1 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "quiche/quic/core/crypto/aes_128_gcm_decrypter.h"
6
7 #include <memory>
8 #include <string>
9
10 #include "absl/base/macros.h"
11 #include "absl/strings/escaping.h"
12 #include "quiche/quic/core/quic_utils.h"
13 #include "quiche/quic/platform/api/quic_test.h"
14 #include "quiche/quic/test_tools/quic_test_utils.h"
15 #include "quiche/common/test_tools/quiche_test_utils.h"
16
17 namespace {
18
19 // The AES GCM test vectors come from the file gcmDecrypt128.rsp
20 // downloaded from http://csrc.nist.gov/groups/STM/cavp/index.html on
21 // 2013-02-01. The test vectors in that file look like this:
22 //
23 // [Keylen = 128]
24 // [IVlen = 96]
25 // [PTlen = 0]
26 // [AADlen = 0]
27 // [Taglen = 128]
28 //
29 // Count = 0
30 // Key = cf063a34d4a9a76c2c86787d3f96db71
31 // IV = 113b9785971864c83b01c787
32 // CT =
33 // AAD =
34 // Tag = 72ac8493e3a5228b5d130a69d2510e42
35 // PT =
36 //
37 // Count = 1
38 // Key = a49a5e26a2f8cb63d05546c2a62f5343
39 // IV = 907763b19b9b4ab6bd4f0281
40 // CT =
41 // AAD =
42 // Tag = a2be08210d8c470a8df6e8fbd79ec5cf
43 // FAIL
44 //
45 // ...
46 //
47 // The gcmDecrypt128.rsp file is huge (2.6 MB), so I selected just a
48 // few test vectors for this unit test.
49
50 // Describes a group of test vectors that all have a given key length, IV
51 // length, plaintext length, AAD length, and tag length.
52 struct TestGroupInfo {
53 size_t key_len;
54 size_t iv_len;
55 size_t pt_len;
56 size_t aad_len;
57 size_t tag_len;
58 };
59
60 // Each test vector consists of six strings of lowercase hexadecimal digits.
61 // The strings may be empty (zero length). A test vector with a nullptr |key|
62 // marks the end of an array of test vectors.
63 struct TestVector {
64 // Input:
65 const char* key;
66 const char* iv;
67 const char* ct;
68 const char* aad;
69 const char* tag;
70
71 // Expected output:
72 const char* pt; // An empty string "" means decryption succeeded and
73 // the plaintext is zero-length. nullptr means decryption
74 // failed.
75 };
76
77 const TestGroupInfo test_group_info[] = {
78 {128, 96, 0, 0, 128}, {128, 96, 0, 128, 128}, {128, 96, 128, 0, 128},
79 {128, 96, 408, 160, 128}, {128, 96, 408, 720, 128}, {128, 96, 104, 0, 128},
80 };
81
82 const TestVector test_group_0[] = {
83 {"cf063a34d4a9a76c2c86787d3f96db71", "113b9785971864c83b01c787", "", "",
84 "72ac8493e3a5228b5d130a69d2510e42", ""},
85 {
86 "a49a5e26a2f8cb63d05546c2a62f5343", "907763b19b9b4ab6bd4f0281", "", "",
87 "a2be08210d8c470a8df6e8fbd79ec5cf",
88 nullptr // FAIL
89 },
