libgo/go/crypto/aes/aes_test.go

   1 // Copyright 2009 The Go Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style
   3 // license that can be found in the LICENSE file.
   4
   5 package aes
   6
   7 import (
   8         "testing"
   9 )
  10
  11 // See const.go for overview of math here.
  12
  13 // Test that powx is initialized correctly.
  14 // (Can adapt this code to generate it too.)
  15 func TestPowx(t *testing.T) {
  16         p := 1
  17         for i := 0; i < len(powx); i++ {
  18                 if powx[i] != byte(p) {
  19                         t.Errorf("powx[%d] = %#x, want %#x", i, powx[i], p)
  20                 }
  21                 p <<= 1
  22                 if p&0x100 != 0 {
  23                         p ^= poly
  24                 }
  25         }
  26 }
  27
  28 // Multiply b and c as GF(2) polynomials modulo poly
  29 func mul(b, c uint32) uint32 {
  30         i := b
  31         j := c
  32         s := uint32(0)
  33         for k := uint32(1); k < 0x100 && j != 0; k <<= 1 {
  34                 // Invariant: k == 1<<n, i == b * xⁿ
  35
  36                 if j&k != 0 {
  37                         // s += i in GF(2); xor in binary
  38                         s ^= i
  39                         j ^= k // turn off bit to end loop early
  40                 }
  41
  42                 // i *= x in GF(2) modulo the polynomial
  43                 i <<= 1
  44                 if i&0x100 != 0 {
  45                         i ^= poly
  46                 }
  47         }
  48         return s
  49 }
  50
  51 // Test all mul inputs against bit-by-bit n² algorithm.
  52 func TestMul(t *testing.T) {
  53         for i := uint32(0); i < 256; i++ {
  54                 for j := uint32(0); j < 256; j++ {
  55                         // Multiply i, j bit by bit.
  56                         s := uint8(0)
  57                         for k := uint(0); k < 8; k++ {
  58                                 for l := uint(0); l < 8; l++ {
  59                                         if i&(1<<k) != 0 && j&(1<<l) != 0 {
  60                                                 s ^= powx[k+l]
  61                                         }
  62                                 }
  63                         }
  64                         if x := mul(i, j); x != uint32(s) {
  65                                 t.Fatalf("mul(%#x, %#x) = %#x, want %#x", i, j, x, s)
  66                         }
  67                 }
  68         }
  69 }
  70
  71 // Check that S-boxes are inverses of each other.
  72 // They have more structure that we could test,
  73 // but if this sanity check passes, we'll assume
  74 // the cut and paste from the FIPS PDF worked.
  75 func TestSboxes(t *testing.T) {
  76         for i := 0; i < 256; i++ {
  77                 if j := sbox0[sbox1[i]]; j != byte(i) {
  78                         t.Errorf("sbox0[sbox1[%#x]] = %#x", i, j)
  79                 }
  80                 if j := sbox1[sbox0[i]]; j != byte(i) {
  81                         t.Errorf("sbox1[sbox0[%#x]] = %#x", i, j)
  82                 }
  83         }
  84 }
  85
  86 // Test that encryption tables are correct.
  87 // (Can adapt this code to generate them too.)
  88 func TestTe(t *testing.T) {
  89         for i := 0; i < 256; i++ {
  90                 s := uint32(sbox0[i])
  91                 s2 := mul(s, 2)
  92                 s3 := mul(s, 3)
  93                 w := s2<<24 | s<<16 | s<<8 | s3
  94                 te := [][256]uint32{te0, te1, te2, te3}
  95                 for j := 0; j < 4; j++ {
  96                         if x := te[j][i]; x != w {
  97                                 t.Fatalf("te[%d][%d] = %#x, want %#x", j, i, x, w)
  98                         }
  99                         w = w<<24 | w>>8
 100                 }
 101         }
 102 }
 103
 104 // Test that decryption tables are correct.
 105 // (Can adapt this code to generate them too.)
