/* FIXME: Lots of almost duplicated code with siv tests. */
/* AEAD ciphers */
typedef void
-nettle_encrypt_message_func(const void *ctx,
- size_t nlength, const uint8_t *nonce,
- size_t alength, const uint8_t *adata,
- size_t tlength,
- size_t clength, uint8_t *dst, const uint8_t *src);
+ocb_encrypt_message_func(const void *ctx,
+ size_t nlength, const uint8_t *nonce,
+ size_t alength, const uint8_t *adata,
+ size_t tlength,
+ size_t clength, uint8_t *dst, const uint8_t *src);
typedef int
-nettle_decrypt_message_func(const void *encrypt_ctx, const void *decrypt_ctx,
- size_t nlength, const uint8_t *nonce,
- size_t alength, const uint8_t *adata,
- size_t tlength,
- size_t mlength, uint8_t *dst, const uint8_t *src);
+ocb_decrypt_message_func(const void *encrypt_ctx, const void *decrypt_ctx,
+ size_t nlength, const uint8_t *nonce,
+ size_t alength, const uint8_t *adata,
+ size_t tlength,
+ size_t mlength, uint8_t *dst, const uint8_t *src);
static void
test_compare_results(const char *name,
test_ocb_message(const char *name,
nettle_set_key_func *set_encrypt_key,
nettle_set_key_func *set_decrypt_key,
- nettle_encrypt_message_func *encrypt,
- nettle_decrypt_message_func *decrypt,
+ ocb_encrypt_message_func *encrypt,
+ ocb_decrypt_message_func *decrypt,
size_t encrypt_context_size, size_t decrypt_context_size,
size_t key_size, size_t digest_size,
const struct tstring *key,
test_ocb_message("ocb_aes128", \
(nettle_set_key_func*)ocb_aes128_set_encrypt_key, \
(nettle_set_key_func*)aes128_set_decrypt_key, \
- (nettle_encrypt_message_func*)ocb_aes128_encrypt_message, \
- (nettle_decrypt_message_func*)ocb_aes128_decrypt_message, \
+ (ocb_encrypt_message_func*)ocb_aes128_encrypt_message, \
+ (ocb_decrypt_message_func*)ocb_aes128_decrypt_message, \
sizeof(struct ocb_aes128_ctx), sizeof(struct aes128_ctx), \
AES128_KEY_SIZE, OCB_DIGEST_SIZE, \
key, nonce, authdata, cleartext, ciphertext)
#include "siv-cmac.h"
#include "knuth-lfib.h"
-/* AEAD ciphers */
-typedef void
-nettle_encrypt_message_func(void *ctx,
- size_t nlength, const uint8_t *nonce,
- size_t alength, const uint8_t *adata,
- size_t clength, uint8_t *dst, const uint8_t *src);
-
-typedef int
-nettle_decrypt_message_func(void *ctx,
- size_t nlength, const uint8_t *nonce,
- size_t alength, const uint8_t *adata,
- size_t mlength, uint8_t *dst, const uint8_t *src);
-
-static void
-test_compare_results(const char *name,
- const struct tstring *adata,
- /* Expected results. */
- const struct tstring *e_clear,
- const struct tstring *e_cipher,
- /* Actual results. */
- const void *clear,
- const void *cipher)
-{
- if (!MEMEQ(e_cipher->length, e_cipher->data, cipher))
- {
- fprintf(stderr, "%s: encryption failed\nAdata: ", name);
- tstring_print_hex(adata);
- fprintf(stderr, "\nInput: ");
- tstring_print_hex(e_clear);
- fprintf(stderr, "\nOutput: ");
- print_hex(e_cipher->length, cipher);
- fprintf(stderr, "\nExpected:");
- tstring_print_hex(e_cipher);
- fprintf(stderr, "\n");
- FAIL();
- }
- if (!MEMEQ(e_clear->length, e_clear->data, clear))
- {
- fprintf(stderr, "%s decrypt failed:\nAdata:", name);
- tstring_print_hex(adata);
- fprintf(stderr, "\nInput: ");
- tstring_print_hex(e_cipher);
- fprintf(stderr, "\nOutput: ");
- print_hex(e_clear->length, clear);
- fprintf(stderr, "\nExpected:");
- tstring_print_hex(e_clear);
- fprintf(stderr, "\n");
- FAIL();
- }
