1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package aes 6 7 import ( 8 "testing" 9 ) 10 11 // See const.go for overview of math here. 12 13 // Test that powx is initialized correctly. 14 // (Can adapt this code to generate it too.) 15 func TestPowx(t *testing.T) { 16 p := 1 17 for i := 0; i < len(powx); i++ { 18 if powx[i] != byte(p) { 19 t.Errorf("powx[%d] = %#x, want %#x", i, powx[i], p) 20 } 21 p <<= 1 22 if p&0x100 != 0 { 23 p ^= poly 24 } 25 } 26 } 27 28 // Multiply b and c as GF(2) polynomials modulo poly 29 func mul(b, c uint32) uint32 { 30 i := b 31 j := c 32 s := uint32(0) 33 for k := uint32(1); k < 0x100 && j != 0; k <<= 1 { 34 // Invariant: k == 1<<n, i == b * x 35 36 if j&k != 0 { 37 // s += i in GF(2); xor in binary 38 s ^= i 39 j ^= k // turn off bit to end loop early 40 } 41 42 // i *= x in GF(2) modulo the polynomial 43 i <<= 1 44 if i&0x100 != 0 { 45 i ^= poly 46 } 47 } 48 return s 49 } 50 51 // Test all mul inputs against bit-by-bit n algorithm. 52 func TestMul(t *testing.T) { 53 for i := uint32(0); i < 256; i++ { 54 for j := uint32(0); j < 256; j++ { 55 // Multiply i, j bit by bit. 56 s := uint8(0) 57 for k := uint(0); k < 8; k++ { 58 for l := uint(0); l < 8; l++ { 59 if i&(1<<k) != 0 && j&(1<<l) != 0 { 60 s ^= powx[k+l] 61 } 62 } 63 } 64 if x := mul(i, j); x != uint32(s) { 65 t.Fatalf("mul(%#x, %#x) = %#x, want %#x", i, j, x, s) 66 } 67 } 68 } 69 } 70 71 // Check that S-boxes are inverses of each other. 72 // They have more structure that we could test, 73 // but if this sanity check passes, we'll assume 74 // the cut and paste from the FIPS PDF worked. 75 func TestSboxes(t *testing.T) { 76 for i := 0; i < 256; i++ { 77 if j := sbox0[sbox1[i]]; j != byte(i) { 78 t.Errorf("sbox0[sbox1[%#x]] = %#x", i, j) 79 } 80 if j := sbox1[sbox0[i]]; j != byte(i) { 81 t.Errorf("sbox1[sbox0[%#x]] = %#x", i, j) 82 } 83 } 84 } 85 86 // Test that encryption tables are correct. 87 // (Can adapt this code to generate them too.) 88 func TestTe(t *testing.T) { 89 for i := 0; i < 256; i++ { 90 s := uint32(sbox0[i]) 91 s2 := mul(s, 2) 92 s3 := mul(s, 3) 93 w := s2<<24 | s<<16 | s<<8 | s3 94 te := [][256]uint32{te0, te1, te2, te3} 95 for j := 0; j < 4; j++ { 96 if x := te[j][i]; x != w { 97 t.Fatalf("te[%d][%d] = %#x, want %#x", j, i, x, w) 98 } 99 w = w<<24 | w>>8 100 } 101 } 102 } 103 104 // Test that decryption tables are correct. 105 // (Can adapt this code to generate them too.) 106 func TestTd(t *testing.T) { 107 for i := 0; i < 256; i++ { 108 s := uint32(sbox1[i]) 109 s9 := mul(s, 0x9) 110 sb := mul(s, 0xb) 111 sd := mul(s, 0xd) 112 se := mul(s, 0xe) 113 w := se<<24 | s9<<16 | sd<<8 | sb 114 td := [][256]uint32{td0, td1, td2, td3} 115 for j := 0; j < 4; j++ { 116 if x := td[j][i]; x != w { 117 t.Fatalf("td[%d][%d] = %#x, want %#x", j, i, x, w) 118 } 119 w = w<<24 | w>>8 120 } 121 } 122 } 123 124 // Test vectors are from FIPS 197: 125 // http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf 126 127 // Appendix A of FIPS 197: Key expansion examples 128 type KeyTest struct { 129 key []byte 130 enc []uint32 131 dec []uint32 // decryption expansion; not in FIPS 197, computed from C implementation. 