Home | History | Annotate | Download | only in aes
      1 // Copyright 2009 The Go Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style
      3 // license that can be found in the LICENSE file.
      4 
      5 package aes
      6 
      7 import (
      8 	"testing"
      9 )
     10 
     11 // See const.go for overview of math here.
     12 
     13 // Test that powx is initialized correctly.
     14 // (Can adapt this code to generate it too.)
     15 func TestPowx(t *testing.T) {
     16 	p := 1
     17 	for i := 0; i < len(powx); i++ {
     18 		if powx[i] != byte(p) {
     19 			t.Errorf("powx[%d] = %#x, want %#x", i, powx[i], p)
     20 		}
     21 		p <<= 1
     22 		if p&0x100 != 0 {
     23 			p ^= poly
     24 		}
     25 	}
     26 }
     27 
     28 // Multiply b and c as GF(2) polynomials modulo poly
     29 func mul(b, c uint32) uint32 {
     30 	i := b
     31 	j := c
     32 	s := uint32(0)
     33 	for k := uint32(1); k < 0x100 && j != 0; k <<= 1 {
     34 		// Invariant: k == 1<<n, i == b * x
     35 
     36 		if j&k != 0 {
     37 			// s += i in GF(2); xor in binary
     38 			s ^= i
     39 			j ^= k // turn off bit to end loop early
     40 		}
     41 
     42 		// i *= x in GF(2) modulo the polynomial
     43 		i <<= 1
     44 		if i&0x100 != 0 {
     45 			i ^= poly
     46 		}
     47 	}
     48 	return s
     49 }
     50 
     51 // Test all mul inputs against bit-by-bit n algorithm.
     52 func TestMul(t *testing.T) {
     53 	for i := uint32(0); i < 256; i++ {
     54 		for j := uint32(0); j < 256; j++ {
     55 			// Multiply i, j bit by bit.
     56 			s := uint8(0)
     57 			for k := uint(0); k < 8; k++ {
     58 				for l := uint(0); l < 8; l++ {
     59 					if i&(1<<k) != 0 && j&(1<<l) != 0 {
     60 						s ^= powx[k+l]
     61 					}
     62 				}
     63 			}
     64 			if x := mul(i, j); x != uint32(s) {
     65 				t.Fatalf("mul(%#x, %#x) = %#x, want %#x", i, j, x, s)
     66 			}
     67 		}
     68 	}
     69 }
     70 
     71 // Check that S-boxes are inverses of each other.
     72 // They have more structure that we could test,
     73 // but if this sanity check passes, we'll assume
     74 // the cut and paste from the FIPS PDF worked.
     75 func TestSboxes(t *testing.T) {
     76 	for i := 0; i < 256; i++ {
     77 		if j := sbox0[sbox1[i]]; j != byte(i) {
     78 			t.Errorf("sbox0[sbox1[%#x]] = %#x", i, j)
     79 		}
     80 		if j := sbox1[sbox0[i]]; j != byte(i) {
     81 			t.Errorf("sbox1[sbox0[%#x]] = %#x", i, j)
     82 		}
     83 	}
     84 }
     85 
     86 // Test that encryption tables are correct.
     87 // (Can adapt this code to generate them too.)
     88 func TestTe(t *testing.T) {
     89 	for i := 0; i < 256; i++ {
     90 		s := uint32(sbox0[i])
     91 		s2 := mul(s, 2)
     92 		s3 := mul(s, 3)
     93 		w := s2<<24 | s<<16 | s<<8 | s3
     94 		te := [][256]uint32{te0, te1, te2, te3}
     95 		for j := 0; j < 4; j++ {
     96 			if x := te[j][i]; x != w {
     97 				t.Fatalf("te[%d][%d] = %#x, want %#x", j, i, x, w)
     98 			}
     99 			w = w<<24 | w>>8
    100 		}
    101 	}
    102 }
    103 
    104 // Test that decryption tables are correct.
    105 // (Can adapt this code to generate them too.)
    106 func TestTd(t *testing.T) {
    107 	for i := 0; i < 256; i++ {
    108 		s := uint32(sbox1[i])
    109 		s9 := mul(s, 0x9)
    110 		sb := mul(s, 0xb)
    111 		sd := mul(s, 0xd)
    112 		se := mul(s, 0xe)
    113 		w := se<<24 | s9<<16 | sd<<8 | sb
    114 		td := [][256]uint32{td0, td1, td2, td3}
    115 		for j := 0; j < 4; j++ {
    116 			if x := td[j][i]; x != w {
    117 				t.Fatalf("td[%d][%d] = %#x, want %#x", j, i, x, w)
    118 			}
    119 			w = w<<24 | w>>8
    120 		}
    121 	}
    122 }
    123 
    124 // Test vectors are from FIPS 197:
    125 //	http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf
    126 
    127 // Appendix A of FIPS 197: Key expansion examples
    128 type KeyTest struct {
    129 	key []byte
    130 	enc []uint32
    131 	dec []uint32 // decryption expansion; not in FIPS 197, computed from C implementation.
