xref: /freebsd/crypto/openssl/test/igetest.c (revision 39beb93c3f8bdbf72a61fda42300b5ebed7390c8) 
1 /* test/igetest.c -*- mode:C; c-file-style: "eay" -*- */
2 /* ====================================================================
3  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in
14  *    the documentation and/or other materials provided with the
15  *    distribution.
16  *
17  * 3. All advertising materials mentioning features or use of this
18  *    software must display the following acknowledgment:
19  *    "This product includes software developed by the OpenSSL Project
20  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21  *
22  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23  *    endorse or promote products derived from this software without
24  *    prior written permission. For written permission, please contact
25  *    openssl-core@openssl.org.
26  *
27  * 5. Products derived from this software may not be called "OpenSSL"
28  *    nor may "OpenSSL" appear in their names without prior written
29  *    permission of the OpenSSL Project.
30  *
31  * 6. Redistributions of any form whatsoever must retain the following
32  *    acknowledgment:
33  *    "This product includes software developed by the OpenSSL Project
34  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35  *
36  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
40  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47  * OF THE POSSIBILITY OF SUCH DAMAGE.
48  * ====================================================================
49  *
50  */
51 
52 #include <openssl/aes.h>
53 #include <openssl/rand.h>
54 #include <stdio.h>
55 #include <string.h>
56 #include <assert.h>
57 
58 #define TEST_SIZE	128
59 #define BIG_TEST_SIZE 10240
60 
61 static void hexdump(FILE *f,const char *title,const unsigned char *s,int l)
62     {
63     int n=0;
64 
65     fprintf(f,"%s",title);
66     for( ; n < l ; ++n)
67 		{
68 		if((n%16) == 0)
69 			fprintf(f,"\n%04x",n);
70 		fprintf(f," %02x",s[n]);
71 		}
72     fprintf(f,"\n");
73     }
74 
75 #define MAX_VECTOR_SIZE	64
76 
77 struct ige_test
78 	{
79 	const unsigned char key[16];
80 	const unsigned char iv[32];
81 	const unsigned char in[MAX_VECTOR_SIZE];
82 	const unsigned char out[MAX_VECTOR_SIZE];
83 	const size_t length;
84 	const int encrypt;
85 	};
86 
87 static struct ige_test const ige_test_vectors[] = {
88 { { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
89     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, /* key */
90   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
91     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
92     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
93     0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f }, /* iv */
94   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
95     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
96     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
97     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /* in */
98   { 0x1a, 0x85, 0x19, 0xa6, 0x55, 0x7b, 0xe6, 0x52,
99     0xe9, 0xda, 0x8e, 0x43, 0xda, 0x4e, 0xf4, 0x45,
100     0x3c, 0xf4, 0x56, 0xb4, 0xca, 0x48, 0x8a, 0xa3,
101     0x83, 0xc7, 0x9c, 0x98, 0xb3, 0x47, 0x97, 0xcb }, /* out */
102   32, AES_ENCRYPT }, /* test vector 0 */
103 
104 { { 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
105     0x61, 0x6e, 0x20, 0x69, 0x6d, 0x70, 0x6c, 0x65 }, /* key */
106   { 0x6d, 0x65, 0x6e, 0x74, 0x61, 0x74, 0x69, 0x6f,
