err_status_t
aes_128_cbc_hmac_sha1_96_enc(void *key,
const void *clear,
unsigned clear_len,
void *iv,
void *opaque,
unsigned *opaque_len) {
aes_cbc_ctx_t aes_ctx;
hmac_ctx_t hmac_ctx;
unsigned char enc_key[ENC_KEY_LEN];
unsigned char mac_key[MAC_KEY_LEN];
unsigned char *auth_tag;
err_status_t status;
/* check if we're doing authentication only */
if ((iv == NULL) && (opaque == NULL) && (opaque_len == NULL)) {
/* perform authentication only */
} else if ((iv == NULL) || (opaque == NULL) || (opaque_len == NULL)) {
/*
* bad parameter - we expect either all three pointers to be NULL,
* or none of those pointers to be NULL
*/
return err_status_fail;
} else {
#if DEBUG
printf("ENC using key %s\n", octet_string_hex_string(key, KEY_LEN));
#endif
/* derive encryption and authentication keys from the input key */
status = hmac_init(&hmac_ctx, key, KEY_LEN);
if (status) return status;
status = hmac_compute(&hmac_ctx, "ENC", 3, ENC_KEY_LEN, enc_key);
if (status) return status;
status = hmac_init(&hmac_ctx, key, KEY_LEN);
if (status) return status;
status = hmac_compute(&hmac_ctx, "MAC", 3, MAC_KEY_LEN, mac_key);
if (status) return status;
/* perform encryption and authentication */
/* set aes key */
status = aes_cbc_context_init(&aes_ctx, key, direction_encrypt);
if (status) return status;
/* set iv */
status = rand_source_get_octet_string(iv, IV_LEN);
if (status) return status;
status = aes_cbc_set_iv(&aes_ctx, iv);
if (status) return status;
#if DEBUG
printf("plaintext len: %d\n", *opaque_len);
printf("iv: %s\n", octet_string_hex_string(iv, IV_LEN));
printf("plaintext: %s\n", octet_string_hex_string(opaque, *opaque_len));
#endif
#if ENC
/* encrypt the opaque data */
status = aes_cbc_nist_encrypt(&aes_ctx, opaque, opaque_len);
if (status) return status;
#endif
#if DEBUG
printf("ciphertext len: %d\n", *opaque_len);
printf("ciphertext: %s\n", octet_string_hex_string(opaque, *opaque_len));
#endif
/*
* authenticate clear and opaque data, then write the
* authentication tag to the location immediately following the
* ciphertext
*/
status = hmac_init(&hmac_ctx, mac_key, MAC_KEY_LEN);
if (status) return status;
status = hmac_start(&hmac_ctx);
if (status) return status;
status = hmac_update(&hmac_ctx, clear, clear_len);
if (status) return status;
#if DEBUG
printf("hmac input: %s\n",
octet_string_hex_string(clear, clear_len));
#endif
auth_tag = (unsigned char *)opaque;
auth_tag += *opaque_len;
status = hmac_compute(&hmac_ctx, opaque, *opaque_len, TAG_LEN, auth_tag);
if (status) return status;
#if DEBUG
printf("hmac input: %s\n",
octet_string_hex_string(opaque, *opaque_len));
#endif
/* bump up the opaque_len to reflect the authentication tag */
*opaque_len += TAG_LEN;
#if DEBUG
printf("prot data len: %d\n", *opaque_len);
printf("prot data: %s\n", octet_string_hex_string(opaque, *opaque_len));
#endif
}
return err_status_ok;
}
err_status_t
aes_128_cbc_hmac_sha1_96_inv(void *key,
void *clear,
unsigned clear_len,
void *iv,
void *opaque,
unsigned *opaque_len,
void *auth_tag) {
aes_cbc_ctx_t aes_ctx;
hmac_ctx_t hmac_ctx;
unsigned char enc_key[ENC_KEY_LEN];
unsigned char mac_key[MAC_KEY_LEN];
unsigned char tmp_tag[TAG_LEN];
unsigned char *tag = auth_tag;
err_status_t status;
int i;
/* check if we're doing authentication only */
if ((iv == NULL) && (opaque == NULL) && (opaque_len == NULL)) {
/* perform authentication only */
} else if ((iv == NULL) || (opaque == NULL) || (opaque_len == NULL)) {
/*
* bad parameter - we expect either all three pointers to be NULL,
* or none of those pointers to be NULL
*/
return err_status_fail;
} else {
/* derive encryption and authentication keys from the input key */
status = hmac_init(&hmac_ctx, key, KEY_LEN);
if (status) return status;
status = hmac_compute(&hmac_ctx, "ENC", 3, ENC_KEY_LEN, enc_key);
if (status) return status;
status = hmac_init(&hmac_ctx, key, KEY_LEN);
if (status) return status;
status = hmac_compute(&hmac_ctx, "MAC", 3, MAC_KEY_LEN, mac_key);
if (status) return status;
/* perform encryption and authentication */
