1 /* ====================================================================
2 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the OpenSSL Project
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
24 * openssl-core@openssl.org.
26 * 5. Products derived from this software may not be called "OpenSSL"
27 * nor may "OpenSSL" appear in their names without prior written
28 * permission of the OpenSSL Project.
30 * 6. Redistributions of any form whatsoever must retain the following
32 * "This product includes software developed by the OpenSSL Project
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
49 /* --------------------------------------------
50 NIST AES Algorithm Validation Suite
53 Donated to OpenSSL by:
55 20250 Century Blvd, Suite 300
58 ----------------------------------------------*/
66 #include <openssl/aes.h>
67 #include <openssl/evp.h>
68 #include <openssl/bn.h>
70 #include <openssl/err.h>
75 int main(int argc, char *argv[])
77 printf("No FIPS AES support\n");
83 # include <openssl/fips.h>
84 # include "fips_utl.h"
86 # define AES_BLOCK_SIZE 16
90 /* ---------------------------------------------*/
92 static int AESTest(EVP_CIPHER_CTX *ctx,
93 char *amode, int akeysz, unsigned char *aKey,
95 /* 0 = decrypt, 1 = encrypt */
97 unsigned char *plaintext, unsigned char *ciphertext,
100 const EVP_CIPHER *cipher = NULL;
102 if (strcasecmp(amode, "CBC") == 0) {
105 cipher = EVP_aes_128_cbc();
109 cipher = EVP_aes_192_cbc();
113 cipher = EVP_aes_256_cbc();
117 } else if (strcasecmp(amode, "ECB") == 0) {
120 cipher = EVP_aes_128_ecb();
124 cipher = EVP_aes_192_ecb();
128 cipher = EVP_aes_256_ecb();
131 } else if (strcasecmp(amode, "CFB128") == 0) {
134 cipher = EVP_aes_128_cfb128();
138 cipher = EVP_aes_192_cfb128();
142 cipher = EVP_aes_256_cfb128();
146 } else if (strncasecmp(amode, "OFB", 3) == 0) {
149 cipher = EVP_aes_128_ofb();
153 cipher = EVP_aes_192_ofb();
157 cipher = EVP_aes_256_ofb();
160 } else if (!strcasecmp(amode, "CFB1")) {
163 cipher = EVP_aes_128_cfb1();
167 cipher = EVP_aes_192_cfb1();
171 cipher = EVP_aes_256_cfb1();
174 } else if (!strcasecmp(amode, "CFB8")) {
177 cipher = EVP_aes_128_cfb8();
181 cipher = EVP_aes_192_cfb8();
185 cipher = EVP_aes_256_cfb8();
189 printf("Unknown mode: %s\n", amode);
193 printf("Invalid key size: %d\n", akeysz);
196 if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
198 if (!strcasecmp(amode, "CFB1"))
199 M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
201 EVP_Cipher(ctx, ciphertext, plaintext, len);
203 EVP_Cipher(ctx, plaintext, ciphertext, len);
207 /* ---------------------------------------------*/
208 char *t_tag[2] = { "PLAINTEXT", "CIPHERTEXT" };
209 char *t_mode[6] = { "CBC", "ECB", "OFB", "CFB1", "CFB8", "CFB128" };
210 enum Mode { CBC, ECB, OFB, CFB1, CFB8, CFB128 };
211 enum XCrypt { XDECRYPT, XENCRYPT };
213 /*=============================*/
214 /* Monte Carlo Tests */
215 /* ---------------------------*/
218 * #define gb(a,b) (((a)[(b)/8] >> ((b)%8))&1)
221 * #define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << ((b)%8)))|(!!(v) <<
225 # define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1)
226 # define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8)))
228 static int do_mct(char *amode,
229 int akeysz, unsigned char *aKey, unsigned char *iVec,
230 int dir, unsigned char *text, int len, FILE *rfp)
233 unsigned char key[101][32];
234 unsigned char iv[101][AES_BLOCK_SIZE];
235 unsigned char ptext[1001][32];
236 unsigned char ctext[1001][32];
237 unsigned char ciphertext[64 + 4];
