michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #include michael@0: #include michael@0: #include michael@0: michael@0: #include "pk11pub.h" michael@0: #include "secerr.h" michael@0: #include "nss.h" michael@0: michael@0: static SECStatus michael@0: hex_to_byteval(const char *c2, unsigned char *byteval) michael@0: { michael@0: int i; michael@0: unsigned char offset; michael@0: *byteval = 0; michael@0: for (i=0; i<2; i++) { michael@0: if (c2[i] >= '0' && c2[i] <= '9') { michael@0: offset = c2[i] - '0'; michael@0: *byteval |= offset << 4*(1-i); michael@0: } else if (c2[i] >= 'a' && c2[i] <= 'f') { michael@0: offset = c2[i] - 'a'; michael@0: *byteval |= (offset + 10) << 4*(1-i); michael@0: } else if (c2[i] >= 'A' && c2[i] <= 'F') { michael@0: offset = c2[i] - 'A'; michael@0: *byteval |= (offset + 10) << 4*(1-i); michael@0: } else { michael@0: return SECFailure; michael@0: } michael@0: } michael@0: return SECSuccess; michael@0: } michael@0: michael@0: static SECStatus michael@0: aes_encrypt_buf( michael@0: const unsigned char *key, unsigned int keysize, michael@0: const unsigned char *iv, unsigned int ivsize, michael@0: unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen, michael@0: const unsigned char *input, unsigned int inputlen, michael@0: const unsigned char *aad, unsigned int aadlen, unsigned int tagsize) michael@0: { michael@0: SECStatus rv = SECFailure; michael@0: SECItem key_item; michael@0: PK11SlotInfo* slot = NULL; michael@0: PK11SymKey *symKey = NULL; michael@0: CK_GCM_PARAMS gcm_params; michael@0: SECItem param; michael@0: michael@0: /* Import key into NSS. */ michael@0: key_item.type = siBuffer; michael@0: key_item.data = (unsigned char *) key; /* const cast */ michael@0: key_item.len = keysize; michael@0: slot = PK11_GetInternalSlot(); michael@0: symKey = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap, michael@0: CKA_ENCRYPT, &key_item, NULL); michael@0: PK11_FreeSlot(slot); michael@0: slot = NULL; michael@0: if (!symKey) { michael@0: fprintf(stderr, "PK11_ImportSymKey failed\n"); michael@0: goto loser; michael@0: } michael@0: michael@0: gcm_params.pIv = (unsigned char *) iv; /* const cast */ michael@0: gcm_params.ulIvLen = ivsize; michael@0: gcm_params.pAAD = (unsigned char *) aad; /* const cast */ michael@0: gcm_params.ulAADLen = aadlen; michael@0: gcm_params.ulTagBits = tagsize * 8; michael@0: michael@0: param.type = siBuffer; michael@0: param.data = (unsigned char *) &gcm_params; michael@0: param.len = sizeof(gcm_params); michael@0: michael@0: if (PK11_Encrypt(symKey, CKM_AES_GCM, ¶m, michael@0: output, outputlen, maxoutputlen, michael@0: input, inputlen) != SECSuccess) { michael@0: fprintf(stderr, "PK11_Encrypt failed\n"); michael@0: goto loser; michael@0: } michael@0: michael@0: rv = SECSuccess; michael@0: michael@0: loser: michael@0: if (symKey != NULL) { michael@0: PK11_FreeSymKey(symKey); michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: static SECStatus michael@0: aes_decrypt_buf( michael@0: const unsigned char *key, unsigned int keysize, michael@0: const unsigned char *iv, unsigned int ivsize, michael@0: unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen, michael@0: