1 /**********************************************************************
2 Copyright(c) 2024 Intel Corporation All rights reserved.
3
4 Redistribution and use in source and binary forms, with or without
5 modification, are permitted provided that the following conditions
6 are met:
7 * Redistributions of source code must retain the above copyright
8 notice, this list of conditions and the following disclaimer.
9 * Redistributions in binary form must reproduce the above copyright
10 notice, this list of conditions and the following disclaimer in
11 the documentation and/or other materials provided with the
12 distribution.
13 * Neither the name of Intel Corporation nor the names of its
14 contributors may be used to endorse or promote products derived
15 from this software without specific prior written permission.
16
17 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
18 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
20 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
21 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
22 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
23 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 **********************************************************************/
29
30 /*
31 * AES self tests
32 */
33
34 #include <stdlib.h>
35 #include <stdio.h>
36 #include <stdint.h>
37 #include <string.h>
38
39 #include "aes_cbc.h"
40 #include "aes_cbc_internal.h"
41 #include "aes_xts_internal.h"
42 #include "aes_gcm.h"
43 #include "aes_gcm_internal.h"
44 #include "aes_keyexp_internal.h"
45
46 #include "internal_fips.h"
47 #include "types.h"
48 #include "test.h"
49
50 struct self_test_cbc_vector {
51 const uint8_t *cipher_key; /* Cipher key */
52 size_t cipher_key_size; /* Key size in bytes */
53 uint8_t *cipher_iv; /* Initialization vector */
54 const uint8_t *plaintext; /* Plaintext */
55 size_t plaintext_size; /* Plaintext length in bytes */
56 const uint8_t *ciphertext; /* Ciphertext */
57 const char *description; /* Description of vector */
58 };
59
60 struct self_test_xts_vector {
61 uint8_t *cipher_key1; /* Cipher key 1 */
62 uint8_t *cipher_key2; /* Cipher key 2 */
63 size_t cipher_key_size; /* Key size in bytes */
64 uint8_t *tweak; /* 16-byte tweak */
65 const uint8_t *plaintext; /* Plaintext */
66 size_t plaintext_size; /* Plaintext length in bytes */
67 const uint8_t *ciphertext; /* Ciphertext */
68 const char *description; /* Description of vector */
69 };
70
71 struct self_test_gcm_vector {
72 const uint8_t *key; /* Cipher key */
73 size_t cipher_key_size; /* Key size in bytes */
74 uint8_t *cipher_iv; /* Initialization vector */
75 const uint8_t *plaintext; /* Plaintext */
76 size_t plaintext_size; /* Plaintext length in bytes */
77 const uint8_t *ciphertext; /* Ciphertext */
78 const uint8_t *aad; /* AAD */
79 size_t aad_size; /* AAD size */
80 uint8_t *tag; /* Authenticationg tag */
81 size_t tag_size; /* Authenticationg tag size */
82 const char *description; /* Description of vector */
83 };
84
85 /*
86 * AES-CBC Test vectors from
87 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
88 */
89
90 static const uint8_t aes_cbc_128_key[] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
91 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
92
93 static uint8_t aes_cbc_128_iv[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
94 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
95
96 static const uint8_t aes_cbc_128_plaintext[] = {
97 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73,
98 0x93, 0x17, 0x2a, 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7,
99 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4,
100 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, 0xf6, 0x9f, 0x24, 0x45,
101 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