107     0x6e, 0x20, 0x6f, 0x66, 0x20, 0x49, 0x47, 0x45,
108     0x20, 0x6d, 0x6f, 0x64, 0x65, 0x20, 0x66, 0x6f,
109     0x72, 0x20, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53 }, /* iv */
110   { 0x4c, 0x2e, 0x20, 0x4c, 0x65, 0x74, 0x27, 0x73,
111     0x20, 0x68, 0x6f, 0x70, 0x65, 0x20, 0x42, 0x65,
112     0x6e, 0x20, 0x67, 0x6f, 0x74, 0x20, 0x69, 0x74,
113     0x20, 0x72, 0x69, 0x67, 0x68, 0x74, 0x21, 0x0a }, /* in */
114   { 0x99, 0x70, 0x64, 0x87, 0xa1, 0xcd, 0xe6, 0x13,
115     0xbc, 0x6d, 0xe0, 0xb6, 0xf2, 0x4b, 0x1c, 0x7a,
116     0xa4, 0x48, 0xc8, 0xb9, 0xc3, 0x40, 0x3e, 0x34,
117     0x67, 0xa8, 0xca, 0xd8, 0x93, 0x40, 0xf5, 0x3b }, /* out */
118   32, AES_DECRYPT }, /* test vector 1 */
119 };
120 
121 struct bi_ige_test
122 	{
123 	const unsigned char key1[32];
124 	const unsigned char key2[32];
125 	const unsigned char iv[64];
126 	const unsigned char in[MAX_VECTOR_SIZE];
127 	const unsigned char out[MAX_VECTOR_SIZE];
128 	const size_t keysize;
129 	const size_t length;
130 	const int encrypt;
131 	};
132 
133 static struct bi_ige_test const bi_ige_test_vectors[] = {
134 { { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
135     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, /* key1 */
136   { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
137     0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f }, /* key2 */
138   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
139     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
140     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
141     0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
142     0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
143     0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
144     0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
145     0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f }, /* iv */
146   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
147     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
148     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
149     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /* in */
150   { 0x14, 0x40, 0x6f, 0xae, 0xa2, 0x79, 0xf2, 0x56,
151 	0x1f, 0x86, 0xeb, 0x3b, 0x7d, 0xff, 0x53, 0xdc,
152 	0x4e, 0x27, 0x0c, 0x03, 0xde, 0x7c, 0xe5, 0x16,
153 	0x6a, 0x9c, 0x20, 0x33, 0x9d, 0x33, 0xfe, 0x12 }, /* out */
154   16, 32, AES_ENCRYPT }, /* test vector 0 */
155 { { 0x58, 0x0a, 0x06, 0xe9, 0x97, 0x07, 0x59, 0x5c,
156 	0x9e, 0x19, 0xd2, 0xa7, 0xbb, 0x40, 0x2b, 0x7a,
157 	0xc7, 0xd8, 0x11, 0x9e, 0x4c, 0x51, 0x35, 0x75,
158 	0x64, 0x28, 0x0f, 0x23, 0xad, 0x74, 0xac, 0x37 }, /* key1 */
159   { 0xd1, 0x80, 0xa0, 0x31, 0x47, 0xa3, 0x11, 0x13,
160 	0x86, 0x26, 0x9e, 0x6d, 0xff, 0xaf, 0x72, 0x74,
161 	0x5b, 0xa2, 0x35, 0x81, 0xd2, 0xa6, 0x3d, 0x21,
162 	0x67, 0x7b, 0x58, 0xa8, 0x18, 0xf9, 0x72, 0xe4 }, /* key2 */
163   { 0x80, 0x3d, 0xbd, 0x4c, 0xe6, 0x7b, 0x06, 0xa9,
164 	0x53, 0x35, 0xd5, 0x7e, 0x71, 0xc1, 0x70, 0x70,
165 	0x74, 0x9a, 0x00, 0x28, 0x0c, 0xbf, 0x6c, 0x42,
166 	0x9b, 0xa4, 0xdd, 0x65, 0x11, 0x77, 0x7c, 0x67,
167 	0xfe, 0x76, 0x0a, 0xf0, 0xd5, 0xc6, 0x6e, 0x6a,
168 	0xe7, 0x5e, 0x4c, 0xf2, 0x7e, 0x9e, 0xf9, 0x20,
169 	0x0e, 0x54, 0x6f, 0x2d, 0x8a, 0x8d, 0x7e, 0xbd,
170 	0x48, 0x79, 0x37, 0x99, 0xff, 0x27, 0x93, 0xa3 }, /* iv */
171   { 0xf1, 0x54, 0x3d, 0xca, 0xfe, 0xb5, 0xef, 0x1c,
172 	0x4f, 0xa6, 0x43, 0xf6, 0xe6, 0x48, 0x57, 0xf0,
