...
Run Format

Source file src/crypto/aes/aes_test.go

Documentation: crypto/aes

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package aes
     6  
     7  import (
     8  	"testing"
     9  )
    10  
    11  // See const.go for overview of math here.
    12  
    13  // Test that powx is initialized correctly.
    14  // (Can adapt this code to generate it too.)
    15  func TestPowx(t *testing.T) {
    16  	p := 1
    17  	for i := 0; i < len(powx); i++ {
    18  		if powx[i] != byte(p) {
    19  			t.Errorf("powx[%d] = %#x, want %#x", i, powx[i], p)
    20  		}
    21  		p <<= 1
    22  		if p&0x100 != 0 {
    23  			p ^= poly
    24  		}
    25  	}
    26  }
    27  
    28  // Multiply b and c as GF(2) polynomials modulo poly
    29  func mul(b, c uint32) uint32 {
    30  	i := b
    31  	j := c
    32  	s := uint32(0)
    33  	for k := uint32(1); k < 0x100 && j != 0; k <<= 1 {
    34  		// Invariant: k == 1<<n, i == b * xⁿ
    35  
    36  		if j&k != 0 {
    37  			// s += i in GF(2); xor in binary
    38  			s ^= i
    39  			j ^= k // turn off bit to end loop early
    40  		}
    41  
    42  		// i *= x in GF(2) modulo the polynomial
    43  		i <<= 1
    44  		if i&0x100 != 0 {
    45  			i ^= poly
    46  		}
    47  	}
    48  	return s
    49  }
    50  
    51  // Test all mul inputs against bit-by-bit n² algorithm.
    52  func TestMul(t *testing.T) {
    53  	for i := uint32(0); i < 256; i++ {
    54  		for j := uint32(0); j < 256; j++ {
    55  			// Multiply i, j bit by bit.
    56  			s := uint8(0)
    57  			for k := uint(0); k < 8; k++ {
    58  				for l := uint(0); l < 8; l++ {
    59  					if i&(1<<k) != 0 && j&(1<<l) != 0 {
    60  						s ^= powx[k+l]
    61  					}
    62  				}
    63  			}
    64  			if x := mul(i, j); x != uint32(s) {
    65  				t.Fatalf("mul(%#x, %#x) = %#x, want %#x", i, j, x, s)
    66  			}
    67  		}
    68  	}
    69  }
    70  
    71  // Check that S-boxes are inverses of each other.
    72  // They have more structure that we could test,
    73  // but if this sanity check passes, we'll assume
    74  // the cut and paste from the FIPS PDF worked.
    75  func TestSboxes(t *testing.T) {
    76  	for i := 0; i < 256; i++ {
    77  		if j := sbox0[sbox1[i]]; j != byte(i) {
    78  			t.Errorf("sbox0[sbox1[%#x]] = %#x", i, j)
    79  		}
    80  		if j := sbox1[sbox0[i]]; j != byte(i) {
    81  			t.Errorf("sbox1[sbox0[%#x]] = %#x", i, j)
    82  		}
    83  	}
    84  }
    85  
    86  // Test that encryption tables are correct.
    87  // (Can adapt this code to generate them too.)
    88  func TestTe(t *testing.T) {
    89  	for i := 0; i < 256; i++ {
    90  		s := uint32(sbox0[i])
    91  		s2 := mul(s, 2)
    92  		s3 := mul(s, 3)
    93  		w := s2<<24 | s<<16 | s<<8 | s3
    94  		te := [][256]uint32{te0, te1, te2, te3}
    95  		for j := 0; j < 4; j++ {
    96  			if x := te[j][i]; x != w {
    97  				t.Fatalf("te[%d][%d] = %#x, want %#x", j, i, x, w)
    98  			}
    99  			w = w<<24 | w>>8
   100  		}
   101  	}
   102  }
   103  
   104  // Test that decryption tables are correct.
   105  // (Can adapt this code to generate them too.)