const unsigned char *input, unsigned int inputlen, michael@0: const unsigned char *aad, unsigned int aadlen, michael@0: const unsigned char *tag, unsigned int tagsize) michael@0: { michael@0: SECStatus rv = SECFailure; michael@0: unsigned char concatenated[11*16]; /* 1 to 11 blocks */ michael@0: SECItem key_item; michael@0: PK11SlotInfo *slot = NULL; michael@0: PK11SymKey *symKey = NULL; michael@0: CK_GCM_PARAMS gcm_params; michael@0: SECItem param; michael@0: michael@0: if (inputlen + tagsize > sizeof(concatenated)) { michael@0: fprintf(stderr, "aes_decrypt_buf: local buffer too small\n"); michael@0: goto loser; michael@0: } michael@0: memcpy(concatenated, input, inputlen); michael@0: memcpy(concatenated + inputlen, tag, tagsize); michael@0: michael@0: /* Import key into NSS. */ michael@0: key_item.type = siBuffer; michael@0: key_item.data = (unsigned char *) key; /* const cast */ michael@0: key_item.len = keysize; michael@0: slot = PK11_GetInternalSlot(); michael@0: symKey = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap, michael@0: CKA_DECRYPT, &key_item, NULL); michael@0: PK11_FreeSlot(slot); michael@0: slot = NULL; michael@0: if (!symKey) { michael@0: fprintf(stderr, "PK11_ImportSymKey failed\n"); michael@0: goto loser; michael@0: } michael@0: michael@0: gcm_params.pIv = (unsigned char *) iv; michael@0: gcm_params.ulIvLen = ivsize; michael@0: gcm_params.pAAD = (unsigned char *) aad; michael@0: gcm_params.ulAADLen = aadlen; michael@0: gcm_params.ulTagBits = tagsize * 8; michael@0: michael@0: param.type = siBuffer; michael@0: param.data = (unsigned char *) &gcm_params; michael@0: param.len = sizeof(gcm_params); michael@0: michael@0: if (PK11_Decrypt(symKey, CKM_AES_GCM, ¶m, michael@0: output, outputlen, maxoutputlen, michael@0: concatenated, inputlen + tagsize) != SECSuccess) { michael@0: goto loser; michael@0: } michael@0: michael@0: rv = SECSuccess; michael@0: michael@0: loser: michael@0: if (symKey != NULL) { michael@0: PK11_FreeSymKey(symKey); michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: /* michael@0: * Perform the AES Known Answer Test (KAT) in Galois Counter Mode (GCM). michael@0: * michael@0: * respfn is the pathname of the RESPONSE file. michael@0: */ michael@0: static void michael@0: aes_gcm_kat(const char *respfn) michael@0: { michael@0: char buf[512]; /* holds one line from the input REQUEST file. michael@0: * needs to be large enough to hold the longest michael@0: * line "CIPHERTEXT = <320 hex digits>\n". michael@0: */ michael@0: FILE *aesresp; /* input stream from the RESPONSE file */ michael@0: int i, j; michael@0: unsigned int test_group = 0; michael@0: unsigned int num_tests; michael@0: PRBool is_encrypt; michael@0: unsigned char key[32]; /* 128, 192, or 256 bits */ michael@0: unsigned int keysize; michael@0: unsigned char iv[10*16]; /* 1 to 10 blocks */ michael@0: unsigned int ivsize; michael@0: unsigned char plaintext[10*16]; /* 1 to 10 blocks */ michael@0: unsigned int plaintextlen = 0; michael@0: unsigned char aad[10*16]; /* 1 to 10 blocks */ michael@0: unsigned int aadlen = 0; michael@0: unsigned char ciphertext[10*16]; /* 1 to 10 blocks */ michael@0: unsigned int