1 /* $OpenBSD: aeadtest.c,v 1.23 2022/08/20 19:25:14 jsing Exp $ */ 2 /* 3 * Copyright (c) 2022 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2014, Google Inc. 5 * 6 * Permission to use, copy, modify, and/or distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 13 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 15 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 16 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <ctype.h> 20 #include <stdint.h> 21 #include <stdio.h> 22 #include <stdlib.h> 23 #include <string.h> 24 #include <unistd.h> 25 26 #include <openssl/err.h> 27 #include <openssl/evp.h> 28 29 /* 30 * This program tests an AEAD against a series of test vectors from a file. The 31 * test vector file consists of key-value lines where the key and value are 32 * separated by a colon and optional whitespace. The keys are listed in 33 * NAMES, below. The values are hex-encoded data. 34 * 35 * After a number of key-value lines, a blank line indicates the end of the 36 * test case. 37 * 38 * For example, here's a valid test case: 39 * 40 * AEAD: chacha20-poly1305 41 * KEY: bcb2639bf989c6251b29bf38d39a9bdce7c55f4b2ac12a39c8a37b5d0a5cc2b5 42 * NONCE: 1e8b4c510f5ca083 43 * IN: 8c8419bc27 44 * AD: 34ab88c265 45 * CT: 1a7c2f33f5 46 * TAG: 2875c659d0f2808de3a40027feff91a4 47 */ 48 49 #define BUF_MAX 1024 50 51 /* These are the different types of line that are found in the input file. */ 52 enum { 53 AEAD = 0, /* name of the AEAD algorithm. */ 54 KEY, /* hex encoded key. */ 55 NONCE, /* hex encoded nonce. */ 56 IN, /* hex encoded plaintext. */ 57 AD, /* hex encoded additional data. */ 58 CT, /* hex encoded ciphertext (not including the 59 * authenticator, which is next. */ 60 TAG, /* hex encoded authenticator. */ 61 NUM_TYPES 62 }; 63 64 static const char NAMES[NUM_TYPES][6] = { 65 "AEAD", 66 "KEY", 67 "NONCE", 68 "IN", 69 "AD", 70 "CT", 71 "TAG", 72 }; 73 74 static unsigned char 75 hex_digit(char h) 76 { 77 if (h >= '0' && h <= '9') 78 return h - '0'; 79 else if (h >= 'a' && h <= 'f') 80 return h - 'a' + 10; 81 else if (h >= 'A' && h <= 'F') 82 return h - 'A' + 10; 83 else 84 return 16; 85 } 86 87 static int 88 aead_from_name(const EVP_AEAD **aead, const EVP_CIPHER **cipher, 89 const char *name) 90 { 91 *aead = NULL; 92 *cipher = NULL; 93 94 if (strcmp(name, "aes-128-gcm") == 0) { 95 *aead = EVP_aead_aes_128_gcm(); 96 *cipher = EVP_aes_128_gcm(); 97 } else if (strcmp(name, "aes-192-gcm") == 0) { 98 *cipher = EVP_aes_192_gcm(); 99 } else if (strcmp(name, "aes-256-gcm") == 0) { 100 *aead = EVP_aead_aes_256_gcm(); 101 *cipher = EVP_aes_256_gcm(); 102 } else if (strcmp(name, "chacha20-poly1305") == 0) { 103 *aead = EVP_aead_chacha20_poly1305(); 104 *cipher = EVP_chacha20_poly1305(); 105 } else if (strcmp(name, "xchacha20-poly1305") == 0) { 106 *aead = EVP_aead_xchacha20_poly1305(); 107 } else { 108 fprintf(stderr, "Unknown AEAD: %s\n", name); 109 return 0; 110 } 111 112 return 1; 113 } 114 115 