173 	0xee, 0x15, 0x7f, 0xe3, 0xe7, 0x2f, 0xd0, 0x2f,
174 	0x11, 0x95, 0x7a, 0x17, 0x00, 0xab, 0xa7, 0x0b,
175 	0xbe, 0x44, 0x09, 0x9c, 0xcd, 0xac, 0xa8, 0x52,
176 	0xa1, 0x8e, 0x7b, 0x75, 0xbc, 0xa4, 0x92, 0x5a,
177 	0xab, 0x46, 0xd3, 0x3a, 0xa0, 0xd5, 0x35, 0x1c,
178 	0x55, 0xa4, 0xb3, 0xa8, 0x40, 0x81, 0xa5, 0x0b}, /* in */
179   { 0x42, 0xe5, 0x28, 0x30, 0x31, 0xc2, 0xa0, 0x23,
180 	0x68, 0x49, 0x4e, 0xb3, 0x24, 0x59, 0x92, 0x79,
181 	0xc1, 0xa5, 0xcc, 0xe6, 0x76, 0x53, 0xb1, 0xcf,
182 	0x20, 0x86, 0x23, 0xe8, 0x72, 0x55, 0x99, 0x92,
183 	0x0d, 0x16, 0x1c, 0x5a, 0x2f, 0xce, 0xcb, 0x51,
184 	0xe2, 0x67, 0xfa, 0x10, 0xec, 0xcd, 0x3d, 0x67,
185 	0xa5, 0xe6, 0xf7, 0x31, 0x26, 0xb0, 0x0d, 0x76,
186 	0x5e, 0x28, 0xdc, 0x7f, 0x01, 0xc5, 0xa5, 0x4c}, /* out */
187   32, 64, AES_ENCRYPT }, /* test vector 1 */
188 
189 };
190 
191 static int run_test_vectors(void)
192 	{
193 	int n;
194 	int errs = 0;
195 
196 	for(n=0 ; n < sizeof(ige_test_vectors)/sizeof(ige_test_vectors[0]) ; ++n)
197 		{
198 		const struct ige_test * const v = &ige_test_vectors[n];
199 		AES_KEY key;
200 		unsigned char buf[MAX_VECTOR_SIZE];
201 		unsigned char iv[AES_BLOCK_SIZE*2];
202 
203 		assert(v->length <= MAX_VECTOR_SIZE);
204 
205 		if(v->encrypt == AES_ENCRYPT)
206 			AES_set_encrypt_key(v->key, 8*sizeof v->key, &key);
207 		else
208 			AES_set_decrypt_key(v->key, 8*sizeof v->key, &key);
209 		memcpy(iv, v->iv, sizeof iv);
210 		AES_ige_encrypt(v->in, buf, v->length, &key, iv, v->encrypt);
211 
212 		if(memcmp(v->out, buf, v->length))
213 			{
214 			printf("IGE test vector %d failed\n", n);
215 			hexdump(stdout, "key", v->key, sizeof v->key);
216 			hexdump(stdout, "iv", v->iv, sizeof v->iv);
217 			hexdump(stdout, "in", v->in, v->length);
218 			hexdump(stdout, "expected", v->out, v->length);
219 			hexdump(stdout, "got", buf, v->length);
220 
221 			++errs;
222 			}
223 		}
224 
225 	for(n=0 ; n < sizeof(bi_ige_test_vectors)/sizeof(bi_ige_test_vectors[0])
226 			; ++n)
227 		{
228 		const struct bi_ige_test * const v = &bi_ige_test_vectors[n];
229 		AES_KEY key1;
230 		AES_KEY key2;
231 		unsigned char buf[MAX_VECTOR_SIZE];
232 
233 		assert(v->length <= MAX_VECTOR_SIZE);
234 
235 		if(v->encrypt == AES_ENCRYPT)
236 			{
237 			AES_set_encrypt_key(v->key1, 8*v->keysize, &key1);
238 			AES_set_encrypt_key(v->key2, 8*v->keysize, &key2);
239 			}
240 		else
241 			{
242 			AES_set_decrypt_key(v->key1, 8*v->keysize, &key1);
243 			AES_set_decrypt_key(v->key2, 8*v->keysize, &key2);
244 			}
245 
246 		AES_bi_ige_encrypt(v->in, buf, v->length, &key1, &key2, v->iv,
247 						   v->encrypt);
248 
249 		if(memcmp(v->out, buf, v->length))
250 			{
251 			printf("Bidirectional IGE test vector %d failed\n", n);
252 			hexdump(stdout, "key 1", v->key1, sizeof v->key1);
253 			hexdump(stdout, "key 2", v->key2, sizeof v->key2);
254 			hexdump(stdout, "iv", v->iv, sizeof v->iv);
255 			hexdump(stdout, "in", v->in, v->length);
256 			hexdump(stdout, "expected", v->out, v->length);
257 			hexdump(stdout, "got", buf, v->length);
258 
259 			++errs;
260 			}
261 		}
262 
263 	return errs;
264 	}
265 
266 int main(int argc, char **argv)
267 	{
268 	unsigned char rkey[16];
269 	unsigned char rkey2[16];
270 	AES_KEY key;
271 	AES_KEY key2;
272 	unsigned char plaintext[BIG_TEST_SIZE];
273 	unsigned char ciphertext[BIG_TEST_SIZE];
274 	unsigned char checktext[BIG_TEST_SIZE];
275 	unsigned char iv[AES_BLOCK_SIZE*4];
276 	unsigned char saved_iv[AES_BLOCK_SIZE*4];
277 	int err = 0;
