X-Git-Url: https://bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=test%2Ftest_crypto.c;h=46f208cf3af5f99211bb705427eb7c77e3e73b39;hp=ce0f64ff27873dd7ca1d560a79717cccc7885a3b;hb=7d313ccce746ed413f22ed0dc83402efb17488e6;hpb=3210f38e0491b39aec1ef419cb4114e9483089fb diff --git a/test/test_crypto.c b/test/test_crypto.c index ce0f64f..46f208c 100644 --- a/test/test_crypto.c +++ b/test/test_crypto.c @@ -47,9 +47,9 @@ hextobin(unsigned char *dst, const char *src) if (c >= '0' && c <= '9') { c -= '0'; } else if (c >= 'A' && c <= 'F') { - c -= ('A' - 10); \ + c -= ('A' - 10); } else if (c >= 'a' && c <= 'f') { - c -= ('a' - 10); \ + c -= ('a' - 10); } else { continue; } @@ -65,7 +65,7 @@ hextobin(unsigned char *dst, const char *src) } static void -check_equals(char *banner, const void *v1, const void *v2, size_t len) +check_equals(const char *banner, const void *v1, const void *v2, size_t len) { size_t u; const unsigned char *b; @@ -591,7 +591,7 @@ test_HMAC_CT(const br_hash_class *digest_class, br_hmac_key_init(&kc, digest_class, key, key_len); - for (u = 0; u < 130; u ++) { + for (u = 0; u < 2; u ++) { for (v = 0; v < 130; v ++) { size_t min_len, max_len; size_t w; @@ -1075,21 +1075,43 @@ test_HMAC_DRBG(void) } static void -do_KAT_PRF( - void (*prf)(void *dst, size_t len, - const void *secret, size_t secret_len, - const char *label, const void *seed, size_t seed_len), +do_KAT_PRF(br_tls_prf_impl prf, const char *ssecret, const char *label, const char *sseed, const char *sref) { unsigned char secret[100], seed[100], ref[500], out[500]; size_t secret_len, seed_len, ref_len; + br_tls_prf_seed_chunk chunks[2]; secret_len = hextobin(secret, ssecret); seed_len = hextobin(seed, sseed); ref_len = hextobin(ref, sref); - prf(out, ref_len, secret, secret_len, label, seed, seed_len); - check_equals("TLS PRF KAT", out, ref, ref_len); + + chunks[0].data = seed; + chunks[0].len = seed_len; + prf(out, ref_len, secret, secret_len, label, 1, chunks); + check_equals("TLS PRF KAT 1", out, ref, ref_len); + + chunks[0].data = seed; + chunks[0].len = seed_len; + chunks[1].data = NULL; + chunks[1].len = 0; + prf(out, ref_len, secret, secret_len, label, 2, chunks); + check_equals("TLS PRF KAT 2", out, ref, ref_len); + + chunks[0].data = NULL; + chunks[0].len = 0; + chunks[1].data = seed; + chunks[1].len = seed_len; + prf(out, ref_len, secret, secret_len, label, 2, chunks); + check_equals("TLS PRF KAT 3", out, ref, ref_len); + + chunks[0].data = seed; + chunks[0].len = seed_len >> 1; + chunks[1].data = seed + chunks[0].len; + chunks[1].len = seed_len - chunks[0].len; + prf(out, ref_len, secret, secret_len, label, 2, chunks); + check_equals("TLS PRF KAT 4", out, ref, ref_len); } static void @@ -3133,6 +3155,71 @@ test_AES_generic(char *name, check_equals("KAT CBC AES decrypt (2)", buf, plain, data_len); } + + /* + * We want to check proper IV management for CBC: + * encryption and decryption must properly copy the _last_ + * encrypted block as new IV, for all sizes. + */ + for (u = 1; u <= 35; u ++) { + br_hmac_drbg_context rng; + unsigned char x; + size_t key_len, data_len; + size_t v; + + br_hmac_drbg_init(&rng, &br_sha256_vtable, + "seed for AES/CBC", 16); + x = u; + br_hmac_drbg_update(&rng, &x, 1); + data_len = u << 4; + for (key_len = 16; key_len <= 32; key_len += 16) { + unsigned char key[32]; + unsigned char iv[16], iv1[16], iv2[16]; + unsigned char plain[35 * 16]; + unsigned char tmp1[sizeof plain]; + unsigned char tmp2[sizeof plain]; + br_aes_gen_cbcenc_keys v_ec; + br_aes_gen_cbcdec_keys v_dc; + const br_block_cbcenc_class **ec; + const br_block_cbcdec_class **dc; + + br_hmac_drbg_generate(&rng, key, key_len); + br_hmac_drbg_generate(&rng, iv, sizeof iv); + br_hmac_drbg_generate(&rng, plain, data_len); + + ec = &v_ec.vtable; + ve->init(ec, key, key_len); + memcpy(iv1, iv, sizeof iv); + memcpy(tmp1, plain, data_len); + ve->run(ec, iv1, tmp1, data_len); + check_equals("IV CBC AES (1)", + tmp1 + data_len - 16, iv1, 16); + memcpy(iv2, iv, sizeof iv); + memcpy(tmp2, plain, data_len); + for (v = 0; v < data_len; v += 16) { + ve->run(ec, iv2, tmp2 + v, 16); + } + check_equals("IV CBC AES (2)", + tmp2 + data_len - 16, iv2, 16); + check_equals("IV CBC AES (3)", + tmp1, tmp2, data_len); + + dc = &v_dc.vtable; + vd->init(dc, key, key_len); + memcpy(iv1, iv, sizeof iv); + vd->run(dc, iv1, tmp1, data_len); + check_equals("IV CBC AES (4)", iv1, iv2, 16); + check_equals("IV CBC AES (5)", + tmp1, plain, data_len); + memcpy(iv2, iv, sizeof iv); + for (v = 0; v < data_len; v += 16) { + vd->run(dc, iv2, tmp2 + v, 16); + } + check_equals("IV CBC AES (6)", iv1, iv2, 16); + check_equals("IV CBC AES (7)", + tmp2, plain, data_len); + } + } } if (vc != NULL) { @@ -3157,7 +3244,6 @@ test_AES_generic(char *name, data_len = hextobin(plain, KAT_AES_CTR[u + 2]); hextobin(cipher, KAT_AES_CTR[u + 3]); vc->init(xc, key, key_len); - memcpy(buf, plain, data_len); vc->run(xc, iv, 1, buf, data_len); check_equals("KAT CTR AES (1)", buf, cipher, data_len); @@ -3271,6 +3357,278 @@ test_AES_ct64(void) 1, 1); } +static void +test_AES_x86ni(void) +{ + const br_block_cbcenc_class *x_cbcenc; + const br_block_cbcdec_class *x_cbcdec; + const br_block_ctr_class *x_ctr; + int hcbcenc, hcbcdec, hctr; + + x_cbcenc = br_aes_x86ni_cbcenc_get_vtable(); + x_cbcdec = br_aes_x86ni_cbcdec_get_vtable(); + x_ctr = br_aes_x86ni_ctr_get_vtable(); + hcbcenc = (x_cbcenc != NULL); + hcbcdec = (x_cbcdec != NULL); + hctr = (x_ctr != NULL); + if (hcbcenc != hctr || hcbcdec != hctr) { + fprintf(stderr, "AES_x86ni availability mismatch (%d/%d/%d)\n", + hcbcenc, hcbcdec, hctr); + exit(EXIT_FAILURE); + } + if (hctr) { + test_AES_generic("AES_x86ni", + x_cbcenc, x_cbcdec, x_ctr, 1, 1); + } else { + printf("Test AES_x86ni: UNAVAILABLE\n"); + } +} + +static void +test_AES_pwr8(void) +{ + const br_block_cbcenc_class *x_cbcenc; + const br_block_cbcdec_class *x_cbcdec; + const br_block_ctr_class *x_ctr; + int hcbcenc, hcbcdec, hctr; + + x_cbcenc = br_aes_pwr8_cbcenc_get_vtable(); + x_cbcdec = br_aes_pwr8_cbcdec_get_vtable(); + x_ctr = br_aes_pwr8_ctr_get_vtable(); + hcbcenc = (x_cbcenc != NULL); + hcbcdec = (x_cbcdec != NULL); + hctr = (x_ctr != NULL); + if (hcbcenc != hctr || hcbcdec != hctr) { + fprintf(stderr, "AES_pwr8 availability mismatch (%d/%d/%d)\n", + hcbcenc, hcbcdec, hctr); + exit(EXIT_FAILURE); + } + if (hctr) { + test_AES_generic("AES_pwr8", + x_cbcenc, x_cbcdec, x_ctr, 1, 1); + } else { + printf("Test AES_pwr8: UNAVAILABLE\n"); + } +} + +/* + * Custom CTR + CBC-MAC AES implementation. Can also do CTR-only, and + * CBC-MAC-only. The 'aes_big' implementation (CTR) is used. This is + * meant for comparisons. + * + * If 'ctr' is NULL then no encryption/decryption is done; otherwise, + * CTR encryption/decryption is performed (full-block counter) and the + * 'ctr' array is updated with the new counter value. + * + * If 'cbcmac' is NULL then no CBC-MAC is done; otherwise, CBC-MAC is + * applied on the encrypted data, with 'cbcmac' as IV and destination + * buffer for the output. If 'ctr' is not NULL and 'encrypt' is non-zero, + * then CBC-MAC is computed over the result of CTR processing; otherwise, + * CBC-MAC is computed over the input data itself. + */ +static void +do_aes_ctrcbc(const void *key, size_t key_len, int encrypt, + void *ctr, void *cbcmac, unsigned char *data, size_t len) +{ + br_aes_big_ctr_keys bc; + int i; + + br_aes_big_ctr_init(&bc, key, key_len); + for (i = 0; i < 2; i ++) { + /* + * CBC-MAC is computed on the encrypted data, so in + * first pass if decrypting, second pass if encrypting. + */ + if (cbcmac != NULL + && ((encrypt && i == 1) || (!encrypt && i == 0))) + { + unsigned char zz[16]; + size_t u; + + memcpy(zz, cbcmac, sizeof zz); + for (u = 0; u < len; u += 16) { + unsigned char tmp[16]; + size_t v; + + for (v = 0; v < 16; v ++) { + tmp[v] = zz[v] ^ data[u + v]; + } + memset(zz, 0, sizeof