Bug 373108 - Implement AES Galois Counter Mode (GCM)

r=wtc,emaldona


git-svn-id: svn://10.0.0.236/trunk@264319 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/security/nss/cmd/bltest/tests/aes_cts/aes-cts-type-1-vectors.txt

@@ -0,0 +1,47 @@
+# Raeburn                     Standards Track                    [Page 12]
+# 
+# RFC 3962             AES Encryption for Kerberos 5         February 2005
+# 
+# Some test vectors for CBC with ciphertext stealing, using an initial
+# vector of all-zero.
+#
+# Original Test vectors were for AES CTS-3 (Kerberos). These test vectors have been modified for AES CTS-1 (NIST)
+#
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20
+Output:   97 c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f
+Next IV:  c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22
+Next IV:  fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
+Next IV:  39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e
+Next IV:  b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
+Next IV:  9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20 61 6e 64 20 77 6f 6e 74 6f 6e 20 73 6f 75 70 2e
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8 48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40
+Next IV:  48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40
+
+

mozilla/security/nss/cmd/bltest/tests/aes_cts/aes_cts_0.txt

@@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20
+Output:   97 c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f
+Next IV:  c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f
+

mozilla/security/nss/cmd/bltest/tests/aes_cts/aes_cts_1.txt

@@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22
+Next IV:  fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22
+

mozilla/security/nss/cmd/bltest/tests/aes_cts/aes_cts_2.txt

@@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
+Next IV:  39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
+

mozilla/security/nss/cmd/bltest/tests/aes_cts/aes_cts_3.txt

@@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e
+Next IV:  b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e
+

mozilla/security/nss/cmd/bltest/tests/aes_cts/aes_cts_4.txt

@@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
+Next IV:  9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
+

mozilla/security/nss/cmd/bltest/tests/aes_cts/aes_cts_5.txt

@@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20 61 6e 64 20 77 6f 6e 74 6f 6e 20 73 6f 75 70 2e
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8 48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40
+Next IV:  48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40
+

mozilla/security/nss/cmd/bltest/tests/aes_cts/ciphertext0

@@ -0,0 +1 @@
+l8Y1NWjyv4y02KWANi2n/38=

mozilla/security/nss/cmd/bltest/tests/aes_cts/ciphertext1

@@ -0,0 +1 @@
+l2hyaNbszMDAeyXiXs/l/AB4Pg79ssHURdTI7/ftIg==

mozilla/security/nss/cmd/bltest/tests/aes_cts/ciphertext2

@@ -0,0 +1 @@
+l2hyaNbszMDAeyXiXs/lhDkxJSOnhmLVvn/LzJjr9ag=

mozilla/security/nss/cmd/bltest/tests/aes_cts/ciphertext3

@@ -0,0 +1 @@
+l2hyaNbszMDAeyXiXs/lhDkxJSOnhmLVvn/LzJjr9bP//ZQMFqGMG1VJ0vg4Ap4=

mozilla/security/nss/cmd/bltest/tests/aes_cts/ciphertext4

@@ -0,0 +1 @@
+l2hyaNbszMDAeyXiXs/lhDkxJSOnhmLVvn/LzJjr9aidrYu7lsTNwDvBA+GhlLvY

mozilla/security/nss/cmd/bltest/tests/aes_cts/ciphertext5

@@ -0,0 +1,2 @@
+l2hyaNbszMDAeyXiXs/lhDkxJSOnhmLVvn/LzJjr9aidrYu7lsTNwDvBA+GhlLvY
+SAfv6DbuiaUmcw28L3vIQA==

mozilla/security/nss/cmd/bltest/tests/aes_cts/key0

@@ -0,0 +1 @@
+chicken teriyaki

mozilla/security/nss/cmd/bltest/tests/aes_cts/key1

@@ -0,0 +1 @@
+chicken teriyaki

mozilla/security/nss/cmd/bltest/tests/aes_cts/key2

@@ -0,0 +1 @@
+chicken teriyaki

mozilla/security/nss/cmd/bltest/tests/aes_cts/key3

@@ -0,0 +1 @@
+chicken teriyaki

mozilla/security/nss/cmd/bltest/tests/aes_cts/key4

@@ -0,0 +1 @@
+chicken teriyaki

mozilla/security/nss/cmd/bltest/tests/aes_cts/key5

@@ -0,0 +1 @@
+chicken teriyaki

mozilla/security/nss/cmd/bltest/tests/aes_cts/mktst.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+for i in 0 1 2 3 4 5
+do
+    file="aes_cts_$i.txt"
+    grep "Key" $file | sed -e 's;Key:;;' | hex > key$i
+    grep "IV"  $file | sed -e 's;IV:;;' | hex > iv$i
+    grep "Input"  $file | sed -e 's;Input:;;' | hex  > plaintext$i
+    grep "Output"  $file | sed -e 's;Output:;;' | hex | btoa > ciphertext$i
+done