90 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
91
92 const TestVector test_group_1[] = {
93 {
94 "d1f6af919cde85661208bdce0c27cb22", "898c6929b435017bf031c3c5", "",
95 "7c5faa40e636bbc91107e68010c92b9f", "ae45f11777540a2caeb128be8092468a",
96 nullptr // FAIL
97 },
98 {"2370e320d4344208e0ff5683f243b213", "04dbb82f044d30831c441228", "",
99 "d43a8e5089eea0d026c03a85178b27da", "2a049c049d25aa95969b451d93c31c6e",
100 ""},
101 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
102
103 const TestVector test_group_2[] = {
104 {"e98b72a9881a84ca6b76e0f43e68647a", "8b23299fde174053f3d652ba",
105 "5a3c1cf1985dbb8bed818036fdd5ab42", "", "23c7ab0f952b7091cd324835043b5eb5",
106 "28286a321293253c3e0aa2704a278032"},
107 {"33240636cd3236165f1a553b773e728e", "17c4d61493ecdc8f31700b12",
108 "47bb7e23f7bdfe05a8091ac90e4f8b2e", "", "b723c70e931d9785f40fd4ab1d612dc9",
109 "95695a5b12f2870b9cc5fdc8f218a97d"},
110 {
111 "5164df856f1e9cac04a79b808dc5be39", "e76925d5355e0584ce871b2b",
112 "0216c899c88d6e32c958c7e553daa5bc", "",
113 "a145319896329c96df291f64efbe0e3a",
114 nullptr // FAIL
115 },
116 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
117
118 const TestVector test_group_3[] = {
119 {"af57f42c60c0fc5a09adb81ab86ca1c3", "a2dc01871f37025dc0fc9a79",
120 "b9a535864f48ea7b6b1367914978f9bfa087d854bb0e269bed8d279d2eea1210e48947"
121 "338b22f9bad09093276a331e9c79c7f4",
122 "41dc38988945fcb44faf2ef72d0061289ef8efd8",
123 "4f71e72bde0018f555c5adcce062e005",
124 "3803a0727eeb0ade441e0ec107161ded2d425ec0d102f21f51bf2cf9947c7ec4aa7279"
125 "5b2f69b041596e8817d0a3c16f8fadeb"},
126 {"ebc753e5422b377d3cb64b58ffa41b61", "2e1821efaced9acf1f241c9b",
127 "069567190554e9ab2b50a4e1fbf9c147340a5025fdbd201929834eaf6532325899ccb9"
128 "f401823e04b05817243d2142a3589878",
129 "b9673412fd4f88ba0e920f46dd6438ff791d8eef",
130 "534d9234d2351cf30e565de47baece0b",
131 "39077edb35e9c5a4b1e4c2a6b9bb1fce77f00f5023af40333d6d699014c2bcf4209c18"
132 "353a18017f5b36bfc00b1f6dcb7ed485"},
133 {
134 "52bdbbf9cf477f187ec010589cb39d58", "d3be36d3393134951d324b31",
135 "700188da144fa692cf46e4a8499510a53d90903c967f7f13e8a1bd8151a74adc4fe63e"
136 "32b992760b3a5f99e9a47838867000a9",
137 "93c4fc6a4135f54d640b0c976bf755a06a292c33",
138 "8ca4e38aa3dfa6b1d0297021ccf3ea5f",
139 nullptr // FAIL
140 },
141 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
142
143 const TestVector test_group_4[] = {
144 {"da2bb7d581493d692380c77105590201", "44aa3e7856ca279d2eb020c6",
145 "9290d430c9e89c37f0446dbd620c9a6b34b1274aeb6f911f75867efcf95b6feda69f1a"
146 "f4ee16c761b3c9aeac3da03aa9889c88",