239 int imode = 0, nkeysz = akeysz / 8;
241 EVP_CIPHER_CTX_init(&ctx);
244 printf("\n>>>> Length exceeds 32 for %s %d <<<<\n\n", amode, akeysz);
247 for (imode = 0; imode < 6; ++imode)
248 if (strcmp(amode, t_mode[imode]) == 0)
251 printf("Unrecognized mode: %s\n", amode);
255 memcpy(key[0], aKey, nkeysz);
257 memcpy(iv[0], iVec, AES_BLOCK_SIZE);
259 memcpy(ptext[0], text, len);
261 memcpy(ctext[0], text, len);
262 for (i = 0; i < 100; ++i) {
263 /* printf("Iteration %d\n", i); */
265 fprintf(rfp, "COUNT = %d\n", i);
266 OutputValue("KEY", key[i], nkeysz, rfp, 0);
267 if (imode != ECB) /* ECB */
268 OutputValue("IV", iv[i], AES_BLOCK_SIZE, rfp, 0);
269 /* Output Ciphertext | Plaintext */
270 OutputValue(t_tag[dir ^ 1], dir ? ptext[0] : ctext[0], len, rfp,
273 for (j = 0; j < 1000; ++j) {
276 if (j == 0) { /* set up encryption */
277 ret = AESTest(&ctx, amode, akeysz, key[i], NULL,
278 /* 0 = decrypt, 1 = encrypt */
279 dir, ptext[j], ctext[j], len);
281 memcpy(ptext[j + 1], ctext[j], len);
283 memcpy(ctext[j + 1], ptext[j], len);
285 if (dir == XENCRYPT) {
286 EVP_Cipher(&ctx, ctext[j], ptext[j], len);
287 memcpy(ptext[j + 1], ctext[j], len);
289 EVP_Cipher(&ctx, ptext[j], ctext[j], len);
290 memcpy(ctext[j + 1], ptext[j], len);
299 ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
300 /* 0 = decrypt, 1 = encrypt */
301 dir, ptext[j], ctext[j], len);
303 memcpy(ptext[j + 1], iv[i], len);
305 memcpy(ctext[j + 1], iv[i], len);
307 if (dir == XENCRYPT) {
308 EVP_Cipher(&ctx, ctext[j], ptext[j], len);
309 memcpy(ptext[j + 1], ctext[j - 1], len);
311 EVP_Cipher(&ctx, ptext[j], ctext[j], len);
312 memcpy(ctext[j + 1], ptext[j - 1], len);
319 ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
320 /* 0 = decrypt, 1 = encrypt */
321 dir, ptext[j], ctext[j], len);
324 EVP_Cipher(&ctx, ctext[j], ptext[j], len);
326 EVP_Cipher(&ctx, ptext[j], ctext[j], len);
328 if (dir == XENCRYPT) {
330 memcpy(ptext[j + 1], &iv[i][j], len);
332 memcpy(ptext[j + 1], ctext[j - 16], len);
335 memcpy(ctext[j + 1], &iv[i][j], len);
337 memcpy(ctext[j + 1], ptext[j - 16], len);
344 /* compensate for wrong endianness of input file */
348 ret = AESTest(&ctx, amode, akeysz, key[i], iv[i], dir,
349 ptext[j], ctext[j], len);
352 EVP_Cipher(&ctx, ctext[j], ptext[j], len);
354 EVP_Cipher(&ctx, ptext[j], ctext[j], len);
357 if (dir == XENCRYPT) {
359 sb(ptext[j + 1], 0, gb(iv[i], j));
361 sb(ptext[j + 1], 0, gb(ctext[j - 128], 0));
364 sb(ctext[j + 1], 0, gb(iv[i], j));
366 sb(ctext[j + 1], 0, gb(ptext[j - 128], 0));
371 --j; /* reset to last of range */
372 /* Output Ciphertext | Plaintext */
373 OutputValue(t_tag[dir], dir ? ctext[j] : ptext[j], len, rfp,
375 fprintf(rfp, "\n"); /* add separator */
377 /* Compute next KEY */
378 if (dir == XENCRYPT) {
380 /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
381 for (n1 = 0, n2 = nkeysz - 1; n1 < nkeysz; ++n1, --n2)
382 ciphertext[n1] = ctext[j - n2][0];
383 } else if (imode == CFB1) {
384 for (n1 = 0, n2 = akeysz - 1; n1 < akeysz; ++n1, --n2)
385 sb(ciphertext, n1, gb(ctext[j - n2], 0));
389 memcpy(ciphertext, ctext[j], 16);
392 memcpy(ciphertext, ctext[j - 1] + 8, 8);
393 memcpy(ciphertext + 8, ctext[j], 16);
396 memcpy(ciphertext, ctext[j - 1], 16);
397 memcpy(ciphertext + 16, ctext[j], 16);
402 /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
403 for (n1 = 0, n2 = nkeysz - 1; n1 < nkeysz; ++n1, --n2)
404 ciphertext[n1] = ptext[j - n2][0];
405 } else if (imode == CFB1) {
406 for (n1 = 0, n2 = akeysz - 1; n1 < akeysz; ++n1, --n2)
