1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
2 /* SPDX-License-Identifier: Unlicense */
3
4 /**
5 @file ocb3_test.c
6 OCB implementation, self-test by Tom St Denis
7 */
8 #include "tomcrypt_private.h"
9
10 #ifdef LTC_OCB3_MODE
11
12 /**
13 Test the OCB protocol
14 @return CRYPT_OK if successful
15 */
ocb3_test(void)16 int ocb3_test(void)
17 {
18 #ifndef LTC_TEST
19 return CRYPT_NOP;
20 #else
21 /* test vectors from: http://tools.ietf.org/html/draft-krovetz-ocb-03 */
22 unsigned char key[16] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F };
23 unsigned char nonce[12] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B };
24 const struct {
25 int ptlen;
26 int aadlen;
27 unsigned char pt[64], aad[64], ct[64], tag[16];
28 } tests[] = {
29
30 { /* index:0 */
31 0, /* PLAINTEXT length */
32 0, /* AAD length */
33 { 0 }, /* PLAINTEXT */
34 { 0 }, /* AAD */
35 { 0 }, /* CIPHERTEXT */
36 { 0x19,0x7b,0x9c,0x3c,0x44,0x1d,0x3c,0x83,0xea,0xfb,0x2b,0xef,0x63,0x3b,0x91,0x82 }, /* TAG */
37 },
38 { /* index:1 */
39 8, /* PLAINTEXT length */
40 8, /* AAD length */
41 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 }, /* PLAINTEXT */
42 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 }, /* AAD */
43 { 0x92,0xb6,0x57,0x13,0x0a,0x74,0xb8,0x5a }, /* CIPHERTEXT */
44 { 0x16,0xdc,0x76,0xa4,0x6d,0x47,0xe1,0xea,0xd5,0x37,0x20,0x9e,0x8a,0x96,0xd1,0x4e }, /* TAG */
45 },
46 { /* index:2 */
47 0, /* PLAINTEXT length */
48 8, /* AAD length */
49 { 0 }, /* PLAINTEXT */
50 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 }, /* AAD */
51 { 0 }, /* CIPHERTEXT */
52 { 0x98,0xb9,0x15,0x52,0xc8,0xc0,0x09,0x18,0x50,0x44,0xe3,0x0a,0x6e,0xb2,0xfe,0x21 }, /* TAG */
53 },
54 { /* index:3 */
55 8, /* PLAINTEXT length */
56 0, /* AAD length */
57 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 }, /* PLAINTEXT */
58 { 0 }, /* AAD */
59 { 0x92,0xb6,0x57,0x13,0x0a,0x74,0xb8,0x5a }, /* CIPHERTEXT */
60 { 0x97,0x1e,0xff,0xca,0xe1,0x9a,0xd4,0x71,0x6f,0x88,0xe8,0x7b,0x87,0x1f,0xbe,0xed }, /* TAG */
61 },
62 { /* index:4 */
63 16, /* PLAINTEXT length */
64 16, /* AAD length */
65 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f }, /* PLAINTEXT */
66 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f }, /* AAD */
67 { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22 }, /* CIPHERTEXT */
68 { 0x77,0x6c,0x99,0x24,0xd6,0x72,0x3a,0x1f,0xc4,0x52,0x45,0x32,0xac,0x3e,0x5b,0xeb }, /* TAG */
69 },
70 { /* index:5 */
71 0, /* PLAINTEXT length */
72 16, /* AAD length */
73 { 0 }, /* PLAINTEXT */
74 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f }, /* AAD */
75 { 0 }, /* CIPHERTEXT */
76 { 0x7d,0xdb,0x8e,0x6c,0xea,0x68,0x14,0x86,0x62,0x12,0x50,0x96,0x19,0xb1,0x9c,0xc6 }, /* TAG */
77 },
78 { /* index:6 */
79 16, /* PLAINTEXT length */
80 0, /* AAD length */
81 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f }, /* PLAINTEXT */
82 { 0 }, /* AAD */
83 { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22 }, /* CIPHERTEXT */
84 { 0x13,0xcc,0x8b,0x74,0x78,0x07,0x12,0x1a,0x4c,0xbb,0x3e,0x4b,0xd6,0xb4,0x56,0xaf }, /* TAG */
85 },
86 { /* index:7 */
87 24, /* PLAINTEXT length */
88 24, /* AAD length */
89 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17 }, /* PLAINTEXT */
90 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17 }, /* AAD */
91 { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xfc,0xfc,0xee,0x7a,0x2a,0x8d,0x4d,0x48 }, /* CIPHERTEXT */
