1 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "quiche/quic/core/crypto/aes_128_gcm_encrypter.h"
6
7 #include <memory>
8 #include <string>
9
10 #include "absl/base/macros.h"
11 #include "absl/strings/escaping.h"
12 #include "quiche/quic/core/quic_utils.h"
13 #include "quiche/quic/platform/api/quic_test.h"
14 #include "quiche/quic/test_tools/quic_test_utils.h"
15 #include "quiche/common/test_tools/quiche_test_utils.h"
16
17 namespace {
18
19 // The AES GCM test vectors come from the file gcmEncryptExtIV128.rsp
20 // downloaded from http://csrc.nist.gov/groups/STM/cavp/index.html on
21 // 2013-02-01. The test vectors in that file look like this:
22 //
23 // [Keylen = 128]
24 // [IVlen = 96]
25 // [PTlen = 0]
26 // [AADlen = 0]
27 // [Taglen = 128]
28 //
29 // Count = 0
30 // Key = 11754cd72aec309bf52f7687212e8957
31 // IV = 3c819d9a9bed087615030b65
32 // PT =
33 // AAD =
34 // CT =
35 // Tag = 250327c674aaf477aef2675748cf6971
36 //
37 // Count = 1
38 // Key = ca47248ac0b6f8372a97ac43508308ed
39 // IV = ffd2b598feabc9019262d2be
40 // PT =
41 // AAD =
42 // CT =
43 // Tag = 60d20404af527d248d893ae495707d1a
44 //
45 // ...
46 //
47 // The gcmEncryptExtIV128.rsp file is huge (2.8 MB), so I selected just a
48 // few test vectors for this unit test.
49
50 // Describes a group of test vectors that all have a given key length, IV
51 // length, plaintext length, AAD length, and tag length.
52 struct TestGroupInfo {
53 size_t key_len;
54 size_t iv_len;
55 size_t pt_len;
56 size_t aad_len;
57 size_t tag_len;
58 };
59
60 // Each test vector consists of six strings of lowercase hexadecimal digits.
61 // The strings may be empty (zero length). A test vector with a nullptr |key|
62 // marks the end of an array of test vectors.
63 struct TestVector {
64 const char* key;
65 const char* iv;
66 const char* pt;
67 const char* aad;
68 const char* ct;
69 const char* tag;
70 };
71
72 const TestGroupInfo test_group_info[] = {
73 {128, 96, 0, 0, 128}, {128, 96, 0, 128, 128}, {128, 96, 128, 0, 128},
74 {128, 96, 408, 160, 128}, {128, 96, 408, 720, 128}, {128, 96, 104, 0, 128},
75 };
76
77 const TestVector test_group_0[] = {
78 {"11754cd72aec309bf52f7687212e8957", "3c819d9a9bed087615030b65", "", "", "",
79 "250327c674aaf477aef2675748cf6971"},
80 {"ca47248ac0b6f8372a97ac43508308ed", "ffd2b598feabc9019262d2be", "", "", "",
81 "60d20404af527d248d893ae495707d1a"},
82 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
83
84 const TestVector test_group_1[] = {
85 {"77be63708971c4e240d1cb79e8d77feb", "e0e00f19fed7ba0136a797f3", "",
86 "7a43ec1d9c0a5a78a0b16533a6213cab", "",
87 "209fcc8d3675ed938e9c7166709dd946"},
88 {"7680c5d3ca6154758e510f4d25b98820", "f8f105f9c3df4965780321f8", "",
89 "c94c410194c765e3dcc7964379758ed3", "",
90 "94dca8edfcf90bb74b153c8d48a17930"},
91 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
92
93 const TestVector test_group_2[] = {
94 {"7fddb57453c241d03efbed3ac44e371c", "ee283a3fc75575e33efd4887",
95 "d5de42b461646c255c87bd2962d3b9a2", "", "2ccda4a5415cb91e135c2a0f78c9b2fd",
96 "b36d1df9b9d5e596f83e8b7f52971cb3"},
97 {"ab72c77b97cb5fe9a382d9fe81ffdbed", "54cc7dc2c37ec006bcc6d1da",
