3 Self-test and vectors for CCM mode ciphers using AES-128 and AES-256.
5 Copyright (C) 2014 Exegin Technologies Limited
6 Copyright (C) 2014 Owen Kirby
8 This file is part of GNU Nettle.
10 GNU Nettle is free software: you can redistribute it and/or
11 modify it under the terms of either:
13 * the GNU Lesser General Public License as published by the Free
14 Software Foundation; either version 3 of the License, or (at your
15 option) any later version.
19 * the GNU General Public License as published by the Free
20 Software Foundation; either version 2 of the License, or (at your
21 option) any later version.
23 or both in parallel, as here.
25 GNU Nettle is distributed in the hope that it will be useful,
26 but WITHOUT ANY WARRANTY; without even the implied warranty of
27 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28 General Public License for more details.
30 You should have received copies of the GNU General Public License and
31 the GNU Lesser General Public License along with this program. If
32 not, see http://www.gnu.org/licenses/.
36 * test vectors have been collected from the following standards:
40 * IEEE P1619.1/D22 July 2007 (draft version)
43 #include "testutils.h"
46 #include "knuth-lfib.h"
49 test_compare_results(const char *name,
50 const struct tstring *adata,
51 /* Expected results. */
52 const struct tstring *e_clear,
53 const struct tstring *e_cipher,
57 const void *digest) /* digest optional. */
59 int tlength = (e_cipher->length - e_clear->length);
60 if (digest && tlength && !MEMEQ(tlength, e_cipher->data + e_clear->length, digest))
62 fprintf(stderr, "%s digest failed:\nAdata:", name);
63 tstring_print_hex(adata);
64 fprintf(stderr, "\nInput: ");
65 tstring_print_hex(e_clear);
66 fprintf(stderr, "\nOutput: ");
67 print_hex(tlength, digest);
68 fprintf(stderr, "\nExpected:");
69 print_hex(tlength, e_cipher->data + e_clear->length);
70 fprintf(stderr, "\n");
73 if (!MEMEQ(e_cipher->length, e_cipher->data, cipher))
75 fprintf(stderr, "%s: encryption failed\nAdata: ", name);
76 tstring_print_hex(adata);
77 fprintf(stderr, "\nInput: ");
78 tstring_print_hex(e_clear);
79 fprintf(stderr, "\nOutput: ");
80 print_hex(e_cipher->length, cipher);
81 fprintf(stderr, "\nExpected:");
82 tstring_print_hex(e_cipher);
83 fprintf(stderr, "\n");
86 if (!MEMEQ(e_clear->length, e_clear->data, clear))
88 fprintf(stderr, "%s decrypt failed:\nAdata:", name);
89 tstring_print_hex(adata);
90 fprintf(stderr, "\nInput: ");
91 tstring_print_hex(e_cipher);
92 fprintf(stderr, "\nOutput: ");
93 print_hex(e_clear->length, clear);
94 fprintf(stderr, "\nExpected:");
95 tstring_print_hex(e_clear);
96 fprintf(stderr, "\n");
99 } /* test_compare_results */
102 test_cipher_ccm(const struct nettle_cipher *cipher,
103 const struct tstring *key,
104 const struct tstring *nonce,
105 const struct tstring *authdata,
107 const struct tstring *cleartext,
108 const struct tstring *ciphertext)
110 void *ctx = xalloc(cipher->context_size);
114 uint8_t de_digest[CCM_BLOCK_SIZE];
119 ASSERT (key->length == cipher->key_size);
120 ASSERT (cleartext->length <= ciphertext->length);
121 ASSERT ((cleartext->length + CCM_BLOCK_SIZE) >= ciphertext->length);
122 tlength = ciphertext->length - cleartext->length;
124 de_data = xalloc(cleartext->length);
125 en_data = xalloc(ciphertext->length);
126 en_digest = en_data + cleartext->length;
127 cipher->set_encrypt_key(ctx, key->data);
129 /* Encrypt using the incremental API. */
130 ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data,
131 authdata->length * repeat, cleartext->length, tlength);
132 for (i = 0; i < repeat; i++) {
133 ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data);
135 ccm_encrypt(&ccm, ctx, cipher->encrypt, cleartext->length, en_data, cleartext->data);
136 ccm_digest(&ccm, ctx, cipher->encrypt, tlength, en_digest);
138 /* Decrypt using the incremental API. */
139 ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data,
140 authdata->length * repeat, cleartext->length, tlength);
141 for (i = 0; i < repeat; i++) {
142 ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data);