zz); + br_aes_big_ctr_run(&bc, + tmp, br_dec32be(tmp + 12), zz, 16); + } + memcpy(cbcmac, zz, sizeof zz); + } + + /* + * CTR encryption/decryption is done only in the first pass. + * We process data block per block, because the CTR-only + * class uses a 32-bit counter, while the CTR+CBC-MAC + * class uses a 128-bit counter. + */ + if (ctr != NULL && i == 0) { + unsigned char zz[16]; + size_t u; + + memcpy(zz, ctr, sizeof zz); + for (u = 0; u < len; u += 16) { + int i; + + br_aes_big_ctr_run(&bc, + zz, br_dec32be(zz + 12), data + u, 16); + for (i = 15; i >= 0; i --) { + zz[i] = (zz[i] + 1) & 0xFF; + if (zz[i] != 0) { + break; + } + } + } + memcpy(ctr, zz, sizeof zz); + } + } +} + +static void +test_AES_CTRCBC_inner(const char *name, const br_block_ctrcbc_class *vt) +{ + br_hmac_drbg_context rng; + size_t key_len; + + printf("Test AES CTR/CBC-MAC %s: ", name); + fflush(stdout); + + br_hmac_drbg_init(&rng, &br_sha256_vtable, name, strlen(name)); + for (key_len = 16; key_len <= 32; key_len += 8) { + br_aes_gen_ctrcbc_keys bc; + unsigned char key[32]; + size_t data_len; + + br_hmac_drbg_generate(&rng, key, key_len); + vt->init(&bc.vtable, key, key_len); + for (data_len = 0; data_len <= 512; data_len += 16) { + unsigned char plain[512]; + unsigned char data1[sizeof plain]; + unsigned char data2[sizeof plain]; + unsigned char ctr[16], cbcmac[16]; + unsigned char ctr1[16], cbcmac1[16]; + unsigned char ctr2[16], cbcmac2[16]; + int i; + + br_hmac_drbg_generate(&rng, plain, data_len); + + for (i = 0; i <= 16; i ++) { + if (i == 0) { + br_hmac_drbg_generate(&rng, ctr, 16); + } else { + memset(ctr, 0, i - 1); + memset(ctr + i - 1, 0xFF, 17 - i); + } + br_hmac_drbg_generate(&rng, cbcmac, 16); + + memcpy(data1, plain, data_len); + memcpy(ctr1, ctr, 16); + vt->ctr(&bc.vtable, ctr1, data1, data_len); + memcpy(data2, plain, data_len); + memcpy(ctr2, ctr, 16); + do_aes_ctrcbc(key, key_len, 1, + ctr2, NULL, data2, data_len); + check_equals("CTR-only data", + data1, data2, data_len); + check_equals("CTR-only counter", + ctr1, ctr2, 16); + + memcpy(data1, plain, data_len); + memcpy(cbcmac1, cbcmac, 16); + vt->mac(&bc.vtable, cbcmac1, data1, data_len); + memcpy(data2, plain, data_len); + memcpy(cbcmac2, cbcmac, 16); + do_aes_ctrcbc(key, key_len, 1, + NULL, cbcmac2, data2, data_len); + check_equals("CBC-MAC-only", + cbcmac1, cbcmac2, 16); + + memcpy(data1, plain, data_len); + memcpy(ctr1, ctr, 16); + memcpy(cbcmac1, cbcmac, 16); + vt->encrypt(&bc.vtable, + ctr1, cbcmac1, data1, data_len); + memcpy(data2, plain, data_len); + memcpy(ctr2, ctr, 16); + memcpy(cbcmac2, cbcmac, 16); + do_aes_ctrcbc(key, key_len, 1, + ctr2, cbcmac2, data2, data_len); + check_equals("encrypt: combined data", + data1, data2, data_len); + check_equals("encrypt: combined counter", + ctr1, ctr2, 16); + check_equals("encrypt: combined CBC-MAC", + cbcmac1, cbcmac2, 16); + + memcpy(ctr1, ctr, 16); + memcpy(cbcmac1, cbcmac, 16); + vt->decrypt(&bc.vtable, + ctr1, cbcmac1, data1, data_len); + memcpy(ctr2, ctr, 16); + memcpy(cbcmac2, cbcmac, 16); + do_aes_ctrcbc(key, key_len, 0, + ctr2, cbcmac2, data2, data_len); + check_equals("decrypt: combined data", + data1, data2, data_len); + check_equals("decrypt: combined counter", + ctr1, ctr2, 16); + check_equals("decrypt: combined CBC-MAC", + cbcmac1, cbcmac2, 16); + } + + printf("."); + fflush(stdout); + } + + printf(" "); + fflush(stdout); + } + + printf("done.\n"); + fflush(stdout); +} + +static void +test_AES_CTRCBC_big(void) +{ + test_AES_CTRCBC_inner("big", &br_aes_big_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_small(void) +{ + test_AES_CTRCBC_inner("small", &br_aes_small_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_ct(void) +{ + test_AES_CTRCBC_inner("ct", &br_aes_ct_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_ct64(void) +{ + test_AES_CTRCBC_inner("ct64", &br_aes_ct64_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_x86ni(void) +{ + const br_block_ctrcbc_class *vt; + + vt = br_aes_x86ni_ctrcbc_get_vtable(); + if (vt != NULL) { + test_AES_CTRCBC_inner("x86ni", vt); + } else { + printf("Test AES CTR/CBC-MAC x86ni: UNAVAILABLE\n"); + } +} + /* * DES known-answer tests. Order: plaintext, key, ciphertext. * (mostly from NIST SP 800-20). @@ -4006,6 +4364,253 @@ test_DES_ct(void) 1, 1); } +static const struct { + const char *skey; + const char *snonce; + uint32_t counter; + const char *splain; + const char *scipher; +} KAT_CHACHA20[] = { + { + "0000000000000000000000000000000000000000000000000000000000000000", + "000000000000000000000000", + 0, + "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586" + }, + { + "0000000000000000000000000000000000000000000000000000000000000001", + "000000000000000000000002", + 1, + "416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f", + "a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221" + }, + { + "1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0", + "000000000000000000000002", + 42, + "2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e", + "62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1" + }, + { 0, 0, 0, 0, 0 } +}; + +static void +test_ChaCha20_generic(const char *name, br_chacha20_run cr) +{ + size_t u; + + printf("Test %s: ", name); + fflush(stdout); + if (cr == 0) { + printf("UNAVAILABLE\n"); + return; + } + + for (u = 0; KAT_CHACHA20[u].skey; u ++) { + unsigned char key[32], nonce[12], plain[400], cipher[400]; + uint32_t cc; + size_t v, len; + + hextobin(key, KAT_CHACHA20[u].skey); + hextobin(nonce, KAT_CHACHA20[u].snonce); + cc = KAT_CHACHA20[u].counter; + len = hextobin(plain, KAT_CHACHA20[u].splain); + hextobin(cipher, KAT_CHACHA20[u].scipher); + + for (v = 0; v < len; v ++) { + unsigned char tmp[400]; + size_t w; + uint32_t cc2; + + memset(tmp, 0, sizeof tmp); + memcpy(tmp, plain, v); + if (cr(key, nonce, cc, tmp, v) + != cc + (uint32_t)((v + 63) >> 6)) + { + fprintf(stderr, "ChaCha20: wrong counter\n"); + exit(EXIT_FAILURE); + } + if (memcmp(tmp, cipher, v) != 0) { + fprintf(stderr, "ChaCha20 KAT fail (1)\n"); + exit(EXIT_FAILURE); + } + for (w = v; w < sizeof tmp; w ++) { + if (tmp[w] != 0) { + fprintf(stderr, "ChaCha20: overrun\n"); + exit(EXIT_FAILURE); + } + } + for (w = 0, cc2 = cc; w < v; w += 64, cc2 ++) { + size_t x; + + x = v - w; + if (x > 64) { + x = 64; + } + if (cr(key, nonce, cc2, tmp + w, x) + != (cc2 + 1)) + { + fprintf(stderr, "ChaCha20:" + " wrong counter (2)\n"); + exit(EXIT_FAILURE); + } + } + if (memcmp(tmp, plain, v) != 0) { + fprintf(stderr, "ChaCha20 KAT fail (2)\n"); + exit(EXIT_FAILURE); + } + } + + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +static void +test_ChaCha20_ct(void) +{ + test_ChaCha20_generic("ChaCha20_ct", &br_chacha20_ct_run); +} + +static void +test_ChaCha20_sse2(void) +{ + test_ChaCha20_generic("ChaCha20_sse2", br_chacha20_sse2_get()); +} + +static const struct { + const char *splain; + const char *saad; + const char *skey; + const char *snonce; + const char *scipher; + const char *stag; +} KAT_POLY1305[] = { + { + "4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e", + "50515253c0c1c2c3c4c5c6c7", + "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "070000004041424344454647", + "d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116", + "1ae10b594f09e26a7e902ecbd0600691" + }, + { 0, 0, 0, 0, 0, 0 } +}; + +static void +test_Poly1305_inner(const char *name, br_poly1305_run ipoly, + br_poly1305_run iref) +{ + size_t u; + br_hmac_drbg_context rng; + + printf("Test %s: ", name); + fflush(stdout); + + for (u = 0; KAT_POLY1305[u].skey; u ++) { + unsigned char key[32], nonce[12], plain[400], cipher[400]; + unsigned char aad[400], tag[16], data[400], tmp[16]; + size_t len, aad_len; + + len = hextobin(plain, KAT_POLY1305[u].splain); + aad_len = hextobin(aad, KAT_POLY1305[u].saad); + hextobin(key, KAT_POLY1305[u].skey); + hextobin(nonce, KAT_POLY1305[u].snonce); + hextobin(cipher, KAT_POLY1305[u].scipher); + hextobin(tag, KAT_POLY1305[u].stag); + + memcpy(data, plain, len); + ipoly(key, nonce, data, len, + aad, aad_len, tmp, br_chacha20_ct_run, 