98 "007c5e5b3e59df24a7c355584fc1518d", "", "0e1bde206a07a9c2c1b65300f8c64997",
99 "2b4401346697138c7a4891ee59867d0c"},
100 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
101
102 const TestVector test_group_3[] = {
103 {"fe47fcce5fc32665d2ae399e4eec72ba", "5adb9609dbaeb58cbd6e7275",
104 "7c0e88c88899a779228465074797cd4c2e1498d259b54390b85e3eef1c02df60e743f1"
105 "b840382c4bccaf3bafb4ca8429bea063",
106 "88319d6e1d3ffa5f987199166c8a9b56c2aeba5a",
107 "98f4826f05a265e6dd2be82db241c0fbbbf9ffb1c173aa83964b7cf539304373636525"
108 "3ddbc5db8778371495da76d269e5db3e",
109 "291ef1982e4defedaa2249f898556b47"},
110 {"ec0c2ba17aa95cd6afffe949da9cc3a8", "296bce5b50b7d66096d627ef",
111 "b85b3753535b825cbe5f632c0b843c741351f18aa484281aebec2f45bb9eea2d79d987"
112 "b764b9611f6c0f8641843d5d58f3a242",
113 "f8d00f05d22bf68599bcdeb131292ad6e2df5d14",
114 "a7443d31c26bdf2a1c945e29ee4bd344a99cfaf3aa71f8b3f191f83c2adfc7a0716299"
115 "5506fde6309ffc19e716eddf1a828c5a",
116 "890147971946b627c40016da1ecf3e77"},
117 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
118
119 const TestVector test_group_4[] = {
120 {"2c1f21cf0f6fb3661943155c3e3d8492", "23cb5ff362e22426984d1907",
121 "42f758836986954db44bf37c6ef5e4ac0adaf38f27252a1b82d02ea949c8a1a2dbc0d6"
122 "8b5615ba7c1220ff6510e259f06655d8",
123 "5d3624879d35e46849953e45a32a624d6a6c536ed9857c613b572b0333e701557a713e"
124 "3f010ecdf9a6bd6c9e3e44b065208645aff4aabee611b391528514170084ccf587177f"
125 "4488f33cfb5e979e42b6e1cfc0a60238982a7aec",
126 "81824f0e0d523db30d3da369fdc0d60894c7a0a20646dd015073ad2732bd989b14a222"
127 "b6ad57af43e1895df9dca2a5344a62cc",
128 "57a3ee28136e94c74838997ae9823f3a"},
129 {"d9f7d2411091f947b4d6f1e2d1f0fb2e", "e1934f5db57cc983e6b180e7",
130 "73ed042327f70fe9c572a61545eda8b2a0c6e1d6c291ef19248e973aee6c312012f490"
131 "c2c6f6166f4a59431e182663fcaea05a",
132 "0a8a18a7150e940c3d87b38e73baee9a5c049ee21795663e264b694a949822b639092d"
133 "0e67015e86363583fcf0ca645af9f43375f05fdb4ce84f411dcbca73c2220dea03a201"
134 "15d2e51398344b16bee1ed7c499b353d6c597af8",
135 "aaadbd5c92e9151ce3db7210b8714126b73e43436d242677afa50384f2149b831f1d57"
136 "3c7891c2a91fbc48db29967ec9542b23",
137 "21b51ca862cb637cdd03b99a0f93b134"},
138 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
139
140 const TestVector test_group_5[] = {
141 {"fe9bb47deb3a61e423c2231841cfd1fb", "4d328eb776f500a2f7fb47aa",
142 "f1cc3818e421876bb6b8bbd6c9", "", "b88c5c1977b35b517b0aeae967",
143 "43fd4727fe5cdb4b5b42818dea7ef8c9"},
144 {"6703df3701a7f54911ca72e24dca046a", "12823ab601c350ea4bc2488c",
145 "793cd125b0b84a043e3ac67717", "", "b2051c80014f42f08735a7b0cd",
146 "38e6bcd29962e5f2c13626b85a877101"},
147 {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
148
149 const TestVector* const test_group_array[] = {
150 test_group_0, test_group_1, test_group_2,
151 test_group_3, test_group_4, test_group_5,
152 };
153
154 } // namespace
155
156 namespace quic {
157 namespace test {
158
159 // EncryptWithNonce wraps the |Encrypt| method of |encrypter| to allow passing
160 // in an nonce and also to allocate the buffer needed for the ciphertext.