144 ccm_decrypt(&ccm, ctx, cipher->encrypt, cleartext->length, de_data, ciphertext->data);
145 ccm_digest(&ccm, ctx, cipher->encrypt, tlength, de_digest);
147 /* Compare results using the generic API. */
148 test_compare_results("CCM", authdata,
149 cleartext, ciphertext, de_data, en_data, de_digest);
151 /* Ensure we get the same answers using the all-in-one API. */
154 memset(de_data, 0, cleartext->length);
155 memset(en_data, 0, ciphertext->length);
156 memset(de_digest, 0, sizeof(de_digest));
158 ccm_encrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data,
159 authdata->length, authdata->data, tlength,
160 ciphertext->length, en_data, cleartext->data);
162 ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data,
163 authdata->length, authdata->data, tlength,
164 cleartext->length, de_data, ciphertext->data);
166 if (ret != 1) fprintf(stderr, "ccm_decrypt_message failed to validate message\n");
167 test_compare_results("CCM_MSG", authdata,
168 cleartext, ciphertext, de_data, en_data, NULL);
170 /* Ensure that we can detect corrupted message or tag data. */
173 ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data,
174 authdata->length, authdata->data, tlength,
175 cleartext->length, de_data, en_data);
176 if (ret != 0) fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n");
178 /* Ensure we can detect corrupted adata. */
179 if (tlength && authdata->length) {
180 ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data,
181 authdata->length-1, authdata->data, tlength,
182 cleartext->length, de_data, ciphertext->data);
183 if (ret != 0) fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n");
187 /* Ensure we get the same answers using the per-cipher API. */
188 if (cipher == &nettle_aes128) {
189 struct ccm_aes128_ctx aes;
190 memset(de_data, 0, cleartext->length);
191 memset(en_data, 0, ciphertext->length);
192 memset(de_digest, 0, sizeof(de_digest));
194 /* AES-128 encrypt. */
195 ccm_aes128_set_key(&aes, key->data);
196 ccm_aes128_set_nonce(&aes, nonce->length, nonce->data,
197 authdata->length * repeat, cleartext->length, tlength);
198 for (i = 0; i < repeat; i++) {
199 ccm_aes128_update(&aes, authdata->length, authdata->data);
201 ccm_aes128_encrypt(&aes, cleartext->length, en_data, cleartext->data);
202 ccm_aes128_digest(&aes, tlength, en_digest);
204 /* AES-128 decrypt. */
205 ccm_aes128_set_nonce(&aes, nonce->length, nonce->data,
206 authdata->length * repeat, cleartext->length, tlength);
207 for (i = 0; i < repeat; i++) {
208 ccm_aes128_update(&aes, authdata->length, authdata->data);
210 ccm_aes128_decrypt(&aes, cleartext->length, de_data, ciphertext->data);
211 ccm_aes128_digest(&aes, tlength, de_digest);
213 test_compare_results("CCM_AES_128", authdata,
214 cleartext, ciphertext, de_data, en_data, de_digest);
216 /* TODO: I couldn't find any test cases for CCM-AES-192 */
217 if (cipher == &nettle_aes256) {
218 struct ccm_aes256_ctx aes;
219 memset(de_data, 0, cleartext->length);
220 memset(en_data, 0, ciphertext->length);
221 memset(de_digest, 0, sizeof(de_digest));
223 /* AES-256 encrypt. */
224 ccm_aes256_set_key(&aes, key->data);
225 ccm_aes256_set_nonce(&aes, nonce->length, nonce->data,
226 authdata->length * repeat, cleartext->length, tlength);
227 for (i = 0; i < repeat; i++) {
228 ccm_aes256_update(&aes, authdata->length, authdata->data);
230 ccm_aes256_encrypt(&aes, cleartext->length, en_data, cleartext->data);
231 ccm_aes256_digest(&aes, tlength, en_digest);
233 /* AES-256 decrypt. */
234 ccm_aes256_set_nonce(&aes, nonce->length, nonce->data,
235 authdata->length * repeat, cleartext->length, tlength);
236 for (i = 0; i < repeat; i++) {
237 ccm_aes256_update(&aes, authdata->length, authdata->data);
239 ccm_aes256_decrypt(&aes, cleartext->length, de_data, ciphertext->data);
240 ccm_aes256_digest(&aes, tlength, de_digest);
242 test_compare_results("CCM_AES_256", authdata,
243 cleartext, ciphertext, de_data, en_data, de_digest);
254 /* Create a pattern of 00010203 04050607 08090a00b 0c0d0e0f ... */
255 struct tstring *adata;
257 adata = tstring_alloc(256);
258 for (i=0; i<adata->length; i++) adata->data[i] = (i & 0xff);
260 /* From NIST spec 800-38C on AES modes.