   106  func TestTd(t *testing.T) {
   107  	for i := 0; i < 256; i++ {
   108  		s := uint32(sbox1[i])
   109  		s9 := mul(s, 0x9)
   110  		sb := mul(s, 0xb)
   111  		sd := mul(s, 0xd)
   112  		se := mul(s, 0xe)
   113  		w := se<<24 | s9<<16 | sd<<8 | sb
   114  		td := [][256]uint32{td0, td1, td2, td3}
   115  		for j := 0; j < 4; j++ {
   116  			if x := td[j][i]; x != w {
   117  				t.Fatalf("td[%d][%d] = %#x, want %#x", j, i, x, w)
   118  			}
   119  			w = w<<24 | w>>8
   120  		}
   121  	}
   122  }
   123  
   124  // Test vectors are from FIPS 197:
   125  //	https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
   126  
   127  // Appendix A of FIPS 197: Key expansion examples
   128  type KeyTest struct {
   129  	key []byte
   130  	enc []uint32
   131  	dec []uint32 // decryption expansion; not in FIPS 197, computed from C implementation.
   132  }
   133  
   134  var keyTests = []KeyTest{
   135  	{
   136  		// A.1.  Expansion of a 128-bit Cipher Key
   137  		[]byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c},
   138  		[]uint32{
   139  			0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c,
   140  			0xa0fafe17, 0x88542cb1, 0x23a33939, 0x2a6c7605,
   141  			0xf2c295f2, 0x7a96b943, 0x5935807a, 0x7359f67f,
   142  			0x3d80477d, 0x4716fe3e, 0x1e237e44, 0x6d7a883b,
   143  			0xef44a541, 0xa8525b7f, 0xb671253b, 0xdb0bad00,
   144  			0xd4d1c6f8, 0x7c839d87, 0xcaf2b8bc, 0x11f915bc,
   145  			0x6d88a37a, 0x110b3efd, 0xdbf98641, 0xca0093fd,
   146  			0x4e54f70e, 0x5f5fc9f3, 0x84a64fb2, 0x4ea6dc4f,
   147  			0xead27321, 0xb58dbad2, 0x312bf560, 0x7f8d292f,
   148  			0xac7766f3, 0x19fadc21, 0x28d12941, 0x575c006e,
   149  			0xd014f9a8, 0xc9ee2589, 0xe13f0cc8, 0xb6630ca6,
   150  		},
   151  		[]uint32{
   152  			0xd014f9a8, 0xc9ee2589, 0xe13f0cc8, 0xb6630ca6,
   153  			0xc7b5a63, 0x1319eafe, 0xb0398890, 0x664cfbb4,
   154  			0xdf7d925a, 0x1f62b09d, 0xa320626e, 0xd6757324,
   155  			0x12c07647, 0xc01f22c7, 0xbc42d2f3, 0x7555114a,
   156  			0x6efcd876, 0xd2df5480, 0x7c5df034, 0xc917c3b9,
   157  			0x6ea30afc, 0xbc238cf6, 0xae82a4b4, 0xb54a338d,
   158  			0x90884413, 0xd280860a, 0x12a12842, 0x1bc89739,
   159  			0x7c1f13f7, 0x4208c219, 0xc021ae48, 0x969bf7b,
   160  			0xcc7505eb, 0x3e17d1ee, 0x82296c51, 0xc9481133,
   161  			0x2b3708a7, 0xf262d405, 0xbc3ebdbf, 0x4b617d62,
   162  			0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x9cf4f3c,
   163  		},
   164  	},
   165  	{
   166  		// A.2.  Expansion of a 192-bit Cipher Key
   167  		[]byte{
   168  			0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
   169  			0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b,
   170  		},
   171  		[]uint32{
   172  			0x8e73b0f7, 0xda0e6452, 0xc810f32b, 0x809079e5,
   173  			0x62f8ead2, 0x522c6b7b, 0xfe0c91f7, 0x2402f5a5,
   174  			0xec12068e, 0x6c827f6b, 0x0e7a95b9, 0x5c56fec2,
   175  			0x4db7b4bd, 0x69b54118, 0x85a74796, 0xe92538fd,
   176  			0xe75fad44, 0xbb095386, 0x485af057, 0x21efb14f,
   177  			0xa448f6d9, 0x4d6dce24, 0xaa326360, 0x113b30e6,
   178  			0xa25e7ed5, 0x83b1cf9a, 0x27f93943, 0x6a94f767,
   179  			0xc0a69407, 0xd19da4e1, 0xec1786eb, 0x6fa64971,
   180  			0x485f7032, 0x22cb8755, 0xe26d1352, 0x33f0b7b3,
   181  			0x40beeb28, 0x2f18a259, 0x6747d26b, 0x458c553e,
   182  			0xa7e1466c, 0x9411f1df, 0x821f750a, 0xad07d753,
   183  			0xca400538, 0x8fcc5006, 0x282d166a, 0xbc3ce7b5,
   184  			0xe98ba06f, 0x448c773c, 0x8ecc7204, 0x01002202,
   185  		},
   186  		nil,
   187  	},
   188  	{
   189  		// A.3.  Expansion of a 256-bit Cipher Key
   190  		[]byte{
   191  			0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
   192  			0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4,
   193  		},
   194  		[]uint32{