102 };
103
104 static const uint8_t aes_cbc_128_ciphertext[] = {
105 0x76, 0x49, 0xab, 0xac, 0x81, 0x19, 0xb2, 0x46, 0xce, 0xe9, 0x8e, 0x9b, 0x12,
106 0xe9, 0x19, 0x7d, 0x50, 0x86, 0xcb, 0x9b, 0x50, 0x72, 0x19, 0xee, 0x95, 0xdb,
107 0x11, 0x3a, 0x91, 0x76, 0x78, 0xb2, 0x73, 0xbe, 0xd6, 0xb8, 0xe3, 0xc1, 0x74,
108 0x3b, 0x71, 0x16, 0xe6, 0x9e, 0x22, 0x22, 0x95, 0x16, 0x3f, 0xf1, 0xca, 0xa1,
109 0x68, 0x1f, 0xac, 0x09, 0x12, 0x0e, 0xca, 0x30, 0x75, 0x86, 0xe1, 0xa7
110 };
111
112 static const uint8_t aes_cbc_192_key[] = { 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
113 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
114 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b };
115
116 static uint8_t aes_cbc_192_iv[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
117 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
118
119 static const uint8_t aes_cbc_192_plaintext[] = {
120 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73,
121 0x93, 0x17, 0x2a, 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7,
122 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4,
123 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, 0xf6, 0x9f, 0x24, 0x45,
124 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
125 };
126
127 static const uint8_t aes_cbc_192_ciphertext[] = {
128 0x4f, 0x02, 0x1d, 0xb2, 0x43, 0xbc, 0x63, 0x3d, 0x71, 0x78, 0x18, 0x3a, 0x9f,
129 0xa0, 0x71, 0xe8, 0xb4, 0xd9, 0xad, 0xa9, 0xad, 0x7d, 0xed, 0xf4, 0xe5, 0xe7,
130 0x38, 0x76, 0x3f, 0x69, 0x14, 0x5a, 0x57, 0x1b, 0x24, 0x20, 0x12, 0xfb, 0x7a,
131 0xe0, 0x7f, 0xa9, 0xba, 0xac, 0x3d, 0xf1, 0x02, 0xe0, 0x08, 0xb0, 0xe2, 0x79,
132 0x88, 0x59, 0x88, 0x81, 0xd9, 0x20, 0xa9, 0xe6, 0x4f, 0x56, 0x15, 0xcd
133 };
134
135 static const uint8_t aes_cbc_256_key[] = { 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
136 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
137 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
138 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4 };
139
140 static uint8_t aes_cbc_256_iv[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
141 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
142
143 static const uint8_t aes_cbc_256_plaintext[] = {
144 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73,
145 0x93, 0x17, 0x2a, 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7,
146 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4,
147 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, 0xf6, 0x9f, 0x24, 0x45,
148 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
149 };
150
151 static const uint8_t aes_cbc_256_ciphertext[] = {
152 0xf5, 0x8c, 0x4c, 0x04, 0xd6, 0xe5, 0xf1, 0xba, 0x77, 0x9e, 0xab, 0xfb, 0x5f,
153 0x7b, 0xfb, 0xd6, 0x9c, 0xfc, 0x4e, 0x96, 0x7e, 0xdb, 0x80, 0x8d, 0x67, 0x9f,
154 0x77, 0x7b, 0xc6, 0x70, 0x2c, 0x7d, 0x39, 0xf2, 0x33, 0x69, 0xa9, 0xd9, 0xba,
155 0xcf, 0xa5, 0x30, 0xe2, 0x63, 0x04, 0x23, 0x14, 0x61, 0xb2, 0xeb, 0x05, 0xe2,
156 0xc3, 0x9b, 0xe9, 0xfc, 0xda, 0x6c, 0x19, 0x07, 0x8c, 0x6a, 0x9d, 0x1b
157 };
158
159 /*
160 * AES-XTS Test vectors from the standard:
161 * "IEEE Standard for Cryptographic Protection of Data on Block-Oriented
162 * Storage Devices"
163 * http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4493450
164 */
165 static uint8_t aes_xts_128_key1[16] = { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
166 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11 };
167
168 static uint8_t aes_xts_128_key2[16] = { 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
169 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 };
170
171 static uint8_t aes_xts_128_tweak[16] = { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
172 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
173