262 * Appendix C: Example Vectors
266 * Klen = 128, Tlen = 32, Nlen = 56, Alen = 64, Plen = 32
268 test_cipher_ccm(&nettle_aes128,
269 SHEX("404142434445464748494a4b4c4d4e4f"),
270 SHEX("10111213141516"),
271 SHEX("0001020304050607"), 1,
278 * Klen = 128, Tlen = 48, Nlen = 64, Alen = 128, Plen = 128
280 test_cipher_ccm(&nettle_aes128,
281 SHEX("404142434445464748494a4b4c4d4e4f"),
282 SHEX("1011121314151617"),
283 SHEX("000102030405060708090a0b0c0d0e0f"), 1,
284 SHEX("202122232425262728292a2b2c2d2e2f"),
285 SHEX("d2a1f0e051ea5f62081a7792073d593d"
290 * Klen = 128, Tlen = 64, Nlen = 96, Alen = 160, Plen = 192
292 test_cipher_ccm(&nettle_aes128,
293 SHEX("404142434445464748494a4b4c4d4e4f"),
294 SHEX("101112131415161718191a1b"),
295 SHEX("000102030405060708090a0b0c0d0e0f"
297 SHEX("202122232425262728292a2b2c2d2e2f"
299 SHEX("e3b201a9f5b71a7a9b1ceaeccd97e70b"
300 "6176aad9a4428aa5 484392fbc1b09951"));
304 * Klen = 128, Tlen = 112, Nlen = 104, Alen = 524288, Plen = 256
305 * A = 00010203 04050607 08090a0b 0c0d0e0f
308 test_cipher_ccm(&nettle_aes128,
309 SHEX("404142434445464748494a4b4c4d4e4f"),
310 SHEX("101112131415161718191a1b1c"),
312 SHEX("202122232425262728292a2b2c2d2e2f"
313 "303132333435363738393a3b3c3d3e3f"),
314 SHEX("69915dad1e84c6376a68c2967e4dab61"
315 "5ae0fd1faec44cc484828529463ccf72"
316 "b4ac6bec93e8598e7f0dadbcea5b"));
320 * Section 8: Test Vectors
323 test_cipher_ccm(&nettle_aes128,
324 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
325 SHEX("00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5"),
326 SHEX("00 01 02 03 04 05 06 07"), 1,
327 SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"),
328 SHEX("58 8C 97 9A 61 C6 63 D2 F0 66 D0 C2 C0 F9 89 80 6D 5F 6B 61 DA C3 84"
329 "17 E8 D1 2C FD F9 26 E0"));
334 test_cipher_ccm(&nettle_aes128,
335 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
336 SHEX("00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5"),
337 SHEX("00 01 02 03 04 05 06 07"), 1,
338 SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"),
339 SHEX("72 C9 1A 36 E1 35 F8 CF 29 1C A8 94 08 5C 87 E3 CC 15 C4 39 C9 E4 3A 3B"
340 "A0 91 D5 6E 10 40 09 16"));
345 test_cipher_ccm(&nettle_aes128,
346 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
347 SHEX("00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5"),
348 SHEX("00 01 02 03 04 05 06 07"), 1,
349 SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"),
350 SHEX("51 B1 E5 F4 4A 19 7D 1D A4 6B 0F 8E 2D 28 2A E8 71 E8 38 BB 64 DA 85 96 57"
351 "4A DA A7 6F BD 9F B0 C5"));
356 test_cipher_ccm(&nettle_aes128,
357 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
358 SHEX("00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5"),
359 SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1,
360 SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"),
361 SHEX("A2 8C 68 65 93 9A 9A 79 FA AA 5C 4C 2A 9D 4A 91 CD AC 8C"
362 "96 C8 61 B9 C9 E6 1E F1"));
367 test_cipher_ccm(&nettle_aes128,
368 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
369 SHEX("00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5"),
370 SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1,
371 SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"),
