beenull/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-21 23:20:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

LibCrypto: Implement GCM mode

Browse source
This commit is contained in:
AnotherTest 2020-11-11 13:17:23 +03:30 committed by Andreas Kling
parent 2cc867bcba
commit d3c52cef86
Notes: sideshowbarker 2024-07-19 02:28:46 +09:00 
Author: https://github.com/alimpfard
Commit: https://github.com/SerenityOS/serenity/commit/d3c52cef865
Pull-request: https://github.com/SerenityOS/serenity/pull/4067
6 changed files with 657 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

148
Libraries/LibCrypto/Authentication/GHash.cpp Normal file
View file

@ -0,0 +1,148 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <AK/MemoryStream.h>
#include <AK/Types.h>
#include <AK/Vector.h>
#include <LibCrypto/Authentication/GHash.h>
#include <LibCrypto/BigInt/UnsignedBigInteger.h>
namespace {
static u32 to_u32(const u8* b)
{
return AK::convert_between_host_and_big_endian(*(const u32*)b);
}
static void to_u8s(u8* b, const u32* w)
{
for (auto i = 0; i < 4; ++i) {
auto& e = *((u32*)(b + i * 4));
e = AK::convert_between_host_and_big_endian(w[i]);
}
}
}
namespace Crypto {
namespace Authentication {
GHash::TagType GHash::process(ReadonlyBytes aad, ReadonlyBytes cipher)
{
u32 tag[4] { 0, 0, 0, 0 };
auto transform_one = [&](auto& buf) {
size_t i = 0;
for (; i < buf.size(); i += 16) {
if (i + 16 <= buf.size()) {
for (auto j = 0; j < 4; ++j) {
tag[j] ^= to_u32(buf.offset(i + j * 4));
}
galois_multiply(tag, m_key, tag);
}
}
if (i > buf.size()) {
static u8 buffer[16];
Bytes buffer_bytes { buffer, 16 };
OutputMemoryStream stream { buffer_bytes };
stream.write(buf.slice(i - 16));
stream.fill_to_end(0);
for (auto j = 0; j < 4; ++j) {
tag[j] ^= to_u32(buffer_bytes.offset(j * 4));
}
galois_multiply(tag, m_key, tag);
}
};
transform_one(aad);
transform_one(cipher);
auto aad_bits = 8 * (u64)aad.size();
auto cipher_bits = 8 * (u64)cipher.size();
auto high = [](u64 value) -> u32 { return value >> 32; };
auto low = [](u64 value) -> u32 { return value & 0xffffffff; };
#ifdef GHASH_PROCESS_DEBUG
dbg() << "AAD bits: " << high(aad_bits) << " : " << low(aad_bits);
dbg() << "Cipher bits: " << high(cipher_bits) << " : " << low(cipher_bits);
dbg() << "Tag bits: " << tag[0] << " : " << tag[1] << " : " << tag[2] << " : " << tag[3];
#endif
tag[0] ^= high(aad_bits);
tag[1] ^= low(aad_bits);
tag[2] ^= high(cipher_bits);
tag[3] ^= low(cipher_bits);
#ifdef GHASH_PROCESS_DEBUG
dbg() << "Tag bits: " << tag[0] << " : " << tag[1] << " : " << tag[2] << " : " << tag[3];
#endif
galois_multiply(tag, m_key, tag);
TagType digest;
to_u8s(digest.data, tag);
return digest;
}
/// Galois Field multiplication using <x^127 + x^7 + x^2 + x + 1>.
/// Note that x, y, and z are strictly BE.
void galois_multiply(u32 (&z)[4], const u32 (&_x)[4], const u32 (&_y)[4])
{
u32 x[4] { _x[0], _x[1], _x[2], _x[3] };
u32 y[4] { _y[0], _y[1], _y[2], _y[3] };
__builtin_memset(z, 0, sizeof(z));
for (ssize_t i = 127; i > -1; --i) {
if ((y[3 - (i / 32)] >> (i % 32)) & 1) {
z[0] ^= x[0];
z[1] ^= x[1];
z[2] ^= x[2];
z[3] ^= x[3];
}
auto a0 = x[0] & 1;
x[0] >>= 1;
auto a1 = x[1] & 1;
x[1] >>= 1;
x[1] |= a0 << 31;
auto a2 = x[2] & 1;
x[2] >>= 1;
x[2] |= a1 << 31;
auto a3 = x[3] & 1;
x[3] >>= 1;
x[3] |= a2 << 31;
if (a3)
x[0] ^= 0xe1000000;
}
}
}
}

