diff options
| -rw-r--r-- | src/crypto/aes.c | 5 | ||||
| -rw-r--r-- | src/crypto/gcm.c | 531 | ||||
| -rw-r--r-- | src/include/ipxe/aes.h | 1 | ||||
| -rw-r--r-- | src/include/ipxe/crypto.h | 1 | ||||
| -rw-r--r-- | src/include/ipxe/gcm.h | 132 | ||||
| -rw-r--r-- | src/tests/gcm_test.c | 401 | ||||
| -rw-r--r-- | src/tests/tests.c | 1 |
7 files changed, 1072 insertions, 0 deletions
diff --git a/src/crypto/aes.c b/src/crypto/aes.c index 4a7668b6b..aeeaa1d2c 100644 --- a/src/crypto/aes.c +++ b/src/crypto/aes.c @@ -38,6 +38,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); #include <ipxe/crypto.h> #include <ipxe/ecb.h> #include <ipxe/cbc.h> +#include <ipxe/gcm.h> #include <ipxe/aes.h> /** AES strides @@ -798,3 +799,7 @@ ECB_CIPHER ( aes_ecb, aes_ecb_algorithm, /* AES in Cipher Block Chaining mode */ CBC_CIPHER ( aes_cbc, aes_cbc_algorithm, aes_algorithm, struct aes_context, AES_BLOCKSIZE ); + +/* AES in Galois/Counter mode */ +GCM_CIPHER ( aes_gcm, aes_gcm_algorithm, + aes_algorithm, struct aes_context, AES_BLOCKSIZE ); diff --git a/src/crypto/gcm.c b/src/crypto/gcm.c new file mode 100644 index 000000000..dfccd16ef --- /dev/null +++ b/src/crypto/gcm.c @@ -0,0 +1,531 @@ +/* + * Copyright (C) 2022 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +/** @file + * + * Galois/Counter Mode (GCM) + * + * The GCM algorithm is specified in + * + * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf + * https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf + * + */ + +#include <stdint.h> +#include <string.h> +#include <byteswap.h> +#include <ipxe/crypto.h> +#include <ipxe/gcm.h> + +/** + * GCM field polynomial + * + * GCM treats 128-bit blocks as polynomials in GF(2^128) with the + * field polynomial f(x) = 1 + x + x^2 + x^7 + x^128. + * + * In a somewhat bloody-minded interpretation of "big-endian", the + * constant term (with degree zero) is arbitrarily placed in the + * leftmost bit of the big-endian binary representation (i.e. the most + * significant bit of byte 0), thereby failing to correspond to the + * bit ordering in any CPU architecture in existence. This + * necessitates some wholly gratuitous byte reversals when + * constructing the multiplication tables, since all CPUs will treat + * bit 0 as being the least significant bit within a byte. + * + * The field polynomial maps to the 128-bit constant + * 0xe1000000000000000000000000000000 (with the x^128 term outside the + * 128-bit range), and can therefore be treated as a single-byte + * value. + */ +#define GCM_POLY 0xe1 + +/** + * Hash key for which multiplication tables are cached + * + * GCM operates much more efficiently with a cached multiplication + * table, which costs 4kB per hash key. Since this exceeds the + * available stack space, we place a single 4kB cache in .bss and + * recalculate the cached values as required. In the common case of a + * single HTTPS connection being used to download a (relatively) large + * file, the same key will be used repeatedly for almost all GCM + * operations, and so the overhead of recalculation is negligible. + */ +static const union gcm_block *gcm_cached_key; + +/** + * Cached multiplication table (M0) for Shoup's method + * + * Each entry within this table represents the result of multiplying + * the cached hash key by an arbitrary 8-bit polynomial. + */ +static union gcm_block gcm_cached_mult[256]; + +/** + * Cached reduction table (R) for Shoup's method + * + * Each entry within this table represents the result of multiplying + * the fixed polynomial x^128 by an arbitrary 8-bit polynomial. Only + * the leftmost 16 bits are stored, since all other bits within the + * result will always be zero. + */ +static uint16_t gcm_cached_reduce[256]; + +/** + * Reverse bits in a byte + * + * @v byte Byte + * @ret etyb Bit-reversed byte + */ +static inline __attribute__ (( always_inline )) uint8_t +gcm_reverse ( const uint8_t byte ) { + uint8_t etyb = etyb; + uint8_t mask; + + for ( mask = 1 ; mask ; mask <<= 1 ) { + etyb <<= 1; + if ( byte & mask ) + etyb |= 1; + } + return etyb; +} + +/** + * Update GCM counter + * + * @v ctr Counter + * @v delta Amount to add to counter + */ +static inline __attribute__ (( always_inline )) void +gcm_count ( union gcm_block *ctr, uint32_t delta ) { + uint32_t *value = &ctr->ctr.value; + + /* Update counter modulo 2^32 */ + *value = cpu_to_be32 ( be32_to_cpu ( *value ) + delta ); +} + +/** + * XOR partial data block + * + * @v src1 Source buffer 1 + * @v src2 Source buffer 2 + * @v dst Destination buffer + * @v len Length + */ +static inline