174 static uint8_t aes_xts_128_plaintext[32] = { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
175 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
176 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
177 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 };
178
179 static uint8_t aes_xts_128_ciphertext[32] = { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
180 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
181 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
182 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 };
183
184 static uint8_t aes_xts_256_key1[32] = { 0x27, 0x18, 0x28, 0x18, 0x28, 0x45, 0x90, 0x45,
185 0x23, 0x53, 0x60, 0x28, 0x74, 0x71, 0x35, 0x26,
186 0x62, 0x49, 0x77, 0x57, 0x24, 0x70, 0x93, 0x69,
187 0x99, 0x59, 0x57, 0x49, 0x66, 0x96, 0x76, 0x27 };
188
189 static uint8_t aes_xts_256_key2[32] = { 0x31, 0x41, 0x59, 0x26, 0x53, 0x58, 0x97, 0x93,
190 0x23, 0x84, 0x62, 0x64, 0x33, 0x83, 0x27, 0x95,
191 0x02, 0x88, 0x41, 0x97, 0x16, 0x93, 0x99, 0x37,
192 0x51, 0x05, 0x82, 0x09, 0x74, 0x94, 0x45, 0x92 };
193
194 static uint8_t aes_xts_256_tweak[16] = { 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
196
197 static uint8_t aes_xts_256_plaintext[512] = {
198 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
199 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d,
200 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c,
201 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
202 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a,
203 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59,
204 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
205 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
206 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86,
207 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95,
208 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4,
209 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3,
210 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2,
211 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1,
212 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0,
213 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
214 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe,
215 0xff, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d,
216 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c,
217 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
218 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a,
219 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49,
220 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
221 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
222 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76,
223 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85,
224 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94,
225 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3,
226 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
227 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1,
228 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0,
229 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
230 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee,
231 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd,
232 0xfe, 0xff
233 };
234
235 static uint8_t aes_xts_256_ciphertext[512] = {
236 0x1c, 0x3b, 0x3a, 0x10, 0x2f, 0x77, 0x03, 0x86, 0xe4, 0x83, 0x6c, 0x99, 0xe3, 0x70, 0xcf,
237 0x9b, 0xea, 0x00, 0x80, 0x3f, 0x5e, 0x48, 0x23, 0x57, 0xa4, 0xae, 0x12, 0xd4, 0x14, 0xa3,
238 0xe6, 0x3b, 0x5d, 0x31, 0xe2, 0x76, 0xf8, 0xfe, 0x4a, 0x8d, 0x66, 0xb3, 0x17, 0xf9, 0xac,
239 0x68, 0x3f, 0x44, 0x68, 0x0a, 0x86, 0xac, 0x35, 0xad, 0xfc, 0x33, 0x45, 0xbe, 0xfe, 0xcb,
240 0x4b, 0xb1, 0x88, 0xfd, 0x57, 0x76, 0x92, 0x6c, 0x49, 0xa3, 0x09, 0x5e, 0xb1, 0x08, 0xfd,
