xref: /openbsd-src/regress/lib/libcrypto/ige/igetest.c (revision 50b7afb2c2c0993b0894d4e34bf857cb13ed9c80) 
1 /* test/igetest.c -*- mode:C; c-file-style: "eay" -*- */
2 /* ====================================================================
3  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in
14  *    the documentation and/or other materials provided with the
15  *    distribution.
16  *
17  * 3. All advertising materials mentioning features or use of this
18  *    software must display the following acknowledgment:
19  *    "This product includes software developed by the OpenSSL Project
20  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21  *
22  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23  *    endorse or promote products derived from this software without
24  *    prior written permission. For written permission, please contact
25  *    openssl-core@openssl.org.
26  *
27  * 5. Products derived from this software may not be called "OpenSSL"
28  *    nor may "OpenSSL" appear in their names without prior written
29  *    permission of the OpenSSL Project.
30  *
31  * 6. Redistributions of any form whatsoever must retain the following
32  *    acknowledgment:
33  *    "This product includes software developed by the OpenSSL Project
34  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35  *
36  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
40  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47  * OF THE POSSIBILITY OF SUCH DAMAGE.
48  * ====================================================================
49  *
50  */
51 
52 #include <openssl/aes.h>
53 #include <openssl/rand.h>
54 #include <stdio.h>
55 #include <string.h>
56 #include <assert.h>
57 
58 #define TEST_SIZE	128
59 #define BIG_TEST_SIZE 10240
60 
61 static void hexdump(FILE *f,const char *title,const unsigned char *s,int l)
62     {
63     int n=0;
64 
65     fprintf(f,"%s",title);
66     for( ; n < l ; ++n)
67 		{
68 		if((n%16) == 0)
69 			fprintf(f,"\n%04x",n);
70 		fprintf(f," %02x",s[n]);
71 		}
72     fprintf(f,"\n");
73     }
74 
75 #define MAX_VECTOR_SIZE	64
76 
77 struct ige_test
78 	{
79 	const unsigned char key[16];
80 	const unsigned char iv[32];
81 	const unsigned char in[MAX_VECTOR_SIZE];
82 	const unsigned char out[MAX_VECTOR_SIZE];
83 	const size_t length;
84 	const int encrypt;
85 	};
86 
87 static struct ige_test const ige_test_vectors[] = {
88 { { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
89     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, /* key */
90   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
91     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
92     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
93     0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f }, /* iv */
94   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
95     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
96     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
97     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /* in */
98   { 0x1a, 0x85, 0x19, 0xa6, 0x55, 0x7b, 0xe6, 0x52,
99     0xe9, 0xda, 0x8e, 0x43, 0xda, 0x4e, 0xf4, 0x45,
100     0x3c, 0xf4, 0x56, 0xb4, 0xca, 0x48, 0x8a, 0xa3,
101     0x83, 0xc7, 0x9c, 0x98, 0xb3, 0x47, 0x97, 0xcb }, /* out */
102   32, AES_ENCRYPT }, /* test vector 0 */
103 
104 { { 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
105     0x61, 0x6e, 0x20, 0x69, 0x6d, 0x70, 0x6c, 0x65 }, /* key */
106   { 0x6d, 0x65, 0x6e, 0x74, 0x61, 0x74, 0x69, 0x6f,
107     0x6e, 0x20, 0x6f, 0x66, 0x20, 0x49, 0x47, 0x45,
108     0x20, 0x6d, 0x6f, 0x64, 0x65, 0x20, 0x66, 0x6f,
109     0x72, 0x20, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53 }, /* iv */
110   { 0x4c, 0x2e, 0x20, 0x4c, 0x65, 0x74, 0x27, 0x73,
111     0x20, 0x68, 0x6f, 0x70, 0x65, 0x20, 0x42, 0x65,
112     0x6e, 0x20, 0x67, 0x6f, 0x74, 0x20, 0x69, 0x74,
113     0x20, 0x72, 0x69, 0x67, 0x68, 0x74, 0x21, 0x0a }, /* in */
114   { 0x99, 0x70, 0x64, 0x87, 0xa1, 0xcd, 0xe6, 0x13,
115     0xbc, 0x6d, 0xe0, 0xb6, 0xf2, 0x4b, 0x1c, 0x7a,
116     0xa4, 0x48, 0xc8, 0xb9, 0xc3, 0x40, 0x3e, 0x34,