EncryptWithNonce(Aes128GcmEncrypter * encrypter,absl::string_view nonce,absl::string_view associated_data,absl::string_view plaintext)161 QuicData* EncryptWithNonce(Aes128GcmEncrypter* encrypter,
162 absl::string_view nonce,
163 absl::string_view associated_data,
164 absl::string_view plaintext) {
165 size_t ciphertext_size = encrypter->GetCiphertextSize(plaintext.length());
166 std::unique_ptr<char[]> ciphertext(new char[ciphertext_size]);
167
168 if (!encrypter->Encrypt(nonce, associated_data, plaintext,
169 reinterpret_cast<unsigned char*>(ciphertext.get()))) {
170 return nullptr;
171 }
172
173 return new QuicData(ciphertext.release(), ciphertext_size, true);
174 }
175
176 class Aes128GcmEncrypterTest : public QuicTest {};
177
TEST_F(Aes128GcmEncrypterTest,Encrypt)178 TEST_F(Aes128GcmEncrypterTest, Encrypt) {
179 for (size_t i = 0; i < ABSL_ARRAYSIZE(test_group_array); i++) {
180 SCOPED_TRACE(i);
181 const TestVector* test_vectors = test_group_array[i];
182 const TestGroupInfo& test_info = test_group_info[i];
183 for (size_t j = 0; test_vectors[j].key != nullptr; j++) {
184 // Decode the test vector.
185 std::string key;
186 std::string iv;
187 std::string pt;
188 std::string aad;
189 std::string ct;
190 std::string tag;
191 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].key, &key));
192 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].iv, &iv));
193 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].pt, &pt));
194 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].aad, &aad));
195 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].ct, &ct));
196 ASSERT_TRUE(absl::HexStringToBytes(test_vectors[j].tag, &tag));
197
198 // The test vector's lengths should look sane. Note that the lengths
199 // in |test_info| are in bits.
200 EXPECT_EQ(test_info.key_len, key.length() * 8);
201 EXPECT_EQ(test_info.iv_len, iv.length() * 8);
202 EXPECT_EQ(test_info.pt_len, pt.length() * 8);
203 EXPECT_EQ(test_info.aad_len, aad.length() * 8);
204 EXPECT_EQ(test_info.pt_len, ct.length() * 8);
205 EXPECT_EQ(test_info.tag_len, tag.length() * 8);
206
207 Aes128GcmEncrypter encrypter;
208 ASSERT_TRUE(encrypter.SetKey(key));
209 std::unique_ptr<QuicData> encrypted(
210 EncryptWithNonce(&encrypter, iv,
211 // This deliberately tests that the encrypter can
212 // handle an AAD that is set to nullptr, as opposed
213 // to a zero-length, non-nullptr pointer.