132 } 133 134 var keyTests = []KeyTest{ 135 { 136 // A.1. Expansion of a 128-bit Cipher Key 137 []byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}, 138 []uint32{ 139 0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c, 140 0xa0fafe17, 0x88542cb1, 0x23a33939, 0x2a6c7605, 141 0xf2c295f2, 0x7a96b943, 0x5935807a, 0x7359f67f, 142 0x3d80477d, 0x4716fe3e, 0x1e237e44, 0x6d7a883b, 143 0xef44a541, 0xa8525b7f, 0xb671253b, 0xdb0bad00, 144 0xd4d1c6f8, 0x7c839d87, 0xcaf2b8bc, 0x11f915bc, 145 0x6d88a37a, 0x110b3efd, 0xdbf98641, 0xca0093fd, 146 0x4e54f70e, 0x5f5fc9f3, 0x84a64fb2, 0x4ea6dc4f, 147 0xead27321, 0xb58dbad2, 0x312bf560, 0x7f8d292f, 148 0xac7766f3, 0x19fadc21, 0x28d12941, 0x575c006e, 149 0xd014f9a8, 0xc9ee2589, 0xe13f0cc8, 0xb6630ca6, 150 }, 151 []uint32{ 152 0xd014f9a8, 0xc9ee2589, 0xe13f0cc8, 0xb6630ca6, 153 0xc7b5a63, 0x1319eafe, 0xb0398890, 0x664cfbb4, 154 0xdf7d925a, 0x1f62b09d, 0xa320626e, 0xd6757324, 155 0x12c07647, 0xc01f22c7, 0xbc42d2f3, 0x7555114a, 156 0x6efcd876, 0xd2df5480, 0x7c5df034, 0xc917c3b9, 157 0x6ea30afc, 0xbc238cf6, 0xae82a4b4, 0xb54a338d, 158 0x90884413, 0xd280860a, 0x12a12842, 0x1bc89739, 159 0x7c1f13f7, 0x4208c219, 0xc021ae48, 0x969bf7b, 160 0xcc7505eb, 0x3e17d1ee, 0x82296c51, 0xc9481133, 161 0x2b3708a7, 0xf262d405, 0xbc3ebdbf, 0x4b617d62, 162 0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x9cf4f3c, 163 }, 164 }, 165 { 166 // A.2. Expansion of a 192-bit Cipher Key 167 []byte{ 168 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, 169 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b, 170 }, 171 []uint32{ 172 0x8e73b0f7, 0xda0e6452, 0xc810f32b, 0x809079e5, 173 0x62f8ead2, 0x522c6b7b, 0xfe0c91f7, 0x2402f5a5, 174 0xec12068e, 0x6c827f6b, 0x0e7a95b9, 0x5c56fec2, 175 0x4db7b4bd, 0x69b54118, 0x85a74796, 0xe92538fd, 176 0xe75fad44, 0xbb095386, 0x485af057, 0x21efb14f, 177 0xa448f6d9, 0x4d6dce24, 0xaa326360, 0x113b30e6, 178 0xa25e7ed5, 0x83b1cf9a, 0x27f93943, 0x6a94f767, 179 0xc0a69407, 0xd19da4e1, 0xec1786eb, 0x6fa64971, 180 0x485f7032, 0x22cb8755, 0xe26d1352, 0x33f0b7b3, 181 0x40beeb28, 0x2f18a259, 0x6747d26b, 0x458c553e, 182 0xa7e1466c, 0x9411f1df, 0x821f750a, 0xad07d753, 183 0xca400538, 0x8fcc5006, 0x282d166a, 0xbc3ce7b5, 184 0xe98ba06f, 0x448c773c, 0x8ecc7204, 0x01002202, 185 }, 186 nil, 187 }, 188 { 189 // A.3. Expansion of a 256-bit Cipher Key 190 []byte{ 191 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, 192 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4, 193 }, 194 []uint32{ 195 0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781, 196 0x1f352c07, 0x3b6108d7, 0x2d9810a3, 0x0914dff4, 197 0x9ba35411, 0x8e6925af, 0xa51a8b5f, 0x2067fcde, 198 0xa8b09c1a, 0x93d194cd, 0xbe49846e, 0xb75d5b9a, 199 0xd59aecb8, 0x5bf3c917, 0xfee94248, 0xde8ebe96, 200 0xb5a9328a, 0x2678a647, 0x98312229, 0x2f6c79b3, 201 0x812c81ad, 0xdadf48ba, 0x24360af2, 0xfab8b464, 202 0x98c5bfc9, 0xbebd198e, 0x268c3ba7, 0x09e04214, 203 0x68007bac, 0xb2df3316, 0x96e939e4, 0x6c518d80, 204 0xc814e204, 0x76a9fb8a, 0x5025c02d, 0x59c58239, 205 0xde136967, 0x6ccc5a71, 0xfa256395, 0x9674ee15, 206 0x5886ca5d, 0x2e2f31d7, 0x7e0af1fa, 0x27cf73c3, 207 0x749c47ab, 0x18501dda, 0xe2757e4f, 0x7401905a, 208 0xcafaaae3, 0xe4d59b34, 0x9adf6ace, 0xbd10190d, 209 0xfe4890d1, 0xe6188d0b, 0x046df344, 0x706c631e, 210 }, 211 nil, 212 }, 213 } 214 215 // Test key expansion against FIPS 197 examples. 