117     0x67, 0xa8, 0xca, 0xd8, 0x93, 0x40, 0xf5, 0x3b }, /* out */
118   32, AES_DECRYPT }, /* test vector 1 */
119 };
120 
121 static int run_test_vectors(void)
122 	{
123 	unsigned int n;
124 	int errs = 0;
125 
126 	for(n=0 ; n < sizeof(ige_test_vectors)/sizeof(ige_test_vectors[0]) ; ++n)
127 		{
128 		const struct ige_test * const v = &ige_test_vectors[n];
129 		AES_KEY key;
130 		unsigned char buf[MAX_VECTOR_SIZE];
131 		unsigned char iv[AES_BLOCK_SIZE*2];
132 
133 		assert(v->length <= MAX_VECTOR_SIZE);
134 
135 		if(v->encrypt == AES_ENCRYPT)
136 			AES_set_encrypt_key(v->key, 8*sizeof v->key, &key);
137 		else
138 			AES_set_decrypt_key(v->key, 8*sizeof v->key, &key);
139 		memcpy(iv, v->iv, sizeof iv);
140 		AES_ige_encrypt(v->in, buf, v->length, &key, iv, v->encrypt);
141 
142 		if(memcmp(v->out, buf, v->length))
143 			{
144 			printf("IGE test vector %d failed\n", n);
145 			hexdump(stdout, "key", v->key, sizeof v->key);
146 			hexdump(stdout, "iv", v->iv, sizeof v->iv);
147 			hexdump(stdout, "in", v->in, v->length);
148 			hexdump(stdout, "expected", v->out, v->length);
149 			hexdump(stdout, "got", buf, v->length);
150 
151 			++errs;
152 			}
153 
154                 /* try with in == out */
155 		memcpy(iv, v->iv, sizeof iv);
156                 memcpy(buf, v->in, v->length);
157 		AES_ige_encrypt(buf, buf, v->length, &key, iv, v->encrypt);
158 
159 		if(memcmp(v->out, buf, v->length))
160 			{
161 			printf("IGE test vector %d failed (with in == out)\n", n);
162 			hexdump(stdout, "key", v->key, sizeof v->key);
163 			hexdump(stdout, "iv", v->iv, sizeof v->iv);
164 			hexdump(stdout, "in", v->in, v->length);
165 			hexdump(stdout, "expected", v->out, v->length);
166 			hexdump(stdout, "got", buf, v->length);
167 
168 			++errs;
169 			}
170 		}
171 
172 	return errs;
173 	}
174 
175 int main(int argc, char **argv)
176 	{
177 	unsigned char rkey[16];
178 	unsigned char rkey2[16];
179 	AES_KEY key;
180 	AES_KEY key2;
181 	unsigned char plaintext[BIG_TEST_SIZE];
182 	unsigned char ciphertext[BIG_TEST_SIZE];
183 	unsigned char checktext[BIG_TEST_SIZE];
184 	unsigned char iv[AES_BLOCK_SIZE*4];
185 	unsigned char saved_iv[AES_BLOCK_SIZE*4];
186 	int err = 0;
187 	unsigned int n;
188 	unsigned matches;
189 
190 	assert(BIG_TEST_SIZE >= TEST_SIZE);
191 
192 	RAND_pseudo_bytes(rkey, sizeof rkey);
193 	RAND_pseudo_bytes(plaintext, sizeof plaintext);
194 	RAND_pseudo_bytes(iv, sizeof iv);
195 	memcpy(saved_iv, iv, sizeof saved_iv);
196 
197 	/* Forward IGE only... */
198 
199 	/* Straight encrypt/decrypt */
200 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
201 	AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE, &key, iv,
202 					AES_ENCRYPT);
203 
204 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
205 	memcpy(iv, saved_iv, sizeof iv);
206 	AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv,
207 					AES_DECRYPT);
208 
209 	if(memcmp(checktext, plaintext, TEST_SIZE))
210 		{
211 		printf("Encrypt+decrypt doesn't match\n");
212 		hexdump(stdout, "Plaintext", plaintext, TEST_SIZE);
213 		hexdump(stdout, "Checktext", checktext, TEST_SIZE);
214 		++err;
215 		}
216 
217 	/* Now check encrypt chaining works */
218 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
219 	memcpy(iv, saved_iv, sizeof iv);
220 	AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE/2, &key, iv,
221 					AES_ENCRYPT);
222 	AES_ige_encrypt(plaintext+TEST_SIZE/2,
223 					ciphertext+TEST_SIZE/2, TEST_SIZE/2,
224 					&key, iv, AES_ENCRYPT);
225 
226 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
227 	memcpy(iv, saved_iv, sizeof iv);
228 	AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv,
229 					AES_DECRYPT);
230 
231 	if(memcmp(checktext, plaintext, TEST_SIZE))
232 		{
233 		printf("Chained encrypt+decrypt doesn't match\n");
234 		hexdump(stdout, "Plaintext", plaintext, TEST_SIZE);
235 		hexdump(stdout, "Checktext", checktext, TEST_SIZE);
236 		++err;
237 		}
238 
239 	/* And check decrypt chaining */
240 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
241 	memcpy(iv, saved_iv, sizeof iv);
