0xd1, 0x80, 0xa0, 0x31, 0x47, 0xa3, 0x11, 0x13,
115 0x86, 0x26, 0x9e, 0x6d, 0xff, 0xaf, 0x72, 0x74,
116 0x5b, 0xa2, 0x35, 0x81, 0xd2, 0xa6, 0x3d, 0x21,
117 0x67, 0x7b, 0x58, 0xa8, 0x18, 0xf9, 0x72, 0xe4}, /* key2 */
118 {0x80, 0x3d, 0xbd, 0x4c, 0xe6, 0x7b, 0x06, 0xa9,
119 0x53, 0x35, 0xd5, 0x7e, 0x71, 0xc1, 0x70, 0x70,
120 0x74, 0x9a, 0x00, 0x28, 0x0c, 0xbf, 0x6c, 0x42,
121 0x9b, 0xa4, 0xdd, 0x65, 0x11, 0x77, 0x7c, 0x67,
122 0xfe, 0x76, 0x0a, 0xf0, 0xd5, 0xc6, 0x6e, 0x6a,
123 0xe7, 0x5e, 0x4c, 0xf2, 0x7e, 0x9e, 0xf9, 0x20,
124 0x0e, 0x54, 0x6f, 0x2d, 0x8a, 0x8d, 0x7e, 0xbd,
125 0x48, 0x79, 0x37, 0x99, 0xff, 0x27, 0x93, 0xa3}, /* iv */
126 {0xf1, 0x54, 0x3d, 0xca, 0xfe, 0xb5, 0xef, 0x1c,
127 0x4f, 0xa6, 0x43, 0xf6, 0xe6, 0x48, 0x57, 0xf0,
128 0xee, 0x15, 0x7f, 0xe3, 0xe7, 0x2f, 0xd0, 0x2f,
129 0x11, 0x95, 0x7a, 0x17, 0x00, 0xab, 0xa7, 0x0b,
130 0xbe, 0x44, 0x09, 0x9c, 0xcd, 0xac, 0xa8, 0x52,
131 0xa1, 0x8e, 0x7b, 0x75, 0xbc, 0xa4, 0x92, 0x5a,
132 0xab, 0x46, 0xd3, 0x3a, 0xa0, 0xd5, 0x35, 0x1c,
133 0x55, 0xa4, 0xb3, 0xa8, 0x40, 0x81, 0xa5, 0x0b}, /* in */
134 {0x42, 0xe5, 0x28, 0x30, 0x31, 0xc2, 0xa0, 0x23,
135 0x68, 0x49, 0x4e, 0xb3, 0x24, 0x59, 0x92, 0x79,
136 0xc1, 0xa5, 0xcc, 0xe6, 0x76, 0x53, 0xb1, 0xcf,
137 0x20, 0x86, 0x23, 0xe8, 0x72, 0x55, 0x99, 0x92,
138 0x0d, 0x16, 0x1c, 0x5a, 0x2f, 0xce, 0xcb, 0x51,
139 0xe2, 0x67, 0xfa, 0x10, 0xec, 0xcd, 0x3d, 0x67,
140 0xa5, 0xe6, 0xf7, 0x31, 0x26, 0xb0, 0x0d, 0x76,
141 0x5e, 0x28, 0xdc, 0x7f, 0x01, 0xc5, 0xa5, 0x4c}, /* out */
142 32, 64, AES_ENCRYPT}, /* test vector 1 */
146 static int test_ige_vectors(int n)
148 const struct ige_test *const v = &ige_test_vectors[n];
150 unsigned char buf[MAX_VECTOR_SIZE];
151 unsigned char iv[AES_BLOCK_SIZE * 2];
154 if (!TEST_int_le(v->length, MAX_VECTOR_SIZE))
157 if (v->encrypt == AES_ENCRYPT)
158 AES_set_encrypt_key(v->key, 8 * sizeof(v->key), &key);
160 AES_set_decrypt_key(v->key, 8 * sizeof(v->key), &key);
161 memcpy(iv, v->iv, sizeof(iv));
162 AES_ige_encrypt(v->in, buf, v->length, &key, iv, v->encrypt);
164 if (!TEST_mem_eq(v->out, v->length, buf, v->length)) {
165 TEST_info("IGE test vector %d failed", n);
166 test_output_memory("key", v->key, sizeof(v->key));
167 test_output_memory("iv", v->iv, sizeof(v->iv));
168 test_output_memory("in", v->in, v->length);
172 /* try with in == out */
173 memcpy(iv, v->iv, sizeof(iv));
174 memcpy(buf, v->in, v->length);
175 AES_ige_encrypt(buf, buf, v->length, &key, iv, v->encrypt);
177 if (!TEST_mem_eq(v->out, v->length, buf, v->length)) {
178 TEST_info("IGE test vector %d failed (with in == out)", n);
179 test_output_memory("key", v->key, sizeof(v->key));
180 test_output_memory("iv", v->iv, sizeof(v->iv));
181 test_output_memory("in", v->in, v->length);
188 static int test_bi_ige_vectors(int n)
190 const struct bi_ige_test *const v = &bi_ige_test_vectors[n];
193 unsigned char buf[MAX_VECTOR_SIZE];
195 if (!TEST_int_le(v->length, MAX_VECTOR_SIZE))
198 if (v->encrypt == AES_ENCRYPT) {
199 AES_set_encrypt_key(v->key1, 8 * v->keysize, &key1);
200 AES_set_encrypt_key(v->key2, 8 * v->keysize, &key2);
202 AES_set_decrypt_key(v->key1, 8 * v->keysize, &key1);
203 AES_set_decrypt_key(v->key2, 8 * v->keysize, &key2);
206 AES_bi_ige_encrypt(v->in, buf, v->length, &key1, &key2, v->iv,
209 if (!TEST_mem_eq(v->out, v->length, buf, v->length)) {
210 test_output_memory("key 1", v->key1, sizeof(v->key1));
211 test_output_memory("key 2", v->key2, sizeof(v->key2));
212 test_output_memory("iv", v->iv, sizeof(v->iv));