76
Libraries/LibCrypto/Authentication/GHash.h Normal file
View file

@ -0,0 +1,76 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#pragma once
#include <AK/String.h>
#include <AK/Types.h>
#include <LibCrypto/Hash/HashFunction.h>
namespace Crypto {
namespace Authentication {
void galois_multiply(u32 (&z)[4], const u32 (&x)[4], const u32 (&y)[4]);
struct GHashDigest {
constexpr static size_t Size = 16;
u8 data[Size];
const u8* immutable_data() const { return data; }
size_t data_length() { return Size; }
};
class GHash final {
public:
using TagType = GHashDigest;
template<size_t N>
explicit GHash(const char (&key)[N])
: GHash({ key, N })
{
}
explicit GHash(const ReadonlyBytes& key)
{
for (size_t i = 0; i < 16; i += 4)
m_key[i / 4] = AK::convert_between_host_and_big_endian(*(const u32*)(key.offset(i)));
}
constexpr static size_t digest_size() { return TagType::Size; }
String class_name() const { return "GHash"; }
TagType process(ReadonlyBytes aad, ReadonlyBytes cipher);
private:
inline void transform(ReadonlyBytes, ReadonlyBytes);
u32 m_key[4];
};
}
}

1
Libraries/LibCrypto/CMakeLists.txt
View file

@ -1,4 +1,5 @@
set(SOURCES
Authentication/GHash.cpp
BigInt/SignedBigInteger.cpp
BigInt/UnsignedBigInteger.cpp
Checksum/Adler32.cpp

3
Libraries/LibCrypto/Cipher/AES.h
View file

@ -31,6 +31,7 @@
#include <LibCrypto/Cipher/Cipher.h>
#include <LibCrypto/Cipher/Mode/CBC.h>
#include <LibCrypto/Cipher/Mode/CTR.h>
#include <LibCrypto/Cipher/Mode/GCM.h>
namespace Crypto {
namespace Cipher {
@ -53,6 +54,7 @@ public:
virtual ByteBuffer get() const override { return m_data; };
virtual const ByteBuffer& data() const override { return m_data; };
ReadonlyBytes bytes() const { return m_data; }
virtual void overwrite(ReadonlyBytes) override;
virtual void overwrite(const ByteBuffer& buffer) override { overwrite(buffer.bytes()); }
@ -113,6 +115,7 @@ class AESCipher final : public Cipher<AESCipherKey, AESCipherBlock> {
public:
using CBCMode = CBC<AESCipher>;
using CTRMode = CTR<AESCipher>;
using GCMMode = GCM<AESCipher>;
constexpr static size_t BlockSizeInBits = BlockType::BlockSizeInBits;