 106 func TestTd(t *testing.T) {
 107         for i := 0; i < 256; i++ {
 108                 s := uint32(sbox1[i])
 109                 s9 := mul(s, 0x9)
 110                 sb := mul(s, 0xb)
 111                 sd := mul(s, 0xd)
 112                 se := mul(s, 0xe)
 113                 w := se<<24 | s9<<16 | sd<<8 | sb
 114                 td := [][256]uint32{td0, td1, td2, td3}
 115                 for j := 0; j < 4; j++ {
 116                         if x := td[j][i]; x != w {
 117                                 t.Fatalf("td[%d][%d] = %#x, want %#x", j, i, x, w)
 118                         }
 119                         w = w<<24 | w>>8
 120                 }
 121         }
 122 }
 123
 124 // Test vectors are from FIPS 197:
 125 //      http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf
 126
 127 // Appendix A of FIPS 197: Key expansion examples
 128 type KeyTest struct {
 129         key []byte
 130         enc []uint32
 131         dec []uint32 // decryption expansion; not in FIPS 197, computed from C implementation.
 132 }
 133
 134 var keyTests = []KeyTest{
 135         {
 136                 // A.1.  Expansion of a 128-bit Cipher Key
 137                 []byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c},
 138                 []uint32{
 139                         0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c,
 140                         0xa0fafe17, 0x88542cb1, 0x23a33939, 0x2a6c7605,
 141                         0xf2c295f2, 0x7a96b943, 0x5935807a, 0x7359f67f,
 142                         0x3d80477d, 0x4716fe3e, 0x1e237e44, 0x6d7a883b,
 143                         0xef44a541, 0xa8525b7f, 0xb671253b, 0xdb0bad00,
 144                         0xd4d1c6f8, 0x7c839d87, 0xcaf2b8bc, 0x11f915bc,
 145                         0x6d88a37a, 0x110b3efd, 0xdbf98641, 0xca0093fd,
 146                         0x4e54f70e, 0x5f5fc9f3, 0x84a64fb2, 0x4ea6dc4f,
 147                         0xead27321, 0xb58dbad2, 0x312bf560, 0x7f8d292f,
 148                         0xac7766f3, 0x19fadc21, 0x28d12941, 0x575c006e,
 149                         0xd014f9a8, 0xc9ee2589, 0xe13f0cc8, 0xb6630ca6,
 150                 },
 151                 []uint32{
 152                         0xd014f9a8, 0xc9ee2589, 0xe13f0cc8, 0xb6630ca6,
 153                         0xc7b5a63, 0x1319eafe, 0xb0398890, 0x664cfbb4,
 154                         0xdf7d925a, 0x1f62b09d, 0xa320626e, 0xd6757324,
 155                         0x12c07647, 0xc01f22c7, 0xbc42d2f3, 0x7555114a,
 156                         0x6efcd876, 0xd2df5480, 0x7c5df034, 0xc917c3b9,
 157                         0x6ea30afc, 0xbc238cf6, 0xae82a4b4, 0xb54a338d,
 158                         0x90884413, 0xd280860a, 0x12a12842, 0x1bc89739,
 159                         0x7c1f13f7, 0x4208c219, 0xc021ae48, 0x969bf7b,
 160                         0xcc7505eb, 0x3e17d1ee, 0x82296c51, 0xc9481133,
 161                         0x2b3708a7, 0xf262d405, 0xbc3ebdbf, 0x4b617d62,
 162                         0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x9cf4f3c,
 163                 },
 164         },
 165         {
 166                 // A.2.  Expansion of a 192-bit Cipher Key
 167                 []byte{
 168                         0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
 169                         0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b,
 170                 },
 171                 []uint32{
 172                         0x8e73b0f7, 0xda0e6452, 0xc810f32b, 0x809079e5,
 173                         0x62f8ead2, 0x522c6b7b, 0xfe0c91f7, 0x2402f5a5,
 174                         0xec12068e, 0x6c827f6b, 0x0e7a95b9, 0x5c56fec2,
 175                         0x4db7b4bd, 0x69b54118, 0x85a74796, 0xe92538fd,
 176                         0xe75fad44, 0xbb095386, 0x485af057, 0x21efb14f,
 177                         0xa448f6d9, 0x4d6dce24, 0xaa326360, 0x113b30e6,
 178                         0xa25e7ed5, 0x83b1cf9a, 0x27f93943, 0x6a94f767,
 179                         0xc0a69407, 0xd19da4e1, 0xec1786eb, 0x6fa64971,
 180                         0x485f7032, 0x22cb8755, 0xe26d1352, 0x33f0b7b3,
 181                         0x40beeb28, 0x2f18a259, 0x6747d26b, 0x458c553e,
 182                         0xa7e1466c, 0x9411f1df, 0x821f750a, 0xad07d753,
 183                         0xca400538, 0x8fcc5006, 0x282d166a, 0xbc3ce7b5,
 184                         0xe98ba06f, 0x448c773c, 0x8ecc7204, 0x01002202,
 185                 },
 186                 nil,
 187         },
 188         {
 189                 // A.3.  Expansion of a 256-bit Cipher Key
 190                 []byte{
 191                         0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
 192                         0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4,
