From b47723daa24b63118bd9cea8e3bdc6b2246d5997 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 9 Nov 2023 19:33:26 +0100 Subject: [PATCH] Add support for AES-GCM-SIV using OpenSSL>=3.2.0 --- CHANGELOG.rst | 3 + docs/development/test-vectors.rst | 2 + docs/hazmat/primitives/aead.rst | 73 +++ .../hazmat/bindings/_rust/openssl/aead.pyi | 17 + .../hazmat/primitives/ciphers/aead.py | 2 + src/rust/build.rs | 3 + src/rust/src/backend/aead.rs | 111 ++++ tests/bench/test_aead.py | 20 + tests/hazmat/primitives/test_aead.py | 145 ++++++ .../ciphers/AES/GCM-SIV/openssl.txt | 492 ++++++++++++++++++ 10 files changed, 868 insertions(+) create mode 100644 vectors/cryptography_vectors/ciphers/AES/GCM-SIV/openssl.txt diff --git a/CHANGELOG.rst b/CHANGELOG.rst index be056eaeee488..9df9f4c149f56 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -46,6 +46,9 @@ Changelog * In the next release (43.0.0) of cryptography, loading an X.509 certificate with a negative serial number will raise an exception. This has been deprecated since 36.0.0. +* Added support for + :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSIV` when using + OpenSSL 3.2.0+. .. _v41-0-5: diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 82050b9d30e6e..6d0eeafd20c80 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -939,6 +939,7 @@ Symmetric ciphers * AES (CBC, CFB, ECB, GCM, OFB, CCM) from `NIST CAVP`_. * AES CTR from :rfc:`3686`. +* AES-GCM-SIV from OpenSSL's `evpciph_aes_gcm_siv.txt`_. * AES OCB3 from :rfc:`7253`, `dkg's additional OCB3 vectors`_, and `OpenSSL's OCB vectors`_. * AES SIV from OpenSSL's `evpciph_aes_siv.txt`_. * 3DES (CBC, CFB, ECB, OFB) from `NIST CAVP`_. @@ -1055,6 +1056,7 @@ header format (substituting the correct information): .. _`root-ed25519.pem`: https://github.com/openssl/openssl/blob/2a1e2fe145c6eb8e75aa2e1b3a8c3a49384b2852/test/certs/root-ed25519.pem .. _`server-ed25519-cert.pem`: https://github.com/openssl/openssl/blob/2a1e2fe145c6eb8e75aa2e1b3a8c3a49384b2852/test/certs/server-ed25519-cert.pem .. _`server-ed448-cert.pem`: https://github.com/openssl/openssl/blob/2a1e2fe145c6eb8e75aa2e1b3a8c3a49384b2852/test/certs/server-ed448-cert.pem +.. _`evpciph_aes_gcm_siv.txt`: https://github.com/openssl/openssl/blob/a2b1ab6100d5f0fb50b61d241471eea087415632/test/recipes/30-test_evp_data/evpciph_aes_gcm_siv.txt .. _`evpciph_aes_siv.txt`: https://github.com/openssl/openssl/blob/d830526c711074fdcd82c70c24c31444366a1ed8/test/recipes/30-test_evp_data/evpciph_aes_siv.txt .. _`dkg's additional OCB3 vectors`: https://gitlab.com/dkg/ocb-test-vectors .. _`OpenSSL's OCB vectors`: https://github.com/openssl/openssl/commit/2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be diff --git a/docs/hazmat/primitives/aead.rst b/docs/hazmat/primitives/aead.rst index db9ef96d1ab79..776f9b77271a9 100644 --- a/docs/hazmat/primitives/aead.rst +++ b/docs/hazmat/primitives/aead.rst @@ -164,6 +164,79 @@ also support providing integrity for associated data which is not encrypted. when the ciphertext has been changed, but will also occur when the key, nonce, or associated data are wrong. +.. class:: AESGCMSIV(key) + + .. versionadded:: 42.0.0 + + The AES-GCM-SIV construction is defined in :rfc:`8452` and is composed of + the :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` block + cipher utilizing Galois Counter Mode (GCM) and a synthetic initialization + vector (SIV). + + :param key: A 128, 192, or 256-bit key. This **must** be kept secret. + :type key: :term:`bytes-like` + + :raises cryptography.exceptions.UnsupportedAlgorithm: If the