92 { 0x5f,0xa9,0x4f,0xc3,0xf3,0x88,0x20,0xf1,0xdc,0x3f,0x3d,0x1f,0xd4,0xe5,0x5e,0x1c }, /* TAG */
93 },
94 { /* index:8 */
95 0, /* PLAINTEXT length */
96 24, /* AAD length */
97 { 0 }, /* PLAINTEXT */
98 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17 }, /* AAD */
99 { 0 }, /* CIPHERTEXT */
100 { 0x28,0x20,0x26,0xda,0x30,0x68,0xbc,0x9f,0xa1,0x18,0x68,0x1d,0x55,0x9f,0x10,0xf6 }, /* TAG */
101 },
102 { /* index:9 */
103 24, /* PLAINTEXT length */
104 0, /* AAD length */
105 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17 }, /* PLAINTEXT */
106 { 0 }, /* AAD */
107 { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xfc,0xfc,0xee,0x7a,0x2a,0x8d,0x4d,0x48 }, /* CIPHERTEXT */
108 { 0x6e,0xf2,0xf5,0x25,0x87,0xfd,0xa0,0xed,0x97,0xdc,0x7e,0xed,0xe2,0x41,0xdf,0x68 }, /* TAG */
109 },
110 { /* index:10 */
111 32, /* PLAINTEXT length */
112 32, /* AAD length */
113 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f }, /* PLAINTEXT */
114 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f }, /* AAD */
115 { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xce,0xaa,0xb9,0xb0,0x5d,0xf7,0x71,0xa6,0x57,0x14,0x9d,0x53,0x77,0x34,0x63,0xcb }, /* CIPHERTEXT */
116 { 0xb2,0xa0,0x40,0xdd,0x3b,0xd5,0x16,0x43,0x72,0xd7,0x6d,0x7b,0xb6,0x82,0x42,0x40 }, /* TAG */
117 },
118 { /* index:11 */
119 0, /* PLAINTEXT length */
120 32, /* AAD length */
121 { 0 }, /* PLAINTEXT */
122 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f }, /* AAD */
123 { 0 }, /* CIPHERTEXT */
124 { 0xe1,0xe0,0x72,0x63,0x3b,0xad,0xe5,0x1a,0x60,0xe8,0x59,0x51,0xd9,0xc4,0x2a,0x1b }, /* TAG */
125 },
126 { /* index:12 */
127 32, /* PLAINTEXT length */
128 0, /* AAD length */
129 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f }, /* PLAINTEXT */
130 { 0 }, /* AAD */
131 { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xce,0xaa,0xb9,0xb0,0x5d,0xf7,0x71,0xa6,0x57,0x14,0x9d,0x53,0x77,0x34,0x63,0xcb }, /* CIPHERTEXT */
132 { 0x4a,0x3b,0xae,0x82,0x44,0x65,0xcf,0xda,0xf8,0xc4,0x1f,0xc5,0x0c,0x7d,0xf9,0xd9 }, /* TAG */
133 },
134 { /* index:13 */
135 40, /* PLAINTEXT length */
136 40, /* AAD length */
137 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 }, /* PLAINTEXT */
138 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 }, /* AAD */
139 { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xce,0xaa,0xb9,0xb0,0x5d,0xf7,0x71,0xa6,0x57,0x14,0x9d,0x53,0x77,0x34,0x63,0xcb,0x68,0xc6,0x57,0x78,0xb0,0x58,0xa6,0x35 }, /* CIPHERTEXT */
140 { 0x65,0x9c,0x62,0x32,0x11,0xde,0xea,0x0d,0xe3,0x0d,0x2c,0x38,0x18,0x79,0xf4,0xc8 }, /* TAG */
141 },
142 { /* index:14 */
143 0, /* PLAINTEXT length */
144 40, /* AAD length */
145 { 0 }, /* PLAINTEXT */
146 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 }, /* AAD */
147 { 0 }, /* CIPHERTEXT */
148 { 0x7a,0xeb,0x7a,0x69,0xa1,0x68,0x7d,0xd0,0x82,0xca,0x27,0xb0,0xd9,0xa3,0x70,0x96 }, /* TAG */
149 },
150 { /* index:15 */
151 40, /* PLAINTEXT length */
152 0, /* AAD length */
153 { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 }, /* PLAINTEXT */
154 { 0 }, /* AAD */
155 { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xce,0xaa,0xb9,0xb0,0x5d,0xf7,0x71,0xa6,0x57,0x14,0x9d,0x53,0x77,0x34,0x63,0xcb,0x68,0xc6,0x57,0x78,0xb0,0x58,0xa6,0x35 }, /* CIPHERTEXT */
156 { 0x06,0x0c,0x84,0x67,0xf4,0xab,0xab,0x5e,0x8b,0x3c,0x20,0x67,0xa2,0xe1,0x15,0xdc }, /* TAG */
157 },
158
159 };
160 /* As of RFC 7253 - 'Appendix A. Sample Results'
161 * The next tuple shows a result with a tag length of 96 bits and a
162 different key.
