2 * Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/crypto.h>
11 #include <openssl/aes.h>
12 #include <openssl/rand.h>
15 #include "internal/nelem.h"
19 #define BIG_TEST_SIZE 10240
21 #if BIG_TEST_SIZE < TEST_SIZE
22 #error BIG_TEST_SIZE is smaller than TEST_SIZE
25 static unsigned char rkey[16];
26 static unsigned char rkey2[16];
27 static unsigned char plaintext[BIG_TEST_SIZE];
28 static unsigned char saved_iv[AES_BLOCK_SIZE * 4];
30 #define MAX_VECTOR_SIZE 64
33 const unsigned char key[16];
34 const unsigned char iv[32];
35 const unsigned char in[MAX_VECTOR_SIZE];
36 const unsigned char out[MAX_VECTOR_SIZE];
41 static struct ige_test const ige_test_vectors[] = {
42 {{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
43 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, /* key */
44 {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
45 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
46 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
47 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f}, /* iv */
48 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
49 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
50 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
51 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, /* in */
52 {0x1a, 0x85, 0x19, 0xa6, 0x55, 0x7b, 0xe6, 0x52,
53 0xe9, 0xda, 0x8e, 0x43, 0xda, 0x4e, 0xf4, 0x45,
54 0x3c, 0xf4, 0x56, 0xb4, 0xca, 0x48, 0x8a, 0xa3,
55 0x83, 0xc7, 0x9c, 0x98, 0xb3, 0x47, 0x97, 0xcb}, /* out */
56 32, AES_ENCRYPT}, /* test vector 0 */
58 {{0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
59 0x61, 0x6e, 0x20, 0x69, 0x6d, 0x70, 0x6c, 0x65}, /* key */
60 {0x6d, 0x65, 0x6e, 0x74, 0x61, 0x74, 0x69, 0x6f,
61 0x6e, 0x20, 0x6f, 0x66, 0x20, 0x49, 0x47, 0x45,
62 0x20, 0x6d, 0x6f, 0x64, 0x65, 0x20, 0x66, 0x6f,
63 0x72, 0x20, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53}, /* iv */
64 {0x4c, 0x2e, 0x20, 0x4c, 0x65, 0x74, 0x27, 0x73,
65 0x20, 0x68, 0x6f, 0x70, 0x65, 0x20, 0x42, 0x65,
66 0x6e, 0x20, 0x67, 0x6f, 0x74, 0x20, 0x69, 0x74,
67 0x20, 0x72, 0x69, 0x67, 0x68, 0x74, 0x21, 0x0a}, /* in */
68 {0x99, 0x70, 0x64, 0x87, 0xa1, 0xcd, 0xe6, 0x13,
69 0xbc, 0x6d, 0xe0, 0xb6, 0xf2, 0x4b, 0x1c, 0x7a,
70 0xa4, 0x48, 0xc8, 0xb9, 0xc3, 0x40, 0x3e, 0x34,
71 0x67, 0xa8, 0xca, 0xd8, 0x93, 0x40, 0xf5, 0x3b}, /* out */
72 32, AES_DECRYPT}, /* test vector 1 */
76 const unsigned char key1[32];
77 const unsigned char key2[32];
78 const unsigned char iv[64];
79 const unsigned char in[MAX_VECTOR_SIZE];
80 const unsigned char out[MAX_VECTOR_SIZE];
86 static struct bi_ige_test const bi_ige_test_vectors[] = {
87 {{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
88 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, /* key1 */
89 {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
90 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f}, /* key2 */
91 {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
92 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
93 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
94 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
95 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
96 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
97 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
98 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f}, /* iv */
99 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
100 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
101 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
102 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, /* in */
103 {0x14, 0x40, 0x6f, 0xae, 0xa2, 0x79, 0xf2, 0x56,