static int 116 run_aead_test(const EVP_AEAD *aead, unsigned char bufs[NUM_TYPES][BUF_MAX], 117 const unsigned int lengths[NUM_TYPES], unsigned int line_no) 118 { 119 EVP_AEAD_CTX *ctx; 120 unsigned char out[BUF_MAX + EVP_AEAD_MAX_TAG_LENGTH], out2[BUF_MAX]; 121 size_t out_len, out_len2; 122 int ret = 0; 123 124 if ((ctx = EVP_AEAD_CTX_new()) == NULL) { 125 fprintf(stderr, "Failed to allocate AEAD context on line %u\n", 126 line_no); 127 goto err; 128 } 129 130 if (!EVP_AEAD_CTX_init(ctx, aead, bufs[KEY], lengths[KEY], 131 lengths[TAG], NULL)) { 132 fprintf(stderr, "Failed to init AEAD on line %u\n", line_no); 133 goto err; 134 } 135 136 if (!EVP_AEAD_CTX_seal(ctx, out, &out_len, sizeof(out), bufs[NONCE], 137 lengths[NONCE], bufs[IN], lengths[IN], bufs[AD], lengths[AD])) { 138 fprintf(stderr, "Failed to run AEAD on line %u\n", line_no); 139 goto err; 140 } 141 142 if (out_len != lengths[CT] + lengths[TAG]) { 143 fprintf(stderr, "Bad output length on line %u: %zu vs %u\n", 144 line_no, out_len, (unsigned)(lengths[CT] + lengths[TAG])); 145 goto err; 146 } 147 148 if (memcmp(out, bufs[CT], lengths[CT]) != 0) { 149 fprintf(stderr, "Bad output on line %u\n", line_no); 150 goto err; 151 } 152 153 if (memcmp(out + lengths[CT], bufs[TAG], lengths[TAG]) != 0) { 154 fprintf(stderr, "Bad tag on line %u\n", line_no); 155 goto err; 156 } 157 158 if (!EVP_AEAD_CTX_open(ctx, out2, &out_len2, lengths[IN], bufs[NONCE], 159 lengths[NONCE], out, out_len, bufs[AD], lengths[AD])) { 160 fprintf(stderr, "Failed to decrypt on line %u\n", line_no); 161 goto err; 162 } 163 164 if (out_len2 != lengths[IN]) { 165 fprintf(stderr, "Bad decrypt on line %u: %zu\n", 166 line_no, out_len2); 167 goto err; 168 } 169 170 if (memcmp(out2, bufs[IN], out_len2) != 0) { 171 fprintf(stderr, "Plaintext mismatch on line %u\n", line_no); 172 goto err; 173 } 174 175 out[0] ^= 0x80; 176 if (EVP_AEAD_CTX_open(ctx, out2, &out_len2, lengths[IN], bufs[NONCE], 177 lengths[NONCE], out, out_len, bufs[AD], lengths[AD])) { 178 fprintf(stderr, "Decrypted bad data on line %u\n", line_no); 179 goto err; 180 } 181 182 ret = 1; 183 184 err: 185 EVP_AEAD_CTX_free(ctx); 186 187 return ret; 188 } 189 190 static int 191 run_cipher_aead_encrypt_test(const EVP_CIPHER *cipher, 192 unsigned char bufs[NUM_TYPES][BUF_MAX], 193 const unsigned int lengths[NUM_TYPES], unsigned int line_no) 194 { 195 unsigned char out[BUF_MAX + EVP_AEAD_MAX_TAG_LENGTH]; 196 EVP_CIPHER_CTX *ctx; 197 size_t out_len; 198 int len; 199 int ret = 0; 200 201 if ((ctx = EVP_CIPHER_CTX_new()) == NULL) { 202 fprintf(stderr, "FAIL: EVP_CIPHER_CTX_new\n"); 203 goto err; 204 } 205 206 if (!EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL)) { 207 fprintf(stderr, "FAIL: EVP_EncryptInit_ex with cipher\n"); 208 goto err; 209 } 210 211 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, lengths[NONCE], NULL)) { 212 fprintf(stderr, "FAIL: EVP_CTRL_AEAD_SET_IVLEN\n"); 213 goto err; 214 } 215 216 if (!EVP_EncryptInit_ex(ctx, NULL, NULL, bufs[KEY], NULL)) { 217 fprintf(stderr, "FAIL: EVP_EncryptInit_ex with key\n"); 218 goto err; 219 } 220 if (!EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, bufs[NONCE])) { 221 fprintf(stderr, "FAIL: EVP_EncryptInit_ex with nonce\n"); 222 goto err; 223 } 224 225 if (!EVP_EncryptUpdate(ctx, NULL, &len, bufs[AD], lengths[AD])) { 226 fprintf(stderr, "FAIL: EVP_EncryptUpdate with AD\n"); 227 goto err; 228 } 229 if ((unsigned int)len != lengths[AD]) { 230 fprintf(stderr, "FAIL: EVP_EncryptUpdate with AD length = %u, " 231 "want %u\n", len, lengths[AD]); 232 goto err; 233 } 234 if (!EVP_EncryptUpdate(ctx, out, &len, bufs[IN], lengths[IN])) { 235 fprintf(stderr, "FAIL: EVP_EncryptUpdate with plaintext\n"); 236 goto err; 237 } 238 out_len = len; 239 if (!EVP_EncryptFinal_ex(ctx, out + out_len, &len)) { 240 fprintf(stderr, "FAIL: EVP_EncryptFinal_ex\n"); 241 goto err; 242 } 243 out_len += len; 244 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, lengths[TAG], 245 out + out_len)) { 246 fprintf(stderr, "FAIL: EVP_EncryptInit_ex with cipher\n"); 247 goto err; 248 } 249 out_len += lengths[TAG]; 250 251 if (out_len != lengths[CT] + lengths[TAG]) { 252 fprintf(stderr, "Bad output length on line %u: %zu vs %u\n", 253 line_no, out_len, (unsigned)(lengths[CT] + lengths[TAG])); 254 goto err; 255 } 256 257 if (memcmp(out, bufs[CT], lengths[CT]) != 0) { 258 fprintf(stderr, "Bad output on line %u\n", line_no); 259 goto err; 260 } 261 262 if (memcmp(out + lengths[CT], bufs[TAG], lengths[TAG]) != 0) { 263 fprintf(stderr, "Bad tag on line %u\n", line_no); 264 goto err; 265 } 266 267 ret = 1; 268 269 err: 270 EVP_CIPHER_CTX_free(ctx); 271 272 return ret; 273 } 274 275 static int 276 run_cipher_aead_decrypt_test(const EVP_CIPHER *cipher, int invalid, 277 unsigned char bufs[NUM_TYPES][BUF_MAX], 278 const unsigned int lengths[NUM_TYPES], unsigned int line_no) 279 { 280 unsigned char in[BUF_MAX], out[BUF_MAX + EVP_AEAD_MAX_TAG_LENGTH]; 281 EVP_CIPHER_CTX *ctx; 282 size_t out_len; 283 int len; 284 int ret = 0; 285 286 if ((ctx = EVP_CIPHER_CTX_new()) == NULL) { 287 fprintf(stderr, "FAIL: EVP_CIPHER_CTX_new\n"); 288 goto err; 289 } 290 291 if (!EVP_DecryptInit_ex(ctx, cipher, NULL, NULL, NULL)) { 292 fprintf(stderr, "FAIL: EVP_DecryptInit_ex with cipher\n"); 293 goto err; 294 } 295 296 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, lengths[NONCE], 297 NULL)) { 298 fprintf(stderr, "FAIL: EVP_CTRL_AEAD_SET_IVLEN\n"); 299 goto err; 300 } 301 302 memcpy(in, bufs[TAG], lengths[TAG]); 303 if (invalid && lengths[CT] == 0) 304 in[0] ^= 0x80; 305 306 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, lengths[TAG], in)) { 307 fprintf(stderr, "FAIL: EVP_CTRL_AEAD_SET_TAG\n"); 308 goto err; 309 } 310 311 if (!EVP_DecryptInit_ex(ctx, NULL, NULL, bufs[KEY], NULL)) { 312 fprintf(stderr, "FAIL: EVP_DecryptInit_ex with key\n"); 313 goto err; 314 } 315 if (!