407 sb(ciphertext, n1, gb(ptext[j - n2], 0));
411 memcpy(ciphertext, ptext[j], 16);
414 memcpy(ciphertext, ptext[j - 1] + 8, 8);
415 memcpy(ciphertext + 8, ptext[j], 16);
418 memcpy(ciphertext, ptext[j - 1], 16);
419 memcpy(ciphertext + 16, ptext[j], 16);
423 /* Compute next key: Key[i+1] = Key[i] xor ct */
424 for (n = 0; n < nkeysz; ++n)
425 key[i + 1][n] = key[i][n] ^ ciphertext[n];
427 /* Compute next IV and text */
428 if (dir == XENCRYPT) {
431 memcpy(ptext[0], ctext[j], AES_BLOCK_SIZE);
436 memcpy(iv[i + 1], ctext[j], AES_BLOCK_SIZE);
437 memcpy(ptext[0], ctext[j - 1], AES_BLOCK_SIZE);
441 for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
442 iv[i + 1][n1] = ctext[j - n2][0];
443 ptext[0][0] = ctext[j - 16][0];
446 for (n1 = 0, n2 = 127; n1 < 128; ++n1, --n2)
447 sb(iv[i + 1], n1, gb(ctext[j - n2], 0));
448 ptext[0][0] = ctext[j - 128][0] & 0x80;
454 memcpy(ctext[0], ptext[j], AES_BLOCK_SIZE);
459 memcpy(iv[i + 1], ptext[j], AES_BLOCK_SIZE);
460 memcpy(ctext[0], ptext[j - 1], AES_BLOCK_SIZE);
463 for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
464 iv[i + 1][n1] = ptext[j - n2][0];
465 ctext[0][0] = ptext[j - 16][0];
468 for (n1 = 0, n2 = 127; n1 < 128; ++n1, --n2)
469 sb(iv[i + 1], n1, gb(ptext[j - n2], 0));
470 ctext[0][0] = ptext[j - 128][0] & 0x80;
479 /*================================================*/
480 /* ---------------------------
481 # Config info for v-one
482 # AESVS MMT test data for ECB
483 # State : Encrypt and Decrypt
485 # Fri Aug 30 04:07:22 PM
486 ----------------------------*/
488 static int proc_file(char *rqfile, char *rspfile)
490 char afn[256], rfn[256];
491 FILE *afp = NULL, *rfp = NULL;
494 int ilen, len, ret = 0;
499 unsigned char iVec[20], aKey[40];
500 int dir = -1, err = 0, step = 0;
501 unsigned char plaintext[2048];
502 unsigned char ciphertext[2048];
505 EVP_CIPHER_CTX_init(&ctx);
507 if (!rqfile || !(*rqfile)) {
508 printf("No req file\n");
513 if ((afp = fopen(afn, "r")) == NULL) {
514 printf("Cannot open file: %s, %s\n", afn, strerror(errno));
519 rp = strstr(rfn, "req/");
520 # ifdef OPENSSL_SYS_WIN32
522 rp = strstr(rfn, "req\\");
525 memcpy(rp, "rsp", 3);
526 rp = strstr(rfn, ".req");
527 memcpy(rp, ".rsp", 4);
530 if ((rfp = fopen(rspfile, "w")) == NULL) {
531 printf("Cannot open file: %s, %s\n", rfn, strerror(errno));
536 while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL) {
537 tidy_line(tbuf, ibuf);
539 /* printf("step=%d ibuf=%s",step,ibuf); */
541 case 0: /* read preamble */
542 if (ibuf[0] == '\n') { /* end of preamble */
543 if ((*algo == '\0') || (*amode == '\0') || (akeysz == 0)) {
544 printf("Missing Algorithm, Mode or KeySize (%s/%s/%d)\n",
545 algo, amode, akeysz);
551 } else if (ibuf[0] != '#') {
552 printf("Invalid preamble item: %s\n", ibuf);
554 } else { /* process preamble */
555 char *xp, *pp = ibuf + 2;
557 if (akeysz) { /* insert current time & date */
558 time_t rtim = time(0);
559 fprintf(rfp, "# %s", ctime(&rtim));
562 if (strncmp(pp, "AESVS ", 6) == 0) {
566 xp = strchr(pp, ' ');
568 strncpy(atest, pp, n);
571 xp = strrchr(pp, ' '); /* get mode" */
572 n = strlen(xp + 1) - 1;
573 strncpy(amode, xp + 1, n);
575 /* amode[3] = '\0'; */
577 printf("Test = %s, Mode = %s\n", atest, amode);
578 } else if (strncasecmp(pp, "Key Length : ", 13) == 0) {
579 akeysz = atoi(pp + 13);
581 printf("Key size = %d\n", akeysz);
587 case 1: /* [ENCRYPT] | [DECRYPT] */
588 if (ibuf[0] == '[') {
591 if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
593 else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
