1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/quic/crypto/aes_128_gcm_12_decrypter.h" 6 7 #include "net/quic/test_tools/quic_test_utils.h" 8 9 using base::StringPiece; 10 11 namespace { 12 13 // The AES GCM test vectors come from the file gcmDecrypt128.rsp 14 // downloaded from http://csrc.nist.gov/groups/STM/cavp/index.html on 15 // 2013-02-01. The test vectors in that file look like this: 16 // 17 // [Keylen = 128] 18 // [IVlen = 96] 19 // [PTlen = 0] 20 // [AADlen = 0] 21 // [Taglen = 128] 22 // 23 // Count = 0 24 // Key = cf063a34d4a9a76c2c86787d3f96db71 25 // IV = 113b9785971864c83b01c787 26 // CT = 27 // AAD = 28 // Tag = 72ac8493e3a5228b5d130a69d2510e42 29 // PT = 30 // 31 // Count = 1 32 // Key = a49a5e26a2f8cb63d05546c2a62f5343 33 // IV = 907763b19b9b4ab6bd4f0281 34 // CT = 35 // AAD = 36 // Tag = a2be08210d8c470a8df6e8fbd79ec5cf 37 // FAIL 38 // 39 // ... 40 // 41 // The gcmDecrypt128.rsp file is huge (2.6 MB), so I selected just a 42 // few test vectors for this unit test. 43 44 // Describes a group of test vectors that all have a given key length, IV 45 // length, plaintext length, AAD length, and tag length. 46 struct TestGroupInfo { 47 size_t key_len; 48 size_t iv_len; 49 size_t pt_len; 50 size_t aad_len; 51 size_t tag_len; 52 }; 53 54 // Each test vector consists of six strings of lowercase hexadecimal digits. 55 // The strings may be empty (zero length). A test vector with a NULL |key| 56 // marks the end of an array of test vectors. 57 struct TestVector { 58 // Input: 59 const char* key; 60 const char* iv; 61 const char* ct; 62 const char* aad; 63 const char* tag; 64 65 // Expected output: 66 const char* pt; // An empty string "" means decryption succeeded and 67 // the plaintext is zero-length. NULL means decryption 68 // failed. 69 }; 70 71 const TestGroupInfo test_group_info[] = { 72 { 128, 96, 0, 0, 128 }, 73 { 128, 96, 0, 128, 128 }, 74 { 128, 96, 128, 0, 128 }, 75 { 128, 96, 408, 160, 128 }, 76 { 128, 96, 408, 720, 128 }, 77 { 128, 96, 104, 0, 128 }, 78 }; 79 80 const TestVector test_group_0[] = { 81 { "cf063a34d4a9a76c2c86787d3f96db71", 82 "113b9785971864c83b01c787", 83 "", 84 "", 85 "72ac8493e3a5228b5d130a69d2510e42", 86 "" 87 }, 88 { "a49a5e26a2f8cb63d05546c2a62f5343", 89 "907763b19b9b4ab6bd4f0281", 90 "", 91 "", 92 "a2be08210d8c470a8df6e8fbd79ec5cf", 93 NULL // FAIL 94 }, 95 { NULL } 96 }; 97 98 const TestVector test_group_1[] = { 99 { "d1f6af919cde85661208bdce0c27cb22", 100 "898c6929b435017bf031c3c5", 101 "", 102 "7c5faa40e636bbc91107e68010c92b9f", 103 "ae45f11777540a2caeb128be8092468a", 104 NULL // FAIL 105 }, 106 { "2370e320d4344208e0ff5683f243b213", 107 "04dbb82f044d30831c441228", 108 "", 109 "d43a8e5089eea0d026c03a85178b27da", 110 "2a049c049d25aa95969b451d93c31c6e", 111 "" 112 }, 113 { NULL } 114 }; 115 116 const TestVector test_group_2[] = { 117 { "e98b72a9881a84ca6b76e0f43e68647a", 118 "8b23299fde174053f3d652ba", 119 "5a3c1cf1985dbb8bed818036fdd5ab42", 120 "", 