242 	AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE/2, &key, iv,
243 					AES_ENCRYPT);
244 	AES_ige_encrypt(plaintext+TEST_SIZE/2,
245 					ciphertext+TEST_SIZE/2, TEST_SIZE/2,
246 					&key, iv, AES_ENCRYPT);
247 
248 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
249 	memcpy(iv, saved_iv, sizeof iv);
250 	AES_ige_encrypt(ciphertext, checktext, TEST_SIZE/2, &key, iv,
251 					AES_DECRYPT);
252 	AES_ige_encrypt(ciphertext+TEST_SIZE/2,
253 					checktext+TEST_SIZE/2, TEST_SIZE/2, &key, iv,
254 					AES_DECRYPT);
255 
256 	if(memcmp(checktext, plaintext, TEST_SIZE))
257 		{
258 		printf("Chained encrypt+chained decrypt doesn't match\n");
259 		hexdump(stdout, "Plaintext", plaintext, TEST_SIZE);
260 		hexdump(stdout, "Checktext", checktext, TEST_SIZE);
261 		++err;
262 		}
263 
264 	/* make sure garble extends forwards only */
265 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
266 	memcpy(iv, saved_iv, sizeof iv);
267 	AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
268 					AES_ENCRYPT);
269 
270 	/* corrupt halfway through */
271 	++ciphertext[sizeof ciphertext/2];
272 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
273 	memcpy(iv, saved_iv, sizeof iv);
274 	AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
275 					AES_DECRYPT);
276 
277 	matches=0;
278 	for(n=0 ; n < sizeof checktext ; ++n)
279 		if(checktext[n] == plaintext[n])
280 			++matches;
281 
282 	if(matches > sizeof checktext/2+sizeof checktext/100)
283 		{
284 		printf("More than 51%% matches after garbling\n");
285 		++err;
286 		}
287 
288 	if(matches < sizeof checktext/2)
289 		{
290 		printf("Garble extends backwards!\n");
291 		++err;
292 		}
293 
294 	/* make sure garble extends both ways */
295 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
296 	AES_set_encrypt_key(rkey2, 8*sizeof rkey2, &key2);
297 	AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
298 					AES_ENCRYPT);
299 
300 	/* corrupt halfway through */
301 	++ciphertext[sizeof ciphertext/2];
302 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
303 	AES_set_decrypt_key(rkey2, 8*sizeof rkey2, &key2);
304 	AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
305 					AES_DECRYPT);
306 
307 	matches=0;
308 	for(n=0 ; n < sizeof checktext ; ++n)
309 		if(checktext[n] == plaintext[n])
310 			++matches;
311 
312 	if(matches > sizeof checktext/100)
313 		{
314 		printf("More than 1%% matches after bidirectional garbling\n");
315 		++err;
316 		}
317 
318 	/* make sure garble extends both ways (2) */
319 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
320 	AES_set_encrypt_key(rkey2, 8*sizeof rkey2, &key2);
321 	AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
322 					AES_ENCRYPT);
323 
324 	/* corrupt right at the end */
325 	++ciphertext[sizeof ciphertext-1];
326 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
327 	AES_set_decrypt_key(rkey2, 8*sizeof rkey2, &key2);
328 	AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
329 					AES_DECRYPT);
330 
331 	matches=0;
332 	for(n=0 ; n < sizeof checktext ; ++n)
333 		if(checktext[n] == plaintext[n])
334 			++matches;
335 
336 	if(matches > sizeof checktext/100)
337 		{
338 		printf("More than 1%% matches after bidirectional garbling (2)\n");
339 		++err;
340 		}
341 
342 	/* make sure garble extends both ways (3) */
343 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
344 	AES_set_encrypt_key(rkey2, 8*sizeof rkey2, &key2);
345 	AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
346 					AES_ENCRYPT);
347 
348 	/* corrupt right at the start */
349 	++ciphertext[0];
350 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
351 	AES_set_decrypt_key(rkey2, 8*sizeof rkey2, &key2);
352 	AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
353 					AES_DECRYPT);
354 
355 	matches=0;
356 	for(n=0 ; n < sizeof checktext ; ++n)
357 		if(checktext[n] == plaintext[n])
358 			++matches;
359 
360 	if(matches > sizeof checktext/100)
361 		{
362 		printf("More than 1%% matches after bidirectional garbling (3)\n");
363 		++err;
364 		}
365 
366 	err += run_test_vectors();
367 
368 	return err;
369 	}
370