version of + OpenSSL does not support AES-GCM-SIV. + + .. doctest:: + + >>> import os + >>> from cryptography.hazmat.primitives.ciphers.aead import AESGCMSIV + >>> data = b"a secret message" + >>> aad = b"authenticated but unencrypted data" + >>> key = AESGCMSIV.generate_key(bit_length=128) + >>> aesgcmsiv = AESGCMSIV(key) + >>> nonce = os.urandom(12) + >>> ct = aesgcmsiv.encrypt(nonce, data, aad) + >>> aesgcmsiv.decrypt(nonce, ct, aad) + b'a secret message' + + .. classmethod:: generate_key(bit_length) + + Securely generates a random AES-GCM-SIV key. + + :param bit_length: The bit length of the key to generate. Must be + 128, 192, or 256. + + :returns bytes: The generated key. + + .. method:: encrypt(nonce, data, associated_data) + + Encrypts and authenticates the ``data`` provided as well as + authenticating the ``associated_data``. The output of this can be + passed directly to the ``decrypt`` method. + + :param nonce: A 12-byte value. + :type nonce: :term:`bytes-like` + :param data: The data to encrypt. + :type data: :term:`bytes-like` + :param associated_data: Additional data that should be + authenticated with the key, but is not encrypted. Can be ``None``. + :type associated_data: :term:`bytes-like` + :returns bytes: The ciphertext bytes with the 16 byte tag appended. + :raises OverflowError: If ``data`` or ``associated_data`` is larger + than 2\ :sup:`32` - 1 bytes. + + .. method:: decrypt(nonce, data, associated_data) + + Decrypts the ``data`` and authenticates the ``associated_data``. If you + called encrypt with ``associated_data`` you must pass the same + ``associated_data`` in decrypt or the integrity check will fail. + + :param nonce: A 12-byte value. + :type nonce: :term:`bytes-like` + :param data: The data to decrypt (with tag appended). + :type data: :term:`bytes-like` + :param associated_data: Additional data to authenticate. Can be + ``None`` if none was passed during encryption. + :type associated_data: :term:`bytes-like` + :returns bytes: The original plaintext. + :raises cryptography.exceptions.InvalidTag: If the authentication tag + doesn't validate this exception will be raised. This will occur + when the ciphertext has been changed, but will also occur when the + key, nonce, or associated data are wrong. + .. class:: AESOCB3(key) .. versionadded:: 36.0.0 diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi index 981d69d13219d..62f1d8772b0bf 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi @@ -33,3 +33,20 @@ class AESOCB3: data: bytes, associated_data: bytes | None, ) -> bytes: ... + +class AESGCMSIV: + def __init__(self, key: bytes) -> None: ... + @staticmethod + def generate_key(key_size: int) -> bytes: ... + def encrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + def decrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index 291513d75f041..9752d786cea30 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -16,12 +16,14 @@ "ChaCha20Poly1305", "AESCCM", "AESGCM", + "AESGCMSIV", "AESOCB3", "AESSIV", ] AESSIV = rust_openssl.aead.AESSIV AESOCB3 = rust_openssl.aead.AESOCB3 +AESGCMSIV = rust_openssl.aead.AESGCMSIV class ChaCha20Poly1305: diff --git a/src/rust/build.rs b/src/rust/build.rs index 27f6d12f77f74..77df683f4e41b 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -12,6 +12,9 @@ fn main() { if version >= 0x3_00_00_00_0 { println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_300_OR_GREATER"); } + if version >= 0x3_02_00_00_0 { + println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_320_OR_GREATER"); + } } if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 