214 aad.length() ? aad : absl::string_view(), pt));
215 ASSERT_TRUE(encrypted.get());
216
217 ASSERT_EQ(ct.length() + tag.length(), encrypted->length());
218 quiche::test::CompareCharArraysWithHexError(
219 "ciphertext", encrypted->data(), ct.length(), ct.data(), ct.length());
220 quiche::test::CompareCharArraysWithHexError(
221 "authentication tag", encrypted->data() + ct.length(), tag.length(),
222 tag.data(), tag.length());
223 }
224 }
225 }
226
TEST_F(Aes128GcmEncrypterTest,EncryptPacket)227 TEST_F(Aes128GcmEncrypterTest, EncryptPacket) {
228 std::string key;
229 std::string iv;
230 std::string aad;
231 std::string pt;
232 std::string ct;
233 ASSERT_TRUE(absl::HexStringToBytes("d95a145250826c25a77b6a84fd4d34fc", &key));
234 ASSERT_TRUE(absl::HexStringToBytes("50c4431ebb18283448e276e2", &iv));
235 ASSERT_TRUE(
236 absl::HexStringToBytes("875d49f64a70c9cbe713278f44ff000005", &aad));
237 ASSERT_TRUE(absl::HexStringToBytes("aa0003a250bd000000000001", &pt));
238 ASSERT_TRUE(absl::HexStringToBytes(
239 "7dd4708b989ee7d38a013e3656e9b37beefd05808fe1ab41e3b4f2c0", &ct));
240 uint64_t packet_num = 0x13278f44;
241
242 std::vector<char> out(ct.size());
243 size_t out_size;
244
245 Aes128GcmEncrypter encrypter;
246 ASSERT_TRUE(encrypter.SetKey(key));
247 ASSERT_TRUE(encrypter.SetIV(iv));
248 ASSERT_TRUE(encrypter.EncryptPacket(packet_num, aad, pt, out.data(),
249 &out_size, out.size()));
250 EXPECT_EQ(out_size, out.size());
251 quiche::test::CompareCharArraysWithHexError("ciphertext", out.data(),
252 out.size(), ct.data(), ct.size());
253 }
254
TEST_F(Aes128GcmEncrypterTest,GetMaxPlaintextSize)255 TEST_F(Aes128GcmEncrypterTest, GetMaxPlaintextSize) {
256 Aes128GcmEncrypter encrypter;
257 EXPECT_EQ(1000u, encrypter.GetMaxPlaintextSize(1016));
258 EXPECT_EQ(100u, encrypter.GetMaxPlaintextSize(116));
259 EXPECT_EQ(10u, encrypter.GetMaxPlaintextSize(26));
260 }
261
TEST_F(Aes128GcmEncrypterTest,GetCiphertextSize)262 TEST_F(Aes128GcmEncrypterTest, GetCiphertextSize) {
263 Aes128GcmEncrypter encrypter;
264 EXPECT_EQ(1016u, encrypter.GetCiphertextSize(1000));
265 EXPECT_EQ(116u, encrypter.GetCiphertextSize(100));
266 EXPECT_EQ(26u, encrypter.GetCiphertextSize(10));
267 }
268
TEST_F(Aes128GcmEncrypterTest,GenerateHeaderProtectionMask)269 TEST_F(Aes128GcmEncrypterTest, GenerateHeaderProtectionMask) {
270 Aes128GcmEncrypter encrypter;
271 std::string key;
272 std::string sample;
273 std::string expected_mask;
274 ASSERT_TRUE(absl::HexStringToBytes("d9132370cb18476ab833649cf080d970", &key));
275 ASSERT_TRUE(
276 absl::HexStringToBytes("d1d7998068517adb769b48b924a32c47", &sample));
277 ASSERT_TRUE(absl::HexStringToBytes("b132c37d6164da4ea4dc9b763aceec27",
278 &expected_mask));
279 ASSERT_TRUE(encrypter.SetHeaderProtectionKey(key));
280 std::string mask = encrypter.GenerateHeaderProtectionMask(sample);
281 quiche::test::CompareCharArraysWithHexError(
282 "header protection mask", mask.data(), mask.size(), expected_mask.data(),
283 expected_mask.size());
284 }
285
286 } // namespace test
287 } // namespace quic
288