1 /* Copyright (c) 2017, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 // cavp_aes_test processes a NIST CAVP AES test vector request file and emits
16 // the corresponding response.
17 
18 #include <stdlib.h>
19 
20 #include <openssl/cipher.h>
21 #include <openssl/crypto.h>
22 #include <openssl/err.h>
23 
24 #include "../crypto/test/file_test.h"
25 #include "cavp_test_util.h"
26 
27 
28 namespace {
29 
30 struct TestCtx {
31   const EVP_CIPHER *cipher;
32   bool has_iv;
33   enum Mode {
34     kKAT,  // Known Answer Test
35     kMCT,  // Monte Carlo Test
36   };
37   Mode mode;
38 };
39 
40 }
41 
MonteCarlo(const TestCtx * ctx,FileTest * t,const EVP_CIPHER * cipher,std::vector<uint8_t> * out,bool encrypt,std::vector<uint8_t> key,std::vector<uint8_t> iv,std::vector<uint8_t> in)42 static bool MonteCarlo(const TestCtx *ctx, FileTest *t,
43                        const EVP_CIPHER *cipher, std::vector<uint8_t> *out,
44                        bool encrypt, std::vector<uint8_t> key,
45                        std::vector<uint8_t> iv, std::vector<uint8_t> in) {
46   const std::string in_label = encrypt ? "PLAINTEXT" : "CIPHERTEXT",
47                     result_label = encrypt ? "CIPHERTEXT" : "PLAINTEXT";
48   std::vector<uint8_t> prev_result, result, prev_in;
49   for (int i = 0; i < 100; i++) {
50     printf("COUNT = %d\r\nKEY = %s\r\n", i,
51            EncodeHex(key.data(), key.size()).c_str());
52     if (ctx->has_iv) {
53       printf("IV = %s\r\n", EncodeHex(iv.data(), iv.size()).c_str());
54     }
55     printf("%s = %s\r\n", in_label.c_str(),
56            EncodeHex(in.data(), in.size()).c_str());
57 
58     if (!ctx->has_iv) {  // ECB mode
59       for (int j = 0; j < 1000; j++) {
60         prev_result = result;
61         if (!CipherOperation(cipher, &result, encrypt, key, iv, in)) {
62           return false;
63         }
64         in = result;
65       }
66     } else {
67       for (int j = 0; j < 1000; j++) {
68         prev_result = result;
69         if (j > 0) {
70           if (encrypt) {
71             iv = result;
72           } else {
73             iv = prev_in;
74           }
75         }
76 
77         if (!CipherOperation(cipher, &result, encrypt, key, iv, in)) {
78           return false;
79         }
80 
81         prev_in = in;
82 
83         if (j == 0) {
84           in = iv;
85         } else {
86           in = prev_result;
87         }
88       }
89     }
90 
91     printf("%s = %s\r\n\r\n", result_label.c_str(),
92            EncodeHex(result.data(), result.size()).c_str());
93 
94     const size_t key_len = key.size() * 8;
95     if (key_len == 128) {
96       for (size_t k = 0; k < key.size(); k++) {
97         key[k] ^= result[k];
98       }
99     } else if (key_len == 192) {
100       for (size_t k = 0; k < key.size(); k++) {
101         // Key[i+1] = Key[i] xor (last 64-bits of CT[j-1] || CT[j])
102         if (k < 8) {
103           key[k] ^= prev_result[prev_result.size() - 8 + k];
104         } else {
105           key[k] ^= result[k - 8];
106         }
107       }
108     } else {  // key_len == 256
109       for (size_t k = 0; k < key.size(); k++) {
110         // Key[i+1] = Key[i] xor (CT[j-1] || CT[j])
111         if (k < 16) {
112           key[k] ^= prev_result[k];
113         } else {
114           key[k] ^= result[k - 16];
115         }
116       }
117     }
