1 // Copyright 2023, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 use bssl_avf::{Aead, AeadContext, ApiName, CipherError, Error, ReasonCode, Result};
16
17 /// The following vectors are generated randomly with:
18 /// `hexdump -vn32 -e'32/1 "0x%02x, " 1 "\n"' /dev/urandom`
19 const KEY1: [u8; 32] = [
20 0xdb, 0x16, 0xcc, 0xbf, 0xf0, 0xc4, 0xbc, 0x93, 0xc3, 0x5f, 0x11, 0xc5, 0xfa, 0xae, 0x03, 0x6c,
21 0x75, 0x40, 0x1f, 0x60, 0xb6, 0x3e, 0xb9, 0x2a, 0x6c, 0x84, 0x06, 0x4b, 0x36, 0x7f, 0xed, 0xdb,
22 ];
23 const KEY2: [u8; 32] = [
24 0xaa, 0x57, 0x7a, 0x1a, 0x8b, 0xa2, 0x59, 0x3b, 0xad, 0x5f, 0x4d, 0x29, 0xe1, 0x0c, 0xaa, 0x85,
25 0xde, 0xf9, 0xad, 0xad, 0x8c, 0x11, 0x0c, 0x2e, 0x13, 0x43, 0xd7, 0xdf, 0x2a, 0x43, 0xb9, 0xdd,
26 ];
27 /// The following vectors are generated randomly with:
28 /// Generated with `hexdump -vn12 -e'12/1 "0x%02x, " 1 "\n"' /dev/urandom`
29 const AES_256_GCM_NONCE1: [u8; 12] =
30 [0x56, 0x96, 0x73, 0xe1, 0xc6, 0x3d, 0xca, 0x9a, 0x2f, 0xad, 0x3b, 0xeb];
31 const AES_256_GCM_NONCE2: [u8; 12] =
32 [0xa0, 0x27, 0xea, 0x3a, 0x29, 0xfa, 0x8a, 0x49, 0x35, 0x07, 0x32, 0xec];
33 const MESSAGE: &[u8] = b"aead_aes_256_gcm test message";
34
35 #[test]
aes_256_gcm_encrypts_and_decrypts_successfully() -> Result<()>36 fn aes_256_gcm_encrypts_and_decrypts_successfully() -> Result<()> {
37 let ciphertext = aes_256_gcm_encrypt(MESSAGE)?;
38 let tag_len = None;
39
40 let ad = &[];
41 let aead_ctx = AeadContext::new(Aead::aes_256_gcm(), &KEY1, tag_len)?;
42 let mut out = vec![0u8; ciphertext.len()];
43
44 let plaintext = aead_ctx.open(&ciphertext, &AES_256_GCM_NONCE1, ad, &mut out)?;
45
46 assert_eq!(MESSAGE, plaintext);
47 Ok(())
48 }
49
50 #[test]
aes_256_gcm_fails_to_encrypt_with_invalid_nonce() -> Result<()>51 fn aes_256_gcm_fails_to_encrypt_with_invalid_nonce() -> Result<()> {
52 let tag_len = None;
53 let aead_ctx = AeadContext::new(Aead::aes_256_gcm(), &KEY1, tag_len)?;
54 let nonce = &[];
55 let ad = &[];
56 let mut out = vec![0u8; MESSAGE.len() + aead_ctx.aead().max_overhead()];
57
58 let err = aead_ctx.seal(MESSAGE, nonce, ad, &mut out).unwrap_err();
59
60 let expected_err = Error::CallFailed(
61 ApiName::EVP_AEAD_CTX_seal,
62 ReasonCode::Cipher(CipherError::InvalidNonceSize),
63 );
64 assert_eq!(expected_err, err);
65 Ok(())
66 }
67
68 #[test]
aes_256_gcm_fails_to_decrypt_with_wrong_key() -> Result<()>69 fn aes_256_gcm_fails_to_decrypt_with_wrong_key() -> Result<()> {
70 let ciphertext = aes_256_gcm_encrypt(MESSAGE)?;
71 let tag_len = None;
72
73 let ad = &[];
74 let aead_ctx2 = AeadContext::new(Aead::aes_256_gcm(), &KEY2, tag_len)?;
75 let mut plaintext = vec![0u8; ciphertext.len()];
76
77 let err = aead_ctx2.open(&ciphertext, &AES_256_GCM_NONCE1, ad, &mut plaintext).unwrap_err();
