You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 
strongswan/scripts/aes-test.c

657 lines
15 KiB

/*
* Copyright (C) 2013 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <errno.h>
#include <library.h>
/** plugins to load */
#undef PLUGINS
#define PLUGINS "openssl"
/**
* Context
*/
static struct {
/** input file */
FILE *in;
/** output file */
FILE *out;
/** whether to use GCM or CBC */
bool use_gcm;
/** whether to run the Monte Carlo Test */
bool use_mct;
/** whether to test encryption or decryption */
bool decrypt;
/** IV length in bits in case of GCM */
int ivlen;
/** ICV length in bits in case of GCM */
int icvlen;
} ctx;
/**
* Types of parameters of a test vector
*/
typedef enum {
PARAM_UNKNOWN,
PARAM_COUNT,
PARAM_KEY,
PARAM_IV,
PARAM_PLAINTEXT,
PARAM_CIPHERTEXT,
PARAM_AAD,
PARAM_ICV,
} param_t;
static param_t parse_parameter(char *param)
{
if (strcaseeq(param, "COUNT"))
{
return PARAM_COUNT;
}
if (strcaseeq(param, "KEY"))
{
return PARAM_KEY;
}
if (strcaseeq(param, "IV"))
{
return PARAM_IV;
}
if (strcaseeq(param, "PLAINTEXT") ||
strcaseeq(param, "PT"))
{
return PARAM_PLAINTEXT;
}
if (strcaseeq(param, "CIPHERTEXT") ||
strcaseeq(param, "CT"))
{
return PARAM_CIPHERTEXT;
}
if (strcaseeq(param, "AAD"))
{
return PARAM_AAD;
}
if (strcaseeq(param, "TAG"))
{
return PARAM_ICV;
}
return PARAM_UNKNOWN;
}
/**
* Test vector
*/
typedef struct {
/** encryption/decryption key */
chunk_t key;
/** initialization vector */
chunk_t iv;
/** plain text */
chunk_t plain;
/** cipher text */
chunk_t cipher;
/** associated data */
chunk_t aad;
/** ICV/tag */
chunk_t icv;
/** whether the IV was provided */
bool external_iv;
/** whether the decryption/verification in GCM mode was successful */
bool success;
} test_vector_t;
static void test_vector_free(test_vector_t *test)
{
chunk_free(&test->key);
chunk_free(&test->iv);
chunk_free(&test->plain);
chunk_free(&test->cipher);
chunk_free(&test->aad);
chunk_free(&test->icv);
}
static void print_result(test_vector_t *test)
{
if (ctx.use_gcm)
{
if (ctx.decrypt)
{
if (test->success)
{
fprintf(ctx.out, "PT = %+B\n", &test->plain);
}
else
{
fprintf(ctx.out, "FAIL\n");
}
return;
}
if (!test->external_iv)
{
fprintf(ctx.out, "IV = %+B\n", &test->iv);
}
fprintf(ctx.out, "CT = %+B\n", &test->cipher);
fprintf(ctx.out, "Tag = %+B\n", &test->icv);
}
else
{
fprintf(ctx.out, "%s = %+B\n", ctx.decrypt ? "PLAINTEXT" : "CIPHERTEXT",
ctx.decrypt ? &test->plain : &test->cipher);
}
}
static bool get_next_test_vector(test_vector_t *test)
{
param_t param = PARAM_UNKNOWN;
char line[512];
memset(test, 0, sizeof(test_vector_t));
while (fgets(line, sizeof(line), ctx.in))
{
enumerator_t *enumerator;
chunk_t value = chunk_empty;
char *token;
int i;
switch (line[0])
{
case '\n':
case '\r':
case '#':
case '\0':
/* copy comments, empty lines etc. directly to the output */
if (param != PARAM_UNKNOWN)
{ /* seems we got a complete test vector */
return TRUE;
}
fputs(line, ctx.out);
continue;
case '[':
/* control directives */
fputs(line, ctx.out);
if (strpfx(line, "[ENCRYPT]"))
{
ctx.decrypt = FALSE;
}
else if (strpfx(line, "[DECRYPT]"))
{
ctx.decrypt = TRUE;
}
else if (strcasepfx(line, "[IVlen = "))
{
ctx.ivlen = atoi(line + strlen("[IVlen = "));
}
else if (strcasepfx(line, "[Taglen = "))