154
Libraries/LibCrypto/Cipher/Mode/GCM.h Normal file
View file

@ -0,0 +1,154 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#pragma once
#include <AK/OwnPtr.h>
#include <AK/String.h>
#include <AK/StringBuilder.h>
#include <AK/StringView.h>
#include <LibCrypto/Authentication/GHash.h>
#include <LibCrypto/Cipher/Mode/CTR.h>
#include <LibCrypto/Verification.h>
namespace Crypto {
namespace Cipher {
using IncrementFunction = IncrementInplace;
template<typename T>
class GCM : public CTR<T, IncrementFunction> {
public:
constexpr static size_t IVSizeInBits = 128;
virtual ~GCM() { }
template<typename... Args>
explicit constexpr GCM<T>(Args... args)
: CTR<T>(args...)
{
static_assert(T::BlockSizeInBits == 128u, "GCM Mode is only available for 128-bit Ciphers");
__builtin_memset(m_auth_key_storage, 0, block_size);
typename T::BlockType key_block(m_auth_key_storage, block_size);
this->cipher().encrypt_block(key_block, key_block);
key_block.bytes().copy_to(m_auth_key);
m_ghash = make<Authentication::GHash>(m_auth_key);
}
virtual String class_name() const override
{
StringBuilder builder;
builder.append(this->cipher().class_name());
builder.append("_GCM");
return builder.build();
}
virtual size_t IV_length() const override { return IVSizeInBits / 8; }
// FIXME: This overload throws away the auth stuff, think up a better way to return more than a single bytebuffer.
virtual void encrypt(const ReadonlyBytes& in, Bytes& out, const Bytes& ivec = {}, Bytes* = nullptr) override
{
ASSERT(!ivec.is_empty());
static ByteBuffer dummy;
encrypt(in, out, ivec, dummy, dummy);
}
virtual void decrypt(const ReadonlyBytes& in, Bytes& out, const Bytes& ivec = {}) override
{
encrypt(in, out, ivec);
}
void encrypt(const ReadonlyBytes& in, Bytes out, const ReadonlyBytes& iv_in, const ReadonlyBytes& aad, Bytes tag)
{
auto iv_buf = ByteBuffer::copy(iv_in.data(), iv_in.size());
auto iv = iv_buf.bytes();
// Increment the IV for block 0
CTR<T>::increment(iv);
typename T::BlockType block0;
block0.overwrite(iv);
this->cipher().encrypt_block(block0, block0);
// Skip past block 0
CTR<T>::increment(iv);
if (in.is_empty())
CTR<T>::key_stream(out, iv);
else
CTR<T>::encrypt(in, out, iv);
auto auth_tag = m_ghash->process(aad, out);
block0.apply_initialization_vector(auth_tag.data);
block0.get().bytes().copy_to(tag);
}
VerificationConsistency decrypt(const ReadonlyBytes& in, Bytes out, const ReadonlyBytes& iv_in, const ReadonlyBytes& aad, const ReadonlyBytes& tag)
{
auto iv_buf = ByteBuffer::copy(iv_in.data(), iv_in.size());
auto iv = iv_buf.bytes();
// Increment the IV for block 0
CTR<T>::increment(iv);
typename T::BlockType block0;
block0.overwrite(iv);
this->cipher().encrypt_block(block0, block0);
// Skip past block 0
CTR<T>::increment(iv);
auto auth_tag = m_ghash->process(aad, in);
block0.apply_initialization_vector(auth_tag.data);
auto test_consistency = [&] {
if (block0.block_size() != tag.size() || __builtin_memcmp(block0.bytes().data(), tag.data(), tag.size()) != 0)
return VerificationConsistency::Inconsistent;
return VerificationConsistency::Consistent;
};
// FIXME: This block needs constant-time comparisons.
if (in.is_empty()) {
out = {};
return test_consistency();
}
CTR<T>::encrypt(in, out, iv);
return test_consistency();
}
private:
static constexpr auto block_size = T::BlockType::BlockSizeInBits / 8;
u8 m_auth_key_storage[block_size];
Bytes m_auth_key { m_auth_key_storage, block_size };
OwnPtr<Authentication::GHash> m_ghash;
};
}
}