372 SHEX("DC F1 FB 7B 5D 9E 23 FB 9D 4E 13 12 53 65 8A D8 6E BD CA 3E"
373 "51 E8 3F 07 7D 9C 2D 93"));
378 test_cipher_ccm(&nettle_aes128,
379 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
380 SHEX("00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5"),
381 SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1,
382 SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"),
383 SHEX("6F C1 B0 11 F0 06 56 8B 51 71 A4 2D 95 3D 46 9B 25 70 A4 BD 87"
384 "40 5A 04 43 AC 91 CB 94"));
389 test_cipher_ccm(&nettle_aes128,
390 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
391 SHEX("00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5"),
392 SHEX("00 01 02 03 04 05 06 07"), 1,
393 SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"),
394 SHEX("01 35 D1 B2 C9 5F 41 D5 D1 D4 FE C1 85 D1 66 B8 09 4E 99 9D FE D9 6C"
395 "04 8C 56 60 2C 97 AC BB 74 90"));
400 test_cipher_ccm(&nettle_aes128,
401 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
402 SHEX("00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5"),
403 SHEX("00 01 02 03 04 05 06 07"), 1,
404 SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"),
405 SHEX("7B 75 39 9A C0 83 1D D2 F0 BB D7 58 79 A2 FD 8F 6C AE 6B 6C D9 B7 DB 24"
406 "C1 7B 44 33 F4 34 96 3F 34 B4"));
411 test_cipher_ccm(&nettle_aes128,
412 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
413 SHEX("00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5"),
414 SHEX("00 01 02 03 04 05 06 07"), 1,
415 SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"),
416 SHEX("82 53 1A 60 CC 24 94 5A 4B 82 79 18 1A B5 C8 4D F2 1C E7 F9 B7 3F 42 E1 97"
417 "EA 9C 07 E5 6B 5E B1 7E 5F 4E"));
422 test_cipher_ccm(&nettle_aes128,
423 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
424 SHEX("00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5"),
425 SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1,
426 SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"),
427 SHEX("07 34 25 94 15 77 85 15 2B 07 40 98 33 0A BB 14 1B 94 7B"
428 "56 6A A9 40 6B 4D 99 99 88 DD"));
433 test_cipher_ccm(&nettle_aes128,
434 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
435 SHEX("00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5"),
436 SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1,
437 SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"),
438 SHEX("67 6B B2 03 80 B0 E3 01 E8 AB 79 59 0A 39 6D A7 8B 83 49 34"
439 "F5 3A A2 E9 10 7A 8B 6C 02 2C"));
444 test_cipher_ccm(&nettle_aes128,
445 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
446 SHEX("00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5"),
447 SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1,
448 SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"),
449 SHEX("C0 FF A0 D6 F0 5B DB 67 F2 4D 43 A4 33 8D 2A A4 BE D7 B2 0E 43"
450 "CD 1A A3 16 62 E7 AD 65 D6 DB"));
455 test_cipher_ccm(&nettle_aes128,
456 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
457 SHEX("00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA"),
458 SHEX("0B E1 A8 8B AC E0 18 B1"), 1,
459 SHEX("08 E8 CF 97 D8 20 EA 25 84 60 E9 6A D9 CF 52 89 05 4D 89 5C EA C4 7C"),
460 SHEX("4C B9 7F 86 A2 A4 68 9A 87 79 47 AB 80 91 EF 53 86 A6 FF BD D0 80 F8"