{
ctx.icvlen = atoi(line + strlen("[Taglen = "));
}
continue;
default:
/* we assume the rest of the lines are PARAM = VALUE pairs*/
fputs(line, ctx.out);
break;
}
i = 0;
enumerator = enumerator_create_token(line, "=", " \n\r");
while (enumerator->enumerate(enumerator, &token))
{
switch (i++)
{
case 0: /* PARAM */
param = parse_parameter(token);
continue;
case 1: /* VALUE */
if (param != PARAM_UNKNOWN && param != PARAM_COUNT)
{
value = chunk_from_hex(chunk_from_str(token), NULL);
}
else
{
value = chunk_empty;
}
continue;
default:
break;
}
break;
}
enumerator->destroy(enumerator);
if (i < 2)
{
value = chunk_empty;
}
switch (param)
{
case PARAM_KEY:
test->key = value;
break;
case PARAM_IV:
test->iv = value;
test->external_iv = TRUE;
break;
case PARAM_PLAINTEXT:
test->plain = value;
break;
case PARAM_CIPHERTEXT:
test->cipher = value;
break;
case PARAM_AAD:
test->aad = value;
break;
case PARAM_ICV:
test->icv = value;
break;
default:
chunk_free(&value);
break;
}
}
if (param != PARAM_UNKNOWN)
{ /* could be that the file ended with a complete test vector */
return TRUE;
}
return FALSE;
}
static bool verify_test_vector(test_vector_t *test)
{
if (ctx.use_gcm)
{
if (ctx.decrypt)
{
return test->key.ptr && test->iv.ptr && test->cipher.ptr &&
test->icv.ptr;
}
return test->key.ptr && test->plain.ptr;
}
if (ctx.decrypt)
{
return test->key.ptr && test->iv.ptr && test->cipher.ptr;
}
return test->key.ptr && test->iv.ptr && test->plain.ptr;
}
static bool do_test_gcm(test_vector_t *test)
{
encryption_algorithm_t alg;
chunk_t key, iv;
aead_t *aead;
size_t saltlen, ivlen;
switch (ctx.icvlen / 8)
{
case 8:
alg = ENCR_AES_GCM_ICV8;
break;
case 12:
alg = ENCR_AES_GCM_ICV12;
break;
case 16:
alg = ENCR_AES_GCM_ICV16;
break;
default:
DBG1(DBG_APP, "unsupported ICV length: %d", ctx.icvlen);
return FALSE;
}
aead = lib->crypto->create_aead(lib->crypto, alg, test->key.len, 4);
if (!aead)
{
DBG1(DBG_APP, "algorithm %N or key length (%d bits) not supported",
encryption_algorithm_names, alg, test->key.len * 8);
return FALSE;
}
/* our API is quite RFC 4106 specific, that is, part of the IV is provided
* at the end of the key. */
saltlen = aead->get_key_size(aead) - test->key.len;
ivlen = aead->get_iv_size(aead);
if (ctx.ivlen / 8 != saltlen + ivlen)
{
DBG1(DBG_APP, "unsupported IV length: %d", ctx.ivlen);
aead->destroy(aead);
return FALSE;
}
if (!test->external_iv)
{
rng_t *rng;
/* the IV consists of saltlen random bytes (usually additional keymat)
* followed by a counter, zero here */
test->iv = chunk_alloc(saltlen + ivlen);
memset(test->iv.ptr, 0, test->iv.len);
rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
if (!rng || !rng->get_bytes(rng, saltlen, test->iv.ptr))
{
DBG1(DBG_APP, "failed to generate IV");
DESTROY_IF(rng);
aead->destroy(aead);
return FALSE;
}
rng->destroy(rng);
}
key = chunk_alloca(test->key.len + saltlen);
memcpy(key.ptr, test->key.ptr, test->key.len);
memcpy(key.ptr + test->key.len, test->iv.ptr, saltlen);
iv = chunk_alloca(ivlen);
memcpy(iv.ptr, test->iv.ptr + saltlen, iv.len);
if (!aead->set_key(aead, key))
{
DBG1(DBG_APP, "failed to set key");
aead->destroy(aead);
return FALSE;
}
if (ctx.decrypt)
{
/* the ICV is expected to follow the cipher text */