    132 }
    133 
    134 var keyTests = []KeyTest{
    135 	{
    136 		// A.1.  Expansion of a 128-bit Cipher Key
    137 		[]byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c},
    138 		[]uint32{
    139 			0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c,
    140 			0xa0fafe17, 0x88542cb1, 0x23a33939, 0x2a6c7605,
    141 			0xf2c295f2, 0x7a96b943, 0x5935807a, 0x7359f67f,
    142 			0x3d80477d, 0x4716fe3e, 0x1e237e44, 0x6d7a883b,
    143 			0xef44a541, 0xa8525b7f, 0xb671253b, 0xdb0bad00,
    144 			0xd4d1c6f8, 0x7c839d87, 0xcaf2b8bc, 0x11f915bc,
    145 			0x6d88a37a, 0x110b3efd, 0xdbf98641, 0xca0093fd,
    146 			0x4e54f70e, 0x5f5fc9f3, 0x84a64fb2, 0x4ea6dc4f,
    147 			0xead27321, 0xb58dbad2, 0x312bf560, 0x7f8d292f,
    148 			0xac7766f3, 0x19fadc21, 0x28d12941, 0x575c006e,
    149 			0xd014f9a8, 0xc9ee2589, 0xe13f0cc8, 0xb6630ca6,
    150 		},
    151 		[]uint32{
    152 			0xd014f9a8, 0xc9ee2589, 0xe13f0cc8, 0xb6630ca6,
    153 			0xc7b5a63, 0x1319eafe, 0xb0398890, 0x664cfbb4,
    154 			0xdf7d925a, 0x1f62b09d, 0xa320626e, 0xd6757324,
    155 			0x12c07647, 0xc01f22c7, 0xbc42d2f3, 0x7555114a,
    156 			0x6efcd876, 0xd2df5480, 0x7c5df034, 0xc917c3b9,
    157 			0x6ea30afc, 0xbc238cf6, 0xae82a4b4, 0xb54a338d,
    158 			0x90884413, 0xd280860a, 0x12a12842, 0x1bc89739,
    159 			0x7c1f13f7, 0x4208c219, 0xc021ae48, 0x969bf7b,
    160 			0xcc7505eb, 0x3e17d1ee, 0x82296c51, 0xc9481133,
    161 			0x2b3708a7, 0xf262d405, 0xbc3ebdbf, 0x4b617d62,
    162 			0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x9cf4f3c,
    163 		},
    164 	},
    165 	{
    166 		// A.2.  Expansion of a 192-bit Cipher Key
    167 		[]byte{
    168 			0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
    169 			0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b,
    170 		},
    171 		[]uint32{
    172 			0x8e73b0f7, 0xda0e6452, 0xc810f32b, 0x809079e5,
    173 			0x62f8ead2, 0x522c6b7b, 0xfe0c91f7, 0x2402f5a5,
    174 			0xec12068e, 0x6c827f6b, 0x0e7a95b9, 0x5c56fec2,
    175 			0x4db7b4bd, 0x69b54118, 0x85a74796, 0xe92538fd,
    176 			0xe75fad44, 0xbb095386, 0x485af057, 0x21efb14f,
    177 			0xa448f6d9, 0x4d6dce24, 0xaa326360, 0x113b30e6,
    178 			0xa25e7ed5, 0x83b1cf9a, 0x27f93943, 0x6a94f767,
    179 			0xc0a69407, 0xd19da4e1, 0xec1786eb, 0x6fa64971,
    180 			0x485f7032, 0x22cb8755, 0xe26d1352, 0x33f0b7b3,
    181 			0x40beeb28, 0x2f18a259, 0x6747d26b, 0x458c553e,
    182 			0xa7e1466c, 0x9411f1df, 0x821f750a, 0xad07d753,
    183 			0xca400538, 0x8fcc5006, 0x282d166a, 0xbc3ce7b5,
    184 			0xe98ba06f, 0x448c773c, 0x8ecc7204, 0x01002202,
    185 		},
    186 		nil,
    187 	},
    188 	{
    189 		// A.3.  Expansion of a 256-bit Cipher Key
    190 		[]byte{
    191 			0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
    192 			0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4,
    193 		},
    194 		[]uint32{
    195 			0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781,
    196 			0x1f352c07, 0x3b6108d7, 0x2d9810a3, 0x0914dff4,
    197 			0x9ba35411, 0x8e6925af, 0xa51a8b5f, 0x2067fcde,
    198 			0xa8b09c1a, 0x93d194cd, 0xbe49846e, 0xb75d5b9a,
    199 			0xd59aecb8, 0x5bf3c917, 0xfee94248, 0xde8ebe96,
    200 			0xb5a9328a, 0x2678a647, 0x98312229, 0x2f6c79b3,
    201 			0x812c81ad, 0xdadf48ba, 0x24360af2, 0xfab8b464,
    202 			0x98c5bfc9, 0xbebd198e, 0x268c3ba7, 0x09e04214,
    203 			0x68007bac, 0xb2df3316, 0x96e939e4, 0x6c518d80,
    204 			0xc814e204, 0x76a9fb8a, 0x5025c02d, 0x59c58239,
    205 			0xde136967, 0x6ccc5a71, 0xfa256395, 0x9674ee15,
    206 			0x5886ca5d, 0x2e2f31d7, 0x7e0af1fa, 0x27cf73c3,
    207 			0x749c47ab, 0x18501dda, 0xe2757e4f, 0x7401905a,
    208 			0xcafaaae3, 0xe4d59b34, 0x9adf6ace, 0xbd10190d,
    209 			0xfe4890d1, 0xe6188d0b, 0x046df344, 0x706c631e,
    210 		},
    211 		nil,
    212 	},
    213 }
    214 
    215 // Test key expansion against FIPS 197 examples.