596 printf("Invalid keyword: %s\n", ibuf);
600 } else if (dir == -1) {
602 printf("Missing ENCRYPT/DECRYPT keyword\n");
607 case 2: /* KEY = xxxx */
611 if (!strncasecmp(ibuf, "COUNT = ", 8))
614 if (strncasecmp(ibuf, "KEY = ", 6) != 0) {
615 printf("Missing KEY\n");
618 len = hex2bin((char *)ibuf + 6, aKey);
620 printf("Invalid KEY\n");
624 PrintValue("KEY", aKey, len);
625 if (strcmp(amode, "ECB") == 0) {
626 memset(iVec, 0, sizeof(iVec));
627 step = (dir) ? 4 : 5; /* no ivec for ECB */
633 case 3: /* IV = xxxx */
635 if (strncasecmp(ibuf, "IV = ", 5) != 0) {
636 printf("Missing IV\n");
639 len = hex2bin((char *)ibuf + 5, iVec);
641 printf("Invalid IV\n");
645 PrintValue("IV", iVec, len);
646 step = (dir) ? 4 : 5;
650 case 4: /* PLAINTEXT = xxxx */
652 if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0) {
653 printf("Missing PLAINTEXT\n");
656 int nn = strlen(ibuf + 12);
657 if (!strcmp(amode, "CFB1"))
658 len = bint2bin(ibuf + 12, nn - 1, plaintext);
660 len = hex2bin(ibuf + 12, plaintext);
662 printf("Invalid PLAINTEXT: %s", ibuf + 12);
666 if (len >= (int)sizeof(plaintext)) {
667 printf("Buffer overflow\n");
669 PrintValue("PLAINTEXT", (unsigned char *)plaintext, len);
670 if (strcmp(atest, "MCT") == 0) { /* Monte Carlo Test */
671 if (do_mct(amode, akeysz, aKey, iVec,
672 dir, (unsigned char *)plaintext, len, rfp) < 0)
675 ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
676 /* 0 = decrypt, 1 = encrypt */
677 dir, plaintext, ciphertext, len);
678 OutputValue("CIPHERTEXT", ciphertext, len, rfp,
679 !strcmp(amode, "CFB1"));
685 case 5: /* CIPHERTEXT = xxxx */
687 if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0) {
688 printf("Missing KEY\n");
691 if (!strcmp(amode, "CFB1"))
693 bint2bin(ibuf + 13, strlen(ibuf + 13) - 1,
696 len = hex2bin(ibuf + 13, ciphertext);
698 printf("Invalid CIPHERTEXT\n");
703 PrintValue("CIPHERTEXT", ciphertext, len);
704 if (strcmp(atest, "MCT") == 0) { /* Monte Carlo Test */
705 do_mct(amode, akeysz, aKey, iVec,
706 dir, ciphertext, len, rfp);
708 ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
709 /* 0 = decrypt, 1 = encrypt */
710 dir, plaintext, ciphertext, len);
711 OutputValue("PLAINTEXT", (unsigned char *)plaintext, len,
712 rfp, !strcmp(amode, "CFB1"));
719 if (ibuf[0] != '\n') {
721 printf("Missing terminator\n");
722 } else if (strcmp(atest, "MCT") != 0) { /* MCT already added
737 /* -------------------------------------------------
738 Processes either a single file or
739 a set of files whose names are passed in a file.
740 A single file is specified as:
742 A set of files is specified as:
743 aes_test -d xxxxx.xxx
744 The default is: -d req.txt
745 --------------------------------------------------*/
746 int main(int argc, char **argv)
748 char *rqlist = "req.txt", *rspfile = NULL;
750 char fn[250] = "", rfn[256] = "";
751 int f_opt = 0, d_opt = 1;
754 if (!FIPS_mode_set(1)) {
760 if (strcasecmp(argv[1], "-d") == 0) {
762 } else if (strcasecmp(argv[1], "-f") == 0) {
766 printf("Invalid parameter: %s\n", argv[1]);
770 printf("Missing parameter\n");
780 if (d_opt) { /* list of files (directory) */
781 if (!(fp = fopen(rqlist, "r"))) {
782 printf("Cannot open req list file\n");
785 while (fgets(fn, sizeof(fn), fp)) {
789 printf("Processing: %s\n", rfn);
790 if (proc_file(rfn, rspfile)) {
791 printf(">>> Processing failed for: %s <<<\n", rfn);
796 } else { /* single file */
799 printf("Processing: %s\n", fn);
800 if (proc_file(fn, rspfile)) {
801 printf(">>> Processing failed for: %s <<<\n", fn);