/* set aes key */
status = aes_cbc_context_init(&aes_ctx, key, direction_decrypt);
if (status) return status;
/* set iv */
status = rand_source_get_octet_string(iv, IV_LEN);
if (status) return status;
status = aes_cbc_set_iv(&aes_ctx, iv);
/* encrypt the opaque data */
status = aes_cbc_nist_decrypt(&aes_ctx, opaque, opaque_len);
if (status) return status;
/* authenticate clear and opaque data */
status = hmac_init(&hmac_ctx, mac_key, MAC_KEY_LEN);
if (status) return status;
status = hmac_start(&hmac_ctx);
if (status) return status;
status = hmac_update(&hmac_ctx, clear, clear_len);
if (status) return status;
status = hmac_compute(&hmac_ctx, opaque, *opaque_len, TAG_LEN, tmp_tag);
if (status) return status;
/* compare the computed tag with the one provided as input */
for (i=0; i < TAG_LEN; i++)
if (tmp_tag[i] != tag[i])
return err_status_auth_fail;
}
return err_status_ok;
}
err_status_t
cipher_type_test(const cipher_type_t *ct, const cipher_test_case_t *test_data) {
const cipher_test_case_t *test_case = test_data;
cipher_t *c;
err_status_t status;
uint8_t buffer[SELF_TEST_BUF_OCTETS];
uint8_t buffer2[SELF_TEST_BUF_OCTETS];
unsigned int len;
int i, j, case_num = 0;
debug_print(mod_cipher, "running self-test for cipher %s",
ct->description);
/*
* check to make sure that we have at least one test case, and
* return an error if we don't - we need to be paranoid here
*/
if (test_case == NULL)
return err_status_cant_check;
/*
* loop over all test cases, perform known-answer tests of both the
* encryption and decryption functions
*/
while (test_case != NULL) {
/* allocate cipher */
status = cipher_type_alloc(ct, &c, test_case->key_length_octets);
if (status)
return status;
/*
* test the encrypt function
*/
debug_print(mod_cipher, "testing encryption", NULL);
/* initialize cipher */
status = cipher_init(c, test_case->key, direction_encrypt);
if (status) {
cipher_dealloc(c);
return status;
}
/* copy plaintext into test buffer */
if (test_case->ciphertext_length_octets > SELF_TEST_BUF_OCTETS) {
cipher_dealloc(c);
return err_status_bad_param;
}
for (i=0; i < test_case->plaintext_length_octets; i++)
buffer[i] = test_case->plaintext[i];
debug_print(mod_cipher, "plaintext: %s",
octet_string_hex_string(buffer,
test_case->plaintext_length_octets));
/* set the initialization vector */
status = cipher_set_iv(c, test_case->idx);
if (status) {
cipher_dealloc(c);
return status;
}
/* encrypt */
len = test_case->plaintext_length_octets;
status = cipher_encrypt(c, buffer, &len);
if (status) {
cipher_dealloc(c);
return status;
}
debug_print(mod_cipher, "ciphertext: %s",
octet_string_hex_string(buffer,
test_case->ciphertext_length_octets));
/* compare the resulting ciphertext with that in the test case */
if (len != (unsigned int)test_case->ciphertext_length_octets)
return err_status_algo_fail;
status = err_status_ok;
for (i=0; i < test_case->ciphertext_length_octets; i++)
if (buffer[i] != test_case->ciphertext[i]) {
status = err_status_algo_fail;
debug_print(mod_cipher, "test case %d failed", case_num);
debug_print(mod_cipher, "(failure at byte %d)", i);
break;
}
if (status) {
debug_print(mod_cipher, "c computed: %s",
octet_string_hex_string(buffer,
2*test_case->plaintext_length_octets));
debug_print(mod_cipher, "c expected: %s",
octet_string_hex_string(test_case->ciphertext,
2*test_case->plaintext_length_octets));
cipher_dealloc(c);
return err_status_algo_fail;
}
/*
* test the decrypt function
*/
debug_print(mod_cipher, "testing decryption", NULL);
/* re-initialize cipher for decryption */
status = cipher_init(c, test_case->key, direction_decrypt);
if (status) {
cipher_dealloc(c);
return status;
}
/* copy ciphertext into test buffer */
if (test_case->ciphertext_length_octets > SELF_TEST_BUF_OCTETS) {
cipher_dealloc(c);
return err_status_bad_param;
}
for (i=0; i < test_case->ciphertext_length_octets; i++)
buffer[i] = test_case->ciphertext[i];
debug_print(mod_cipher, "ciphertext: %s",
octet_string_hex_string(buffer,
test_case->plaintext_length_octets));