void gcm_xor ( const void *src1, const void *src2, void *dst, + size_t len ) { + uint8_t *dst_bytes = dst; + const uint8_t *src1_bytes = src1; + const uint8_t *src2_bytes = src2; + + /* XOR one byte at a time */ + while ( len-- ) + *(dst_bytes++) = ( *(src1_bytes++) ^ *(src2_bytes++) ); +} + +/** + * XOR whole data block in situ + * + * @v src Source block + * @v dst Destination block + */ +static inline void gcm_xor_block ( const union gcm_block *src, + union gcm_block *dst ) { + + /* XOR whole dwords */ + dst->dword[0] ^= src->dword[0]; + dst->dword[1] ^= src->dword[1]; + dst->dword[2] ^= src->dword[2]; + dst->dword[3] ^= src->dword[3]; +} + +/** + * Multiply polynomial by (x) + * + * @v mult Multiplicand + * @v res Result + */ +static void gcm_multiply_x ( const union gcm_block *mult, + union gcm_block *res ) { + unsigned int i; + uint8_t byte; + uint8_t carry; + + /* Multiply by (x) by shifting all bits rightward */ + for ( i = 0, carry = 0 ; i < sizeof ( res->byte ) ; i++ ) { + byte = mult->byte[i]; + res->byte[i] = ( ( carry << 7 ) | ( byte >> 1 ) ); + carry = ( byte & 0x01 ); + } + + /* If result overflows, reduce modulo the field polynomial */ + if ( carry ) + res->byte[0] ^= GCM_POLY; +} + +/** + * Construct cached tables + * + * @v key Hash key + * @v context Context + */ +static void gcm_cache ( const union gcm_block *key ) { + union gcm_block *mult; + uint16_t reduce; + unsigned int this; + unsigned int other; + unsigned int i; + + /* Calculate M0[1..255] and R[1..255] + * + * The R[] values are independent of the key, but the overhead + * of recalculating them here is negligible and saves on + * overall code size since the calculations are related. + */ + for ( i = 1 ; i < 256 ; i++ ) { + + /* Reverse bit order to compensate for poor life choices */ + this = gcm_reverse ( i ); + + /* Construct entries */ + mult = &gcm_cached_mult[this]; + if ( this & 0x80 ) { + + /* Odd number: entry[i] = entry[i - 1] + poly */ + other = ( this & 0x7f ); /* bit-reversed (i - 1) */ + gcm_xor ( key, &gcm_cached_mult[other], mult, + sizeof ( *mult ) ); + reduce = gcm_cached_reduce[other]; + reduce ^= be16_to_cpu ( GCM_POLY << 8 ); + gcm_cached_reduce[this] = reduce; + + } else { + + /* Even number: entry[i] = entry[i/2] * (x) */ + other = ( this << 1 ); /* bit-reversed (i / 2) */ + gcm_multiply_x ( &gcm_cached_mult[other], mult ); + reduce = be16_to_cpu ( gcm_cached_reduce[other] ); + reduce >>= 1; + gcm_cached_reduce[this] = cpu_to_be16 ( reduce ); + } + } + + /* Record cached key */ + gcm_cached_key = key; +} + +/** + * Multiply polynomial by (x^8) in situ + * + * @v poly Multiplicand and result + */ +static void gcm_multiply_x_8 ( union gcm_block *poly ) { + uint8_t *byte; + uint8_t msb; + + /* Reduction table must already have been calculated */ + assert ( gcm_cached_key != NULL ); + + /* Record most significant byte */ + byte = &poly->byte[ sizeof ( poly->byte ) - 1 ]; + msb = *byte; + + /* Multiply least significant bytes by shifting */ + for ( ; byte > &poly->byte[0] ; byte-- ) + *byte = *( byte - 1 ); + *byte = 0; + + /* Multiply most significant byte via reduction table */ + poly->word[0] ^= gcm_cached_reduce[msb]; +} + +/** + * Multiply polynomial by hash key in situ + * + * @v key Hash key + * @v poly Multiplicand and result + */ +static void gcm_multiply_key ( const union gcm_block *key, + union gcm_block *poly ) { + union gcm_block res; + uint8_t *byte; + + /* Construct tables, if necessary */ + if ( gcm_cached_key != key ) + gcm_cache ( key ); + + /* Multiply using Shoup's algorithm */ + byte = &poly->byte[ sizeof ( poly->byte ) - 1 ]; + memcpy ( &res, &gcm_cached_mult[ *byte ], sizeof ( res ) ); + for ( byte-- ; byte >= &poly->byte[0] ; byte-- ) { + gcm_multiply_x_8 ( &res ); + gcm_xor_block ( &gcm_cached_mult[ *byte ], &res ); + } + + /* Overwrite result */ + memcpy ( poly, &res, sizeof ( *poly ) ); +} + +/** + * Encrypt/decrypt/authenticate data + * + * @v context Context + * @v src Input data, or NULL to process additional data + * @v dst Output data, or NULL to process additional data + * @v hash Hash input data + * @v len Length of data + */ +static void gcm_process ( struct gcm_context *context, const void *src, + void *dst, const void *hash, size_t len ) { + union gcm_block tmp; + uint64_t *total; + size_t frag_len; + unsigned int block; + + /* Sanity checks */ + assert ( hash != NULL ); + assert ( ( ( src == NULL ) && ( dst == NULL ) ) || + ( ( hash == src ) || ( hash == dst ) ) ); + + /* Calculate block number (for debugging) */ + block = ( ( ( context->len.len.add + 8 * sizeof ( tmp ) - 1 ) / + ( 8 * sizeof ( tmp ) ) ) + + ( ( context->len.len.data + 8 * sizeof ( tmp ) - 1 ) / + ( 8 * sizeof ( tmp ) ) ) + 1 ); + + /* Update total length (in bits) */ + total = ( src ? &context->len.len.data : &context->len.len.add ); + *total += ( len * 8 ); + + /* Process data */ + for ( ; len ; hash += frag_len, len -= frag_len, block++ ) { + + /* Calculate fragment length */ + frag_len = len; + if ( frag_len > sizeof ( tmp ) ) + frag_len = sizeof ( tmp ); + + /* Encrypt/decrypt block, if applicable */ + if ( dst ) { + + /* Increment counter */ + gcm_count ( &context->ctr, 1 ); + + /* Encrypt counter */ + DBGC2 ( context, "GCM %p Y[%d]:\n", context, block ); + DBGC2_HDA ( context, 0, &context->ctr, + sizeof ( context->ctr ) ); + cipher_encrypt ( context->raw_cipher, &context->raw_ctx, + &context->ctr, &tmp, sizeof ( tmp ) ); + DBGC2 ( context, "GCM %p E(K,Y[%d]):\n", + context, block ); + DBGC2_HDA ( context, 0, &tmp, sizeof ( tmp ) ); + + /* Encrypt/decrypt data */ + gcm_xor ( src, &tmp, dst, frag_len ); + src += frag_len; + dst += frag_len; + } + + /* Update hash */ + gcm_xor ( hash, &context->hash, &context->hash, frag_len ); + gcm_multiply_key ( &context->key, &context->hash ); + DBGC2 ( context, "GCM %p X[%d]:\n", context, block ); + DBGC2_HDA ( context, 0, &context->hash, + sizeof ( context->hash ) ); + } +} + +/** + * Construct hash + * + * @v context Context + * @v hash Hash to fill in + */ +static void gcm_hash ( struct gcm_context *context, union gcm_block *hash ) { + + /* Construct big-endian lengths block */ + hash->len.add = cpu_to_be64 ( context->len.len.add ); + hash->len.data = cpu_to_be64 ( context->len.len.data ); + DBGC2 ( context, "GCM %p len(A)||len(C):\n", context ); + DBGC2_HDA ( context, 0, hash, sizeof ( *hash ) ); + + /* Update hash */ + gcm_xor_block ( &context->hash, hash ); + gcm_multiply_key ( &context->key, hash ); + DBGC2 ( context, "GCM %p GHASH(H,A,C):\n", context ); + DBGC2_HDA ( context, 0, hash, sizeof ( *hash ) ); +} + +/** + * Construct tag + * + * @v context Context + * @v tag Tag + */ +void gcm_tag ( struct gcm_context *context, union gcm_block *tag ) { + union gcm_block tmp; + uint32_t offset; + + /* Construct hash */ + gcm_hash ( context, tag ); + + /* Construct encrypted initial counter value */ + memcpy ( &tmp, &context->ctr, sizeof ( tmp ) ); + offset = ( ( -context->len.len.data ) / ( 8 * sizeof ( tmp ) ) ); + gcm_count ( &tmp, offset ); + cipher_encrypt ( context->raw_cipher, &context->raw_ctx, &tmp, + &tmp, sizeof ( tmp ) ); + DBGC2 ( context, "GCM %p E(K,Y[0]):\n", context ); + DBGC2_HDA ( context, 0, &tmp, sizeof ( tmp ) ); + + /* Construct tag */ + gcm_xor_block ( &tmp, tag ); + DBGC2 ( context, "GCM %p T:\n", context ); + DBGC2_HDA ( context, 0, tag, sizeof ( *tag ) ); +} + +/** + * Set key + * + * @v context Context + * @v key Key + * @v keylen Key length + * @v raw_cipher Underlying cipher + * @ret rc Return status code + */ +int gcm_setkey ( struct gcm_context *context, const void *key, size_t keylen, + struct cipher_algorithm *raw_cipher ) { + int rc; + + /* Initialise GCM context */ + memset ( context, 0, sizeof ( *context ) ); + context->raw_cipher = raw_cipher; + + /* Set underlying block cipher key */ + if ( ( rc = cipher_setkey ( raw_cipher, context->raw_ctx, key, + keylen ) ) != 0 ) + return rc; + + /* Construct GCM hash key */ + cipher_encrypt ( raw_cipher, context->raw_ctx, &context->ctr, + &context->key, sizeof ( context->key ) ); + DBGC2 ( context, "GCM %p H:\n", context ); + DBGC2_HDA ( context, 0, &context->key, sizeof ( context->key ) ); + + /* Reset counter */ + context->ctr.ctr.value = cpu_to_be32 ( 1 ); + + /* Construct cached tables */ + gcm_cache ( &context->key ); + + return 0; +} + +/** + * Set initialisation vector + * + * @v ctx Context + * @v iv Initialisation vector + * @v ivlen Initialisation vector length + */ +void gcm_setiv ( struct gcm_context *context, const void *iv, size_t ivlen ) { + + /* Reset counter */ + memset ( context->ctr.ctr.iv, 0, sizeof ( context->ctr.ctr.iv ) ); + context->ctr.ctr.value = cpu_to_be32 ( 1 ); + + /* Process initialisation vector */ + if ( ivlen == sizeof ( context->ctr.ctr.iv ) ) { + + /* Initialisation vector is exactly 96 bits, use it as-is */ + memcpy ( context->ctr.ctr.iv, iv, ivlen ); + + } else { + + /* Calculate hash over initialisation vector */ + gcm_process ( context, iv, NULL, iv, ivlen ); + gcm_hash ( context, &context->ctr ); + + /* Reset accumulated hash */ + memset ( &context->hash, 0, sizeof ( context->hash ) ); + + /* Reset data lengths */ + assert ( context->len.len.add == 0 ); + context->len.len.data = 0; + } + + DBGC2 ( context, "GCM %p Y[0]:\n", context ); + DBGC2_HDA ( context, 0, &context->ctr, sizeof ( context->ctr ) ); +} + +/** + * Encrypt data + * + * @v context Context + * @v src Data to encrypt + * @v dst Buffer for encrypted data, or NULL for additional data + * @v len Length of data + */ +void gcm_encrypt ( struct gcm_context *context, const void *src, void *dst, + size_t len ) { + const void *hash; + + /* Determine hash input */ + if ( dst ) { + /* Encrypting: hash the encrypted data */ + hash = dst; + } else { + /* Authenticating: hash the input data */ + hash = src; + src = NULL; + } + + /* Process data */ + gcm_process ( context, src, dst, hash, len ); +} + +/** + * Decrypt data + * + * @v context Context + * @v src Data to decrypt + * @v dst Buffer for decrypted data, or NULL for additional data + * @v len Length of data + */ +void gcm_decrypt ( struct gcm_context *context, const void *src, void *dst, + size_t len ) { + const void *hash; + + /* Determine hash input */ + hash = src; + if ( ! dst ) { + /* Authenticating: only hash */ + src = NULL; + } + + /* Process data */ + gcm_process ( context, src, dst, hash, len ); +} diff --git a/src/include/ipxe/aes.h b/src/include/ipxe/aes.h index 0432e43ee..8731de6ba 100644 --- a/src/include/ipxe/aes.h +++ b/src/include/ipxe/aes.h @@ -47,6 +47,7 @@ struct aes_context { extern struct cipher_algorithm aes_algorithm; extern struct cipher_algorithm aes_ecb_algorithm; extern struct cipher_algorithm aes_cbc_algorithm; +extern struct cipher_algorithm aes_gcm_algorithm; int aes_wrap ( const void *kek, const void *src, void *dest, int nblk ); int aes_unwrap ( const void *kek, const void *src, void *dest, int nblk ); diff --git a/src/include/ipxe/crypto.h b/src/include/ipxe/crypto.h index e807aeb52..842f2f633 100644 --- a/src/include/ipxe/crypto.h +++ b/src/include/ipxe/crypto.h @@ -11,6 +11,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); #include <stdint.h> #include <stddef.h> +#include <assert.h> /** A message digest algorithm */ struct digest_algorithm { diff --git a/src/include/ipxe/gcm.h b/src/include/ipxe/gcm.h new file mode 100644 index 000000000..658685486 --- /dev/null +++ b/src/include/ipxe/gcm.h @@ -0,0 +1,132 @@ +#ifndef _IPXE_GCM_H +#define _IPXE_GCM_H + +/** @file + * + * Galois/Counter Mode (GCM) + * + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <stdint.h> +#include <ipxe/crypto.h> + +/** A GCM counter */ +struct gcm_counter { + /** Initialisation vector */ + uint8_t iv[12]; + /** Counter value */ + uint32_t value; +} __attribute__ (( packed )); + +/** A GCM length pair */ +struct gcm_lengths { + /** Additional data length */ + uint64_t add; + /** Data length */ + uint64_t data; +} __attribute__ (( packed )); + +/** A GCM block */ +union gcm_block { + /** Raw bytes */ + uint8_t byte[16]; + /** Raw words */ + uint16_t word[8]; + /** Raw dwords */ + uint32_t dword[4]; + /** Counter */ + struct gcm_counter ctr; + /** Lengths */ + struct gcm_lengths len; +} __attribute__ (( packed )); + +/** GCM context */ +struct gcm_context { + /** Hash key (H) */ + union gcm_block key; + /** Counter (Y) */ + union gcm_block ctr; + /** Accumulated hash (X) */ + union gcm_block hash; + /** Accumulated lengths */ + union gcm_block len; + /** Underlying block cipher */ + struct cipher_algorithm *raw_cipher; + /** Underlying block cipher context */ + uint8_t raw_ctx[0]; +}; + +extern void gcm_tag ( struct gcm_context *context, union gcm_block *tag ); +extern int gcm_setkey ( struct gcm_context *context, const void *key, + size_t keylen, struct cipher_algorithm *raw_cipher ); +extern void gcm_setiv ( struct gcm_context *context, const void *iv, + size_t ivlen ); +extern void gcm_encrypt ( struct gcm_context *context, const void *src, + void *dst, size_t len ); +extern void gcm_decrypt ( struct gcm_context *context, const void *src, + void *dst, size_t len ); + +/** + * Create a GCM mode of behaviour of an existing cipher + * + * @v _cbc_name Name for the new CBC cipher + * @v _cbc_cipher New cipher algorithm + * @v _raw_cipher Underlying cipher algorithm + * @v _raw_context Context structure for the underlying cipher + * @v _blocksize Cipher block size + */ +#define GCM_CIPHER( _gcm_name, _gcm_cipher, _raw_cipher, _raw_context, \ + _blocksize ) \ +struct _gcm_name ## _context { \ + /** GCM context */ \ + struct gcm_context gcm; \ + /** Underlying block cipher context */ \ + _raw_context raw; \ +}; \ +static int _gcm_name ## _setkey ( void *ctx, const void *key, \ + size_t keylen ) { \ + struct _gcm_name ## _context *context = ctx; \ + linker_assert ( _blocksize == sizeof ( context->gcm.key ), \ + _gcm_name ## _unsupported_blocksize ); \ + linker_assert ( ( ( void * ) &context->gcm ) == ctx, \ + _gcm_name ## _context_layout_error ); \ + linker_assert ( ( ( void * ) &context->raw ) == \ + ( ( void * ) context->gcm.raw_ctx ), \ + _gcm_name ## _context_layout_error ); \ + return gcm_setkey ( &context->gcm, key, keylen, &_raw_cipher ); \ +} \ +static void _gcm_name ## _setiv ( void *ctx, const void *iv, \ + size_t ivlen ) { \ + struct _gcm_name ## _context *context = ctx; \ + gcm_setiv ( &context->gcm, iv, ivlen ); \ +} \ +static void _gcm_name ## _encrypt ( void *ctx, const void *src, \ + void *dst, size_t len ) { \ + struct _gcm_name ## _context *context = ctx; \ + gcm_encrypt ( &context->gcm, src, dst, len ); \ +} \ +static void _gcm_name ## _decrypt ( void *ctx, const void *src, \ + void *dst, size_t len ) { \ + struct _gcm_name ## _context *context = ctx; \ + gcm_decrypt ( &context->gcm, src, dst, len ); \ +} \ +static void _gcm_name ## _auth ( void *ctx, void *auth ) { \ + struct _gcm_name ## _context *context = ctx; \ + union gcm_block *tag = auth; \ + gcm_tag ( &context->gcm, tag ); \ +} \ +struct cipher_algorithm _gcm_cipher = { \ + .name = #_gcm_name, \ + .ctxsize = sizeof ( struct _gcm_name ## _context ), \ + .blocksize = 1, \ + .authsize = sizeof ( union gcm_block ), \ + .setkey = _gcm_name ## _setkey, \ + .setiv = _gcm_name ## _setiv, \ + .encrypt = _gcm_name ## _encrypt, \ + .decrypt = _gcm_name ## _decrypt, \ + .auth = _gcm_name ## _auth, \ +}; + +#endif /* _IPXE_GCM_H */ diff --git a/src/tests/gcm_test.c b/src/tests/gcm_test.c new file mode 100644 index 000000000..04a42b5c9 --- /dev/null +++ b/src/tests/gcm_test.c @@ -0,0 +1,401 @@ +/* + * Copyright (C) 2022 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +/** @file + * + * Galois/Counter Mode (GCM) tests + * + * These test vectors are provided by NIST as part of the GCM proposed + * specification document (which, unlike the final published + * specification document, includes test vectors with intermediate + * values): + * + * https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf + * + */ + +/* Forcibly enable assertions */ +#undef NDEBUG + +#include <string.h> +#include <ipxe/gcm.h> +#include <ipxe/aes.h> +#include <ipxe/test.h> +#include "cipher_test.h" + +/** 128-bit zero key */ +#define GCM_KEY_128_ZERO \ + KEY ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ) + +/** 128-bit key */ +#define GCM_KEY_128 \ + KEY ( 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 0x6d, \ + 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 ) + +/** 192-bit zero key */ +#define GCM_KEY_192_ZERO \ + KEY ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ) + +/** 192-bit key */ +#define GCM_KEY_192 \ + KEY ( 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 0x6d, \ + 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, 0xfe, 0xff, \ + 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c ) + +/** 256-bit zero key */ +#define GCM_KEY_256_ZERO \ + KEY ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \ + 0x00, 0x00, 0x00, 0x00, 0x00 ) + +/** 256-bit key */ +#define GCM_KEY_256 \ + KEY ( 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 0x6d, \ + 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, 0xfe, 0xff, \ + 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 0x6d, 0x6a, 0x8f, \ + 0x94, 0x67, 0x30, 0x83, 0x08 ) + +/** 64-bit IV */ +#define GCM_IV_64 \ + IV ( 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad ) + +/** 96-bit zero IV */ +#define GCM_IV_96_ZERO \ + IV ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \ + 0x00, 0x00, 0x00 ) + +/** 96-bit IV */ +#define GCM_IV_96 \ + IV ( 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 0xde, \ + 0xca, 0xf8, 0x88 ) + +/** 480-bit IV */ +#define GCM_IV_480 \ + IV ( 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5, 0x55, \ + 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa, 0x6a, 0x7a, \ + 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1, 0xe4, 0xc3, 0x03, \ + 0xd2, 0xa3, 0x18, 0xa7, 0x28, 0xc3, 0xc0, 0xc9, 0x51, \ + 0x56, 0x80, 0x95, 0x39, 0xfc, 0xf0, 0xe2, 0x42, 0x9a, \ + 0x6b, 0x52, 0x54, 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, \ + 0x6a, 0x57, 0xa6, 0x37, 0xb3, 0x9b ) + +/** Empty additional data */ +#define GCM_ADDITIONAL_EMPTY ADDITIONAL() + +/** 160-bit additional data */ +#define GCM_ADDITIONAL_160 \ + ADDITIONAL ( 