147 "4cd171b23bddb3a53cdf959d5c1710b481eb3785a90eb20a2345ee00d0bb7868c367ab"
148 "12e6f4dd1dee72af4eee1d197777d1d6499cc541f34edbf45cda6ef90b3c024f9272d7"
149 "2ec1909fb8fba7db88a4d6f7d3d925980f9f9f72",
150 "9e3ac938d3eb0cadd6f5c9e35d22ba38",
151 "9bbf4c1a2742f6ac80cb4e8a052e4a8f4f07c43602361355b717381edf9fabd4cb7e3a"
152 "d65dbd1378b196ac270588dd0621f642"},
153 {"d74e4958717a9d5c0e235b76a926cae8", "0b7471141e0c70b1995fd7b1",
154 "e701c57d2330bf066f9ff8cf3ca4343cafe4894651cd199bdaaa681ba486b4a65c5a22"
155 "b0f1420be29ea547d42c713bc6af66aa",
156 "4a42b7aae8c245c6f1598a395316e4b8484dbd6e64648d5e302021b1d3fa0a38f46e22"
157 "bd9c8080b863dc0016482538a8562a4bd0ba84edbe2697c76fd039527ac179ec5506cf"
158 "34a6039312774cedebf4961f3978b14a26509f96",
159 "e192c23cb036f0b31592989119eed55d",
160 "840d9fb95e32559fb3602e48590280a172ca36d9b49ab69510f5bd552bfab7a306f85f"
161 "f0a34bc305b88b804c60b90add594a17"},
162 {
163 "1986310c725ac94ecfe6422e75fc3ee7", "93ec4214fa8e6dc4e3afc775",
164 "b178ec72f85a311ac4168f42a4b2c23113fbea4b85f4b9dabb74e143eb1b8b0a361e02"
165 "43edfd365b90d5b325950df0ada058f9",
166 "e80b88e62c49c958b5e0b8b54f532d9ff6aa84c8a40132e93e55b59fc24e8decf28463"
167 "139f155d1e8ce4ee76aaeefcd245baa0fc519f83a5fb9ad9aa40c4b21126013f576c42"
168 "72c2cb136c8fd091cc4539877a5d1e72d607f960",
169 "8b347853f11d75e81e8a95010be81f17",
170 nullptr // FAIL
171 },
172 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
173
174 const TestVector test_group_5[] = {
175 {"387218b246c1a8257748b56980e50c94", "dd7e014198672be39f95b69d",
176 "cdba9e73eaf3d38eceb2b04a8d", "", "ecf90f4a47c9c626d6fb2c765d201556",
177 "48f5b426baca03064554cc2b30"},
178 {"294de463721e359863887c820524b3d4", "3338b35c9d57a5d28190e8c9",
179 "2f46634e74b8e4c89812ac83b9", "", "dabd506764e68b82a7e720aa18da0abe",
180 "46a2e55c8e264df211bd112685"},
181 {"28ead7fd2179e0d12aa6d5d88c58c2dc", "5055347f18b4d5add0ae5c41",
182 "142d8210c3fb84774cdbd0447a", "", "5fd321d9cdb01952dc85f034736c2a7d",
183 "3b95b981086ee73cc4d0cc1422"},
184 {
185 "7d7b6c988137b8d470c57bf674a09c87", "9edf2aa970d016ac962e1fd8",
186 "a85b66c3cb5eab91d5bdc8bc0e", "", "dc054efc01f3afd21d9c2484819f569a",
187 nullptr // FAIL
188 },
189 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
190
191 const TestVector* const test_group_array[] = {
192 test_group_0, test_group_1, test_group_2,
193 test_group_3, test_group_4, test_group_5,
194 };
195
196 } // namespace
197
198 namespace quic {
199 namespace test {
200
201 // DecryptWithNonce wraps the |Decrypt| method of |decrypter| to allow passing
202 // in an nonce and also to allocate the buffer needed for the plaintext.
