Fix AES cipher implementation.

Update test program to validate the key expansion using the FIPS-197 example.

Add password-protected RC4 test output.

Add no-password AES-128 test output.
This commit is contained in:
Michael R Sweet 2021-10-23 00:07:13 -04:00
parent ea126c7e8d
commit 19571d00f2
No known key found for this signature in database
GPG Key ID: 999559A027815955
2 changed files with 75 additions and 24 deletions

View File

@ -110,7 +110,7 @@ _pdfioCryptoAESInit(
*rkptr, // Current round_key values
*rkend, // End of round_key values
tempa[4]; // Used for the column/row operations
size_t roundlen = keylen + 24; // Length of round_key
// size_t roundlen = keylen + 24; // Length of round_key
size_t nwords = keylen / 4; // Number of 32-bit words in key
@ -122,24 +122,16 @@ _pdfioCryptoAESInit(
memcpy(ctx->round_key, key, keylen);
// All other round keys are found from the previous round keys.
for (rkptr0 = ctx->round_key, rkptr = rkptr0 + keylen, rkend = rkptr + roundlen, i = nwords; rkptr < rkend; i ++)
for (rkptr0 = ctx->round_key, rkptr = rkptr0 + keylen, rkend = rkptr + 16 * ctx->round_size, i = nwords; rkptr < rkend; i ++)
{
if ((i % nwords) == 0)
{
// TODO: Optimize to shift and lookup S box in one step
// Shifts word left once - [a0,a1,a2,a3] becomes [a1,a2,a3,a0]
tempa[0] = rkptr[-3];
tempa[1] = rkptr[-2];
tempa[2] = rkptr[-1];
tempa[3] = rkptr[-4];
// Apply the S-box to each of the four bytes to produce an output word.
tempa[0] = sbox[tempa[0]];
tempa[1] = sbox[tempa[1]];
tempa[2] = sbox[tempa[2]];
tempa[3] = sbox[tempa[3]];
tempa[0] = tempa[0] ^ Rcon[i / nwords];
// Shifts word left once - [a0,a1,a2,a3] becomes [a1,a2,a3,a0], then
// apply the S-box to each of the four bytes to produce an output word.
tempa[0] = sbox[rkptr[-3]] ^ Rcon[i / nwords];
tempa[1] = sbox[rkptr[-2]];
tempa[2] = sbox[rkptr[-1]];
tempa[3] = sbox[rkptr[-4]];
}
else if (keylen == 32 && (i % nwords) == 4)
{
@ -456,17 +448,16 @@ Cipher(state_t *state, const _pdfio_aes_t *ctx)
// The first Nr-1 rounds are identical.
// These Nr rounds are executed in the loop below.
// Last one without MixColumns()
for (round = 1; ; ++round)
for (round = 1; round < ctx->round_size; round ++)
{
SubBytes(state);
ShiftRows(state);
if (round == ctx->round_size)
break;
MixColumns(state);
AddRoundKey(round, state, ctx->round_key);
}
// Add round key to last round
SubBytes(state);
ShiftRows(state);
AddRoundKey(ctx->round_size, state, ctx->round_key);
}

