1 // Copyright 2017 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16
17 #include "tink/subtle/hmac_boringssl.h"
18
19 #include <string>
20 #include <utility>
21
22 #include "gtest/gtest.h"
23 #include "absl/status/status.h"
24 #include "absl/strings/escaping.h"
25 #include "tink/internal/fips_utils.h"
26 #include "tink/mac.h"
27 #include "tink/subtle/common_enums.h"
28 #include "tink/util/secret_data.h"
29 #include "tink/util/status.h"
30 #include "tink/util/statusor.h"
31 #include "tink/util/test_matchers.h"
32
33 namespace crypto {
34 namespace tink {
35 namespace subtle {
36 namespace {
37
38 using ::crypto::tink::test::StatusIs;
39
40 class HmacBoringSslTest : public ::testing::Test {
41 public:
42 // Utility to simplify testing with test vectors.
43 // Arguments and result are hexadecimal.
HmacVerifyHex(HashType hash,uint32_t tag_size,const std::string & key_hex,const std::string & tag_hex,const std::string & data_hex)44 bool HmacVerifyHex(HashType hash, uint32_t tag_size,
45 const std::string &key_hex, const std::string &tag_hex,
46 const std::string &data_hex) {
47 util::SecretData key =
48 util::SecretDataFromStringView(absl::HexStringToBytes(key_hex));
49 std::string tag = absl::HexStringToBytes(tag_hex);
50 std::string data = absl::HexStringToBytes(data_hex);
51 auto hmac_result = HmacBoringSsl::New(hash, tag_size, key);
52 EXPECT_TRUE(hmac_result.ok()) << hmac_result.status();
53 auto hmac = std::move(hmac_result.value());
54 auto result = hmac->VerifyMac(tag, data);
55 return result.ok();
56 }
57 };
58
TEST_F(HmacBoringSslTest,testBasic)59 TEST_F(HmacBoringSslTest, testBasic) {
60 if (internal::IsFipsModeEnabled() && !internal::IsFipsEnabledInSsl()) {
61 GTEST_SKIP()
62 << "Test should not run in FIPS mode when BoringCrypto is unavailable.";
63 }
64
65 util::SecretData key = util::SecretDataFromStringView(
66 absl::HexStringToBytes("000102030405060708090a0b0c0d0e0f"));
67 size_t tag_size = 16;
68 auto hmac_result = HmacBoringSsl::New(HashType::SHA1, tag_size, key);
69 EXPECT_TRUE(hmac_result.ok()) << hmac_result.status();
70 auto hmac = std::move(hmac_result.value());
71 { // Test with some example data.
72 std::string data = "Some data to test.";
73 auto res = hmac->ComputeMac(data);
74 EXPECT_TRUE(res.ok()) << res.status();
75 std::string tag = res.value();
76 EXPECT_EQ(tag_size, tag.size());
77 EXPECT_EQ(tag, absl::HexStringToBytes("9ccdca5b7fffb690df396e4ac49b9cd4"));
78 auto status = hmac->VerifyMac(tag, data);
79 EXPECT_TRUE(status.ok())
80 << "tag:" << absl::BytesToHexString(tag) << " status:" << status;
81 }
82 { // Test with empty example data.
83 absl::string_view data;
84 auto res = hmac->ComputeMac(data);
85 EXPECT_TRUE(res.ok()) << res.status();
86 std::string tag = res.value();
87 EXPECT_EQ(tag_size, tag.size());
88 EXPECT_EQ(tag, absl::HexStringToBytes("5433122f77bcf8a4d9b874b4149823ef"));
89 auto status = hmac->VerifyMac(tag, data);
90 EXPECT_TRUE(status.ok())
91 << "tag:" << absl::BytesToHexString(tag) << " status:" << status;
92 }
93 }
94
TEST_F(HmacBoringSslTest,testModification)95 TEST_F(HmacBoringSslTest, testModification) {
96 if (internal::IsFipsModeEnabled() && !internal::IsFipsEnabledInSsl()) {
97 GTEST_SKIP()
98 << "Test should not run in FIPS mode when BoringCrypto is unavailable.";
99 }
100
101 util::SecretData key = util::SecretDataFromStringView(
102 absl::HexStringToBytes("000102030405060708090a0b0c0d0e0f"));
103 auto hmac_result = HmacBoringSsl::New(HashType::SHA1, 16, key);
104 EXPECT_TRUE(hmac_result.ok()) << hmac_result.status();
105 auto hmac = std::move(hmac_result.value());
106 std::string data = "Some data to test";
107 std::string tag = hmac->ComputeMac(data).value();
108 auto status = hmac->VerifyMac(tag, data);
109 EXPECT_TRUE(status.ok()) << status;
110 size_t bits = tag.size() * 8;
