1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "quiche/quic/core/crypto/chacha20_poly1305_tls_decrypter.h"
6
7 #include <memory>
8 #include <string>
9
10 #include "absl/strings/escaping.h"
11 #include "absl/strings/string_view.h"
12 #include "quiche/quic/core/quic_utils.h"
13 #include "quiche/quic/platform/api/quic_test.h"
14 #include "quiche/quic/test_tools/quic_test_utils.h"
15 #include "quiche/common/test_tools/quiche_test_utils.h"
16
17 namespace {
18
19 // The test vectors come from RFC 7539 Section 2.8.2.
20
// One known-answer case for the decrypter. All six members hold lowercase
// hexadecimal text, and any of them may be zero-length. An array of these is
// terminated by an entry whose |key| is nullptr.
struct TestVector {
  // Inputs to the decrypter.
  char const* key;
  char const* iv;
  char const* fixed;
  char const* aad;
  char const* ct;

  // Expected result:
  //   nullptr  - decryption must fail;
  //   ""       - decryption succeeds with a zero-length plaintext;
  //   other    - the plaintext, hex-encoded.
  char const* pt;
};
37
// Known-answer vectors for the Decrypt test. Fields appear in TestVector
// order: key, iv, fixed, aad, ct, pt. The Decrypt test concatenates |fixed|
// and |iv|, in that order, to form the nonce it hands to the decrypter.
const TestVector test_vectors[] = {
    // Unmodified vector: |pt| is non-null, so decryption must succeed and
    // produce exactly this plaintext.
    {// key
     "808182838485868788898a8b8c8d8e8f"
     "909192939495969798999a9b9c9d9e9f",

     // iv
     "4041424344454647",

     // fixed
     "07000000",

     // aad
     "50515253c0c1c2c3c4c5c6c7",

     // ct: the final 16 bytes (last literal below) are the Poly1305
     // authenticator that the next vector tampers with.
     "d31a8d34648e60db7b86afbc53ef7ec2"
     "a4aded51296e08fea9e2b5a736ee62d6"
     "3dbea45e8ca9671282fafb69da92728b"
     "1a71de0a9e060b2905d6a5b67ecd3b36"
     "92ddbd7f2d778b8c9803aee328091b58"
     "fab324e4fad675945585808b4831d7bc"
     "3ff4def08e4b7a9de576d26586cec64b"
     "6116"
     "1ae10b594f09e26a7e902ecbd0600691",

     // pt
     "4c616469657320616e642047656e746c"
     "656d656e206f662074686520636c6173"
     "73206f66202739393a20496620492063"
     "6f756c64206f6666657220796f75206f"
     "6e6c79206f6e652074697020666f7220"
     "746865206675747572652c2073756e73"
     "637265656e20776f756c642062652069"
     "742e"},
    // Modify the ciphertext (Poly1305 authenticator). Identical to the first
    // vector except for one byte in the last literal of |ct| (cb -> cc).
    // |pt| is nullptr, so decryption must be rejected.
    {// key
     "808182838485868788898a8b8c8d8e8f"
     "909192939495969798999a9b9c9d9e9f",

     // iv
     "4041424344454647",

     // fixed
     "07000000",

     // aad
     "50515253c0c1c2c3c4c5c6c7",

     // ct, with the altered byte in the last literal
     "d31a8d34648e60db7b86afbc53ef7ec2"
     "a4aded51296e08fea9e2b5a736ee62d6"
     "3dbea45e8ca9671282fafb69da92728b"
     "1a71de0a9e060b2905d6a5b67ecd3b36"
     "92ddbd7f2d778b8c9803aee328091b58"
     "fab324e4fad675945585808b4831d7bc"
     "3ff4def08e4b7a9de576d26586cec64b"
     "6116"
     "1ae10b594f09e26a7e902eccd0600691",

     // pt: decryption is expected to fail
     nullptr},
    // Modify the associated data. Identical to the first vector except for
    // the first byte of |aad| (50 -> 60). The ciphertext is untouched, so a
    // rejection here shows that the associated data is authenticated too.
    {// key
     "808182838485868788898a8b8c8d8e8f"
     "909192939495969798999a9b9c9d9e9f",

     // iv
     "4041424344454647",

     // fixed
     "07000000",

     // aad, with the altered first byte
     "60515253c0c1c2c3c4c5c6c7",

     // ct
     "d31a8d34648e60db7b86afbc53ef7ec2"
     "a4aded51296e08fea9e2b5a736ee62d6"
     "3dbea45e8ca9671282fafb69da92728b"
     "1a71de0a9e060b2905d6a5b67ecd3b36"
     "92ddbd7f2d778b8c9803aee328091b58"
     "fab324e4fad675945585808b4831d7bc"
     "3ff4def08e4b7a9de576d26586cec64b"
     "6116"
     "1ae10b594f09e26a7e902ecbd0600691",

     // pt: decryption is expected to fail
     nullptr},
    // Terminator: the nullptr |key| ends the array.
    {nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
109
110 } // namespace
111
112 namespace quic {
113 namespace test {
114
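// DecryptWithNonce wraps the |DecryptPacket| method of |decrypter| so that a
// test can pass in a nonce and have the plaintext buffer allocated for it.
//
// |nonce| is installed with SetIV() and the packet is then decrypted with
// packet number 0 into a buffer of ciphertext.length() bytes.
//
// Returns a newly allocated QuicData holding the plaintext, which the caller
// must take ownership of, or nullptr if decryption failed. A nonce rejected
// by SetIV() also returns nullptr, but additionally records a test failure.
QuicData* DecryptWithNonce(ChaCha20Poly1305TlsDecrypter* decrypter,
                           absl::string_view nonce,
                           absl::string_view associated_data,
                           absl::string_view ciphertext) {
  // Do not ignore the result of SetIV(). Callers read nullptr as "the AEAD
  // rejected the input", so a nonce that was never installed would let the
  // tampered-ciphertext and tampered-AAD vectors pass without the
  // authenticator being the reason for the rejection.
  const bool iv_set = decrypter->SetIV(nonce);
  EXPECT_TRUE(iv_set) << "SetIV rejected a " << nonce.length()
                      << "-byte nonce";
  if (!iv_set) {
    return nullptr;
  }

  // The output buffer is sized to the ciphertext and that same length is
  // passed as the maximum output length.
  std::unique_ptr<char[]> output(new char[ciphertext.length()]);
  size_t output_length = 0;
  const bool success =
      decrypter->DecryptPacket(0, associated_data, ciphertext, output.get(),
                               &output_length, ciphertext.length());
  if (!success) {
    // |output| is freed here; no partial plaintext is handed to the caller.
    return nullptr;
  }
  // The buffer is released to the QuicData, whose third argument (true) marks
  // it as the owner of that buffer.
  return new QuicData(output.release(), output_length, true);
}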
132
// Fixture for the ChaCha20Poly1305TlsDecrypter tests in this file. It adds no
// members of its own to QuicTest.
class ChaCha20Poly1305TlsDecrypterTest : public QuicTest {};
134
// Runs every entry of |test_vectors| through the decrypter. Vectors with a
// plaintext must decrypt to exactly that plaintext; vectors without one
// (tampered authenticator or associated data) must be rejected.
TEST_F(ChaCha20Poly1305TlsDecrypterTest, Decrypt) {
  for (const TestVector* vector = test_vectors; vector->key != nullptr;
       ++vector) {
    // A vector with no plaintext is one whose decryption must fail.
    const bool expect_success = (vector->pt != nullptr);

    // Hex-decode each field of the vector.
    std::string key_bytes;
    ASSERT_TRUE(absl::HexStringToBytes(vector->key, &key_bytes));
    std::string iv_bytes;
    ASSERT_TRUE(absl::HexStringToBytes(vector->iv, &iv_bytes));
    std::string fixed_bytes;
    ASSERT_TRUE(absl::HexStringToBytes(vector->fixed, &fixed_bytes));
    std::string aad_bytes;
    ASSERT_TRUE(absl::HexStringToBytes(vector->aad, &aad_bytes));
    std::string ct_bytes;
    ASSERT_TRUE(absl::HexStringToBytes(vector->ct, &ct_bytes));
    std::string pt_bytes;
    if (expect_success) {
      ASSERT_TRUE(absl::HexStringToBytes(vector->pt, &pt_bytes));
    }

    ChaCha20Poly1305TlsDecrypter decrypter;
    ASSERT_TRUE(decrypter.SetKey(key_bytes));

    // The nonce is the fixed part followed by the IV.
    const std::string nonce = fixed_bytes + iv_bytes;

    // This deliberately tests that the decrypter can handle an AAD that is
    // set to nullptr, as opposed to a zero-length, non-nullptr pointer.
    const char* aad_ptr = aad_bytes.empty() ? nullptr : aad_bytes.data();
    const absl::string_view aad_view(aad_ptr, aad_bytes.length());

    std::unique_ptr<QuicData> decrypted(
        DecryptWithNonce(&decrypter, nonce, aad_view, ct_bytes));
    if (decrypted == nullptr) {
      // Rejection is only acceptable for the vectors marked as failing.
      EXPECT_FALSE(expect_success);
      continue;
    }
    // Conversely, a vector marked as failing must never yield plaintext.
    EXPECT_TRUE(expect_success);

    // The plaintext is expected to be 16 bytes shorter than the input, the
    // size of the Poly1305 authenticator appended to the ciphertext.
    EXPECT_EQ(16u, ct_bytes.size() - decrypted->length());
    ASSERT_EQ(pt_bytes.length(), decrypted->length());
    quiche::test::CompareCharArraysWithHexError(
        "plaintext", decrypted->data(), pt_bytes.length(), pt_bytes.data(),
        pt_bytes.length());
  }
}
176
// Known-answer check of the header protection mask: a fixed header protection
// key and a fixed 16-byte sample must produce the expected 5-byte mask.
TEST_F(ChaCha20Poly1305TlsDecrypterTest, GenerateHeaderProtectionMask) {
  ChaCha20Poly1305TlsDecrypter decrypter;

  // Hex-decode the key, the sample and the expected mask.
  std::string hp_key;
  std::string sample_bytes;
  std::string want_mask;
  ASSERT_TRUE(absl::HexStringToBytes(
      "6a067f432787bd6034dd3f08f07fc9703a27e58c70e2d88d948b7f6489923cc7",
      &hp_key));
  ASSERT_TRUE(absl::HexStringToBytes("1210d91cceb45c716b023f492c29e612",
                                     &sample_bytes));
  ASSERT_TRUE(absl::HexStringToBytes("1cc2cd98dc", &want_mask));

  // The mask is generated from a reader positioned at the start of the sample.
  QuicDataReader sample_reader(sample_bytes.data(), sample_bytes.size());
  ASSERT_TRUE(decrypter.SetHeaderProtectionKey(hp_key));
  const std::string got_mask =
      decrypter.GenerateHeaderProtectionMask(&sample_reader);

  quiche::test::CompareCharArraysWithHexError(
      "header protection mask", got_mask.data(), got_mask.size(),
      want_mask.data(), want_mask.size());
}
195
196 } // namespace test
197 } // namespace quic
198