0965b71a70054..4249021cfe46a 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -410,11 +410,122 @@ impl AesOcb3 { } } +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.bindings._rust.openssl.aead", + name = "AESGCMSIV" +)] +struct AesGcmSiv { + ctx: EvpCipherAead, +} + +#[pyo3::prelude::pymethods] +impl AesGcmSiv { + #[new] + fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { + let key_buf = key.extract::>(py)?; + let _cipher_name = match key_buf.as_bytes().len() { + 16 => "aes-128-gcm-siv", + 24 => "aes-192-gcm-siv", + 32 => "aes-256-gcm-siv", + _ => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "AES-GCM-SIV key must be 128, 384 or 512 bits.", + ), + )) + } + }; + + #[cfg(not(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER))] + { + Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "AES-GCM-SIV is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )) + } + #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)] + { + if cryptography_openssl::fips::is_enabled() { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "AES-GCM-SIV is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } + + let cipher = openssl::cipher::Cipher::fetch(None, _cipher_name, None)?; + Ok(AesGcmSiv { + ctx: EvpCipherAead::new(&cipher, key_buf.as_bytes(), 16, true)?, + }) + } + } + + #[staticmethod] + fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + if bit_length != 128 && bit_length != 192 && bit_length != 256 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), + )); + } + + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + } + + #[pyo3(signature = (nonce, data, associated_data))] + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let data_bytes = data.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if data_bytes.is_empty() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("data must not be zero length"), + )); + }; + if nonce_bytes.len() != 12 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be 12 bytes long"), + )); + } + self.ctx.encrypt(py, data_bytes, aad, Some(nonce_bytes)) + } + + #[pyo3(signature = (nonce, data, associated_data))] + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let aad = associated_data.map(Aad::Single); + if nonce_bytes.len() != 12 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be 12 bytes long"), + )); + } + self.ctx + .decrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) + } +} + pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "aead")?; m.add_class::()?; m.add_class::()?; + m.add_class::()?; Ok(m) } diff --git a/tests/bench/test_aead.py b/tests/bench/test_aead.py index f93c4e8892eb6..01c24cce01d1f 100644 --- a/tests/bench/test_aead.py +++ b/tests/bench/test_aead.py @@ -7,6 +7,7 @@ from cryptography.hazmat.primitives.ciphers.aead import ( AESCCM, AESGCM, + AESGCMSIV, AESOCB3, AESSIV, ChaCha20Poly1305, @@ -100,3 +101,22 @@ def test_aesccm_decrypt(benchmark): aes = AESCCM(b"\x00" * 32) ct = aes.encrypt(b"\x00" * 12, b"hello world plaintext", None) benchmark(aes.decrypt, b"\x00" * 12, ct, None) + + +@pytest.mark.skipif( + not _aead_supported(AESGCMSIV), + reason="Requires OpenSSL with AES-GCM-SIV support", +) +def test_aesgcmsiv_encrypt(benchmark): + aesgcmsiv = AESGCMSIV(b"\x00" * 32) + benchmark(aesgcmsiv.encrypt, b"\x00" * 12, b"hello world plaintext", None) + + +@pytest.mark.skipif( + not _aead_supported(AESGCMSIV), + reason="Requires OpenSSL with AES-GCM-SIV support", +) +def test_aesgcmsiv_decrypt(benchmark): + aesgcmsiv = AESGCMSIV(b"\x00" * 32) + ct = aesgcmsiv.encrypt(b"\x00" * 12, b"hello world