121 "23c7ab0f952b7091cd324835043b5eb5", 122 "28286a321293253c3e0aa2704a278032" 123 }, 124 { "33240636cd3236165f1a553b773e728e", 125 "17c4d61493ecdc8f31700b12", 126 "47bb7e23f7bdfe05a8091ac90e4f8b2e", 127 "", 128 "b723c70e931d9785f40fd4ab1d612dc9", 129 "95695a5b12f2870b9cc5fdc8f218a97d" 130 }, 131 { "5164df856f1e9cac04a79b808dc5be39", 132 "e76925d5355e0584ce871b2b", 133 "0216c899c88d6e32c958c7e553daa5bc", 134 "", 135 "a145319896329c96df291f64efbe0e3a", 136 NULL // FAIL 137 }, 138 { NULL } 139 }; 140 141 const TestVector test_group_3[] = { 142 { "af57f42c60c0fc5a09adb81ab86ca1c3", 143 "a2dc01871f37025dc0fc9a79", 144 "b9a535864f48ea7b6b1367914978f9bfa087d854bb0e269bed8d279d2eea1210e48947" 145 "338b22f9bad09093276a331e9c79c7f4", 146 "41dc38988945fcb44faf2ef72d0061289ef8efd8", 147 "4f71e72bde0018f555c5adcce062e005", 148 "3803a0727eeb0ade441e0ec107161ded2d425ec0d102f21f51bf2cf9947c7ec4aa7279" 149 "5b2f69b041596e8817d0a3c16f8fadeb" 150 }, 151 { "ebc753e5422b377d3cb64b58ffa41b61", 152 "2e1821efaced9acf1f241c9b", 153 "069567190554e9ab2b50a4e1fbf9c147340a5025fdbd201929834eaf6532325899ccb9" 154 "f401823e04b05817243d2142a3589878", 155 "b9673412fd4f88ba0e920f46dd6438ff791d8eef", 156 "534d9234d2351cf30e565de47baece0b", 157 "39077edb35e9c5a4b1e4c2a6b9bb1fce77f00f5023af40333d6d699014c2bcf4209c18" 158 "353a18017f5b36bfc00b1f6dcb7ed485" 159 }, 160 { "52bdbbf9cf477f187ec010589cb39d58", 161 "d3be36d3393134951d324b31", 162 "700188da144fa692cf46e4a8499510a53d90903c967f7f13e8a1bd8151a74adc4fe63e" 163 "32b992760b3a5f99e9a47838867000a9", 164 "93c4fc6a4135f54d640b0c976bf755a06a292c33", 165 "8ca4e38aa3dfa6b1d0297021ccf3ea5f", 166 NULL // FAIL 167 }, 168 { NULL } 169 }; 170 171 const TestVector test_group_4[] = { 172 { "da2bb7d581493d692380c77105590201", 173 "44aa3e7856ca279d2eb020c6", 174 "9290d430c9e89c37f0446dbd620c9a6b34b1274aeb6f911f75867efcf95b6feda69f1a" 175 "f4ee16c761b3c9aeac3da03aa9889c88", 176 "4cd171b23bddb3a53cdf959d5c1710b481eb3785a90eb20a2345ee00d0bb7868c367ab" 177 "12e6f4dd1dee72af4eee1d197777d1d6499cc541f34edbf45cda6ef90b3c024f9272d7" 178 "2ec1909fb8fba7db88a4d6f7d3d925980f9f9f72", 179 "9e3ac938d3eb0cadd6f5c9e35d22ba38", 180 "9bbf4c1a2742f6ac80cb4e8a052e4a8f4f07c43602361355b717381edf9fabd4cb7e3a" 181 "d65dbd1378b196ac270588dd0621f642" 182 }, 183 { "d74e4958717a9d5c0e235b76a926cae8", 184 "0b7471141e0c70b1995fd7b1", 185 "e701c57d2330bf066f9ff8cf3ca4343cafe4894651cd199bdaaa681ba486b4a65c5a22" 186 "b0f1420be29ea547d42c713bc6af66aa", 187 "4a42b7aae8c245c6f1598a395316e4b8484dbd6e64648d5e302021b1d3fa0a38f46e22" 188 "bd9c8080b863dc0016482538a8562a4bd0ba84edbe2697c76fd039527ac179ec5506cf" 189 "34a6039312774cedebf4961f3978b14a26509f96", 190 "e192c23cb036f0b31592989119eed55d", 191 "840d9fb95e32559fb3602e48590280a172ca36d9b49ab69510f5bd552bfab7a306f85f" 192 "f0a34bc305b88b804c60b90add594a17" 193 }, 194 { "1986310c725ac94ecfe6422e75fc3ee7", 195 "93ec4214fa8e6dc4e3afc775", 196 "b178ec72f85a311ac4168f42a4b2c23113fbea4b85f4b9dabb74e143eb1b8b0a361e02" 