1// Copyright (c) 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "net/quic/crypto/aes_128_gcm_12_decrypter.h"
6
7#include "net/quic/test_tools/quic_test_utils.h"
8
9using base::StringPiece;
10
11namespace {
12
13// The AES GCM test vectors come from the file gcmDecrypt128.rsp
14// downloaded from http://csrc.nist.gov/groups/STM/cavp/index.html on
15// 2013-02-01. The test vectors in that file look like this:
16//
17// [Keylen = 128]
18// [IVlen = 96]
19// [PTlen = 0]
20// [AADlen = 0]
21// [Taglen = 128]
22//
23// Count = 0
24// Key = cf063a34d4a9a76c2c86787d3f96db71
25// IV = 113b9785971864c83b01c787
26// CT =
27// AAD =
28// Tag = 72ac8493e3a5228b5d130a69d2510e42
29// PT =
30//
31// Count = 1
32// Key = a49a5e26a2f8cb63d05546c2a62f5343
33// IV = 907763b19b9b4ab6bd4f0281
34// CT =
35// AAD =
36// Tag = a2be08210d8c470a8df6e8fbd79ec5cf
37// FAIL
38//
39// ...
40//
41// The gcmDecrypt128.rsp file is huge (2.6 MB), so I selected just a
42// few test vectors for this unit test.
43
44// Describes a group of test vectors that all have a given key length, IV
45// length, plaintext length, AAD length, and tag length.
46struct TestGroupInfo {
47  size_t key_len;
48  size_t iv_len;
49  size_t pt_len;
50  size_t aad_len;
51  size_t tag_len;
52};
53
54// Each test vector consists of six strings of lowercase hexadecimal digits.
55// The strings may be empty (zero length). A test vector with a NULL |key|
56// marks the end of an array of test vectors.
57struct TestVector {
58  // Input:
59  const char* key;
60  const char* iv;
61  const char* ct;
62  const char* aad;
63  const char* tag;
64
65  // Expected output:
66  const char* pt;  // An empty string "" means decryption succeeded and
67                   // the plaintext is zero-length. NULL means decryption
68                   // failed.
69};
70
71const TestGroupInfo test_group_info[] = {
72  { 128, 96, 0, 0, 128 },
73  { 128, 96, 0, 128, 128 },
74  { 128, 96, 128, 0, 128 },
75  { 128, 96, 408, 160, 128 },
76  { 128, 96, 408, 720, 128 },
77  { 128, 96, 104, 0, 128 },
78};
79
80const TestVector test_group_0[] = {
81  { "cf063a34d4a9a76c2c86787d3f96db71",
82    "113b9785971864c83b01c787",
83    "",
84    "",
85    "72ac8493e3a5228b5d130a69d2510e42",
86    ""
87  },
88  { "a49a5e26a2f8cb63d05546c2a62f5343",
89    "907763b19b9b4ab6bd4f0281",
90    "",
91    "",
92    "a2be08210d8c470a8df6e8fbd79ec5cf",
93    NULL  // FAIL
94  },
95  { NULL }
96};
97
98const TestVector test_group_1[] = {
99  { "d1f6af919cde85661208bdce0c27cb22",
100    "898c6929b435017bf031c3c5",
101    "",
102    "7c5faa40e636bbc91107e68010c92b9f",
103    "ae45f11777540a2caeb128be8092468a",
104    NULL  // FAIL
105  },
106  { "2370e320d4344208e0ff5683f243b213",
107    "04dbb82f044d30831c441228",
108    "",
109    "d43a8e5089eea0d026c03a85178b27da",
110    "2a049c049d25aa95969b451d93c31c6e",
111    ""
112  },
113  { NULL }
114};
115
116const TestVector test_group_2[] = {
117  { "e98b72a9881a84ca6b76e0f43e68647a",
118    "8b23299fde174053f3d652ba",
119    "5a3c1cf1985dbb8bed818036fdd5ab42",
120    "",
121    "23c7ab0f952b7091cd324835043b5eb5",
122    "28286a321293253c3e0aa2704a278032"
123  },
124  { "33240636cd3236165f1a553b773e728e",
125    "17c4d61493ecdc8f31700b12",
126    "47bb7e23f7bdfe05a8091ac90e4f8b2e",
127    "",
128    "b723c70e931d9785f40fd4ab1d612dc9",
129    "95695a5b12f2870b9cc5fdc8f218a97d"
130  },
131  { "5164df856f1e9cac04a79b808dc5be39",
132    "e76925d5355e0584ce871b2b",
133    "0216c899c88d6e32c958c7e553daa5bc",
134    "",
135    "a145319896329c96df291f64efbe0e3a",
136    NULL  // FAIL
137  },
138  { NULL }
139};
140
141const TestVector test_group_3[] = {
142  { "af57f42c60c0fc5a09adb81ab86ca1c3",
143    "a2dc01871f37025dc0fc9a79",
144    "b9a535864f48ea7b6b1367914978f9bfa087d854bb0e269bed8d279d2eea1210e48947"
145    "338b22f9bad09093276a331e9c79c7f4",
146    "41dc38988945fcb44faf2ef72d0061289ef8efd8",
147    "4f71e72bde0018f555c5adcce062e005",