1); + check_equals("ChaCha20+Poly1305 KAT (1)", data, cipher, len); + check_equals("ChaCha20+Poly1305 KAT (2)", tmp, tag, 16); + ipoly(key, nonce, data, len, + aad, aad_len, tmp, br_chacha20_ct_run, 0); + check_equals("ChaCha20+Poly1305 KAT (3)", data, plain, len); + check_equals("ChaCha20+Poly1305 KAT (4)", tmp, tag, 16); + + printf("."); + fflush(stdout); + } + + printf(" "); + fflush(stdout); + + /* + * We compare the "ipoly" and "iref" implementations together on + * a bunch of pseudo-random messages. + */ + br_hmac_drbg_init(&rng, &br_sha256_vtable, "seed for Poly1305", 17); + for (u = 0; u < 100; u ++) { + unsigned char plain[100], aad[100], tmp[100]; + unsigned char key[32], iv[12], tag1[16], tag2[16]; + + br_hmac_drbg_generate(&rng, key, sizeof key); + br_hmac_drbg_generate(&rng, iv, sizeof iv); + br_hmac_drbg_generate(&rng, plain, u); + br_hmac_drbg_generate(&rng, aad, u); + memcpy(tmp, plain, u); + memset(tmp + u, 0xFF, (sizeof tmp) - u); + ipoly(key, iv, tmp, u, aad, u, tag1, + &br_chacha20_ct_run, 1); + memset(tmp + u, 0x00, (sizeof tmp) - u); + iref(key, iv, tmp, u, aad, u, tag2, + &br_chacha20_ct_run, 0); + if (memcmp(tmp, plain, u) != 0) { + fprintf(stderr, "cross enc/dec failed\n"); + exit(EXIT_FAILURE); + } + if (memcmp(tag1, tag2, sizeof tag1) != 0) { + fprintf(stderr, "cross MAC failed\n"); + exit(EXIT_FAILURE); + } + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +static void +test_Poly1305_ctmul(void) +{ + test_Poly1305_inner("Poly1305_ctmul", &br_poly1305_ctmul_run, + &br_poly1305_i15_run); +} + +static void +test_Poly1305_ctmul32(void) +{ + test_Poly1305_inner("Poly1305_ctmul32", &br_poly1305_ctmul32_run, + &br_poly1305_i15_run); +} + +static void +test_Poly1305_i15(void) +{ + test_Poly1305_inner("Poly1305_i15", &br_poly1305_i15_run, + &br_poly1305_ctmul_run); +} + +static void +test_Poly1305_ctmulq(void) +{ + br_poly1305_run bp; + + bp = br_poly1305_ctmulq_get(); + if (bp == 0) { + printf("Test Poly1305_ctmulq: UNAVAILABLE\n"); + } else { + test_Poly1305_inner("Poly1305_ctmulq", bp, + &br_poly1305_ctmul_run); + } +} + /* * A 1024-bit RSA key, generated with OpenSSL. */ @@ -4116,7 +4721,7 @@ static const br_rsa_private_key RSA_SK = { }; static void -test_RSA_core(char *name, br_rsa_public fpub, br_rsa_private fpriv) +test_RSA_core(const char *name, br_rsa_public fpub, br_rsa_private fpriv) { unsigned char t1[128], t2[128], t3[128]; @@ -4144,83 +4749,182 @@ test_RSA_core(char *name, br_rsa_public fpub, br_rsa_private fpriv) fflush(stdout); } -static void -test_RSA_i31(void) -{ - test_RSA_core("RSA i31 core", &br_rsa_i31_public, &br_rsa_i31_private); - /* FIXME - test_RSA_sign("RSA i31 sign", - &br_rsa_i31_pkcs1_vrfy, &br_rsa_i31_pkcs1_sign); - */ -} - -static void -test_RSA_i32(void) -{ - test_RSA_core("RSA i32 core", &br_rsa_i32_public, &br_rsa_i32_private); - /* FIXME - test_RSA_sign("RSA i32 sign", - &br_rsa_i32_pkcs1_vrfy, &br_rsa_i32_pkcs1_sign); - */ -} +static const unsigned char SHA1_OID[] = { + 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A +}; -#if 0 static void -test_RSA_signatures(void) +test_RSA_sign(const char *name, br_rsa_private fpriv, + br_rsa_pkcs1_sign fsign, br_rsa_pkcs1_vrfy fvrfy) { - uint32_t n[40], e[2], p[20], q[20], dp[20], dq[20], iq[20], x[40]; - unsigned char hv[20], sig[128]; - unsigned char ref[128], tmp[128]; + unsigned char t1[128], t2[128]; + unsigned char hv[20], tmp[20]; br_sha1_context hc; + size_t u; - printf("Test RSA signatures: "); + printf("Test %s: ", name); fflush(stdout); /* - * Decode RSA key elements. - */ - br_int_decode(n, sizeof n / sizeof n[0], RSA_N, sizeof RSA_N); - br_int_decode(e, sizeof e / sizeof e[0], RSA_E, sizeof RSA_E); - br_int_decode(p, sizeof p / sizeof p[0], RSA_P, sizeof RSA_P); - br_int_decode(q, sizeof q / sizeof q[0], RSA_Q, sizeof RSA_Q); - br_int_decode(dp, sizeof dp / sizeof dp[0], RSA_DP, sizeof RSA_DP); - br_int_decode(dq, sizeof dq / sizeof dq[0], RSA_DQ, sizeof RSA_DQ); - br_int_decode(iq, sizeof iq / sizeof iq[0], RSA_IQ, sizeof RSA_IQ); - - /* - * Decode reference signature (computed with OpenSSL). - */ - hextobin(ref, "45A3DC6A106BCD3BD0E48FB579643AA3FF801E5903E80AA9B43A695A8E7F454E93FA208B69995FF7A6D5617C2FEB8E546375A664977A48931842AAE796B5A0D64393DCA35F3490FC157F5BD83B9D58C2F7926E6AE648A2BD96CAB8FCCD3D35BB11424AD47D973FF6D69CA774841AEC45DFAE99CCF79893E7047FDE6CB00AA76D"); - - /* - * Recompute signature. Since PKCS#1 v1.5 signatures are - * deterministic, we should get the same as the reference signature. + * Verify the KAT test (computed with OpenSSL). */ + hextobin(t1, "45A3DC6A106BCD3BD0E48FB579643AA3FF801E5903E80AA9B43A695A8E7F454E93FA208B69995FF7A6D5617C2FEB8E546375A664977A48931842AAE796B5A0D64393DCA35F3490FC157F5BD83B9D58C2F7926E6AE648A2BD96CAB8FCCD3D35BB11424AD47D973FF6D69CA774841AEC45DFAE99CCF79893E7047FDE6CB00AA76D"); br_sha1_init(&hc); br_sha1_update(&hc, "test", 4); br_sha1_out(&hc, hv); - if (!br_rsa_sign(sig, sizeof sig, p, q, dp, dq, iq, br_sha1_ID, hv)) { - fprintf(stderr, "RSA-1024/SHA-1 sig generate failed\n"); + if (!fvrfy(t1, sizeof t1, SHA1_OID, sizeof tmp, &RSA_PK, tmp)) { + fprintf(stderr, "Signature verification failed\n"); exit(EXIT_FAILURE); } - check_equals("KAT RSA-sign 1", sig, ref, sizeof sig); + check_equals("Extracted hash value", hv, tmp, sizeof tmp); /* - * Verify signature. + * Regenerate the signature. This should yield the same value as + * the KAT test, since PKCS#1 v1.5 signatures are deterministic + * (except the usual detail about hash function parameter + * encoding, but OpenSSL uses the same convention as BearSSL). */ - if (!br_rsa_verify(sig, sizeof sig, n, e, br_sha1_ID, hv)) { - fprintf(stderr, "RSA-1024/SHA-1 sig verify failed\n"); - exit(EXIT_FAILURE); - } - hv[5] ^= 0x01; - if (br_rsa_verify(sig, sizeof sig, n, e, br_sha1_ID, hv)) { - fprintf(stderr, "RSA-1024/SHA-1 sig verify should have failed\n"); + if (!fsign(SHA1_OID, hv, 20, &RSA_SK, t2)) { + fprintf(stderr, "Signature generation failed\n"); exit(EXIT_FAILURE); } - hv[5] ^= 0x01; + check_equals("Regenerated signature", t1, t2, sizeof t1); /* - * Generate a signature with the alternate encoding (no NULL) and + * Use the raw private core to generate fake signatures, where + * one byte of the padded hash value is altered. They should all be + * rejected. + */ + hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003021300906052B0E03021A05000414A94A8FE5CCB19BA61C4C0873D391E987982FBBD3"); + for (u = 0; u < (sizeof t2) - 20; u ++) { + memcpy(t1, t2, sizeof t2); + t1[u] ^= 0x01; + if (!fpriv(t1, &RSA_SK)) { + fprintf(stderr, "RSA private key operation failed\n"); + exit(EXIT_FAILURE); + } + if (fvrfy(t1, sizeof t1, SHA1_OID, sizeof tmp, &RSA_PK, tmp)) { + fprintf(stderr, + "Signature verification should have failed\n"); + exit(EXIT_FAILURE); + } + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +static void +test_RSA_i15(void) +{ + test_RSA_core("RSA i15 core", &br_rsa_i15_public, &br_rsa_i15_private); + test_RSA_sign("RSA i15 sign", &br_rsa_i15_private, + &br_rsa_i15_pkcs1_sign, &br_rsa_i15_pkcs1_vrfy); +} + +static void +test_RSA_i31(void) +{ + test_RSA_core("RSA i31 core", &br_rsa_i31_public, &br_rsa_i31_private); + test_RSA_sign("RSA i31 sign", &br_rsa_i31_private, + &br_rsa_i31_pkcs1_sign, &br_rsa_i31_pkcs1_vrfy); +} + +static void +test_RSA_i32(void) +{ + test_RSA_core("RSA i32 core", &br_rsa_i32_public, &br_rsa_i32_private); + test_RSA_sign("RSA i32 sign", &br_rsa_i32_private, + &br_rsa_i32_pkcs1_sign, &br_rsa_i32_pkcs1_vrfy); +} + +static void +test_RSA_i62(void) +{ + br_rsa_public pub; + br_rsa_private priv; + br_rsa_pkcs1_sign sign; + br_rsa_pkcs1_vrfy vrfy; + + pub = br_rsa_i62_public_get(); + priv = br_rsa_i62_private_get(); + sign = br_rsa_i62_pkcs1_sign_get(); + vrfy = br_rsa_i62_pkcs1_vrfy_get(); + if (pub) { + if (!priv || !sign || !vrfy) { + fprintf(stderr, "Inconsistent i62 availability\n"); + exit(EXIT_FAILURE); + } + test_RSA_core("RSA i62 core", pub, priv); + test_RSA_sign("RSA i62 sign", priv, sign, vrfy); + } else { + if (priv || sign || vrfy) { + fprintf(stderr, "Inconsistent i62 availability\n"); + exit(EXIT_FAILURE); + } + printf("Test RSA i62: UNAVAILABLE\n"); + } +} + +#if 0 +static void +test_RSA_signatures(void) +{ + uint32_t n[40], e[2], p[20], q[20], dp[20], dq[20], iq[20], x[40]; + unsigned char hv[20], sig[128]; + unsigned char ref[128], tmp[128]; + br_sha1_context hc; + + printf("Test RSA signatures: "); + fflush(stdout); + + /* + * Decode RSA key elements. + */ + br_int_decode(n, sizeof n / sizeof n[0], RSA_N, sizeof RSA_N); + br_int_decode(e, sizeof e / sizeof e[0], RSA_E, sizeof RSA_E); + br_int_decode(p, sizeof p / sizeof p[0], RSA_P, sizeof RSA_P); + br_int_decode(q, sizeof q / sizeof q[0], RSA_Q, sizeof RSA_Q); + br_int_decode(dp, sizeof dp / sizeof dp[0], RSA_DP, sizeof RSA_DP); + br_int_decode(dq, sizeof dq / sizeof dq[0], RSA_DQ, sizeof RSA_DQ); + br_int_decode(iq, sizeof iq / sizeof iq[0], RSA_IQ, sizeof RSA_IQ); + + /* + * Decode reference signature (computed with OpenSSL). + */ + hextobin(ref, "45A3DC6A106BCD3BD0E48FB579643AA3FF801E5903E80AA9B43A695A8E7F454E93FA208B69995FF7A6D5617C2FEB8E546375A664977A48931842AAE796B5A0D64393DCA35F3490FC157F5BD83B9D58C2F7926E6AE648A2BD96CAB8FCCD3D35BB11424AD47D973FF6D69CA774841AEC45DFAE99CCF79893E7047FDE6CB00AA76D"); + + /* + * Recompute signature. Since PKCS#1 v1.5 signatures are + * deterministic, we should get the same as the reference signature. + */ + br_sha1_init(&hc); + br_sha1_update(&hc, "test", 4); + br_sha1_out(&hc, hv); + if (!br_rsa_sign(sig, sizeof sig, p, q, dp, dq, iq, br_sha1_ID, hv)) { + fprintf(stderr, "RSA-1024/SHA-1 sig generate failed\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT RSA-sign 1", sig, ref, sizeof sig); + + /* + * Verify signature. + */ + if (!br_rsa_verify(sig, sizeof sig, n, e, br_sha1_ID, hv)) { + fprintf(stderr, "RSA-1024/SHA-1 sig verify failed\n"); + exit(EXIT_FAILURE); + } + hv[5] ^= 0x01; + if (br_rsa_verify(sig, sizeof sig, n, e, br_sha1_ID, hv)) { + fprintf(stderr, "RSA-1024/SHA-1 sig verify should have failed\n"); + exit(EXIT_FAILURE); + } + hv[5] ^= 0x01; + + /* + * Generate a signature with the alternate encoding (no NULL) and * verify it. */ hextobin(tmp, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00301F300706052B0E03021A0414A94A8FE5CCB19BA61C4C0873D391E987982FBBD3"); @@ -4294,96 +4998,949 @@ static const char *const KAT_GHASH[] = { "3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710", "ed2ce3062e4a8ec06db8b4c490e8a268", - "466923ec9ae682214f2c082badb39249", - "feedfacedeadbeeffeedfacedeadbeefabaddad2", - "0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7", - "1e6a133806607858ee80eaf237064089", + "466923ec9ae682214f2c082badb39249", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7", + "1e6a133806607858ee80eaf237064089", + + "466923ec9ae682214f2c082badb39249", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012af34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b", + "82567fb0b4cc371801eadec005968e94", + + "dc95c078a2408989ad48a21492842087", + "", + "cea7403d4d606b6e074ec5d3baf39d18", + "83de425c5edc5d498f382c441041ca92", + + "acbef20579b4b8ebce889bac8732dad7", + "", + "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad", + "4db870d37cb75fcb46097c36230d1612", + + "acbef20579b4b8ebce889bac8732dad7", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662", + "8bd0c4d8aacd391e67cca447e8c38f65", + + "acbef20579b4b8ebce889bac8732dad7", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f", + "75a34288b8c68f811c52b2e9a2f97f63", + + "acbef20579b4b8ebce889bac8732dad7", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f", + "d5ffcf6fc5ac4d69722187421a7f170b", + + NULL, +}; + +static void +test_GHASH(const char *name, br_ghash gh) +{ + size_t u; + + printf("Test %s: ", name); + fflush(stdout); + + for (u = 0; KAT_GHASH[u]; u += 4) { + unsigned char h[16]; + unsigned char a[100]; + size_t a_len; + unsigned char c[100]; + size_t c_len; + unsigned char p[16]; + unsigned char y[16]; + unsigned char ref[16]; + + hextobin(h, KAT_GHASH[u]); + a_len = hextobin(a, KAT_GHASH[u + 1]); + c_len = hextobin(c, KAT_GHASH[u + 2]); + hextobin(ref, KAT_GHASH[u + 3]); + memset(y, 0, sizeof y); + gh(y, h, a, a_len); + gh(y, h, c, c_len); + memset(p, 0, sizeof p); + br_enc32be(p + 4, (uint32_t)a_len << 3); + br_enc32be(p + 12, (uint32_t)c_len << 3); + gh(y, h, p, sizeof p); + check_equals("KAT GHASH", y, ref, sizeof ref); + } + + for (u = 0; u <= 1024; u ++) { + unsigned char key[32], iv[12]; + unsigned char buf[1024 + 32]; + unsigned char y0[16], y1[16]; + char tmp[100]; + + memset(key, 0, sizeof key); + memset(iv, 0, sizeof iv); + br_enc32be(key, u); + memset(buf, 0, sizeof buf); + br_chacha20_ct_run(key, iv, 1, buf, sizeof buf); + + memcpy(y0, buf, 16); + br_ghash_ctmul32(y0, buf + 16, buf + 32, u); + memcpy(y1, buf, 16); + gh(y1, buf + 16, buf + 32, u); + sprintf(tmp, "XREF %s (len = %u)", name, (unsigned)u); + check_equals(tmp, y0, y1, 16); + + if ((u & 31) == 0) { + printf("."); + fflush(stdout); + } + } + + printf("done.\n"); + fflush(stdout); +} + +static void +test_GHASH_ctmul(void) +{ + test_GHASH("GHASH_ctmul", br_ghash_ctmul); +} + +static void +test_GHASH_ctmul32(void) +{ + test_GHASH("GHASH_ctmul32", br_ghash_ctmul32); +} + +static void +test_GHASH_ctmul64(void) +{ + test_GHASH("GHASH_ctmul64", br_ghash_ctmul64); +} + +static void +test_GHASH_pclmul(void) +{ + br_ghash gh; + + gh = br_ghash_pclmul_get(); + if (gh == 0) { + printf("Test GHASH_pclmul: UNAVAILABLE\n"); + } else { + test_GHASH("GHASH_pclmul", gh); + } +} + +static void +test_GHASH_pwr8(void) +{ + br_ghash gh; + + gh = br_ghash_pwr8_get(); + if (gh == 0) { + printf("Test GHASH_pwr8: UNAVAILABLE\n"); + } else { + test_GHASH("GHASH_pwr8", gh); + } +} + +/* + * From: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf + * + * Order: key, plaintext, AAD, IV, ciphertext, tag + */ +static const char *const KAT_GCM[] = { + "00000000000000000000000000000000", + "", + "", + "000000000000000000000000", + "", + "58e2fccefa7e3061367f1d57a4e7455a", + + "00000000000000000000000000000000", + "00000000000000000000000000000000", + "", + "000000000000000000000000", + "0388dace60b6a392f328c2b971b2fe78", + "ab6e47d42cec13bdf53a67b21257bddf", + + "feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255", + "", + "cafebabefacedbaddecaf888", + "42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985", + "4d5c2af327cd64a62cf35abd2ba6fab4", + + "feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbaddecaf888", + "42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091", + "5bc94fbc3221a5db94fae95ae7121a47", + + "feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbad", + "61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598", + "3612d2e79e3b0785561be14aaca2fccb", + + "feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b", + "8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5", + "619cc5aefffe0bfa462af43c1699d050", + + "000000000000000000000000000000000000000000000000", + "", + "", + "000000000000000000000000", + "", + "cd33b28ac773f74ba00ed1f312572435", + + "000000000000000000000000000000000000000000000000", + "00000000000000000000000000000000", + "", + "000000000000000000000000", + "98e7247c07f0fe411c267e4384b0f600", + "2ff58d80033927ab8ef4d4587514f0fb", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255", + "", + "cafebabefacedbaddecaf888", + "3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710acade256", + "9924a7c8587336bfb118024db8674a14", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbaddecaf888", + "3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710", + "2519498e