-} /* test_compare_results */
-
-static void
-test_cipher_siv(const char *name,
- nettle_set_key_func *siv_set_key,
- nettle_encrypt_message_func *siv_encrypt,
- nettle_decrypt_message_func *siv_decrypt,
- size_t context_size, size_t key_size,
- const struct tstring *key,
- const struct tstring *nonce,
- const struct tstring *authdata,
- const struct tstring *cleartext,
- const struct tstring *ciphertext)
-{
- void *ctx = xalloc(context_size);
- uint8_t *en_data;
- uint8_t *de_data;
- int ret;
-
- ASSERT (key->length == key_size);
- ASSERT (cleartext->length + SIV_DIGEST_SIZE == ciphertext->length);
-
- de_data = xalloc(cleartext->length);
- en_data = xalloc(ciphertext->length);
-
- /* Ensure we get the same answers using the all-in-one API. */
- memset(de_data, 0, cleartext->length);
- memset(en_data, 0, ciphertext->length);
-
- siv_set_key(ctx, key->data);
- siv_encrypt(ctx, nonce->length, nonce->data,
- authdata->length, authdata->data,
- ciphertext->length, en_data, cleartext->data);
-
- ret = siv_decrypt(ctx, nonce->length, nonce->data,
- authdata->length, authdata->data,
- cleartext->length, de_data, ciphertext->data);
-
- if (ret != 1)
- {
- fprintf(stderr, "siv_decrypt_message failed to validate message\n");
- FAIL();
- }
- test_compare_results(name, authdata,
- cleartext, ciphertext, de_data, en_data);
-
- /* Ensure that we can detect corrupted message or tag data. */
- en_data[0] ^= 1;
- ret = siv_decrypt(ctx, nonce->length, nonce->data,
- authdata->length, authdata->data,
- cleartext->length, de_data, en_data);
- if (ret != 0)
- {
- fprintf(stderr, "siv_decrypt_message failed to detect corrupted message\n");
- FAIL();
- }
-
- /* Ensure we can detect corrupted adata. */
- if (authdata->length) {
- en_data[0] ^= 1;
- ret = siv_decrypt(ctx, nonce->length, nonce->data,
- authdata->length-1, authdata->data,
- cleartext->length, de_data, en_data);
- if (ret != 0)
- {
- fprintf(stderr, "siv_decrypt_message failed to detect corrupted message\n");
- FAIL();
- }
- }
-
- free(ctx);
- free(en_data);
- free(de_data);
-}
-
-#define test_siv_aes128(name, key, nonce, authdata, cleartext, ciphertext) \
- test_cipher_siv(name, (nettle_set_key_func*)siv_cmac_aes128_set_key, \
- (nettle_encrypt_message_func*)siv_cmac_aes128_encrypt_message, \
- (nettle_decrypt_message_func*)siv_cmac_aes128_decrypt_message, \
- sizeof(struct siv_cmac_aes128_ctx), SIV_CMAC_AES128_KEY_SIZE, \
- key, nonce, authdata, cleartext, ciphertext)
-
-#define test_siv_aes256(name, key, nonce, authdata, cleartext, ciphertext) \
- test_cipher_siv(name, (nettle_set_key_func*)siv_cmac_aes256_set_key, \
- (nettle_encrypt_message_func*)siv_cmac_aes256_encrypt_message, \
- (nettle_decrypt_message_func*)siv_cmac_aes256_decrypt_message, \
- sizeof(struct siv_cmac_aes256_ctx), SIV_CMAC_AES256_KEY_SIZE, \
- key, nonce, authdata, cleartext, ciphertext)
+static const struct nettle_aead_message
+siv_cmac_aes128 = {
+ "siv_cmac_aes128",
+ sizeof(struct siv_cmac_aes128_ctx),
+ SIV_CMAC_AES128_KEY_SIZE,
+ SIV_DIGEST_SIZE,
+ (nettle_set_key_func*) siv_cmac_aes128_set_key,
+ (nettle_set_key_func*) siv_cmac_aes128_set_key,
+ (nettle_encrypt_message_func*) siv_cmac_aes128_encrypt_message,
+ (nettle_decrypt_message_func*) siv_cmac_aes128_decrypt_message,
+};
+
+static const struct nettle_aead_message
+siv_cmac_aes256 = {
+ "siv_cmac_aes256",
+ sizeof(struct siv_cmac_aes256_ctx),
