xref: /aosp_15_r20/external/tink/cc/aead/internal/cord_aes_gcm_boringssl_test.cc (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5)

// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

#include "tink/aead/internal/cord_aes_gcm_boringssl.h"

#include <memory>
#include <string>
#include <utility>
#include <vector>

#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "absl/strings/cord.h"
#include "absl/strings/cord_test_helpers.h"
#include "absl/strings/escaping.h"
#include "absl/strings/str_cat.h"
#include "absl/strings/str_split.h"
#include "openssl/err.h"
#include "include/rapidjson/document.h"
#include "tink/subtle/aes_gcm_boringssl.h"
#include "tink/subtle/wycheproof_util.h"
#include "tink/util/secret_data.h"
#include "tink/util/statusor.h"
#include "tink/util/test_matchers.h"

namespace crypto {
namespace tink {
namespace internal {
namespace {

constexpr absl::string_view key_128 = "000102030405060708090a0b0c0d0e0f";
constexpr absl::string_view kMessage = "Some data to encrypt.";
constexpr absl::string_view kLongMessage =
    "This is some long message which will be fragmented.";
constexpr absl::string_view kAssociatedData = "Some associated data.";

using ::crypto::tink::test::IsOk;
using ::testing::Eq;
using ::testing::Not;
using ::testing::SizeIs;
using ::testing::Test;

class CordAesGcmBoringSslTest : public Test {
 protected:
  void SetUp() override {
    key_ = util::SecretDataFromStringView(absl::HexStringToBytes(key_128));
    util::StatusOr<std::unique_ptr<CordAead>> res =
        CordAesGcmBoringSsl::New(key_);
    ASSERT_THAT(res, IsOk());
    cipher_ = std::move(*res);
  }

  util::SecretData key_;
  std::unique_ptr<CordAead> cipher_;
};

TEST_F(CordAesGcmBoringSslTest, EncryptDecryptCord) {
  absl::Cord message_cord = absl::Cord(kMessage);
  absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
  util::StatusOr<absl::Cord> ct =
      cipher_->Encrypt(message_cord, associated_data_cord);
  ASSERT_THAT(ct, IsOk());
  EXPECT_THAT(*ct, SizeIs(message_cord.size() + 12 + 16));
  util::StatusOr<absl::Cord> pt = cipher_->Decrypt(*ct, associated_data_cord);
  ASSERT_THAT(pt, IsOk());
  EXPECT_EQ(*pt, message_cord.Flatten());
}

TEST_F(CordAesGcmBoringSslTest, ChunkyCordEncrypt) {
  absl::Cord message_cord =
      absl::MakeFragmentedCord(absl::StrSplit(kLongMessage, absl::ByLength(3)));
  absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
  util::StatusOr<absl::Cord> ct =
      cipher_->Encrypt(message_cord, associated_data_cord);
  ASSERT_THAT(ct, IsOk());
  EXPECT_THAT(*ct, SizeIs(message_cord.size() + 12 + 16));
  util::StatusOr<absl::Cord> pt = cipher_->Decrypt(*ct, associated_data_cord);
  ASSERT_THAT(pt, IsOk());
  EXPECT_THAT(*pt, Eq(kLongMessage));
}

TEST_F(CordAesGcmBoringSslTest, ChunkyCordDecrypt) {
  absl::Cord message_cord = absl::Cord(kLongMessage);
  absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
  util::StatusOr<absl::Cord> ct =
      cipher_->Encrypt(message_cord, associated_data_cord);
  ASSERT_THAT(ct, IsOk());
  absl::Cord fragmented_ct = absl::MakeFragmentedCord(
      absl::StrSplit(ct->Flatten(), absl::ByLength(3)));
  util::StatusOr<absl::Cord> pt =
      cipher_->Decrypt(fragmented_ct, associated_data_cord);
  ASSERT_THAT(pt, IsOk());
  EXPECT_THAT(*pt, Eq(kLongMessage));
}

TEST_F(CordAesGcmBoringSslTest, CanDecryptWithStringAead) {
  absl::Cord message_cord = absl::Cord(kMessage);
  absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
  util::StatusOr<absl::Cord> ct =
      cipher_->Encrypt(message_cord, associated_data_cord);
  ASSERT_THAT(ct, IsOk());
  EXPECT_EQ(ct->size(), message_cord.size() + 12 + 16);
  util::StatusOr<absl::Cord> pt = cipher_->Decrypt(*ct, associated_data_cord);
  ASSERT_THAT(pt, IsOk());
  EXPECT_EQ(*pt, message_cord.Flatten());

  // Decrypt as string and check if it gives same result.
  util::StatusOr<std::unique_ptr<Aead>> string_aead =
      subtle::AesGcmBoringSsl::New(key_);
  ASSERT_THAT(string_aead, IsOk());
  util::StatusOr<std::string> plaintext =
      (*string_aead)
          ->Decrypt(ct.value().Flatten(), associated_data_cord.Flatten());
  ASSERT_THAT(plaintext, IsOk());
  EXPECT_EQ(*plaintext, kMessage);
}

