/*      $OpenBSD: gmac_test.c,v 1.7 2021/12/14 06:27:48 deraadt Exp $  */

/*
 * Copyright (c) 2010 Mike Belopuhov <mikeb@openbsd.org>
 * Copyright (c) 2005 Markus Friedl <markus@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
19
20#include <sys/types.h>
21#include <crypto/aes.h>
22#include <crypto/gmac.h>
23#include <err.h>
24#include <errno.h>
25#include <string.h>
26#include <stdlib.h>
27#include <stdio.h>
28
/*
 * Smaller of two values.  This is a function-like macro, so an argument
 * may be evaluated twice: pass only expressions without side effects.
 */
#define MINIMUM(a, b)       (((a) < (b)) ? (a) : (b))

/* When non-zero, run() prints each raw hex string before parsing it. */
int debug = 0;

/*
 * Index of each field inside a test vector's data[] array.  TST_NUM is the
 * number of fields and is used to size the per-vector arrays.
 */
enum { TST_KEY, TST_IV, TST_AAD, TST_CIPHER, TST_TAG, TST_NUM };
34
35struct {
36	char	*data[TST_NUM];
37} tests[] = {
38	/* Test vectors from gcm-spec.pdf (initial proposal to NIST) */
39
40	/* 128 bit key */
41
42	/* Test Case 1 */
43	{
44		/* key + salt */
45		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
46		"00 00 00 00",
47		/* iv */
48		"00 00 00 00 00 00 00 00",
49		/* aad */
50		NULL,
51		/* ciphertext */
52		NULL,
53		/* tag */
54		"58 e2 fc ce fa 7e 30 61 36 7f 1d 57 a4 e7 45 5a"
55	},
56	/* Test Case 2 */
57	{
58		/* key + salt */
59		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
60		"00 00 00 00",
61		/* iv */
62		"00 00 00 00 00 00 00 00",
63		/* aad */
64		NULL,
65		/* ciphertext */
66		"03 88 da ce 60 b6 a3 92 f3 28 c2 b9 71 b2 fe 78",
67		/* tag */
68		"ab 6e 47 d4 2c ec 13 bd f5 3a 67 b2 12 57 bd df"
69	},
70	/* Test Case 3 */
71	{
72		/* key + salt */
73		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
74		"ca fe ba be",
75		/* iv */
76		"fa ce db ad de ca f8 88",
77		/* aad */
78		NULL,
79		/* ciphertext */
80		"42 83 1e c2 21 77 74 24 4b 72 21 b7 84 d0 d4 9c "
81		"e3 aa 21 2f 2c 02 a4 e0 35 c1 7e 23 29 ac a1 2e "
82		"21 d5 14 b2 54 66 93 1c 7d 8f 6a 5a ac 84 aa 05 "
83		"1b a3 0b 39 6a 0a ac 97 3d 58 e0 91 47 3f 59 85",
84		/* tag */
85		"4d 5c 2a f3 27 cd 64 a6 2c f3 5a bd 2b a6 fa b4"
86	},
87	/* Test Case 4 */
88	{
89		/* key + salt */
90		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
91		"ca fe ba be",
92		/* iv */
93		"fa ce db ad de ca f8 88",
94		/* aad */
95		"fe ed fa ce de ad be ef fe ed fa ce de ad be ef "
96		"ab ad da d2",
97		/* ciphertext */
98		"42 83 1e c2 21 77 74 24 4b 72 21 b7 84 d0 d4 9c "
99		"e3 aa 21 2f 2c 02 a4 e0 35 c1 7e 23 29 ac a1 2e "
100		"21 d5 14 b2 54 66 93 1c 7d 8f 6a 5a ac 84 aa 05 "
101		"1b a3 0b 39 6a 0a ac 97 3d 58 e0 91",
102		/* tag */
103		"5b c9 4f bc 32 21 a5 db 94 fa e9 5a e7 12 1a 47"
104	},
105
106	/* 192 bit key */
107
108	/* Test Case 7 */
109	{
110		/* key + salt */
111		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
112		"00 00 00 00 00 00 00 00 "
113		"00 00 00 00",
114		/* iv */
115		"00 00 00 00 00 00 00 00",
116		/* aad */
117		NULL,
118		/* ciphertext */
119		NULL,
120		/* tag */
121		"cd 33 b2 8a c7 73 f7 4b a0 0e d1 f3 12 57 24 35"
122	},
123	/* Test Case 8 */
124	{
125		/* key + salt */
126		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
127		"00 00 00 00 00 00 00 00 "
128		"00 00 00 00",
129		/* iv */
130		"00 00 00 00 00 00 00 00",
131		/* aad */
132		NULL,
133		/* ciphertext */
134		"98 e7 24 7c 07 f0 fe 41 1c 26 7e 43 84 b0 f6 00",
135		/* tag */
136		"2f f5 8d 80 03 39 27 ab 8e f4 d4 58 75 14 f0 fb"
137	},
138	/* Test Case 9 */
139	{
140		/* key + salt */
141		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
142		"fe ff e9 92 86 65 73 1c "
143		"ca fe ba be",
144		/* iv */
145		"fa ce db ad de ca f8 88",
146		/* aad */
147		NULL,
148		/* ciphertext */
149		"39 80 ca 0b 3c 00 e8 41 eb 06 fa c4 87 2a 27 57 "
150		"85 9e 1c ea a6 ef d9 84 62 85 93 b4 0c a1 e1 9c "
151		"7d 77 3d 00 c1 44 c5 25 ac 61 9d 18 c8 4a 3f 47 "
152		"18 e2 44 8b 2f e3 24 d9 cc da 27 10 ac ad e2 56",
153		/* tag */
154		"99 24 a7 c8 58 73 36 bf b1 18 02 4d b8 67 4a 14"
155	},
156	/* Test Case 10 */
157	{
158		/* key + salt */
159		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
160		"fe ff e9 92 86 65 73 1c "
161		"ca fe ba be",
162		/* iv */
163		"fa ce db ad de ca f8 88",
164		/* aad */
165		"fe ed fa ce de ad be ef fe ed fa ce de ad be ef "
166		"ab ad da d2",
167		/* ciphertext */
168		"39 80 ca 0b 3c 00 e8 41 eb 06 fa c4 87 2a 27 57 "
169		"85 9e 1c ea a6 ef d9 84 62 85 93 b4 0c a1 e1 9c "
170		"7d 77 3d 00 c1 44 c5 25 ac 61 9d 18 c8 4a 3f 47 "
171		"18 e2 44 8b 2f e3 24 d9 cc da 27 10",
172		/* tag */
173		"25 19 49 8e 80 f1 47 8f 37 ba 55 bd 6d 27 61 8c"
174	},
175
176	/* 256 bit key */
177
178	/* Test Case 13 */
179	{
180		/* key + salt */
181		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
182		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
183		"00 00 00 00",
184		/* iv */
185		"00 00 00 00 00 00 00 00",
186		/* aad */
187		NULL,
188		/* ciphertext */
189		NULL,
190		/* tag */
191		"53 0f 8a fb c7 45 36 b9 a9 63 b4 f1 c4 cb 73 8b"
192	},
193	/* Test Case 14 */
194	{
195		/* key + salt */
196		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
197		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
198		"00 00 00 00",
199		/* iv */
200		"00 00 00 00 00 00 00 00",
201		/* aad */
202		NULL,
203		/* ciphertext */
204		"ce a7 40 3d 4d 60 6b 6e 07 4e c5 d3 ba f3 9d 18",
205		/* tag */
206		"d0 d1 c8 a7 99 99 6b f0 26 5b 98 b5 d4 8a b9 19"
207	},
208	/* Test Case 15 */
209	{
210		/* key + salt */
211		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
212		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
213		"ca fe ba be",
214		/* iv */
215		"fa ce db ad de ca f8 88",
216		/* aad */
217		NULL,
218		/* ciphertext */
219		"52 2d c1 f0 99 56 7d 07 f4 7f 37 a3 2a 84 42 7d "
220		"64 3a 8c dc bf e5 c0 c9 75 98 a2 bd 25 55 d1 aa "
221		"8c b0 8e 48 59 0d bb 3d a7 b0 8b 10 56 82 88 38 "
222		"c5 f6 1e 63 93 ba 7a 0a bc c9 f6 62 89 80 15 ad",
223		/* tag */
224		"b0 94 da c5 d9 34 71 bd ec 1a 50 22 70 e3 cc 6c"
225	},
226	/* Test Case 16 */
227	{
228		/* key + salt */
229		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
230		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
231		"ca fe ba be",
232		/* iv */
233		"fa ce db ad de ca f8 88",
234		/* aad */
235		"fe ed fa ce de ad be ef fe ed fa ce de ad be ef "
236		"ab ad da d2",
237		/* ciphertext */
238		"52 2d c1 f0 99 56 7d 07 f4 7f 37 a3 2a 84 42 7d "
239		"64 3a 8c dc bf e5 c0 c9 75 98 a2 bd 25 55 d1 aa "
240		"8c b0 8e 48 59 0d bb 3d a7 b0 8b 10 56 82 88 38 "
241		"c5 f6 1e 63 93 ba 7a 0a bc c9 f6 62",
242		/* tag */
243		"76 fc 6e ce 0f 4e 17 68 cd df 88 53 bb 2d 55 1b"
244	},
245
246	/* Test vectors from draft-mcgrew-gcm-test-01.txt */
247
248	/* Page 6 */
249	{
250		/* key + salt */
251		"4c 80 cd ef bb 5d 10 da 90 6a c7 3c 36 13 a6 34 "
252		"2e 44 3b 68",
253		/* iv */
254		"49 56 ed 7e 3b 24 4c fe",
255		/* aad */
256		"00 00 43 21 87 65 43 21 00 00 00 00",
257		/* ciphertext */
258		"fe cf 53 7e 72 9d 5b 07 dc 30 df 52 8d d2 2b 76 "
259		"8d 1b 98 73 66 96 a6 fd 34 85 09 fa 13 ce ac 34 "
260		"cf a2 43 6f 14 a3 f3 cf 65 92 5b f1 f4 a1 3c 5d "
261		"15 b2 1e 18 84 f5 ff 62 47 ae ab b7 86 b9 3b ce "
262		"61 bc 17 d7 68 fd 97 32",
263		/* tag */
264		"45 90 18 14 8f 6c be 72 2f d0 47 96 56 2d fd b4"
265	},
266	/* Page 7 */
267	{
268		/* key + salt */
269		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
270		"ca fe ba be",
271		/* iv */
272		"fa ce db ad de ca f8 88",
273		/* aad */
274		"00 00 a5 f8 00 00 00 0a",
275		/* ciphertext */
276		"de b2 2c d9 b0 7c 72 c1 6e 3a 65 be eb 8d f3 04 "
277		"a5 a5 89 7d 33 ae 53 0f 1b a7 6d 5d 11 4d 2a 5c "
278		"3d e8 18 27 c1 0e 9a 4f 51 33 0d 0e ec 41 66 42 "
279		"cf bb 85 a5 b4 7e 48 a4 ec 3b 9b a9 5d 91 8b d1",
280		/* tag */
281		"83 b7 0d 3a a8 bc 6e e4 c3 09 e9 d8 5a 41 ad 4a"
282	},
283	/* Page 8 */
284	{
285		/* key + salt */
286		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
287		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
288		"11 22 33 44",
289		/* iv */
290		"01 02 03 04 05 06 07 08",
291		/* aad */
292		"4a 2c bf e3 00 00 00 02",
293		/* ciphertext */
294		"ff 42 5c 9b 72 45 99 df 7a 3b cd 51 01 94 e0 0d "
295		"6a 78 10 7f 1b 0b 1c bf 06 ef ae 9d 65 a5 d7 63 "
296		"74 8a 63 79 85 77 1d 34 7f 05 45 65 9f 14 e9 9d "
297		"ef 84 2d 8e",
298		/* tag */
299		"b3 35 f4 ee cf db f8 31 82 4b 4c 49 15 95 6c 96"
300	},
301	/* Page 9 */
302	{
303		/* key + salt */
304		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
305		"00 00 00 00",
306		/* iv */
307		"00 00 00 00 00 00 00 00",
308		/* aad */
309		"00 00 00 00 00 00 00 01",
310		/* ciphertext */
311		"46 88 da f2 f9 73 a3 92 73 29 09 c3 31 d5 6d 60 "
312		"f6 94 ab aa 41 4b 5e 7f f5 fd cd ff f5 e9 a2 84 "
313		"45 64 76 49 27 19 ff b6 4d e7 d9 dc a1 e1 d8 94 "
314		"bc 3b d5 78 73 ed 4d 18 1d 19 d4 d5 c8 c1 8a f3",
315		/* tag */
316		"f8 21 d4 96 ee b0 96 e9 8a d2 b6 9e 47 99 c7 1d"
317	},
318	/* Page 10 */
319	{
320		/* key + salt */
321		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
322		"57 69 0e 43",
323		/* iv */
324		"4e 28 00 00 a2 fc a1 a3",
325		/* aad */
326		"42 f6 7e 3f 10 10 10 10 10 10 10 10",
327		/* ciphertext */
328		"fb a2 ca a4 85 3c f9 f0 f2 2c b1 0d 86 dd 83 b0 "
329		"fe c7 56 91 cf 1a 04 b0 0d 11 38 ec 9c 35 79 17 "
330		"65 ac bd 87 01 ad 79 84 5b f9 fe 3f ba 48 7b c9 "
331		"17 55 e6 66 2b 4c 8d 0d 1f 5e 22 73 95 30 32 0a",
332		/* tag */
333		"e0 d7 31 cc 97 8e ca fa ea e8 8f 00 e8 0d 6e 48"
334	},
335	/* Page 11 */
336	{
337		/* key + salt */
338		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
339		"57 69 0e 43",
340		/* iv */
341		"4e 28 00 00 a2 fc a1 a3",
342		/* aad */
343		"42 f6 7e 3f 10 10 10 10 10 10 10 10",
344		/* ciphertext */
345		"fb a2 ca 84 5e 5d f9 f0 f2 2c 3e 6e 86 dd 83 1e "
346		"1f c6 57 92 cd 1a f9 13 0e 13 79 ed",
347		/* tag */
348		"36 9f 07 1f 35 e0 34 be 95 f1 12 e4 e7 d0 5d 35"
349	},
350	/* Page 11 */
351	{
352		/* key + salt */
353		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
354		"fe ff e9 92 86 65 73 1c "
355		"ca fe ba be",
356		/* iv */
357		"fa ce db ad de ca f8 88",
358		/* aad */
359		"00 00 a5 f8 00 00 00 0a",
360		/* ciphertext */
361		"a5 b1 f8 06 60 29 ae a4 0e 59 8b 81 22 de 02 42 "
362		"09 38 b3 ab 33 f8 28 e6 87 b8 85 8b 5b fb db d0 "
363		"31 5b 27 45 21 44 cc 77",
364		/* tag */
365		"95 45 7b 96 52 03 7f 53 18 02 7b 5b 4c d7 a6 36"
366	},
367	/* Page 12 */
368	{
369		/* key + salt */
370		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
371		"de ca f8 88",
372		/* iv */
373		"ca fe de ba ce fa ce 74",
374		/* aad */
375		"00 00 01 00 00 00 00 00 00 00 00 01",
376		/* ciphertext */
377		"18 a6 fd 42 f7 2c bf 4a b2 a2 ea 90 1f 73 d8 14 "
378		"e3 e7 f2 43 d9 54 12 e1 c3 49 c1 d2 fb ec 16 8f "
379		"91 90 fe eb af 2c b0 19 84 e6 58 63 96 5d 74 72 "
380		"b7 9d a3 45 e0 e7 80 19 1f 0d 2f 0e 0f 49 6c 22 "
381		"6f 21 27 b2 7d b3 57 24 e7 84 5d 68",
382		/* tag */
383		"65 1f 57 e6 5f 35 4f 75 ff 17 01 57 69 62 34 36"
384	},
385	/* Page 13 */
386	{
387		/* key + salt */
388		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
389		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
390		"73 61 6c 74",
391		/* iv */
392		"61 6e 64 01 69 76 65 63",
393		/* aad */
394		"17 40 5e 67 15 6f 31 26 dd 0d b9 9b",
395		/* ciphertext */
396		"f2 d6 9e cd bd 5a 0d 5b 8d 5e f3 8b ad 4d a5 8d "
397		"1f 27 8f de 98 ef 67 54 9d 52 4a 30 18 d9 a5 7f "
398		"f4 d3 a3 1c e6 73 11 9e",
399		/* tag */
400		"45 16 26 c2 41 57 71 e3 b7 ee bc a6 14 c8 9b 35"
401	},
402	/* Page 14 */
403	{
404		/* key + salt */
405		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
406		"57 69 0e 43",
407		/* iv */
408		"4e 28 00 00 a2 fc a1 a3",
409		/* aad */
410		"42 f6 7e 3f 10 10 10 10 10 10 10 10",
411		/* ciphertext */
412		"fb a2 ca d1 2f c1 f9 f0 0d 3c eb f3 05 41 0d b8 "
413		"3d 77 84 b6 07 32 3d 22 0f 24 b0 a9 7d 54 18 28 "
414		"00 ca db 0f 68 d9 9e f0 e0 c0 c8 9a e9 be a8 88 "
415		"4e 52 d6 5b c1 af d0 74 0f 74 24 44 74 7b 5b 39 "
416		"ab 53 31 63 aa d4 55 0e e5 16 09 75",
417		/* tag */
418		"cd b6 08 c5 76 91 89 60 97 63 b8 e1 8c aa 81 e2"
419	},
420	/* Page 15 */
421	{
422		/* key + salt */
423		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
424		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
425		"73 61 6c 74",
426		/* iv */
427		"61 6e 64 01 69 76 65 63",
428		/* aad */
429		"17 40 5e 67 15 6f 31 26 dd 0d b9 9b",
430		/* ciphertext */
431		"d4 b7 ed 86 a1 77 7f 2e a1 3d 69 73 d3 24 c6 9e "
432		"7b 43 f8 26 fb 56 83 12 26 50 8b eb d2 dc eb 18 "
433		"d0 a6 df 10 e5 48 7d f0 74 11 3e 14 c6 41 02 4e "
434		"3e 67 73 d9 1a 62 ee 42 9b 04 3a 10 e3 ef e6 b0 "
435		"12 a4 93 63 41 23 64 f8",
436		/* tag */
437		"c0 ca c5 87 f2 49 e5 6b 11 e2 4f 30 e4 4c cc 76"
438	},
439	/* Page 16 */
440	{
441		/* key + salt */
442		"7d 77 3d 00 c1 44 c5 25 ac 61 9d 18 c8 4a 3f 47 "
443		"d9 66 42 67",
444		/* iv */
445		"43 45 7e 91 82 44 3b c6",
446		/* aad */
447		"33 54 67 ae ff ff ff ff",
448		/* ciphertext */
449		"43 7f 86 6b",
450		/* tag */
451		"cb 3f 69 9f e9 b0 82 2b ac 96 1c 45 04 be f2 70"
452	},
453	/* Page 16 */
454	{
455		/* key + salt */
456		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
457		"de ca f8 88",
458		/* iv */
459		"ca fe de ba ce fa ce 74",
460		/* aad */
461		"00 00 01 00 00 00 00 00 00 00 00 01",
462		/* ciphertext */
463		"29 c9 fc 69 a1 97 d0 38 cc dd 14 e2 dd fc aa 05 "
464		"43 33 21 64",
465		/* tag */
466		"41 25 03 52 43 03 ed 3c 6c 5f 28 38 43 af 8c 3e"
467	},
468	/* Page 17 */
469	{
470		/* key + salt */
471		"6c 65 67 61 6c 69 7a 65 6d 61 72 69 6a 75 61 6e "
472		"61 61 6e 64 64 6f 69 74 62 65 66 6f 72 65 69 61 "
473		"74 75 72 6e",
474		/* iv */
475		"33 30 21 69 67 65 74 6d",
476		/* aad */
477		"79 6b 69 63 ff ff ff ff ff ff ff ff",
478		/* ciphertext */
479		"f9 7a b2 aa 35 6d 8e dc e1 76 44 ac 8c 78 e2 5d "
480		"d2 4d ed bb 29 eb f1 b6 4a 27 4b 39 b4 9c 3a 86 "
481		"4c d3 d7 8c a4 ae 68 a3 2b 42 45 8f b5 7d be 82 "
482		"1d cc 63 b9",
483		/* tag */
484		"d0 93 7b a2 94 5f 66 93 68 66 1a 32 9f b4 c0 53"
485	},
486	/* Page 18 */
487	{
488		/* key + salt */
489		"4c 80 cd ef bb 5d 10 da 90 6a c7 3c 36 13 a6 34 "
490		"22 43 3c 64",
491		/* iv */
492		"00 00 00 00 00 00 00 00",
493		/* aad */
494		"00 00 43 21 00 00 00 07 00 00 00 00 00 00 00 00 "
495		"45 00 00 30 da 3a 00 00 80 01 df 3b c0 a8 00 05 "
496		"c0 a8 00 01 08 00 c6 cd 02 00 07 00 61 62 63 64 "
497		"65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 "
498		"01 02 02 01",
499		/* ciphertext */
500		NULL,
501		/* tag */
502		"f2 a9 a8 36 e1 55 10 6a a8 dc d6 18 e4 09 9a aa"
503	},
504	/* Page 19 */
505	{
506		/* key + salt */
507		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
508		"57 69 0e 43",
509		/* iv */
510		"4e 28 00 00 a2 fc a1 a3",
511		/* aad */
512		"3f 7e f6 42 10 10 10 10 10 10 10 10",
513		/* ciphertext */
514		"fb a2 ca a8 c6 c5 f9 f0 f2 2c a5 4a 06 12 10 ad "
515		"3f 6e 57 91 cf 1a ca 21 0d 11 7c ec 9c 35 79 17 "
516		"65 ac bd 87 01 ad 79 84 5b f9 fe 3f ba 48 7b c9 "
517		"63 21 93 06",
518		/* tag */
519		"84 ee ca db 56 91 25 46 e7 a9 5c 97 40 d7 cb 05"
520	},
521	/* Page 20 */
522	{
523		/* key + salt */
524		"4c 80 cd ef bb 5d 10 da 90 6a c7 3c 36 13 a6 34 "
525		"22 43 3c 64",
526		/* iv */
527		"48 55 ec 7d 3a 23 4b fd",
528		/* aad */
529		"00 00 43 21 87 65 43 21 00 00 00 07",
530		/* ciphertext */
531		"74 75 2e 8a eb 5d 87 3c d7 c0 f4 ac c3 6c 4b ff "
532		"84 b7 d7 b9 8f 0c a8 b6 ac da 68 94 bc 61 90 69",
533		/* tag */
534		"ef 9c bc 28 fe 1b 56 a7 c4 e0 d5 8c 86 cd 2b c0"
535	},
536
537	/* local add-ons, primarily streaming ghash tests */
538
539	/* 128 bytes aad */
540	{
541		/* key + salt */
542		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
543		"00 00 00 00",
544		/* iv */
545		"00 00 00 00 00 00 00 00",
546		/* aad */
547		"d9 31 32 25 f8 84 06 e5 a5 59 09 c5 af f5 26 9a "
548		"86 a7 a9 53 15 34 f7 da 2e 4c 30 3d 8a 31 8a 72 "
549		"1c 3c 0c 95 95 68 09 53 2f cf 0e 24 49 a6 b5 25 "
550		"b1 6a ed f5 aa 0d e6 57 ba 63 7b 39 1a af d2 55 "
551		"52 2d c1 f0 99 56 7d 07 f4 7f 37 a3 2a 84 42 7d "
552		"64 3a 8c dc bf e5 c0 c9 75 98 a2 bd 25 55 d1 aa "
553		"8c b0 8e 48 59 0d bb 3d a7 b0 8b 10 56 82 88 38 "
554		"c5 f6 1e 63 93 ba 7a 0a bc c9 f6 62 89 80 15 ad",
555		/* ciphertext */
556		NULL,
557		/* tag */
558		"5f ea 79 3a 2d 6f 97 4d 37 e6 8e 0c b8 ff 94 92"
559	},
560	/* 48 bytes plaintext */
561	{
562		/* key + salt */
563		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
564		"00 00 00 00",
565		/* iv */
566		"00 00 00 00 00 00 00 00",
567		/* aad */
568		NULL,
569		/* ciphertext */
570		"03 88 da ce 60 b6 a3 92 f3 28 c2 b9 71 b2 fe 78 "
571		"f7 95 aa ab 49 4b 59 23 f7 fd 89 ff 94 8b c1 e0 "
572		"20 02 11 21 4e 73 94 da 20 89 b6 ac d0 93 ab e0",
573		/* tag */
574		"9d d0 a3 76 b0 8e 40 eb 00 c3 5f 29 f9 ea 61 a4"
575	},
576	/* 80 bytes plaintext */
577	{
578		/* key + salt */
579		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
580		"00 00 00 00",
581		/* iv */
582		"00 00 00 00 00 00 00 00",
583		/* aad */
584		NULL,
585		/* ciphertext */
586		"03 88 da ce 60 b6 a3 92 f3 28 c2 b9 71 b2 fe 78 "
587		"f7 95 aa ab 49 4b 59 23 f7 fd 89 ff 94 8b c1 e0 "
588		"20 02 11 21 4e 73 94 da 20 89 b6 ac d0 93 ab e0 "
589		"c9 4d a2 19 11 8e 29 7d 7b 7e bc bc c9 c3 88 f2 "
590		"8a de 7d 85 a8 ee 35 61 6f 71 24 a9 d5 27 02 91",
591		/* tag */
592		"98 88 5a 3a 22 bd 47 42 fe 7b 72 17 21 93 b1 63"
593	},
594	/* 128 bytes plaintext */
595	{
596		/* key + salt */
597		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
598		"00 00 00 00",
599		/* iv */
600		"00 00 00 00 00 00 00 00",
601		/* aad */
602		NULL,
603		/* ciphertext */
604		"03 88 da ce 60 b6 a3 92 f3 28 c2 b9 71 b2 fe 78 "
605		"f7 95 aa ab 49 4b 59 23 f7 fd 89 ff 94 8b c1 e0 "
606		"20 02 11 21 4e 73 94 da 20 89 b6 ac d0 93 ab e0 "
607		"c9 4d a2 19 11 8e 29 7d 7b 7e bc bc c9 c3 88 f2 "
608		"8a de 7d 85 a8 ee 35 61 6f 71 24 a9 d5 27 02 91 "
609		"95 b8 4d 1b 96 c6 90 ff 2f 2d e3 0b f2 ec 89 e0 "
610		"02 53 78 6e 12 65 04 f0 da b9 0c 48 a3 03 21 de "
611		"33 45 e6 b0 46 1e 7c 9e 6c 6b 7a fe dd e8 3f 40",
612		/* tag */
613		"ca c4 5f 60 e3 1e fd 3b 5a 43 b9 8a 22 ce 1a a1"
614	},
615	/* 80 bytes plaintext, submitted by Intel */
616	{
617		/* key + salt */
618		"84 3f fc f5 d2 b7 26 94 d1 9e d0 1d 01 24 94 12 "
619		"db cc a3 2e",
620		/* iv */
621		"bf 9b 80 46 17 c3 aa 9e",
622		/* aad */
623		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
624		"10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f",
625		/* ciphertext */
626		"62 68 c6 fa 2a 80 b2 d1 37 46 7f 09 2f 65 7a c0 "
627		"4d 89 be 2b ea a6 23 d6 1b 5a 86 8c 8f 03 ff 95 "
628		"d3 dc ee 23 ad 2f 1a b3 a6 c8 0e af 4b 14 0e b0 "
629		"5d e3 45 7f 0f bc 11 1a 6b 43 d0 76 3a a4 22 a3 "
630		"01 3c f1 dc 37 fe 41 7d 1f bf c4 49 b7 5d 4c c5",
631		/* tag */
632		"3b 62 9c cf bc 11 19 b7 31 9e 1d ce 2c d6 fd 6d"
633	}
634};
635
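/*
 * Compute the AES-GMAC authentication tag for one test vector.
 *
 * key/klen	key material handed to AES_GMAC_Setkey() (the vectors label
 *		this field "key + salt")
 * iv/ivlen	IV handed to AES_GMAC_Reinit()
 * aad/aadlen	additional authenticated data, may be NULL when aadlen is 0
 * in/len	ciphertext to authenticate, may be NULL when len is 0
 * out		receives the tag; the caller passes a GMAC_DIGEST_LEN buffer
 *
 * Return values of the AES_GMAC_* calls are not checked, as in the
 * original harness.
 */
static void
dogmac(const unsigned char *key, size_t klen,
    const unsigned char *iv, size_t ivlen,
    const unsigned char *aad, size_t aadlen,
    const unsigned char *in, unsigned char *out, size_t len)
{
	AES_GMAC_CTX ctx;
	uint8_t blk[GMAC_BLOCK_LEN];
	uint32_t bits;
	size_t off, chunk;	/* size_t: compared against size_t lengths */

	AES_GMAC_Init(&ctx);
	AES_GMAC_Setkey(&ctx, key, klen);
	AES_GMAC_Reinit(&ctx, iv, ivlen);

	/*
	 * Feed the AAD one block at a time; the last block is zero-padded
	 * here so the ciphertext that follows starts on a block boundary.
	 */
	for (off = 0; off < aadlen; off += GMAC_BLOCK_LEN) {
		chunk = MINIMUM(aadlen - off, GMAC_BLOCK_LEN);
		memset(blk, 0, sizeof(blk));
		memcpy(blk, aad + off, chunk);
		AES_GMAC_Update(&ctx, blk, GMAC_BLOCK_LEN);
	}

	/*
	 * Feed the ciphertext in block-sized pieces.  A short final piece is
	 * passed with its real length; padding it is left to
	 * AES_GMAC_Update(), whose body is not part of this file.
	 */
	for (off = 0; off < len; off += GMAC_BLOCK_LEN) {
		chunk = MINIMUM(len - off, GMAC_BLOCK_LEN);
		AES_GMAC_Update(&ctx, in + off, chunk);
	}

	/*
	 * Length block: the AAD and ciphertext bit counts, each stored
	 * big-endian in the low 32 bits of an 8-byte field (bytes 4..7 and
	 * 12..15).  The upper halves stay zero, so only lengths below
	 * 2^32 bits are representable, which covers every vector here.
	 * memcpy() is used instead of storing through a cast uint32_t
	 * pointer: blk is a byte array with no alignment guarantee, and the
	 * cast store also breaks the strict-aliasing rule.
	 */
	memset(blk, 0, sizeof(blk));
	bits = htobe32((uint32_t)(aadlen * 8));
	memcpy(blk + 4, &bits, sizeof(bits));
	bits = htobe32((uint32_t)(len * 8));
	memcpy(blk + 12, &bits, sizeof(bits));
	AES_GMAC_Update(&ctx, blk, 16);

	AES_GMAC_Final(out, &ctx);
}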
673
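/*
 * Compare two byte strings of length len.
 *
 * Returns 1 when they are equal.  Otherwise emits a "mismatch" warning,
 * prints both buffers as hex (a first, then b, one per line) and returns 0.
 *
 * memcmp() is adequate here because both sides are published known-answer
 * values.  Code that verifies a tag received from a peer should use a
 * constant-time comparison such as timingsafe_bcmp() instead.
 */
static int
match(unsigned char *a, unsigned char *b, size_t len)
{
	const unsigned char *bufs[2];
	size_t i;	/* size_t: len is unsigned, avoid a signed compare */
	int k;

	if (memcmp(a, b, len) == 0)
		return (1);

	warnx("mismatch");

	bufs[0] = a;
	bufs[1] = b;
	for (k = 0; k < 2; k++) {
		for (i = 0; i < len; i++)
			printf("%2.2x", bufs[k][i]);
		printf("\n");
	}

	return (0);
}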
693
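/*
 * Run test vector number num from tests[].
 *
 * Each non-NULL field is a string of two-digit hex bytes separated by
 * single spaces.  The fields are decoded into heap buffers, the tag is
 * computed with dogmac() and compared against the expected tag.
 *
 * Returns 0 when the computed tag matches, 1 on mismatch, on allocation
 * failure or when the vector itself is malformed.  num is not range
 * checked; the caller must pass a valid index into tests[].
 */
static int
run(int num)
{
	int i, fail = 1, length[TST_NUM];
	size_t len, off, n;
	u_long val;
	char *ep, *from;
	u_char *p, *data[TST_NUM], tag[GMAC_DIGEST_LEN];

	/* Start from a known state so the cleanup path can free everything. */
	for (i = 0; i < TST_NUM; i++) {
		data[i] = NULL;
		length[i] = 0;
	}

	for (i = 0; i < TST_NUM; i++) {
		from = tests[num].data[i];
		/* Passing NULL to %s is undefined, so spell it out. */
		if (debug)
			printf("%s\n", from ? from : "(null)");
		if (!from)
			continue;

		/* "xx xx xx" decodes to at most len / 3 + 1 bytes. */
		len = strlen(from);
		if ((p = malloc(len / 3 + 1)) == NULL) {
			warn("malloc");
			goto done;
		}
		/* Record ownership now so every error path frees p. */
		data[i] = p;

		n = 0;
		for (off = 0; off < len; off += 3) {
			errno = 0;
			val = strtoul(&from[off], &ep, 16);
			/*
			 * Require exactly two characters consumed, a value
			 * that fits in one byte, and a space or the end of
			 * the string right after it.  This keeps the next
			 * offset inside the string; the unchecked form could
			 * index past the terminator on a malformed vector.
			 */
			if (errno || val > 0xff || ep != &from[off + 2] ||
			    (*ep != ' ' && *ep != '\0')) {
				warnx("test vector %d: malformed hex in "
				    "field %d", num, i);
				goto done;
			}
			p[n++] = (u_char)val;
			if (*ep == '\0')
				break;
		}
		length[i] = (int)n;
	}

	/*
	 * dogmac() hands key and IV straight to the GMAC code, and match()
	 * reads GMAC_DIGEST_LEN bytes of the expected tag, so reject vectors
	 * that lack them instead of reading NULL or unset heap memory.
	 */
	if (data[TST_KEY] == NULL || data[TST_IV] == NULL ||
	    length[TST_TAG] != GMAC_DIGEST_LEN) {
		warnx("test vector %d: missing key/iv or bad tag length", num);
		goto done;
	}

	dogmac(data[TST_KEY], length[TST_KEY], data[TST_IV], length[TST_IV],
	    data[TST_AAD], length[TST_AAD], data[TST_CIPHER], tag,
	    length[TST_CIPHER]);

	fail = !match(data[TST_TAG], tag, GMAC_DIGEST_LEN);
	printf("%s test vector %d\n", fail ? "FAILED" : "OK", num);

 done:
	for (i = 0; i < TST_NUM; i++)
		free(data[i]);
	return (fail);
}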
741
/*
 * Run every entry of tests[] in order.
 * Exit status is 0 when all vectors pass and 1 when at least one fails.
 */
int
main(void)
{
	const size_t ntests = sizeof(tests) / sizeof(tests[0]);
	size_t n;
	int failures = 0;

	for (n = 0; n < ntests; n++)
		failures += run((int)n);

	if (failures > 0)
		return (1);
	return (0);
}
752
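/*
 * Local definition of explicit_bzero() for this test program: set the len
 * bytes starting at b to zero.
 *
 * The stores go through a volatile pointer so the compiler cannot discard
 * them as dead stores, even if this definition is inlined into a caller.
 * A plain bzero() or memset() gives no such guarantee, which is the whole
 * reason callers ask for explicit_bzero() when wiping key material.
 *
 * NOTE(review): presumably supplied because the code under test calls
 * explicit_bzero(); confirm against the build before removing it.
 */
void
explicit_bzero(void *b, size_t len)
{
	volatile unsigned char *p = b;

	while (len-- > 0)
		*p++ = 0;
}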
758