1 /*      $OpenBSD: gmac_test.c,v 1.2 2011/04/04 16:46:22 deraadt Exp $  */
2 
3 /*
4  * Copyright (c) 2010 Mike Belopuhov <mikeb@openbsd.org>
5  * Copyright (c) 2005 Markus Friedl <markus@openbsd.org>
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <sys/param.h>
21 #include <crypto/rijndael.h>
22 #include <crypto/gmac.h>
23 #include <err.h>
24 #include <errno.h>
25 #include <string.h>
26 #include <stdlib.h>
27 #include <stdio.h>
28 
/* Non-zero makes run() print each raw test-vector string before parsing it. */
int debug = 0;

/*
 * Indices into the data[] array of every tests[] entry; TST_NUM is the
 * number of fields per entry.
 */
enum { TST_KEY, TST_IV, TST_AAD, TST_CIPHER, TST_TAG, TST_NUM };
32 
/*
 * Known-answer vectors.  Each entry holds TST_NUM strings indexed by the
 * TST_* constants; a string is a list of two-digit hex bytes separated by
 * single spaces (run() decodes it), and NULL marks an absent, zero-length
 * field.
 *
 * The "key + salt" field is 20, 28 or 36 bytes here: an AES-128/192/256
 * key followed by four more bytes, and every iv is 8 bytes.
 * NOTE(review): presumably AES_GMAC_Setkey() takes the trailing four bytes
 * as the salt that is combined with the iv into a 96-bit nonce -- confirm
 * against gmac.c.
 *
 * Only the tag is verified: dogmac() authenticates the aad and the
 * ciphertext exactly as listed; nothing in this file encrypts or decrypts.
 */
struct {
	char	*data[TST_NUM];
} tests[] = {
	/* Test vectors from gcm-spec.pdf (initial proposal to NIST) */
	/*
	 * Test cases 5, 6, 11, 12, 17 and 18 are not listed.
	 * NOTE(review): presumably because their IVs do not fit the
	 * 4-byte salt + 8-byte iv layout -- confirm against the spec.
	 */

	/* 128 bit key */

	/* Test Case 1 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		NULL,
		/* tag */
		"58 e2 fc ce fa 7e 30 61 36 7f 1d 57 a4 e7 45 5a"
	},
	/* Test Case 2 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		"03 88 da ce 60 b6 a3 92 f3 28 c2 b9 71 b2 fe 78",
		/* tag */
		"ab 6e 47 d4 2c ec 13 bd f5 3a 67 b2 12 57 bd df"
	},
	/* Test Case 3 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		NULL,
		/* ciphertext */
		"42 83 1e c2 21 77 74 24 4b 72 21 b7 84 d0 d4 9c "
		"e3 aa 21 2f 2c 02 a4 e0 35 c1 7e 23 29 ac a1 2e "
		"21 d5 14 b2 54 66 93 1c 7d 8f 6a 5a ac 84 aa 05 "
		"1b a3 0b 39 6a 0a ac 97 3d 58 e0 91 47 3f 59 85",
		/* tag */
		"4d 5c 2a f3 27 cd 64 a6 2c f3 5a bd 2b a6 fa b4"
	},
	/* Test Case 4 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		"fe ed fa ce de ad be ef fe ed fa ce de ad be ef "
		"ab ad da d2",
		/* ciphertext */
		"42 83 1e c2 21 77 74 24 4b 72 21 b7 84 d0 d4 9c "
		"e3 aa 21 2f 2c 02 a4 e0 35 c1 7e 23 29 ac a1 2e "
		"21 d5 14 b2 54 66 93 1c 7d 8f 6a 5a ac 84 aa 05 "
		"1b a3 0b 39 6a 0a ac 97 3d 58 e0 91",
		/* tag */
		"5b c9 4f bc 32 21 a5 db 94 fa e9 5a e7 12 1a 47"
	},

	/* 192 bit key */

	/* Test Case 7 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		NULL,
		/* tag */
		"cd 33 b2 8a c7 73 f7 4b a0 0e d1 f3 12 57 24 35"
	},
	/* Test Case 8 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		"98 e7 24 7c 07 f0 fe 41 1c 26 7e 43 84 b0 f6 00",
		/* tag */
		"2f f5 8d 80 03 39 27 ab 8e f4 d4 58 75 14 f0 fb"
	},
	/* Test Case 9 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"fe ff e9 92 86 65 73 1c "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		NULL,
		/* ciphertext */
		"39 80 ca 0b 3c 00 e8 41 eb 06 fa c4 87 2a 27 57 "
		"85 9e 1c ea a6 ef d9 84 62 85 93 b4 0c a1 e1 9c "
		"7d 77 3d 00 c1 44 c5 25 ac 61 9d 18 c8 4a 3f 47 "
		"18 e2 44 8b 2f e3 24 d9 cc da 27 10 ac ad e2 56",
		/* tag */
		"99 24 a7 c8 58 73 36 bf b1 18 02 4d b8 67 4a 14"
	},
	/* Test Case 10 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"fe ff e9 92 86 65 73 1c "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		"fe ed fa ce de ad be ef fe ed fa ce de ad be ef "
		"ab ad da d2",
		/* ciphertext */
		"39 80 ca 0b 3c 00 e8 41 eb 06 fa c4 87 2a 27 57 "
		"85 9e 1c ea a6 ef d9 84 62 85 93 b4 0c a1 e1 9c "
		"7d 77 3d 00 c1 44 c5 25 ac 61 9d 18 c8 4a 3f 47 "
		"18 e2 44 8b 2f e3 24 d9 cc da 27 10",
		/* tag */
		"25 19 49 8e 80 f1 47 8f 37 ba 55 bd 6d 27 61 8c"
	},

	/* 256 bit key */

	/* Test Case 13 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		NULL,
		/* tag */
		"53 0f 8a fb c7 45 36 b9 a9 63 b4 f1 c4 cb 73 8b"
	},
	/* Test Case 14 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		"ce a7 40 3d 4d 60 6b 6e 07 4e c5 d3 ba f3 9d 18",
		/* tag */
		"d0 d1 c8 a7 99 99 6b f0 26 5b 98 b5 d4 8a b9 19"
	},
	/* Test Case 15 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		NULL,
		/* ciphertext */
		"52 2d c1 f0 99 56 7d 07 f4 7f 37 a3 2a 84 42 7d "
		"64 3a 8c dc bf e5 c0 c9 75 98 a2 bd 25 55 d1 aa "
		"8c b0 8e 48 59 0d bb 3d a7 b0 8b 10 56 82 88 38 "
		"c5 f6 1e 63 93 ba 7a 0a bc c9 f6 62 89 80 15 ad",
		/* tag */
		"b0 94 da c5 d9 34 71 bd ec 1a 50 22 70 e3 cc 6c"
	},
	/* Test Case 16 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		"fe ed fa ce de ad be ef fe ed fa ce de ad be ef "
		"ab ad da d2",
		/* ciphertext */
		"52 2d c1 f0 99 56 7d 07 f4 7f 37 a3 2a 84 42 7d "
		"64 3a 8c dc bf e5 c0 c9 75 98 a2 bd 25 55 d1 aa "
		"8c b0 8e 48 59 0d bb 3d a7 b0 8b 10 56 82 88 38 "
		"c5 f6 1e 63 93 ba 7a 0a bc c9 f6 62",
		/* tag */
		"76 fc 6e ce 0f 4e 17 68 cd df 88 53 bb 2d 55 1b"
	},

	/* Test vectors from draft-mcgrew-gcm-test-01.txt */

	/* Page 6 */
	{
		/* key + salt */
		"4c 80 cd ef bb 5d 10 da 90 6a c7 3c 36 13 a6 34 "
		"2e 44 3b 68",
		/* iv */
		"49 56 ed 7e 3b 24 4c fe",
		/* aad */
		"00 00 43 21 87 65 43 21 00 00 00 00",
		/* ciphertext */
		"fe cf 53 7e 72 9d 5b 07 dc 30 df 52 8d d2 2b 76 "
		"8d 1b 98 73 66 96 a6 fd 34 85 09 fa 13 ce ac 34 "
		"cf a2 43 6f 14 a3 f3 cf 65 92 5b f1 f4 a1 3c 5d "
		"15 b2 1e 18 84 f5 ff 62 47 ae ab b7 86 b9 3b ce "
		"61 bc 17 d7 68 fd 97 32",
		/* tag */
		"45 90 18 14 8f 6c be 72 2f d0 47 96 56 2d fd b4"
	},
	/* Page 7 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		"00 00 a5 f8 00 00 00 0a",
		/* ciphertext */
		"de b2 2c d9 b0 7c 72 c1 6e 3a 65 be eb 8d f3 04 "
		"a5 a5 89 7d 33 ae 53 0f 1b a7 6d 5d 11 4d 2a 5c "
		"3d e8 18 27 c1 0e 9a 4f 51 33 0d 0e ec 41 66 42 "
		"cf bb 85 a5 b4 7e 48 a4 ec 3b 9b a9 5d 91 8b d1",
		/* tag */
		"83 b7 0d 3a a8 bc 6e e4 c3 09 e9 d8 5a 41 ad 4a"
	},
	/* Page 8 */
	{
		/* key + salt */
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"11 22 33 44",
		/* iv */
		"01 02 03 04 05 06 07 08",
		/* aad */
		"4a 2c bf e3 00 00 00 02",
		/* ciphertext */
		"ff 42 5c 9b 72 45 99 df 7a 3b cd 51 01 94 e0 0d "
		"6a 78 10 7f 1b 0b 1c bf 06 ef ae 9d 65 a5 d7 63 "
		"74 8a 63 79 85 77 1d 34 7f 05 45 65 9f 14 e9 9d "
		"ef 84 2d 8e",
		/* tag */
		"b3 35 f4 ee cf db f8 31 82 4b 4c 49 15 95 6c 96"
	},
	/* Page 9 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		"00 00 00 00 00 00 00 01",
		/* ciphertext */
		"46 88 da f2 f9 73 a3 92 73 29 09 c3 31 d5 6d 60 "
		"f6 94 ab aa 41 4b 5e 7f f5 fd cd ff f5 e9 a2 84 "
		"45 64 76 49 27 19 ff b6 4d e7 d9 dc a1 e1 d8 94 "
		"bc 3b d5 78 73 ed 4d 18 1d 19 d4 d5 c8 c1 8a f3",
		/* tag */
		"f8 21 d4 96 ee b0 96 e9 8a d2 b6 9e 47 99 c7 1d"
	},
	/* Page 10 */
	{
		/* key + salt */
		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
		"57 69 0e 43",
		/* iv */
		"4e 28 00 00 a2 fc a1 a3",
		/* aad */
		"42 f6 7e 3f 10 10 10 10 10 10 10 10",
		/* ciphertext */
		"fb a2 ca a4 85 3c f9 f0 f2 2c b1 0d 86 dd 83 b0 "
		"fe c7 56 91 cf 1a 04 b0 0d 11 38 ec 9c 35 79 17 "
		"65 ac bd 87 01 ad 79 84 5b f9 fe 3f ba 48 7b c9 "
		"17 55 e6 66 2b 4c 8d 0d 1f 5e 22 73 95 30 32 0a",
		/* tag */
		"e0 d7 31 cc 97 8e ca fa ea e8 8f 00 e8 0d 6e 48"
	},
	/* Page 11 */
	{
		/* key + salt */
		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
		"57 69 0e 43",
		/* iv */
		"4e 28 00 00 a2 fc a1 a3",
		/* aad */
		"42 f6 7e 3f 10 10 10 10 10 10 10 10",
		/* ciphertext */
		"fb a2 ca 84 5e 5d f9 f0 f2 2c 3e 6e 86 dd 83 1e "
		"1f c6 57 92 cd 1a f9 13 0e 13 79 ed",
		/* tag */
		"36 9f 07 1f 35 e0 34 be 95 f1 12 e4 e7 d0 5d 35"
	},
	/* Page 11 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"fe ff e9 92 86 65 73 1c "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		"00 00 a5 f8 00 00 00 0a",
		/* ciphertext */
		"a5 b1 f8 06 60 29 ae a4 0e 59 8b 81 22 de 02 42 "
		"09 38 b3 ab 33 f8 28 e6 87 b8 85 8b 5b fb db d0 "
		"31 5b 27 45 21 44 cc 77",
		/* tag */
		"95 45 7b 96 52 03 7f 53 18 02 7b 5b 4c d7 a6 36"
	},
	/* Page 12 */
	{
		/* key + salt */
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"de ca f8 88",
		/* iv */
		"ca fe de ba ce fa ce 74",
		/* aad */
		"00 00 01 00 00 00 00 00 00 00 00 01",
		/* ciphertext */
		"18 a6 fd 42 f7 2c bf 4a b2 a2 ea 90 1f 73 d8 14 "
		"e3 e7 f2 43 d9 54 12 e1 c3 49 c1 d2 fb ec 16 8f "
		"91 90 fe eb af 2c b0 19 84 e6 58 63 96 5d 74 72 "
		"b7 9d a3 45 e0 e7 80 19 1f 0d 2f 0e 0f 49 6c 22 "
		"6f 21 27 b2 7d b3 57 24 e7 84 5d 68",
		/* tag */
		"65 1f 57 e6 5f 35 4f 75 ff 17 01 57 69 62 34 36"
	},
	/* Page 13 */
	{
		/* key + salt */
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"73 61 6c 74",
		/* iv */
		"61 6e 64 01 69 76 65 63",
		/* aad */
		"17 40 5e 67 15 6f 31 26 dd 0d b9 9b",
		/* ciphertext */
		"f2 d6 9e cd bd 5a 0d 5b 8d 5e f3 8b ad 4d a5 8d "
		"1f 27 8f de 98 ef 67 54 9d 52 4a 30 18 d9 a5 7f "
		"f4 d3 a3 1c e6 73 11 9e",
		/* tag */
		"45 16 26 c2 41 57 71 e3 b7 ee bc a6 14 c8 9b 35"
	},
	/* Page 14 */
	{
		/* key + salt */
		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
		"57 69 0e 43",
		/* iv */
		"4e 28 00 00 a2 fc a1 a3",
		/* aad */
		"42 f6 7e 3f 10 10 10 10 10 10 10 10",
		/* ciphertext */
		"fb a2 ca d1 2f c1 f9 f0 0d 3c eb f3 05 41 0d b8 "
		"3d 77 84 b6 07 32 3d 22 0f 24 b0 a9 7d 54 18 28 "
		"00 ca db 0f 68 d9 9e f0 e0 c0 c8 9a e9 be a8 88 "
		"4e 52 d6 5b c1 af d0 74 0f 74 24 44 74 7b 5b 39 "
		"ab 53 31 63 aa d4 55 0e e5 16 09 75",
		/* tag */
		"cd b6 08 c5 76 91 89 60 97 63 b8 e1 8c aa 81 e2"
	},
	/* Page 15 */
	{
		/* key + salt */
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"73 61 6c 74",
		/* iv */
		"61 6e 64 01 69 76 65 63",
		/* aad */
		"17 40 5e 67 15 6f 31 26 dd 0d b9 9b",
		/* ciphertext */
		"d4 b7 ed 86 a1 77 7f 2e a1 3d 69 73 d3 24 c6 9e "
		"7b 43 f8 26 fb 56 83 12 26 50 8b eb d2 dc eb 18 "
		"d0 a6 df 10 e5 48 7d f0 74 11 3e 14 c6 41 02 4e "
		"3e 67 73 d9 1a 62 ee 42 9b 04 3a 10 e3 ef e6 b0 "
		"12 a4 93 63 41 23 64 f8",
		/* tag */
		"c0 ca c5 87 f2 49 e5 6b 11 e2 4f 30 e4 4c cc 76"
	},
	/* Page 16 */
	{
		/* key + salt */
		"7d 77 3d 00 c1 44 c5 25 ac 61 9d 18 c8 4a 3f 47 "
		"d9 66 42 67",
		/* iv */
		"43 45 7e 91 82 44 3b c6",
		/* aad */
		"33 54 67 ae ff ff ff ff",
		/* ciphertext */
		"43 7f 86 6b",
		/* tag */
		"cb 3f 69 9f e9 b0 82 2b ac 96 1c 45 04 be f2 70"
	},
	/* Page 16 */
	{
		/* key + salt */
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"de ca f8 88",
		/* iv */
		"ca fe de ba ce fa ce 74",
		/* aad */
		"00 00 01 00 00 00 00 00 00 00 00 01",
		/* ciphertext */
		"29 c9 fc 69 a1 97 d0 38 cc dd 14 e2 dd fc aa 05 "
		"43 33 21 64",
		/* tag */
		"41 25 03 52 43 03 ed 3c 6c 5f 28 38 43 af 8c 3e"
	},
	/* Page 17 */
	{
		/* key + salt */
		"6c 65 67 61 6c 69 7a 65 6d 61 72 69 6a 75 61 6e "
		"61 61 6e 64 64 6f 69 74 62 65 66 6f 72 65 69 61 "
		"74 75 72 6e",
		/* iv */
		"33 30 21 69 67 65 74 6d",
		/* aad */
		"79 6b 69 63 ff ff ff ff ff ff ff ff",
		/* ciphertext */
		"f9 7a b2 aa 35 6d 8e dc e1 76 44 ac 8c 78 e2 5d "
		"d2 4d ed bb 29 eb f1 b6 4a 27 4b 39 b4 9c 3a 86 "
		"4c d3 d7 8c a4 ae 68 a3 2b 42 45 8f b5 7d be 82 "
		"1d cc 63 b9",
		/* tag */
		"d0 93 7b a2 94 5f 66 93 68 66 1a 32 9f b4 c0 53"
	},
	/* Page 18 */
	{
		/* key + salt */
		"4c 80 cd ef bb 5d 10 da 90 6a c7 3c 36 13 a6 34 "
		"22 43 3c 64",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		"00 00 43 21 00 00 00 07 00 00 00 00 00 00 00 00 "
		"45 00 00 30 da 3a 00 00 80 01 df 3b c0 a8 00 05 "
		"c0 a8 00 01 08 00 c6 cd 02 00 07 00 61 62 63 64 "
		"65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 "
		"01 02 02 01",
		/* ciphertext */
		NULL,
		/* tag */
		"f2 a9 a8 36 e1 55 10 6a a8 dc d6 18 e4 09 9a aa"
	},
	/* Page 19 */
	{
		/* key + salt */
		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
		"57 69 0e 43",
		/* iv */
		"4e 28 00 00 a2 fc a1 a3",
		/* aad */
		"3f 7e f6 42 10 10 10 10 10 10 10 10",
		/* ciphertext */
		"fb a2 ca a8 c6 c5 f9 f0 f2 2c a5 4a 06 12 10 ad "
		"3f 6e 57 91 cf 1a ca 21 0d 11 7c ec 9c 35 79 17 "
		"65 ac bd 87 01 ad 79 84 5b f9 fe 3f ba 48 7b c9 "
		"63 21 93 06",
		/* tag */
		"84 ee ca db 56 91 25 46 e7 a9 5c 97 40 d7 cb 05"
	},
	/* Page 20 */
	{
		/* key + salt */
		"4c 80 cd ef bb 5d 10 da 90 6a c7 3c 36 13 a6 34 "
		"22 43 3c 64",
		/* iv */
		"48 55 ec 7d 3a 23 4b fd",
		/* aad */
		"00 00 43 21 87 65 43 21 00 00 00 07",
		/* ciphertext */
		"74 75 2e 8a eb 5d 87 3c d7 c0 f4 ac c3 6c 4b ff "
		"84 b7 d7 b9 8f 0c a8 b6 ac da 68 94 bc 61 90 69",
		/* tag */
		"ef 9c bc 28 fe 1b 56 a7 c4 e0 d5 8c 86 cd 2b c0"
	}
};
535 
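/* Store v at dst[0..7] in big-endian byte order. */
static void
put_be64(uint8_t *dst, uint64_t v)
{
	int i;

	for (i = 7; i >= 0; i--) {
		dst[i] = (uint8_t)(v & 0xff);
		v >>= 8;
	}
}

/*
 * Compute the AES-GMAC tag over the aad and the ciphertext.
 *
 * key/klen	key material handed unchanged to AES_GMAC_Setkey()
 * iv/ivlen	per-message iv handed to AES_GMAC_Reinit()
 * aad/aadlen	additional authenticated data (may be NULL with length 0)
 * in/len	ciphertext to authenticate (may be NULL with length 0)
 * out		receives the tag written by AES_GMAC_Final()
 *
 * The aad and the ciphertext go in as two separate Update calls.
 * NOTE(review): this relies on AES_GMAC_Update() zero-padding each call
 * to a whole block -- confirm against gmac.c.
 */
static void
dogmac(const unsigned char *key, size_t klen,
    const unsigned char *iv, size_t ivlen,
    const unsigned char *aad, size_t aadlen,
    const unsigned char *in, unsigned char *out, size_t len)
{
	AES_GMAC_CTX ctx;
	uint8_t blk[16];

	AES_GMAC_Init(&ctx);
	AES_GMAC_Setkey(&ctx, key, klen);
	AES_GMAC_Reinit(&ctx, iv, ivlen);

	AES_GMAC_Update(&ctx, aad, aadlen);
	AES_GMAC_Update(&ctx, in, len);

	/*
	 * Closing length block: the bit length of the aad followed by the
	 * bit length of the ciphertext, each a 64-bit big-endian integer.
	 * The bytes are stored one at a time so that blk is never accessed
	 * through a uint32_t pointer (strict-aliasing and alignment), and
	 * the lengths are no longer truncated to 32 bits.
	 */
	put_be64(blk, (uint64_t)aadlen * 8);
	put_be64(blk + 8, (uint64_t)len * 8);
	AES_GMAC_Update(&ctx, blk, sizeof blk);

	AES_GMAC_Final(out, &ctx);
}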
565 
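/*
 * Compare two byte buffers of len bytes.
 *
 * Returns 1 when they are equal.  Otherwise reports "mismatch" through
 * warnx(), prints a and then b as hex on stdout (one line each) and
 * returns 0.  A NULL buffer counts as a mismatch and is not dumped.
 *
 * memcmp() is not constant-time.  That is fine for comparing against
 * published test vectors; code that verifies a tag on received data
 * should use a constant-time compare such as timingsafe_bcmp(3).
 */
static int
match(unsigned char *a, unsigned char *b, size_t len)
{
	size_t i;	/* size_t: an int index was compared against a size_t */

	if (a == NULL || b == NULL) {
		warnx("mismatch");
		return (0);
	}

	if (memcmp(a, b, len) == 0)
		return (1);

	warnx("mismatch");

	for (i = 0; i < len; i++)
		printf("%2.2x", a[i]);
	printf("\n");
	for (i = 0; i < len; i++)
		printf("%2.2x", b[i]);
	printf("\n");

	return (0);
}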
585 
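/* Decode one hexadecimal digit; returns its value, or -1 if c is not one. */
static int
hex_nibble(char c)
{
	if (c >= '0' && c <= '9')
		return (c - '0');
	if (c >= 'a' && c <= 'f')
		return (c - 'a' + 10);
	if (c >= 'A' && c <= 'F')
		return (c - 'A' + 10);
	return (-1);
}

/*
 * Run test vector number num from tests[].
 *
 * Every non-NULL field is decoded from its "xx xx xx" hex form into a
 * freshly allocated buffer, the tag is computed with dogmac() and then
 * compared with the expected tag.  A result line is printed on stdout.
 *
 * Returns 0 when the tags agree and 1 otherwise; a bad index, a failed
 * allocation or a malformed vector also returns 1.
 */
static int
run(int num)
{
	int i, hi, lo, fail = 1, length[TST_NUM];
	size_t j, n, len;
	char sep, *from;
	u_char *p, *data[TST_NUM], tag[GMAC_DIGEST_LEN];

	for (i = 0; i < TST_NUM; i++) {
		data[i] = NULL;
		length[i] = 0;
	}

	/* tests[num] is indexed below, so reject anything outside the table. */
	if (num < 0 || (size_t)num >= sizeof(tests) / sizeof(tests[0])) {
		warnx("test vector %d: no such entry", num);
		return (fail);
	}

	for (i = 0; i < TST_NUM; i++) {
		from = tests[num].data[i];
		/* Passing NULL for %s is undefined, so substitute a literal. */
		if (debug)
			printf("%s\n", from ? from : "(null)");
		if (!from)
			continue;	/* absent field: stays NULL with length 0 */

		/*
		 * n bytes are written as two hex digits each with a single
		 * space between bytes, i.e. exactly 3n - 1 characters.
		 */
		len = strlen(from);
		if (len % 3 != 2) {
			warnx("test vector %d: malformed field %d", num, i);
			goto done;
		}
		n = (len + 1) / 3;
		if ((p = malloc(n)) == NULL) {
			warn("malloc");
			goto done;
		}
		data[i] = p;	/* owned by data[] now; freed at done */

		for (j = 0; j < n; j++) {
			hi = hex_nibble(from[j * 3]);
			lo = hex_nibble(from[j * 3 + 1]);
			sep = from[j * 3 + 2];
			if (hi < 0 || lo < 0 || (sep != ' ' && sep != '\0')) {
				warnx("test vector %d: malformed field %d",
				    num, i);
				goto done;
			}
			p[j] = (u_char)((hi << 4) | lo);
		}
		length[i] = (int)n;
	}

	/*
	 * match() reads GMAC_DIGEST_LEN bytes of the expected tag, and
	 * dogmac() needs a key and an iv, so check them before use.
	 */
	if (data[TST_KEY] == NULL || data[TST_IV] == NULL ||
	    length[TST_TAG] != GMAC_DIGEST_LEN) {
		warnx("test vector %d: missing key/iv or bad tag length", num);
		goto done;
	}

	dogmac(data[TST_KEY], length[TST_KEY], data[TST_IV], length[TST_IV],
	    data[TST_AAD], length[TST_AAD], data[TST_CIPHER], tag,
	    length[TST_CIPHER]);

	fail = !match(data[TST_TAG], tag, GMAC_DIGEST_LEN);
	printf("%s test vector %d\n", fail ? "FAILED" : "OK", num);

 done:
	for (i = 0; i < TST_NUM; i++)
		free(data[i]);
	return (fail);
}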
633 
/*
 * Run every entry of tests[] in order.
 * Exit status is 0 when all vectors pass and 1 when at least one fails.
 */
int
main(void)
{
	const size_t ntests = sizeof(tests) / sizeof(tests[0]);
	size_t idx;
	int failures = 0;

	for (idx = 0; idx < ntests; idx++)
		failures += run((int)idx);

	if (failures > 0)
		return (1);
	return (0);
}
644 
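/*
 * Local definition of explicit_bzero() for this test program.
 *
 * Zeroes len bytes at b.  The stores go through a volatile pointer so the
 * compiler cannot drop them as dead writes; a plain bzero() wrapper gives
 * no such guarantee, which is the one property callers of
 * explicit_bzero() rely on when scrubbing key material.
 */
void
explicit_bzero(void *b, size_t len)
{
	volatile unsigned char *p = b;

	while (len-- > 0)
		*p++ = 0;
}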
650