80f1478f37ba55bd6d27618c", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbad", + "0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7", + "65dcc57fcf623a24094fcca40d3533f8", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b", + "d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012af34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b", + "dcf566ff291c25bbb8568fc3d376a6d9", + + "0000000000000000000000000000000000000000000000000000000000000000", + "", + "", + "000000000000000000000000", + "", + "530f8afbc74536b9a963b4f1c4cb738b", + + "0000000000000000000000000000000000000000000000000000000000000000", + "00000000000000000000000000000000", + "", + "000000000000000000000000", + "cea7403d4d606b6e074ec5d3baf39d18", + "d0d1c8a799996bf0265b98b5d48ab919", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255", + "", + "cafebabefacedbaddecaf888", + "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad", + "b094dac5d93471bdec1a502270e3cc6c", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbaddecaf888", + "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662", + "76fc6ece0f4e1768cddf8853bb2d551b", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "cafebabefacedbad", + "c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f", + "3a337dbf46a792c45e454913fe2ea8f2", + + "feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308", + "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39", + "feedfacedeadbeeffeedfacedeadbeefabaddad2", + "9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b", + "5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f", + "a44a8266ee1c8eb0c8b5d4cf5ae9f19a", + + NULL +}; + +static void +test_GCM(void) +{ + size_t u; + + printf("Test GCM: "); + fflush(stdout); + + for (u = 0; KAT_GCM[u]; u += 6) { + unsigned char key[32]; + unsigned char plain[100]; + unsigned char aad[100]; + unsigned char iv[100]; + unsigned char cipher[100]; + unsigned char tag[100]; + size_t key_len, plain_len, aad_len, iv_len; + br_aes_ct_ctr_keys bc; + br_gcm_context gc; + unsigned char tmp[100], out[16]; + size_t v, tag_len; + + key_len = hextobin(key, KAT_GCM[u]); + plain_len = hextobin(plain, KAT_GCM[u + 1]); + aad_len = hextobin(aad, KAT_GCM[u + 2]); + iv_len = hextobin(iv, KAT_GCM[u + 3]); + hextobin(cipher, KAT_GCM[u + 4]); + hextobin(tag, KAT_GCM[u + 5]); + + br_aes_ct_ctr_init(&bc, key, key_len); + br_gcm_init(&gc, &bc.vtable, br_ghash_ctmul32); + + memset(tmp, 0x54, sizeof tmp); + + /* + * Basic operation. + */ + memcpy(tmp, plain, plain_len); + br_gcm_reset(&gc, iv, iv_len); + br_gcm_aad_inject(&gc, aad, aad_len); + br_gcm_flip(&gc); + br_gcm_run(&gc, 1, tmp, plain_len); + br_gcm_get_tag(&gc, out); + check_equals("KAT GCM 1", tmp, cipher, plain_len); + check_equals("KAT GCM 2", out, tag, 16); + + br_gcm_reset(&gc, iv, iv_len); + br_gcm_aad_inject(&gc, aad, aad_len); + br_gcm_flip(&gc); + br_gcm_run(&gc, 0, tmp, plain_len); + check_equals("KAT GCM 3", tmp, plain, plain_len); + if (!br_gcm_check_tag(&gc, tag)) { + fprintf(stderr, "Tag not verified (1)\n"); + exit(EXIT_FAILURE); + } + + for (v = plain_len; v < sizeof tmp; v ++) { + if (tmp[v] != 0x54) { + fprintf(stderr, "overflow on data\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Byte-by-byte injection. + */ + br_gcm_reset(&gc, iv, iv_len); + for (v = 0; v < aad_len; v ++) { + br_gcm_aad_inject(&gc, aad + v, 1); + } + br_gcm_flip(&gc); + for (v = 0; v < plain_len; v ++) { + br_gcm_run(&gc, 1, tmp + v, 1); + } + check_equals("KAT GCM 4", tmp, cipher, plain_len); + if (!br_gcm_check_tag(&gc, tag)) { + fprintf(stderr, "Tag not verified (2)\n"); + exit(EXIT_FAILURE); + } + + br_gcm_reset(&gc, iv, iv_len); + for (v = 0; v < aad_len; v ++) { + br_gcm_aad_inject(&gc, aad + v, 1); + } + br_gcm_flip(&gc); + for (v = 0; v < plain_len; v ++) { + br_gcm_run(&gc, 0, tmp + v, 1); + } + br_gcm_get_tag(&gc, out); + check_equals("KAT GCM 5", tmp, plain, plain_len); + check_equals("KAT GCM 6", out, tag, 16); + + /* + * Check that alterations are detected. + */ + for (v = 0; v < aad_len; v ++) { + memcpy(tmp, cipher, plain_len); + br_gcm_reset(&gc, iv, iv_len); + aad[v] ^= 0x04; + br_gcm_aad_inject(&gc, aad, aad_len); + aad[v] ^= 0x04; + br_gcm_flip(&gc); + br_gcm_run(&gc, 0, tmp, plain_len); + check_equals("KAT GCM 7", tmp, plain, plain_len); + if (br_gcm_check_tag(&gc, tag)) { + fprintf(stderr, "Tag should have changed\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Tag truncation. + */ + for (tag_len = 1; tag_len <= 16; tag_len ++) { + memset(out, 0x54, sizeof out); + memcpy(tmp, plain, plain_len); + br_gcm_reset(&gc, iv, iv_len); + br_gcm_aad_inject(&gc, aad, aad_len); + br_gcm_flip(&gc); + br_gcm_run(&gc, 1, tmp, plain_len); + br_gcm_get_tag_trunc(&gc, out, tag_len); + check_equals("KAT GCM 8", out, tag, tag_len); + for (v = tag_len; v < sizeof out; v ++) { + if (out[v] != 0x54) { + fprintf(stderr, "overflow on tag\n"); + exit(EXIT_FAILURE); + } + } + + memcpy(tmp, plain, plain_len); + br_gcm_reset(&gc, iv, iv_len); + br_gcm_aad_inject(&gc, aad, aad_len); + br_gcm_flip(&gc); + br_gcm_run(&gc, 1, tmp, plain_len); + if (!br_gcm_check_tag_trunc(&gc, out, tag_len)) { + fprintf(stderr, "Tag not verified (3)\n"); + exit(EXIT_FAILURE); + } + } + + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +/* + * From "The EAX Mode of Operation (A Two-Pass Authenticated Encryption + * Scheme Optimized for Simplicity and Efficiency)" (Bellare, Rogaway, + * Wagner), presented at FSE 2004. Full article is available at: + * http://web.cs.ucdavis.edu/~rogaway/papers/eax.html + * + * EAX specification concatenates the authentication tag at the end of + * the ciphertext; in our API and the vectors below, the tag is separate. + * + * Order is: plaintext, key, nonce, header, ciphertext, tag. + */ +static const char *const KAT_EAX[] = { + "", + "233952dee4d5ed5f9b9c6d6ff80ff478", + "62ec67f9c3a4a407fcb2a8c49031a8b3", + "6bfb914fd07eae6b", + "", + "e037830e8389f27b025a2d6527e79d01", + + "f7fb", + "91945d3f4dcbee0bf45ef52255f095a4", + "becaf043b0a23d843194ba972c66debd", + "fa3bfd4806eb53fa", + "19dd", + "5c4c9331049d0bdab0277408f67967e5", + + "1a47cb4933", + "01f74ad64077f2e704c0f60ada3dd523", + "70c3db4f0d26368400a10ed05d2bff5e", + "234a3463c1264ac6", + "d851d5bae0", + "3a59f238a23e39199dc9266626c40f80", + + "481c9e39b1", + "d07cf6cbb7f313bdde66b727afd3c5e8", + "8408dfff3c1a2b1292dc199e46b7d617", + "33cce2eabff5a79d", + "632a9d131a", + "d4c168a4225d8e1ff755939974a7bede", + + "40d0c07da5e4", + "35b6d0580005bbc12b0587124557d2c2", + "fdb6b06676eedc5c61d74276e1f8e816", + "aeb96eaebe2970e9", + "071dfe16c675", + "cb0677e536f73afe6a14b74ee49844dd", + + "4de3b35c3fc039245bd1fb7d", + "bd8e6e11475e60b268784c38c62feb22", + "6eac5c93072d8e8513f750935e46da1b", + "d4482d1ca78dce0f", + "835bb4f15d743e350e728414", + "abb8644fd6ccb86947c5e10590210a4f", + + "8b0a79306c9ce7ed99dae4f87f8dd61636", + "7c77d6e813bed5ac98baa417477a2e7d", + "1a8c98dcd73d38393b2bf1569deefc19", + "65d2017990d62528", + "02083e3979da014812f59f11d52630da30", + "137327d10649b0aa6e1c181db617d7f2", + + "1bda122bce8a8dbaf1877d962b8592dd2d56", + "5fff20cafab119ca2fc73549e20f5b0d", + "dde59b97d722156d4d9aff2bc7559826", + "54b9f04e6a09189a", + "2ec47b2c4954a489afc7ba4897edcdae8cc3", + "3b60450599bd02c96382902aef7f832a", + + "6cf36720872b8513f6eab1a8a44438d5ef11", + "a4a4782bcffd3ec5e7ef6d8c34a56123", + "b781fcf2f75fa5a8de97a9ca48e522ec", + "899a175897561d7e", + "0de18fd0fdd91e7af19f1d8ee8733938b1e8", + "e7f6d2231618102fdb7fe55ff1991700", + + "ca40d7446e545ffaed3bd12a740a659ffbbb3ceab7", + "8395fcf1e95bebd697bd010bc766aac3", + "22e7add93cfc6393c57ec0b3c17d6b44", + "126735fcc320d25a", + "cb8920f87a6c75cff39627b56e3ed197c552d295a7", + "cfc46afc253b4652b1af3795b124ab6e", + + NULL +}; + +static void +test_EAX_inner(const char *name, const br_block_ctrcbc_class *vt) +{ + size_t u; + + printf("Test EAX %s: ", name); + fflush(stdout); + + for (u = 0; KAT_EAX[u]; u += 6) { + unsigned char plain[100]; + unsigned char key[32]; + unsigned char nonce[100]; + unsigned char aad[100]; + unsigned char cipher[100]; + unsigned char tag[100]; + size_t plain_len, key_len, nonce_len, aad_len; + br_aes_gen_ctrcbc_keys bc; + br_eax_context ec; + br_eax_state st; + unsigned char tmp[100], out[16]; + size_t v, tag_len; + + plain_len = hextobin(plain, KAT_EAX[u]); + key_len = hextobin(key, KAT_EAX[u + 1]); + nonce_len = hextobin(nonce, KAT_EAX[u + 2]); + aad_len = hextobin(aad, KAT_EAX[u + 3]); + hextobin(cipher, KAT_EAX[u + 4]); + hextobin(tag, KAT_EAX[u + 5]); + + vt->init(&bc.vtable, key, key_len); + br_eax_init(&ec, &bc.vtable); + + memset(tmp, 0x54, sizeof tmp); + + /* + * Basic operation. + */ + memcpy(tmp, plain, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 1, tmp, plain_len); + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 1", tmp, cipher, plain_len); + check_equals("KAT EAX 2", out, tag, 16); + + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 0, tmp, plain_len); + check_equals("KAT EAX 3", tmp, plain, plain_len); + if (!br_eax_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (1)\n"); + exit(EXIT_FAILURE); + } + + for (v = plain_len; v < sizeof tmp; v ++) { + if (tmp[v] != 0x54) { + fprintf(stderr, "overflow on data\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Byte-by-byte injection. + */ + br_eax_reset(&ec, nonce, nonce_len); + for (v = 0; v < aad_len; v ++) { + br_eax_aad_inject(&ec, aad + v, 1); + } + br_eax_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_eax_run(&ec, 1, tmp + v, 1); + } + check_equals("KAT EAX 4", tmp, cipher, plain_len); + if (!br_eax_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (2)\n"); + exit(EXIT_FAILURE); + } + + br_eax_reset(&ec, nonce, nonce_len); + for (v = 0; v < aad_len; v ++) { + br_eax_aad_inject(&ec, aad + v, 1); + } + br_eax_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_eax_run(&ec, 0, tmp + v, 1); + } + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 5", tmp, plain, plain_len); + check_equals("KAT EAX 6", out, tag, 16); + + /* + * Check that alterations are detected. + */ + for (v = 0; v < aad_len; v ++) { + memcpy(tmp, cipher, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + aad[v] ^= 0x04; + br_eax_aad_inject(&ec, aad, aad_len); + aad[v] ^= 0x04; + br_eax_flip(&ec); + br_eax_run(&ec, 0, tmp, plain_len); + check_equals("KAT EAX 7", tmp, plain, plain_len); + if (br_eax_check_tag(&ec, tag)) { + fprintf(stderr, "Tag should have changed\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Tag truncation. + */ + for (tag_len = 1; tag_len <= 16; tag_len ++) { + memset(out, 0x54, sizeof out); + memcpy(tmp, plain, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 1, tmp, plain_len); + br_eax_get_tag_trunc(&ec, out, tag_len); + check_equals("KAT EAX 8", out, tag, tag_len); + for (v = tag_len; v < sizeof out; v ++) { + if (out[v] != 0x54) { + fprintf(stderr, "overflow on tag\n"); + exit(EXIT_FAILURE); + } + } + + memcpy(tmp, plain, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 1, tmp, plain_len); + if (!br_eax_check_tag_trunc(&ec, out, tag_len)) { + fprintf(stderr, "Tag not verified (3)\n"); + exit(EXIT_FAILURE); + } + } + + printf("."); + fflush(stdout); + + /* + * For capture tests, we need the message to be non-empty. + */ + if (plain_len == 0) { + continue; + } + + /* + * Captured state, pre-AAD. This requires the AAD and the + * message to be non-empty. + */ + br_eax_capture(&ec, &st); + + if (aad_len > 0) { + br_eax_reset_pre_aad(&ec, &st, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + memcpy(tmp, plain, plain_len); + br_eax_run(&ec, 1, tmp, plain_len); + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 9", tmp, cipher, plain_len); + check_equals("KAT EAX 10", out, tag, 16); + + br_eax_reset_pre_aad(&ec, &st, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 0, tmp, plain_len); + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 11", tmp, plain, plain_len); + check_equals("KAT EAX 12", out, tag, 16); + } - "466923ec9ae682214f2c082badb39249", - "feedfacedeadbeeffeedfacedeadbeefabaddad2", - "d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012af34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b", - "82567fb0b4cc371801eadec005968e94", + /* + * Captured state, post-AAD. This requires the message to + * be non-empty. + */ + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_get_aad_mac(&ec, &st); + + br_eax_reset_post_aad(&ec, &st, nonce, nonce_len); + memcpy(tmp, plain, plain_len); + br_eax_run(&ec, 1, tmp, plain_len); + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 13", tmp, cipher, plain_len); + check_equals("KAT EAX 14", out, tag, 16); + + br_eax_reset_post_aad(&ec, &st, nonce, nonce_len); + br_eax_run(&ec, 0, tmp, plain_len); + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 15", tmp, plain, plain_len); + check_equals("KAT EAX 16", out, tag, 16); - "dc95c078a2408989ad48a21492842087", - "", - "cea7403d4d606b6e074ec5d3baf39d18", - "83de425c5edc5d498f382c441041ca92", + printf("."); + fflush(stdout); + } - "acbef20579b4b8ebce889bac8732dad7", - "", - "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad", - "4db870d37cb75fcb46097c36230d1612", + printf(" done.\n"); + fflush(stdout); +} - "acbef20579b4b8ebce889bac8732dad7", - "feedfacedeadbeeffeedfacedeadbeefabaddad2", - "522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662", - "8bd0c4d8aacd391e67cca447e8c38f65", +static void +test_EAX(void) +{ + const br_block_ctrcbc_class *x_ctrcbc; - "acbef20579b4b8ebce889bac8732dad7", - "feedfacedeadbeeffeedfacedeadbeefabaddad2", - "c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f", - "75a34288b8c68f811c52b2e9a2f97f63", + test_EAX_inner("aes_big", &br_aes_big_ctrcbc_vtable); + test_EAX_inner("aes_small", &br_aes_small_ctrcbc_vtable); + test_EAX_inner("aes_ct", &br_aes_ct_ctrcbc_vtable); + test_EAX_inner("aes_ct64", &br_aes_ct64_ctrcbc_vtable); - "acbef20579b4b8ebce889bac8732dad7", - "feedfacedeadbeeffeedfacedeadbeefabaddad2", - "5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f", - "d5ffcf6fc5ac4d69722187421a7f170b", + x_ctrcbc = br_aes_x86ni_ctrcbc_get_vtable(); + if (x_ctrcbc != NULL) { + test_EAX_inner("aes_x86ni", x_ctrcbc); + } else { + printf("Test EAX aes_x86ni: UNAVAILABLE\n"); + } +} +/* + * From NIST SP 800-38C, appendix C. + * + * CCM specification concatenates the authentication tag at the end of + * the ciphertext; in our API and the vectors below, the tag is separate. + * + * Order is: key, nonce, aad, plaintext, ciphertext, tag. + */ +static const char *const KAT_CCM[] = { + "404142434445464748494a4b4c4d4e4f", + "10111213141516", + "0001020304050607", + "20212223", + "7162015b", + "4dac255d", + + "404142434445464748494a4b4c4d4e4f", + "1011121314151617", + "000102030405060708090a0b0c0d0e0f", + "202122232425262728292a2b2c2d2e2f", + "d2a1f0e051ea5f62081a7792073d593d", + "1fc64fbfaccd", + + "404142434445464748494a4b4c4d4e4f", + "101112131415161718191a1b", + "000102030405060708090a0b0c0d0e0f10111213", + "202122232425262728292a2b2c2d2e2f3031323334353637", + "e3b201a9f5b71a7a9b1ceaeccd97e70b6176aad9a4428aa5", + "484392fbc1b09951", + + "404142434445464748494a4b4c4d4e4f", + "101112131415161718191a1b1c", NULL, + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "69915dad1e84c6376a68c2967e4dab615ae0fd1faec44cc484828529463ccf72", + "b4ac6bec93e8598e7f0dadbcea5b", + + NULL }; static void -test_GHASH(char *name, br_ghash gh) +test_CCM_inner(const char *name, const br_block_ctrcbc_class *vt) { size_t u; - printf("Test %s: ", name); + printf("Test CCM %s: ", name); fflush(stdout); - for (u = 0; KAT_GHASH[u]; u += 4) { - unsigned char h[16]; - unsigned char a[100]; - size_t a_len; - unsigned char c[100]; - size_t c_len; - unsigned char p[16]; - unsigned char y[16]; - unsigned char ref[16]; + for (u = 0; KAT_CCM[u]; u += 6) { + unsigned char