241 0x10, 0x98, 0xba, 0xec, 0x70, 0xaa, 0xa6, 0x69, 0x99, 0xa7, 0x2a, 0x82, 0xf2, 0x7d, 0x84,
242 0x8b, 0x21, 0xd4, 0xa7, 0x41, 0xb0, 0xc5, 0xcd, 0x4d, 0x5f, 0xff, 0x9d, 0xac, 0x89, 0xae,
243 0xba, 0x12, 0x29, 0x61, 0xd0, 0x3a, 0x75, 0x71, 0x23, 0xe9, 0x87, 0x0f, 0x8a, 0xcf, 0x10,
244 0x00, 0x02, 0x08, 0x87, 0x89, 0x14, 0x29, 0xca, 0x2a, 0x3e, 0x7a, 0x7d, 0x7d, 0xf7, 0xb1,
245 0x03, 0x55, 0x16, 0x5c, 0x8b, 0x9a, 0x6d, 0x0a, 0x7d, 0xe8, 0xb0, 0x62, 0xc4, 0x50, 0x0d,
246 0xc4, 0xcd, 0x12, 0x0c, 0x0f, 0x74, 0x18, 0xda, 0xe3, 0xd0, 0xb5, 0x78, 0x1c, 0x34, 0x80,
247 0x3f, 0xa7, 0x54, 0x21, 0xc7, 0x90, 0xdf, 0xe1, 0xde, 0x18, 0x34, 0xf2, 0x80, 0xd7, 0x66,
248 0x7b, 0x32, 0x7f, 0x6c, 0x8c, 0xd7, 0x55, 0x7e, 0x12, 0xac, 0x3a, 0x0f, 0x93, 0xec, 0x05,
249 0xc5, 0x2e, 0x04, 0x93, 0xef, 0x31, 0xa1, 0x2d, 0x3d, 0x92, 0x60, 0xf7, 0x9a, 0x28, 0x9d,
250 0x6a, 0x37, 0x9b, 0xc7, 0x0c, 0x50, 0x84, 0x14, 0x73, 0xd1, 0xa8, 0xcc, 0x81, 0xec, 0x58,
251 0x3e, 0x96, 0x45, 0xe0, 0x7b, 0x8d, 0x96, 0x70, 0x65, 0x5b, 0xa5, 0xbb, 0xcf, 0xec, 0xc6,
252 0xdc, 0x39, 0x66, 0x38, 0x0a, 0xd8, 0xfe, 0xcb, 0x17, 0xb6, 0xba, 0x02, 0x46, 0x9a, 0x02,
253 0x0a, 0x84, 0xe1, 0x8e, 0x8f, 0x84, 0x25, 0x20, 0x70, 0xc1, 0x3e, 0x9f, 0x1f, 0x28, 0x9b,
254 0xe5, 0x4f, 0xbc, 0x48, 0x14, 0x57, 0x77, 0x8f, 0x61, 0x60, 0x15, 0xe1, 0x32, 0x7a, 0x02,
255 0xb1, 0x40, 0xf1, 0x50, 0x5e, 0xb3, 0x09, 0x32, 0x6d, 0x68, 0x37, 0x8f, 0x83, 0x74, 0x59,
256 0x5c, 0x84, 0x9d, 0x84, 0xf4, 0xc3, 0x33, 0xec, 0x44, 0x23, 0x88, 0x51, 0x43, 0xcb, 0x47,
257 0xbd, 0x71, 0xc5, 0xed, 0xae, 0x9b, 0xe6, 0x9a, 0x2f, 0xfe, 0xce, 0xb1, 0xbe, 0xc9, 0xde,
258 0x24, 0x4f, 0xbe, 0x15, 0x99, 0x2b, 0x11, 0xb7, 0x7c, 0x04, 0x0f, 0x12, 0xbd, 0x8f, 0x6a,
259 0x97, 0x5a, 0x44, 0xa0, 0xf9, 0x0c, 0x29, 0xa9, 0xab, 0xc3, 0xd4, 0xd8, 0x93, 0x92, 0x72,
260 0x84, 0xc5, 0x87, 0x54, 0xcc, 0xe2, 0x94, 0x52, 0x9f, 0x86, 0x14, 0xdc, 0xd2, 0xab, 0xa9,
261 0x91, 0x92, 0x5f, 0xed, 0xc4, 0xae, 0x74, 0xff, 0xac, 0x6e, 0x33, 0x3b, 0x93, 0xeb, 0x4a,
262 0xff, 0x04, 0x79, 0xda, 0x9a, 0x41, 0x0e, 0x44, 0x50, 0xe0, 0xdd, 0x7a, 0xe4, 0xc6, 0xe2,
263 0x91, 0x09, 0x00, 0x57, 0x5d, 0xa4, 0x01, 0xfc, 0x07, 0x05, 0x9f, 0x64, 0x5e, 0x8b, 0x7e,
264 0x9b, 0xfd, 0xef, 0x33, 0x94, 0x30, 0x54, 0xff, 0x84, 0x01, 0x14, 0x93, 0xc2, 0x7b, 0x34,
265 0x29, 0xea, 0xed, 0xb4, 0xed, 0x53, 0x76, 0x44, 0x1a, 0x77, 0xed, 0x43, 0x85, 0x1a, 0xd7,
266 0x7f, 0x16, 0xf5, 0x41, 0xdf, 0xd2, 0x69, 0xd5, 0x0d, 0x6a, 0x5f, 0x14, 0xfb, 0x0a, 0xab,
267 0x1c, 0xbb, 0x4c, 0x15, 0x50, 0xbe, 0x97, 0xf7, 0xab, 0x40, 0x66, 0x19, 0x3c, 0x4c, 0xaa,
268 0x77, 0x3d, 0xad, 0x38, 0x01, 0x4b, 0xd2, 0x09, 0x2f, 0xa7, 0x55, 0xc8, 0x24, 0xbb, 0x5e,
269 0x54, 0xc4, 0xf3, 0x6f, 0xfd, 0xa9, 0xfc, 0xea, 0x70, 0xb9, 0xc6, 0xe6, 0x93, 0xe1, 0x48,
270 0xc1, 0x51
271 };
272
273 /* AES-GCM-128 vector, from
274 * http://www.ieee802.org/1/files/public/docs2011/bn-randall-test-vectors-0511-v1.pdf */
275 static const uint8_t aes_gcm_128_key[] = { 0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
276 0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45 };
277 static const uint8_t aes_gcm_128_plaintext[] = { 0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
278 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
279 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
280 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
281 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
282 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02 };
283 static uint8_t aes_gcm_128_iv[] = { 0x12, 0x15, 0x35, 0x24, 0xC0, 0x89,
284 0x5E, 0x81, 0xB2, 0xC2, 0x84, 0x65 };
285 static const uint8_t aes_gcm_128_aad[] = { 0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63, 0x7A,
286 0x0D, 0x46, 0xDF, 0x99, 0x8D, 0x88, 0xE5,
287 0x2E, 0x00, 0xB2, 0xC2, 0x84, 0x65, 0x12,
