AES GCM selftests.

author: Dr. Stephen Henson <steve@openssl.org> 2011-02-18 17:09:33 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2011-02-18 17:09:33 +0000
commit: acf254f86efe94788827bc7da9ae167ecc19e6b1 (patch)
tree: fe5d0721f2135622e6b041961cfd9067b37111e3 /fips
parent: 5d439d69552e753debc48461293517b66b0b94b4 (diff)
download: openssl-acf254f86efe94788827bc7da9ae167ecc19e6b1.tar.gz
4 files changed, 144 insertions, 1 deletions
diff --git a/fips/aes/fips_aes_selftest.c b/fips/aes/fips_aes_selftest.c
index 119ddfad50..05f18d1484 100644
--- a/fips/aes/fips_aes_selftest.c
+++ b/fips/aes/fips_aes_selftest.c
@@ -100,4 +100,96 @@ int FIPS_selftest_aes()
 	    FIPSerr(FIPS_F_FIPS_SELFTEST_AES,FIPS_R_SELFTEST_FAILED);
     return ret;
     }
+
+/* AES-GCM test data from NIST public test vectors */
+
+static const unsigned char gcm_key[] = {
+	0xee,0xbc,0x1f,0x57,0x48,0x7f,0x51,0x92,0x1c,0x04,0x65,0x66,
+	0x5f,0x8a,0xe6,0xd1,0x65,0x8b,0xb2,0x6d,0xe6,0xf8,0xa0,0x69,
+	0xa3,0x52,0x02,0x93,0xa5,0x72,0x07,0x8f
+};
+static const unsigned char gcm_iv[] = {
+	0x99,0xaa,0x3e,0x68,0xed,0x81,0x73,0xa0,0xee,0xd0,0x66,0x84
+};
+static const unsigned char gcm_pt[] = {
+	0xf5,0x6e,0x87,0x05,0x5b,0xc3,0x2d,0x0e,0xeb,0x31,0xb2,0xea,
+	0xcc,0x2b,0xf2,0xa5
+};
+static const unsigned char gcm_aad[] = {
+	0x4d,0x23,0xc3,0xce,0xc3,0x34,0xb4,0x9b,0xdb,0x37,0x0c,0x43,
+	0x7f,0xec,0x78,0xde
+};
+static const unsigned char gcm_ct[] = {
+	0xf7,0x26,0x44,0x13,0xa8,0x4c,0x0e,0x7c,0xd5,0x36,0x86,0x7e,
+	0xb9,0xf2,0x17,0x36
+};
+static const unsigned char gcm_tag[] = {
+	0x67,0xba,0x05,0x10,0x26,0x2a,0xe4,0x87,0xd7,0x37,0xee,0x62,
+	0x98,0xf7,0x7e,0x0c
+};
+
+static int corrupt_aes_gcm = 0;
+
+void FIPS_corrupt_aes_gcm(void)
+    {
+    corrupt_aes_gcm = 1;
+    }
+
+int FIPS_selftest_aes_gcm(void)
+	{
+	int ret = 0;
+	unsigned char out[128], tag[16];
+	EVP_CIPHER_CTX ctx;
+	FIPS_cipher_ctx_init(&ctx);
+	FIPS_cipherinit(&ctx, EVP_aes_256_gcm(), NULL, NULL, 1);
+	FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
+					sizeof(gcm_iv), NULL);
+	if (!FIPS_cipherinit(&ctx, NULL, gcm_key, gcm_iv, 1))
+		goto err;
+	if (FIPS_cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
+		goto err;
+	if (FIPS_cipher(&ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
+		goto err;
+	if (FIPS_cipher(&ctx, NULL, NULL, 0) < 0)
+		goto err;
+
+	if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
+		goto err;
+
+	if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
+		goto err;
+
+	/* Modify expected tag value */
+	if (corrupt_aes_gcm)
+		tag[0]++;
+
+	FIPS_cipherinit(&ctx, EVP_aes_256_gcm(), NULL, NULL, 0);
+	FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
+					sizeof(gcm_iv), NULL);
+	if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
+		goto err;
+	if (!FIPS_cipherinit(&ctx, NULL, gcm_key, gcm_iv, 0))
+		goto err;
+	if (FIPS_cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
+		goto err;
+	if (FIPS_cipher(&ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
+		goto err;
+	if (FIPS_cipher(&ctx, NULL, NULL, 0) < 0)
+		goto err;
+
+	if (memcmp(out, gcm_pt, 16))
+		goto err;
+
+	ret = 1;
+
+	err:
+
+	if (ret == 0)
+		FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM,FIPS_R_SELFTEST_FAILED);
+
+	FIPS_cipher_ctx_cleanup(&ctx);
+
+	return ret;
+	}
+
 #endif
diff --git a/fips/fips.c b/fips/fips.c
index 6b5e4d4ccb..4b66537342 100644
--- a/fips/fips.c
+++ b/fips/fips.c
@@ -175,6 +175,7 @@ int FIPS_selftest(void)
     return FIPS_selftest_sha1()
 	&& FIPS_selftest_hmac()
 	&& FIPS_selftest_aes()
+	&& FIPS_selftest_aes_gcm()
 	&& FIPS_selftest_des()
 	&& FIPS_selftest_rsa()
 	&& FIPS_selftest_dsa();
diff --git a/fips/fips.h b/fips/fips.h
index 8087fa178b..dab9bbe45d 100644
--- a/fips/fips.h
+++ b/fips/fips.h
@@ -75,6 +75,8 @@ void FIPS_selftest_check(void);
 void FIPS_corrupt_sha1(void);
 int FIPS_selftest_sha1(void);
 void FIPS_corrupt_aes(void);
+int FIPS_selftest_aes_gcm(void);
+void FIPS_corrupt_aes_gcm(void);
 int FIPS_selftest_aes(void);
 void FIPS_corrupt_des(void);
 int FIPS_selftest_des(void);
@@ -190,6 +192,7 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_F_FIPS_MODE_SET				 108
 #define FIPS_F_FIPS_PKEY_SIGNATURE_TEST			 109
 #define FIPS_F_FIPS_SELFTEST_AES			 110
+#define FIPS_F_FIPS_SELFTEST_AES_GCM			 130
 #define FIPS_F_FIPS_SELFTEST_DES			 111
 #define FIPS_F_FIPS_SELFTEST_DSA			 112
 #define FIPS_F_FIPS_SELFTEST_HMAC			 113
diff --git a/fips/fips_test_suite.c b/fips/fips_test_suite.c
index c02168c309..12970abe58 100644
--- a/fips/fips_test_suite.c
+++ b/fips/fips_test_suite.c
@@ -69,6 +69,47 @@ static int FIPS_aes_test(void)
 	return ret;
 	}
 