plain[100]; + unsigned char key[32]; + unsigned char nonce[100]; + unsigned char aad_buf[100], *aad; + unsigned char cipher[100]; + unsigned char tag[100]; + size_t plain_len, key_len, nonce_len, aad_len, tag_len; + br_aes_gen_ctrcbc_keys bc; + br_ccm_context ec; + unsigned char tmp[100], out[16]; + size_t v; - hextobin(h, KAT_GHASH[u]); - a_len = hextobin(a, KAT_GHASH[u + 1]); - c_len = hextobin(c, KAT_GHASH[u + 2]); - hextobin(ref, KAT_GHASH[u + 3]); - memset(y, 0, sizeof y); - gh(y, h, a, a_len); - gh(y, h, c, c_len); - memset(p, 0, sizeof p); - br_enc32be(p + 4, (uint32_t)a_len << 3); - br_enc32be(p + 12, (uint32_t)c_len << 3); - gh(y, h, p, sizeof p); - check_equals("KAT GHASH", y, ref, sizeof ref); + key_len = hextobin(key, KAT_CCM[u]); + nonce_len = hextobin(nonce, KAT_CCM[u + 1]); + if (KAT_CCM[u + 2] == NULL) { + aad_len = 65536; + aad = malloc(aad_len); + if (aad == NULL) { + fprintf(stderr, "OOM error\n"); + exit(EXIT_FAILURE); + } + for (v = 0; v < 65536; v ++) { + aad[v] = (unsigned char)v; + } + } else { + aad = aad_buf; + aad_len = hextobin(aad, KAT_CCM[u + 2]); + } + plain_len = hextobin(plain, KAT_CCM[u + 3]); + hextobin(cipher, KAT_CCM[u + 4]); + tag_len = hextobin(tag, KAT_CCM[u + 5]); + + vt->init(&bc.vtable, key, key_len); + br_ccm_init(&ec, &bc.vtable); + + memset(tmp, 0x54, sizeof tmp); + + /* + * Basic operation. + */ + memcpy(tmp, plain, plain_len); + if (!br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len)) + { + fprintf(stderr, "CCM reset failed\n"); + exit(EXIT_FAILURE); + } + br_ccm_aad_inject(&ec, aad, aad_len); + br_ccm_flip(&ec); + br_ccm_run(&ec, 1, tmp, plain_len); + if (br_ccm_get_tag(&ec, out) != tag_len) { + fprintf(stderr, "CCM returned wrong tag length\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT CCM 1", tmp, cipher, plain_len); + check_equals("KAT CCM 2", out, tag, tag_len); + + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + br_ccm_aad_inject(&ec, aad, aad_len); + br_ccm_flip(&ec); + br_ccm_run(&ec, 0, tmp, plain_len); + check_equals("KAT CCM 3", tmp, plain, plain_len); + if (!br_ccm_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (1)\n"); + exit(EXIT_FAILURE); + } + + for (v = plain_len; v < sizeof tmp; v ++) { + if (tmp[v] != 0x54) { + fprintf(stderr, "overflow on data\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Byte-by-byte injection. + */ + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + for (v = 0; v < aad_len; v ++) { + br_ccm_aad_inject(&ec, aad + v, 1); + } + br_ccm_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_ccm_run(&ec, 1, tmp + v, 1); + } + check_equals("KAT CCM 4", tmp, cipher, plain_len); + if (!br_ccm_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (2)\n"); + exit(EXIT_FAILURE); + } + + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + for (v = 0; v < aad_len; v ++) { + br_ccm_aad_inject(&ec, aad + v, 1); + } + br_ccm_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_ccm_run(&ec, 0, tmp + v, 1); + } + br_ccm_get_tag(&ec, out); + check_equals("KAT CCM 5", tmp, plain, plain_len); + check_equals("KAT CCM 6", out, tag, tag_len); + + /* + * Check that alterations are detected. + */ + for (v = 0; v < aad_len; v ++) { + memcpy(tmp, cipher, plain_len); + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + aad[v] ^= 0x04; + br_ccm_aad_inject(&ec, aad, aad_len); + aad[v] ^= 0x04; + br_ccm_flip(&ec); + br_ccm_run(&ec, 0, tmp, plain_len); + check_equals("KAT CCM 7", tmp, plain, plain_len); + if (br_ccm_check_tag(&ec, tag)) { + fprintf(stderr, "Tag should have changed\n"); + exit(EXIT_FAILURE); + } + + /* + * When the AAD is really big, we don't want to do + * the complete quadratic operation. + */ + if (v >= 32) { + break; + } + } + + if (aad != aad_buf) { + free(aad); + } + + printf("."); + fflush(stdout); } - printf("done.\n"); + printf(" done.\n"); fflush(stdout); } static void -test_GHASH_ctmul(void) +test_CCM(void) { - test_GHASH("GHASH_ctmul", br_ghash_ctmul); -} + const br_block_ctrcbc_class *x_ctrcbc; -static void -test_GHASH_ctmul32(void) -{ - test_GHASH("GHASH_ctmul32", br_ghash_ctmul32); -} + test_CCM_inner("aes_big", &br_aes_big_ctrcbc_vtable); + test_CCM_inner("aes_small", &br_aes_small_ctrcbc_vtable); + test_CCM_inner("aes_ct", &br_aes_ct_ctrcbc_vtable); + test_CCM_inner("aes_ct64", &br_aes_ct64_ctrcbc_vtable); -static void -test_GHASH_ctmul64(void) -{ - test_GHASH("GHASH_ctmul64", br_ghash_ctmul64); + x_ctrcbc = br_aes_x86ni_ctrcbc_get_vtable(); + if (x_ctrcbc != NULL) { + test_CCM_inner("aes_x86ni", x_ctrcbc); + } else { + printf("Test CCM aes_x86ni: UNAVAILABLE\n"); + } } static void @@ -4505,6 +6062,20 @@ test_EC_inner(const char *sk, const char *sU, exit(EXIT_FAILURE); } + /* + * Also recomputed D = z*G with mulgen(). This must + * again match. + */ + memset(eD, 0, ulen); + if (impl->mulgen(eD, bz, nlen, cd->curve) != ulen) { + fprintf(stderr, "mulgen() failed: wrong length\n"); + exit(EXIT_FAILURE); + } + if (memcmp(eC, eD, nlen) != 0) { + fprintf(stderr, "mulgen() / muladd() mismatch\n"); + exit(EXIT_FAILURE); + } + /* * Check with x*A = y*B. We do so by setting b = x and y = a. */ @@ -4564,6 +6135,39 @@ test_EC_inner(const char *sk, const char *sU, fflush(stdout); } +static void +test_EC_P256_carry_inner(const br_ec_impl *impl, const char *sP, const char *sQ) +{ + unsigned char P[65], Q[sizeof P], k[1]; + size_t plen, qlen; + + plen = hextobin(P, sP); + qlen = hextobin(Q, sQ); + if (plen != sizeof P || qlen != sizeof P) { + fprintf(stderr, "KAT is incorrect\n"); + exit(EXIT_FAILURE); + } + k[0] = 0x10; + if (impl->mul(P, plen, k, 1, BR_EC_secp256r1) != 1) { + fprintf(stderr, "P-256 multiplication failed\n"); + exit(EXIT_FAILURE); + } + check_equals("P256_carry", P, Q, plen); + printf("."); + fflush(stdout); +} + +static void +test_EC_P256_carry(const br_ec_impl *impl) +{ + test_EC_P256_carry_inner(impl, + "0435BAA24B2B6E1B3C88E22A383BD88CC4B9A3166E7BCF94FF6591663AE066B33B821EBA1B4FC8EA609A87EB9A9C9A1CCD5C9F42FA1365306F64D7CAA718B8C978", + "0447752A76CA890328D34E675C4971EC629132D1FC4863EDB61219B72C4E58DC5E9D51E7B293488CFD913C3CF20E438BB65C2BA66A7D09EABB45B55E804260C5EB"); + test_EC_P256_carry_inner(impl, + "04DCAE9D9CE211223602024A6933BD42F77B6BF4EAB9C8915F058C149419FADD2CC9FC0707B270A1B5362BA4D249AFC8AC3DA1EFCA8270176EEACA525B49EE19E6", + "048DAC7B0BE9B3206FCE8B24B6B4AEB122F2A67D13E536B390B6585CA193427E63F222388B5F51D744D6F5D47536D89EEEC89552BCB269E7828019C4410DFE980A"); +} + static void test_EC_KAT(const char *name, const br_ec_impl *impl, uint32_t curve_mask) { @@ -4576,6 +6180,7 @@ test_EC_KAT(const char *name, const br_ec_impl *impl, uint32_t curve_mask) "C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721", "0460FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB67903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299", impl, BR_EC_secp256r1); + test_EC_P256_carry(impl); } if (curve_mask & ((uint32_t)1 << BR_EC_secp384r1)) { test_EC_inner( @@ -4594,6 +6199,15 @@ test_EC_KAT(const char *name, const br_ec_impl *impl, uint32_t curve_mask) fflush(stdout); } +static void +test_EC_prime_i15(void) +{ + test_EC_KAT("EC_prime_i15", &br_ec_prime_i15, + (uint32_t)1 << BR_EC_secp256r1 + | (uint32_t)1 << BR_EC_secp384r1 + | (uint32_t)1 << BR_EC_secp521r1); +} + static void test_EC_prime_i31(void) { @@ -4603,6 +6217,124 @@ test_EC_prime_i31(void) | (uint32_t)1 << BR_EC_secp521r1); } +static void +test_EC_p256_m15(void) +{ + test_EC_KAT("EC_p256_m15", &br_ec_p256_m15, + (uint32_t)1 << BR_EC_secp256r1); +} + +static void +test_EC_p256_m31(void) +{ + test_EC_KAT("EC_p256_m31", &br_ec_p256_m31, + (uint32_t)1 << BR_EC_secp256r1); +} + +const struct { + const char *scalar; + const char *u_in; + const char *u_out; +} C25519_KAT[] = { + { "A546E36BF0527C9D3B16154B82465EDD62144C0AC1FC5A18506A2244BA449AC4", + "E6DB6867583030DB3594C1A424B15F7C726624EC26B3353B10A903A6D0AB1C4C", + "C3DA55379DE9C6908E94EA4DF28D084F32ECCF03491C71F754B4075577A28552" }, + { "4B66E9D4D1B4673C5AD22691957D6AF5C11B6421E0EA01D42CA4169E7918BA0D", + "E5210F12786811D3F4B7959D0538AE2C31DBE7106FC03C3EFC4CD549C715A493", + "95CBDE9476E8907D7AADE45CB4B873F88B595A68799FA152E6F8F7647AAC7957" }, + { 0, 0, 0 } +}; + +static void +test_EC_c25519(const char *name, const br_ec_impl *iec) +{ + unsigned char bu[32], bk[32], br[32]; + size_t v; + int i; + + printf("Test %s: ", name); + fflush(stdout); + for (v = 0; C25519_KAT[v].scalar; v ++) { + hextobin(bk, C25519_KAT[v].scalar); + hextobin(bu, C25519_KAT[v].u_in); + hextobin(br, C25519_KAT[v].u_out); + if (!iec->mul(bu, sizeof bu, bk, sizeof bk, BR_EC_curve25519)) { + fprintf(stderr, "Curve25519 multiplication failed\n"); + exit(EXIT_FAILURE); + } + if (memcmp(bu, br, sizeof bu) != 0) { + fprintf(stderr, "Curve25519 failed KAT\n"); + exit(EXIT_FAILURE); + } + printf("."); + fflush(stdout); + } + printf(" "); + fflush(stdout); + + memset(bu, 0, sizeof bu); + bu[0] = 0x09; + memcpy(bk, bu, sizeof bu); + for (i = 1; i <= 1000; i ++) { + if (!iec->mul(bu, sizeof bu, bk, sizeof bk, BR_EC_curve25519)) { + fprintf(stderr, "Curve25519 multiplication failed" + " (iter=%d)\n", i); + exit(EXIT_FAILURE); + } + for (v = 0; v < sizeof bu; v ++) { + unsigned t; + + t = bu[v]; + bu[v] = bk[v]; + bk[v] = t; + } + if (i == 1 || i == 1000) { + const char *sref; + + sref = (i == 1) + ? "422C8E7A6227D7BCA1350B3E2BB7279F7897B87BB6854B783C60E80311AE3079" + : "684CF59BA83309552800EF566F2F4D3C1C3887C49360E3875F2EB94D99532C51"; + hextobin(br, sref); + if (memcmp(bk, br, sizeof bk) != 0) { + fprintf(stderr, + "Curve25519 failed KAT (iter=%d)\n", i); + exit(EXIT_FAILURE); + } + } + if (i % 100 == 0) { + printf("."); + fflush(stdout); + } + } + + printf(" done.\n"); + fflush(stdout); +} + +static void +test_EC_c25519_i15(void) +{ + test_EC_c25519("EC_c25519_i15", &br_ec_c25519_i15); +} + +static void +test_EC_c25519_i31(void) +{ + test_EC_c25519("EC_c25519_i31", &br_ec_c25519_i31); +} + +static void +test_EC_c25519_m15(void) +{ + test_EC_c25519("EC_c25519_m15", &br_ec_c25519_m15); +} + +static void +test_EC_c25519_m31(void) +{ + test_EC_c25519("EC_c25519_m31", &br_ec_c25519_m31); +} + static const unsigned char EC_P256_PUB_POINT[] = { 0x04, 0x60, 0xFE, 0xD4, 0xBA, 0x25, 0x5A, 0x9D, 0x31, 0xC9, 0x61, 0xEB, 0x74, 0xC6, 0x35, 0x6D, @@ -4975,7 +6707,8 @@ const ecdsa_kat_vector ECDSA_KAT[] = { }; static void -test_ECDSA_KAT(br_ecdsa_sign sign, br_ecdsa_vrfy vrfy, int asn1) +test_ECDSA_KAT(const br_ec_impl *iec, + br_ecdsa_sign sign, br_ecdsa_vrfy vrfy, int asn1) { size_t u; @@ -5002,28 +6735,28 @@ test_ECDSA_KAT(br_ecdsa_sign sign, br_ecdsa_vrfy vrfy, int asn1) sig_len = hextobin(sig, kv->sraw); } - if (vrfy(&br_ec_prime_i31, hash, hash_len, + if (vrfy(iec, hash, hash_len, kv->pub, sig, sig_len) != 1) { fprintf(stderr, "ECDSA KAT verify failed (1)\n"); exit(EXIT_FAILURE); } hash[0] ^= 0x80; - if (vrfy(&br_ec_prime_i31, hash, hash_len, + if (vrfy(iec, hash, hash_len, kv->pub, sig, sig_len) != 0) { fprintf(stderr, "ECDSA KAT verify shoud have failed\n"); exit(EXIT_FAILURE); } hash[0] ^= 0x80; - if (vrfy(&br_ec_prime_i31, hash, hash_len, + if (vrfy(iec, hash, hash_len, kv->pub, sig, sig_len) != 1) { fprintf(stderr, "ECDSA KAT verify failed (2)\n"); exit(EXIT_FAILURE); } - sig2_len = sign(&br_ec_prime_i31, kv->hf, hash, kv->priv, sig2); + sig2_len = sign(iec, kv->hf, hash, kv->priv, sig2); if (sig2_len == 0) { fprintf(stderr, "ECDSA KAT sign failed\n"); exit(EXIT_FAILURE); @@ -5045,10 +6778,131 @@ test_ECDSA_i31(void) fflush(stdout); printf("[raw]"); fflush(stdout); - test_ECDSA_KAT(&br_ecdsa_i31_sign_raw, &br_ecdsa_i31_vrfy_raw, 0); + test_ECDSA_KAT(&br_ec_prime_i31, + &br_ecdsa_i31_sign_raw, &br_ecdsa_i31_vrfy_raw, 0); + printf(" [asn1]"); + fflush(stdout); + test_ECDSA_KAT(&br_ec_prime_i31, + &br_ecdsa_i31_sign_asn1, &br_ecdsa_i31_vrfy_asn1, 1); + printf(" done.\n"); + fflush(stdout); +} + +static void +test_ECDSA_i15(void) +{ + printf("Test ECDSA/i15: "); + fflush(stdout); + printf("[raw]"); + fflush(stdout); + test_ECDSA_KAT(&br_ec_prime_i15, + &br_ecdsa_i15_sign_raw, &br_ecdsa_i15_vrfy_raw, 0); printf(" [asn1]"); fflush(stdout); - test_ECDSA_KAT(&br_ecdsa_i31_sign_asn1, &br_ecdsa_i31_vrfy_asn1, 1); + test_ECDSA_KAT(&br_ec_prime_i31, + &br_ecdsa_i15_sign_asn1, &br_ecdsa_i15_vrfy_asn1, 1); + printf(" done.\n"); + fflush(stdout); +} + +static void +test_modpow_i31(void) +{ + br_hmac_drbg_context hc; + int k; + + printf("Test ModPow/i31: "); + + br_hmac_drbg_init(&hc, &br_sha256_vtable, "seed modpow", 11); + for (k = 10; k <= 500; k ++) { + size_t blen; + unsigned char bm[128], bx[128], bx1[128], bx2[128]; + unsigned char be[128]; + unsigned mask; + uint32_t x1[35], m1[35]; + uint16_t x2[70], m2[70]; + uint32_t tmp1[1000]; + uint16_t tmp2[2000]; + + blen = (k + 7) >> 3; + br_hmac_drbg_generate(&hc, bm, blen); + br_hmac_drbg_generate(&hc, bx, blen); + br_hmac_drbg_generate(&hc, be, blen); + bm[blen - 1] |= 0x01; + mask = 0xFF >> ((int)(blen << 3) - k); + bm[0] &= mask; + bm[0] |= (mask - (mask >> 1)); + bx[0] &= (mask >> 1); + + br_i31_decode(m1, bm, blen); + br_i31_decode_mod(x1, bx, blen, m1); + br_i31_modpow_opt(x1, be, blen, m1, br_i31_ninv31(m1[1]), + tmp1, (sizeof tmp1) / (sizeof tmp1[0])); + br_i31_encode(bx1, blen, x1); + + br_i15_decode(m2, bm, blen); + br_i15_decode_mod(x2, bx, blen, m2); + br_i15_modpow_opt(x2, be, blen, m2, br_i15_ninv15(m2[1]), + tmp2, (sizeof tmp2) / (sizeof tmp2[0])); + br_i15_encode(bx2, blen, x2); + + check_equals("ModPow i31/i15", bx1, bx2, blen); + + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +static void +test_modpow_i62(void) +{ + br_hmac_drbg_context hc; + int k; + + printf("Test ModPow/i62: "); + + br_hmac_drbg_init(&hc, &br_sha256_vtable, "seed modpow", 11); + for (k = 10; k <= 500; k ++) { + size_t blen; + unsigned char bm[128], bx[128], bx1[128], bx2[128]; + unsigned char be[128]; + unsigned mask; + uint32_t x1[35], m1[35]; + uint16_t x2[70], m2[70]; + uint64_t tmp1[500]; + uint16_t tmp2[2000]; + + blen = (k + 7) >> 3; + br_hmac_drbg_generate(&hc, bm, blen); + br_hmac_drbg_generate(&hc, bx, blen); + br_hmac_drbg_generate(&hc, be, blen); + bm[blen - 1] |= 0x01; + mask = 0xFF >> ((int)(blen << 3) - k); + bm[0] &= mask; + bm[0] |= (mask - (mask >> 1)); + bx[0] &= (mask >> 1); + + br_i31_decode(m1, bm, blen); + br_i31_decode_mod(x1, bx, blen, m1); + br_i62_modpow_opt(x1, be, blen, m1, br_i31_ninv31(m1[1]), + tmp1, (sizeof tmp1) / (sizeof tmp1[0])); + br_i31_encode(bx1, blen, x1); + + br_i15_decode(m2, bm, blen); + br_i15_decode_mod(x2, bx, blen, m2); + br_i15_modpow_opt(x2, be, blen, m2, br_i15_ninv15(m2[1]), + tmp2, (sizeof tmp2) / (sizeof tmp2[0])); + br_i15_encode(bx2, blen, x2); + + check_equals("ModPow i62/i15", bx1, bx2, blen); + + printf("."); + fflush(stdout); + } + printf(" done.\n"); fflush(stdout); } @@ -5096,7 +6950,7 @@ eq_name(const char *s1, const char *s2) static const struct { void (*fn)(void); - char *name; + const char *name; } tfns[] = { STU(MD5), STU(SHA1), @@ -5113,16 +6967,45 @@ static const struct { STU(AES_small), STU(AES_ct), STU(AES_ct64), + STU(AES_pwr8), + STU(AES_x86ni), + STU(AES_CTRCBC_big), + STU(AES_CTRCBC_small), + STU(AES_CTRCBC_ct), + STU(AES_CTRCBC_ct64), + STU(AES_CTRCBC_x86ni), STU(DES_tab), STU(DES_ct), + STU(ChaCha20_ct), + STU(ChaCha20_sse2), + STU(Poly1305_ctmul), + STU(Poly1305_ctmul32), + STU(Poly1305_ctmulq), + STU(Poly1305_i15), + STU(RSA_i15), STU(RSA_i31), STU(RSA_i32), + STU(RSA_i62), STU(GHASH_ctmul), STU(GHASH_ctmul32), STU(GHASH_ctmul64), + STU(GHASH_pclmul), + STU(GHASH_pwr8), + STU(CCM), + STU(EAX), + STU(GCM), + STU(EC_prime_i15), STU(EC_prime_i31), - /* STU(EC_prime_i32), */ + STU(EC_p256_m15), + STU(EC_p256_m31), + STU(EC_c25519_i15), + STU(EC_c25519_i31), + STU(EC_c25519_m15), + STU(EC_c25519_m31), + STU(ECDSA_i15), STU(ECDSA_i31), + STU(modpow_i31), + STU(modpow_i62), { 0, 0 } };