118 
119     if (ctx->has_iv) {
120       iv = result;
121       in = prev_result;
122     } else {
123       in = result;
124     }
125   }
126 
127   return true;
128 }
129 
TestCipher(FileTest * t,void * arg)130 static bool TestCipher(FileTest *t, void *arg) {
131   TestCtx *ctx = reinterpret_cast<TestCtx *>(arg);
132 
133   if (t->HasInstruction("ENCRYPT") == t->HasInstruction("DECRYPT")) {
134     t->PrintLine("Want either ENCRYPT or DECRYPT");
135     return false;
136   }
137   enum {
138     kEncrypt,
139     kDecrypt,
140   } operation = t->HasInstruction("ENCRYPT") ? kEncrypt : kDecrypt;
141 
142   std::string count;
143   std::vector<uint8_t> key, iv, in, result;
144   if (!t->GetAttribute(&count, "COUNT") ||
145       !t->GetBytes(&key, "KEY") ||
146       (ctx->has_iv && !t->GetBytes(&iv, "IV"))) {
147     return false;
148   }
149 
150   const EVP_CIPHER *cipher = ctx->cipher;
151   if (operation == kEncrypt) {
152     if (!t->GetBytes(&in, "PLAINTEXT")) {
153       return false;
154     }
155   } else {  // operation == kDecrypt
156     if (!t->GetBytes(&in, "CIPHERTEXT")) {
157       return false;
158     }
159   }
160 
161   if (ctx->mode == TestCtx::kKAT) {
162     if (!CipherOperation(cipher, &result, operation == kEncrypt, key, iv, in)) {
163       return false;
164     }
165     const std::string label =
166         operation == kEncrypt ? "CIPHERTEXT" : "PLAINTEXT";
167     printf("%s%s = %s\r\n\r\n", t->CurrentTestToString().c_str(), label.c_str(),
168            EncodeHex(result.data(), result.size()).c_str());
169   } else {  // ctx->mode == kMCT
170     const std::string op_label =
171         operation == kEncrypt ? "[ENCRYPT]" : "[DECRYPT]";
172     printf("%s\r\n\r\n", op_label.c_str());
173     if (!MonteCarlo(ctx, t, cipher, &result, operation == kEncrypt, key, iv,
174                     in)) {
175       return false;
176     }
177     if (operation == kEncrypt) {
178       // MCT tests contain a stray blank line after the ENCRYPT section.
179       printf("\r\n");
180     }
181   }
182 
183   return true;
184 }
185 
usage(char * arg)186 static int usage(char *arg) {
187   fprintf(stderr, "usage: %s (kat|mct) <cipher> <test file>\n", arg);
188   return 1;
189 }
190 
cavp_aes_test_main(int argc,char ** argv)191 int cavp_aes_test_main(int argc, char **argv) {
192   if (argc != 4) {
193     return usage(argv[0]);
194   }
195 
196   const std::string tm(argv[1]);
197   enum TestCtx::Mode test_mode;
198   if (tm == "kat") {
199     test_mode = TestCtx::kKAT;
200   } else if (tm == "mct") {
201     test_mode = TestCtx::kMCT;
202   } else {
203     fprintf(stderr, "invalid test_mode: %s\n", tm.c_str());
204     return usage(argv[0]);
205   }
206 
207   const std::string cipher_name(argv[2]);
208   const EVP_CIPHER *cipher = GetCipher(argv[2]);
209   if (cipher == nullptr) {
210     fprintf(stderr, "invalid cipher: %s\n", argv[2]);
211     return 1;
212   }
213   const bool has_iv =
214       (cipher_name != "aes-128-ecb" &&
215        cipher_name != "aes-192-ecb" &&
216        cipher_name != "aes-256-ecb");
217 
218   TestCtx ctx = {cipher, has_iv, test_mode};
219 
220   FileTest::Options opts;
221   opts.path = argv[3];
222   opts.callback = TestCipher;
223   opts.arg = &ctx;
224   opts.silent = true;
225   opts.comment_callback = EchoComment;
226   return FileTestMain(opts);
227 }
228