78
79 let expected_err =
80 Error::CallFailed(ApiName::EVP_AEAD_CTX_open, ReasonCode::Cipher(CipherError::BadDecrypt));
81 assert_eq!(expected_err, err);
82 Ok(())
83 }
84
85 #[test]
aes_256_gcm_fails_to_decrypt_with_different_ad() -> Result<()>86 fn aes_256_gcm_fails_to_decrypt_with_different_ad() -> Result<()> {
87 let ciphertext = aes_256_gcm_encrypt(MESSAGE)?;
88 let tag_len = None;
89
90 let ad2 = &[1];
91 let aead_ctx = AeadContext::new(Aead::aes_256_gcm(), &KEY1, tag_len)?;
92 let mut plaintext = vec![0u8; ciphertext.len()];
93
94 let err = aead_ctx.open(&ciphertext, &AES_256_GCM_NONCE1, ad2, &mut plaintext).unwrap_err();
95
96 let expected_err =
97 Error::CallFailed(ApiName::EVP_AEAD_CTX_open, ReasonCode::Cipher(CipherError::BadDecrypt));
98 assert_eq!(expected_err, err);
99 Ok(())
100 }
101
102 #[test]
aes_256_gcm_fails_to_decrypt_with_different_nonce() -> Result<()>103 fn aes_256_gcm_fails_to_decrypt_with_different_nonce() -> Result<()> {
104 let ciphertext = aes_256_gcm_encrypt(MESSAGE)?;
105 let tag_len = None;
106
107 let ad = &[];
108 let aead_ctx = AeadContext::new(Aead::aes_256_gcm(), &KEY1, tag_len)?;
109 let mut plaintext = vec![0u8; ciphertext.len()];
110
111 let err = aead_ctx.open(&ciphertext, &AES_256_GCM_NONCE2, ad, &mut plaintext).unwrap_err();
112
113 let expected_err =
114 Error::CallFailed(ApiName::EVP_AEAD_CTX_open, ReasonCode::Cipher(CipherError::BadDecrypt));
115 assert_eq!(expected_err, err);
116 Ok(())
117 }
118
119 #[test]
aes_256_gcm_fails_to_decrypt_corrupted_ciphertext() -> Result<()>120 fn aes_256_gcm_fails_to_decrypt_corrupted_ciphertext() -> Result<()> {
121 let mut ciphertext = aes_256_gcm_encrypt(MESSAGE)?;
122 ciphertext[1] = !ciphertext[1];
123 let tag_len = None;
124
125 let ad = &[];
126 let aead_ctx = AeadContext::new(Aead::aes_256_gcm(), &KEY1, tag_len)?;
127 let mut plaintext = vec![0u8; ciphertext.len()];
128
129 let err = aead_ctx.open(&ciphertext, &AES_256_GCM_NONCE1, ad, &mut plaintext).unwrap_err();
130
131 let expected_err =
132 Error::CallFailed(ApiName::EVP_AEAD_CTX_open, ReasonCode::Cipher(CipherError::BadDecrypt));
133 assert_eq!(expected_err, err);
134 Ok(())
135 }
136
aes_256_gcm_encrypt(message: &[u8]) -> Result<Vec<u8>>137 fn aes_256_gcm_encrypt(message: &[u8]) -> Result<Vec<u8>> {
138 let tag_len = None;
139 let aead_ctx = AeadContext::new(Aead::aes_256_gcm(), &KEY1, tag_len)?;
140 let mut out = vec![0u8; message.len() + aead_ctx.aead().max_overhead()];
141
142 assert_eq!(aead_ctx.aead().nonce_length(), AES_256_GCM_NONCE1.len());
143 let ad = &[];
144
145 let ciphertext = aead_ctx.seal(message, &AES_256_GCM_NONCE1, ad, &mut out)?;
146 assert_ne!(message, ciphertext);
147 Ok(ciphertext.to_vec())
148 }
149