From acf254f86efe94788827bc7da9ae167ecc19e6b1 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 18 Feb 2011 17:09:33 +0000 Subject: [PATCH] AES GCM selftests. --- crypto/fips_err.h | 1 + fips/aes/fips_aes_selftest.c | 92 ++++++++++++++++++++++++++++++++++++ fips/fips.c | 1 + fips/fips.h | 3 ++ fips/fips_test_suite.c | 49 ++++++++++++++++++- 5 files changed, 145 insertions(+), 1 deletion(-) diff --git a/crypto/fips_err.h b/crypto/fips_err.h index 00406ba8ac..de2f0d5254 100644 --- a/crypto/fips_err.h +++ b/crypto/fips_err.h @@ -87,6 +87,7 @@ static ERR_STRING_DATA FIPS_str_functs[]= {ERR_FUNC(FIPS_F_FIPS_MODE_SET), "FIPS_mode_set"}, {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"}, {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"}, +{ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"}, {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"}, {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, diff --git a/fips/aes/fips_aes_selftest.c b/fips/aes/fips_aes_selftest.c index 119ddfad50..05f18d1484 100644 --- a/fips/aes/fips_aes_selftest.c +++ b/fips/aes/fips_aes_selftest.c @@ -100,4 +100,96 @@ int FIPS_selftest_aes() FIPSerr(FIPS_F_FIPS_SELFTEST_AES,FIPS_R_SELFTEST_FAILED); return ret; } + +/* AES-GCM test data from NIST public test vectors */ + +static const unsigned char gcm_key[] = { + 0xee,0xbc,0x1f,0x57,0x48,0x7f,0x51,0x92,0x1c,0x04,0x65,0x66, + 0x5f,0x8a,0xe6,0xd1,0x65,0x8b,0xb2,0x6d,0xe6,0xf8,0xa0,0x69, + 0xa3,0x52,0x02,0x93,0xa5,0x72,0x07,0x8f +}; +static const unsigned char gcm_iv[] = { + 0x99,0xaa,0x3e,0x68,0xed,0x81,0x73,0xa0,0xee,0xd0,0x66,0x84 +}; +static const unsigned char gcm_pt[] = { + 0xf5,0x6e,0x87,0x05,0x5b,0xc3,0x2d,0x0e,0xeb,0x31,0xb2,0xea, + 0xcc,0x2b,0xf2,0xa5 +}; +static const unsigned char gcm_aad[] = { + 0x4d,0x23,0xc3,0xce,0xc3,0x34,0xb4,0x9b,0xdb,0x37,0x0c,0x43, + 0x7f,0xec,0x78,0xde +}; +static const unsigned char gcm_ct[] = { + 0xf7,0x26,0x44,0x13,0xa8,0x4c,0x0e,0x7c,0xd5,0x36,0x86,0x7e, + 0xb9,0xf2,0x17,0x36 +}; +static const unsigned char gcm_tag[] = { + 0x67,0xba,0x05,0x10,0x26,0x2a,0xe4,0x87,0xd7,0x37,0xee,0x62, + 0x98,0xf7,0x7e,0x0c +}; + +static int corrupt_aes_gcm = 0; + +void FIPS_corrupt_aes_gcm(void) + { + corrupt_aes_gcm = 1; + } + +int FIPS_selftest_aes_gcm(void) + { + int ret = 0; + unsigned char out[128], tag[16]; + EVP_CIPHER_CTX ctx; + FIPS_cipher_ctx_init(&ctx); + FIPS_cipherinit(&ctx, EVP_aes_256_gcm(), NULL, NULL, 1); + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, + sizeof(gcm_iv), NULL); + if (!FIPS_cipherinit(&ctx, NULL, gcm_key, gcm_iv, 1)) + goto err; + if (FIPS_cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) + goto err; + if (FIPS_cipher(&ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct)) + goto err; + if (FIPS_cipher(&ctx, NULL, NULL, 0) < 0) + goto err; + + if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tag)) + goto err; + + if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16)) + goto err; + + /* Modify expected tag value */ + if (corrupt_aes_gcm) + tag[0]++; + + FIPS_cipherinit(&ctx, EVP_aes_256_gcm(), NULL, NULL, 0); + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, + sizeof(gcm_iv), NULL); + if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tag)) + goto err; + if (!FIPS_cipherinit(&ctx, NULL, gcm_key, gcm_iv, 0)) + goto err; + if (FIPS_cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) + goto err; + if (FIPS_cipher(&ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt)) + goto err; + if (FIPS_cipher(&ctx, NULL, NULL, 