+ SIV_CMAC_AES256_KEY_SIZE,
+ SIV_DIGEST_SIZE,
+ (nettle_set_key_func*) siv_cmac_aes256_set_key,
+ (nettle_set_key_func*) siv_cmac_aes256_set_key,
+ (nettle_encrypt_message_func*) siv_cmac_aes256_encrypt_message,
+ (nettle_decrypt_message_func*) siv_cmac_aes256_decrypt_message,
+};
void
test_main(void)
/*
* Example with small nonce, no AD and no plaintext
*/
- test_siv_aes128("SIV_CMAC_AES128",
+ test_aead_message(&siv_cmac_aes128,
SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0"
"f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"),
SHEX("01"),
/*
* Example with small nonce, no AD and plaintext
*/
- test_siv_aes128("SIV_CMAC_AES128",
+ test_aead_message(&siv_cmac_aes128,
SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0"
"f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"),
SHEX("02"),
/*
* Example with length < 16
*/
- test_siv_aes128("SIV_CMAC_AES128",
+ test_aead_message(&siv_cmac_aes128,
SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0"
"f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"),
SHEX("02"),
/*
* Example with length > 16
*/
- test_siv_aes128("SIV_CMAC_AES128",
+ test_aead_message(&siv_cmac_aes128,
SHEX("7f7e7d7c 7b7a7978 77767574 73727170"
"40414243 44454647 48494a4b 4c4d4e4f"),
SHEX("020304"),
/*
* Example with single AAD, length > 16
*/
- test_siv_aes128("SIV_CMAC_AES128",
+ test_aead_message(&siv_cmac_aes128,
SHEX("7f7e7d7c 7b7a7978 77767574 73727170"
"40414243 44454647 48494a4b 4c4d4e4f"),
SHEX("09f91102 9d74e35b d84156c5 635688c0"),
/*
* Example with single AAD, length < 16
*/
- test_siv_aes128("SIV_CMAC_AES128",
+ test_aead_message(&siv_cmac_aes128,
SHEX("7f7e7d7c 7b7a7978 77767574 73727170"
"40414243 44454647 48494a4b 4c4d4e4f"),
SHEX("09f91102 9d74e35b d84156c5 635688c0"),
/* AES-SIV-CMAC-512 (AES-256) from dchest/siv repo
*/
- test_siv_aes256("SIV_CMAC_AES256",
+ test_aead_message(&siv_cmac_aes256,
SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0"
"6f6e6d6c 6b6a6968 67666564 63626160"
"f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"
/* AES-SIV-CMAC-512 (AES-256)
*/
- test_siv_aes256("SIV_CMAC_AES256",
+ test_aead_message(&siv_cmac_aes256,
SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d"
"2d568e91 a38e5414 8abdc0b6 e86caf87"
"695c0a8a df4c5f8e b2c6c8b1 36529864"
/*
* Example with length > 16
*/
- test_siv_aes256("SIV_CMAC_AES256",
+ test_aead_message(&siv_cmac_aes256,
SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d"
"2d568e91 a38e5414 8abdc0b6 e86caf87"
"695c0a8a df4c5f8e b2c6c8b1 36529864"
/*
* Example with single AAD, length > 16
*/
- test_siv_aes256("SIV_CMAC_AES256",
+ test_aead_message(&siv_cmac_aes256,
SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d"
"2d568e91 a38e5414 8abdc0b6 e86caf87"
"695c0a8a df4c5f8e b2c6c8b1 36529864"
* Example from miscreant.js with no AD
* https://github.com/miscreant/miscreant.js/blob/master/vectors/aes_siv_aead.tjson
*/
- test_siv_aes128("SIV_CMAC_AES128",
+ test_aead_message(&siv_cmac_aes128,
SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0"
"f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"),
SHEX("10111213 1415161718191a1b1 c1d1e1f2"
/*
* Example from miscreant.js with AD
*/
- test_siv_aes128("SIV_CMAC_AES128",
+ test_aead_message(&siv_cmac_aes128,
SHEX("7f7e7d7c 7b7a7978 77767574 73727170"
"40414243 44454647 48494a4b 4c4d4e4f"),
SHEX("09f91102 9d74e35b d84156c5 635688c0"),