461 "E7 8C F7 CB 0C DD D7 B3"));
466 test_cipher_ccm(&nettle_aes128,
467 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
468 SHEX("00 33 56 8E F7 B2 63 3C 96 96 76 6C FA"),
469 SHEX("63 01 8F 76 DC 8A 1B CB"), 1,
470 SHEX("90 20 EA 6F 91 BD D8 5A FA 00 39 BA 4B AF F9 BF B7 9C 70 28 94 9C D0 EC"),
471 SHEX("4C CB 1E 7C A9 81 BE FA A0 72 6C 55 D3 78 06 12 98 C8 5C 92 81 4A BC 33"
472 "C5 2E E8 1D 7D 77 C0 8A"));
477 test_cipher_ccm(&nettle_aes128,
478 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
479 SHEX("00 10 3F E4 13 36 71 3C 96 96 76 6C FA"),
480 SHEX("AA 6C FA 36 CA E8 6B 40"), 1,
481 SHEX("B9 16 E0 EA CC 1C 00 D7 DC EC 68 EC 0B 3B BB 1A 02 DE 8A 2D 1A A3 46 13 2E"),
482 SHEX("B1 D2 3A 22 20 DD C0 AC 90 0D 9A A0 3C 61 FC F4 A5 59 A4 41 77 67 08 97 08"
483 "A7 76 79 6E DB 72 35 06"));
488 test_cipher_ccm(&nettle_aes128,
489 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
490 SHEX("00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA"),
491 SHEX("D0 D0 73 5C 53 1E 1B EC F0 49 C2 44"), 1,
492 SHEX("12 DA AC 56 30 EF A5 39 6F 77 0C E1 A6 6B 21 F7 B2 10 1C"),
493 SHEX("14 D2 53 C3 96 7B 70 60 9B 7C BB 7C 49 91 60 28 32 45 26"
494 "9A 6F 49 97 5B CA DE AF"));
499 test_cipher_ccm(&nettle_aes128,
500 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
501 SHEX("00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA"),
502 SHEX("77 B6 0F 01 1C 03 E1 52 58 99 BC AE"), 1,
503 SHEX("E8 8B 6A 46 C7 8D 63 E5 2E B8 C5 46 EF B5 DE 6F 75 E9 CC 0D"),
504 SHEX("55 45 FF 1A 08 5E E2 EF BF 52 B2 E0 4B EE 1E 23 36 C7 3E 3F"
505 "76 2C 0C 77 44 FE 7E 3C"));
510 test_cipher_ccm(&nettle_aes128,
511 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
512 SHEX("00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA"),
513 SHEX("CD 90 44 D2 B7 1F DB 81 20 EA 60 C0"), 1,
514 SHEX("64 35 AC BA FB 11 A8 2E 2F 07 1D 7C A4 A5 EB D9 3A 80 3B A8 7F"),
515 SHEX("00 97 69 EC AB DF 48 62 55 94 C5 92 51 E6 03 57 22 67 5E 04 C8"
516 "47 09 9E 5A E0 70 45 51"));
521 test_cipher_ccm(&nettle_aes128,
522 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
523 SHEX("00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA"),
524 SHEX("D8 5B C7 E6 9F 94 4F B8"), 1,
525 SHEX("8A 19 B9 50 BC F7 1A 01 8E 5E 67 01 C9 17 87 65 98 09 D6 7D BE DD 18"),
526 SHEX("BC 21 8D AA 94 74 27 B6 DB 38 6A 99 AC 1A EF 23 AD E0 B5 29 39 CB 6A"
527 "63 7C F9 BE C2 40 88 97 C6 BA"));
532 test_cipher_ccm(&nettle_aes128,
533 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
534 SHEX("00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA"),
535 SHEX("74 A0 EB C9 06 9F 5B 37"), 1,
536 SHEX("17 61 43 3C 37 C5 A3 5F C1 F3 9F 40 63 02 EB 90 7C 61 63 BE 38 C9 84 37"),
537 SHEX("58 10 E6 FD 25 87 40 22 E8 03 61 A4 78 E3 E9 CF 48 4A B0 4F 44 7E FF F6"
538 "F0 A4 77 CC 2F C9 BF 54 89 44"));
543 test_cipher_ccm(&nettle_aes128,
544 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
545 SHEX("00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA"),
546 SHEX("44 A3 AA 3A AE 64 75 CA"), 1,
547 SHEX("A4 34 A8 E5 85 00 C6 E4 15 30 53 88 62 D6 86 EA 9E 81 30 1B 5A E4 22 6B FA"),
548 SHEX("F2 BE ED 7B C5 09 8E 83 FE B5 B3 16 08 F8 E2 9C 38 81 9A 89 C8 E7 76 F1 54"
549 "4D 41 51 A4 ED 3A 8B 87 B9 CE"));