0) < 0) + goto err; + + if (memcmp(out, gcm_pt, 16)) + goto err; + + ret = 1; + + err: + + if (ret == 0) + FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM,FIPS_R_SELFTEST_FAILED); + + FIPS_cipher_ctx_cleanup(&ctx); + + return ret; + } + #endif diff --git a/fips/fips.c b/fips/fips.c index 6b5e4d4ccb..4b66537342 100644 --- a/fips/fips.c +++ b/fips/fips.c @@ -175,6 +175,7 @@ int FIPS_selftest(void) return FIPS_selftest_sha1() && FIPS_selftest_hmac() && FIPS_selftest_aes() + && FIPS_selftest_aes_gcm() && FIPS_selftest_des() && FIPS_selftest_rsa() && FIPS_selftest_dsa(); diff --git a/fips/fips.h b/fips/fips.h index 8087fa178b..dab9bbe45d 100644 --- a/fips/fips.h +++ b/fips/fips.h @@ -75,6 +75,8 @@ void FIPS_selftest_check(void); void FIPS_corrupt_sha1(void); int FIPS_selftest_sha1(void); void FIPS_corrupt_aes(void); +int FIPS_selftest_aes_gcm(void); +void FIPS_corrupt_aes_gcm(void); int FIPS_selftest_aes(void); void FIPS_corrupt_des(void); int FIPS_selftest_des(void); @@ -190,6 +192,7 @@ void ERR_load_FIPS_strings(void); #define FIPS_F_FIPS_MODE_SET 108 #define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109 #define FIPS_F_FIPS_SELFTEST_AES 110 +#define FIPS_F_FIPS_SELFTEST_AES_GCM 130 #define FIPS_F_FIPS_SELFTEST_DES 111 #define FIPS_F_FIPS_SELFTEST_DSA 112 #define FIPS_F_FIPS_SELFTEST_HMAC 113 diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c index c02168c309..12970abe58 100644 --- a/fips/fips_test_suite.c +++ b/fips/fips_test_suite.c @@ -69,6 +69,47 @@ static int FIPS_aes_test(void) return ret; } +static int FIPS_aes_gcm_test(void) + { + int ret = 0; + unsigned char pltmp[16]; + unsigned char citmp[16]; + unsigned char tagtmp[16]; + unsigned char key[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}; + unsigned char iv[16] = {21,22,23,24,25,26,27,28,29,30,31,32}; + unsigned char aad[] = "Some text AAD"; + unsigned char plaintext[16] = "etaonrishdlcu"; + EVP_CIPHER_CTX ctx; + FIPS_cipher_ctx_init(&ctx); + if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 1) <= 0) + goto err; + FIPS_cipher(&ctx, NULL, aad, sizeof(aad)); + FIPS_cipher(&ctx, citmp, plaintext, 16); + FIPS_cipher(&ctx, NULL, NULL, 0); + if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tagtmp)) + goto err; + + if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 0) <= 0) + goto err; + if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tagtmp)) + goto err; + + FIPS_cipher(&ctx, NULL, aad, sizeof(aad)); + + FIPS_cipher(&ctx, pltmp, citmp, 16); + + if (FIPS_cipher(&ctx, NULL, NULL, 0) < 0) + goto err; + + if (memcmp(pltmp, plaintext, 16)) + goto err; + + ret = 1; + err: + FIPS_cipher_ctx_cleanup(&ctx); + return ret; + } + static int FIPS_des3_test(void) { int ret = 0; @@ -440,6 +481,9 @@ int main(int argc,char **argv) if (!strcmp(argv[1], "aes")) { FIPS_corrupt_aes(); printf("AES encryption/decryption with corrupted KAT...\n"); + } else if (!strcmp(argv[1], "aes-gcm")) { + FIPS_corrupt_aes_gcm(); + printf("AES-GCM encryption/decryption with corrupted KAT...\n"); } else if (!strcmp(argv[1], "des")) { FIPS_corrupt_des(); printf("DES3-ECB encryption/decryption with corrupted KAT...\n"); @@ -508,7 +552,10 @@ int main(int argc,char **argv) /* AES encryption/decryption */ - test_msg("3. AES encryption/decryption", FIPS_aes_test()); + test_msg("3a. AES encryption/decryption", FIPS_aes_test()); + /* AES GCM encryption/decryption + */ + test_msg("3b. AES-GCM encryption/decryption", FIPS_aes_gcm_test()); /* RSA key generation and encryption/decryption */ -- GitLab