163
164 K: 0F0E0D0C0B0A09080706050403020100
165
166 N: BBAA9988776655443322110D
167 A: 000102030405060708090A0B0C0D0E0F1011121314151617
168 18191A1B1C1D1E1F2021222324252627
169 P: 000102030405060708090A0B0C0D0E0F1011121314151617
170 18191A1B1C1D1E1F2021222324252627
171 C: 1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1
172 A0124B0A55BAE884ED93481529C76B6AD0C515F4D1CDD4FD
173 AC4F02AA
174
175 The C has been split up in C and T (tag)
176 */
177 const unsigned char K[] = { 0x0F,0x0E,0x0D,0x0C,0x0B,0x0A,0x09,0x08,
178 0x07,0x06,0x05,0x04,0x03,0x02,0x01,0x00 };
179 const unsigned char N[] = { 0xBB,0xAA,0x99,0x88,0x77,0x66,0x55,0x44,
180 0x33,0x22,0x11,0x0D };
181 const unsigned char A[] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
182 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
183 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
184 0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
185 0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 };
186 const unsigned char P[] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
187 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
188 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
189 0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
190 0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 };
191 const unsigned char C[] = { 0x17,0x92,0xA4,0xE3,0x1E,0x07,0x55,0xFB,
192 0x03,0xE3,0x1B,0x22,0x11,0x6E,0x6C,0x2D,
193 0xDF,0x9E,0xFD,0x6E,0x33,0xD5,0x36,0xF1,
194 0xA0,0x12,0x4B,0x0A,0x55,0xBA,0xE8,0x84,
195 0xED,0x93,0x48,0x15,0x29,0xC7,0x6B,0x6A };
196 const unsigned char T[] = { 0xD0,0xC5,0x15,0xF4,0xD1,0xCD,0xD4,0xFD,
197 0xAC,0x4F,0x02,0xAA };
198
199 int err, x, idx, res;
200 unsigned long len;
201 unsigned char outct[MAXBLOCKSIZE] = { 0 };
202 unsigned char outtag[MAXBLOCKSIZE] = { 0 };
203 ocb3_state ocb;
204
205 /* AES can be under rijndael or aes... try to find it */
206 if ((idx = find_cipher("aes")) == -1) {
207 if ((idx = find_cipher("rijndael")) == -1) {
208 return CRYPT_NOP;
209 }
210 }
211
212 for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) {
213 len = 16; /* must be the same as the required taglen */
214 if ((err = ocb3_encrypt_authenticate_memory(idx,
215 key, sizeof(key),
216 nonce, sizeof(nonce),
217 tests[x].aadlen != 0 ? tests[x].aad : NULL, tests[x].aadlen,
218 tests[x].ptlen != 0 ? tests[x].pt : NULL, tests[x].ptlen,
219 tests[x].ptlen != 0 ? outct : NULL, outtag, &len)) != CRYPT_OK) {
220 return err;
221 }
222
223 if (compare_testvector(outtag, len, tests[x].tag, sizeof(tests[x].tag), "OCB3 Tag", x) ||
224 compare_testvector(outct, tests[x].ptlen, tests[x].ct, tests[x].ptlen, "OCB3 CT", x)) {
225 return CRYPT_FAIL_TESTVECTOR;
226 }
227
228 if ((err = ocb3_decrypt_verify_memory(idx,
229 key, sizeof(key),
230 nonce, sizeof(nonce),
231 tests[x].aadlen != 0 ? tests[x].aad : NULL, tests[x].aadlen,