 193                 },
 194                 []uint32{
 195                         0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781,
 196                         0x1f352c07, 0x3b6108d7, 0x2d9810a3, 0x0914dff4,
 197                         0x9ba35411, 0x8e6925af, 0xa51a8b5f, 0x2067fcde,
 198                         0xa8b09c1a, 0x93d194cd, 0xbe49846e, 0xb75d5b9a,
 199                         0xd59aecb8, 0x5bf3c917, 0xfee94248, 0xde8ebe96,
 200                         0xb5a9328a, 0x2678a647, 0x98312229, 0x2f6c79b3,
 201                         0x812c81ad, 0xdadf48ba, 0x24360af2, 0xfab8b464,
 202                         0x98c5bfc9, 0xbebd198e, 0x268c3ba7, 0x09e04214,
 203                         0x68007bac, 0xb2df3316, 0x96e939e4, 0x6c518d80,
 204                         0xc814e204, 0x76a9fb8a, 0x5025c02d, 0x59c58239,
 205                         0xde136967, 0x6ccc5a71, 0xfa256395, 0x9674ee15,
 206                         0x5886ca5d, 0x2e2f31d7, 0x7e0af1fa, 0x27cf73c3,
 207                         0x749c47ab, 0x18501dda, 0xe2757e4f, 0x7401905a,
 208                         0xcafaaae3, 0xe4d59b34, 0x9adf6ace, 0xbd10190d,
 209                         0xfe4890d1, 0xe6188d0b, 0x046df344, 0x706c631e,
 210                 },
 211                 nil,
 212         },
 213 }
 214
 215 // Test key expansion against FIPS 197 examples.
 216 func TestExpandKey(t *testing.T) {
 217 L:
 218         for i, tt := range keyTests {
 219                 enc := make([]uint32, len(tt.enc))
 220                 var dec []uint32
 221                 if tt.dec != nil {
 222                         dec = make([]uint32, len(tt.dec))
 223                 }
 224                 // This test could only test Go version of expandKey because asm
 225                 // version might use different memory layout for expanded keys
 226                 // This is OK because we don't expose expanded keys to the outside
 227                 expandKeyGo(tt.key, enc, dec)
 228                 for j, v := range enc {
 229                         if v != tt.enc[j] {
 230                                 t.Errorf("key %d: enc[%d] = %#x, want %#x", i, j, v, tt.enc[j])
 231                                 continue L
 232                         }
 233                 }
 234                 if dec != nil {
 235                         for j, v := range dec {
 236                                 if v != tt.dec[j] {
 237                                         t.Errorf("key %d: dec[%d] = %#x, want %#x", i, j, v, tt.dec[j])
 238                                         continue L
 239                                 }
 240                         }
 241                 }
 242         }
 243 }
 244
 245 // Appendix B, C of FIPS 197: Cipher examples, Example vectors.
 246 type CryptTest struct {
 247         key []byte
 248         in  []byte
 249         out []byte
 250 }
 251
 252 var encryptTests = []CryptTest{
 253         {
 254                 // Appendix B.
 255                 []byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c},
 256                 []byte{0x32, 0x43, 0xf6, 0xa8, 0x88, 0x5a, 0x30, 0x8d, 0x31, 0x31, 0x98, 0xa2, 0xe0, 0x37, 0x07, 0x34},
 257                 []byte{0x39, 0x25, 0x84, 0x1d, 0x02, 0xdc, 0x09, 0xfb, 0xdc, 0x11, 0x85, 0x97, 0x19, 0x6a, 0x0b, 0x32},
 258         },
 259         {
 260                 // Appendix C.1.  AES-128
 261                 []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f},
 262                 []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff},
 263                 []byte{0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30, 0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a},
 264         },
 265         {
 266                 // Appendix C.2.  AES-192
 267                 []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
 268                         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
 269                 },
 270                 []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff},
 271                 []byte{0xdd, 0xa9, 0x7c, 0xa4, 0x86, 0x4c, 0xdf, 0xe0, 0x6e, 0xaf, 0x70, 0xa0, 0xec, 0x0d, 0x71, 0x91},
 272         },
 273         {
 274                 // Appendix C.3.  AES-256
 275                 []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
 276                         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
 277                 },
 278                 []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff},
 279                 []byte{0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf, 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89},
 280         },
 281 }
 282
 283 // Test encryptBlock against FIPS 197 examples.
