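/* SPDX-License-Identifier: GPL-2.0-or-later */

#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Primitives under test.  They are only declared here; the definitions
 * must be supplied elsewhere in the translation unit (not shown in this
 * file).  Each one writes a 16-byte result to @o from the 16-byte input
 * @i (and the 16-byte round key @k where present).
 *
 * main() calls verify() only when a primitive returns true; a false
 * return skips the comparison.  NOTE(review): false presumably means
 * "this primitive is not available on the target" -- confirm against
 * the implementations.
 *
 * Abbreviations follow the FIPS 197 step names used in the comments
 * below: SB = SubBytes, SR = ShiftRows, MC = MixColumns,
 * AK = AddRoundKey, with an I prefix for the inverse step.
 */
static bool test_SB_SR(uint8_t *o, const uint8_t *i);
static bool test_MC(uint8_t *o, const uint8_t *i);
static bool test_SB_SR_MC_AK(uint8_t *o, const uint8_t *i, const uint8_t *k);

static bool test_ISB_ISR(uint8_t *o, const uint8_t *i);
static bool test_IMC(uint8_t *o, const uint8_t *i);
static bool test_ISB_ISR_AK_IMC(uint8_t *o, const uint8_t *i, const uint8_t *k);
static bool test_ISB_ISR_IMC_AK(uint8_t *o, const uint8_t *i, const uint8_t *k);

/*
 * From https://doi.org/10.6028/NIST.FIPS.197-upd1,
 * Appendix B -- Cipher Example
 *
 * Note that the formatting of the 4x4 matrices in the document is
 * column-major, whereas C is row-major.  Therefore to get the bytes
 * in the same order as the text, the matrices are transposed.
 *
 * Note that we are not going to test SubBytes or ShiftRows separately,
 * so the "After SubBytes" column is omitted, using only the combined
 * result "After ShiftRows" column.
 */

/* Ease the inline assembly by aligning everything. */
typedef struct {
    uint8_t b[16] __attribute__((aligned(16)));
} State;

/* One row of the worked example: the state at each step plus the key. */
typedef struct {
    State start, after_sr, after_mc, round_key;
} Round;

/*
 * Known-answer vectors.  These are reference data: any edit to a byte
 * here changes what the primitives are checked against.
 */
static const Round rounds[] = {
    /* Round 1 */
    { { { 0x19, 0x3d, 0xe3, 0xbe,          /* start */
          0xa0, 0xf4, 0xe2, 0x2b,
          0x9a, 0xc6, 0x8d, 0x2a,
          0xe9, 0xf8, 0x48, 0x08, } },

      { { 0xd4, 0xbf, 0x5d, 0x30,          /* after shiftrows */
          0xe0, 0xb4, 0x52, 0xae,
          0xb8, 0x41, 0x11, 0xf1,
          0x1e, 0x27, 0x98, 0xe5, } },

      { { 0x04, 0x66, 0x81, 0xe5,          /* after mixcolumns */
          0xe0, 0xcb, 0x19, 0x9a,
          0x48, 0xf8, 0xd3, 0x7a,
          0x28, 0x06, 0x26, 0x4c, } },

      { { 0xa0, 0xfa, 0xfe, 0x17,          /* round key */
          0x88, 0x54, 0x2c, 0xb1,
          0x23, 0xa3, 0x39, 0x39,
          0x2a, 0x6c, 0x76, 0x05, } } },

    /* Round 2 */
    { { { 0xa4, 0x9c, 0x7f, 0xf2,          /* start */
          0x68, 0x9f, 0x35, 0x2b,
          0x6b, 0x5b, 0xea, 0x43,
          0x02, 0x6a, 0x50, 0x49, } },

      { { 0x49, 0xdb, 0x87, 0x3b,          /* after shiftrows */
          0x45, 0x39, 0x53, 0x89,
          0x7f, 0x02, 0xd2, 0xf1,
          0x77, 0xde, 0x96, 0x1a, } },

      { { 0x58, 0x4d, 0xca, 0xf1,          /* after mixcolumns */
          0x1b, 0x4b, 0x5a, 0xac,
          0xdb, 0xe7, 0xca, 0xa8,
          0x1b, 0x6b, 0xb0, 0xe5, } },

      { { 0xf2, 0xc2, 0x95, 0xf2,          /* round key */
          0x7a, 0x96, 0xb9, 0x43,
          0x59, 0x35, 0x80, 0x7a,
          0x73, 0x59, 0xf6, 0x7f, } } },

    /* Round 3 */
    { { { 0xaa, 0x8f, 0x5f, 0x03,          /* start */
          0x61, 0xdd, 0xe3, 0xef,
          0x82, 0xd2, 0x4a, 0xd2,
          0x68, 0x32, 0x46, 0x9a, } },

      { { 0xac, 0xc1, 0xd6, 0xb8,          /* after shiftrows */
          0xef, 0xb5, 0x5a, 0x7b,
          0x13, 0x23, 0xcf, 0xdf,
          0x45, 0x73, 0x11, 0xb5, } },

      { { 0x75, 0xec, 0x09, 0x93,          /* after mixcolumns */
          0x20, 0x0b, 0x63, 0x33,
          0x53, 0xc0, 0xcf, 0x7c,
          0xbb, 0x25, 0xd0, 0xdc, } },

      { { 0x3d, 0x80, 0x47, 0x7d,          /* round key */
          0x47, 0x16, 0xfe, 0x3e,
          0x1e, 0x23, 0x7e, 0x44,
          0x6d, 0x7a, 0x88, 0x3b, } } },
};

/* Print @prefix followed by the 16 state bytes of @s in hex. */
static void verify_log(const char *prefix, const State *s)
{
    printf("%s:", prefix);
    /* size_t index: the bound is a sizeof, so avoid a signed compare. */
    for (size_t i = 0; i < sizeof(s->b); ++i) {
        printf(" %02x", s->b[i]);
    }
    printf("\n");
}

/*
 * Compare the computed state @tst with the reference @ref.
 * Returns silently on a match; on a mismatch prints @which and both
 * states, then terminates the process with EXIT_FAILURE.
 */
static void verify(const State *ref, const State *tst, const char *which)
{
    if (!memcmp(ref, tst, sizeof(State))) {
        return;
    }

    printf("Mismatch on %s\n", which);
    verify_log("ref", ref);
    verify_log("tst", tst);
    exit(EXIT_FAILURE);
}

/*
 * Run every primitive against the FIPS 197 Appendix B vectors.
 *
 * Returns EXIT_SUCCESS when no executed comparison failed.  A primitive
 * that returns false is skipped without any output, so EXIT_SUCCESS by
 * itself does not show that a given primitive was exercised.
 */
int main(void)
{
    const int n = (int)(sizeof(rounds) / sizeof(rounds[0]));
    int i;
    State t;

    for (i = 0; i < n; ++i) {
        if (test_SB_SR(t.b, rounds[i].start.b)) {
            verify(&rounds[i].after_sr, &t, "SB+SR");
        }
    }

    for (i = 0; i < n; ++i) {
        if (test_MC(t.b, rounds[i].after_sr.b)) {
            verify(&rounds[i].after_mc, &t, "MC");
        }
    }

    /*
     * The kernel of Cipher().
     * A full round applied to rounds[i].start must yield the next row's
     * start, hence the loop stops one short of the table end.
     */
    for (i = 0; i < n - 1; ++i) {
        if (test_SB_SR_MC_AK(t.b, rounds[i].start.b, rounds[i].round_key.b)) {
            verify(&rounds[i + 1].start, &t, "SB+SR+MC+AK");
        }
    }

    for (i = 0; i < n; ++i) {
        if (test_ISB_ISR(t.b, rounds[i].after_sr.b)) {
            verify(&rounds[i].start, &t, "ISB+ISR");
        }
    }

    for (i = 0; i < n; ++i) {
        if (test_IMC(t.b, rounds[i].after_mc.b)) {
            verify(&rounds[i].after_sr, &t, "IMC");
        }
    }

    /*
     * The kernel of InvCipher().
     * Walks the table backwards: row i's after_sr state with row i-1's
     * round key must reproduce row i-1's after_sr state.
     */
    for (i = n - 1; i > 0; --i) {
        if (test_ISB_ISR_AK_IMC(t.b, rounds[i].after_sr.b,
                                rounds[i - 1].round_key.b)) {
            verify(&rounds[i - 1].after_sr, &t, "ISB+ISR+AK+IMC");
        }
    }

    /*
     * The kernel of EqInvCipher().
     * We must compute a different round key: apply InvMixColumns to
     * the standard round key, per KeyExpansion vs KeyExpansionEIC.
     *
     * The transformed key is left in t.b, and t.b is then passed as
     * both the output and the key of test_ISB_ISR_IMC_AK.  The output
     * and key buffers therefore alias: an implementation has to read
     * the whole key before it stores any output byte.
     */
    for (i = 1; i < n; ++i) {
        if (test_IMC(t.b, rounds[i - 1].round_key.b) &&
            test_ISB_ISR_IMC_AK(t.b, rounds[i].after_sr.b, t.b)) {
            verify(&rounds[i - 1].after_sr, &t, "ISB+ISR+IMC+AK");
        }
    }

    return EXIT_SUCCESS;
}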