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, bufs[NONCE])) { 316 fprintf(stderr, "FAIL: EVP_DecryptInit_ex with nonce\n"); 317 goto err; 318 } 319 320 if (!EVP_DecryptUpdate(ctx, NULL, &len, bufs[AD], lengths[AD])) { 321 fprintf(stderr, "FAIL: EVP_DecryptUpdate with AD\n"); 322 goto err; 323 } 324 if ((unsigned int)len != lengths[AD]) { 325 fprintf(stderr, "FAIL: EVP_EncryptUpdate with AD length = %u, " 326 "want %u\n", len, lengths[AD]); 327 goto err; 328 } 329 330 memcpy(in, bufs[CT], lengths[CT]); 331 if (invalid && lengths[CT] > 0) 332 in[0] ^= 0x80; 333 334 if (!EVP_DecryptUpdate(ctx, out, &len, in, lengths[CT])) { 335 fprintf(stderr, "FAIL: EVP_DecryptUpdate with ciphertext\n"); 336 goto err; 337 } 338 out_len = len; 339 340 if (invalid) { 341 if (EVP_DecryptFinal_ex(ctx, out + out_len, &len)) { 342 fprintf(stderr, "FAIL: EVP_DecryptFinal_ex succeeded " 343 "with invalid ciphertext on line %u\n", line_no); 344 goto err; 345 } 346 goto done; 347 } 348 349 if (!EVP_DecryptFinal_ex(ctx, out + out_len, &len)) { 350 fprintf(stderr, "FAIL: EVP_DecryptFinal_ex\n"); 351 goto err; 352 } 353 out_len += len; 354 355 if (out_len != lengths[IN]) { 356 fprintf(stderr, "Bad decrypt on line %u: %zu\n", 357 line_no, out_len); 358 goto err; 359 } 360 361 if (memcmp(out, bufs[IN], out_len) != 0) { 362 fprintf(stderr, "Plaintext mismatch on line %u\n", line_no); 363 goto err; 364 } 365 366 done: 367 ret = 1; 368 369 err: 370 EVP_CIPHER_CTX_free(ctx); 371 372 return ret; 373 } 374 375 static int 376 run_cipher_aead_test(const EVP_CIPHER *cipher, 377 unsigned char bufs[NUM_TYPES][BUF_MAX], 378 const unsigned int lengths[NUM_TYPES], unsigned int line_no) 379 { 380 if (!run_cipher_aead_encrypt_test(cipher, bufs, lengths, line_no)) 381 return 0; 382 if (!run_cipher_aead_decrypt_test(cipher, 0, bufs, lengths, line_no)) 383 return 0; 384 if (!run_cipher_aead_decrypt_test(cipher, 1, bufs, lengths, line_no)) 385 return 0; 386 387 return 1; 388 } 389 390 int 391 main(int argc, char **argv) 392 { 393 FILE *f; 394 const EVP_AEAD *aead = NULL; 395 const EVP_CIPHER *cipher = NULL; 396 unsigned int line_no = 0, num_tests = 0, j; 397 unsigned char bufs[NUM_TYPES][BUF_MAX]; 398 unsigned int lengths[NUM_TYPES]; 399 const char *aeadname; 400 401 if (argc != 3) { 402 fprintf(stderr, "%s <aead> <test file.txt>\n", argv[0]); 403 return 1; 404 } 405 406 if ((f = fopen(argv[2], "r")) == NULL) { 407 perror("failed to open input"); 408 return 1; 409 } 410 411 for (j = 0; j < NUM_TYPES; j++) 412 lengths[j] = 0; 413 414 for (;;) { 415 char line[4096]; 416 unsigned int i, type_len = 0; 417 418 unsigned char *buf = NULL; 419 unsigned int *buf_len = NULL; 420 421 if (!fgets(line, sizeof(line), f)) 422 break; 423 424 line_no++; 425 if (line[0] == '#') 426 continue; 427 428 if (line[0] == '\n' || line[0] == 0) { 429 /* Run a test, if possible. */ 430 char any_values_set = 0; 431 for (j = 0; j < NUM_TYPES; j++) { 432 if (lengths[j] != 0) { 433 any_values_set = 1; 434 break; 435 } 436 } 437 438 if (!any_values_set) 439 continue; 440 441 aeadname = argv[1]; 442 if (lengths[AEAD] != 0) 443 aeadname = bufs[AEAD]; 444 445 if (!aead_from_name(&aead, &cipher, aeadname)) { 446 fprintf(stderr, "Aborting...