197 "43edfd365b90d5b325950df0ada058f9", 198 "e80b88e62c49c958b5e0b8b54f532d9ff6aa84c8a40132e93e55b59fc24e8decf28463" 199 "139f155d1e8ce4ee76aaeefcd245baa0fc519f83a5fb9ad9aa40c4b21126013f576c42" 200 "72c2cb136c8fd091cc4539877a5d1e72d607f960", 201 "8b347853f11d75e81e8a95010be81f17", 202 NULL // FAIL 203 }, 204 { NULL } 205 }; 206 207 const TestVector test_group_5[] = { 208 { "387218b246c1a8257748b56980e50c94", 209 "dd7e014198672be39f95b69d", 210 "cdba9e73eaf3d38eceb2b04a8d", 211 "", 212 "ecf90f4a47c9c626d6fb2c765d201556", 213 "48f5b426baca03064554cc2b30" 214 }, 215 { "294de463721e359863887c820524b3d4", 216 "3338b35c9d57a5d28190e8c9", 217 "2f46634e74b8e4c89812ac83b9", 218 "", 219 "dabd506764e68b82a7e720aa18da0abe", 220 "46a2e55c8e264df211bd112685" 221 }, 222 { "28ead7fd2179e0d12aa6d5d88c58c2dc", 223 "5055347f18b4d5add0ae5c41", 224 "142d8210c3fb84774cdbd0447a", 225 "", 226 "5fd321d9cdb01952dc85f034736c2a7d", 227 "3b95b981086ee73cc4d0cc1422" 228 }, 229 { "7d7b6c988137b8d470c57bf674a09c87", 230 "9edf2aa970d016ac962e1fd8", 231 "a85b66c3cb5eab91d5bdc8bc0e", 232 "", 233 "dc054efc01f3afd21d9c2484819f569a", 234 NULL // FAIL 235 }, 236 { NULL } 237 }; 238 239 const TestVector* const test_group_array[] = { 240 test_group_0, 241 test_group_1, 242 test_group_2, 243 test_group_3, 244 test_group_4, 245 test_group_5, 246 }; 247 248 // Returns true if |ch| is a lowercase hexadecimal digit. 249 bool IsHexDigit(char ch) { 250 return ('0' <= ch && ch <= '9') || ('a' <= ch && ch <= 'f'); 251 } 252 253 // Converts a lowercase hexadecimal digit to its integer value. 254 int HexDigitToInt(char ch) { 255 if ('0' <= ch && ch <= '9') { 256 return ch - '0'; 257 } 258 return ch - 'a' + 10; 259 } 260 261 // |in| is a string consisting of lowercase hexadecimal digits, where 262 // every two digits represent one byte. |out| is a buffer of size |max_len|. 263 // Converts |in| to bytes and stores the bytes in the |out| buffer. The 264 // number of bytes converted is returned in |*out_len|. Returns true on 265 // success, false on failure. 266 bool DecodeHexString(const char* in, 267 char* out, 268 size_t* out_len, 269 size_t max_len) { 270 if (!in) { 271 *out_len = (size_t)-1; 272 return true; 273 } 274 *out_len = 0; 275 while (*in != '\0') { 276 if (!IsHexDigit(*in) || !IsHexDigit(*(in + 1))) { 277 return false; 278 } 279 if (*out_len >= max_len) { 280 return false; 281 } 282 out[*out_len] = HexDigitToInt(*in) * 16 + HexDigitToInt(*(in + 1)); 283 (*out_len)++; 284 in += 2; 285 } 286 return true; 287 } 288 289 } // namespace 290 291 namespace net { 292 namespace test { 293 294 // DecryptWithNonce wraps the |Decrypt| method of |decrypter| to allow passing 295 // in an nonce and also to allocate the buffer needed for the plaintext. 