chunk_t cipher = chunk_cata("cc", test->cipher, test->icv);
/* store if the verification of the ICV verification is successful */
test->success = aead->decrypt(aead, cipher, test->aad, iv,
&test->plain);
}
else
{
if (!aead->encrypt(aead, test->plain, test->aad, iv, &test->cipher))
{
DBG1(DBG_APP, "encryption failed");
aead->destroy(aead);
return FALSE;
}
/* copy ICV from the end of the cipher text */
test->icv = chunk_alloc(ctx.icvlen / 8);
test->cipher.len -= test->icv.len;
memcpy(test->icv.ptr, test->cipher.ptr + test->cipher.len,
test->icv.len);
}
aead->destroy(aead);
return TRUE;
}
static bool do_crypt(crypter_t *crypter, test_vector_t *test)
{
if (ctx.decrypt)
{
if (!crypter->decrypt(crypter, test->cipher, test->iv, &test->plain))
{
DBG1(DBG_APP, "decryption failed");
return FALSE;
}
}
else
{
if (!crypter->encrypt(crypter, test->plain, test->iv, &test->cipher))
{
DBG1(DBG_APP, "encryption failed");
return FALSE;
}
}
return TRUE;
}
static bool do_test_cbc(test_vector_t *test)
{
crypter_t *crypter;
crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC,
test->key.len);
if (!crypter)
{
DBG1(DBG_APP, "algorithm %N or key length (%d bits) not supported",
encryption_algorithm_names, ENCR_AES_CBC, test->key.len * 8);
return FALSE;
}
if (!crypter->set_key(crypter, test->key))
{
DBG1(DBG_APP, "failed to set key");
crypter->destroy(crypter);
return FALSE;
}
if (!do_crypt(crypter, test))
{
crypter->destroy(crypter);
return FALSE;
}
crypter->destroy(crypter);
return TRUE;
}
static bool do_test_mct(test_vector_t *test)
{
crypter_t *crypter;
chunk_t prev, *input, *output;
int i, j;
crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC,
test->key.len);
if (!crypter)
{
DBG1(DBG_APP, "algorithm %N or key length (%d bits) not supported",
encryption_algorithm_names, ENCR_AES_CBC, test->key.len * 8);
return FALSE;
}
input = ctx.decrypt ? &test->cipher : &test->plain;
output = ctx.decrypt ? &test->plain : &test->cipher;
if (crypter->get_block_size(crypter) != input->len)
{
DBG1(DBG_APP, "MCT only works for input with a length of one block");
crypter->destroy(crypter);
return FALSE;
}
prev = chunk_alloca(input->len);
/* assume initial IV as previous output */
*output = chunk_clone(test->iv);
for (i = 0; i < 100; i++)
{
if (i > 0)
{ /* we copied the original lines already */
fprintf(ctx.out, "COUNT = %d\n", i);
fprintf(ctx.out, "KEY = %+B\n", &test->key);
fprintf(ctx.out, "IV = %+B\n", &test->iv);
fprintf(ctx.out, "%s = %+B\n",
ctx.decrypt ? "CIPHERTEXT" : "PLAINTEXT", input);
}
if (!crypter->set_key(crypter, test->key))
{
DBG1(DBG_APP, "failed to set key");
return FALSE;
}
for (j = 0; j < 1000; j++)
{
/* store previous output as it is used as input after next */
memcpy(prev.ptr, output->ptr, prev.len);
chunk_free(output);
if (!do_crypt(crypter, test))
{
crypter->destroy(crypter);
return FALSE;
}
/* prepare the next IV (our API does not allow incremental calls) */
if (ctx.decrypt)
{
memcpy(test->iv.ptr, input->ptr, test->iv.len);
}
else
{
memcpy(test->iv.ptr, output->ptr, test->iv.len);
}
/* the previous output is the next input */
memcpy(input->ptr, prev.ptr, input->len);
}
fprintf(ctx.out, "%s = %+B\n\n",
ctx.decrypt ? "PLAINTEXT" : "CIPHERTEXT", output);
/* derive key for next round */
switch (test->key.len)