275
Userland/test-crypto.cpp
View file

@ -29,6 +29,7 @@
#include <LibCore/ConfigFile.h>
#include <LibCore/EventLoop.h>
#include <LibCore/File.h>
#include <LibCrypto/Authentication/GHash.h>
#include <LibCrypto/Authentication/HMAC.h>
#include <LibCrypto/BigInt/SignedBigInteger.h>
#include <LibCrypto/BigInt/UnsignedBigInteger.h>
@ -75,6 +76,7 @@ static Vector<Certificate> s_root_ca_certificates;
// Cipher
static int aes_cbc_tests();
static int aes_ctr_tests();
static int aes_gcm_tests();
// Hash
static int md5_tests();
@ -87,6 +89,7 @@ static int hmac_md5_tests();
static int hmac_sha256_tests();
static int hmac_sha512_tests();
static int hmac_sha1_tests();
static int ghash_tests();
// Public-Key
static int rsa_tests();
@ -409,6 +412,10 @@ auto main(int argc, char** argv) -> int
if (run_tests)
return hmac_sha1_tests();
}
if (suite_sv == "GHash") {
if (run_tests)
return ghash_tests();
}
printf("unknown hash function '%s'\n", suite);
return 1;
}
@ -439,10 +446,12 @@ auto main(int argc, char** argv) -> int
encrypting = true;
aes_cbc_tests();
aes_ctr_tests();
aes_gcm_tests();
encrypting = false;
aes_cbc_tests();
aes_ctr_tests();
aes_gcm_tests();
md5_tests();
sha1_tests();
@ -454,6 +463,8 @@ auto main(int argc, char** argv) -> int
hmac_sha512_tests();
hmac_sha1_tests();
ghash_tests();
rsa_tests();
if (!in_ci) {
@ -496,6 +507,12 @@ auto main(int argc, char** argv) -> int
return 1;
}
return run(aes_cbc);
}
if (StringView(suite) == "AES_GCM") {
if (run_tests)
return aes_gcm_tests();
return 1;
} else {
printf("Unknown cipher suite '%s'\n", suite);
return 1;
@ -545,6 +562,9 @@ static void aes_cbc_test_decrypt();
static void aes_ctr_test_name();
static void aes_ctr_test_encrypt();
static void aes_ctr_test_decrypt();
static void aes_gcm_test_name();
static void aes_gcm_test_encrypt();
static void aes_gcm_test_decrypt();
static void md5_test_name();
static void md5_test_hash();
@ -559,6 +579,9 @@ static void sha256_test_hash();
static void sha512_test_name();
static void sha512_test_hash();
static void ghash_test_name();
static void ghash_test_process();
static void hmac_md5_test_name();
static void hmac_md5_test_process();
@ -993,6 +1016,207 @@ static void aes_ctr_test_decrypt()
// If encryption works, then decryption works, too.
}
static int aes_gcm_tests()
{
aes_gcm_test_name();
if (encrypting) {
aes_gcm_test_encrypt();
} else {
aes_gcm_test_decrypt();
}
return g_some_test_failed ? 1 : 0;
}
static void aes_gcm_test_name()
{
I_TEST((AES GCM class name));
Crypto::Cipher::AESCipher::GCMMode cipher("WellHelloFriends"_b, 128, Crypto::Cipher::Intent::Encryption);
if (cipher.class_name() != "AES_GCM")
FAIL(Invalid class name);
else
PASS;
}
static void aes_gcm_test_encrypt()
{
{
I_TEST((AES GCM Encrypt | Empty));
Crypto::Cipher::AESCipher::GCMMode cipher("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b, 128, Crypto::Cipher::Intent::Encryption);
u8 result_tag[] { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61, 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a };
Bytes out;
auto tag = ByteBuffer::create_uninitialized(16);
cipher.encrypt({}, out, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b.bytes(), {}, tag);
if (memcmp(result_tag, tag.data(), tag.size()) != 0) {
FAIL(Invalid auth tag);
print_buffer(tag, -1);
} else
PASS;
}
{
I_TEST((AES GCM Encrypt | Zeros));
Crypto::Cipher::AESCipher::GCMMode cipher("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b, 128, Crypto::Cipher::Intent::Encryption);
u8 result_tag[] { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd, 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf };
u8 result_ct[] { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92, 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 };
auto tag = ByteBuffer::create_uninitialized(16);
auto out = ByteBuffer::create_uninitialized(16);
auto out_bytes = out.bytes();
cipher.encrypt("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b.bytes(), out_bytes, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b.bytes(), {}, tag);
if (memcmp(result_ct, out.data(), out.size()) != 0) {