213 test_output_memory("in", v->in, v->length);
220 static int test_ige_enc_dec(void)
223 unsigned char iv[AES_BLOCK_SIZE * 4];
224 unsigned char ciphertext[BIG_TEST_SIZE];
225 unsigned char checktext[BIG_TEST_SIZE];
227 memcpy(iv, saved_iv, sizeof(iv));
228 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
229 AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE, &key, iv, AES_ENCRYPT);
231 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
232 memcpy(iv, saved_iv, sizeof(iv));
233 AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv, AES_DECRYPT);
235 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
238 static int test_ige_enc_chaining(void)
241 unsigned char iv[AES_BLOCK_SIZE * 4];
242 unsigned char ciphertext[BIG_TEST_SIZE];
243 unsigned char checktext[BIG_TEST_SIZE];
245 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
246 memcpy(iv, saved_iv, sizeof(iv));
247 AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE / 2, &key, iv,
249 AES_ige_encrypt(plaintext + TEST_SIZE / 2,
250 ciphertext + TEST_SIZE / 2, TEST_SIZE / 2,
251 &key, iv, AES_ENCRYPT);
253 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
254 memcpy(iv, saved_iv, sizeof(iv));
255 AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv, AES_DECRYPT);
257 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
260 static int test_ige_dec_chaining(void)
263 unsigned char iv[AES_BLOCK_SIZE * 4];
264 unsigned char ciphertext[BIG_TEST_SIZE];
265 unsigned char checktext[BIG_TEST_SIZE];
267 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
268 memcpy(iv, saved_iv, sizeof(iv));
269 AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE / 2, &key, iv,
271 AES_ige_encrypt(plaintext + TEST_SIZE / 2,
272 ciphertext + TEST_SIZE / 2, TEST_SIZE / 2,
273 &key, iv, AES_ENCRYPT);
275 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
276 memcpy(iv, saved_iv, sizeof(iv));
277 AES_ige_encrypt(ciphertext, checktext, TEST_SIZE / 2, &key, iv,
279 AES_ige_encrypt(ciphertext + TEST_SIZE / 2,
280 checktext + TEST_SIZE / 2, TEST_SIZE / 2, &key, iv,
283 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
286 static int test_ige_garble_forwards(void)
289 unsigned char iv[AES_BLOCK_SIZE * 4];
290 unsigned char ciphertext[BIG_TEST_SIZE];
291 unsigned char checktext[BIG_TEST_SIZE];
294 const size_t ctsize = sizeof(checktext);
297 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
298 memcpy(iv, saved_iv, sizeof(iv));
299 AES_ige_encrypt(plaintext, ciphertext, sizeof(plaintext), &key, iv,
302 /* corrupt halfway through */
303 ++ciphertext[sizeof(ciphertext) / 2];
304 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
305 memcpy(iv, saved_iv, sizeof(iv));
306 AES_ige_encrypt(ciphertext, checktext, sizeof(checktext), &key, iv,
310 for (n = 0; n < sizeof(checktext); ++n)
311 if (checktext[n] == plaintext[n])
314 /* Fail if there is more than 51% matching bytes */
315 if (!TEST_size_t_le(matches, ctsize / 2 + ctsize / 100))
318 /* Fail if the garble goes backwards */
319 if (!TEST_size_t_gt(matches, ctsize / 2))
324 static int test_bi_ige_enc_dec(void)
327 unsigned char iv[AES_BLOCK_SIZE * 4];
328 unsigned char ciphertext[BIG_TEST_SIZE];
329 unsigned char checktext[BIG_TEST_SIZE];
331 memcpy(iv, saved_iv, sizeof(iv));
332 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
333 AES_set_encrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
334 AES_bi_ige_encrypt(plaintext, ciphertext, TEST_SIZE, &key, &key2, iv,