232 tests[x].ptlen != 0 ? outct : NULL, tests[x].ptlen,
233 tests[x].ptlen != 0 ? outct : NULL, tests[x].tag, len, &res)) != CRYPT_OK) {
234 return err;
235 }
236 if ((res != 1) || compare_testvector(outct, tests[x].ptlen, tests[x].pt, tests[x].ptlen, "OCB3", x)) {
237 #ifdef LTC_TEST_DBG
238 printf("\n\nOCB3: Failure-decrypt - res = %d\n", res);
239 #endif
240 return CRYPT_FAIL_TESTVECTOR;
241 }
242 }
243
244 /* RFC 7253 - test vector with a tag length of 96 bits - part 1 */
245 x = 99;
246 len = 12;
247 if ((err = ocb3_encrypt_authenticate_memory(idx,
248 K, sizeof(K),
249 N, sizeof(N),
250 A, sizeof(A),
251 P, sizeof(P),
252 outct, outtag, &len)) != CRYPT_OK) {
253 return err;
254 }
255
256 if (compare_testvector(outtag, len, T, sizeof(T), "OCB3 Tag", x) ||
257 compare_testvector(outct, sizeof(P), C, sizeof(C), "OCB3 CT", x)) {
258 return CRYPT_FAIL_TESTVECTOR;
259 }
260
261 if ((err = ocb3_decrypt_verify_memory(idx,
262 K, sizeof(K),
263 N, sizeof(N),
264 A, sizeof(A),
265 C, sizeof(C),
266 outct, T, sizeof(T), &res)) != CRYPT_OK) {
267 return err;
268 }
269 if ((res != 1) || compare_testvector(outct, sizeof(C), P, sizeof(P), "OCB3", x)) {
270 #ifdef LTC_TEST_DBG
271 printf("\n\nOCB3: Failure-decrypt - res = %d\n", res);
272 #endif
273 return CRYPT_FAIL_TESTVECTOR;
274 }
275
276 /* RFC 7253 - test vector with a tag length of 96 bits - part 2 */
277 x = 100;
278 if ((err = ocb3_init(&ocb, idx, K, sizeof(K), N, sizeof(N), 12)) != CRYPT_OK) return err;
279 if ((err = ocb3_add_aad(&ocb, A, sizeof(A))) != CRYPT_OK) return err;
280 if ((err = ocb3_encrypt(&ocb, P, 32, outct)) != CRYPT_OK) return err;
281 if ((err = ocb3_encrypt_last(&ocb, P+32, sizeof(P)-32, outct+32)) != CRYPT_OK) return err;
282 len = sizeof(outtag); /* intentionally more than 12 */
283 if ((err = ocb3_done(&ocb, outtag, &len)) != CRYPT_OK) return err;
284 if (compare_testvector(outct, sizeof(P), C, sizeof(C), "OCB3 CT", x)) return CRYPT_FAIL_TESTVECTOR;
285 if (compare_testvector(outtag, len, T, sizeof(T), "OCB3 Tag.enc", x)) return CRYPT_FAIL_TESTVECTOR;
286 if ((err = ocb3_init(&ocb, idx, K, sizeof(K), N, sizeof(N), 12)) != CRYPT_OK) return err;
287 if ((err = ocb3_add_aad(&ocb, A, sizeof(A))) != CRYPT_OK) return err;
288 if ((err = ocb3_decrypt(&ocb, C, 32, outct)) != CRYPT_OK) return err;
289 if ((err = ocb3_decrypt_last(&ocb, C+32, sizeof(C)-32, outct+32)) != CRYPT_OK) return err;
290 len = sizeof(outtag); /* intentionally more than 12 */
291 if ((err = ocb3_done(&ocb, outtag, &len)) != CRYPT_OK) return err;
292 if (compare_testvector(outct, sizeof(C), P, sizeof(P), "OCB3 PT", x)) return CRYPT_FAIL_TESTVECTOR;
293 if (compare_testvector(outtag, len, T, sizeof(T), "OCB3 Tag.dec", x)) return CRYPT_FAIL_TESTVECTOR;
294
295 return CRYPT_OK;
296 #endif /* LTC_TEST */
297 }
298
299 #endif /* LTC_OCB3_MODE */
300