diff options
author | Todd Short <tshort@akamai.com> | 2022-04-28 14:56:11 -0400 |
---|---|---|
committer | Todd Short <todd.short@me.com> | 2022-07-29 08:32:16 -0400 |
commit | 0113ec8460a918f8bc782130db8f75540b3b1ab2 (patch) | |
tree | 2e8c7100cd3be8c2a0cc32efed6330daf3f8395f /test | |
parent | dffafaf48174497a724d546c3483d2493fc9b64c (diff) | |
download | openssl-new-0113ec8460a918f8bc782130db8f75540b3b1ab2.tar.gz |
Implement AES-GCM-SIV (RFC8452)
Fixes #16721
This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could
not get AES-CTR to work as-is), and GHASH to implement POLYVAL. Optimally,
there would be separate polyval assembly implementation(s), but the only one
I could find (and it was SSE2 x86_64 code) was not Apache 2.0 licensed.
This implementation lives only in the default provider; there is no legacy
implementation.
The code offered in #16721 is not used; that implementation sits on top of
OpenSSL, this one is embedded inside OpenSSL.
Full test vectors from RFC8452 are included, except the 0 length plaintext;
that is not supported; and I'm not sure it's worthwhile to do so.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18693)
Diffstat (limited to 'test')
-rw-r--r-- | test/evp_test.c | 1 | ||||
-rw-r--r-- | test/recipes/30-test_evp.t | 4 | ||||
-rw-r--r-- | test/recipes/30-test_evp_data/evpciph_aes_gcm_siv.txt | 418 |
3 files changed, 422 insertions, 1 deletions
diff --git a/test/evp_test.c b/test/evp_test.c index f0ca8c48ff..4a532bee76 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -1099,6 +1099,7 @@ static int cipher_test_run(EVP_TEST *t) && EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_STREAM_CIPHER) || ((EVP_CIPHER_get_flags(cdat->cipher) & EVP_CIPH_FLAG_CTS) != 0) || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_SIV_MODE + || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_GCM_SIV_MODE || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_XTS_MODE || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_WRAP_MODE) break; diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t index 9f321850dd..572f5b1d8e 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -28,6 +28,7 @@ my $no_dsa = disabled("dsa"); my $no_ec = disabled("ec"); my $no_gost = disabled("gost"); my $no_sm2 = disabled("sm2"); +my $no_siv = disabled("siv"); # Default config depends on if the legacy module is built or not my $defaultcnf = $no_legacy ? 'default.cnf' : 'default-and-legacy.cnf'; @@ -83,7 +84,6 @@ push @files, qw( # (i.e. The algorithms are not present in the fips provider) my @defltfiles = qw( evpciph_aes_ocb.txt - evpciph_aes_siv.txt evpciph_aria.txt evpciph_bf.txt evpciph_camellia.txt @@ -120,6 +120,8 @@ my @defltfiles = qw( ); push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; +push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv; +push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv; plan tests => + (scalar(@configs) * scalar(@files)) diff --git a/test/recipes/30-test_evp_data/evpciph_aes_gcm_siv.txt b/test/recipes/30-test_evp_data/evpciph_aes_gcm_siv.txt new file mode 100644 index 0000000000..39c880cda9 --- /dev/null +++ b/test/recipes/30-test_evp_data/evpciph_aes_gcm_siv.txt @@ -0,0 +1,418 @@ +# +# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# Tests start with one of these keywords +# Cipher Decrypt Derive Digest Encoding KDF MAC PBE +# PrivPubKeyPair Sign Verify VerifyRecover +# and continue until a blank line. Lines starting with a pound sign are ignored. + +Title = RFC8452 AES-GCM-SIV + +Cipher = aes-128-gcm-siv +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 578782fff6013b815b287c22493a364c +Plaintext = 0100000000000000 +Ciphertext = b5d839330ac7b786 + + +Cipher = aes-128-gcm-siv +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = a4978db357391a0bc4fdec8b0d106639 +Plaintext = 010000000000000000000000 +Ciphertext = 7323ea61d05932260047d942 + + +Cipher = aes-128-gcm-siv +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 303aaf90f6fe21199c6068577437a0c4 +Plaintext = 01000000000000000000000000000000 +Ciphertext = 743f7c8077ab25f8624e2e948579cf77 + + +Cipher = aes-128-gcm-siv +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 1a8e45dcd4578c667cd86847bf6155ff +Plaintext = 0100000000000000000000000000000002000000000000000000000000000000 +Ciphertext = 84e07e62ba83a6585417245d7ec413a9fe427d6315c09b57ce45f2e3936a9445 + + +Cipher = aes-128-gcm-siv +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 5e6e311dbf395d35b0fe39c2714388f8 +Plaintext = 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = 3fd24ce1f5a67b75bf2351f181a475c7b800a5b4d3dcf70106b1eea82fa1d64df42bf7226122fa92e17a40eeaac1201b + + +Cipher = aes-128-gcm-siv +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 8a263dd317aa88d56bdf3936dba75bb8 +Plaintext = 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = 2433668f1058190f6d43e360f4f35cd8e475127cfca7028ea8ab5c20f7ab2af02516a2bdcbc08d521be37ff28c152bba36697f25b4cd169c6590d1dd39566d3f + + +Cipher = aes-128-gcm-siv +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 3b0a1a2560969cdf790d99759abd1508 +Plaintext = 0200000000000000 +Ciphertext = 1e6daba35669f427 + + +Cipher = aes-128-gcm-siv +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 08299c5102745aaa3a0c469fad9e075a +Plaintext = 020000000000000000000000 +Ciphertext = 296c7889fd99f41917f44620 + + +Cipher = aes-128-gcm-siv +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 8f8936ec039e4e4bb97ebd8c4457441f +Plaintext = 02000000000000000000000000000000 +Ciphertext = e2b0c5da79a901c1745f700525cb335b + + +Cipher = aes-128-gcm-siv +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = e6af6a7f87287da059a71684ed3498e1 +Plaintext = 0200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = 620048ef3c1e73e57e02bb8562c416a319e73e4caac8e96a1ecb2933145a1d71 + + +Cipher = aes-128-gcm-siv +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 6a8cc3865f76897c2e4b245cf31c51f2 +Plaintext = 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = 50c8303ea93925d64090d07bd109dfd9515a5a33431019c17d93465999a8b0053201d723120a8562b838cdff25bf9d1e + + +Cipher = aes-128-gcm-siv +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = cdc46ae475563de037001ef84ae21744 +Plaintext = 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000 +Ciphertext = 2f5c64059db55ee0fb847ed513003746aca4e61c711b5de2e7a77ffd02da42feec601910d3467bb8b36ebbaebce5fba30d36c95f48a3e7980f0e7ac299332a80 + + +Cipher = aes-128-gcm-siv +AAD = 010000000000000000000000 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 07eb1f84fb28f8cb73de8e99e2f48a14 +Plaintext = 02000000 +Ciphertext = a8fe3e87 + + +Cipher = aes-128-gcm-siv +AAD = 010000000000000000000000000000000200 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 24afc9805e976f451e6d87f6fe106514 +Plaintext = 0300000000000000000000000000000004000000 +Ciphertext = 6bb0fecf5ded9b77f902c7d5da236a4391dd0297 + + +Cipher = aes-128-gcm-siv +AAD = 0100000000000000000000000000000002000000 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = bff9b2ef00fb47920cc72a0c0f13b9fd +Plaintext = 030000000000000000000000000000000400 +Ciphertext = 44d0aaf6fb2f1f34add5e8064e83e12a2ada + +Cipher = aes-128-gcm-siv +AAD = 46bb91c3c5 +Key = 36864200e0eaf5284d884a0e77d31646 +IV = bae8e37fc83441b16034566b +Tag = 711bd85bc1e4d3e0a462e074eea428a8 +Plaintext = 7a806c +Ciphertext = af60eb + + +Cipher = aes-128-gcm-siv +AAD = fc880c94a95198874296 +Key = aedb64a6c590bc84d1a5e269e4b47801 +IV = afc0577e34699b9e671fdd4f +Tag = d6a9c45545cfc11f03ad743dba20f966 +Plaintext = bdc66f146545 +Ciphertext = bb93a3e34d3c + + +Cipher = aes-128-gcm-siv +AAD = 046787f3ea22c127aaf195d1894728 +Key = d5cc1fd161320b6920ce07787f86743b +IV = 275d1ab32f6d1f0434d8848c +Tag = 1d02fd0cd174c84fc5dae2f60f52fd2b +Plaintext = 1177441f195495860f +Ciphertext = 4f37281f7ad12949d0 + + +Cipher = aes-128-gcm-siv +AAD = c9882e5386fd9f92ec489c8fde2be2cf97e74e93 +Key = b3fed1473c528b8426a582995929a149 +IV = 9e9ad8780c8d63d0ab4149c0 +Tag = c1dc2f871fb7561da1286e655e24b7b0 +Plaintext = 9f572c614b4745914474e7c7 +Ciphertext = f54673c5ddf710c745641c8b + + +Cipher = aes-128-gcm-siv +AAD = 2950a70d5a1db2316fd568378da107b52b0da55210cc1c1b0a +Key = 2d4ed87da44102952ef94b02b805249b +IV = ac80e6f61455bfac8308a2d4 +Tag = 83b3449b9f39552de99dc214a1190b0b +Plaintext = 0d8c8451178082355c9e940fea2f58 +Ciphertext = c9ff545e07b88a015f05b274540aa1 + + +Cipher = aes-128-gcm-siv +AAD = 1860f762ebfbd08284e421702de0de18baa9c9596291b08466f37de21c7f +Key = bde3b2f204d1e9f8b06bc47f9745b3d1 +IV = ae06556fb6aa7890bebc18fe +Tag = 3e377094f04709f64d7b985310a4db84 +Plaintext = 6b3db4da3d57aa94842b9803a96e07fb6de7 +Ciphertext = 6298b296e24e8cc35dce0bed484b7f30d580 + + +Cipher = aes-128-gcm-siv +AAD = 7576f7028ec6eb5ea7e298342a94d4b202b370ef9768ec6561c4fe6b7e7296fa859c21 +Key = f901cfe8a69615a93fdf7a98cad48179 +IV = 6245709fb18853f68d833640 +Tag = 2d15506c84a9edd65e13e9d24a2a6e70 +Plaintext = e42a3c02c25b64869e146d7b233987bddfc240871d +Ciphertext = 391cc328d484a4f46406181bcd62efd9b3ee197d05 + + +# AES_256_GCM_SIV + + +Cipher = aes-256-gcm-siv +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 843122130f7364b761e0b97427e3df28 +Plaintext = 0100000000000000 +Ciphertext = c2ef328e5c71c83b + + +Cipher = aes-256-gcm-siv +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 8ca50da9ae6559e48fd10f6e5c9ca17e +Plaintext = 010000000000000000000000 +Ciphertext = 9aab2aeb3faa0a34aea8e2b1 + + +Cipher = aes-256-gcm-siv +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = c9eac6fa700942702e90862383c6c366 +Plaintext = 01000000000000000000000000000000 +Ciphertext = 85a01b63025ba19b7fd3ddfc033b3e76 + + +Cipher = aes-256-gcm-siv +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = e819e63abcd020b006a976397632eb5d +Plaintext = 0100000000000000000000000000000002000000000000000000000000000000 +Ciphertext = 4a6a9db4c8c6549201b9edb53006cba821ec9cf850948a7c86c68ac7539d027f + + +Cipher = aes-256-gcm-siv +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 790bc96880a99ba804bd12c0e6a22cc4 +Plaintext = 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = c00d121893a9fa603f48ccc1ca3c57ce7499245ea0046db16c53c7c66fe717e39cf6c748837b61f6ee3adcee17534ed5 + + +Cipher = aes-256-gcm-siv +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 112864c269fc0d9d88c61fa47e39aa08 +Plaintext = 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = c2d5160a1f8683834910acdafc41fbb1632d4a353e8b905ec9a5499ac34f96c7e1049eb080883891a4db8caaa1f99dd004d80487540735234e3744512c6f90ce + + +Cipher = aes-256-gcm-siv +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 91213f267e3b452f02d01ae33e4ec854 +Plaintext = 0200000000000000 +Ciphertext = 1de22967237a8132 + + +Cipher = aes-256-gcm-siv +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = c1a4a19ae800941ccdc57cc8413c277f +Plaintext = 020000000000000000000000 +Ciphertext = 163d6f9cc1b346cd453a2e4c + + +Cipher = aes-256-gcm-siv +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = b292d28ff61189e8e49f3875ef91aff7 +Plaintext = 02000000000000000000000000000000 +Ciphertext = c91545823cc24f17dbb0e9e807d5ec17 + + +Cipher = aes-256-gcm-siv +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = aea1bad12702e1965604374aab96dbbc +Plaintext = 0200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = 07dad364bfc2b9da89116d7bef6daaaf6f255510aa654f920ac81b94e8bad365 + + +Cipher = aes-256-gcm-siv +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 03332742b228c647173616cfd44c54eb +Plaintext = 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = c67a1f0f567a5198aa1fcc8e3f21314336f7f51ca8b1af61feac35a86416fa47fbca3b5f749cdf564527f2314f42fe25 + + +Cipher = aes-256-gcm-siv +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 5bde0285037c5de81e5b570a049b62a0 +Plaintext = 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000 +Ciphertext = 67fd45e126bfb9a79930c43aad2d36967d3f0e4d217c1e551f59727870beefc98cb933a8fce9de887b1e40799988db1fc3f91880ed405b2dd298318858467c89 + + +Cipher = aes-256-gcm-siv +AAD = 010000000000000000000000 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 1835e517741dfddccfa07fa4661b74cf +Plaintext = 02000000 +Ciphertext = 22b3f4cd + + +Cipher = aes-256-gcm-siv +AAD = 010000000000000000000000000000000200 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = b879ad976d8242acc188ab59cabfe307 +Plaintext = 0300000000000000000000000000000004000000 +Ciphertext = 43dd0163cdb48f9fe3212bf61b201976067f342b + + +Cipher = aes-256-gcm-siv +AAD = 0100000000000000000000000000000002000000 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = cfcdf5042112aa29685c912fc2056543 +Plaintext = 030000000000000000000000000000000400 +Ciphertext = 462401724b5ce6588d5a54aae5375513a075 + +Cipher = aes-256-gcm-siv +AAD = 4fbdc66f14 +Key = bae8e37fc83441b16034566b7a806c46bb91c3c5aedb64a6c590bc84d1a5e269 +IV = e4b47801afc0577e34699b9e +Tag = 93da9bb81333aee0c785b240d319719d +Plaintext = 671fdd +Ciphertext = 0eaccb + + +Cipher = aes-256-gcm-siv +AAD = 6787f3ea22c127aaf195 +Key = 6545fc880c94a95198874296d5cc1fd161320b6920ce07787f86743b275d1ab3 +IV = 2f6d1f0434d8848c1177441f +Tag = 6b62b84dc40c84636a5ec12020ec8c2c +Plaintext = 195495860f04 +Ciphertext = a254dad4f3f9 + + +Cipher = aes-256-gcm-siv +AAD = 489c8fde2be2cf97e74e932d4ed87d +Key = d1894728b3fed1473c528b8426a582995929a1499e9ad8780c8d63d0ab4149c0 +IV = 9f572c614b4745914474e7c7 +Tag = c0fd3dc6628dfe55ebb0b9fb2295c8c2 +Plaintext = c9882e5386fd9f92ec +Ciphertext = 0df9e308678244c44b + + +Cipher = aes-256-gcm-siv +AAD = 0da55210cc1c1b0abde3b2f204d1e9f8b06bc47f +Key = a44102952ef94b02b805249bac80e6f61455bfac8308a2d40d8c845117808235 +IV = 5c9e940fea2f582950a70d5a +Tag = 404099c2587f64979f21826706d497d5 +Plaintext = 1db2316fd568378da107b52b +Ciphertext = 8dbeb9f7255bf5769dd56692 + + +Cipher = aes-256-gcm-siv +AAD = f37de21c7ff901cfe8a69615a93fdf7a98cad481796245709f +Key = 9745b3d1ae06556fb6aa7890bebc18fe6b3db4da3d57aa94842b9803a96e07fb +IV = 6de71860f762ebfbd08284e4 +Tag = b3080d28f6ebb5d3648ce97bd5ba67fd +Plaintext = 21702de0de18baa9c9596291b08466 +Ciphertext = 793576dfa5c0f88729a7ed3c2f1bff + + +Cipher = aes-256-gcm-siv +AAD = 9c2159058b1f0fe91433a5bdc20e214eab7fecef4454a10ef0657df21ac7 +Key = b18853f68d833640e42a3c02c25b64869e146d7b233987bddfc240871d7576f7 +IV = 028ec6eb5ea7e298342a94d4 +Tag = 454fc2a154fea91f8363a39fec7d0a49 +Plaintext = b202b370ef9768ec6561c4fe6b7e7296fa85 +Ciphertext = 857e16a64915a787637687db4a9519635cdd + + +Cipher = aes-256-gcm-siv +AAD = 734320ccc9d9bbbb19cb81b2af4ecbc3e72834321f7aa0f70b7282b4f33df23f167541 +Key = 3c535de192eaed3822a2fbbe2ca9dfc88255e14a661b8aa82cc54236093bbc23 +IV = 688089e55540db1872504e1c +Tag = 9d6c7029675b89eaf4ba1ded1a286594 +Plaintext = ced532ce4159b035277d4dfbb7db62968b13cd4eec +Ciphertext = 626660c26ea6612fb17ad91e8e767639edd6c9faee + +# The tests in this section use AEAD_AES_256_GCM_SIV and are crafted to +# test correct wrapping of the block counter. + +Cipher = aes-256-gcm-siv +Key = 0000000000000000000000000000000000000000000000000000000000000000 +IV = 000000000000000000000000 +Tag = ffffffff000000000000000000000000 +Plaintext = 000000000000000000000000000000004db923dc793ee6497c76dcc03a98e108 +Ciphertext = f3f80f2cf0cb2dd9c5984fcda908456cc537703b5ba70324a6793a7bf218d3ea + + +Cipher = aes-256-gcm-siv +Key = 0000000000000000000000000000000000000000000000000000000000000000 +IV = 000000000000000000000000 +Tag = ffffffff000000000000000000000000 +Plaintext = eb3640277c7ffd1303c7a542d02d3e4c0000000000000000 +Ciphertext = 18ce4f0b8cb4d0cac65fea8f79257b20888e53e72299e56d + + |