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, \ + 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, \ + 0xab, 0xad, 0xda, 0xd2 ) + +/** Empty plaintext */ +#define GCM_PLAINTEXT_EMPTY PLAINTEXT() + +/** 128-bit zero plaintext */ +#define GCM_PLAINTEXT_128_ZERO \ + PLAINTEXT ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ) + +/** 512-bit plaintext */ +#define GCM_PLAINTEXT_512 \ + PLAINTEXT ( 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, \ + 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, \ + 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, \ + 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, \ + 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, \ + 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, \ + 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, \ + 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 ) + +/** 480-bit plaintext */ +#define GCM_PLAINTEXT_480 \ + PLAINTEXT ( 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, \ + 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, \ + 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, \ + 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, \ + 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, \ + 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, \ + 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, \ + 0xba, 0x63, 0x7b, 0x39 ) + +/** Test 1 */ +CIPHER_TEST ( gcm_test_1, &aes_gcm_algorithm, GCM_KEY_128_ZERO, + GCM_IV_96_ZERO, GCM_ADDITIONAL_EMPTY, GCM_PLAINTEXT_EMPTY, + CIPHERTEXT(), + AUTH ( 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61, 0x36, + 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a ) ); + +/** Test 2 */ +CIPHER_TEST ( gcm_test_2, &aes_gcm_algorithm, GCM_KEY_128_ZERO, + GCM_IV_96_ZERO, GCM_ADDITIONAL_EMPTY, GCM_PLAINTEXT_128_ZERO, + CIPHERTEXT ( 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92, + 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 ), + AUTH ( 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd, 0xf5, + 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf ) ); + +/** Test 3 */ +CIPHER_TEST ( gcm_test_3, &aes_gcm_algorithm, GCM_KEY_128, + GCM_IV_96, GCM_ADDITIONAL_EMPTY, GCM_PLAINTEXT_512, + CIPHERTEXT ( 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, + 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, + 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, + 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, + 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, + 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, + 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, + 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 ), + AUTH ( 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6, 0x2c, + 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 ) ); + +/** Test 4 */ +CIPHER_TEST ( gcm_test_4, &aes_gcm_algorithm, GCM_KEY_128, + GCM_IV_96, GCM_ADDITIONAL_160, GCM_PLAINTEXT_480, + CIPHERTEXT ( 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, + 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, + 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, + 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, + 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, + 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, + 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, + 0x3d, 0x58, 0xe0, 0x91 ), + AUTH ( 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb, 0x94, + 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47 ) ); + +/** Test 5 */ +CIPHER_TEST ( gcm_test_5, &aes_gcm_algorithm, GCM_KEY_128, + GCM_IV_64, GCM_ADDITIONAL_160, GCM_PLAINTEXT_480, + CIPHERTEXT ( 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a, + 0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55, + 0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8, + 0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23, + 0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2, + 0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42, + 0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07, + 0xc2, 0x3f, 0x45, 0x98 ), + AUTH ( 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85, 0x56, + 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb ) ); + +/** Test 6 */ +CIPHER_TEST ( gcm_test_6, &aes_gcm_algorithm, GCM_KEY_128, + GCM_IV_480, GCM_ADDITIONAL_160, GCM_PLAINTEXT_480, + CIPHERTEXT ( 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6, + 0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94, + 0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8, + 