   195  			0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781,
   196  			0x1f352c07, 0x3b6108d7, 0x2d9810a3, 0x0914dff4,
   197  			0x9ba35411, 0x8e6925af, 0xa51a8b5f, 0x2067fcde,
   198  			0xa8b09c1a, 0x93d194cd, 0xbe49846e, 0xb75d5b9a,
   199  			0xd59aecb8, 0x5bf3c917, 0xfee94248, 0xde8ebe96,
   200  			0xb5a9328a, 0x2678a647, 0x98312229, 0x2f6c79b3,
   201  			0x812c81ad, 0xdadf48ba, 0x24360af2, 0xfab8b464,
   202  			0x98c5bfc9, 0xbebd198e, 0x268c3ba7, 0x09e04214,
   203  			0x68007bac, 0xb2df3316, 0x96e939e4, 0x6c518d80,
   204  			0xc814e204, 0x76a9fb8a, 0x5025c02d, 0x59c58239,
   205  			0xde136967, 0x6ccc5a71, 0xfa256395, 0x9674ee15,
   206  			0x5886ca5d, 0x2e2f31d7, 0x7e0af1fa, 0x27cf73c3,
   207  			0x749c47ab, 0x18501dda, 0xe2757e4f, 0x7401905a,
   208  			0xcafaaae3, 0xe4d59b34, 0x9adf6ace, 0xbd10190d,
   209  			0xfe4890d1, 0xe6188d0b, 0x046df344, 0x706c631e,
   210  		},
   211  		nil,
   212  	},
   213  }
   214  
   215  // Test key expansion against FIPS 197 examples.
   216  func TestExpandKey(t *testing.T) {
   217  L:
   218  	for i, tt := range keyTests {
   219  		enc := make([]uint32, len(tt.enc))
   220  		var dec []uint32
   221  		if tt.dec != nil {
   222  			dec = make([]uint32, len(tt.dec))
   223  		}
   224  		// This test could only test Go version of expandKey because asm
   225  		// version might use different memory layout for expanded keys
   226  		// This is OK because we don't expose expanded keys to the outside
   227  		expandKeyGo(tt.key, enc, dec)
   228  		for j, v := range enc {
   229  			if v != tt.enc[j] {
   230  				t.Errorf("key %d: enc[%d] = %#x, want %#x", i, j, v, tt.enc[j])
   231  				continue L
   232  			}
   233  		}
   234  		if dec != nil {
   235  			for j, v := range dec {
   236  				if v != tt.dec[j] {
   237  					t.Errorf("key %d: dec[%d] = %#x, want %#x", i, j, v, tt.dec[j])
   238  					continue L
   239  				}
   240  			}
   241  		}
   242  	}
   243  }
   244  
   245  // Appendix B, C of FIPS 197: Cipher examples, Example vectors.
   246  type CryptTest struct {
   247  	key []byte
   248  	in  []byte
   249  	out []byte
   250  }
   251  
   252  var encryptTests = []CryptTest{
   253  	{
   254  		// Appendix B.
   255  		[]byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c},
   256  		[]byte{0x32, 0x43, 0xf6, 0xa8, 0x88, 0x5a, 0x30, 0x8d, 0x31, 0x31, 0x98, 0xa2, 0xe0, 0x37, 0x07, 0x34},
   257  		[]byte{0x39, 0x25, 0x84, 0x1d, 0x02, 0xdc, 0x09, 0xfb, 0xdc, 0x11, 0x85, 0x97, 0x19, 0x6a, 0x0b, 0x32},
   258  	},
   259  	{
   260  		// Appendix C.1.  AES-128
   261  		[]byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f},
   262  		[]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff},
   263  		[]byte{0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30, 0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a},
   264  	},
   265  	{
   266  		// Appendix C.2.  AES-192
   267  		[]byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
   268  			0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
   269  		},
   270  		[]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff},
   271  		[]byte{0xdd, 0xa9, 0x7c, 0xa4, 0x86, 0x4c, 0xdf, 0xe0, 0x6e, 0xaf, 0x70, 0xa0, 0xec, 0x0d, 0x71, 0x91},
   272  	},
   273  	{
   274  		// Appendix C.3.  AES-256
   275  		[]byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
   276  			0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
   277  		},
   278  		[]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff},
   279  		[]byte{0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf, 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89},
   280  	},
   281  }
   282  
   283  // Test Cipher Encrypt method against FIPS 197 examples.