278 	int n;
279 	unsigned matches;
280 
281 	assert(BIG_TEST_SIZE >= TEST_SIZE);
282 
283 	RAND_pseudo_bytes(rkey, sizeof rkey);
284 	RAND_pseudo_bytes(plaintext, sizeof plaintext);
285 	RAND_pseudo_bytes(iv, sizeof iv);
286 	memcpy(saved_iv, iv, sizeof saved_iv);
287 
288 	/* Forward IGE only... */
289 
290 	/* Straight encrypt/decrypt */
291 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
292 	AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE, &key, iv,
293 					AES_ENCRYPT);
294 
295 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
296 	memcpy(iv, saved_iv, sizeof iv);
297 	AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv,
298 					AES_DECRYPT);
299 
300 	if(memcmp(checktext, plaintext, TEST_SIZE))
301 		{
302 		printf("Encrypt+decrypt doesn't match\n");
303 		hexdump(stdout, "Plaintext", plaintext, TEST_SIZE);
304 		hexdump(stdout, "Checktext", checktext, TEST_SIZE);
305 		++err;
306 		}
307 
308 	/* Now check encrypt chaining works */
309 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
310 	memcpy(iv, saved_iv, sizeof iv);
311 	AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE/2, &key, iv,
312 					AES_ENCRYPT);
313 	AES_ige_encrypt(plaintext+TEST_SIZE/2,
314 					ciphertext+TEST_SIZE/2, TEST_SIZE/2,
315 					&key, iv, AES_ENCRYPT);
316 
317 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
318 	memcpy(iv, saved_iv, sizeof iv);
319 	AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv,
320 					AES_DECRYPT);
321 
322 	if(memcmp(checktext, plaintext, TEST_SIZE))
323 		{
324 		printf("Chained encrypt+decrypt doesn't match\n");
325 		hexdump(stdout, "Plaintext", plaintext, TEST_SIZE);
326 		hexdump(stdout, "Checktext", checktext, TEST_SIZE);
327 		++err;
328 		}
329 
330 	/* And check decrypt chaining */
331 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
332 	memcpy(iv, saved_iv, sizeof iv);
333 	AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE/2, &key, iv,
334 					AES_ENCRYPT);
335 	AES_ige_encrypt(plaintext+TEST_SIZE/2,
336 					ciphertext+TEST_SIZE/2, TEST_SIZE/2,
337 					&key, iv, AES_ENCRYPT);
338 
339 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
340 	memcpy(iv, saved_iv, sizeof iv);
341 	AES_ige_encrypt(ciphertext, checktext, TEST_SIZE/2, &key, iv,
342 					AES_DECRYPT);
343 	AES_ige_encrypt(ciphertext+TEST_SIZE/2,
344 					checktext+TEST_SIZE/2, TEST_SIZE/2, &key, iv,
345 					AES_DECRYPT);
346 
347 	if(memcmp(checktext, plaintext, TEST_SIZE))
348 		{
349 		printf("Chained encrypt+chained decrypt doesn't match\n");
350 		hexdump(stdout, "Plaintext", plaintext, TEST_SIZE);
351 		hexdump(stdout, "Checktext", checktext, TEST_SIZE);
352 		++err;
353 		}
354 
355 	/* make sure garble extends forwards only */
356 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
357 	memcpy(iv, saved_iv, sizeof iv);
358 	AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
359 					AES_ENCRYPT);
360 
361 	/* corrupt halfway through */
362 	++ciphertext[sizeof ciphertext/2];
363 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
364 	memcpy(iv, saved_iv, sizeof iv);
365 	AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
366 					AES_DECRYPT);
367 
368 	matches=0;
369 	for(n=0 ; n < sizeof checktext ; ++n)
370 		if(checktext[n] == plaintext[n])
371 			++matches;
372 
373 	if(matches > sizeof checktext/2+sizeof checktext/100)
374 		{
375 		printf("More than 51%% matches after garbling\n");
376 		++err;
377 		}
378 
379 	if(matches < sizeof checktext/2)