0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7, + 0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90, + 0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f, + 0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03, + 0x4c, 0x34, 0xae, 0xe5 ), + AUTH ( 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa, 0x46, + 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50 ) ); + +/** Test 7 */ +CIPHER_TEST ( gcm_test_7, &aes_gcm_algorithm, GCM_KEY_192_ZERO, + GCM_IV_96_ZERO, GCM_ADDITIONAL_EMPTY, GCM_PLAINTEXT_EMPTY, + CIPHERTEXT(), + AUTH ( 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b, 0xa0, + 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35 ) ); + +/** Test 8 */ +CIPHER_TEST ( gcm_test_8, &aes_gcm_algorithm, GCM_KEY_192_ZERO, + GCM_IV_96_ZERO, GCM_ADDITIONAL_EMPTY, GCM_PLAINTEXT_128_ZERO, + CIPHERTEXT ( 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41, + 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00 ), + AUTH ( 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab, 0x8e, + 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb ) ); + +/** Test 9 */ +CIPHER_TEST ( gcm_test_9, &aes_gcm_algorithm, GCM_KEY_192, + GCM_IV_96, GCM_ADDITIONAL_EMPTY, GCM_PLAINTEXT_512, + CIPHERTEXT ( 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41, + 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57, + 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84, + 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c, + 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25, + 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47, + 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9, + 0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56 ), + AUTH ( 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf, 0xb1, + 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14 ) ); + +/** Test 10 */ +CIPHER_TEST ( gcm_test_10, &aes_gcm_algorithm, GCM_KEY_192, + GCM_IV_96, GCM_ADDITIONAL_160, GCM_PLAINTEXT_480, + CIPHERTEXT ( 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41, + 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57, + 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84, + 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c, + 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25, + 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47, + 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9, + 0xcc, 0xda, 0x27, 0x10 ), + AUTH ( 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f, 0x37, + 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c ) ); + +/** Test 11 */ +CIPHER_TEST ( gcm_test_11, &aes_gcm_algorithm, GCM_KEY_192, + GCM_IV_64, GCM_ADDITIONAL_160, GCM_PLAINTEXT_480, + CIPHERTEXT ( 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54, + 0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8, + 0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f, + 0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57, + 0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75, + 0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9, + 0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f, + 0xa0, 0xf0, 0x62, 0xf7 ), + AUTH ( 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24, 0x09, + 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8 ) ); + +/** Test 12 */ +CIPHER_TEST ( gcm_test_12, &aes_gcm_algorithm, GCM_KEY_192, + GCM_IV_480, GCM_ADDITIONAL_160, GCM_PLAINTEXT_480, + CIPHERTEXT ( 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c, + 0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff, + 0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef, + 0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45, + 0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9, + 0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3, + 0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7, + 0xe9, 0xb7, 0x37, 0x3b ), + AUTH ( 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb, 0xb8, + 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 ) ); + +/** Test 13 */ +CIPHER_TEST ( gcm_test_13, &aes_gcm_algorithm, GCM_KEY_256_ZERO, + GCM_IV_96_ZERO, GCM_ADDITIONAL_EMPTY, GCM_PLAINTEXT_EMPTY, + CIPHERTEXT(), + AUTH ( 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9, 0xa9, + 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b ) ); + +/** Test 14 */ +CIPHER_TEST ( gcm_test_14, &aes_gcm_algorithm, GCM_KEY_256_ZERO, + GCM_IV_96_ZERO, GCM_ADDITIONAL_EMPTY, GCM_PLAINTEXT_128_ZERO, + CIPHERTEXT ( 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e, + 