288 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81 };
289 static const uint8_t aes_gcm_128_ciphertext[] = { 0x70, 0x1A, 0xFA, 0x1C, 0xC0, 0x39, 0xC0, 0xD7,
290 0x65, 0x12, 0x8A, 0x66, 0x5D, 0xAB, 0x69, 0x24,
291 0x38, 0x99, 0xBF, 0x73, 0x18, 0xCC, 0xDC, 0x81,
292 0xC9, 0x93, 0x1D, 0xA1, 0x7F, 0xBE, 0x8E, 0xDD,
293 0x7D, 0x17, 0xCB, 0x8B, 0x4C, 0x26, 0xFC, 0x81,
294 0xE3, 0x28, 0x4F, 0x2B, 0x7F, 0xBA, 0x71, 0x3D };
295 static uint8_t aes_gcm_128_tag[] = { 0x4F, 0x8D, 0x55, 0xE7, 0xD3, 0xF0, 0x6F, 0xD5,
296 0xA1, 0x3C, 0x0C, 0x29, 0xB9, 0xD5, 0xB8, 0x80 };
297
298 /* AES-GCM-256 vector, from
299 * http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf */
300 static const uint8_t aes_gcm_256_key[] = { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
301 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
302 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
303 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 };
304 static const uint8_t aes_gcm_256_plaintext[] = {
305 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26,
306 0x9a, 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31,
307 0x8a, 0x72, 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, 0x2f, 0xcf, 0x0e, 0x24, 0x49,
308 0xa6, 0xb5, 0x25, 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 0xba, 0x63, 0x7b, 0x39
309 };
310 static const uint8_t aes_gcm_256_aad[] = { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe,
311 0xef, 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad,
312 0xbe, 0xef, 0xab, 0xad, 0xda, 0xd2 };
313 static uint8_t aes_gcm_256_iv[] = { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce,
314 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88 };
315 static const uint8_t aes_gcm_256_ciphertext[] = {
316 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07, 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42,
317 0x7d, 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9, 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55,
318 0xd1, 0xaa, 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d, 0xa7, 0xb0, 0x8b, 0x10, 0x56,
319 0x82, 0x88, 0x38, 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a, 0xbc, 0xc9, 0xf6, 0x62
320 };
321 static uint8_t aes_gcm_256_tag[] = { 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
322 0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b };
323
324 #define ADD_CBC_VECTOR(_key, _iv, _plain, _cipher, _descr) \
325 { _key, sizeof(_key), _iv, _plain, sizeof(_plain), _cipher, _descr }
326
327 static const struct self_test_cbc_vector cbc_vectors[] = {
328 ADD_CBC_VECTOR(aes_cbc_128_key, aes_cbc_128_iv, aes_cbc_128_plaintext,
329 aes_cbc_128_ciphertext, "AES128-CBC"),
330 ADD_CBC_VECTOR(aes_cbc_192_key, aes_cbc_192_iv, aes_cbc_192_plaintext,
331 aes_cbc_192_ciphertext, "AES192-CBC"),
332 ADD_CBC_VECTOR(aes_cbc_256_key, aes_cbc_256_iv, aes_cbc_256_plaintext,
333 aes_cbc_256_ciphertext, "AES256-CBC"),
334 };
335
336 static int
cbc_self_test_vector(const struct self_test_cbc_vector * v)337 cbc_self_test_vector(const struct self_test_cbc_vector *v)
338 {
339 struct {
340 DECLARE_ALIGNED(uint8_t expkey_enc[16 * 15], 16);
341 DECLARE_ALIGNED(uint8_t expkey_dec[16 * 15], 16);
342 } aes_keys;
343 uint8_t scratch[256];
344
345 /* message too long */
346 if (v->plaintext_size > sizeof(scratch))
347 return 0;
348
349 /* test encrypt direction */
350 memset(scratch, 0, sizeof(scratch));
351 memcpy(scratch, v->plaintext, v->plaintext_size);
352
353 switch (v->cipher_key_size) {
354 case ISAL_CBC_128_BITS:
355 _aes_keyexp_128(v->cipher_key, aes_keys.expkey_enc, aes_keys.expkey_dec);
356 _aes_cbc_enc_128(scratch, v->cipher_iv, aes_keys.expkey_enc, scratch,
357 v->plaintext_size);
358 break;
359 case ISAL_CBC_192_BITS:
360 _aes_keyexp_192(v->cipher_key, aes_keys.expkey_enc, aes_keys.expkey_dec);