380 		{
381 		printf("Garble extends backwards!\n");
382 		++err;
383 		}
384 
385 	/* Bi-directional IGE */
386 
387 	/* Note that we don't have to recover the IV, because chaining isn't */
388 	/* possible with biIGE, so the IV is not updated. */
389 
390 	RAND_pseudo_bytes(rkey2, sizeof rkey2);
391 
392 	/* Straight encrypt/decrypt */
393 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
394 	AES_set_encrypt_key(rkey2, 8*sizeof rkey2, &key2);
395 	AES_bi_ige_encrypt(plaintext, ciphertext, TEST_SIZE, &key, &key2, iv,
396 					   AES_ENCRYPT);
397 
398 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
399 	AES_set_decrypt_key(rkey2, 8*sizeof rkey2, &key2);
400 	AES_bi_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, &key2, iv,
401 					   AES_DECRYPT);
402 
403 	if(memcmp(checktext, plaintext, TEST_SIZE))
404 		{
405 		printf("Encrypt+decrypt doesn't match\n");
406 		hexdump(stdout, "Plaintext", plaintext, TEST_SIZE);
407 		hexdump(stdout, "Checktext", checktext, TEST_SIZE);
408 		++err;
409 		}
410 
411 	/* make sure garble extends both ways */
412 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
413 	AES_set_encrypt_key(rkey2, 8*sizeof rkey2, &key2);
414 	AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
415 					AES_ENCRYPT);
416 
417 	/* corrupt halfway through */
418 	++ciphertext[sizeof ciphertext/2];
419 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
420 	AES_set_decrypt_key(rkey2, 8*sizeof rkey2, &key2);
421 	AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
422 					AES_DECRYPT);
423 
424 	matches=0;
425 	for(n=0 ; n < sizeof checktext ; ++n)
426 		if(checktext[n] == plaintext[n])
427 			++matches;
428 
429 	if(matches > sizeof checktext/100)
430 		{
431 		printf("More than 1%% matches after bidirectional garbling\n");
432 		++err;
433 		}
434 
435 	/* make sure garble extends both ways (2) */
436 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
437 	AES_set_encrypt_key(rkey2, 8*sizeof rkey2, &key2);
438 	AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
439 					AES_ENCRYPT);
440 
441 	/* corrupt right at the end */
442 	++ciphertext[sizeof ciphertext-1];
443 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
444 	AES_set_decrypt_key(rkey2, 8*sizeof rkey2, &key2);
445 	AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
446 					AES_DECRYPT);
447 
448 	matches=0;
449 	for(n=0 ; n < sizeof checktext ; ++n)
450 		if(checktext[n] == plaintext[n])
451 			++matches;
452 
453 	if(matches > sizeof checktext/100)
454 		{
455 		printf("More than 1%% matches after bidirectional garbling (2)\n");
456 		++err;
457 		}
458 
459 	/* make sure garble extends both ways (3) */
460 	AES_set_encrypt_key(rkey, 8*sizeof rkey, &key);
461 	AES_set_encrypt_key(rkey2, 8*sizeof rkey2, &key2);
462 	AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv,
463 					AES_ENCRYPT);
464 
465 	/* corrupt right at the start */
466 	++ciphertext[0];
467 	AES_set_decrypt_key(rkey, 8*sizeof rkey, &key);
468 	AES_set_decrypt_key(rkey2, 8*sizeof rkey2, &key2);
469 	AES_ige_encrypt(ciphertext, checktext, sizeof checktext, &key, iv,
470 					AES_DECRYPT);
471 
472 	matches=0;
473 	for(n=0 ; n < sizeof checktext ; ++n)
474 		if(checktext[n] == plaintext[n])
475 			++matches;
476 
477 	if(matches > sizeof checktext/100)
478 		{
479 		printf("More than 1%% matches after bidirectional garbling (3)\n");
480 		++err;
481 		}
482 
483 	err += run_test_vectors();
484 
485 	return err;
486 	}
487