plaintext", None) + benchmark(aesgcmsiv.decrypt, b"\x00" * 12, ct, None) diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 5cf5bca546a15..34ad243c8ad5a 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -14,6 +14,7 @@ from cryptography.hazmat.primitives.ciphers.aead import ( AESCCM, AESGCM, + AESGCMSIV, AESOCB3, AESSIV, ChaCha20Poly1305, @@ -828,3 +829,147 @@ def test_buffer_protocol(self, backend): assert ct2 == ct computed_pt2 = aessiv.decrypt(ct2, ad) assert computed_pt2 == pt + + +@pytest.mark.skipif( + not _aead_supported(AESGCMSIV), + reason="Does not support AESGCMSIV", +) +class TestAESGCMSIV: + @pytest.mark.skipif( + sys.platform not in {"linux", "darwin"}, reason="mmap required" + ) + def test_data_too_large(self): + key = AESGCMSIV.generate_key(256) + nonce = os.urandom(12) + aesgcmsiv = AESGCMSIV(key) + + large_data = large_mmap() + + with pytest.raises(OverflowError): + aesgcmsiv.encrypt(nonce, large_data, None) + + with pytest.raises(OverflowError): + aesgcmsiv.encrypt(nonce, b"irrelevant", large_data) + + with pytest.raises(OverflowError): + aesgcmsiv.decrypt(nonce, b"very very irrelevant", large_data) + + def test_invalid_nonce_length(self, backend): + key = AESGCMSIV.generate_key(128) + aesgcmsiv = AESGCMSIV(key) + pt = b"hello" + nonce = os.urandom(14) + with pytest.raises(ValueError): + aesgcmsiv.encrypt(nonce, pt, None) + + with pytest.raises(ValueError): + aesgcmsiv.decrypt(nonce, pt, None) + + def test_no_empty_encryption(self): + key = AESGCMSIV.generate_key(256) + aesgcmsiv = AESGCMSIV(key) + nonce = os.urandom(12) + + with pytest.raises(ValueError): + aesgcmsiv.encrypt(nonce, b"", None) + + with pytest.raises(InvalidTag): + aesgcmsiv.decrypt(nonce, b"", None) + + def test_vectors(self, backend, subtests): + vectors = load_vectors_from_file( + os.path.join("ciphers", "AES", "GCM-SIV", "openssl.txt"), + load_nist_vectors, + ) + for vector in vectors: + with subtests.test(): + key = binascii.unhexlify(vector["key"]) + nonce = binascii.unhexlify(vector["iv"]) + aad = binascii.unhexlify(vector.get("aad", b"")) + ct = binascii.unhexlify(vector["ciphertext"]) + tag = binascii.unhexlify(vector["tag"]) + pt = binascii.unhexlify(vector.get("plaintext", b"")) + aesgcmsiv = AESGCMSIV(key) + computed_ct = aesgcmsiv.encrypt(nonce, pt, aad) + assert computed_ct[:16] == tag + assert computed_ct[16:] == ct + computed_pt = aesgcmsiv.decrypt(nonce, computed_ct, aad) + assert computed_pt == pt + + def test_vectors_invalid(self, backend, subtests): + vectors = load_vectors_from_file( + os.path.join("ciphers", "AES", "GCM-SIV", "openssl.txt"), + load_nist_vectors, + ) + for vector in vectors: + with subtests.test(): + key = binascii.unhexlify(vector["key"]) + nonce = binascii.unhexlify(vector["iv"]) + aad = binascii.unhexlify(vector.get("aad", b"")) + ct = binascii.unhexlify(vector["ciphertext"]) + aesgcmsiv = AESGCMSIV(key) + with pytest.raises(InvalidTag): + badkey = AESGCMSIV(AESGCMSIV.generate_key(256)) + badkey.decrypt(nonce, ct, aad) + with pytest.raises(InvalidTag): + aesgcmsiv.decrypt(nonce, ct, b"nonsense") + with pytest.raises(InvalidTag): + aesgcmsiv.decrypt(nonce, b"nonsense", aad) + + @pytest.mark.parametrize( + ("nonce", "data", "associated_data"), + [ + [object(), b"data", b""], + [b"0" * 12, object(), b""], + [b"0" * 12, b"data", object()], + ], + ) + def test_params_not_bytes(self, nonce, data, associated_data, backend): + key = AESGCMSIV.generate_key(256) + aesgcmsiv = AESGCMSIV(key) + with pytest.raises(TypeError): + aesgcmsiv.encrypt(nonce, data, associated_data) + + with