1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "quiche/quic/core/crypto/chacha20_poly1305_decrypter.h"
6 
7 #include <memory>
8 #include <string>
9 
10 #include "absl/strings/escaping.h"
11 #include "absl/strings/string_view.h"
12 #include "quiche/quic/core/quic_utils.h"
13 #include "quiche/quic/platform/api/quic_test.h"
14 #include "quiche/quic/test_tools/quic_test_utils.h"
15 #include "quiche/common/test_tools/quiche_test_utils.h"
16 
17 namespace {
18 
19 // The test vectors come from RFC 7539 Section 2.8.2.
20 
21 // Each test vector consists of six strings of lowercase hexadecimal digits.
22 // The strings may be empty (zero length). A test vector with a nullptr |key|
23 // marks the end of an array of test vectors.
struct TestVector {
  // Input (hex-encoded; the test decodes each field before use):
  const char* key;    // Key handed to SetKey().
  const char* iv;     // Trailing part of the nonce; the test passes fixed + iv.
  const char* fixed;  // Leading part of the nonce.
  const char* aad;    // Associated data covered by the authenticator.
  const char* ct;     // Ciphertext followed by the Poly1305 authenticator.

  // Expected output:
  const char* pt;  // An empty string "" means decryption succeeded and
                   // the plaintext is zero-length. nullptr means decryption
                   // failed.
};
37 
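// Field order in every entry: key, iv, fixed, aad, ct, pt (see TestVector).
// The last 12 bytes of each |ct| are the authenticator; the trailing
// "truncated" comments mark where four more tag bytes were cut off.
const TestVector test_vectors[] = {
    // Known-answer vector: decryption must succeed and yield |pt|.
    {"808182838485868788898a8b8c8d8e8f"
     "909192939495969798999a9b9c9d9e9f",

     "4041424344454647",

     "07000000",

     "50515253c0c1c2c3c4c5c6c7",

     "d31a8d34648e60db7b86afbc53ef7ec2"
     "a4aded51296e08fea9e2b5a736ee62d6"
     "3dbea45e8ca9671282fafb69da92728b"
     "1a71de0a9e060b2905d6a5b67ecd3b36"
     "92ddbd7f2d778b8c9803aee328091b58"
     "fab324e4fad675945585808b4831d7bc"
     "3ff4def08e4b7a9de576d26586cec64b"
     "6116"
     "1ae10b594f09e26a7e902ecb",  // "d0600691" truncated

     "4c616469657320616e642047656e746c"
     "656d656e206f662074686520636c6173"
     "73206f66202739393a20496620492063"
     "6f756c64206f6666657220796f75206f"
     "6e6c79206f6e652074697020666f7220"
     "746865206675747572652c2073756e73"
     "637265656e20776f756c642062652069"
     "742e"},
    // Modify the ciphertext (Poly1305 authenticator): the last tag byte is
    // changed from cb to cc, so decryption must fail.
    {"808182838485868788898a8b8c8d8e8f"
     "909192939495969798999a9b9c9d9e9f",

     "4041424344454647",

     "07000000",

     "50515253c0c1c2c3c4c5c6c7",

     "d31a8d34648e60db7b86afbc53ef7ec2"
     "a4aded51296e08fea9e2b5a736ee62d6"
     "3dbea45e8ca9671282fafb69da92728b"
     "1a71de0a9e060b2905d6a5b67ecd3b36"
     "92ddbd7f2d778b8c9803aee328091b58"
     "fab324e4fad675945585808b4831d7bc"
     "3ff4def08e4b7a9de576d26586cec64b"
     "6116"
     "1ae10b594f09e26a7e902ecc",  // "d0600691" truncated

     nullptr},
    // Modify the associated data: the first AAD byte is changed from 50 to
    // 60, so decryption must fail.
    {"808182838485868788898a8b8c8d8e8f"
     "909192939495969798999a9b9c9d9e9f",

     "4041424344454647",

     "07000000",

     "60515253c0c1c2c3c4c5c6c7",

     "d31a8d34648e60db7b86afbc53ef7ec2"
     "a4aded51296e08fea9e2b5a736ee62d6"
     "3dbea45e8ca9671282fafb69da92728b"
     "1a71de0a9e060b2905d6a5b67ecd3b36"
     "92ddbd7f2d778b8c9803aee328091b58"
     "fab324e4fad675945585808b4831d7bc"
     "3ff4def08e4b7a9de576d26586cec64b"
     "6116"
     "1ae10b594f09e26a7e902ecb",  // "d0600691" truncated

     nullptr},
    // Modify the ciphertext body while leaving the authenticator intact.
    // Constructed for this test (not taken from the RFC): the first
    // ciphertext byte is changed from d3 to d2. The authenticator no longer
    // matches, so decryption must fail.
    {"808182838485868788898a8b8c8d8e8f"
     "909192939495969798999a9b9c9d9e9f",

     "4041424344454647",

     "07000000",

     "50515253c0c1c2c3c4c5c6c7",

     "d21a8d34648e60db7b86afbc53ef7ec2"
     "a4aded51296e08fea9e2b5a736ee62d6"
     "3dbea45e8ca9671282fafb69da92728b"
     "1a71de0a9e060b2905d6a5b67ecd3b36"
     "92ddbd7f2d778b8c9803aee328091b58"
     "fab324e4fad675945585808b4831d7bc"
     "3ff4def08e4b7a9de576d26586cec64b"
     "6116"
     "1ae10b594f09e26a7e902ecb",  // "d0600691" truncated

     nullptr},
    // Sentinel: a nullptr |key| ends the array.
    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};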
109 
110 }  // namespace
111 
112 namespace quic {
113 namespace test {
114 
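// DecryptWithNonce wraps the |DecryptPacket| method of |decrypter| to allow
// passing in a nonce and also to allocate the buffer needed for the plaintext.
//
// |nonce| is split in two: everything except its last sizeof(uint64_t) bytes
// is installed with SetNoncePrefix(), and the last sizeof(uint64_t) bytes are
// passed to DecryptPacket() as the packet number.
//
// Returns nullptr if |nonce| is too short to contain a packet number or if
// DecryptPacket() reports failure. Otherwise returns a heap-allocated QuicData
// holding the plaintext; the caller owns the returned object.
QuicData* DecryptWithNonce(ChaCha20Poly1305Decrypter* decrypter,
                           absl::string_view nonce,
                           absl::string_view associated_data,
                           absl::string_view ciphertext) {
  uint64_t packet_number = 0;
  // Without this guard, nonce.size() - sizeof(packet_number) would wrap
  // around for a short nonce and the memcpy below would read outside |nonce|.
  if (nonce.size() < sizeof(packet_number)) {
    return nullptr;
  }
  const size_t prefix_size = nonce.size() - sizeof(packet_number);
  // NOTE(review): any status reported by SetNoncePrefix() is not checked
  // here; confirm whether a rejected prefix should fail the helper.
  decrypter->SetNoncePrefix(nonce.substr(0, prefix_size));
  // The trailing bytes are copied as-is, i.e. in host byte order.
  // NOTE(review): presumably this mirrors how the decrypter rebuilds the
  // nonce from the packet number; confirm against the decrypter.
  memcpy(&packet_number, nonce.data() + prefix_size, sizeof(packet_number));

  // The output buffer is as large as the ciphertext, and the same value is
  // passed to DecryptPacket() as the maximum output length.
  const size_t max_output_length = ciphertext.length();
  auto output = std::make_unique<char[]>(max_output_length);
  size_t output_length = 0;
  if (!decrypter->DecryptPacket(packet_number, associated_data, ciphertext,
                                output.get(), &output_length,
                                max_output_length)) {
    // |output| is freed here, so nothing is returned to the caller when
    // DecryptPacket() fails.
    return nullptr;
  }
  // Ownership of the buffer moves to the returned QuicData (third argument).
  return new QuicData(output.release(), output_length, true);
}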
137 
// Fixture for the ChaCha20Poly1305Decrypter tests; adds nothing to QuicTest.
class ChaCha20Poly1305DecrypterTest : public QuicTest {};
139 
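// Runs every entry of |test_vectors| through the decrypter. Entries with a
// non-null |pt| must decrypt to exactly that plaintext; entries with a null
// |pt| (tampered inputs) must be rejected.
TEST_F(ChaCha20Poly1305DecrypterTest, Decrypt) {
  // Expected difference between ciphertext and plaintext length, i.e. the
  // size of the authenticator appended to each ciphertext.
  constexpr size_t kExpectedTagSize = 12;

  for (size_t i = 0; test_vectors[i].key != nullptr; i++) {
    // Name the vector in every failure reported from this iteration.
    SCOPED_TRACE(::testing::Message() << "test_vectors[" << i << "]");
    const TestVector& tv = test_vectors[i];

    // If not present then decryption is expected to fail.
    const bool has_pt = tv.pt != nullptr;

    // Decode the test vector.
    std::string key;
    std::string iv;
    std::string fixed;
    std::string aad;
    std::string ct;
    std::string pt;
    ASSERT_TRUE(absl::HexStringToBytes(tv.key, &key));
    ASSERT_TRUE(absl::HexStringToBytes(tv.iv, &iv));
    ASSERT_TRUE(absl::HexStringToBytes(tv.fixed, &fixed));
    ASSERT_TRUE(absl::HexStringToBytes(tv.aad, &aad));
    ASSERT_TRUE(absl::HexStringToBytes(tv.ct, &ct));
    if (has_pt) {
      ASSERT_TRUE(absl::HexStringToBytes(tv.pt, &pt));
    }

    ChaCha20Poly1305Decrypter decrypter;
    ASSERT_TRUE(decrypter.SetKey(key));
    std::unique_ptr<QuicData> decrypted(DecryptWithNonce(
        &decrypter, fixed + iv,
        // This deliberately tests that the decrypter can handle an AAD that
        // is set to nullptr, as opposed to a zero-length, non-nullptr pointer.
        absl::string_view(aad.length() ? aad.data() : nullptr, aad.length()),
        ct));
    if (!decrypted) {
      // A rejected input is only acceptable for vectors without a plaintext.
      EXPECT_FALSE(has_pt);
      continue;
    }
    // Accepting a vector that has no expected plaintext means a tampered
    // input passed authentication.
    EXPECT_TRUE(has_pt);

    EXPECT_EQ(kExpectedTagSize, ct.size() - decrypted->length());
    // Stop here on a length mismatch so the comparison below never reads
    // past the shorter buffer.
    ASSERT_EQ(pt.length(), decrypted->length());
    quiche::test::CompareCharArraysWithHexError(
        "plaintext", decrypted->data(), pt.length(), pt.data(), pt.length());
  }
}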
181 
182 }  // namespace test
183 }  // namespace quic
184