554 test_cipher_ccm(&nettle_aes128,
555 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
556 SHEX("00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA"),
557 SHEX("EC 46 BB 63 B0 25 20 C3 3C 49 FD 70"), 1,
558 SHEX("B9 6B 49 E2 1D 62 17 41 63 28 75 DB 7F 6C 92 43 D2 D7 C2"),
559 SHEX("31 D7 50 A0 9D A3 ED 7F DD D4 9A 20 32 AA BF 17 EC 8E BF"
560 "7D 22 C8 08 8C 66 6B E5 C1 97"));
565 test_cipher_ccm(&nettle_aes128,
566 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
567 SHEX("00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA"),
568 SHEX("47 A6 5A C7 8B 3D 59 42 27 E8 5E 71"), 1,
569 SHEX("E2 FC FB B8 80 44 2C 73 1B F9 51 67 C8 FF D7 89 5E 33 70 76"),
570 SHEX("E8 82 F1 DB D3 8C E3 ED A7 C2 3F 04 DD 65 07 1E B4 13 42 AC"
571 "DF 7E 00 DC CE C7 AE 52 98 7D"));
576 test_cipher_ccm(&nettle_aes128,
577 SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"),
578 SHEX("00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA"),
579 SHEX("6E 37 A6 EF 54 6D 95 5D 34 AB 60 59"), 1,
580 SHEX("AB F2 1C 0B 02 FE B8 8F 85 6D F4 A3 73 81 BC E3 CC 12 85 17 D4"),
581 SHEX("F3 29 05 B8 8A 64 1B 04 B9 C9 FF B5 8C C3 90 90 0F 3D A1 2A B1"
582 "6D CE 9E 82 EF A1 6D A6 20 59"));
584 /* From IEEE 802.15.4-2011
586 * Annex C: Test vectors for cryptographic building blocks
587 * C.2.1 MAC beacon frame
589 test_cipher_ccm(&nettle_aes128,
590 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
591 SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 02"),
592 SHEX("08 D0 84 21 43 01 00 00 00 00 48 DE AC 02 05 00 00 00 55 CF 00 00 51 52 53 54"), 1,
594 SHEX("22 3B C1 EC 84 1A B5 53"));
597 * C.2.2 MAC data frame
599 test_cipher_ccm(&nettle_aes128,
600 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
601 SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 04"),
602 SHEX("69 DC 84 21 43 02 00 00 00 00 48 DE AC 01 00 00 00 00 48 DE AC 04 05 00 00 00"), 1,
604 SHEX("D4 3E 02 2B"));
607 * C.2.3 MAC command frame
609 test_cipher_ccm(&nettle_aes128,
610 SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"),
611 SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 06"),
612 SHEX("2B DC 84 21 43 02 00 0000 00 48 DE AC FF FF 01 00 00 00 00 48 DE AC 06 05 00 00 00 01"), 1,
614 SHEX("D8 4F DE 52 90 61 F9 C6 F1"));
616 /* From IEEE P1619.1/D22 July 2007 (draft version)
618 * Annex D: Test Vectors
619 * D.2.1 CCM-128-AES-256 test vector 1
621 test_cipher_ccm(&nettle_aes256,
622 SHEX("0000000000000000000000000000000000000000000000000000000000000000"),
623 SHEX("000000000000000000000000"),
625 SHEX("00000000000000000000000000000000"),
626 SHEX("c1944044c8e7aa95d2de9513c7f3dd8c"
627 "4b0a3e5e51f151eb0ffae7c43d010fdb"));
630 * D.2.2 CCM-128-AES-256 test vector 2
632 test_cipher_ccm(&nettle_aes256,
633 SHEX("0000000000000000000000000000000000000000000000000000000000000000"),
634 SHEX("000000000000000000000000"),
635 SHEX("00000000000000000000000000000000"), 1,
637 SHEX("904704e89fb216443cb9d584911fc3c2"));
640 * D.2.3 CCM-128-AES-256 test vector 3
642 test_cipher_ccm(&nettle_aes256,
643 SHEX("0000000000000000000000000000000000000000000000000000000000000000"),
644 SHEX("000000000000000000000000"),
645 SHEX("00000000000000000000000000000000"), 1,