free(buffer);
}
+void
+test_aead_message (const struct nettle_aead_message *aead,
+ const struct tstring *key,
+ const struct tstring *nonce,
+ const struct tstring *adata,
+ const struct tstring *clear,
+ const struct tstring *cipher)
+{
+ void *ctx = xalloc (aead->context_size);
+ uint8_t *buf = xalloc (cipher->length + 1);
+ int res;
+
+ ASSERT (key->length == aead->key_size);
+ ASSERT (cipher->length > clear->length);
+ ASSERT (cipher->length - clear->length == aead->digest_size);
+
+ aead->set_encrypt_key (ctx, key->data);
+ buf[cipher->length] = 0xae;
+ aead->encrypt (ctx,
+ nonce->length, nonce->data,
+ adata->length, adata->data,
+ cipher->length, buf, clear->data);
+ if (!MEMEQ (cipher->length, cipher->data, buf))
+ {
+ fprintf(stderr, "aead->encrypt (message) failed:\n got: ");
+ print_hex (cipher->length, buf);
+ fprintf (stderr, " exp: ");
+ tstring_print_hex (cipher);
+ FAIL();
+ }
+ if (buf[cipher->length] != 0xae)
+ {
+ fprintf (stderr, "aead->encrypt (message) wrote too much.\n ");
+ FAIL();
+ }
+ aead->set_decrypt_key (ctx, key->data);
+#if 0
+ /* First try in-place decrypt. FIXME: Not supported for SIV. */
+ res = aead->decrypt (ctx,
+ nonce->length, nonce->data,
+ adata->length, adata->data,
+ clear->length, buf, buf);
+ if (!res)
+ {
+ fprintf (stderr, "in-place decrypting valid ciphertext failed:\n ");
+ tstring_print_hex (cipher);
+ }
+ if (!MEMEQ (clear->length, clear->data, buf))
+ {
+ fprintf(stderr, "aead->decrypt (in place message) failed:\n got: ");
+ print_hex (clear->length, buf);
+ fprintf (stderr, " exp: ");
+ tstring_print_hex (clear);
+ FAIL();
+ }
+#endif
+ memset (buf, 0xae, clear->length + 1);
+
+ res = aead->decrypt (ctx,
+ nonce->length, nonce->data,
+ adata->length, adata->data,
+ clear->length, buf, cipher->data);
+ if (!res)
+ {
+ fprintf (stderr, "decrypting valid ciphertext failed:\n ");
+ tstring_print_hex (cipher);
+ }
+ if (!MEMEQ (clear->length, clear->data, buf))
+ {
+ fprintf(stderr, "aead->decrypt (message) failed:\n got: ");
+ print_hex (clear->length, buf);
+ fprintf (stderr, " exp: ");
+ tstring_print_hex (clear);
+ FAIL();
+ }
+
+ /* Invalid messages */
+ if (clear->length > 0
+ && aead->decrypt (ctx,
+ nonce->length, nonce->data,
+ adata->length, adata->data,
+ clear->length - 1, buf, cipher->data))
+ {
+ fprintf (stderr, "Invalid message (truncated) not rejected\n");
+ FAIL();
+ }
+ memcpy (buf, cipher->data, cipher->length);
+ buf[0] ^= 4;
+ if (aead->decrypt (ctx,
+ nonce->length, nonce->data,
+ adata->length, adata->data,
+ clear->length, buf, buf))
+ {
+ fprintf (stderr, "Invalid message (first byte modified) not rejected\n");
+ FAIL();
+ }
+
+ memcpy (buf, cipher->data, cipher->length);
+ buf[cipher->length - 1] ^= 4;
+ if (aead->decrypt (ctx,
+ nonce->length, nonce->data,
+ adata->length, adata->data,
+ clear->length, buf, buf))
+ {
+ fprintf (stderr, "Invalid message (last byte modified) not rejected\n");
+ FAIL();
+ }
+
+ memcpy (buf, adata->data, adata->length);
+ if (adata->length == 0)
+ buf[0] = 0;
+ if (aead->decrypt (ctx,
+ nonce->length, nonce->data,
+ adata->length ? adata->length /* - 1 */ : 1, buf,
+ clear->length, buf, cipher->data))
+ {
+ fprintf (stderr, "Invalid adata not rejected\n");
+ FAIL();
+ }
+}
+
void
test_hash(const struct nettle_hash *hash,
const struct tstring *msg,
projects / thirdparty / nettle.git / commitdiff
