1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
2 /* SPDX-License-Identifier: Unlicense */
3 #include "tomcrypt_private.h"
4
5 /**
6 @file ccm_test.c
7 CCM support, process a block of memory, Tom St Denis
8 */
9
10 #ifdef LTC_CCM_MODE
11
ccm_test(void)12 int ccm_test(void)
13 {
14 #ifndef LTC_TEST
15 return CRYPT_NOP;
16 #else
17 static const struct {
18 unsigned char key[16];
19 unsigned char nonce[16];
20 int noncelen;
21 unsigned char header[64];
22 int headerlen;
23 unsigned char pt[64];
24 int ptlen;
25 unsigned char ct[64];
26 unsigned char tag[16];
27 unsigned long taglen;
28 } tests[] = {
29
30 /* 13 byte nonce, 8 byte auth, 23 byte pt */
31 {
32 { 0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
33 0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF },
34 { 0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xA0,
35 0xA1, 0xA2, 0xA3, 0xA4, 0xA5 },
36 13,
37 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 },
38 8,
39 { 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
40 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
41 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E },
42 23,
43 { 0x58, 0x8C, 0x97, 0x9A, 0x61, 0xC6, 0x63, 0xD2,
44 0xF0, 0x66, 0xD0, 0xC2, 0xC0, 0xF9, 0x89, 0x80,
45 0x6D, 0x5F, 0x6B, 0x61, 0xDA, 0xC3, 0x84 },
46 { 0x17, 0xe8, 0xd1, 0x2c, 0xfd, 0xf9, 0x26, 0xe0 },
47 8
48 },
49
50 /* 13 byte nonce, 12 byte header, 19 byte pt */
51 {
52 { 0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
53 0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF },
54 { 0x00, 0x00, 0x00, 0x06, 0x05, 0x04, 0x03, 0xA0,
55 0xA1, 0xA2, 0xA3, 0xA4, 0xA5 },
56 13,
57 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
58 0x08, 0x09, 0x0A, 0x0B },
59 12,
60 { 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13,
61 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B,
62 0x1C, 0x1D, 0x1E },
63 19,
64 { 0xA2, 0x8C, 0x68, 0x65, 0x93, 0x9A, 0x9A, 0x79,
65 0xFA, 0xAA, 0x5C, 0x4C, 0x2A, 0x9D, 0x4A, 0x91,
66 0xCD, 0xAC, 0x8C },
67 { 0x96, 0xC8, 0x61, 0xB9, 0xC9, 0xE6, 0x1E, 0xF1 },
68 8
69 },
70
71 /* supplied by Brian Gladman */
72 {
73 { 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
74 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f },
75 { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 },
76 7,
77 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 },
78 8,
79 { 0x20, 0x21, 0x22, 0x23 },
80 4,
81 { 0x71, 0x62, 0x01, 0x5b },
82 { 0x4d, 0xac, 0x25, 0x5d },
83 4
84 },
85
86 {
87 { 0xc9, 0x7c, 0x1f, 0x67, 0xce, 0x37, 0x11, 0x85,
88 0x51, 0x4a, 0x8a, 0x19, 0xf2, 0xbd, 0xd5, 0x2f },
89 { 0x00, 0x50, 0x30, 0xf1, 0x84, 0x44, 0x08, 0xb5,
90 0x03, 0x97, 0x76, 0xe7, 0x0c },
91 13,
92 { 0x08, 0x40, 0x0f, 0xd2, 0xe1, 0x28, 0xa5, 0x7c,
93 0x50, 0x30, 0xf1, 0x84, 0x44, 0x08, 0xab, 0xae,
94 0xa5, 0xb8, 0xfc, 0xba, 0x00, 0x00 },