148    "3803a0727eeb0ade441e0ec107161ded2d425ec0d102f21f51bf2cf9947c7ec4aa7279"
149    "5b2f69b041596e8817d0a3c16f8fadeb"
150  },
151  { "ebc753e5422b377d3cb64b58ffa41b61",
152    "2e1821efaced9acf1f241c9b",
153    "069567190554e9ab2b50a4e1fbf9c147340a5025fdbd201929834eaf6532325899ccb9"
154    "f401823e04b05817243d2142a3589878",
155    "b9673412fd4f88ba0e920f46dd6438ff791d8eef",
156    "534d9234d2351cf30e565de47baece0b",
157    "39077edb35e9c5a4b1e4c2a6b9bb1fce77f00f5023af40333d6d699014c2bcf4209c18"
158    "353a18017f5b36bfc00b1f6dcb7ed485"
159  },
160  { "52bdbbf9cf477f187ec010589cb39d58",
161    "d3be36d3393134951d324b31",
162    "700188da144fa692cf46e4a8499510a53d90903c967f7f13e8a1bd8151a74adc4fe63e"
163    "32b992760b3a5f99e9a47838867000a9",
164    "93c4fc6a4135f54d640b0c976bf755a06a292c33",
165    "8ca4e38aa3dfa6b1d0297021ccf3ea5f",
166    NULL  // FAIL
167  },
168  { NULL }
169};
170
171const TestVector test_group_4[] = {
172  { "da2bb7d581493d692380c77105590201",
173    "44aa3e7856ca279d2eb020c6",
174    "9290d430c9e89c37f0446dbd620c9a6b34b1274aeb6f911f75867efcf95b6feda69f1a"
175    "f4ee16c761b3c9aeac3da03aa9889c88",
176    "4cd171b23bddb3a53cdf959d5c1710b481eb3785a90eb20a2345ee00d0bb7868c367ab"
177    "12e6f4dd1dee72af4eee1d197777d1d6499cc541f34edbf45cda6ef90b3c024f9272d7"
178    "2ec1909fb8fba7db88a4d6f7d3d925980f9f9f72",
179    "9e3ac938d3eb0cadd6f5c9e35d22ba38",
180    "9bbf4c1a2742f6ac80cb4e8a052e4a8f4f07c43602361355b717381edf9fabd4cb7e3a"
181    "d65dbd1378b196ac270588dd0621f642"
182  },
183  { "d74e4958717a9d5c0e235b76a926cae8",
184    "0b7471141e0c70b1995fd7b1",
185    "e701c57d2330bf066f9ff8cf3ca4343cafe4894651cd199bdaaa681ba486b4a65c5a22"
186    "b0f1420be29ea547d42c713bc6af66aa",
187    "4a42b7aae8c245c6f1598a395316e4b8484dbd6e64648d5e302021b1d3fa0a38f46e22"
188    "bd9c8080b863dc0016482538a8562a4bd0ba84edbe2697c76fd039527ac179ec5506cf"
189    "34a6039312774cedebf4961f3978b14a26509f96",
190    "e192c23cb036f0b31592989119eed55d",
191    "840d9fb95e32559fb3602e48590280a172ca36d9b49ab69510f5bd552bfab7a306f85f"
192    "f0a34bc305b88b804c60b90add594a17"
193  },
194  { "1986310c725ac94ecfe6422e75fc3ee7",
195    "93ec4214fa8e6dc4e3afc775",
196    "b178ec72f85a311ac4168f42a4b2c23113fbea4b85f4b9dabb74e143eb1b8b0a361e02"
197    "43edfd365b90d5b325950df0ada058f9",
198    "e80b88e62c49c958b5e0b8b54f532d9ff6aa84c8a40132e93e55b59fc24e8decf28463"
199    "139f155d1e8ce4ee76aaeefcd245baa0fc519f83a5fb9ad9aa40c4b21126013f576c42"
200    "72c2cb136c8fd091cc4539877a5d1e72d607f960",
201    "8b347853f11d75e81e8a95010be81f17",
202    NULL  // FAIL
203  },
204  { NULL }
205};
206
207const TestVector test_group_5[] = {
208  { "387218b246c1a8257748b56980e50c94",
209    "dd7e014198672be39f95b69d",
210    "cdba9e73eaf3d38eceb2b04a8d",
211    "",
212    "ecf90f4a47c9c626d6fb2c765d201556",
213    "48f5b426baca03064554cc2b30"
214  },
215  { "294de463721e359863887c820524b3d4",
216    "3338b35c9d57a5d28190e8c9",
217    "2f46634e74b8e4c89812ac83b9",
218    "",
219    "dabd506764e68b82a7e720aa18da0abe",
220    "46a2e55c8e264df211bd112685"
221  },
222  { "28ead7fd2179e0d12aa6d5d88c58c2dc",
223    "5055347f18b4d5add0ae5c41",
224    "142d8210c3fb84774cdbd0447a",
225    "",
226    "5fd321d9cdb01952dc85f034736c2a7d",
227    "3b95b981086ee73cc4d0cc1422"
228  },
229  { "7d7b6c988137b8d470c57bf674a09c87",
230    "9edf2aa970d016ac962e1fd8",
231    "a85b66c3cb5eab91d5bdc8bc0e",
232    "",
233    "dc054efc01f3afd21d9c2484819f569a",
234    NULL  // FAIL
235  },
236  { NULL }
237};
238
239const TestVector* const test_group_array[] = {
240  test_group_0,
241  test_group_1,
242  test_group_2,
243  test_group_3,
244  test_group_4,
245  test_group_5,
246};
247
248}  // namespace
249
250namespace net {
251namespace test {
252
253// DecryptWithNonce wraps the |Decrypt| method of |decrypter| to allow passing
254// in an nonce and also to allocate the buffer needed for the plaintext.