 284 func TestEncryptBlock(t *testing.T) {
 285         for i, tt := range encryptTests {
 286                 n := len(tt.key) + 28
 287                 enc := make([]uint32, n)
 288                 dec := make([]uint32, n)
 289                 expandKey(tt.key, enc, dec)
 290                 out := make([]byte, len(tt.in))
 291                 encryptBlock(enc, out, tt.in)
 292                 for j, v := range out {
 293                         if v != tt.out[j] {
 294                                 t.Errorf("encryptBlock %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j])
 295                                 break
 296                         }
 297                 }
 298         }
 299 }
 300
 301 // Test decryptBlock against FIPS 197 examples.
 302 func TestDecryptBlock(t *testing.T) {
 303         for i, tt := range encryptTests {
 304                 n := len(tt.key) + 28
 305                 enc := make([]uint32, n)
 306                 dec := make([]uint32, n)
 307                 expandKey(tt.key, enc, dec)
 308                 plain := make([]byte, len(tt.in))
 309                 decryptBlock(dec, plain, tt.out)
 310                 for j, v := range plain {
 311                         if v != tt.in[j] {
 312                                 t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j])
 313                                 break
 314                         }
 315                 }
 316         }
 317 }
 318
 319 // Test Cipher Encrypt method against FIPS 197 examples.
 320 func TestCipherEncrypt(t *testing.T) {
 321         for i, tt := range encryptTests {
 322                 c, err := NewCipher(tt.key)
 323                 if err != nil {
 324                         t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err)
 325                         continue
 326                 }
 327                 out := make([]byte, len(tt.in))
 328                 c.Encrypt(out, tt.in)
 329                 for j, v := range out {
 330                         if v != tt.out[j] {
 331                                 t.Errorf("Cipher.Encrypt %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j])
 332                                 break
 333                         }
 334                 }
 335         }
 336 }
 337
 338 // Test Cipher Decrypt against FIPS 197 examples.
 339 func TestCipherDecrypt(t *testing.T) {
 340         for i, tt := range encryptTests {
 341                 c, err := NewCipher(tt.key)
 342                 if err != nil {
 343                         t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err)
 344                         continue
 345                 }
 346                 plain := make([]byte, len(tt.in))
 347                 c.Decrypt(plain, tt.out)
 348                 for j, v := range plain {
 349                         if v != tt.in[j] {
 350                                 t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j])
 351                                 break
 352                         }
 353                 }
 354         }
 355 }
 356
 357 func BenchmarkEncrypt(b *testing.B) {
 358         tt := encryptTests[0]
 359         c, err := NewCipher(tt.key)
 360         if err != nil {
 361                 b.Fatal("NewCipher:", err)
 362         }
 363         out := make([]byte, len(tt.in))
 364         b.SetBytes(int64(len(out)))
 365         b.ResetTimer()
 366         for i := 0; i < b.N; i++ {
 367                 c.Encrypt(out, tt.in)
 368         }
 369 }
 370
 371 func BenchmarkDecrypt(b *testing.B) {
 372         tt := encryptTests[0]
 373         c, err := NewCipher(tt.key)
 374         if err != nil {
 375                 b.Fatal("NewCipher:", err)
 376         }
 377         out := make([]byte, len(tt.out))
 378         b.SetBytes(int64(len(out)))
 379         b.ResetTimer()
 380         for i := 0; i < b.N; i++ {
 381                 c.Decrypt(out, tt.out)
 382         }
 383 }
 384
 385 func BenchmarkExpand(b *testing.B) {
 386         tt := encryptTests[0]
 387         n := len(tt.key) + 28
 388         c := &aesCipher{make([]uint32, n), make([]uint32, n)}
 389         b.ResetTimer()
 390         for i := 0; i < b.N; i++ {
 391                 expandKey(tt.key, c.enc, c.dec)
 392         }
 393 }