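/*	$OpenBSD: gmac_test.c,v 1.7 2021/12/14 06:27:48 deraadt Exp $	*/

/*
 * Copyright (c) 2010 Mike Belopuhov <mikeb@openbsd.org>
 * Copyright (c) 2005 Markus Friedl <markus@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <crypto/aes.h>
#include <crypto/gmac.h>
#include <err.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

#define MINIMUM(a, b)	(((a) < (b)) ? (a) : (b))

/* Set to non-zero to echo every vector field before it is decoded. */
int debug = 0;

/* Index of each field inside a test vector; TST_NUM is the field count. */
enum { TST_KEY, TST_IV, TST_AAD, TST_CIPHER, TST_TAG, TST_NUM };

/*
 * Known-answer vectors.  Every field is a string of space-separated hex
 * byte pairs, or NULL when the field is absent.  The key field carries
 * the AES key followed by four extra "salt" bytes (20, 28 or 36 bytes in
 * total); the tag field is the expected 16-byte GMAC output.
 */
struct {
	const char *data[TST_NUM];
} tests[] = {
	/* Test vectors from gcm-spec.pdf (initial proposal to NIST) */

	/* 128 bit key */

	/* Test Case 1 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		NULL,
		/* tag */
		"58 e2 fc ce fa 7e 30 61 36 7f 1d 57 a4 e7 45 5a"
	},
	/* Test Case 2 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		"03 88 da ce 60 b6 a3 92 f3 28 c2 b9 71 b2 fe 78",
		/* tag */
		"ab 6e 47 d4 2c ec 13 bd f5 3a 67 b2 12 57 bd df"
	},
	/* Test Case 3 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		NULL,
		/* ciphertext */
		"42 83 1e c2 21 77 74 24 4b 72 21 b7 84 d0 d4 9c "
		"e3 aa 21 2f 2c 02 a4 e0 35 c1 7e 23 29 ac a1 2e "
		"21 d5 14 b2 54 66 93 1c 7d 8f 6a 5a ac 84 aa 05 "
		"1b a3 0b 39 6a 0a ac 97 3d 58 e0 91 47 3f 59 85",
		/* tag */
		"4d 5c 2a f3 27 cd 64 a6 2c f3 5a bd 2b a6 fa b4"
	},
	/* Test Case 4 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		"fe ed fa ce de ad be ef fe ed fa ce de ad be ef "
		"ab ad da d2",
		/* ciphertext */
		"42 83 1e c2 21 77 74 24 4b 72 21 b7 84 d0 d4 9c "
		"e3 aa 21 2f 2c 02 a4 e0 35 c1 7e 23 29 ac a1 2e "
		"21 d5 14 b2 54 66 93 1c 7d 8f 6a 5a ac 84 aa 05 "
		"1b a3 0b 39 6a 0a ac 97 3d 58 e0 91",
		/* tag */
		"5b c9 4f bc 32 21 a5 db 94 fa e9 5a e7 12 1a 47"
	},

	/* 192 bit key */

	/* Test Case 7 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		NULL,
		/* tag */
		"cd 33 b2 8a c7 73 f7 4b a0 0e d1 f3 12 57 24 35"
	},
	/* Test Case 8 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		"98 e7 24 7c 07 f0 fe 41 1c 26 7e 43 84 b0 f6 00",
		/* tag */
		"2f f5 8d 80 03 39 27 ab 8e f4 d4 58 75 14 f0 fb"
	},
	/* Test Case 9 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"fe ff e9 92 86 65 73 1c "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		NULL,
		/* ciphertext */
		"39 80 ca 0b 3c 00 e8 41 eb 06 fa c4 87 2a 27 57 "
		"85 9e 1c ea a6 ef d9 84 62 85 93 b4 0c a1 e1 9c "
		"7d 77 3d 00 c1 44 c5 25 ac 61 9d 18 c8 4a 3f 47 "
		"18 e2 44 8b 2f e3 24 d9 cc da 27 10 ac ad e2 56",
		/* tag */
		"99 24 a7 c8 58 73 36 bf b1 18 02 4d b8 67 4a 14"
	},
	/* Test Case 10 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"fe ff e9 92 86 65 73 1c "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		"fe ed fa ce de ad be ef fe ed fa ce de ad be ef "
		"ab ad da d2",
		/* ciphertext */
		"39 80 ca 0b 3c 00 e8 41 eb 06 fa c4 87 2a 27 57 "
		"85 9e 1c ea a6 ef d9 84 62 85 93 b4 0c a1 e1 9c "
		"7d 77 3d 00 c1 44 c5 25 ac 61 9d 18 c8 4a 3f 47 "
		"18 e2 44 8b 2f e3 24 d9 cc da 27 10",
		/* tag */
		"25 19 49 8e 80 f1 47 8f 37 ba 55 bd 6d 27 61 8c"
	},

	/* 256 bit key */

	/* Test Case 13 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		NULL,
		/* tag */
		"53 0f 8a fb c7 45 36 b9 a9 63 b4 f1 c4 cb 73 8b"
	},
	/* Test Case 14 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		"ce a7 40 3d 4d 60 6b 6e 07 4e c5 d3 ba f3 9d 18",
		/* tag */
		"d0 d1 c8 a7 99 99 6b f0 26 5b 98 b5 d4 8a b9 19"
	},
	/* Test Case 15 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		NULL,
		/* ciphertext */
		"52 2d c1 f0 99 56 7d 07 f4 7f 37 a3 2a 84 42 7d "
		"64 3a 8c dc bf e5 c0 c9 75 98 a2 bd 25 55 d1 aa "
		"8c b0 8e 48 59 0d bb 3d a7 b0 8b 10 56 82 88 38 "
		"c5 f6 1e 63 93 ba 7a 0a bc c9 f6 62 89 80 15 ad",
		/* tag */
		"b0 94 da c5 d9 34 71 bd ec 1a 50 22 70 e3 cc 6c"
	},
	/* Test Case 16 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		"fe ed fa ce de ad be ef fe ed fa ce de ad be ef "
		"ab ad da d2",
		/* ciphertext */
		"52 2d c1 f0 99 56 7d 07 f4 7f 37 a3 2a 84 42 7d "
		"64 3a 8c dc bf e5 c0 c9 75 98 a2 bd 25 55 d1 aa "
		"8c b0 8e 48 59 0d bb 3d a7 b0 8b 10 56 82 88 38 "
		"c5 f6 1e 63 93 ba 7a 0a bc c9 f6 62",
		/* tag */
		"76 fc 6e ce 0f 4e 17 68 cd df 88 53 bb 2d 55 1b"
	},

	/* Test vectors from draft-mcgrew-gcm-test-01.txt */

	/* Page 6 */
	{
		/* key + salt */
		"4c 80 cd ef bb 5d 10 da 90 6a c7 3c 36 13 a6 34 "
		"2e 44 3b 68",
		/* iv */
		"49 56 ed 7e 3b 24 4c fe",
		/* aad */
		"00 00 43 21 87 65 43 21 00 00 00 00",
		/* ciphertext */
		"fe cf 53 7e 72 9d 5b 07 dc 30 df 52 8d d2 2b 76 "
		"8d 1b 98 73 66 96 a6 fd 34 85 09 fa 13 ce ac 34 "
		"cf a2 43 6f 14 a3 f3 cf 65 92 5b f1 f4 a1 3c 5d "
		"15 b2 1e 18 84 f5 ff 62 47 ae ab b7 86 b9 3b ce "
		"61 bc 17 d7 68 fd 97 32",
		/* tag */
		"45 90 18 14 8f 6c be 72 2f d0 47 96 56 2d fd b4"
	},
	/* Page 7 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		"00 00 a5 f8 00 00 00 0a",
		/* ciphertext */
		"de b2 2c d9 b0 7c 72 c1 6e 3a 65 be eb 8d f3 04 "
		"a5 a5 89 7d 33 ae 53 0f 1b a7 6d 5d 11 4d 2a 5c "
		"3d e8 18 27 c1 0e 9a 4f 51 33 0d 0e ec 41 66 42 "
		"cf bb 85 a5 b4 7e 48 a4 ec 3b 9b a9 5d 91 8b d1",
		/* tag */
		"83 b7 0d 3a a8 bc 6e e4 c3 09 e9 d8 5a 41 ad 4a"
	},
	/* Page 8 */
	{
		/* key + salt */
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"11 22 33 44",
		/* iv */
		"01 02 03 04 05 06 07 08",
		/* aad */
		"4a 2c bf e3 00 00 00 02",
		/* ciphertext */
		"ff 42 5c 9b 72 45 99 df 7a 3b cd 51 01 94 e0 0d "
		"6a 78 10 7f 1b 0b 1c bf 06 ef ae 9d 65 a5 d7 63 "
		"74 8a 63 79 85 77 1d 34 7f 05 45 65 9f 14 e9 9d "
		"ef 84 2d 8e",
		/* tag */
		"b3 35 f4 ee cf db f8 31 82 4b 4c 49 15 95 6c 96"
	},
	/* Page 9 */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		"00 00 00 00 00 00 00 01",
		/* ciphertext */
		"46 88 da f2 f9 73 a3 92 73 29 09 c3 31 d5 6d 60 "
		"f6 94 ab aa 41 4b 5e 7f f5 fd cd ff f5 e9 a2 84 "
		"45 64 76 49 27 19 ff b6 4d e7 d9 dc a1 e1 d8 94 "
		"bc 3b d5 78 73 ed 4d 18 1d 19 d4 d5 c8 c1 8a f3",
		/* tag */
		"f8 21 d4 96 ee b0 96 e9 8a d2 b6 9e 47 99 c7 1d"
	},
	/* Page 10 */
	{
		/* key + salt */
		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
		"57 69 0e 43",
		/* iv */
		"4e 28 00 00 a2 fc a1 a3",
		/* aad */
		"42 f6 7e 3f 10 10 10 10 10 10 10 10",
		/* ciphertext */
		"fb a2 ca a4 85 3c f9 f0 f2 2c b1 0d 86 dd 83 b0 "
		"fe c7 56 91 cf 1a 04 b0 0d 11 38 ec 9c 35 79 17 "
		"65 ac bd 87 01 ad 79 84 5b f9 fe 3f ba 48 7b c9 "
		"17 55 e6 66 2b 4c 8d 0d 1f 5e 22 73 95 30 32 0a",
		/* tag */
		"e0 d7 31 cc 97 8e ca fa ea e8 8f 00 e8 0d 6e 48"
	},
	/* Page 11 */
	{
		/* key + salt */
		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
		"57 69 0e 43",
		/* iv */
		"4e 28 00 00 a2 fc a1 a3",
		/* aad */
		"42 f6 7e 3f 10 10 10 10 10 10 10 10",
		/* ciphertext */
		"fb a2 ca 84 5e 5d f9 f0 f2 2c 3e 6e 86 dd 83 1e "
		"1f c6 57 92 cd 1a f9 13 0e 13 79 ed",
		/* tag */
		"36 9f 07 1f 35 e0 34 be 95 f1 12 e4 e7 d0 5d 35"
	},
	/* Page 11 */
	{
		/* key + salt */
		"fe ff e9 92 86 65 73 1c 6d 6a 8f 94 67 30 83 08 "
		"fe ff e9 92 86 65 73 1c "
		"ca fe ba be",
		/* iv */
		"fa ce db ad de ca f8 88",
		/* aad */
		"00 00 a5 f8 00 00 00 0a",
		/* ciphertext */
		"a5 b1 f8 06 60 29 ae a4 0e 59 8b 81 22 de 02 42 "
		"09 38 b3 ab 33 f8 28 e6 87 b8 85 8b 5b fb db d0 "
		"31 5b 27 45 21 44 cc 77",
		/* tag */
		"95 45 7b 96 52 03 7f 53 18 02 7b 5b 4c d7 a6 36"
	},
	/* Page 12 */
	{
		/* key + salt */
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"de ca f8 88",
		/* iv */
		"ca fe de ba ce fa ce 74",
		/* aad */
		"00 00 01 00 00 00 00 00 00 00 00 01",
		/* ciphertext */
		"18 a6 fd 42 f7 2c bf 4a b2 a2 ea 90 1f 73 d8 14 "
		"e3 e7 f2 43 d9 54 12 e1 c3 49 c1 d2 fb ec 16 8f "
		"91 90 fe eb af 2c b0 19 84 e6 58 63 96 5d 74 72 "
		"b7 9d a3 45 e0 e7 80 19 1f 0d 2f 0e 0f 49 6c 22 "
		"6f 21 27 b2 7d b3 57 24 e7 84 5d 68",
		/* tag */
		"65 1f 57 e6 5f 35 4f 75 ff 17 01 57 69 62 34 36"
	},
	/* Page 13 */
	{
		/* key + salt */
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"73 61 6c 74",
		/* iv */
		"61 6e 64 01 69 76 65 63",
		/* aad */
		"17 40 5e 67 15 6f 31 26 dd 0d b9 9b",
		/* ciphertext */
		"f2 d6 9e cd bd 5a 0d 5b 8d 5e f3 8b ad 4d a5 8d "
		"1f 27 8f de 98 ef 67 54 9d 52 4a 30 18 d9 a5 7f "
		"f4 d3 a3 1c e6 73 11 9e",
		/* tag */
		"45 16 26 c2 41 57 71 e3 b7 ee bc a6 14 c8 9b 35"
	},
	/* Page 14 */
	{
		/* key + salt */
		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
		"57 69 0e 43",
		/* iv */
		"4e 28 00 00 a2 fc a1 a3",
		/* aad */
		"42 f6 7e 3f 10 10 10 10 10 10 10 10",
		/* ciphertext */
		"fb a2 ca d1 2f c1 f9 f0 0d 3c eb f3 05 41 0d b8 "
		"3d 77 84 b6 07 32 3d 22 0f 24 b0 a9 7d 54 18 28 "
		"00 ca db 0f 68 d9 9e f0 e0 c0 c8 9a e9 be a8 88 "
		"4e 52 d6 5b c1 af d0 74 0f 74 24 44 74 7b 5b 39 "
		"ab 53 31 63 aa d4 55 0e e5 16 09 75",
		/* tag */
		"cd b6 08 c5 76 91 89 60 97 63 b8 e1 8c aa 81 e2"
	},
	/* Page 15 */
	{
		/* key + salt */
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"73 61 6c 74",
		/* iv */
		"61 6e 64 01 69 76 65 63",
		/* aad */
		"17 40 5e 67 15 6f 31 26 dd 0d b9 9b",
		/* ciphertext */
		"d4 b7 ed 86 a1 77 7f 2e a1 3d 69 73 d3 24 c6 9e "
		"7b 43 f8 26 fb 56 83 12 26 50 8b eb d2 dc eb 18 "
		"d0 a6 df 10 e5 48 7d f0 74 11 3e 14 c6 41 02 4e "
		"3e 67 73 d9 1a 62 ee 42 9b 04 3a 10 e3 ef e6 b0 "
		"12 a4 93 63 41 23 64 f8",
		/* tag */
		"c0 ca c5 87 f2 49 e5 6b 11 e2 4f 30 e4 4c cc 76"
	},
	/* Page 16 */
	{
		/* key + salt */
		"7d 77 3d 00 c1 44 c5 25 ac 61 9d 18 c8 4a 3f 47 "
		"d9 66 42 67",
		/* iv */
		"43 45 7e 91 82 44 3b c6",
		/* aad */
		"33 54 67 ae ff ff ff ff",
		/* ciphertext */
		"43 7f 86 6b",
		/* tag */
		"cb 3f 69 9f e9 b0 82 2b ac 96 1c 45 04 be f2 70"
	},
	/* Page 16 */
	{
		/* key + salt */
		"ab bc cd de f0 01 12 23 34 45 56 67 78 89 9a ab "
		"de ca f8 88",
		/* iv */
		"ca fe de ba ce fa ce 74",
		/* aad */
		"00 00 01 00 00 00 00 00 00 00 00 01",
		/* ciphertext */
		"29 c9 fc 69 a1 97 d0 38 cc dd 14 e2 dd fc aa 05 "
		"43 33 21 64",
		/* tag */
		"41 25 03 52 43 03 ed 3c 6c 5f 28 38 43 af 8c 3e"
	},
	/* Page 17 */
	{
		/* key + salt */
		"6c 65 67 61 6c 69 7a 65 6d 61 72 69 6a 75 61 6e "
		"61 61 6e 64 64 6f 69 74 62 65 66 6f 72 65 69 61 "
		"74 75 72 6e",
		/* iv */
		"33 30 21 69 67 65 74 6d",
		/* aad */
		"79 6b 69 63 ff ff ff ff ff ff ff ff",
		/* ciphertext */
		"f9 7a b2 aa 35 6d 8e dc e1 76 44 ac 8c 78 e2 5d "
		"d2 4d ed bb 29 eb f1 b6 4a 27 4b 39 b4 9c 3a 86 "
		"4c d3 d7 8c a4 ae 68 a3 2b 42 45 8f b5 7d be 82 "
		"1d cc 63 b9",
		/* tag */
		"d0 93 7b a2 94 5f 66 93 68 66 1a 32 9f b4 c0 53"
	},
	/* Page 18 */
	{
		/* key + salt */
		"4c 80 cd ef bb 5d 10 da 90 6a c7 3c 36 13 a6 34 "
		"22 43 3c 64",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		"00 00 43 21 00 00 00 07 00 00 00 00 00 00 00 00 "
		"45 00 00 30 da 3a 00 00 80 01 df 3b c0 a8 00 05 "
		"c0 a8 00 01 08 00 c6 cd 02 00 07 00 61 62 63 64 "
		"65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 "
		"01 02 02 01",
		/* ciphertext */
		NULL,
		/* tag */
		"f2 a9 a8 36 e1 55 10 6a a8 dc d6 18 e4 09 9a aa"
	},
	/* Page 19 */
	{
		/* key + salt */
		"3d e0 98 74 b3 88 e6 49 19 88 d0 c3 60 7e ae 1f "
		"57 69 0e 43",
		/* iv */
		"4e 28 00 00 a2 fc a1 a3",
		/* aad */
		"3f 7e f6 42 10 10 10 10 10 10 10 10",
		/* ciphertext */
		"fb a2 ca a8 c6 c5 f9 f0 f2 2c a5 4a 06 12 10 ad "
		"3f 6e 57 91 cf 1a ca 21 0d 11 7c ec 9c 35 79 17 "
		"65 ac bd 87 01 ad 79 84 5b f9 fe 3f ba 48 7b c9 "
		"63 21 93 06",
		/* tag */
		"84 ee ca db 56 91 25 46 e7 a9 5c 97 40 d7 cb 05"
	},
	/* Page 20 */
	{
		/* key + salt */
		"4c 80 cd ef bb 5d 10 da 90 6a c7 3c 36 13 a6 34 "
		"22 43 3c 64",
		/* iv */
		"48 55 ec 7d 3a 23 4b fd",
		/* aad */
		"00 00 43 21 87 65 43 21 00 00 00 07",
		/* ciphertext */
		"74 75 2e 8a eb 5d 87 3c d7 c0 f4 ac c3 6c 4b ff "
		"84 b7 d7 b9 8f 0c a8 b6 ac da 68 94 bc 61 90 69",
		/* tag */
		"ef 9c bc 28 fe 1b 56 a7 c4 e0 d5 8c 86 cd 2b c0"
	},

	/* local add-ons, primarily streaming ghash tests */

	/* 128 bytes aad */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		"d9 31 32 25 f8 84 06 e5 a5 59 09 c5 af f5 26 9a "
		"86 a7 a9 53 15 34 f7 da 2e 4c 30 3d 8a 31 8a 72 "
		"1c 3c 0c 95 95 68 09 53 2f cf 0e 24 49 a6 b5 25 "
		"b1 6a ed f5 aa 0d e6 57 ba 63 7b 39 1a af d2 55 "
		"52 2d c1 f0 99 56 7d 07 f4 7f 37 a3 2a 84 42 7d "
		"64 3a 8c dc bf e5 c0 c9 75 98 a2 bd 25 55 d1 aa "
		"8c b0 8e 48 59 0d bb 3d a7 b0 8b 10 56 82 88 38 "
		"c5 f6 1e 63 93 ba 7a 0a bc c9 f6 62 89 80 15 ad",
		/* ciphertext */
		NULL,
		/* tag */
		"5f ea 79 3a 2d 6f 97 4d 37 e6 8e 0c b8 ff 94 92"
	},
	/* 48 bytes plaintext */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		"03 88 da ce 60 b6 a3 92 f3 28 c2 b9 71 b2 fe 78 "
		"f7 95 aa ab 49 4b 59 23 f7 fd 89 ff 94 8b c1 e0 "
		"20 02 11 21 4e 73 94 da 20 89 b6 ac d0 93 ab e0",
		/* tag */
		"9d d0 a3 76 b0 8e 40 eb 00 c3 5f 29 f9 ea 61 a4"
	},
	/* 80 bytes plaintext */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		"03 88 da ce 60 b6 a3 92 f3 28 c2 b9 71 b2 fe 78 "
		"f7 95 aa ab 49 4b 59 23 f7 fd 89 ff 94 8b c1 e0 "
		"20 02 11 21 4e 73 94 da 20 89 b6 ac d0 93 ab e0 "
		"c9 4d a2 19 11 8e 29 7d 7b 7e bc bc c9 c3 88 f2 "
		"8a de 7d 85 a8 ee 35 61 6f 71 24 a9 d5 27 02 91",
		/* tag */
		"98 88 5a 3a 22 bd 47 42 fe 7b 72 17 21 93 b1 63"
	},
	/* 128 bytes plaintext */
	{
		/* key + salt */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"00 00 00 00",
		/* iv */
		"00 00 00 00 00 00 00 00",
		/* aad */
		NULL,
		/* ciphertext */
		"03 88 da ce 60 b6 a3 92 f3 28 c2 b9 71 b2 fe 78 "
		"f7 95 aa ab 49 4b 59 23 f7 fd 89 ff 94 8b c1 e0 "
		"20 02 11 21 4e 73 94 da 20 89 b6 ac d0 93 ab e0 "
		"c9 4d a2 19 11 8e 29 7d 7b 7e bc bc c9 c3 88 f2 "
		"8a de 7d 85 a8 ee 35 61 6f 71 24 a9 d5 27 02 91 "
		"95 b8 4d 1b 96 c6 90 ff 2f 2d e3 0b f2 ec 89 e0 "
		"02 53 78 6e 12 65 04 f0 da b9 0c 48 a3 03 21 de "
		"33 45 e6 b0 46 1e 7c 9e 6c 6b 7a fe dd e8 3f 40",
		/* tag */
		"ca c4 5f 60 e3 1e fd 3b 5a 43 b9 8a 22 ce 1a a1"
	},
	/* 80 bytes plaintext, submitted by Intel */
	{
		/* key + salt */
		"84 3f fc f5 d2 b7 26 94 d1 9e d0 1d 01 24 94 12 "
		"db cc a3 2e",
		/* iv */
		"bf 9b 80 46 17 c3 aa 9e",
		/* aad */
		"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
		"10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f",
		/* ciphertext */
		"62 68 c6 fa 2a 80 b2 d1 37 46 7f 09 2f 65 7a c0 "
		"4d 89 be 2b ea a6 23 d6 1b 5a 86 8c 8f 03 ff 95 "
		"d3 dc ee 23 ad 2f 1a b3 a6 c8 0e af 4b 14 0e b0 "
		"5d e3 45 7f 0f bc 11 1a 6b 43 d0 76 3a a4 22 a3 "
		"01 3c f1 dc 37 fe 41 7d 1f bf c4 49 b7 5d 4c c5",
		/* tag */
		"3b 62 9c cf bc 11 19 b7 31 9e 1d ce 2c d6 fd 6d"
	}
};

/*
 * Compute the AES-GMAC tag for one vector and store it in out.
 *
 * key/klen  key material exactly as it appears in the table (key + salt)
 * iv/ivlen  per-vector IV
 * aad       additional authenticated data, may be NULL when aadlen is 0
 * in        ciphertext to authenticate, may be NULL when len is 0
 * out       receives the tag written by AES_GMAC_Final(); run() passes a
 *           GMAC_DIGEST_LEN byte buffer
 *
 * The hash input is built by hand: the AAD zero-padded to whole blocks,
 * then the ciphertext, then one block holding both bit lengths.
 */
static void
dogmac(const unsigned char *key, size_t klen,
    const unsigned char *iv, size_t ivlen,
    const unsigned char *aad, size_t aadlen,
    const unsigned char *in, unsigned char *out, size_t len)
{
	AES_GMAC_CTX ctx;
	uint8_t blk[GMAC_BLOCK_LEN];
	uint32_t bits;
	size_t i, dlen;

	AES_GMAC_Init(&ctx);

	AES_GMAC_Setkey(&ctx, key, klen);

	AES_GMAC_Reinit(&ctx, iv, ivlen);

	/* The AAD is fed in full blocks; a short final block is zero padded. */
	for (i = 0; i < aadlen; i += GMAC_BLOCK_LEN) {
		memset(blk, 0, sizeof(blk));
		memcpy(blk, aad + i, MINIMUM(aadlen - i, GMAC_BLOCK_LEN));
		AES_GMAC_Update(&ctx, blk, GMAC_BLOCK_LEN);
	}

	/* The ciphertext is streamed as-is; the last chunk may be short. */
	for (i = 0; i < len; i += GMAC_BLOCK_LEN) {
		dlen = MINIMUM(len - i, GMAC_BLOCK_LEN);
		AES_GMAC_Update(&ctx, in + i, dlen);
	}

	/*
	 * Length block: two big-endian bit counts, AAD first and ciphertext
	 * second.  Only the low 32 bits of each count are stored (byte
	 * offsets 4 and 12); the upper halves stay zero, which is enough for
	 * the short vectors used here.  The offsets assume a 16-byte block.
	 * memcpy is used instead of storing through a cast uint32_t pointer
	 * so the code does not rely on blk's alignment or on type punning.
	 */
	memset(blk, 0, sizeof(blk));
	bits = htobe32((uint32_t)(aadlen * 8));
	memcpy(blk + 4, &bits, sizeof(bits));
	bits = htobe32((uint32_t)(len * 8));
	memcpy(blk + 12, &bits, sizeof(bits));
	AES_GMAC_Update(&ctx, blk, 16);

	AES_GMAC_Final(out, &ctx);
}

/*
 * Compare two byte strings of length len.  Returns 1 when they are equal;
 * otherwise warns, prints both strings as hex (a first, then b) and
 * returns 0.
 *
 * memcmp() is acceptable here because both inputs are published test
 * values.  Code that verifies a tag received from a peer should use a
 * constant-time comparison such as timingsafe_bcmp() instead.
 */
static int
match(unsigned char *a, unsigned char *b, size_t len)
{
	size_t i;

	if (memcmp(a, b, len) == 0)
		return (1);

	warnx("mismatch");

	for (i = 0; i < len; i++)
		printf("%2.2x", a[i]);
	printf("\n");
	for (i = 0; i < len; i++)
		printf("%2.2x", b[i]);
	printf("\n");

	return (0);
}

/*
 * Decode a string of whitespace-separated hex bytes ("fe ed fa ce") into
 * buf, which can hold buflen bytes.  Returns the number of bytes decoded,
 * or -1 when a token is not a hex value in the range 00..ff or the output
 * would not fit.
 */
static int
parse_hex(const char *hex, u_char *buf, size_t buflen)
{
	size_t n = 0;
	u_long val;
	char *ep;

	while (*hex != '\0') {
		if (n >= buflen)
			return (-1);
		errno = 0;
		val = strtoul(hex, &ep, 16);
		/* ep == hex means strtoul() consumed nothing at all. */
		if (ep == hex || errno != 0 || val > 0xff)
			return (-1);
		buf[n++] = (u_char)val;
		/* Tolerate trailing blanks instead of decoding a phantom byte. */
		while (*ep == ' ')
			ep++;
		hex = ep;
	}

	return ((int)n);
}

/*
 * Run test vector number num: decode its fields, compute the tag with
 * dogmac() and compare it with the expected tag.  Returns 0 on success
 * and 1 on any failure, including allocation errors and malformed
 * vectors.
 */
static int
run(int num)
{
	int i, fail = 1, n;
	size_t len, length[TST_NUM];
	const char *from;
	u_char *p, *data[TST_NUM], tag[GMAC_DIGEST_LEN];

	for (i = 0; i < TST_NUM; i++) {
		data[i] = NULL;
		length[i] = 0;
	}
	for (i = 0; i < TST_NUM; i++) {
		from = tests[num].data[i];
		if (debug)
			printf("%s\n", from != NULL ? from : "(null)");
		if (from == NULL)
			continue;
		/* The text form is always longer than the decoded bytes. */
		len = strlen(from);
		if ((p = malloc(len != 0 ? len : 1)) == NULL) {
			warn("malloc");
			goto done;
		}
		/* Record the buffer first so the cleanup path frees it. */
		data[i] = p;
		if ((n = parse_hex(from, p, len)) == -1) {
			warnx("test vector %d: malformed field %d", num, i);
			goto done;
		}
		length[i] = (size_t)n;
	}

	/*
	 * match() reads GMAC_DIGEST_LEN bytes from the expected tag, so a
	 * missing or short tag must be rejected before the comparison rather
	 * than read past the end of its allocation.
	 */
	if (data[TST_KEY] == NULL || data[TST_IV] == NULL ||
	    length[TST_TAG] != GMAC_DIGEST_LEN) {
		warnx("test vector %d: missing key/iv or bad tag length", num);
		goto done;
	}

	dogmac(data[TST_KEY], length[TST_KEY], data[TST_IV], length[TST_IV],
	    data[TST_AAD], length[TST_AAD], data[TST_CIPHER], tag,
	    length[TST_CIPHER]);

	fail = !match(data[TST_TAG], tag, GMAC_DIGEST_LEN);
	printf("%s test vector %d\n", fail ? "FAILED" : "OK", num);

done:
	for (i = 0; i < TST_NUM; i++)
		free(data[i]);
	return (fail);
}

/* Run every vector in tests[]; exit status 1 if any of them failed. */
int
main(void)
{
	size_t i;
	int fail = 0;

	for (i = 0; i < (sizeof(tests) / sizeof(tests[0])); i++)
		fail += run((int)i);

	return (fail > 0 ? 1 : 0);
}

/*
 * Test-only stand-in for explicit_bzero(), presumably provided so that
 * the crypto sources built into this test can link in userland.  It is a
 * plain bzero(): nothing here stops a compiler from removing the store,
 * so it must not be reused where secrets really have to be erased.
 */
void
explicit_bzero(void *b, size_t len)
{
	bzero(b, len);
}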