361 _aes_cbc_enc_192(scratch, v->cipher_iv, aes_keys.expkey_enc, scratch,
362 v->plaintext_size);
363 break;
364 case ISAL_CBC_256_BITS:
365 _aes_keyexp_256(v->cipher_key, aes_keys.expkey_enc, aes_keys.expkey_dec);
366 _aes_cbc_enc_256(scratch, v->cipher_iv, aes_keys.expkey_enc, scratch,
367 v->plaintext_size);
368 break;
369 default:
370 /* invalid key size */
371 return 0;
372 }
373
374 /* check for cipher text mismatch */
375 if (memcmp(scratch, v->ciphertext, v->plaintext_size))
376 return 0;
377
378 /* test decrypt direction */
379 memset(scratch, 0, sizeof(scratch));
380 memcpy(scratch, v->ciphertext, v->plaintext_size);
381
382 switch (v->cipher_key_size) {
383 case ISAL_CBC_128_BITS:
384 _aes_cbc_dec_128(scratch, v->cipher_iv, aes_keys.expkey_dec, scratch,
385 v->plaintext_size);
386 break;
387 case ISAL_CBC_192_BITS:
388 _aes_cbc_dec_192(scratch, v->cipher_iv, aes_keys.expkey_dec, scratch,
389 v->plaintext_size);
390 break;
391 case ISAL_CBC_256_BITS:
392 _aes_cbc_dec_256(scratch, v->cipher_iv, aes_keys.expkey_dec, scratch,
393 v->plaintext_size);
394 break;
395 default:
396 /* invalid key size */
397 return 0;
398 }
399
400 /* check for plain text mismatch */
401 if (memcmp(scratch, v->plaintext, v->plaintext_size))
402 return 0;
403
404 return 1;
405 }
406
407 static int
_aes_cbc_self_test(void)408 _aes_cbc_self_test(void)
409 {
410 for (uint32_t i = 0; i < DIM(cbc_vectors); i++) {
411 const struct self_test_cbc_vector *v = &cbc_vectors[i];
412
413 if (cbc_self_test_vector(v) == 0)
414 return 1;
415 }
416
417 return 0;
418 }
419
420 #define ADD_XTS_VECTOR(_key1, _key2, _tweak, _plain, _cipher, _descr) \
421 { _key1, _key2, sizeof(_key1), _tweak, _plain, sizeof(_plain), _cipher, _descr }
422
423 static const struct self_test_xts_vector xts_vectors[] = {
424 ADD_XTS_VECTOR(aes_xts_128_key1, aes_xts_128_key2, aes_xts_128_tweak, aes_xts_128_plaintext,
425 aes_xts_128_ciphertext, "AES128-XTS"),
426 ADD_XTS_VECTOR(aes_xts_256_key1, aes_xts_256_key2, aes_xts_256_tweak, aes_xts_256_plaintext,
427 aes_xts_256_ciphertext, "AES256-XTS"),
428 };
429
430 static int
xts_self_test_vector(const struct self_test_xts_vector * v)431 xts_self_test_vector(const struct self_test_xts_vector *v)
432 {
433 struct {
434 DECLARE_ALIGNED(uint8_t expkey1_enc[16 * 15], 16);
435 DECLARE_ALIGNED(uint8_t expkey1_dec[16 * 15], 16);
436 DECLARE_ALIGNED(uint8_t expkey2_enc[16 * 15], 16);
437 DECLARE_ALIGNED(uint8_t expkey2_dec[16 * 15], 16);
438 } aes_keys;
439 uint8_t scratch[512];
440
441 /* message too long */
442 if (v->plaintext_size > sizeof(scratch))
443 return 0;
444
445 /* test encrypt direction */
446 memset(scratch, 0, sizeof(scratch));
447 memcpy(scratch, v->plaintext, v->plaintext_size);
448
449 switch (v->cipher_key_size) {
450 case 16:
451 _XTS_AES_128_enc(v->cipher_key2, v->cipher_key1, v->tweak, v->plaintext_size,
452 scratch, scratch);
453 break;
454 case 32:
455 _XTS_AES_256_enc(v->cipher_key2, v->cipher_key1, v->tweak, v->plaintext_size,
456 scratch, scratch);
457 break;
458 default:
459 /* invalid key size */
460 return 0;
461 }
462
463 /* check for ciphertext mismatch */
464 if (memcmp(scratch, v->ciphertext, v->plaintext_size))
465 return 0;
466
467 /* test encrypt direction (expanded keys) */
468 memset(scratch, 0, sizeof(scratch));
469 memcpy(scratch, v->plaintext, v->plaintext_size);
470 switch (v->cipher_key_size) {
471 case 16:
472 _aes_keyexp_128(v->cipher_key1, aes_keys.expkey1_enc, aes_keys.expkey1_dec);
473 _aes_keyexp_128(v->cipher_key2, aes_keys.expkey2_enc, aes_keys.expkey2_dec);
474 _XTS_AES_128_enc_expanded_key(aes_keys.expkey2_enc, aes_keys.expkey1_enc, v->tweak,
475 v->plaintext_size, scratch, scratch);
476 break;
477 case 32:
478 _aes_keyexp_256(v->cipher_key1, aes_keys.expkey1_enc, aes_keys.expkey1_dec);
479 _aes_keyexp_256(v->cipher_key2, aes_keys.expkey2_enc, aes_keys.expkey2_dec);
480 _XTS_AES_256_enc_expanded_key(aes_keys.expkey2_enc, aes_keys.expkey1_enc, v->tweak,
481 v->plaintext_size, scratch, scratch);
482 break;
483 default:
484 /* invalid key size */
485 return 0;
486 }
487
488 /* check for ciphertext mismatch */
489 if (memcmp(scratch, v->ciphertext, v->plaintext_size))
490 return 0;
491
492 /* test decrypt direction */
493 memset(scratch, 0, sizeof(scratch));
494 memcpy(scratch, v->ciphertext, v->plaintext_size);
495
496 switch (v->cipher_key_size) {
497 case 16:
498 _XTS_AES_128_dec(v->cipher_key2, v->cipher_key1, v->tweak, v->plaintext_size,
499 scratch, scratch);
500 break;
501 case 32:
502 _XTS_AES_256_dec(v->cipher_key2, v->cipher_key1, v->tweak, v->plaintext_size,
503 scratch, scratch);
504 break;
505 default:
506 /* invalid key size */
507 return 0;
508 }
509
510 /* check for plaintext mismatch */
511 if (memcmp(scratch, v->plaintext, v->plaintext_size))
512 return 0;
513
514 /* test decrypt direction (expanded keys) */
515 memset(scratch, 0, sizeof(scratch));
516 memcpy(scratch, v->ciphertext, v->plaintext_size);
517 switch (v->cipher_key_size) {
518 case 16:
519 _aes_keyexp_128(v->cipher_key1, aes_keys.expkey1_enc, aes_keys.expkey1_dec);
520 _aes_keyexp_128(v->cipher_key2, aes_keys.expkey2_enc, aes_keys.expkey2_dec);
521 _XTS_AES_128_dec_expanded_key(aes_keys.expkey2_enc, aes_keys.expkey1_dec, v->tweak,
522 v->plaintext_size, scratch, scratch);
523 break;
524 case 32:
525 _aes_keyexp_256(v->cipher_key1, aes_keys.expkey1_enc, aes_keys.expkey1_dec);
526 _aes_keyexp_256(v->cipher_key2, aes_keys.expkey2_enc, aes_keys.expkey2_dec);
527 _XTS_AES_256_dec_expanded_key(aes_keys.expkey2_enc, aes_keys.expkey1_dec, v->tweak,
528 v->plaintext_size, scratch, scratch);
529 break;
530 default:
531 /* invalid key size */
532 return 0;
533 }
534
535 /* check for plaintext mismatch */
536 if (memcmp(scratch, v->plaintext, v->plaintext_size))
537 return 0;
538
539 return 1;
540 }
541
542 static int
_aes_xts_self_test(void)543 _aes_xts_self_test(void)
544 {
545 for (uint32_t i = 0; i < DIM(xts_vectors); i++) {
546 const struct self_test_xts_vector *v = &xts_vectors[i];
547
548 if (xts_self_test_vector(v) == 0)
549 return 1;
550 }
551
552 return 0;
553 }
554
555 #define ADD_GCM_VECTOR(_key, _iv, _plain, _cipher, _aad, _tag, _descr) \
556 { _key, sizeof(_key), _iv, _plain, sizeof(_plain), _cipher, \
557 _aad, sizeof(_aad), _tag, sizeof(_tag), _descr }
558
559 static const struct self_test_gcm_vector gcm_vectors[] = {
560 ADD_GCM_VECTOR(aes_gcm_128_key, aes_gcm_128_iv, aes_gcm_128_plaintext,
561 aes_gcm_128_ciphertext, aes_gcm_128_aad, aes_gcm_128_tag, "AES128-GCM"),
562 ADD_GCM_VECTOR(aes_gcm_256_key, aes_gcm_256_iv, aes_gcm_256_plaintext,
563 aes_gcm_256_ciphertext, aes_gcm_256_aad, aes_gcm_256_tag, "AES256-GCM"),
564 };
565
566 static int
gcm_self_test_vector(const struct self_test_gcm_vector * v)567 gcm_self_test_vector(const struct self_test_gcm_vector *v)
568 {
569 struct isal_gcm_key_data gkey;
570 struct isal_gcm_context_data gctx;
571 uint8_t scratch[512];
572 uint8_t result_tag[16];
573
574 /* message too long */
575 if (v->plaintext_size > sizeof(scratch))
576 return 0;
577
578 /* Precompute AES and GHASH keys */
579 switch (v->cipher_key_size) {
580 case 16:
581 _aes_gcm_pre_128(v->key, &gkey);
582 break;
583 case 32:
584 _aes_gcm_pre_256(v->key, &gkey);
585 break;
586 default:
587 /* invalid key size */
588 return 0;
589 }
590
591 /* test encrypt direction (single call API) */
592 memset(scratch, 0, sizeof(scratch));
593 memcpy(scratch, v->plaintext, v->plaintext_size);
594 switch (v->cipher_key_size) {
595 case 16:
596 _aes_gcm_enc_128(&gkey, &gctx, scratch, scratch, v->plaintext_size, v->cipher_iv,
