1// Copyright (c) 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/quic/crypto/aes_128_gcm_12_encrypter.h" 6 7#include "net/quic/test_tools/quic_test_utils.h" 8 9using base::StringPiece; 10 11namespace { 12 13// The AES GCM test vectors come from the file gcmEncryptExtIV128.rsp 14// downloaded from http://csrc.nist.gov/groups/STM/cavp/index.html on 15// 2013-02-01. The test vectors in that file look like this: 16// 17// [Keylen = 128] 18// [IVlen = 96] 19// [PTlen = 0] 20// [AADlen = 0] 21// [Taglen = 128] 22// 23// Count = 0 24// Key = 11754cd72aec309bf52f7687212e8957 25// IV = 3c819d9a9bed087615030b65 26// PT = 27// AAD = 28// CT = 29// Tag = 250327c674aaf477aef2675748cf6971 30// 31// Count = 1 32// Key = ca47248ac0b6f8372a97ac43508308ed 33// IV = ffd2b598feabc9019262d2be 34// PT = 35// AAD = 36// CT = 37// Tag = 60d20404af527d248d893ae495707d1a 38// 39// ... 40// 41// The gcmEncryptExtIV128.rsp file is huge (2.8 MB), so I selected just a 42// few test vectors for this unit test. 43 44// Describes a group of test vectors that all have a given key length, IV 45// length, plaintext length, AAD length, and tag length. 46struct TestGroupInfo { 47 size_t key_len; 48 size_t iv_len; 49 size_t pt_len; 50 size_t aad_len; 51 size_t tag_len; 52}; 53 54// Each test vector consists of six strings of lowercase hexadecimal digits. 55// The strings may be empty (zero length). A test vector with a NULL |key| 56// marks the end of an array of test vectors. 57struct TestVector { 58 const char* key; 59 const char* iv; 60 const char* pt; 61 const char* aad; 62 const char* ct; 63 const char* tag; 64}; 65 66const TestGroupInfo test_group_info[] = { 67 { 128, 96, 0, 0, 128 }, 68 { 128, 96, 0, 128, 128 }, 69 { 128, 96, 128, 0, 128 }, 70 { 128, 96, 408, 160, 128 }, 71 { 128, 96, 408, 720, 128 }, 72 { 128, 96, 104, 0, 128 }, 73}; 74 75const TestVector test_group_0[] = { 76 { "11754cd72aec309bf52f7687212e8957", 77 "3c819d9a9bed087615030b65", 78 "", 79 "", 80 "", 81 "250327c674aaf477aef2675748cf6971" 82 }, 83 { "ca47248ac0b6f8372a97ac43508308ed", 84 "ffd2b598feabc9019262d2be", 85 "", 86 "", 87 "", 88 "60d20404af527d248d893ae495707d1a" 89 }, 90 { NULL } 91}; 92 93const TestVector test_group_1[] = { 94 { "77be63708971c4e240d1cb79e8d77feb", 95 "e0e00f19fed7ba0136a797f3", 96 "", 97 "7a43ec1d9c0a5a78a0b16533a6213cab", 98 "", 99 "209fcc8d3675ed938e9c7166709dd946" 100 }, 101 { "7680c5d3ca6154758e510f4d25b98820", 102 "f8f105f9c3df4965780321f8", 103 "", 104 "c94c410194c765e3dcc7964379758ed3", 105 "", 106 "94dca8edfcf90bb74b153c8d48a17930" 107 }, 108 { NULL } 109}; 110 111const TestVector test_group_2[] = { 112 { "7fddb57453c241d03efbed3ac44e371c", 113 "ee283a3fc75575e33efd4887", 114 "d5de42b461646c255c87bd2962d3b9a2", 115 "", 116 "2ccda4a5415cb91e135c2a0f78c9b2fd", 117 "b36d1df9b9d5e596f83e8b7f52971cb3" 118 }, 119 { "ab72c77b97cb5fe9a382d9fe81ffdbed", 120 "54cc7dc2c37ec006bcc6d1da", 121 "007c5e5b3e59df24a7c355584fc1518d", 122 "", 123 "0e1bde206a07a9c2c1b65300f8c64997", 124 "2b4401346697138c7a4891ee59867d0c" 125 }, 126 { NULL } 127}; 128 129const