216 func TestExpandKey(t *testing.T) { 217 L: 218 for i, tt := range keyTests { 219 enc := make([]uint32, len(tt.enc)) 220 var dec []uint32 221 if tt.dec != nil { 222 dec = make([]uint32, len(tt.dec)) 223 } 224 // This test could only test Go version of expandKey because asm 225 // version might use different memory layout for expanded keys 226 // This is OK because we don't expose expanded keys to the outside 227 expandKeyGo(tt.key, enc, dec) 228 for j, v := range enc { 229 if v != tt.enc[j] { 230 t.Errorf("key %d: enc[%d] = %#x, want %#x", i, j, v, tt.enc[j]) 231 continue L 232 } 233 } 234 if dec != nil { 235 for j, v := range dec { 236 if v != tt.dec[j] { 237 t.Errorf("key %d: dec[%d] = %#x, want %#x", i, j, v, tt.dec[j]) 238 continue L 239 } 240 } 241 } 242 } 243 } 244 245 // Appendix B, C of FIPS 197: Cipher examples, Example vectors. 246 type CryptTest struct { 247 key []byte 248 in []byte 249 out []byte 250 } 251 252 var encryptTests = []CryptTest{ 253 { 254 // Appendix B. 255 []byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}, 256 []byte{0x32, 0x43, 0xf6, 0xa8, 0x88, 0x5a, 0x30, 0x8d, 0x31, 0x31, 0x98, 0xa2, 0xe0, 0x37, 0x07, 0x34}, 257 []byte{0x39, 0x25, 0x84, 0x1d, 0x02, 0xdc, 0x09, 0xfb, 0xdc, 0x11, 0x85, 0x97, 0x19, 0x6a, 0x0b, 0x32}, 258 }, 259 { 260 // Appendix C.1. AES-128 261 []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 262 []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}, 263 []byte{0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30, 0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a}, 264 }, 265 { 266 // Appendix C.2. AES-192 267 []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 268 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 269 }, 270 []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}, 271 []byte{0xdd, 0xa9, 0x7c, 0xa4, 0x86, 0x4c, 0xdf, 0xe0, 0x6e, 0xaf, 0x70, 0xa0, 0xec, 0x0d, 0x71, 0x91}, 272 }, 273 { 274 // Appendix C.3. AES-256 275 []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 276 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 277 }, 278 []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}, 279 []byte{0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf, 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89}, 280 }, 281 } 282 283 // Test encryptBlock against FIPS 197 examples. 284 func TestEncryptBlock(t *testing.T) { 285 for i, tt := range encryptTests { 286 n := len(tt.key) + 28 287 enc := make([]uint32, n) 288 dec := make([]uint32, n) 289 expandKey(tt.key, enc, dec) 290 out := make([]byte, len(tt.in)) 291 encryptBlock(enc, out, tt.in) 292 for j, v := range out { 293 if v != tt.out[j] { 294 t.Errorf("encryptBlock %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j]) 295 break 296 } 297 } 298 } 299 } 300 301 // Test decryptBlock against FIPS 197 examples. 