597 v->aad, v->aad_size, result_tag, v->tag_size);
598 break;
599 case 32:
600 _aes_gcm_enc_256(&gkey, &gctx, scratch, scratch, v->plaintext_size, v->cipher_iv,
601 v->aad, v->aad_size, result_tag, v->tag_size);
602 break;
603 default:
604 /* invalid key size */
605 return 0;
606 }
607
608 /* check for ciphertext mismatch */
609 if (memcmp(scratch, v->ciphertext, v->plaintext_size))
610 return 0;
611
612 /* check for authentication tag mismatch */
613 if (memcmp(result_tag, v->tag, v->tag_size))
614 return 0;
615
616 /* test encrypt direction (multi-call API) */
617 memset(scratch, 0, sizeof(scratch));
618 memcpy(scratch, v->plaintext, v->plaintext_size);
619 switch (v->cipher_key_size) {
620 case 16:
621 _aes_gcm_init_128(&gkey, &gctx, v->cipher_iv, v->aad, v->aad_size);
622 _aes_gcm_enc_128_update(&gkey, &gctx, scratch, scratch, v->plaintext_size);
623 _aes_gcm_enc_128_finalize(&gkey, &gctx, v->tag, v->tag_size);
624 break;
625 case 32:
626 _aes_gcm_init_256(&gkey, &gctx, v->cipher_iv, v->aad, v->aad_size);
627 _aes_gcm_enc_256_update(&gkey, &gctx, scratch, scratch, v->plaintext_size);
628 _aes_gcm_enc_256_finalize(&gkey, &gctx, v->tag, v->tag_size);
629 break;
630 default:
631 /* invalid key size */
632 return 0;
633 }
634
635 /* check for ciphertext mismatch */
636 if (memcmp(scratch, v->ciphertext, v->plaintext_size))
637 return 0;
638
639 /* check for authentication tag mismatch */
640 if (memcmp(result_tag, v->tag, v->tag_size))
641 return 0;
642
643 /* test decrypt direction (single-call API) */
644 memset(scratch, 0, sizeof(scratch));
645 memcpy(scratch, v->ciphertext, v->plaintext_size);
646
647 switch (v->cipher_key_size) {
648 case 16:
649 _aes_gcm_dec_128(&gkey, &gctx, scratch, scratch, v->plaintext_size, v->cipher_iv,
650 v->aad, v->aad_size, result_tag, v->tag_size);
651 break;
652 case 32:
653 _aes_gcm_dec_256(&gkey, &gctx, scratch, scratch, v->plaintext_size, v->cipher_iv,
654 v->aad, v->aad_size, result_tag, v->tag_size);
655 break;
656 default:
657 /* invalid key size */
658 return 0;
659 }
660
661 /* check for plaintext mismatch */
662 if (memcmp(scratch, v->plaintext, v->plaintext_size))
663 return 0;
664
665 /* check for authentication tag mismatch */
666 if (memcmp(result_tag, v->tag, v->tag_size))
667 return 0;
668
669 /* test decrypt direction (multi-call API) */
670 memset(scratch, 0, sizeof(scratch));
671 memcpy(scratch, v->ciphertext, v->plaintext_size);
672 switch (v->cipher_key_size) {
673 case 16:
674 _aes_gcm_init_128(&gkey, &gctx, v->cipher_iv, v->aad, v->aad_size);
675 _aes_gcm_dec_128_update(&gkey, &gctx, scratch, scratch, v->plaintext_size);
676 _aes_gcm_dec_128_finalize(&gkey, &gctx, v->tag, v->tag_size);
677 break;
678 case 32:
679 _aes_gcm_init_256(&gkey, &gctx, v->cipher_iv, v->aad, v->aad_size);
680 _aes_gcm_dec_256_update(&gkey, &gctx, scratch, scratch, v->plaintext_size);
681 _aes_gcm_dec_256_finalize(&gkey, &gctx, v->tag, v->tag_size);
682 break;
683 default:
684 /* invalid key size */
685 return 0;
686 }
687
688 /* check for plaintext mismatch */
689 if (memcmp(scratch, v->plaintext, v->plaintext_size))
690 return 0;
691
692 /* check for authentication tag mismatch */
693 if (memcmp(result_tag, v->tag, v->tag_size))
694 return 0;
695
696 return 1;
697 }
698
699 static int
_aes_gcm_self_test(void)700 _aes_gcm_self_test(void)
701 {
702 for (unsigned i = 0; i < DIM(gcm_vectors); i++) {
703 const struct self_test_gcm_vector *v = &gcm_vectors[i];
704
705 if (gcm_self_test_vector(v) == 0)
706 return 1;
707 }
708
709 return 0;
710 }
711
712 int
_aes_self_tests(void)713 _aes_self_tests(void)
714 {
715 int ret;
716
717 ret = _aes_cbc_self_test();
718 ret |= _aes_xts_self_test();
719 ret |= _aes_gcm_self_test();
720
721 return ret;
722 }
723