/* set the initialization vector */
status = cipher_set_iv(c, test_case->idx);
if (status) {
cipher_dealloc(c);
return status;
}
/* decrypt */
len = test_case->ciphertext_length_octets;
status = cipher_decrypt(c, buffer, &len);
if (status) {
cipher_dealloc(c);
return status;
}
debug_print(mod_cipher, "plaintext: %s",
octet_string_hex_string(buffer,
test_case->plaintext_length_octets));
/* compare the resulting plaintext with that in the test case */
if (len != (unsigned int)test_case->plaintext_length_octets)
return err_status_algo_fail;
status = err_status_ok;
for (i=0; i < test_case->plaintext_length_octets; i++)
if (buffer[i] != test_case->plaintext[i]) {
status = err_status_algo_fail;
debug_print(mod_cipher, "test case %d failed", case_num);
debug_print(mod_cipher, "(failure at byte %d)", i);
}
if (status) {
debug_print(mod_cipher, "p computed: %s",
octet_string_hex_string(buffer,
2*test_case->plaintext_length_octets));
debug_print(mod_cipher, "p expected: %s",
octet_string_hex_string(test_case->plaintext,
2*test_case->plaintext_length_octets));
cipher_dealloc(c);
return err_status_algo_fail;
}
/* deallocate the cipher */
status = cipher_dealloc(c);
if (status)
return status;
/*
* the cipher passed the test case, so move on to the next test
* case in the list; if NULL, we'l proceed to the next test
*/
test_case = test_case->next_test_case;
++case_num;
}
/* now run some random invertibility tests */
/* allocate cipher, using paramaters from the first test case */
test_case = test_data;
status = cipher_type_alloc(ct, &c, test_case->key_length_octets);
if (status)
return status;
rand_source_init();
for (j=0; j < NUM_RAND_TESTS; j++) {
unsigned length;
int plaintext_len;
uint8_t key[MAX_KEY_LEN];
uint8_t iv[MAX_KEY_LEN];
/* choose a length at random (leaving room for IV and padding) */
length = rand() % (SELF_TEST_BUF_OCTETS - 64);
debug_print(mod_cipher, "random plaintext length %d\n", length);
status = rand_source_get_octet_string(buffer, length);
if (status) return status;
debug_print(mod_cipher, "plaintext: %s",
octet_string_hex_string(buffer, length));
/* copy plaintext into second buffer */
for (i=0; (unsigned int)i < length; i++)
buffer2[i] = buffer[i];
/* choose a key at random */
if (test_case->key_length_octets > MAX_KEY_LEN)
return err_status_cant_check;
status = rand_source_get_octet_string(key, test_case->key_length_octets);
if (status) return status;
/* chose a random initialization vector */
status = rand_source_get_octet_string(iv, MAX_KEY_LEN);
if (status) return status;
/* initialize cipher */
status = cipher_init(c, key, direction_encrypt);
if (status) {
cipher_dealloc(c);
return status;
}
/* set initialization vector */
status = cipher_set_iv(c, test_case->idx);
if (status) {
cipher_dealloc(c);
return status;
}
/* encrypt buffer with cipher */
plaintext_len = length;
status = cipher_encrypt(c, buffer, &length);
if (status) {
cipher_dealloc(c);
return status;
}
debug_print(mod_cipher, "ciphertext: %s",
octet_string_hex_string(buffer, length));
/*
* re-initialize cipher for decryption, re-set the iv, then
* decrypt the ciphertext
*/
status = cipher_init(c, key, direction_decrypt);
if (status) {
cipher_dealloc(c);
return status;
}
status = cipher_set_iv(c, test_case->idx);
if (status) {
cipher_dealloc(c);
return status;
}
status = cipher_decrypt(c, buffer, &length);
if (status) {
cipher_dealloc(c);
return status;
}
debug_print(mod_cipher, "plaintext[2]: %s",
octet_string_hex_string(buffer, length));
/* compare the resulting plaintext with the original one */
if (length != (unsigned int)plaintext_len)
return err_status_algo_fail;
status = err_status_ok;
for (i=0; i < plaintext_len; i++)
if (buffer[i] != buffer2[i]) {
status = err_status_algo_fail;
debug_print(mod_cipher, "random test case %d failed", case_num);
debug_print(mod_cipher, "(failure at byte %d)", i);
}
if (status) {
cipher_dealloc(c);
return err_status_algo_fail;
}
}
status = cipher_dealloc(c);
if (status)
return status;
return err_status_ok;
}