DecryptWithNonce(Aes128GcmDecrypter * decrypter,absl::string_view nonce,absl::string_view associated_data,absl::string_view ciphertext)203 QuicData* DecryptWithNonce(Aes128GcmDecrypter* decrypter,
204 absl::string_view nonce,
205 absl::string_view associated_data,
206 absl::string_view ciphertext) {
207 decrypter->SetIV(nonce);
208 std::unique_ptr<char[]> output(new char[ciphertext.length()]);
209 size_t output_length = 0;
210 const bool success =
211 decrypter->DecryptPacket(0, associated_data, ciphertext, output.get(),
212 &output_length, ciphertext.length());
213 if (!success) {
214 return nullptr;
215 }
216 return new QuicData(output.release(), output_length, true);
217 }
218
219 class Aes128GcmDecrypterTest : public QuicTest {};
220
TEST_F(Aes128GcmDecrypterTest,Decrypt)221 TEST_F(Aes128GcmDecrypterTest, Decrypt) {
222 for (size_t i = 0; i < ABSL_ARRAYSIZE(test_group_array); i++) {
223 SCOPED_TRACE(i);
224 const TestVector* test_vectors = test_group_array[i];
225 const TestGroupInfo& test_info = test_group_info[i];
226 for (size_t j = 0; test_vectors[j].key != nullptr; j++) {
227 // If not present then decryption is expected to fail.
228 bool has_pt = test_vectors[j].pt;
229
230 // Decode the test vector.
231 std::string key;
232 std::string iv;
233 std::string ct;
234 std::string aad;
235 std::string tag;
236 std::string pt;
237 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].key, &key));
238 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].iv, &iv));
239 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].ct, &ct));
240 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].aad, &aad));
241 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].tag, &tag));
242 if (has_pt) {
243 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].pt, &pt));
244 }
245
246 // The test vector's lengths should look sane. Note that the lengths
247 // in |test_info| are in bits.
248 EXPECT_EQ(test_info.key_len, key.length() * 8);
249 EXPECT_EQ(test_info.iv_len, iv.length() * 8);
250 EXPECT_EQ(test_info.pt_len, ct.length() * 8);
251 EXPECT_EQ(test_info.aad_len, aad.length() * 8);
252 EXPECT_EQ(test_info.tag_len, tag.length() * 8);
253 if (has_pt) {
254 EXPECT_EQ(test_info.pt_len, pt.length() * 8);
255 }
256 std::string ciphertext = ct + tag;
257
258 Aes128GcmDecrypter decrypter;
259 ASSERT_TRUE(decrypter.SetKey(key));
260
261 std::unique_ptr<QuicData> decrypted(DecryptWithNonce(
262 &decrypter, iv,
263 // This deliberately tests that the decrypter can
264 // handle an AAD that is set to nullptr, as opposed
265 // to a zero-length, non-nullptr pointer.
266 aad.length() ? aad : absl::string_view(), ciphertext));
267 if (!decrypted) {
268 EXPECT_FALSE(has_pt);
269 continue;
270 }
271 EXPECT_TRUE(has_pt);
272
273 ASSERT_EQ(pt.length(), decrypted->length());
274 quiche::test::CompareCharArraysWithHexError(
275 "plaintext", decrypted->data(), pt.length(), pt.data(), pt.length());
276 }
277 }
278 }
279
TEST_F(Aes128GcmDecrypterTest,GenerateHeaderProtectionMask)280 TEST_F(Aes128GcmDecrypterTest, GenerateHeaderProtectionMask) {
281 Aes128GcmDecrypter decrypter;
282 std::string key;
283 std::string sample;
284 std::string expected_mask;
285 ASSERT_TRUE(absl::HexStringToBytes("d9132370cb18476ab833649cf080d970", &key));
286 ASSERT_TRUE(
287 absl::HexStringToBytes("d1d7998068517adb769b48b924a32c47", &sample));
288 ASSERT_TRUE(absl::HexStringToBytes("b132c37d6164da4ea4dc9b763aceec27",
289 &expected_mask));
290 QuicDataReader sample_reader(sample.data(), sample.size());
291 ASSERT_TRUE(decrypter.SetHeaderProtectionKey(key));
292 std::string mask = decrypter.GenerateHeaderProtectionMask(&sample_reader);
293 quiche::test::CompareCharArraysWithHexError(
294 "header protection mask", mask.data(), mask.size(), expected_mask.data(),
295 expected_mask.size());
296 }
297
298 } // namespace test
299 } // namespace quic
300