95 22,
96 { 0xf8, 0xba, 0x1a, 0x55, 0xd0, 0x2f, 0x85, 0xae,
97 0x96, 0x7b, 0xb6, 0x2f, 0xb6, 0xcd, 0xa8, 0xeb,
98 0x7e, 0x78, 0xa0, 0x50 },
99 20,
100 { 0xf3, 0xd0, 0xa2, 0xfe, 0x9a, 0x3d, 0xbf, 0x23,
101 0x42, 0xa6, 0x43, 0xe4, 0x32, 0x46, 0xe8, 0x0c,
102 0x3c, 0x04, 0xd0, 0x19 },
103 { 0x78, 0x45, 0xce, 0x0b, 0x16, 0xf9, 0x76, 0x23 },
104 8
105 },
106
107 };
108 unsigned long taglen, x, y;
109 unsigned char buf[64], buf2[64], tag[16], tag2[16], tag3[16], zero[64];
110 int err, idx;
111 symmetric_key skey;
112 ccm_state ccm;
113
114 zeromem(zero, 64);
115
116 idx = find_cipher("aes");
117 if (idx == -1) {
118 idx = find_cipher("rijndael");
119 if (idx == -1) {
120 return CRYPT_NOP;
121 }
122 }
123
124 for (x = 0; x < (sizeof(tests)/sizeof(tests[0])); x++) {
125 for (y = 0; y < 2; y++) {
126 taglen = tests[x].taglen;
127 if (y == 0) {
128 if ((err = cipher_descriptor[idx]->setup(tests[x].key, 16, 0, &skey)) != CRYPT_OK) {
129 return err;
130 }
131
132 if ((err = ccm_memory(idx,
133 tests[x].key, 16,
134 &skey,
135 tests[x].nonce, tests[x].noncelen,
136 tests[x].header, tests[x].headerlen,
137 (unsigned char*)tests[x].pt, tests[x].ptlen,
138 buf,
139 tag, &taglen, 0)) != CRYPT_OK) {
140 return err;
141 }
142 /* run a second time to make sure skey is not touched */
143 if ((err = ccm_memory(idx,
144 tests[x].key, 16,
145 &skey,
146 tests[x].nonce, tests[x].noncelen,
147 tests[x].header, tests[x].headerlen,
148 (unsigned char*)tests[x].pt, tests[x].ptlen,
149 buf,
150 tag, &taglen, 0)) != CRYPT_OK) {
151 return err;
152 }
153 } else {
154 if ((err = ccm_init(&ccm, idx, tests[x].key, 16, tests[x].ptlen, tests[x].taglen, tests[x].headerlen)) != CRYPT_OK) {
155 return err;
156 }
157 if ((err = ccm_add_nonce(&ccm, tests[x].nonce, tests[x].noncelen)) != CRYPT_OK) {
158 return err;
159 }
160 if ((err = ccm_add_aad(&ccm, tests[x].header, tests[x].headerlen)) != CRYPT_OK) {
161 return err;
162 }
163 if ((err = ccm_process(&ccm, (unsigned char*)tests[x].pt, tests[x].ptlen, buf, CCM_ENCRYPT)) != CRYPT_OK) {
164 return err;
165 }
166 if ((err = ccm_done(&ccm, tag, &taglen)) != CRYPT_OK) {
167 return err;
168 }
169 }
170
171 if (compare_testvector(buf, tests[x].ptlen, tests[x].ct, tests[x].ptlen, "CCM encrypt data", x)) {
172 return CRYPT_FAIL_TESTVECTOR;
173 }
174 if (compare_testvector(tag, taglen, tests[x].tag, tests[x].taglen, "CCM encrypt tag", x)) {
175 return CRYPT_FAIL_TESTVECTOR;
176 }
177
178 if (y == 0) {
179 XMEMCPY(tag3, tests[x].tag, tests[x].taglen);
180 taglen = tests[x].taglen;
181 if ((err = ccm_memory(idx,
182 tests[x].key, 16,
183 NULL,
184 tests[x].nonce, tests[x].noncelen,
185 tests[x].header, tests[x].headerlen,
186 buf2, tests[x].ptlen,
187 buf,
188 tag3, &taglen, 1 )) != CRYPT_OK) {
189 return err;
190 }
191 } else {