TestVector test_group_3[] = { 130 { "fe47fcce5fc32665d2ae399e4eec72ba", 131 "5adb9609dbaeb58cbd6e7275", 132 "7c0e88c88899a779228465074797cd4c2e1498d259b54390b85e3eef1c02df60e743f1" 133 "b840382c4bccaf3bafb4ca8429bea063", 134 "88319d6e1d3ffa5f987199166c8a9b56c2aeba5a", 135 "98f4826f05a265e6dd2be82db241c0fbbbf9ffb1c173aa83964b7cf539304373636525" 136 "3ddbc5db8778371495da76d269e5db3e", 137 "291ef1982e4defedaa2249f898556b47" 138 }, 139 { "ec0c2ba17aa95cd6afffe949da9cc3a8", 140 "296bce5b50b7d66096d627ef", 141 "b85b3753535b825cbe5f632c0b843c741351f18aa484281aebec2f45bb9eea2d79d987" 142 "b764b9611f6c0f8641843d5d58f3a242", 143 "f8d00f05d22bf68599bcdeb131292ad6e2df5d14", 144 "a7443d31c26bdf2a1c945e29ee4bd344a99cfaf3aa71f8b3f191f83c2adfc7a0716299" 145 "5506fde6309ffc19e716eddf1a828c5a", 146 "890147971946b627c40016da1ecf3e77" 147 }, 148 { NULL } 149}; 150 151const TestVector test_group_4[] = { 152 { "2c1f21cf0f6fb3661943155c3e3d8492", 153 "23cb5ff362e22426984d1907", 154 "42f758836986954db44bf37c6ef5e4ac0adaf38f27252a1b82d02ea949c8a1a2dbc0d6" 155 "8b5615ba7c1220ff6510e259f06655d8", 156 "5d3624879d35e46849953e45a32a624d6a6c536ed9857c613b572b0333e701557a713e" 157 "3f010ecdf9a6bd6c9e3e44b065208645aff4aabee611b391528514170084ccf587177f" 158 "4488f33cfb5e979e42b6e1cfc0a60238982a7aec", 159 "81824f0e0d523db30d3da369fdc0d60894c7a0a20646dd015073ad2732bd989b14a222" 160 "b6ad57af43e1895df9dca2a5344a62cc", 161 "57a3ee28136e94c74838997ae9823f3a" 162 }, 163 { "d9f7d2411091f947b4d6f1e2d1f0fb2e", 164 "e1934f5db57cc983e6b180e7", 165 "73ed042327f70fe9c572a61545eda8b2a0c6e1d6c291ef19248e973aee6c312012f490" 166 "c2c6f6166f4a59431e182663fcaea05a", 167 "0a8a18a7150e940c3d87b38e73baee9a5c049ee21795663e264b694a949822b639092d" 168 "0e67015e86363583fcf0ca645af9f43375f05fdb4ce84f411dcbca73c2220dea03a201" 169 "15d2e51398344b16bee1ed7c499b353d6c597af8", 170 "aaadbd5c92e9151ce3db7210b8714126b73e43436d242677afa50384f2149b831f1d57" 171 "3c7891c2a91fbc48db29967ec9542b23", 172 "21b51ca862cb637cdd03b99a0f93b134" 173 }, 174 { NULL } 175}; 176 177const TestVector test_group_5[] = { 178 { "fe9bb47deb3a61e423c2231841cfd1fb", 179 "4d328eb776f500a2f7fb47aa", 180 "f1cc3818e421876bb6b8bbd6c9", 181 "", 182 "b88c5c1977b35b517b0aeae967", 183 "43fd4727fe5cdb4b5b42818dea7ef8c9" 184 }, 185 { "6703df3701a7f54911ca72e24dca046a", 186 "12823ab601c350ea4bc2488c", 187 "793cd125b0b84a043e3ac67717", 188 "", 189 "b2051c80014f42f08735a7b0cd", 190 "38e6bcd29962e5f2c13626b85a877101" 191 }, 192 { NULL } 193}; 194 195const TestVector* const test_group_array[] = { 196 test_group_0, 197 test_group_1, 198 test_group_2, 199 test_group_3, 200 test_group_4, 201 test_group_5, 202}; 203 204} // namespace 205 206namespace net { 207namespace test { 208 209// EncryptWithNonce wraps the |Encrypt| method of |encrypter| to allow passing 210// in an nonce and also to allocate the buffer needed for the ciphertext. 