255QuicData* DecryptWithNonce(Aes128Gcm12Decrypter* decrypter,
256                           StringPiece nonce,
257                           StringPiece associated_data,
258                           StringPiece ciphertext) {
259  size_t plaintext_size = ciphertext.length();
260  scoped_ptr<char[]> plaintext(new char[plaintext_size]);
261
262  if (!decrypter->Decrypt(nonce, associated_data, ciphertext,
263                          reinterpret_cast<unsigned char*>(plaintext.get()),
264                          &plaintext_size)) {
265    return NULL;
266  }
267  return new QuicData(plaintext.release(), plaintext_size, true);
268}
269
270TEST(Aes128Gcm12DecrypterTest, Decrypt) {
271  for (size_t i = 0; i < arraysize(test_group_array); i++) {
272    SCOPED_TRACE(i);
273    const TestVector* test_vectors = test_group_array[i];
274    const TestGroupInfo& test_info = test_group_info[i];
275    for (size_t j = 0; test_vectors[j].key != NULL; j++) {
276      // If not present then decryption is expected to fail.
277      bool has_pt = test_vectors[j].pt;
278
279      // Decode the test vector.
280      string key;
281      string iv;
282      string ct;
283      string aad;
284      string tag;
285      string pt;
286      ASSERT_TRUE(DecodeHexString(test_vectors[j].key, &key));
287      ASSERT_TRUE(DecodeHexString(test_vectors[j].iv, &iv));
288      ASSERT_TRUE(DecodeHexString(test_vectors[j].ct, &ct));
289      ASSERT_TRUE(DecodeHexString(test_vectors[j].aad, &aad));
290      ASSERT_TRUE(DecodeHexString(test_vectors[j].tag, &tag));
291      if (has_pt) {
292        ASSERT_TRUE(DecodeHexString(test_vectors[j].pt, &pt));
293      }
294
295      // The test vector's lengths should look sane. Note that the lengths
296      // in |test_info| are in bits.
297      EXPECT_EQ(test_info.key_len, key.length() * 8);
298      EXPECT_EQ(test_info.iv_len, iv.length() * 8);
299      EXPECT_EQ(test_info.pt_len, ct.length() * 8);
300      EXPECT_EQ(test_info.aad_len, aad.length() * 8);
301      EXPECT_EQ(test_info.tag_len, tag.length() * 8);
302      if (has_pt) {
303        EXPECT_EQ(test_info.pt_len, pt.length() * 8);
304      }
305
306      // The test vectors have 16 byte authenticators but this code only uses
307      // the first 12.
308      ASSERT_LE(static_cast<size_t>(Aes128Gcm12Decrypter::kAuthTagSize),
309                tag.length());
310      tag.resize(Aes128Gcm12Decrypter::kAuthTagSize);
311      string ciphertext = ct + tag;
312
313      Aes128Gcm12Decrypter decrypter;
314      ASSERT_TRUE(decrypter.SetKey(key));
315
316      scoped_ptr<QuicData> decrypted(DecryptWithNonce(
317          &decrypter, iv,
318          // This deliberately tests that the decrypter can handle an AAD that
319          // is set to NULL, as opposed to a zero-length, non-NULL pointer.
320          aad.length() ? aad : StringPiece(), ciphertext));
321      if (!decrypted.get()) {
322        EXPECT_FALSE(has_pt);
323        continue;
324      }
325      EXPECT_TRUE(has_pt);
326
327      ASSERT_EQ(pt.length(), decrypted->length());
328      test::CompareCharArraysWithHexError("plaintext", decrypted->data(),
329                                          pt.length(), pt.data(), pt.length());
330    }
331  }
332}
333
334}  // namespace test
335}  // namespace net
336