ciphertextlen; michael@0: unsigned char tag[16]; michael@0: unsigned int tagsize; michael@0: unsigned char output[10*16]; /* 1 to 10 blocks */ michael@0: unsigned int outputlen; michael@0: michael@0: unsigned int expected_keylen = 0; michael@0: unsigned int expected_ivlen = 0; michael@0: unsigned int expected_ptlen = 0; michael@0: unsigned int expected_aadlen = 0; michael@0: unsigned int expected_taglen = 0; michael@0: SECStatus rv; michael@0: michael@0: if (strstr(respfn, "Encrypt") != NULL) { michael@0: is_encrypt = PR_TRUE; michael@0: } else if (strstr(respfn, "Decrypt") != NULL) { michael@0: is_encrypt = PR_FALSE; michael@0: } else { michael@0: fprintf(stderr, "Input file name must contain Encrypt or Decrypt\n"); michael@0: exit(1); michael@0: } michael@0: aesresp = fopen(respfn, "r"); michael@0: if (aesresp == NULL) { michael@0: fprintf(stderr, "Cannot open input file %s\n", respfn); michael@0: exit(1); michael@0: } michael@0: while (fgets(buf, sizeof buf, aesresp) != NULL) { michael@0: /* a comment or blank line */ michael@0: if (buf[0] == '#' || buf[0] == '\n') { michael@0: continue; michael@0: } michael@0: /* [Keylen = ...], [IVlen = ...], etc. */ michael@0: if (buf[0] == '[') { michael@0: if (strncmp(&buf[1], "Keylen = ", 9) == 0) { michael@0: expected_keylen = atoi(&buf[10]); michael@0: } else if (strncmp(&buf[1], "IVlen = ", 8) == 0) { michael@0: expected_ivlen = atoi(&buf[9]); michael@0: } else if (strncmp(&buf[1], "PTlen = ", 8) == 0) { michael@0: expected_ptlen = atoi(&buf[9]); michael@0: } else if (strncmp(&buf[1], "AADlen = ", 9) == 0) { michael@0: expected_aadlen = atoi(&buf[10]); michael@0: } else if (strncmp(&buf[1], "Taglen = ", 9) == 0) { michael@0: expected_taglen = atoi(&buf[10]); michael@0: michael@0: test_group++; michael@0: if (test_group > 1) { michael@0: /* Report num_tests for the previous test group. */ michael@0: printf("%u tests\n", num_tests); michael@0: } michael@0: num_tests = 0; michael@0: printf("Keylen = %u, IVlen = %u, PTlen = %u, AADlen = %u, " michael@0: "Taglen = %u: ", expected_keylen, expected_ivlen, michael@0: expected_ptlen, expected_aadlen, expected_taglen); michael@0: /* Convert lengths in bits to lengths in bytes. */ michael@0: PORT_Assert(expected_keylen % 8 == 0); michael@0: expected_keylen /= 8; michael@0: PORT_Assert(expected_ivlen % 8 == 0); michael@0: expected_ivlen /= 8; michael@0: PORT_Assert(expected_ptlen % 8 == 0); michael@0: expected_ptlen /= 8; michael@0: PORT_Assert(expected_aadlen % 8 == 0); michael@0: expected_aadlen /= 8; michael@0: PORT_Assert(expected_taglen % 8 == 0); michael@0: expected_taglen /= 8; michael@0: } else { michael@0: fprintf(stderr, "Unexpected input line: %s\n", buf); michael@0: exit(1); michael@0: } michael@0: continue; michael@0: } michael@0: /* "Count = x" begins a new data set */ michael@0: if (strncmp(buf, "Count", 5) == 0) { michael@0: /* zeroize the variables for the test with this data set */ michael@0: memset(key, 0, sizeof key); michael@0: keysize = 0; michael@0: memset(iv, 0, sizeof iv); michael@0: ivsize = 0; michael@0: memset(plaintext, 0, sizeof plaintext); michael@0: plaintextlen = 0; michael@0: memset(aad, 0, sizeof aad); michael@0: aadlen = 0; michael@0: memset(ciphertext, 0, sizeof ciphertext); michael@0: ciphertextlen = 0; michael@0: memset(output, 0, sizeof output); michael@0: outputlen = 0; michael@0: num_tests++; michael@0: continue; michael@0: } michael@0: /* Key = ... */ michael@0: if (strncmp(buf, "Key", 3) == 0) { michael@0: i = 3; michael@0: while (isspace(buf[i]) || buf[i] == '=') { michael@0: i++; michael@0: } michael@0: for (j=0; isxdigit(buf[i]); i+=2,j++) { michael@0: hex_to_byteval(&buf[i], &key[j]); michael@0: } michael@0: keysize = j; michael@0: if (keysize != expected_keylen) { michael@0: fprintf(stderr, "Unexpected key length: %u vs. %u\n", michael@0: keysize, expected_keylen); michael@0: exit(1); michael@0: } michael@0: continue; michael@0: } michael@0: /* IV = ... */ michael@0: if (strncmp(buf, "IV", 2) == 0) { michael@0: i = 2; michael@0: while (isspace(buf[i]) || buf[i] == '=') { michael@0: i++; michael@0: } michael@0: for (j=0; isxdigit(buf[i]); i+=2,j++) { michael@0: hex_to_byteval(&buf[i], &iv[j]); michael@0: } michael@0: ivsize = j; michael@0: if (ivsize != expected_ivlen) { michael@0: fprintf(stderr, "Unexpected IV length: %u vs. %u\n", michael@0: ivsize, expected_ivlen); michael@0: exit(1); michael@0: } michael@0: continue; michael@0: } michael@0: /* PT = ... */ michael@0: if (strncmp(buf, "PT", 2) == 0) { michael@0: i = 2; michael@0: while (isspace(buf[i]) || buf[i] == '=') { michael@0: i++; michael@0: } michael@0: for (j=0; isxdigit(buf[i]); i+=2,j++) { michael@0: hex_to_byteval(&buf[i], &plaintext[j]); michael@0: } michael@0: plaintextlen = j; michael@0: if (plaintextlen != expected_ptlen) { michael@0: fprintf(stderr, "Unexpected PT length: %u vs. %u\n", michael@0: plaintextlen, expected_ptlen); michael@0: exit(1); michael@0: } michael@0: michael@0: if (!is_encrypt) { michael@0: rv = aes_decrypt_buf(key, keysize, iv, ivsize, michael@0: output, &outputlen, sizeof output, michael@0: ciphertext, ciphertextlen, aad, aadlen, tag, tagsize); michael@0: if (rv != SECSuccess) { michael@0: fprintf(stderr, "aes_decrypt_buf failed\n"); michael@0: goto loser; michael@0: } michael@0: if (outputlen != plaintextlen) { michael@0: fprintf(stderr, "aes_decrypt_buf: wrong output size\n"); michael@0: goto loser; michael@0: } michael@0: if (memcmp(output, plaintext, plaintextlen) != 0) { michael@0: fprintf(stderr, "aes_decrypt_buf: wrong plaintext\n"); michael@0: goto loser; michael@0: } michael@0: } michael@0: continue; michael@0: } michael@0: /* FAIL */ michael@0: if (strncmp(buf, "FAIL", 4) == 0) { michael@0: plaintextlen = 0; michael@0: michael@0: PORT_Assert(!is_encrypt); michael@0: rv = aes_decrypt_buf(key, keysize, iv, ivsize, michael@0: output, &outputlen, sizeof output, michael@0: ciphertext, ciphertextlen, aad, aadlen, tag, tagsize); michael@0: if (rv != SECFailure) { michael@0: fprintf(stderr, "aes_decrypt_buf succeeded unexpectedly\n"); michael@0: goto loser; michael@0: } michael@0: if (PORT_GetError() != SEC_ERROR_BAD_DATA) { michael@0: fprintf(stderr, "aes_decrypt_buf failed with incorrect " michael@0: "error code\n"); michael@0: goto loser; michael@0: } michael@0: continue; michael@0: } michael@0: /* AAD = ... */ michael@0: if (strncmp(buf, "AAD", 3) == 0) { michael@0: i = 3; michael@0: while (isspace(buf[i]) || buf[i] == '=') { michael@0: i++; michael@0: } michael@0: for (j=0; isxdigit(buf[i]); i+=2,j++) { michael@0: hex_to_byteval(&buf[i], &aad[j]); michael@0: } michael@0: aadlen = j; michael@0: if (aadlen != expected_aadlen) { michael@0: fprintf(stderr, "Unexpected AAD length: %u vs. %u\n", michael@0: aadlen, expected_aadlen); michael@0: exit(1); michael@0: } michael@0: continue; michael@0: } michael@0: /* CT = ... */ michael@0: if (strncmp(buf, "CT", 2) == 0) { michael@0: i = 2; michael@0: while (isspace(buf[i]) || buf[i] == '=') { michael@0: i++; michael@0: } michael@0: for (j=0; isxdigit(buf[i]); i+=2,j++) { michael@0: hex_to_byteval(&buf[i], &ciphertext[j]); michael@0: } michael@0: ciphertextlen = j; michael@0: if (ciphertextlen != expected_ptlen) { michael@0: fprintf(stderr, "Unexpected CT length: %u vs. %u\n", michael@0: ciphertextlen, expected_ptlen); michael@0: exit(1); michael@0: } michael@0: continue; michael@0: } michael@0: /* Tag = ... */ michael@0: if (strncmp(buf, "Tag", 3) == 0) { michael@0: i = 3; michael@0: while (isspace(buf[i]) || buf[i] == '=') { michael@0: i++; michael@0: } michael@0: for (j=0; isxdigit(buf[i]); i+=2,j++) { michael@0: hex_to_byteval(&buf[i], &tag[j]); michael@0: } michael@0: tagsize = j; michael@0: if (tagsize != expected_taglen) { michael@0: fprintf(stderr, "Unexpected tag length: %u vs. %u\n", michael@0: tagsize, expected_taglen); michael@0: exit(1); michael@0: } michael@0: michael@0: if (is_encrypt) { michael@0: rv = aes_encrypt_buf(key, keysize, iv, ivsize, michael@0: output, &outputlen, sizeof output, michael@0: plaintext, plaintextlen, aad, aadlen, tagsize); michael@0: if (rv != SECSuccess) { michael@0: fprintf(stderr, "aes_encrypt_buf failed\n"); michael@0: goto loser; michael@0: } michael@0: if (outputlen != plaintextlen + tagsize) { michael@0: fprintf(stderr, "aes_encrypt_buf: wrong output size\n"); michael@0: goto loser; michael@0: } michael@0: if (memcmp(output, ciphertext, plaintextlen) != 0) { michael@0: fprintf(stderr, "aes_encrypt_buf: wrong ciphertext\n"); michael@0: goto loser; michael@0: } michael@0: if (memcmp(output + plaintextlen, tag, tagsize) != 0) { michael@0: fprintf(stderr, "aes_encrypt_buf: wrong tag\n"); michael@0: goto loser; michael@0: } michael@0: } michael@0: continue; michael@0: } michael@0: } michael@0: /* Report num_tests for the last test group. */ michael@0: printf("%u tests\n", num_tests); michael@0: printf("%u test groups\n", test_group); michael@0: printf("PASS\n"); michael@0: loser: michael@0: fclose(aesresp); michael@0: } michael@0: michael@0: int main(int argc, char **argv) michael@0: { michael@0: if (argc < 2) exit(1); michael@0: michael@0: NSS_NoDB_Init(NULL); michael@0: michael@0: /*************/ michael@0: /* AES */ michael@0: /*************/ michael@0: if (strcmp(argv[1], "aes") == 0) { michael@0: /* argv[2]=kat argv[3]=gcm argv[4]=.rsp */ michael@0: if (strcmp(argv[2], "kat") == 0) { michael@0: /* Known Answer Test (KAT) */ michael@0: aes_gcm_kat(argv[4]); michael@0: } michael@0: } michael@0: michael@0: NSS_Shutdown(); michael@0: return 0; michael@0: }