{
case 16:
memxor(test->key.ptr, output->ptr, output->len);
break;
case 24:
memxor(test->key.ptr, prev.ptr + 8, 8);
memxor(test->key.ptr + 8, output->ptr, output->len);
break;
case 32:
memxor(test->key.ptr, prev.ptr, prev.len);
memxor(test->key.ptr + prev.len, output->ptr, output->len);
break;
}
/* the current output is used as IV for the next round */
memcpy(test->iv.ptr, output->ptr, test->iv.len);
}
crypter->destroy(crypter);
/* we return FALSE as we print the output ourselves */
return FALSE;
}
static bool do_test(test_vector_t *test)
{
if (ctx.use_gcm)
{
return do_test_gcm(test);
}
if (ctx.use_mct)
{
return do_test_mct(test);
}
return do_test_cbc(test);
}
static void usage(FILE *out, char *name)
{
fprintf(out, "Test AES implementation according to the AES Algorithm Validation Suite (AESAVS)\n");
fprintf(out, "and the GCM Validation System (GCMVS)\n\n");
fprintf(out, "%s [OPTIONS]\n\n", name);
fprintf(out, "Options:\n");
fprintf(out, " -h, --help print this help.\n");
fprintf(out, " -d, --debug=LEVEL set debug level (default 1).\n");
fprintf(out, " -m, --mode=MODE mode to test, either CBC or GCM (default CBC).\n");
fprintf(out, " -t, --mct run Monte Carlo Test (MCT), only for CBC.\n");
fprintf(out, " -x, --decrypt test decryption (not needed for CBC as files contain control directives).\n");
fprintf(out, " -i, --in=FILE request file (default STDIN).\n");
fprintf(out, " -o, --out=FILE response file (default STDOUT).\n");
fprintf(out, "\n");
}
int main(int argc, char *argv[])
{
test_vector_t test;
ctx.in = stdin;
ctx.out = stdout;
library_init(NULL, "aes-test");
atexit(library_deinit);
while (true)
{
struct option long_opts[] = {
{"help", no_argument, NULL, 'h' },
{"debug", required_argument, NULL, 'd' },
{"mode", required_argument, NULL, 'm' },
{"mct", no_argument, NULL, 't' },
{"decrypt", no_argument, NULL, 'x' },
{"in", required_argument, NULL, 'i' },
{"out", required_argument, NULL, 'o' },
{0,0,0,0 },
};
switch (getopt_long(argc, argv, "hd:m:txi:o:", long_opts, NULL))
{
case EOF:
break;
case 'h':
usage(stdout, argv[0]);
return 0;
case 'd':
dbg_default_set_level(atoi(optarg));
continue;
case 'm':
if (strcaseeq(optarg, "GCM"))
{
ctx.use_gcm = TRUE;
}
else if (!strcaseeq(optarg, "CBC"))
{
usage(stderr, argv[0]);
return 1;
}
continue;
case 't':
ctx.use_mct = TRUE;
continue;
case 'x':
ctx.decrypt = TRUE;
continue;
case 'i':
ctx.in = fopen(optarg, "r");
if (!ctx.in)
{
fprintf(stderr, "failed to open '%s': %s\n", optarg,
strerror(errno));
usage(stderr, argv[0]);
return 1;
}
continue;
case 'o':
ctx.out = fopen(optarg, "w");
if (!ctx.out)
{
fprintf(stderr, "failed to open '%s': %s\n", optarg,
strerror(errno));
usage(stderr, argv[0]);
return 1;
}
continue;
default:
usage(stderr, argv[0]);
return 1;
}
break;
}
/* TODO: maybe make plugins configurable */
lib->plugins->load(lib->plugins, PLUGINS);
lib->plugins->status(lib->plugins, LEVEL_CTRL);
while (get_next_test_vector(&test))
{
if (verify_test_vector(&test))
{
if (do_test(&test))
{
print_result(&test);
}
}
else
{
DBG1(DBG_APP, "test vector with missing data encountered");
}
fprintf(ctx.out, "\n");
test_vector_free(&test);
}
if (ctx.in != stdin)
{
fclose(ctx.in);
}
if (ctx.out != stdout)
{
fclose(ctx.out);
}
return 0;
}