    216 func TestExpandKey(t *testing.T) {
    217 L:
    218 	for i, tt := range keyTests {
    219 		enc := make([]uint32, len(tt.enc))
    220 		var dec []uint32
    221 		if tt.dec != nil {
    222 			dec = make([]uint32, len(tt.dec))
    223 		}
    224 		// This test could only test Go version of expandKey because asm
    225 		// version might use different memory layout for expanded keys
    226 		// This is OK because we don't expose expanded keys to the outside
    227 		expandKeyGo(tt.key, enc, dec)
    228 		for j, v := range enc {
    229 			if v != tt.enc[j] {
    230 				t.Errorf("key %d: enc[%d] = %#x, want %#x", i, j, v, tt.enc[j])
    231 				continue L
    232 			}
    233 		}
    234 		if dec != nil {
    235 			for j, v := range dec {
    236 				if v != tt.dec[j] {
    237 					t.Errorf("key %d: dec[%d] = %#x, want %#x", i, j, v, tt.dec[j])
    238 					continue L
    239 				}
    240 			}
    241 		}
    242 	}
    243 }
    244 
    245 // Appendix B, C of FIPS 197: Cipher examples, Example vectors.
    246 type CryptTest struct {
    247 	key []byte
    248 	in  []byte
    249 	out []byte
    250 }
    251 
    252 var encryptTests = []CryptTest{
    253 	{
    254 		// Appendix B.
    255 		[]byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c},
    256 		[]byte{0x32, 0x43, 0xf6, 0xa8, 0x88, 0x5a, 0x30, 0x8d, 0x31, 0x31, 0x98, 0xa2, 0xe0, 0x37, 0x07, 0x34},
    257 		[]byte{0x39, 0x25, 0x84, 0x1d, 0x02, 0xdc, 0x09, 0xfb, 0xdc, 0x11, 0x85, 0x97, 0x19, 0x6a, 0x0b, 0x32},
    258 	},
    259 	{
    260 		// Appendix C.1.  AES-128
    261 		[]byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f},
    262 		[]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff},
    263 		[]byte{0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30, 0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a},
    264 	},
    265 	{
    266 		// Appendix C.2.  AES-192
    267 		[]byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    268 			0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    269 		},
    270 		[]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff},
    271 		[]byte{0xdd, 0xa9, 0x7c, 0xa4, 0x86, 0x4c, 0xdf, 0xe0, 0x6e, 0xaf, 0x70, 0xa0, 0xec, 0x0d, 0x71, 0x91},
    272 	},
    273 	{
    274 		// Appendix C.3.  AES-256
    275 		[]byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    276 			0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
    277 		},
    278 		[]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff},
    279 		[]byte{0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf, 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89},
    280 	},
    281 }
    282 
    283 // Test encryptBlock against FIPS 197 examples.
    284 func TestEncryptBlock(t *testing.T) {
    285 	for i, tt := range encryptTests {
    286 		n := len(tt.key) + 28
    287 		enc := make([]uint32, n)
    288 		dec := make([]uint32, n)
    289 		expandKey(tt.key, enc, dec)
    290 		out := make([]byte, len(tt.in))
    291 		encryptBlock(enc, out, tt.in)
    292 		for j, v := range out {
    293 			if v != tt.out[j] {
    294 				t.Errorf("encryptBlock %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j])
    295 				break
    296 			}
    297 		}
    298 	}
    299 }
    300 
    301 // Test decryptBlock against FIPS 197 examples.