646 SHEX("00000000000000000000000000000000"),
647 SHEX("c1944044c8e7aa95d2de9513c7f3dd8c"
648 "87314e9c1fa01abe6a6415943dc38521"));
651 * D.2.4 CCM-128-AES-256 test vector 4
653 test_cipher_ccm(&nettle_aes256,
654 SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce60978f4d17fce45a49e830b7"),
655 SHEX("dbd1a3636024b7b402da7d6f"),
657 SHEX("a845348ec8c5b5f126f50e76fefd1b1e"),
658 SHEX("cc881261c6a7fa72b96a1739176b277f"
659 "3472e1145f2c0cbe146349062cf0e423"));
662 * D.2.5 CCM-128-AES-256 test vector 5
664 test_cipher_ccm(&nettle_aes256,
665 SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"),
666 SHEX("101112131415161718191a1b"),
667 SHEX("000102030405060708090a0b0c0d0e0f10111213"), 1,
668 SHEX("202122232425262728292a2b2c2d2e2f3031323334353637"),
669 SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e5"
670 "9bba3f3a107f3239bd63902923f80371"));
673 * D.2.6 CCM-128-AES-256 test vector 6
675 test_cipher_ccm(&nettle_aes256,
676 SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"),
677 SHEX("101112131415161718191a1b"),
679 SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"),
680 SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e577f6bf2422c0f6d2"
681 "3376d2cf256ef613c56454cbb5265834"));
684 * D.2.7 CCM-128-AES-256 test vector 7
686 test_cipher_ccm(&nettle_aes256,
687 SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"),
688 SHEX("101112131415161718191a1b"),
689 SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"), 1,
690 SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
691 "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
692 "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"
693 "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
694 "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
695 "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
696 "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
697 "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"),
698 SHEX("24d8a38e939d2710cad52b96fe6f82010014c4c43b2e55c557d69f0402e0d6f2"
699 "06c53d6cbd3f1c3c6de5dcdcad9fb74f25741dea741149fe4278a0cc24741e86"
700 "58cc0523b8d7838c60fb1de4b7c3941f5b26dea9322aa29656ec37ac18a9b108"
701 "a6f38b7917f5a9c398838b22afbd17252e96694a9e6237964a0eae21c0a6e152"
702 "15a0e82022926be97268249599e456e05029c3ebc07d78fc5b4a0862e04e68c2"
703 "9514c7bdafc4b52e04833bf30622e4eb42504a44a9dcbc774752de7bb82891ad"
704 "1eba9dc3281422a8aba8654268d3d9c81705f4c5a531ef856df5609a159af738"
705 "eb753423ed2001b8f20c23725f2bef18c409f7e52132341f27cb8f0e79894dd9"
706 "ebb1fa9d28ccfe21bdfea7e6d91e0bab"));
709 * D.2.8 CCM-128-AES-256 test vector 8
711 test_cipher_ccm(&nettle_aes256,
712 SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce6097878d17fce45a49e830b7"),
713 SHEX("dbd1a3636024b7b402da7d6f"),
716 SHEX("9d3261b1cf931431e99a32806738ecbd2a"));
719 * D.2.9 CCM-128-AES-256 test vector 9
721 test_cipher_ccm(&nettle_aes256,
722 SHEX("f8d476cfd646ea6c2384cb1c27d6195dfef1a9f37b9c8d21a79c21f8cb90d289"),
723 SHEX("dbd1a3636024b7b402da7d6f"),
724 SHEX("7bd859a247961a21823b380e9fe8b65082ba61d3"), 1,
725 SHEX("90ae61cf7baebd4cade494c54a29ae70269aec71"),
726 SHEX("6c05313e45dc8ec10bea6c670bd94f31569386a6"
727 "8f3829e8e76ee23c04f566189e63c686"));