Source file src/crypto/internal/fips140/aes/aes_test.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package aes
     6  
     7  import "testing"
     8  
     9  // See const.go for overview of math here.
    10  
    11  // Test that powx is initialized correctly.
    12  // (Can adapt this code to generate it too.)
    13  func TestPowx(t *testing.T) {
    14  	p := 1
    15  	for i := 0; i < len(powx); i++ {
    16  		if powx[i] != byte(p) {
    17  			t.Errorf("powx[%d] = %#x, want %#x", i, powx[i], p)
    18  		}
    19  		p <<= 1
    20  		if p&0x100 != 0 {
    21  			p ^= poly
    22  		}
    23  	}
    24  }
    25  
    26  // Multiply b and c as GF(2) polynomials modulo poly
    27  func mul(b, c uint32) uint32 {
    28  	i := b
    29  	j := c
    30  	s := uint32(0)
    31  	for k := uint32(1); k < 0x100 && j != 0; k <<= 1 {
    32  		// Invariant: k == 1<<n, i == b * xⁿ
    33  
    34  		if j&k != 0 {
    35  			// s += i in GF(2); xor in binary
    36  			s ^= i
    37  			j ^= k // turn off bit to end loop early
    38  		}
    39  
    40  		// i *= x in GF(2) modulo the polynomial
    41  		i <<= 1
    42  		if i&0x100 != 0 {
    43  			i ^= poly
    44  		}
    45  	}
    46  	return s
    47  }
    48  
    49  // Test all mul inputs against bit-by-bit n² algorithm.
    50  func TestMul(t *testing.T) {
    51  	for i := uint32(0); i < 256; i++ {
    52  		for j := uint32(0); j < 256; j++ {
    53  			// Multiply i, j bit by bit.
    54  			s := uint8(0)
    55  			for k := uint(0); k < 8; k++ {
    56  				for l := uint(0); l < 8; l++ {
    57  					if i&(1<<k) != 0 && j&(1<<l) != 0 {
    58  						s ^= powx[k+l]
    59  					}
    60  				}
    61  			}
    62  			if x := mul(i, j); x != uint32(s) {
    63  				t.Fatalf("mul(%#x, %#x) = %#x, want %#x", i, j, x, s)
    64  			}
    65  		}
    66  	}
    67  }
    68  
    69  // Check that S-boxes are inverses of each other.
    70  // They have more structure that we could test,
    71  // but if this sanity check passes, we'll assume
    72  // the cut and paste from the FIPS PDF worked.
    73  func TestSboxes(t *testing.T) {
    74  	for i := 0; i < 256; i++ {
    75  		if j := sbox0[sbox1[i]]; j != byte(i) {
    76  			t.Errorf("sbox0[sbox1[%#x]] = %#x", i, j)
    77  		}
    78  		if j := sbox1[sbox0[i]]; j != byte(i) {
    79  			t.Errorf("sbox1[sbox0[%#x]] = %#x", i, j)
    80  		}
    81  	}
    82  }
    83  
    84  // Test that encryption tables are correct.
    85  // (Can adapt this code to generate them too.)
    86  func TestTe(t *testing.T) {
    87  	for i := 0; i < 256; i++ {
    88  		s := uint32(sbox0[i])
    89  		s2 := mul(s, 2)
    90  		s3 := mul(s, 3)
    91  		w := s2<<24 | s<<16 | s<<8 | s3
    92  		te := [][256]uint32{te0, te1, te2, te3}
    93  		for j := 0; j < 4; j++ {
    94  			if x := te[j][i]; x != w {
    95  				t.Fatalf("te[%d][%d] = %#x, want %#x", j, i, x, w)
    96  			}
    97  			w = w<<24 | w>>8
    98  		}
    99  	}
   100  }
   101  
   102  // Test that decryption tables are correct.
   103  // (Can adapt this code to generate them too.)
   104  func TestTd(t *testing.T) {
   105  	for i := 0; i < 256; i++ {
   106  		s := uint32(sbox1[i])
   107  		s9 := mul(s, 0x9)
   108  		sb := mul(s, 0xb)
   109  		sd := mul(s, 0xd)
   110  		se := mul(s, 0xe)
   111  		w := se<<24 | s9<<16 | sd<<8 | sb
   112  		td := [][256]uint32{td0, td1, td2, td3}
   113  		for j := 0; j < 4; j++ {
   114  			if x := td[j][i]; x != w {
   115  				t.Fatalf("td[%d][%d] = %#x, want %#x", j, i, x, w)
   116  			}
   117  			w = w<<24 | w>>8
   118  		}
   119  	}
   120  }
   121  

View as plain text