211QuicData* EncryptWithNonce(Aes128Gcm12Encrypter* encrypter, 212 StringPiece nonce, 213 StringPiece associated_data, 214 StringPiece plaintext) { 215 size_t ciphertext_size = encrypter->GetCiphertextSize(plaintext.length()); 216 scoped_ptr<char[]> ciphertext(new char[ciphertext_size]); 217 218 if (!encrypter->Encrypt(nonce, associated_data, plaintext, 219 reinterpret_cast<unsigned char*>(ciphertext.get()))) { 220 return NULL; 221 } 222 223 return new QuicData(ciphertext.release(), ciphertext_size, true); 224} 225 226TEST(Aes128Gcm12EncrypterTest, Encrypt) { 227 for (size_t i = 0; i < arraysize(test_group_array); i++) { 228 SCOPED_TRACE(i); 229 const TestVector* test_vectors = test_group_array[i]; 230 const TestGroupInfo& test_info = test_group_info[i]; 231 for (size_t j = 0; test_vectors[j].key != NULL; j++) { 232 // Decode the test vector. 233 string key; 234 string iv; 235 string pt; 236 string aad; 237 string ct; 238 string tag; 239 ASSERT_TRUE(DecodeHexString(test_vectors[j].key, &key)); 240 ASSERT_TRUE(DecodeHexString(test_vectors[j].iv, &iv)); 241 ASSERT_TRUE(DecodeHexString(test_vectors[j].pt, &pt)); 242 ASSERT_TRUE(DecodeHexString(test_vectors[j].aad, &aad)); 243 ASSERT_TRUE(DecodeHexString(test_vectors[j].ct, &ct)); 244 ASSERT_TRUE(DecodeHexString(test_vectors[j].tag, &tag)); 245 246 // The test vector's lengths should look sane. Note that the lengths 247 // in |test_info| are in bits. 248 EXPECT_EQ(test_info.key_len, key.length() * 8); 249 EXPECT_EQ(test_info.iv_len, iv.length() * 8); 250 EXPECT_EQ(test_info.pt_len, pt.length() * 8); 251 EXPECT_EQ(test_info.aad_len, aad.length() * 8); 252 EXPECT_EQ(test_info.pt_len, ct.length() * 8); 253 EXPECT_EQ(test_info.tag_len, tag.length() * 8); 254 255 Aes128Gcm12Encrypter encrypter; 256 ASSERT_TRUE(encrypter.SetKey(key)); 257 scoped_ptr<QuicData> encrypted(EncryptWithNonce( 258 &encrypter, iv, 259 // This deliberately tests that the encrypter can handle an AAD that 260 // is set to NULL, as opposed to a zero-length, non-NULL pointer. 261 aad.length() ? aad : StringPiece(), pt)); 262 ASSERT_TRUE(encrypted.get()); 263 264 // The test vectors have 16 byte authenticators but this code only uses 265 // the first 12. 266 ASSERT_LE(static_cast<size_t>(Aes128Gcm12Encrypter::kAuthTagSize), 267 tag.length()); 268 tag.resize(Aes128Gcm12Encrypter::kAuthTagSize); 269 270 ASSERT_EQ(ct.length() + tag.length(), encrypted->length()); 271 test::CompareCharArraysWithHexError("ciphertext", encrypted->data(), 272 ct.length(), ct.data(), ct.length()); 273 test::CompareCharArraysWithHexError( 274 "authentication tag", encrypted->data() + ct.length(), tag.length(), 275 tag.data(), tag.length()); 276 } 277 } 278} 279 280TEST(Aes128Gcm12EncrypterTest, GetMaxPlaintextSize) { 281 Aes128Gcm12Encrypter encrypter; 282 EXPECT_EQ(1000u, encrypter.GetMaxPlaintextSize(1012)); 283 EXPECT_EQ(100u, encrypter.GetMaxPlaintextSize(112)); 284 EXPECT_EQ(10u, encrypter.GetMaxPlaintextSize(22)); 285} 286 287TEST(Aes128Gcm12EncrypterTest, GetCiphertextSize) { 288 Aes128Gcm12Encrypter encrypter; 289 EXPECT_EQ(1012u, encrypter.GetCiphertextSize(1000)); 290 EXPECT_EQ(112u, encrypter.GetCiphertextSize(100)); 291 EXPECT_EQ(22u, encrypter.GetCiphertextSize(10)); 292} 293 294} // namespace test 295} // namespace net 296