302 func TestDecryptBlock(t *testing.T) { 303 for i, tt := range encryptTests { 304 n := len(tt.key) + 28 305 enc := make([]uint32, n) 306 dec := make([]uint32, n) 307 expandKey(tt.key, enc, dec) 308 plain := make([]byte, len(tt.in)) 309 decryptBlock(dec, plain, tt.out) 310 for j, v := range plain { 311 if v != tt.in[j] { 312 t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j]) 313 break 314 } 315 } 316 } 317 } 318 319 // Test Cipher Encrypt method against FIPS 197 examples. 320 func TestCipherEncrypt(t *testing.T) { 321 for i, tt := range encryptTests { 322 c, err := NewCipher(tt.key) 323 if err != nil { 324 t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err) 325 continue 326 } 327 out := make([]byte, len(tt.in)) 328 c.Encrypt(out, tt.in) 329 for j, v := range out { 330 if v != tt.out[j] { 331 t.Errorf("Cipher.Encrypt %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j]) 332 break 333 } 334 } 335 } 336 } 337 338 // Test Cipher Decrypt against FIPS 197 examples. 339 func TestCipherDecrypt(t *testing.T) { 340 for i, tt := range encryptTests { 341 c, err := NewCipher(tt.key) 342 if err != nil { 343 t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err) 344 continue 345 } 346 plain := make([]byte, len(tt.in)) 347 c.Decrypt(plain, tt.out) 348 for j, v := range plain { 349 if v != tt.in[j] { 350 t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j]) 351 break 352 } 353 } 354 } 355 } 356 357 // Test short input/output. 358 // Assembly used to not notice. 359 // See issue 7928. 360 func TestShortBlocks(t *testing.T) { 361 bytes := func(n int) []byte { return make([]byte, n) } 362 363 c, _ := NewCipher(bytes(16)) 364 365 mustPanic(t, "crypto/aes: input not full block", func() { c.Encrypt(bytes(1), bytes(1)) }) 366 mustPanic(t, "crypto/aes: input not full block", func() { c.Decrypt(bytes(1), bytes(1)) }) 367 mustPanic(t, "crypto/aes: input not full block", func() { c.Encrypt(bytes(100), bytes(1)) }) 368 mustPanic(t, "crypto/aes: input not full block", func() { c.Decrypt(bytes(100), bytes(1)) }) 369 mustPanic(t, "crypto/aes: output not full block", func() { c.Encrypt(bytes(1), bytes(100)) }) 370 mustPanic(t, "crypto/aes: output not full block", func() { c.Decrypt(bytes(1), bytes(100)) }) 371 } 372 373 func mustPanic(t *testing.T, msg string, f func()) { 374 defer func() { 375 err := recover() 376 if err == nil { 377 t.Errorf("function did not panic, wanted %q", msg) 378 } else if err != msg { 379 t.Errorf("got panic %v, wanted %q", err, msg) 380 } 381 }() 382 f() 383 } 384 385 func BenchmarkEncrypt(b *testing.B) { 386 tt := encryptTests[0] 387 c, err := NewCipher(tt.key) 388 if err != nil { 389 b.Fatal("NewCipher:", err) 390 } 391 out := make([]byte, len(tt.in)) 392 b.SetBytes(int64(len(out))) 393 b.ResetTimer() 394 for i := 0; i < b.N; i++ { 395 c.Encrypt(out, tt.in) 396 } 397 } 398 399 func BenchmarkDecrypt(b *testing.B) { 400 tt := encryptTests[0] 401 c, err := NewCipher(tt.key) 402 if err != nil { 403 b.Fatal("NewCipher:", err) 404 } 405 out := make([]byte, len(tt.out)) 406 b.SetBytes(int64(len(out))) 407 b.ResetTimer() 408 for i := 0; i < b.N; i++ { 409 c.Decrypt(out, tt.out) 410 } 411 } 412 413 func BenchmarkExpand(b *testing.B) { 414 tt := encryptTests[0] 415 n := len(tt.key) + 28 416 c := &aesCipher{make([]uint32, n), make([]uint32, n)} 417 b.ResetTimer() 418 for i := 0; i < b.N; i++ { 419 expandKey(tt.key, c.enc, c.dec) 420 } 421 } 422