104 0x1f, 0x86, 0xeb, 0x3b, 0x7d, 0xff, 0x53, 0xdc,
105 0x4e, 0x27, 0x0c, 0x03, 0xde, 0x7c, 0xe5, 0x16,
106 0x6a, 0x9c, 0x20, 0x33, 0x9d, 0x33, 0xfe, 0x12}, /* out */
107 16, 32, AES_ENCRYPT}, /* test vector 0 */
108 {{0x58, 0x0a, 0x06, 0xe9, 0x97, 0x07, 0x59, 0x5c,
109 0x9e, 0x19, 0xd2, 0xa7, 0xbb, 0x40, 0x2b, 0x7a,
110 0xc7, 0xd8, 0x11, 0x9e, 0x4c, 0x51, 0x35, 0x75,
111 0x64, 0x28, 0x0f, 0x23, 0xad, 0x74, 0xac, 0x37}, /* key1 */
112 {0xd1, 0x80, 0xa0, 0x31, 0x47, 0xa3, 0x11, 0x13,
113 0x86, 0x26, 0x9e, 0x6d, 0xff, 0xaf, 0x72, 0x74,
114 0x5b, 0xa2, 0x35, 0x81, 0xd2, 0xa6, 0x3d, 0x21,
115 0x67, 0x7b, 0x58, 0xa8, 0x18, 0xf9, 0x72, 0xe4}, /* key2 */
116 {0x80, 0x3d, 0xbd, 0x4c, 0xe6, 0x7b, 0x06, 0xa9,
117 0x53, 0x35, 0xd5, 0x7e, 0x71, 0xc1, 0x70, 0x70,
118 0x74, 0x9a, 0x00, 0x28, 0x0c, 0xbf, 0x6c, 0x42,
119 0x9b, 0xa4, 0xdd, 0x65, 0x11, 0x77, 0x7c, 0x67,
120 0xfe, 0x76, 0x0a, 0xf0, 0xd5, 0xc6, 0x6e, 0x6a,
121 0xe7, 0x5e, 0x4c, 0xf2, 0x7e, 0x9e, 0xf9, 0x20,
122 0x0e, 0x54, 0x6f, 0x2d, 0x8a, 0x8d, 0x7e, 0xbd,
123 0x48, 0x79, 0x37, 0x99, 0xff, 0x27, 0x93, 0xa3}, /* iv */
124 {0xf1, 0x54, 0x3d, 0xca, 0xfe, 0xb5, 0xef, 0x1c,
125 0x4f, 0xa6, 0x43, 0xf6, 0xe6, 0x48, 0x57, 0xf0,
126 0xee, 0x15, 0x7f, 0xe3, 0xe7, 0x2f, 0xd0, 0x2f,
127 0x11, 0x95, 0x7a, 0x17, 0x00, 0xab, 0xa7, 0x0b,
128 0xbe, 0x44, 0x09, 0x9c, 0xcd, 0xac, 0xa8, 0x52,
129 0xa1, 0x8e, 0x7b, 0x75, 0xbc, 0xa4, 0x92, 0x5a,
130 0xab, 0x46, 0xd3, 0x3a, 0xa0, 0xd5, 0x35, 0x1c,
131 0x55, 0xa4, 0xb3, 0xa8, 0x40, 0x81, 0xa5, 0x0b}, /* in */
132 {0x42, 0xe5, 0x28, 0x30, 0x31, 0xc2, 0xa0, 0x23,
133 0x68, 0x49, 0x4e, 0xb3, 0x24, 0x59, 0x92, 0x79,
134 0xc1, 0xa5, 0xcc, 0xe6, 0x76, 0x53, 0xb1, 0xcf,
135 0x20, 0x86, 0x23, 0xe8, 0x72, 0x55, 0x99, 0x92,
136 0x0d, 0x16, 0x1c, 0x5a, 0x2f, 0xce, 0xcb, 0x51,
137 0xe2, 0x67, 0xfa, 0x10, 0xec, 0xcd, 0x3d, 0x67,
138 0xa5, 0xe6, 0xf7, 0x31, 0x26, 0xb0, 0x0d, 0x76,
139 0x5e, 0x28, 0xdc, 0x7f, 0x01, 0xc5, 0xa5, 0x4c}, /* out */
140 32, 64, AES_ENCRYPT}, /* test vector 1 */
144 static int test_ige_vectors(int n)
146 const struct ige_test *const v = &ige_test_vectors[n];
148 unsigned char buf[MAX_VECTOR_SIZE];
149 unsigned char iv[AES_BLOCK_SIZE * 2];
152 if (!TEST_int_le(v->length, MAX_VECTOR_SIZE))
155 if (v->encrypt == AES_ENCRYPT)
156 AES_set_encrypt_key(v->key, 8 * sizeof(v->key), &key);
158 AES_set_decrypt_key(v->key, 8 * sizeof(v->key), &key);
159 memcpy(iv, v->iv, sizeof(iv));
160 AES_ige_encrypt(v->in, buf, v->length, &key, iv, v->encrypt);
162 if (!TEST_mem_eq(v->out, v->length, buf, v->length)) {
163 TEST_info("IGE test vector %d failed", n);
164 test_output_memory("key", v->key, sizeof(v->key));
165 test_output_memory("iv", v->iv, sizeof(v->iv));
166 test_output_memory("in", v->in, v->length);
170 /* try with in == out */
171 memcpy(iv, v->iv, sizeof(iv));
172 memcpy(buf, v->in, v->length);
173 AES_ige_encrypt(buf, buf, v->length, &key, iv, v->encrypt);
175 if (!TEST_mem_eq(v->out, v->length, buf, v->length)) {
176 TEST_info("IGE test vector %d failed (with in == out)", n);
177 test_output_memory("key", v->key, sizeof(v->key));
178 test_output_memory("iv", v->iv, sizeof(v->iv));
179 test_output_memory("in", v->in, v->length);
186 static int test_bi_ige_vectors(int n)
188 const struct bi_ige_test *const v = &bi_ige_test_vectors[n];
191 unsigned char buf[MAX_VECTOR_SIZE];
193 if (!TEST_int_le(v->length, MAX_VECTOR_SIZE))
196 if (v->encrypt == AES_ENCRYPT) {
197 AES_set_encrypt_key(v->key1, 8 * v->keysize, &key1);
198 AES_set_encrypt_key(v->key2, 8 * v->keysize, &key2);
200 AES_set_decrypt_key(v->key1, 8 * v->keysize, &key1);
201 AES_set_decrypt_key(v->key2, 8 * v->keysize, &key2);