   284  func TestCipherEncrypt(t *testing.T) {
   285  	for i, tt := range encryptTests {
   286  		c, err := NewCipher(tt.key)
   287  		if err != nil {
   288  			t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err)
   289  			continue
   290  		}
   291  		out := make([]byte, len(tt.in))
   292  		c.Encrypt(out, tt.in)
   293  		for j, v := range out {
   294  			if v != tt.out[j] {
   295  				t.Errorf("Cipher.Encrypt %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j])
   296  				break
   297  			}
   298  		}
   299  	}
   300  }
   301  
   302  // Test Cipher Decrypt against FIPS 197 examples.
   303  func TestCipherDecrypt(t *testing.T) {
   304  	for i, tt := range encryptTests {
   305  		c, err := NewCipher(tt.key)
   306  		if err != nil {
   307  			t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err)
   308  			continue
   309  		}
   310  		plain := make([]byte, len(tt.in))
   311  		c.Decrypt(plain, tt.out)
   312  		for j, v := range plain {
   313  			if v != tt.in[j] {
   314  				t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j])
   315  				break
   316  			}
   317  		}
   318  	}
   319  }
   320  
   321  // Test short input/output.
   322  // Assembly used to not notice.
   323  // See issue 7928.
   324  func TestShortBlocks(t *testing.T) {
   325  	bytes := func(n int) []byte { return make([]byte, n) }
   326  
   327  	c, _ := NewCipher(bytes(16))
   328  
   329  	mustPanic(t, "crypto/aes: input not full block", func() { c.Encrypt(bytes(1), bytes(1)) })
   330  	mustPanic(t, "crypto/aes: input not full block", func() { c.Decrypt(bytes(1), bytes(1)) })
   331  	mustPanic(t, "crypto/aes: input not full block", func() { c.Encrypt(bytes(100), bytes(1)) })
   332  	mustPanic(t, "crypto/aes: input not full block", func() { c.Decrypt(bytes(100), bytes(1)) })
   333  	mustPanic(t, "crypto/aes: output not full block", func() { c.Encrypt(bytes(1), bytes(100)) })
   334  	mustPanic(t, "crypto/aes: output not full block", func() { c.Decrypt(bytes(1), bytes(100)) })
   335  }
   336  
   337  func mustPanic(t *testing.T, msg string, f func()) {
   338  	defer func() {
   339  		err := recover()
   340  		if err == nil {
   341  			t.Errorf("function did not panic, wanted %q", msg)
   342  		} else if err != msg {
   343  			t.Errorf("got panic %v, wanted %q", err, msg)
   344  		}
   345  	}()
   346  	f()
   347  }
   348  
   349  func BenchmarkEncrypt(b *testing.B) {
   350  	tt := encryptTests[0]
   351  	c, err := NewCipher(tt.key)
   352  	if err != nil {
   353  		b.Fatal("NewCipher:", err)
   354  	}
   355  	out := make([]byte, len(tt.in))
   356  	b.SetBytes(int64(len(out)))
   357  	b.ResetTimer()
   358  	for i := 0; i < b.N; i++ {
   359  		c.Encrypt(out, tt.in)
   360  	}
   361  }
   362  
   363  func BenchmarkDecrypt(b *testing.B) {
   364  	tt := encryptTests[0]
   365  	c, err := NewCipher(tt.key)
   366  	if err != nil {
   367  		b.Fatal("NewCipher:", err)
   368  	}
   369  	out := make([]byte, len(tt.out))
   370  	b.SetBytes(int64(len(out)))
   371  	b.ResetTimer()
   372  	for i := 0; i < b.N; i++ {
   373  		c.Decrypt(out, tt.out)
   374  	}
   375  }
   376  
   377  func BenchmarkExpand(b *testing.B) {
   378  	tt := encryptTests[0]
   379  	n := len(tt.key) + 28
   380  	c := &aesCipher{make([]uint32, n), make([]uint32, n)}
   381  	b.ResetTimer()
   382  	for i := 0; i < b.N; i++ {
   383  		expandKey(tt.key, c.enc, c.dec)
   384  	}
   385  }
   386  

View as plain text