0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18 ), + AUTH ( 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0, 0x26, + 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19 ) ); + +/** Test 15 */ +CIPHER_TEST ( gcm_test_15, &aes_gcm_algorithm, GCM_KEY_256, + GCM_IV_96, GCM_ADDITIONAL_EMPTY, GCM_PLAINTEXT_512, + CIPHERTEXT ( 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07, + 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d, + 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9, + 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa, + 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d, + 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38, + 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a, + 0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad ), + AUTH ( 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd, 0xec, + 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c ) ); + +/** Test 16 */ +CIPHER_TEST ( gcm_test_16, &aes_gcm_algorithm, GCM_KEY_256, + GCM_IV_96, GCM_ADDITIONAL_160, GCM_PLAINTEXT_480, + CIPHERTEXT ( 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07, + 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d, + 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9, + 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa, + 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d, + 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38, + 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a, + 0xbc, 0xc9, 0xf6, 0x62 ), + AUTH ( 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68, 0xcd, + 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b ) ); + +/** Test 17 */ +CIPHER_TEST ( gcm_test_17, &aes_gcm_algorithm, GCM_KEY_256, + GCM_IV_64, GCM_ADDITIONAL_160, GCM_PLAINTEXT_480, + CIPHERTEXT ( 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32, + 0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb, + 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa, + 0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0, + 0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0, + 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78, + 0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99, + 0xf4, 0x7c, 0x9b, 0x1f ), + AUTH ( 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4, 0x5e, + 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2 ) ); + +/** Test 18 */ +CIPHER_TEST ( gcm_test_18, &aes_gcm_algorithm, GCM_KEY_256, + GCM_IV_480, GCM_ADDITIONAL_160, GCM_PLAINTEXT_480, + CIPHERTEXT ( 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1, + 0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20, + 0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19, + 0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4, + 0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45, + 0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde, + 0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e, + 0x44, 0xae, 0x7e, 0x3f ), + AUTH ( 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0, 0xc8, + 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a ) ); + +/** + * Perform Galois/Counter Mode self-test + * + */ +static void gcm_test_exec ( void ) { + struct cipher_algorithm *gcm = &aes_gcm_algorithm; + unsigned int keylen; + + /* Correctness tests */ + cipher_ok ( &gcm_test_1 ); + cipher_ok ( &gcm_test_2 ); + cipher_ok ( &gcm_test_3 ); + cipher_ok ( &gcm_test_4 ); + cipher_ok ( &gcm_test_5 ); + cipher_ok ( &gcm_test_6 ); + cipher_ok ( &gcm_test_7 ); + cipher_ok ( &gcm_test_8 ); + cipher_ok ( &gcm_test_9 ); + cipher_ok ( &gcm_test_10 ); + cipher_ok ( &gcm_test_11 ); + cipher_ok ( &gcm_test_12 ); + cipher_ok ( &gcm_test_13 ); + cipher_ok ( &gcm_test_14 ); + cipher_ok ( &gcm_test_15 ); + cipher_ok ( &gcm_test_16 ); + cipher_ok ( &gcm_test_17 ); + cipher_ok ( &gcm_test_18 ); + + /* Speed tests */ + for ( keylen = 128 ; keylen <= 256 ; keylen += 64 ) { + DBG ( "AES-%d-GCM encryption required %ld cycles per byte\n", + keylen, cipher_cost_encrypt ( gcm, ( keylen / 8 ) ) ); + DBG ( "AES-%d-GCM decryption required %ld cycles per byte\n", + keylen, cipher_cost_decrypt ( gcm, ( keylen / 8 ) ) ); + } +} + +/** Galois/Counter Mode self-test */ +struct self_test gcm_test __self_test = { + .name = "gcm", + .exec = gcm_test_exec, +}; diff --git a/src/tests/tests.c b/src/tests/tests.c index 54694fa45..187037d1b 100644 --- a/src/tests/tests.c +++ b/src/tests/tests.c @@ -79,3 +79,4 @@ REQUIRE_OBJECT ( utf8_test ); REQUIRE_OBJECT ( acpi_test ); REQUIRE_OBJECT ( hmac_test ); REQUIRE_OBJECT ( dhe_test ); +REQUIRE_OBJECT ( gcm_test ); |