TEST_F(CordAesGcmBoringSslTest, ModifiedCord) {
  absl::Cord message = absl::Cord(kMessage);
  absl::Cord ad = absl::Cord(kAssociatedData);
  util::StatusOr<absl::Cord> ct = cipher_->Encrypt(message, ad);
  ASSERT_THAT(ct, IsOk());
  util::StatusOr<absl::Cord> plaintext = cipher_->Decrypt(*ct, ad);
  ASSERT_THAT(plaintext, IsOk());
  EXPECT_EQ(*plaintext, message);

  // Modify the ciphertext.
  for (size_t i = 0; i < ct->size() * 8; i++) {
    std::string modified_ct = std::string(ct->Flatten());
    modified_ct[i / 8] ^= 1 << (i % 8);
    absl::Cord modified_ct_cord;
    modified_ct_cord = absl::Cord(modified_ct);
    EXPECT_THAT(cipher_->Decrypt(modified_ct_cord, ad), Not(IsOk()))
        << i;
  }
  // Modify the associated data.
  for (size_t i = 0; i < ad.size() * 8; i++) {
    std::string modified_ad = std::string(ad.Flatten());
    modified_ad[i / 8] ^= 1 << (i % 8);
    absl::Cord modified_associated_data_cord;
    modified_associated_data_cord = absl::Cord(modified_ad);
    util::StatusOr<absl::Cord> decrypted =
        cipher_->Decrypt(*ct, modified_associated_data_cord);
    EXPECT_THAT(decrypted, Not(IsOk())) << i << " pt: " << *decrypted;
  }
  // Truncate the ciphertext.
  for (size_t i = 0; i < ct->size(); i++) {
    std::string truncated_ct(std::string(ct->Flatten()), 0, i);
    absl::Cord truncated_ct_cord;
    truncated_ct_cord = absl::Cord(truncated_ct);
    EXPECT_THAT(cipher_->Decrypt(truncated_ct_cord, ad), Not(IsOk()))
        << i;
  }
}

static std::string GetError() {
  auto err = ERR_peek_last_error();
  // Sometimes there is no error message on the stack.
  if (err == 0) {
    return "";
  }
  std::string lib(ERR_lib_error_string(err));
  std::string func(ERR_func_error_string(err));
  std::string reason(ERR_reason_error_string(err));
  return lib + ":" + func + ":" + reason;
}

// Test with test vectors from Wycheproof project.
bool WycheproofTest(const rapidjson::Document& root) {
  int errors = 0;
  for (const rapidjson::Value& test_group : root["testGroups"].GetArray()) {
    const size_t iv_size = test_group["ivSize"].GetInt();
    const size_t key_size = test_group["keySize"].GetInt();
    const size_t tag_size = test_group["tagSize"].GetInt();
    // CordAesGcmBoringSsl only supports 12-byte IVs and 16-byte
    // authentication tag. Also 24-byte keys are not supported.
    if (iv_size != 96 || tag_size != 128 || key_size == 192) {
      // Not supported
      continue;
    }
    for (const rapidjson::Value& test : test_group["tests"].GetArray()) {
      std::string comment = test["comment"].GetString();
      std::string key = subtle::WycheproofUtil::GetBytes(test["key"]);
      std::string iv = subtle::WycheproofUtil::GetBytes(test["iv"]);
      std::string msg = subtle::WycheproofUtil::GetBytes(test["msg"]);
      std::string ct = subtle::WycheproofUtil::GetBytes(test["ct"]);
      std::string ad = subtle::WycheproofUtil::GetBytes(test["aad"]);
      std::string tag = subtle::WycheproofUtil::GetBytes(test["tag"]);
      std::string id = absl::StrCat(test["tcId"].GetInt());
      std::string expected = test["result"].GetString();

      std::unique_ptr<CordAead> cipher = std::move(
          *CordAesGcmBoringSsl::New(util::SecretDataFromStringView(key)));
      // Convert the ciphertext to cord.
      absl::Cord ct_cord = absl::Cord(iv + ct + tag);
      absl::Cord associated_data_cord = absl::Cord(ad);
      util::StatusOr<absl::Cord> result =
          cipher->Decrypt(ct_cord, associated_data_cord);
      if (result.ok()) {
        std::string decrypted = std::string(result->Flatten());
        if (expected == "invalid") {
          ADD_FAILURE() << "Decrypted invalid ciphertext:" << id;
          errors++;
        } else if (msg != decrypted) {
          ADD_FAILURE() << "Incorrect decryption:" << id;
          errors++;
        }
      } else {
        if (expected == "valid" || expected == "acceptable") {
          ADD_FAILURE() << "Could not decrypt test with tcId:" << id
                        << " iv_size:" << iv_size << " tag_size:" << tag_size
                        << " key_size:" << key_size << " error:" << GetError();
          errors++;
        }
      }
    }
  }
  return errors == 0;
}

TEST(CordAesGcmBoringSslWycheproofTest, TestVectors) {
  std::unique_ptr<rapidjson::Document> root =
      subtle::WycheproofUtil::ReadTestVectors("aes_gcm_test.json");
  ASSERT_TRUE(WycheproofTest(*root));
}

}  // namespace
}  // namespace internal
}  // namespace tink
}  // namespace crypto