mozilla/security/nss/cmd/bltest/tests/aes_cts/numtests

@@ -0,0 +1 @@
+6

mozilla/security/nss/cmd/bltest/tests/aes_cts/plaintext0

@@ -0,0 +1 @@
+I would like the 

mozilla/security/nss/cmd/bltest/tests/aes_cts/plaintext1

@@ -0,0 +1 @@
+I would like the General Gau's 

mozilla/security/nss/cmd/bltest/tests/aes_cts/plaintext2

@@ -0,0 +1 @@
+I would like the General Gau's C

mozilla/security/nss/cmd/bltest/tests/aes_cts/plaintext3

@@ -0,0 +1 @@
+I would like the General Gau's Chicken, please,

mozilla/security/nss/cmd/bltest/tests/aes_cts/plaintext4

@@ -0,0 +1 @@
+I would like the General Gau's Chicken, please, 

mozilla/security/nss/cmd/bltest/tests/aes_cts/plaintext5

@@ -0,0 +1 @@
+I would like the General Gau's Chicken, please, and wonton soup.

mozilla/security/nss/lib/freebl/cts.c

@@ -115,7 +115,7 @@ CTS_EncryptUpdate(CTSContext *cts, unsigned char *outbuf,
     if (rv != SECSuccess) {
 	return SECFailure;
     }
-    PORT_Assert(*outlen == fullblocks);
+    *outlen = fullblocks; /* AES low level doesn't set outlen */
     inbuf += fullblocks;
     inlen -= fullblocks;
     if (inlen == 0) {
@@ -140,7 +140,6 @@ CTS_EncryptUpdate(CTSContext *cts, unsigned char *outbuf,
 			blocksize, blocksize);
     PORT_Memset(lastBlock, 0, blocksize);
     if (rv == SECSuccess) {
-	PORT_Assert(tmp == blocksize);
 	*outlen = written + blocksize;
     }
     return rv;
@@ -208,19 +207,19 @@ CTS_DecryptUpdate(CTSContext *cts, unsigned char *outbuf,
      * the comment for encrypt. NOTE2: since we can't modify inbuf unless
      * inbuf and outbuf overlap, just copy inbuf to outbuf and modify it there
      */
-    pad = blocksize + (inlen - fullblocks);
-    if (pad != blocksize) {
+    pad = inlen - fullblocks;
+    if (pad != 0) {
 	if (inbuf != outbuf) {
 	    memcpy(outbuf, inbuf, inlen);
 	    /* keep the names so we logically know how we are using the
 	     * buffers */
 	    inbuf = outbuf;
 	}
-	memcpy(lastBlock,        inbuf+inlen-blocksize-pad, blocksize);
+	memcpy(lastBlock, inbuf+inlen-blocksize, blocksize);
 	/* we know inbuf == outbuf now, inbuf is declared const and can't
 	 * be the target, so use outbuf for the target here */
-	memcpy(outbuf+inlen-blocksize-pad, inbuf+inlen-pad, pad);
-	memcpy(outbuf+inlen-blocksize,     lastBlock,       blocksize);
+	memcpy(outbuf+inlen-pad, inbuf+inlen-blocksize-pad, pad);
+	memcpy(outbuf+inlen-blocksize-pad, lastBlock, blocksize);
     }
     /* save the previous to last block so we can undo the misordered
      * chaining */
@@ -233,7 +232,7 @@ CTS_DecryptUpdate(CTSContext *cts, unsigned char *outbuf,
     if (rv != SECSuccess) {
 	return SECFailure;
     }
-    PORT_Assert(*outlen == fullblocks);
+    *outlen = fullblocks; /* AES low level doesn't set outlen */
     inbuf += fullblocks;
     inlen -= fullblocks;
     if (inlen == 0) {
@@ -275,7 +274,7 @@ CTS_DecryptUpdate(CTSContext *cts, unsigned char *outbuf,
     PORT_Memcpy(outbuf, lastBlock, inlen);
     *outlen += inlen;
     /* copy Cn-1* into last buf to recover Cn-1 */
-    PORT_Memcpy(lastBlock, Cn-1, inlen);
+    PORT_Memcpy(lastBlock, Cn_1, inlen);
     /* note: because Cn and Cn-1 were out of order, our pointer to Pn also
      * points to where Pn-1 needs to reside. From here on out read Pn in
      * the code as really Pn-1. */
@@ -284,7 +283,6 @@ CTS_DecryptUpdate(CTSContext *cts, unsigned char *outbuf,
     if (rv != SECSuccess) {
 	return SECFailure;
     }
-    PORT_Assert(tmpLen == blocksize);
     /* make up for the out of order CBC decryption */
     XOR_BLOCK(Pn, Cn_2, blocksize);
     XOR_BLOCK(Pn, Cn, blocksize);