FAIL(Invalid ciphertext);
print_buffer(out, -1);
} else if (memcmp(result_tag, tag.data(), tag.size()) != 0) {
FAIL(Invalid auth tag);
print_buffer(tag, -1);
} else
PASS;
}
{
I_TEST((AES GCM Encrypt | Multiple Blocks With IV));
Crypto::Cipher::AESCipher::GCMMode cipher("\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"_b, 128, Crypto::Cipher::Intent::Encryption);
u8 result_tag[] { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6, 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 };
u8 result_ct[] { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 };
auto tag = ByteBuffer::create_uninitialized(16);
auto out = ByteBuffer::create_uninitialized(64);
auto out_bytes = out.bytes();
cipher.encrypt(
"\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55"_b.bytes(),
out_bytes,
"\xca\xfe\xba\xbe\xfa\xce\xdb\xad\xde\xca\xf8\x88\x00\x00\x00\x00"_b.bytes(),
{},
tag);
if (memcmp(result_ct, out.data(), out.size()) != 0) {
FAIL(Invalid ciphertext);
print_buffer(out, -1);
} else if (memcmp(result_tag, tag.data(), tag.size()) != 0) {
FAIL(Invalid auth tag);
print_buffer(tag, -1);
} else
PASS;
}
{
I_TEST((AES GCM Encrypt | With AAD));
Crypto::Cipher::AESCipher::GCMMode cipher("\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"_b, 128, Crypto::Cipher::Intent::Encryption);
u8 result_tag[] { 0x93, 0xae, 0x16, 0x97, 0x49, 0xa3, 0xbf, 0x39, 0x4f, 0x61, 0xb7, 0xc1, 0xb1, 0x2, 0x4f, 0x60 };
u8 result_ct[] { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 };
auto tag = ByteBuffer::create_uninitialized(16);
auto out = ByteBuffer::create_uninitialized(64);
auto out_bytes = out.bytes();
cipher.encrypt(
"\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55"_b.bytes(),
out_bytes,
"\xca\xfe\xba\xbe\xfa\xce\xdb\xad\xde\xca\xf8\x88\x00\x00\x00\x00"_b.bytes(),
"\xde\xad\xbe\xef\xfa\xaf\x11\xcc"_b.bytes(),
tag);
if (memcmp(result_ct, out.data(), out.size()) != 0) {
FAIL(Invalid ciphertext);
print_buffer(out, -1);
} else if (memcmp(result_tag, tag.data(), tag.size()) != 0) {
FAIL(Invalid auth tag);
print_buffer(tag, -1);
} else
PASS;
}
}
static void aes_gcm_test_decrypt()
{
{
I_TEST((AES GCM Decrypt | Empty));
Crypto::Cipher::AESCipher::GCMMode cipher("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b, 128, Crypto::Cipher::Intent::Encryption);
u8 input_tag[] { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61, 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a };
Bytes out;
auto consistency = cipher.decrypt({}, out, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b.bytes(), {}, { input_tag, 16 });
if (consistency != Crypto::VerificationConsistency::Consistent) {
FAIL(Verification reported inconsistent);
} else if (out.size() != 0) {
FAIL(Invalid plain text);
} else
PASS;
}
{
I_TEST((AES GCM Decrypt | Zeros));
Crypto::Cipher::AESCipher::GCMMode cipher("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b, 128, Crypto::Cipher::Intent::Encryption);
u8 input_tag[] { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd, 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf };
u8 input_ct[] { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92, 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 };
u8 result_pt[] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
auto out = ByteBuffer::create_uninitialized(16);
auto out_bytes = out.bytes();
auto consistency = cipher.decrypt({ input_ct, 16 }, out_bytes, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b.bytes(), {}, { input_tag, 16 });
if (consistency != Crypto::VerificationConsistency::Consistent) {
FAIL(Verification reported inconsistent);
} else if (memcmp(result_pt, out.data(), out.size()) != 0) {
FAIL(Invalid plaintext);
print_buffer(out, -1);
} else
PASS;
}
{
I_TEST((AES GCM Decrypt | Multiple Blocks With IV));
Crypto::Cipher::AESCipher::GCMMode cipher("\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"_b, 128, Crypto::Cipher::Intent::Encryption);
u8 input_tag[] { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6, 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 };