337 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
338 AES_set_decrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
339 AES_bi_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, &key2, iv,
342 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
345 static int test_bi_ige_garble1(void)
348 unsigned char iv[AES_BLOCK_SIZE * 4];
349 unsigned char ciphertext[BIG_TEST_SIZE];
350 unsigned char checktext[BIG_TEST_SIZE];
354 memcpy(iv, saved_iv, sizeof(iv));
355 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
356 AES_set_encrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
357 AES_ige_encrypt(plaintext, ciphertext, sizeof(plaintext), &key, iv,
360 /* corrupt halfway through */
361 ++ciphertext[sizeof(ciphertext) / 2];
362 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
363 AES_set_decrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
364 AES_ige_encrypt(ciphertext, checktext, sizeof(checktext), &key, iv,
368 for (n = 0; n < sizeof(checktext); ++n)
369 if (checktext[n] == plaintext[n])
372 /* Fail if there is more than 1% matching bytes */
373 return TEST_size_t_le(matches, sizeof(checktext) / 100);
376 static int test_bi_ige_garble2(void)
379 unsigned char iv[AES_BLOCK_SIZE * 4];
380 unsigned char ciphertext[BIG_TEST_SIZE];
381 unsigned char checktext[BIG_TEST_SIZE];
385 memcpy(iv, saved_iv, sizeof(iv));
386 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
387 AES_set_encrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
388 AES_ige_encrypt(plaintext, ciphertext, sizeof(plaintext), &key, iv,
391 /* corrupt right at the end */
392 ++ciphertext[sizeof(ciphertext) - 1];
393 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
394 AES_set_decrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
395 AES_ige_encrypt(ciphertext, checktext, sizeof(checktext), &key, iv,
399 for (n = 0; n < sizeof(checktext); ++n)
400 if (checktext[n] == plaintext[n])
403 /* Fail if there is more than 1% matching bytes */
404 return TEST_size_t_le(matches, sizeof(checktext) / 100);
407 static int test_bi_ige_garble3(void)
410 unsigned char iv[AES_BLOCK_SIZE * 4];
411 unsigned char ciphertext[BIG_TEST_SIZE];
412 unsigned char checktext[BIG_TEST_SIZE];
416 memcpy(iv, saved_iv, sizeof(iv));
417 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
418 AES_set_encrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
419 AES_ige_encrypt(plaintext, ciphertext, sizeof(plaintext), &key, iv,
422 /* corrupt right at the start */
424 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
425 AES_set_decrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
426 AES_ige_encrypt(ciphertext, checktext, sizeof(checktext), &key, iv,
430 for (n = 0; n < sizeof(checktext); ++n)
431 if (checktext[n] == plaintext[n])
434 /* Fail if there is more than 1% matching bytes */
435 return TEST_size_t_le(matches, sizeof(checktext) / 100);
439 int setup_tests(void)
442 RAND_bytes(rkey, sizeof(rkey));
443 RAND_bytes(rkey2, sizeof(rkey2));
444 RAND_bytes(plaintext, sizeof(plaintext));
445 RAND_bytes(saved_iv, sizeof(saved_iv));
447 ADD_TEST(test_ige_enc_dec);
448 ADD_TEST(test_ige_enc_chaining);
449 ADD_TEST(test_ige_dec_chaining);
450 ADD_TEST(test_ige_garble_forwards);
451 ADD_TEST(test_bi_ige_enc_dec);
452 ADD_TEST(test_bi_ige_garble1);
453 ADD_TEST(test_bi_ige_garble2);
454 ADD_TEST(test_bi_ige_garble3);
455 ADD_ALL_TESTS(test_ige_vectors, OSSL_NELEM(ige_test_vectors));
456 ADD_ALL_TESTS(test_bi_ige_vectors, OSSL_NELEM(bi_ige_test_vectors));