View File

@ -132,6 +132,9 @@ do_crypto_tests(void)
const char *prefix, *suffix; // Prefix/suffix strings
static const char *text = "Hello, World! Now is the time for all good men to come to the aid of their country.\n";
// Test text
static uint8_t aes128key[] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
static uint8_t aes128rounds[] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, 0xa0, 0xfa, 0xfe, 0x17, 0x88, 0x54, 0x2c, 0xb1, 0x23, 0xa3, 0x39, 0x39, 0x2a, 0x6c, 0x76, 0x05, 0xf2, 0xc2, 0x95, 0xf2, 0x7a, 0x96, 0xb9, 0x43, 0x59, 0x35, 0x80, 0x7a, 0x73, 0x59, 0xf6, 0x7f, 0x3d, 0x80, 0x47, 0x7d, 0x47, 0x16, 0xfe, 0x3e, 0x1e, 0x23, 0x7e, 0x44, 0x6d, 0x7a, 0x88, 0x3b, 0xef, 0x44, 0xa5, 0x41, 0xa8, 0x52, 0x5b, 0x7f, 0xb6, 0x71, 0x25, 0x3b, 0xdb, 0x0b, 0xad, 0x00, 0xd4, 0xd1, 0xc6, 0xf8, 0x7c, 0x83, 0x9d, 0x87, 0xca, 0xf2, 0xb8, 0xbc, 0x11, 0xf9, 0x15, 0xbc, 0x6d, 0x88, 0xa3, 0x7a, 0x11, 0x0b, 0x3e, 0xfd, 0xdb, 0xf9, 0x86, 0x41, 0xca, 0x00, 0x93, 0xfd, 0x4e, 0x54, 0xf7, 0x0e, 0x5f, 0x5f, 0xc9, 0xf3, 0x84, 0xa6, 0x4f, 0xb2, 0x4e, 0xa6, 0xdc, 0x4f, 0xea, 0xd2, 0x73, 0x21, 0xb5, 0x8d, 0xba, 0xd2, 0x31, 0x2b, 0xf5, 0x60, 0x7f, 0x8d, 0x29, 0x2f, 0xac, 0x77, 0x66, 0xf3, 0x19, 0xfa, 0xdc, 0x21, 0x28, 0xd1, 0x29, 0x41, 0x57, 0x5c, 0x00, 0x6e, 0xd0, 0x14, 0xf9, 0xa8, 0xc9, 0xee, 0x25, 0x89, 0xe1, 0x3f, 0x0c, 0xc8, 0xb6, 0x63, 0x0c, 0xa6 };
// FIPS-197 example key expansion
static uint8_t aes128text[] = { 0xfb, 0x77, 0xac, 0xce, 0x3c, 0x95, 0x40, 0xcf, 0xca, 0xc8, 0x26, 0xbf, 0xc0, 0x69, 0x73, 0x3c, 0x01, 0xfd, 0x72, 0x01, 0xeb, 0x4d, 0x6f, 0xf7, 0xb4, 0x72, 0x6d, 0x84, 0x69, 0x9f, 0x89, 0xab, 0xe6, 0x2b, 0x9a, 0x9a, 0x6e, 0xc1, 0x61, 0xd7, 0x9d, 0x83, 0x2d, 0x58, 0x55, 0xa7, 0x58, 0x50, 0x00, 0xad, 0x19, 0x7b, 0xee, 0x6a, 0x36, 0x6f, 0xd1, 0xa7, 0xa4, 0x6b, 0xc5, 0x78, 0x9a, 0x18, 0x05, 0xf0, 0x2c, 0xd4, 0x60, 0x25, 0xe0, 0xa7, 0xb1, 0x36, 0xdb, 0x18, 0xd3, 0xf7, 0x59, 0x29, 0x22, 0xec, 0x25, 0x77, 0x0d, 0x9e, 0x5a, 0x01, 0xcc, 0xf6, 0x29, 0xc2, 0x08, 0xc2, 0xfc, 0x4f };
// Expected AES-128 CBC result
static uint8_t aes256text[] = { 0x2b, 0x94, 0x45, 0x9e, 0xed, 0xa0, 0x89, 0x7b, 0x35, 0x4e, 0xde, 0x06, 0x00, 0x4d, 0xda, 0x6b, 0x61, 0x2f, 0xb9, 0x06, 0xd5, 0x0f, 0x22, 0xed, 0xd2, 0xe3, 0x6b, 0x39, 0x5a, 0xa1, 0xe3, 0x7d, 0xa1, 0xcc, 0xd4, 0x0b, 0x6b, 0xa4, 0xff, 0xe9, 0x9c, 0x89, 0x0c, 0xc7, 0x95, 0x47, 0x19, 0x9b, 0x06, 0xdc, 0xc8, 0x7c, 0x5c, 0x5d, 0x56, 0x99, 0x1e, 0x90, 0x7d, 0x99, 0xc5, 0x7b, 0xc4, 0xe4, 0xfb, 0x02, 0x15, 0x50, 0x23, 0x2a, 0xe4, 0xc1, 0x20, 0xfd, 0xf4, 0x03, 0xfe, 0x6f, 0x15, 0x48, 0xd8, 0x62, 0x36, 0x98, 0x2a, 0x62, 0xf5, 0x2c, 0xa6, 0xfa, 0x7a, 0x43, 0x53, 0xcd, 0xad, 0x18 };
@ -144,6 +147,27 @@ do_crypto_tests(void)
// Expected SHA-256 hash result
fputs("_pdfioAESInit(128-bit sample key): ", stdout);
_pdfioCryptoAESInit(&aes, aes128key, sizeof(aes128key), NULL);
if (!memcmp(aes128rounds, aes.round_key, sizeof(aes128rounds)))
{
puts("PASS");
}
else
{
for (i = 0; i < (sizeof(aes128rounds) - 4); i ++)
{
if (aes.round_key[i] != aes128rounds[i])
break;
}
prefix = i > 0 ? "..." : "";