111 for (size_t i = 0; i < bits; i++) {
112 std::string modified_tag = tag;
113 modified_tag[i / 8] ^= 1 << (i % 8);
114 EXPECT_FALSE(hmac->VerifyMac(modified_tag, data).ok())
115 << "tag:" << absl::BytesToHexString(tag)
116 << " modified:" << absl::BytesToHexString(modified_tag);
117 }
118 }
119
TEST_F(HmacBoringSslTest,testTruncation)120 TEST_F(HmacBoringSslTest, testTruncation) {
121 if (internal::IsFipsModeEnabled() && !internal::IsFipsEnabledInSsl()) {
122 GTEST_SKIP()
123 << "Test should not run in FIPS mode when BoringCrypto is unavailable.";
124 }
125
126 util::SecretData key = util::SecretDataFromStringView(
127 absl::HexStringToBytes("000102030405060708090a0b0c0d0e0f"));
128 auto hmac_result = HmacBoringSsl::New(HashType::SHA1, 20, key);
129 EXPECT_TRUE(hmac_result.ok()) << hmac_result.status();
130 auto hmac = std::move(hmac_result.value());
131 std::string data = "Some data to test";
132 std::string tag = hmac->ComputeMac(data).value();
133 auto status = hmac->VerifyMac(tag, data);
134 EXPECT_TRUE(status.ok()) << status;
135 for (size_t i = 0; i < tag.size(); i++) {
136 std::string modified_tag(tag, 0, i);
137 EXPECT_FALSE(hmac->VerifyMac(modified_tag, data).ok())
138 << "tag:" << absl::BytesToHexString(tag)
139 << " modified:" << absl::BytesToHexString(modified_tag);
140 }
141 }
142
TEST_F(HmacBoringSslTest,testInvalidKeySizes)143 TEST_F(HmacBoringSslTest, testInvalidKeySizes) {
144 if (internal::IsFipsModeEnabled() && !internal::IsFipsEnabledInSsl()) {
145 GTEST_SKIP()
146 << "Test should not run in FIPS mode when BoringCrypto is unavailable.";
147 }
148
149 size_t tag_size = 16;
150
151 for (int keysize = 0; keysize < 65; keysize++) {
152 util::SecretData key(keysize, 'x');
153 auto hmac_result = HmacBoringSsl::New(HashType::SHA1, tag_size, key);
154 if (keysize >= 16) {
155 EXPECT_TRUE(hmac_result.ok());
156 } else {
157 EXPECT_FALSE(hmac_result.ok());
158 }
159 }
160 }
161
TEST_F(HmacBoringSslTest,TestFipsFailWithoutBoringCrypto)162 TEST_F(HmacBoringSslTest, TestFipsFailWithoutBoringCrypto) {
163 if (!internal::IsFipsModeEnabled() || internal::IsFipsEnabledInSsl()) {
164 GTEST_SKIP()
165 << "Test assumes kOnlyUseFips but BoringCrypto is unavailable.";
166 }
167
168 util::SecretData key128 = util::SecretDataFromStringView(
169 absl::HexStringToBytes("000102030405060708090a0b0c0d0e0f"));
170 util::SecretData key256 =
171 util::SecretDataFromStringView(absl::HexStringToBytes(
172 "000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f"));
173
174 EXPECT_THAT(subtle::HmacBoringSsl::New(HashType::SHA1, 16, key128).status(),
175 StatusIs(absl::StatusCode::kInternal));
176 EXPECT_THAT(subtle::HmacBoringSsl::New(HashType::SHA224, 16, key128).status(),
177 StatusIs(absl::StatusCode::kInternal));
178 EXPECT_THAT(subtle::HmacBoringSsl::New(HashType::SHA256, 16, key128).status(),
179 StatusIs(absl::StatusCode::kInternal));
180 EXPECT_THAT(subtle::HmacBoringSsl::New(HashType::SHA384, 16, key128).status(),
181 StatusIs(absl::StatusCode::kInternal));
182 EXPECT_THAT(subtle::HmacBoringSsl::New(HashType::SHA512, 16, key128).status(),
183 StatusIs(absl::StatusCode::kInternal));
184 }
185 // TODO(bleichen): Stuff to test
186 // - Generate test vectors and share with Wycheproof.
187 // - Tag size wrong for construction
188 // - Tag size wrong during verification
189 // - Generate invalid tags with 0s in the middle to catch comparison with
190 // strcmp or similar.
191 // - Generate invalid tags with equal diffs (e.g. to catch broken constant
192 // time comparisons.
193 // - wrong size of tag during verification
194 // - Hmac key size must not be 0 (see RFC)
195 // - Generate test vectors with key sizes larger than the block size of the
196 // hash. (HMAC hashes these keys).
197
198 } // namespace
199 } // namespace subtle
200 } // namespace tink
201 } // namespace crypto
202
203