\n"); 447 return 4; 448 } 449 450 if (aead != NULL) { 451 if (!run_aead_test(aead, bufs, lengths, 452 line_no)) 453 return 4; 454 } 455 if (cipher != NULL) { 456 if (!run_cipher_aead_test(cipher, bufs, lengths, 457 line_no)) 458 return 4; 459 } 460 461 for (j = 0; j < NUM_TYPES; j++) 462 lengths[j] = 0; 463 464 num_tests++; 465 continue; 466 } 467 468 /* 469 * Each line looks like: 470 * TYPE: 0123abc 471 * Where "TYPE" is the type of the data on the line, 472 * e.g. "KEY". 473 */ 474 for (i = 0; line[i] != 0 && line[i] != '\n'; i++) { 475 if (line[i] == ':') { 476 type_len = i; 477 break; 478 } 479 } 480 i++; 481 482 if (type_len == 0) { 483 fprintf(stderr, "Parse error on line %u\n", line_no); 484 return 3; 485 } 486 487 /* After the colon, there's optional whitespace. */ 488 for (; line[i] != 0 && line[i] != '\n'; i++) { 489 if (line[i] != ' ' && line[i] != '\t') 490 break; 491 } 492 493 line[type_len] = 0; 494 for (j = 0; j < NUM_TYPES; j++) { 495 if (strcmp(line, NAMES[j]) != 0) 496 continue; 497 if (lengths[j] != 0) { 498 fprintf(stderr, "Duplicate value on line %u\n", 499 line_no); 500 return 3; 501 } 502 buf = bufs[j]; 503 buf_len = &lengths[j]; 504 break; 505 } 506 507 if (buf == NULL) { 508 fprintf(stderr, "Unknown line type on line %u\n", 509 line_no); 510 return 3; 511 } 512 513 if (j == AEAD) { 514 *buf_len = strlcpy(buf, line + i, BUF_MAX); 515 for (j = 0; j < BUF_MAX; j++) { 516 if (buf[j] == '\n') 517 buf[j] = '\0'; 518 } 519 continue; 520 } 521 522 if (line[i] == '"') { 523 i++; 524 for (j = 0; line[i] != 0 && line[i] != '\n'; i++) { 525 if (line[i] == '"') 526 break; 527 if (j == BUF_MAX) { 528 fprintf(stderr, "Too much data on " 529 "line %u (max is %u bytes)\n", 530 line_no, (unsigned) BUF_MAX); 531 return 3; 532 } 533 buf[j++] = line[i]; 534 *buf_len = *buf_len + 1; 535 } 536 if (line[i + 1] != 0 && line[i + 1] != '\n') { 537 fprintf(stderr, "Trailing data on line %u\n", 538 line_no); 539 return 3; 540 } 541 } else { 542 for (j = 0; line[i] != 0 && line[i] != '\n'; i++) { 543 unsigned char v, v2; 544 v = hex_digit(line[i++]); 545 if (line[i] == 0 || line[i] == '\n') { 546 fprintf(stderr, "Odd-length hex data " 547 "on line %u\n", line_no); 548 return 3; 549 } 550 v2 = hex_digit(line[i]); 551 if (v > 15 || v2 > 15) { 552 fprintf(stderr, "Invalid hex char on " 553 "line %u\n", line_no); 554 return 3; 555 } 556 v <<= 4; 557 v |= v2; 558 559 if (j == BUF_MAX) { 560 fprintf(stderr, "Too much hex data on " 561 "line %u (max is %u bytes)\n", 562 line_no, (unsigned) BUF_MAX); 563 return 3; 564 } 565 buf[j++] = v; 566 *buf_len = *buf_len + 1; 567 } 568 } 569 } 570 571 printf("Completed %u test cases\n", num_tests); 572 printf("PASS\n"); 573 fclose(f); 574 575 return 0; 576 } 577