suffix = i < (sizeof(aes128rounds) - 4) ? "..." : "";
printf("FAIL (got '%s%02X%02X%02X%02X%s', expected '%s%02X%02X%02X%02X%s')\n", prefix, aes.round_key[i], aes.round_key[i + 1], aes.round_key[i + 2], aes.round_key[i + 3], suffix, prefix, aes128rounds[i], aes128rounds[i + 1], aes128rounds[i + 2], aes128rounds[i + 3], suffix);
ret = 1;
}
fputs("_pdfioAESInit/Encrypt(128-bit CBC): ", stdout);
for (i = 0; i < 16; i ++)
{
@ -175,7 +199,7 @@ do_crypto_tests(void)
fputs("_pdfioAESInit/Decrypt(128-bit CBC): ", stdout);
_pdfioCryptoAESInit(&aes, key, 16, iv);
_pdfioCryptoAESDecrypt(&aes, buffer2, buffer, strlen(text));
_pdfioCryptoAESDecrypt(&aes, buffer2, buffer, sizeof(aes128text));
if (!memcmp(buffer2, text, strlen(text)))
{
@ -227,7 +251,7 @@ do_crypto_tests(void)
fputs("_pdfioAESInit/Decrypt(256-bit CBC): ", stdout);
_pdfioCryptoAESInit(&aes, key, 32, iv);
_pdfioCryptoAESDecrypt(&aes, buffer2, buffer, strlen(text));
_pdfioCryptoAESDecrypt(&aes, buffer2, buffer, sizeof(aes256text));
if (!memcmp(buffer2, text, strlen(text)))
{
@ -1025,6 +1049,25 @@ do_unit_tests(void)
return (1);
// if (read_unit_file("testpdfio-rc4.pdf", num_pages, first_image, false))
// return (1);
// Create new encrypted PDF files...
fputs("pdfioFileCreate(\"testpdfio-rc4p.pdf\", ...): ", stdout);
if ((outpdf = pdfioFileCreate("testpdfio-rc4p.pdf", NULL, NULL, NULL, (pdfio_error_cb_t)error_cb, &error)) != NULL)
puts("PASS");
else
return (1);
fputs("pdfioFileSetPermissions(no-print, RC4-128, passwords='owner' and 'user'): ", stdout);
if (pdfioFileSetPermissions(outpdf, PDFIO_PERMISSION_ALL ^ PDFIO_PERMISSION_PRINT, PDFIO_ENCRYPTION_RC4_128, "owner", "user"))
puts("PASS");
else
return (1);
if (write_unit_file(inpdf, outpdf, &num_pages, &first_image))
return (1);
// if (read_unit_file("testpdfio-rc4p.pdf", num_pages, first_image, false))
// return (1);
fputs("pdfioFileCreate(\"testpdfio-aes.pdf\", ...): ", stdout);
@ -1033,6 +1076,24 @@ do_unit_tests(void)
else
return (1);
fputs("pdfioFileSetPermissions(all, AES-128, no passwords): ", stdout);
if (pdfioFileSetPermissions(outpdf, PDFIO_PERMISSION_ALL, PDFIO_ENCRYPTION_AES_128, NULL, NULL))
puts("PASS");
else
return (1);
if (write_unit_file(inpdf, outpdf, &num_pages, &first_image))
return (1);
// if (read_unit_file("testpdfio-aes.pdf", num_pages, first_image, false))
// return (1);
fputs("pdfioFileCreate(\"testpdfio-aesp.pdf\", ...): ", stdout);
if ((outpdf = pdfioFileCreate("testpdfio-aesp.pdf", NULL, NULL, NULL, (pdfio_error_cb_t)error_cb, &error)) != NULL)
puts("PASS");
else
return (1);
fputs("pdfioFileSetPermissions(no-print, AES-128, passwords='owner' and 'user'): ", stdout);
if (pdfioFileSetPermissions(outpdf, PDFIO_PERMISSION_ALL ^ PDFIO_PERMISSION_PRINT, PDFIO_ENCRYPTION_AES_128, "owner", "user"))
puts("PASS");
@ -1042,10 +1103,9 @@ do_unit_tests(void)
if (write_unit_file(inpdf, outpdf, &num_pages, &first_image))
return (1);
// if (read_unit_file("testpdfio-aes.pdf", num_pages, first_image, false))
// if (read_unit_file("testpdfio-aesp.pdf", num_pages, first_image, false))
// return (1);
return (0);
}