pytest.raises(TypeError): + aesgcmsiv.decrypt(nonce, data, associated_data) + + def test_bad_key(self, backend): + with pytest.raises(TypeError): + AESGCMSIV(object()) # type:ignore[arg-type] + + with pytest.raises(ValueError): + AESGCMSIV(b"0" * 31) + + def test_bad_generate_key(self, backend): + with pytest.raises(TypeError): + AESGCMSIV.generate_key(object()) # type:ignore[arg-type] + + with pytest.raises(ValueError): + AESGCMSIV.generate_key(129) + + def test_associated_data_none_equal_to_empty_bytestring(self, backend): + key = AESGCMSIV.generate_key(256) + aesgcmsiv = AESGCMSIV(key) + nonce = os.urandom(12) + ct1 = aesgcmsiv.encrypt(nonce, b"some_data", None) + ct2 = aesgcmsiv.encrypt(nonce, b"some_data", b"") + assert ct1 == ct2 + pt1 = aesgcmsiv.decrypt(nonce, ct1, None) + pt2 = aesgcmsiv.decrypt(nonce, ct2, b"") + assert pt1 == pt2 + + def test_buffer_protocol(self, backend): + key = AESGCMSIV.generate_key(256) + aesgcmsiv = AESGCMSIV(key) + nonce = os.urandom(12) + pt = b"encrypt me" + ad = b"additional" + ct = aesgcmsiv.encrypt(nonce, pt, ad) + computed_pt = aesgcmsiv.decrypt(nonce, ct, ad) + assert computed_pt == pt + aesgcmsiv = AESGCMSIV(bytearray(key)) + ct2 = aesgcmsiv.encrypt(nonce, pt, ad) + assert ct2 == ct + computed_pt2 = aesgcmsiv.decrypt(nonce, ct2, ad) + assert computed_pt2 == pt diff --git a/vectors/cryptography_vectors/ciphers/AES/GCM-SIV/openssl.txt b/vectors/cryptography_vectors/ciphers/AES/GCM-SIV/openssl.txt new file mode 100644 index 0000000000000..2032d83d37292 --- /dev/null +++ b/vectors/cryptography_vectors/ciphers/AES/GCM-SIV/openssl.txt @@ -0,0 +1,492 @@ +#Cipher = aes-128-gcm-siv +COUNT = 0 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 578782fff6013b815b287c22493a364c +Plaintext = 0100000000000000 +Ciphertext = b5d839330ac7b786 + + + +#Cipher = aes-128-gcm-siv +COUNT = 1 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = a4978db357391a0bc4fdec8b0d106639 +Plaintext = 010000000000000000000000 +Ciphertext = 7323ea61d05932260047d942 + + + +#Cipher = aes-128-gcm-siv +COUNT = 2 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 303aaf90f6fe21199c6068577437a0c4 +Plaintext = 01000000000000000000000000000000 +Ciphertext = 743f7c8077ab25f8624e2e948579cf77 + + + +#Cipher = aes-128-gcm-siv +COUNT = 3 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 1a8e45dcd4578c667cd86847bf6155ff +Plaintext = 0100000000000000000000000000000002000000000000000000000000000000 +Ciphertext = 84e07e62ba83a6585417245d7ec413a9fe427d6315c09b57ce45f2e3936a9445 + + + +#Cipher = aes-128-gcm-siv +COUNT = 4 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 5e6e311dbf395d35b0fe39c2714388f8 +Plaintext = 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = 3fd24ce1f5a67b75bf2351f181a475c7b800a5b4d3dcf70106b1eea82fa1d64df42bf7226122fa92e17a40eeaac1201b + + + +#Cipher = aes-128-gcm-siv +COUNT = 5 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 8a263dd317aa88d56bdf3936dba75bb8 +Plaintext = 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = 2433668f1058190f6d43e360f4f35cd8e475127cfca7028ea8ab5c20f7ab2af02516a2bdcbc08d521be37ff28c152bba36697f25b4cd169c6590d1dd39566d3f + + + +#Cipher = aes-128-gcm-siv +COUNT = 6 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 3b0a1a2560969cdf790d99759abd1508 +Plaintext = 0200000000000000 +Ciphertext = 1e6daba35669f427 + + + +#Cipher = aes-128-gcm-siv +COUNT = 7 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 08299c5102745aaa3a0c469fad9e075a +Plaintext = 020000000000000000000000 +Ciphertext = 296c7889fd99f41917f44620 + + + +#Cipher = aes-128-gcm-siv +COUNT = 8 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 8f8936ec039e4e4bb97ebd8c4457441f +Plaintext = 02000000000000000000000000000000 +Ciphertext = e2b0c5da79a901c1745f700525cb335b + + + +#Cipher = aes-128-gcm-siv +COUNT = 9 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = e6af6a7f87287da059a71684ed3498e1 +Plaintext = 0200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = 620048ef3c1e73e57e02bb8562c416a319e73e4caac8e96a1ecb2933145a1d71 + + + +#Cipher = aes-128-gcm-siv +COUNT = 10 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 6a8cc3865f76897c2e4b245cf31c51f2 +Plaintext = 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = 50c8303ea93925d64090d07bd109dfd9515a5a33431019c17d93465999a8b0053201d723120a8562b838cdff25bf9d1e + + + +#Cipher = aes-128-gcm-siv +COUNT = 11 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = cdc46ae475563de037001ef84ae21744 +Plaintext = 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000 +Ciphertext = 2f5c64059db55ee0fb847ed513003746aca4e61c711b5de2e7a77ffd02da42feec601910d3467bb8b36ebbaebce5fba30d36c95f48a3e7980f0e7ac299332a80 + + + +#Cipher = aes-128-gcm-siv +COUNT = 12 +AAD = 010000000000000000000000 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 07eb1f84fb28f8cb73de8e99e2f48a14 +Plaintext = 02000000 +Ciphertext = a8fe3e87 + + + +#Cipher = aes-128-gcm-siv +COUNT = 13 +AAD = 010000000000000000000000000000000200 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 24afc9805e976f451e6d87f6fe106514 +Plaintext = 0300000000000000000000000000000004000000 +Ciphertext = 6bb0fecf5ded9b77f902c7d5da236a4391dd0297 + + + +#Cipher = aes-128-gcm-siv +COUNT = 14 +AAD = 0100000000000000000000000000000002000000 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = bff9b2ef00fb47920cc72a0c0f13b9fd +Plaintext = 030000000000000000000000000000000400 +Ciphertext = 44d0aaf6fb2f1f34add5e8064e83e12a2ada + + +#Cipher = aes-128-gcm-siv +COUNT = 15 +AAD = 46bb91c3c5 +Key = 36864200e0eaf5284d884a0e77d31646 +IV = bae8e37fc83441b16034566b +Tag = 711bd85bc1e4d3e0a462e074eea428a8 +Plaintext = 7a806c +Ciphertext = af60eb + + + +#Cipher = aes-128-gcm-siv +COUNT = 16 +AAD = fc880c94a95198874296 +Key = aedb64a6c590bc84d1a5e269e4b47801 +IV = afc0577e34699b9e671fdd4f +Tag = d6a9c45545cfc11f03ad743dba20f966 +Plaintext = bdc66f146545 +Ciphertext = bb93a3e34d3c + + + +#Cipher = aes-128-gcm-siv +COUNT = 17 +AAD = 046787f3ea22c127aaf195d1894728 +Key = d5cc1fd161320b6920ce07787f86743b +IV = 275d1ab32f6d1f0434d8848c +Tag = 1d02fd0cd174c84fc5dae2f60f52fd2b +Plaintext = 1177441f195495860f +Ciphertext = 4f37281f7ad12949d0 + + + +#Cipher = aes-128-gcm-siv +COUNT = 18 +AAD = c9882e5386fd9f92ec489c8fde2be2cf97e74e93 +Key = b3fed1473c528b8426a582995929a149 +IV = 9e9ad8780c8d63d0ab4149c0 +Tag = c1dc2f871fb7561da1286e655e24b7b0 +Plaintext = 9f572c614b4745914474e7c7 +Ciphertext = f54673c5ddf710c745641c8b + + + +#Cipher = aes-128-gcm-siv +COUNT = 19 +AAD = 2950a70d5a1db2316fd568378da107b52b0da55210cc1c1b0a +Key = 2d4ed87da44102952ef94b02b805249b +IV = ac80e6f61455bfac8308a2d4 +Tag = 83b3449b9f39552de99dc214a1190b0b +Plaintext = 0d8c8451178082355c9e940fea2f58 +Ciphertext = c9ff545e07b88a015f05b274540aa1 + + + +#Cipher = aes-128-gcm-siv +COUNT = 20 +AAD = 1860f762ebfbd08284e421702de0de18baa9c9596291b08466f37de21c7f +Key = bde3b2f204d1e9f8b06bc47f9745b3d1 +IV = ae06556fb6aa7890bebc18fe +Tag = 3e377094f04709f64d7b985310a4db84 +Plaintext = 6b3db4da3d57aa94842b9803a96e07fb6de7 +Ciphertext = 6298b296e24e8cc35dce0bed484b7f30d580 + + + +#Cipher = aes-128-gcm-siv +COUNT = 21 +AAD = 