296 QuicData* DecryptWithNonce(Aes128Gcm12Decrypter* decrypter, 297 StringPiece nonce, 298 StringPiece associated_data, 299 StringPiece ciphertext) { 300 size_t plaintext_size = ciphertext.length(); 301 scoped_ptr<char[]> plaintext(new char[plaintext_size]); 302 303 if (!decrypter->Decrypt(nonce, associated_data, ciphertext, 304 reinterpret_cast<unsigned char*>(plaintext.get()), 305 &plaintext_size)) { 306 return NULL; 307 } 308 return new QuicData(plaintext.release(), plaintext_size, true); 309 } 310 311 TEST(Aes128Gcm12DecrypterTest, Decrypt) { 312 if (!Aes128Gcm12Decrypter::IsSupported()) { 313 LOG(INFO) << "AES GCM not supported. Test skipped."; 314 return; 315 } 316 317 char key[1024]; 318 size_t key_len; 319 char iv[1024]; 320 size_t iv_len; 321 char ct[1024]; 322 size_t ct_len; 323 char aad[1024]; 324 size_t aad_len; 325 char tag[1024]; 326 size_t tag_len; 327 char pt[1024]; 328 size_t pt_len; 329 330 for (size_t i = 0; i < arraysize(test_group_array); i++) { 331 SCOPED_TRACE(i); 332 const TestVector* test_vector = test_group_array[i]; 333 const TestGroupInfo& test_info = test_group_info[i]; 334 for (size_t j = 0; test_vector[j].key != NULL; j++) { 335 // Decode the test vector. 336 ASSERT_TRUE( 337 DecodeHexString(test_vector[j].key, key, &key_len, sizeof(key))); 338 ASSERT_TRUE(DecodeHexString(test_vector[j].iv, iv, &iv_len, sizeof(iv))); 339 ASSERT_TRUE(DecodeHexString(test_vector[j].ct, ct, &ct_len, sizeof(ct))); 340 ASSERT_TRUE( 341 DecodeHexString(test_vector[j].aad, aad, &aad_len, sizeof(aad))); 342 ASSERT_TRUE( 343 DecodeHexString(test_vector[j].tag, tag, &tag_len, sizeof(tag))); 344 ASSERT_TRUE(DecodeHexString(test_vector[j].pt, pt, &pt_len, sizeof(pt))); 345 346 // The test vector's lengths should look sane. Note that the lengths 347 // in |test_info| are in bits. 348 EXPECT_EQ(test_info.key_len, key_len * 8); 349 EXPECT_EQ(test_info.iv_len, iv_len * 8); 350 EXPECT_EQ(test_info.pt_len, ct_len * 8); 351 EXPECT_EQ(test_info.aad_len, aad_len * 8); 352 EXPECT_EQ(test_info.tag_len, tag_len * 8); 353 if (pt_len != static_cast<size_t>(-1)) { 354 EXPECT_EQ(test_info.pt_len, pt_len * 8); 355 } 356 357 // The test vectors have 16 byte authenticators but this code only uses 358 // the first 12. 359 ASSERT_LE(static_cast<size_t>(Aes128Gcm12Decrypter::kAuthTagSize), 360 tag_len); 361 tag_len = Aes128Gcm12Decrypter::kAuthTagSize; 362 363 Aes128Gcm12Decrypter decrypter; 364 ASSERT_TRUE(decrypter.SetKey(StringPiece(key, key_len))); 365 string ciphertext(ct, ct_len); 366 ciphertext.append(tag, tag_len); 367 scoped_ptr<QuicData> decrypted(DecryptWithNonce( 368 &decrypter, StringPiece(iv, iv_len), 369 // OpenSSL fails if NULL is set as the AAD, as opposed to a 370 // zero-length, non-NULL pointer. 371 StringPiece(aad_len ? aad : NULL, aad_len), ciphertext)); 372 if (!decrypted.get()) { 373 EXPECT_EQ((size_t)-1, pt_len); 374 continue; 375 } 376 ASSERT_NE((size_t)-1, pt_len); 377 378 ASSERT_EQ(pt_len, decrypted->length()); 379 test::CompareCharArraysWithHexError("plaintext", decrypted->data(), 380 pt_len, pt, pt_len); 381 } 382 } 383 } 384 385 } // namespace test 386 } // namespace net 387