    302 func TestDecryptBlock(t *testing.T) {
    303 	for i, tt := range encryptTests {
    304 		n := len(tt.key) + 28
    305 		enc := make([]uint32, n)
    306 		dec := make([]uint32, n)
    307 		expandKey(tt.key, enc, dec)
    308 		plain := make([]byte, len(tt.in))
    309 		decryptBlock(dec, plain, tt.out)
    310 		for j, v := range plain {
    311 			if v != tt.in[j] {
    312 				t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j])
    313 				break
    314 			}
    315 		}
    316 	}
    317 }
    318 
    319 // Test Cipher Encrypt method against FIPS 197 examples.
    320 func TestCipherEncrypt(t *testing.T) {
    321 	for i, tt := range encryptTests {
    322 		c, err := NewCipher(tt.key)
    323 		if err != nil {
    324 			t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err)
    325 			continue
    326 		}
    327 		out := make([]byte, len(tt.in))
    328 		c.Encrypt(out, tt.in)
    329 		for j, v := range out {
    330 			if v != tt.out[j] {
    331 				t.Errorf("Cipher.Encrypt %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j])
    332 				break
    333 			}
    334 		}
    335 	}
    336 }
    337 
    338 // Test Cipher Decrypt against FIPS 197 examples.
    339 func TestCipherDecrypt(t *testing.T) {
    340 	for i, tt := range encryptTests {
    341 		c, err := NewCipher(tt.key)
    342 		if err != nil {
    343 			t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err)
    344 			continue
    345 		}
    346 		plain := make([]byte, len(tt.in))
    347 		c.Decrypt(plain, tt.out)
    348 		for j, v := range plain {
    349 			if v != tt.in[j] {
    350 				t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j])
    351 				break
    352 			}
    353 		}
    354 	}
    355 }
    356 
    357 // Test short input/output.
    358 // Assembly used to not notice.
    359 // See issue 7928.
    360 func TestShortBlocks(t *testing.T) {
    361 	bytes := func(n int) []byte { return make([]byte, n) }
    362 
    363 	c, _ := NewCipher(bytes(16))
    364 
    365 	mustPanic(t, "crypto/aes: input not full block", func() { c.Encrypt(bytes(1), bytes(1)) })
    366 	mustPanic(t, "crypto/aes: input not full block", func() { c.Decrypt(bytes(1), bytes(1)) })
    367 	mustPanic(t, "crypto/aes: input not full block", func() { c.Encrypt(bytes(100), bytes(1)) })
    368 	mustPanic(t, "crypto/aes: input not full block", func() { c.Decrypt(bytes(100), bytes(1)) })
    369 	mustPanic(t, "crypto/aes: output not full block", func() { c.Encrypt(bytes(1), bytes(100)) })
    370 	mustPanic(t, "crypto/aes: output not full block", func() { c.Decrypt(bytes(1), bytes(100)) })
    371 }
    372 
    373 func mustPanic(t *testing.T, msg string, f func()) {
    374 	defer func() {
    375 		err := recover()
    376 		if err == nil {
    377 			t.Errorf("function did not panic, wanted %q", msg)
    378 		} else if err != msg {
    379 			t.Errorf("got panic %v, wanted %q", err, msg)
    380 		}
    381 	}()
    382 	f()
    383 }
    384 
    385 func BenchmarkEncrypt(b *testing.B) {
    386 	tt := encryptTests[0]
    387 	c, err := NewCipher(tt.key)
    388 	if err != nil {
    389 		b.Fatal("NewCipher:", err)
    390 	}
    391 	out := make([]byte, len(tt.in))
    392 	b.SetBytes(int64(len(out)))
    393 	b.ResetTimer()
    394 	for i := 0; i < b.N; i++ {
    395 		c.Encrypt(out, tt.in)
    396 	}
    397 }
    398 
    399 func BenchmarkDecrypt(b *testing.B) {
    400 	tt := encryptTests[0]
    401 	c, err := NewCipher(tt.key)
    402 	if err != nil {
    403 		b.Fatal("NewCipher:", err)
    404 	}
    405 	out := make([]byte, len(tt.out))
    406 	b.SetBytes(int64(len(out)))
    407 	b.ResetTimer()
    408 	for i := 0; i < b.N; i++ {
    409 		c.Decrypt(out, tt.out)
    410 	}
    411 }
    412 
    413 func BenchmarkExpand(b *testing.B) {
    414 	tt := encryptTests[0]
    415 	n := len(tt.key) + 28
    416 	c := &aesCipher{make([]uint32, n), make([]uint32, n)}
    417 	b.ResetTimer()
    418 	for i := 0; i < b.N; i++ {
    419 		expandKey(tt.key, c.enc, c.dec)
    420 	}
    421 }
    422