192 if ((err = ccm_init(&ccm, idx, tests[x].key, 16, tests[x].ptlen, tests[x].taglen, tests[x].headerlen)) != CRYPT_OK) {
193 return err;
194 }
195 if ((err = ccm_add_nonce(&ccm, tests[x].nonce, tests[x].noncelen)) != CRYPT_OK) {
196 return err;
197 }
198 if ((err = ccm_add_aad(&ccm, tests[x].header, tests[x].headerlen)) != CRYPT_OK) {
199 return err;
200 }
201 if ((err = ccm_process(&ccm, buf2, tests[x].ptlen, buf, CCM_DECRYPT)) != CRYPT_OK) {
202 return err;
203 }
204 if ((err = ccm_done(&ccm, tag2, &taglen)) != CRYPT_OK) {
205 return err;
206 }
207 }
208
209
210 if (compare_testvector(buf2, tests[x].ptlen, tests[x].pt, tests[x].ptlen, "CCM decrypt data", x)) {
211 return CRYPT_FAIL_TESTVECTOR;
212 }
213 if (y == 0) {
214 /* check if decryption with the wrong tag does not reveal the plaintext */
215 XMEMCPY(tag3, tests[x].tag, tests[x].taglen);
216 tag3[0] ^= 0xff; /* set the tag to the wrong value */
217 taglen = tests[x].taglen;
218 if ((err = ccm_memory(idx,
219 tests[x].key, 16,
220 NULL,
221 tests[x].nonce, tests[x].noncelen,
222 tests[x].header, tests[x].headerlen,
223 buf2, tests[x].ptlen,
224 buf,
225 tag3, &taglen, 1 )) != CRYPT_ERROR) {
226 return CRYPT_FAIL_TESTVECTOR;
227 }
228 if (compare_testvector(buf2, tests[x].ptlen, zero, tests[x].ptlen, "CCM decrypt wrong tag", x)) {
229 return CRYPT_FAIL_TESTVECTOR;
230 }
231 } else {
232 if (compare_testvector(tag2, taglen, tests[x].tag, tests[x].taglen, "CCM decrypt tag", x)) {
233 return CRYPT_FAIL_TESTVECTOR;
234 }
235 }
236
237 if (y == 0) {
238 cipher_descriptor[idx]->done(&skey);
239 }
240 }
241 }
242
243 /* wycheproof failing test - https://github.com/libtom/libtomcrypt/pull/452 */
244 {
245 unsigned char key[] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f };
246 unsigned char iv[] = { 0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f,0x50,0x51 };
247 unsigned char valid_tag[] = { 0x23,0x1a,0x2d,0x8f };
248 unsigned char invalid_tag[] = { 0x23,0x1a,0x2d,0x8f,0x6a };
249 unsigned char msg[] = { 0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f };
250 unsigned char ct[] = { 0xd3,0xda,0xb1,0xee,0x49,0x4c,0xc2,0x29,0x09,0x9d,0x6c,0xac,0x7d,0xf1,0x4a,0xdd };
251 unsigned char pt[20] = { 0 };
252
253 /* VALID tag */
254 taglen = sizeof(valid_tag);
255 err = ccm_memory(idx, key, sizeof(key), NULL, iv, sizeof(iv), NULL, 0,
256 pt, sizeof(ct), ct, valid_tag, &taglen, CCM_DECRYPT);
257 if ((err != CRYPT_OK) || (XMEMCMP(msg, pt, sizeof(msg)) != 0)) {
258 return CRYPT_FAIL_TESTVECTOR;
259 }
260
261 /* INVALID tag */
262 taglen = sizeof(invalid_tag);
263 err = ccm_memory(idx, key, sizeof(key), NULL, iv, sizeof(iv), NULL, 0,
264 pt, sizeof(ct), ct, invalid_tag, &taglen, CCM_DECRYPT);
265 if (err == CRYPT_OK) {
266 return CRYPT_FAIL_TESTVECTOR; /* should fail */
267 }
268 }
269
270 return CRYPT_OK;
271 #endif
272 }
273
274 #endif
275