204 AES_bi_ige_encrypt(v->in, buf, v->length, &key1, &key2, v->iv,
207 if (!TEST_mem_eq(v->out, v->length, buf, v->length)) {
208 test_output_memory("key 1", v->key1, sizeof(v->key1));
209 test_output_memory("key 2", v->key2, sizeof(v->key2));
210 test_output_memory("iv", v->iv, sizeof(v->iv));
211 test_output_memory("in", v->in, v->length);
218 static int test_ige_enc_dec(void)
221 unsigned char iv[AES_BLOCK_SIZE * 4];
222 unsigned char ciphertext[BIG_TEST_SIZE];
223 unsigned char checktext[BIG_TEST_SIZE];
225 memcpy(iv, saved_iv, sizeof(iv));
226 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
227 AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE, &key, iv, AES_ENCRYPT);
229 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
230 memcpy(iv, saved_iv, sizeof(iv));
231 AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv, AES_DECRYPT);
233 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
236 static int test_ige_enc_chaining(void)
239 unsigned char iv[AES_BLOCK_SIZE * 4];
240 unsigned char ciphertext[BIG_TEST_SIZE];
241 unsigned char checktext[BIG_TEST_SIZE];
243 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
244 memcpy(iv, saved_iv, sizeof(iv));
245 AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE / 2, &key, iv,
247 AES_ige_encrypt(plaintext + TEST_SIZE / 2,
248 ciphertext + TEST_SIZE / 2, TEST_SIZE / 2,
249 &key, iv, AES_ENCRYPT);
251 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
252 memcpy(iv, saved_iv, sizeof(iv));
253 AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv, AES_DECRYPT);
255 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
258 static int test_ige_dec_chaining(void)
261 unsigned char iv[AES_BLOCK_SIZE * 4];
262 unsigned char ciphertext[BIG_TEST_SIZE];
263 unsigned char checktext[BIG_TEST_SIZE];
265 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
266 memcpy(iv, saved_iv, sizeof(iv));
267 AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE / 2, &key, iv,
269 AES_ige_encrypt(plaintext + TEST_SIZE / 2,
270 ciphertext + TEST_SIZE / 2, TEST_SIZE / 2,
271 &key, iv, AES_ENCRYPT);
273 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
274 memcpy(iv, saved_iv, sizeof(iv));
275 AES_ige_encrypt(ciphertext, checktext, TEST_SIZE / 2, &key, iv,
277 AES_ige_encrypt(ciphertext + TEST_SIZE / 2,
278 checktext + TEST_SIZE / 2, TEST_SIZE / 2, &key, iv,
281 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
284 static int test_ige_garble_forwards(void)
287 unsigned char iv[AES_BLOCK_SIZE * 4];
288 unsigned char ciphertext[BIG_TEST_SIZE];
289 unsigned char checktext[BIG_TEST_SIZE];
292 const size_t ctsize = sizeof(checktext);
295 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
296 memcpy(iv, saved_iv, sizeof(iv));
297 AES_ige_encrypt(plaintext, ciphertext, sizeof(plaintext), &key, iv,
300 /* corrupt halfway through */
301 ++ciphertext[sizeof(ciphertext) / 2];
302 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
303 memcpy(iv, saved_iv, sizeof(iv));
304 AES_ige_encrypt(ciphertext, checktext, sizeof(checktext), &key, iv,
308 for (n = 0; n < sizeof(checktext); ++n)
309 if (checktext[n] == plaintext[n])
312 /* Fail if there is more than 51% matching bytes */
313 if (!TEST_size_t_le(matches, ctsize / 2 + ctsize / 100))
316 /* Fail if the garble goes backwards */
317 if (!TEST_size_t_gt(matches, ctsize / 2))
322 static int test_bi_ige_enc_dec(void)
325 unsigned char iv[AES_BLOCK_SIZE * 4];
326 unsigned char ciphertext[BIG_TEST_SIZE];
327 unsigned char checktext[BIG_TEST_SIZE];
329 memcpy(iv, saved_iv, sizeof(iv));
330 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