+static int FIPS_aes_gcm_test(void)
+	{
+	int ret = 0;
+	unsigned char pltmp[16];
+	unsigned char citmp[16];
+	unsigned char tagtmp[16];
+	unsigned char key[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
+	unsigned char iv[16] = {21,22,23,24,25,26,27,28,29,30,31,32};
+	unsigned char aad[] = "Some text AAD";
+	unsigned char plaintext[16] = "etaonrishdlcu";
+	EVP_CIPHER_CTX ctx;
+	FIPS_cipher_ctx_init(&ctx);
+	if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 1) <= 0)
+		goto err;
+	FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
+	FIPS_cipher(&ctx, citmp, plaintext, 16);
+	FIPS_cipher(&ctx, NULL, NULL, 0);
+	if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tagtmp))
+		goto err;
+
+	if (FIPS_cipherinit(&ctx, EVP_aes_128_gcm(), key, iv, 0) <= 0)
+		goto err;
+	if (!FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tagtmp))
+		goto err;
+
+	FIPS_cipher(&ctx, NULL, aad, sizeof(aad));
+
+	FIPS_cipher(&ctx, pltmp, citmp, 16);
+
+	if (FIPS_cipher(&ctx, NULL, NULL, 0) < 0)
+		goto err;
+
+	if (memcmp(pltmp, plaintext, 16))
+		goto err;
+
+	ret = 1;
+	err:
+	FIPS_cipher_ctx_cleanup(&ctx);
+	return ret;
+	}
+
 static int FIPS_des3_test(void)
 	{
 	int ret = 0;
@@ -440,6 +481,9 @@ int main(int argc,char **argv)
         if (!strcmp(argv[1], "aes")) {
             FIPS_corrupt_aes();
             printf("AES encryption/decryption with corrupted KAT...\n");
+        } else if (!strcmp(argv[1], "aes-gcm")) {
+            FIPS_corrupt_aes_gcm();
+            printf("AES-GCM encryption/decryption with corrupted KAT...\n");
         } else if (!strcmp(argv[1], "des")) {
             FIPS_corrupt_des();
             printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
@@ -508,7 +552,10 @@ int main(int argc,char **argv)
 
     /* AES encryption/decryption
     */
-    test_msg("3. AES encryption/decryption", FIPS_aes_test());
+    test_msg("3a. AES encryption/decryption", FIPS_aes_test());
+    /* AES GCM encryption/decryption
+    */
+    test_msg("3b. AES-GCM encryption/decryption", FIPS_aes_gcm_test());
 
     /* RSA key generation and encryption/decryption
     */
author	Dr. Stephen Henson <steve@openssl.org>	2011-02-18 17:09:33 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2011-02-18 17:09:33 +0000
commit	acf254f86efe94788827bc7da9ae167ecc19e6b1 (patch)
tree	fe5d0721f2135622e6b041961cfd9067b37111e3 /fips
parent	5d439d69552e753debc48461293517b66b0b94b4 (diff)
download	openssl-acf254f86efe94788827bc7da9ae167ecc19e6b1.tar.gz