u8 input_ct[] { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 };
u8 result_pt[] { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 };
auto out = ByteBuffer::create_uninitialized(64);
auto out_bytes = out.bytes();
auto consistency = cipher.decrypt(
{ input_ct, 64 },
out_bytes,
"\xca\xfe\xba\xbe\xfa\xce\xdb\xad\xde\xca\xf8\x88\x00\x00\x00\x00"_b.bytes(),
{},
{ input_tag, 16 });
if (memcmp(result_pt, out.data(), out.size()) != 0) {
FAIL(Invalid plaintext);
print_buffer(out, -1);
} else if (consistency != Crypto::VerificationConsistency::Consistent) {
FAIL(Verification reported inconsistent);
} else
PASS;
}
{
I_TEST((AES GCM Decrypt | With AAD));
Crypto::Cipher::AESCipher::GCMMode cipher("\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"_b, 128, Crypto::Cipher::Intent::Encryption);
u8 input_tag[] { 0x93, 0xae, 0x16, 0x97, 0x49, 0xa3, 0xbf, 0x39, 0x4f, 0x61, 0xb7, 0xc1, 0xb1, 0x2, 0x4f, 0x60 };
u8 input_ct[] { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 };
u8 result_pt[] { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 };
auto out = ByteBuffer::create_uninitialized(64);
auto out_bytes = out.bytes();
auto consistency = cipher.decrypt(
{ input_ct, 64 },
out_bytes,
"\xca\xfe\xba\xbe\xfa\xce\xdb\xad\xde\xca\xf8\x88\x00\x00\x00\x00"_b.bytes(),
"\xde\xad\xbe\xef\xfa\xaf\x11\xcc"_b.bytes(),
{ input_tag, 16 });
if (memcmp(result_pt, out.data(), out.size()) != 0) {
FAIL(Invalid plaintext);
print_buffer(out, -1);
} else if (consistency != Crypto::VerificationConsistency::Consistent) {
FAIL(Verification reported inconsistent);
} else
PASS;
}
{
I_TEST((AES GCM Decrypt | With AAD - Invalid Tag));
Crypto::Cipher::AESCipher::GCMMode cipher("\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"_b, 128, Crypto::Cipher::Intent::Encryption);
u8 input_tag[] { 0x94, 0xae, 0x16, 0x97, 0x49, 0xa3, 0xbf, 0x39, 0x4f, 0x61, 0xb7, 0xc1, 0xb1, 0x2, 0x4f, 0x60 };
u8 input_ct[] { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 };
auto out = ByteBuffer::create_uninitialized(64);
auto out_bytes = out.bytes();
auto consistency = cipher.decrypt(
{ input_ct, 64 },
out_bytes,
"\xca\xfe\xba\xbe\xfa\xce\xdb\xad\xde\xca\xf8\x88\x00\x00\x00\x00"_b.bytes(),
"\xde\xad\xbe\xef\xfa\xaf\x11\xcc"_b.bytes(),
{ input_tag, 16 });
if (consistency != Crypto::VerificationConsistency::Inconsistent)
FAIL(Verification reported consistent);
else
PASS;
}
}
static int md5_tests()
{
md5_test_name();
@ -1193,6 +1417,23 @@ static void hmac_md5_test_process()
}
}
static int ghash_tests()
{
ghash_test_name();
ghash_test_process();
return g_some_test_failed ? 1 : 0;
}
static void ghash_test_name()
{
I_TEST((GHash class name));
Crypto::Authentication::GHash ghash("WellHelloFriends");
if (ghash.class_name() != "GHash")
FAIL(Invalid class name);
else
PASS;
}
static void hmac_sha1_test_name()
{
I_TEST((HMAC - SHA1 | Class name));
@ -1244,6 +1485,40 @@ static void hmac_sha1_test_process()
}
}
static void ghash_test_process()
{
{
I_TEST((GHash | Galois Field Multiply));
u32 x[4] { 0x42831ec2, 0x21777424, 0x4b7221b7, 0x84d0d49c },
y[4] { 0xb83b5337, 0x08bf535d, 0x0aa6e529, 0x80d53b78 }, z[4] { 0, 0, 0, 0 };
static constexpr u32 result[4] { 0x59ed3f2b, 0xb1a0aaa0, 0x7c9f56c6, 0xa504647b };
Crypto::Authentication::galois_multiply(z, x, y);
if (memcmp(result, z, 4 * sizeof(u32)) != 0) {
FAIL(Invalid multiply value);
print_buffer({ z, 4 * sizeof(u32) }, -1);
print_buffer({ result, 4 * sizeof(u32) }, -1);
} else
PASS;
}
{
I_TEST((GHash | Galois Field Multiply #2));
u32 x[4] { 59300558, 1622582162, 4079534777, 1907555960 },
y[4] { 1726565332, 4018809915, 2286746201, 3392416558 }, z[4];
constexpr static u32 result[4] { 1580123974, 2440061576, 746958952, 1398005431 };
Crypto::Authentication::galois_multiply(z, x, y);
if (memcmp(result, z, 4 * sizeof(u32)) != 0) {
FAIL(Invalid multiply value);
print_buffer({ z, 4 * sizeof(u32) }, -1);
print_buffer({ result, 4 * sizeof(u32) }, -1);
} else
PASS;
}
// TODO: Add some GHash tests?
// Kinda hard, as there are no vectors and existing tools don't have an interface to it.
}
static int sha1_tests()
{
sha1_test_name();