331 AES_set_encrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
332 AES_bi_ige_encrypt(plaintext, ciphertext, TEST_SIZE, &key, &key2, iv,
335 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
336 AES_set_decrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
337 AES_bi_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, &key2, iv,
340 return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE);
343 static int test_bi_ige_garble1(void)
346 unsigned char iv[AES_BLOCK_SIZE * 4];
347 unsigned char ciphertext[BIG_TEST_SIZE];
348 unsigned char checktext[BIG_TEST_SIZE];
352 memcpy(iv, saved_iv, sizeof(iv));
353 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
354 AES_set_encrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
355 AES_ige_encrypt(plaintext, ciphertext, sizeof(plaintext), &key, iv,
358 /* corrupt halfway through */
359 ++ciphertext[sizeof(ciphertext) / 2];
360 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
361 AES_set_decrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
362 AES_ige_encrypt(ciphertext, checktext, sizeof(checktext), &key, iv,
366 for (n = 0; n < sizeof(checktext); ++n)
367 if (checktext[n] == plaintext[n])
370 /* Fail if there is more than 1% matching bytes */
371 return TEST_size_t_le(matches, sizeof(checktext) / 100);
374 static int test_bi_ige_garble2(void)
377 unsigned char iv[AES_BLOCK_SIZE * 4];
378 unsigned char ciphertext[BIG_TEST_SIZE];
379 unsigned char checktext[BIG_TEST_SIZE];
383 memcpy(iv, saved_iv, sizeof(iv));
384 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
385 AES_set_encrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
386 AES_ige_encrypt(plaintext, ciphertext, sizeof(plaintext), &key, iv,
389 /* corrupt right at the end */
390 ++ciphertext[sizeof(ciphertext) - 1];
391 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
392 AES_set_decrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
393 AES_ige_encrypt(ciphertext, checktext, sizeof(checktext), &key, iv,
397 for (n = 0; n < sizeof(checktext); ++n)
398 if (checktext[n] == plaintext[n])
401 /* Fail if there is more than 1% matching bytes */
402 return TEST_size_t_le(matches, sizeof(checktext) / 100);
405 static int test_bi_ige_garble3(void)
408 unsigned char iv[AES_BLOCK_SIZE * 4];
409 unsigned char ciphertext[BIG_TEST_SIZE];
410 unsigned char checktext[BIG_TEST_SIZE];
414 memcpy(iv, saved_iv, sizeof(iv));
415 AES_set_encrypt_key(rkey, 8 * sizeof(rkey), &key);
416 AES_set_encrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
417 AES_ige_encrypt(plaintext, ciphertext, sizeof(plaintext), &key, iv,
420 /* corrupt right at the start */
422 AES_set_decrypt_key(rkey, 8 * sizeof(rkey), &key);
423 AES_set_decrypt_key(rkey2, 8 * sizeof(rkey2), &key2);
424 AES_ige_encrypt(ciphertext, checktext, sizeof(checktext), &key, iv,
428 for (n = 0; n < sizeof(checktext); ++n)
429 if (checktext[n] == plaintext[n])
432 /* Fail if there is more than 1% matching bytes */
433 return TEST_size_t_le(matches, sizeof(checktext) / 100);
436 int setup_tests(void)
438 RAND_bytes(rkey, sizeof(rkey));
439 RAND_bytes(rkey2, sizeof(rkey2));
440 RAND_bytes(plaintext, sizeof(plaintext));
441 RAND_bytes(saved_iv, sizeof(saved_iv));
443 ADD_TEST(test_ige_enc_dec);
444 ADD_TEST(test_ige_enc_chaining);
445 ADD_TEST(test_ige_dec_chaining);
446 ADD_TEST(test_ige_garble_forwards);
447 ADD_TEST(test_bi_ige_enc_dec);
448 ADD_TEST(test_bi_ige_garble1);
449 ADD_TEST(test_bi_ige_garble2);
450 ADD_TEST(test_bi_ige_garble3);
451 ADD_ALL_TESTS(test_ige_vectors, OSSL_NELEM(ige_test_vectors));
452 ADD_ALL_TESTS(test_bi_ige_vectors, OSSL_NELEM(bi_ige_test_vectors));