7576f7028ec6eb5ea7e298342a94d4b202b370ef9768ec6561c4fe6b7e7296fa859c21 +Key = f901cfe8a69615a93fdf7a98cad48179 +IV = 6245709fb18853f68d833640 +Tag = 2d15506c84a9edd65e13e9d24a2a6e70 +Plaintext = e42a3c02c25b64869e146d7b233987bddfc240871d +Ciphertext = 391cc328d484a4f46406181bcd62efd9b3ee197d05 + + +# AES_256_GCM_SIV + + + +#Cipher = aes-256-gcm-siv +COUNT = 22 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 843122130f7364b761e0b97427e3df28 +Plaintext = 0100000000000000 +Ciphertext = c2ef328e5c71c83b + + + +#Cipher = aes-256-gcm-siv +COUNT = 23 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 8ca50da9ae6559e48fd10f6e5c9ca17e +Plaintext = 010000000000000000000000 +Ciphertext = 9aab2aeb3faa0a34aea8e2b1 + + + +#Cipher = aes-256-gcm-siv +COUNT = 24 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = c9eac6fa700942702e90862383c6c366 +Plaintext = 01000000000000000000000000000000 +Ciphertext = 85a01b63025ba19b7fd3ddfc033b3e76 + + + +#Cipher = aes-256-gcm-siv +COUNT = 25 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = e819e63abcd020b006a976397632eb5d +Plaintext = 0100000000000000000000000000000002000000000000000000000000000000 +Ciphertext = 4a6a9db4c8c6549201b9edb53006cba821ec9cf850948a7c86c68ac7539d027f + + + +#Cipher = aes-256-gcm-siv +COUNT = 26 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 790bc96880a99ba804bd12c0e6a22cc4 +Plaintext = 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = c00d121893a9fa603f48ccc1ca3c57ce7499245ea0046db16c53c7c66fe717e39cf6c748837b61f6ee3adcee17534ed5 + + + +#Cipher = aes-256-gcm-siv +COUNT = 27 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 112864c269fc0d9d88c61fa47e39aa08 +Plaintext = 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = c2d5160a1f8683834910acdafc41fbb1632d4a353e8b905ec9a5499ac34f96c7e1049eb080883891a4db8caaa1f99dd004d80487540735234e3744512c6f90ce + + + +#Cipher = aes-256-gcm-siv +COUNT = 28 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 91213f267e3b452f02d01ae33e4ec854 +Plaintext = 0200000000000000 +Ciphertext = 1de22967237a8132 + + + +#Cipher = aes-256-gcm-siv +COUNT = 29 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = c1a4a19ae800941ccdc57cc8413c277f +Plaintext = 020000000000000000000000 +Ciphertext = 163d6f9cc1b346cd453a2e4c + + + +#Cipher = aes-256-gcm-siv +COUNT = 30 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = b292d28ff61189e8e49f3875ef91aff7 +Plaintext = 02000000000000000000000000000000 +Ciphertext = c91545823cc24f17dbb0e9e807d5ec17 + + + +#Cipher = aes-256-gcm-siv +COUNT = 31 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = aea1bad12702e1965604374aab96dbbc +Plaintext = 0200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = 07dad364bfc2b9da89116d7bef6daaaf6f255510aa654f920ac81b94e8bad365 + + + +#Cipher = aes-256-gcm-siv +COUNT = 32 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 03332742b228c647173616cfd44c54eb +Plaintext = 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = c67a1f0f567a5198aa1fcc8e3f21314336f7f51ca8b1af61feac35a86416fa47fbca3b5f749cdf564527f2314f42fe25 + + + +#Cipher = aes-256-gcm-siv +COUNT = 33 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 5bde0285037c5de81e5b570a049b62a0 +Plaintext = 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000 +Ciphertext = 67fd45e126bfb9a79930c43aad2d36967d3f0e4d217c1e551f59727870beefc98cb933a8fce9de887b1e40799988db1fc3f91880ed405b2dd298318858467c89 + + + +#Cipher = aes-256-gcm-siv +COUNT = 34 +AAD = 010000000000000000000000 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 1835e517741dfddccfa07fa4661b74cf +Plaintext = 02000000 +Ciphertext = 22b3f4cd + + + +#Cipher = aes-256-gcm-siv +COUNT = 35 +AAD = 010000000000000000000000000000000200 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = b879ad976d8242acc188ab59cabfe307 +Plaintext = 0300000000000000000000000000000004000000 +Ciphertext = 43dd0163cdb48f9fe3212bf61b201976067f342b + + + +#Cipher = aes-256-gcm-siv +COUNT = 36 +AAD = 0100000000000000000000000000000002000000 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = cfcdf5042112aa29685c912fc2056543 +Plaintext = 030000000000000000000000000000000400 +Ciphertext = 462401724b5ce6588d5a54aae5375513a075 + + +#Cipher = aes-256-gcm-siv +COUNT = 37 +AAD = 4fbdc66f14 +Key = bae8e37fc83441b16034566b7a806c46bb91c3c5aedb64a6c590bc84d1a5e269 +IV = e4b47801afc0577e34699b9e +Tag = 93da9bb81333aee0c785b240d319719d +Plaintext = 671fdd +Ciphertext = 0eaccb + + + +#Cipher = aes-256-gcm-siv +COUNT = 38 +AAD = 6787f3ea22c127aaf195 +Key = 6545fc880c94a95198874296d5cc1fd161320b6920ce07787f86743b275d1ab3 +IV = 2f6d1f0434d8848c1177441f +Tag = 6b62b84dc40c84636a5ec12020ec8c2c +Plaintext = 195495860f04 +Ciphertext = a254dad4f3f9 + + + +#Cipher = aes-256-gcm-siv +COUNT = 39 +AAD = 489c8fde2be2cf97e74e932d4ed87d +Key = d1894728b3fed1473c528b8426a582995929a1499e9ad8780c8d63d0ab4149c0 +IV = 9f572c614b4745914474e7c7 +Tag = c0fd3dc6628dfe55ebb0b9fb2295c8c2 +Plaintext = c9882e5386fd9f92ec +Ciphertext = 0df9e308678244c44b + + + +#Cipher = aes-256-gcm-siv +COUNT = 40 +AAD = 0da55210cc1c1b0abde3b2f204d1e9f8b06bc47f +Key = a44102952ef94b02b805249bac80e6f61455bfac8308a2d40d8c845117808235 +IV = 5c9e940fea2f582950a70d5a +Tag = 404099c2587f64979f21826706d497d5 +Plaintext = 1db2316fd568378da107b52b +Ciphertext = 8dbeb9f7255bf5769dd56692 + + + +#Cipher = aes-256-gcm-siv +COUNT = 41 +AAD = f37de21c7ff901cfe8a69615a93fdf7a98cad481796245709f +Key = 9745b3d1ae06556fb6aa7890bebc18fe6b3db4da3d57aa94842b9803a96e07fb +IV = 6de71860f762ebfbd08284e4 +Tag = b3080d28f6ebb5d3648ce97bd5ba67fd +Plaintext = 21702de0de18baa9c9596291b08466 +Ciphertext = 793576dfa5c0f88729a7ed3c2f1bff + + + +#Cipher = aes-256-gcm-siv +COUNT = 42 +AAD = 9c2159058b1f0fe91433a5bdc20e214eab7fecef4454a10ef0657df21ac7 +Key = b18853f68d833640e42a3c02c25b64869e146d7b233987bddfc240871d7576f7 +IV = 028ec6eb5ea7e298342a94d4 +Tag = 454fc2a154fea91f8363a39fec7d0a49 +Plaintext = b202b370ef9768ec6561c4fe6b7e7296fa85 +Ciphertext = 857e16a64915a787637687db4a9519635cdd + + + +#Cipher = aes-256-gcm-siv +COUNT = 43 +AAD = 734320ccc9d9bbbb19cb81b2af4ecbc3e72834321f7aa0f70b7282b4f33df23f167541 +Key = 3c535de192eaed3822a2fbbe2ca9dfc88255e14a661b8aa82cc54236093bbc23 +IV = 688089e55540db1872504e1c +Tag = 9d6c7029675b89eaf4ba1ded1a286594 +Plaintext = ced532ce4159b035277d4dfbb7db62968b13cd4eec +Ciphertext = 626660c26ea6612fb17ad91e8e767639edd6c9faee + +# The tests in this section use AEAD_AES_256_GCM_SIV and are crafted to +# test correct wrapping of the block counter. + + +#Cipher = aes-256-gcm-siv +COUNT = 44 +Key = 0000000000000000000000000000000000000000000000000000000000000000 +IV = 000000000000000000000000 +Tag = ffffffff000000000000000000000000 +Plaintext = 000000000000000000000000000000004db923dc793ee6497c76dcc03a98e108 +Ciphertext = f3f80f2cf0cb2dd9c5984fcda908456cc537703b5ba70324a6793a7bf218d3ea + + + +#Cipher = aes-256-gcm-siv +COUNT = 45 +Key = 0000000000000000000000000000000000000000000000000000000000000000 +IV = 000000000000000000000000 +Tag = ffffffff000000000000000000000000 +Plaintext = eb3640277c7ffd1303c7a542d02d3e4c0000000000000000 +Ciphertext = 18ce4f0b8cb4d0cac65fea8f79257b20888e53e72299e56d