blob: 7c48c8cd87e99cca45323b539b47bd6071b54f1d [file] [log] [blame]
// Copyright (c) 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "quiche/quic/core/crypto/aes_256_gcm_decrypter.h"
#include <memory>
#include <string>
#include "absl/base/macros.h"
#include "absl/strings/escaping.h"
#include "absl/strings/string_view.h"
#include "quiche/quic/core/quic_utils.h"
#include "quiche/quic/platform/api/quic_test.h"
#include "quiche/quic/test_tools/quic_test_utils.h"
#include "quiche/common/test_tools/quiche_test_utils.h"
namespace {
// The AES GCM test vectors come from the file gcmDecrypt256.rsp
// downloaded from
// https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES#GCMVS
// on 2017-09-27. The test vectors in that file look like this:
//
// [Keylen = 256]
// [IVlen = 96]
// [PTlen = 0]
// [AADlen = 0]
// [Taglen = 128]
//
// Count = 0
// Key = f5a2b27c74355872eb3ef6c5feafaa740e6ae990d9d48c3bd9bb8235e589f010
// IV = 58d2240f580a31c1d24948e9
// CT =
// AAD =
// Tag = 15e051a5e4a5f5da6cea92e2ebee5bac
// PT =
//
// Count = 1
// Key = e5a8123f2e2e007d4e379ba114a2fb66e6613f57c72d4e4f024964053028a831
// IV = 51e43385bf533e168427e1ad
// CT =
// AAD =
// Tag = 38fe845c66e66bdd884c2aecafd280e6
// FAIL
//
// ...
//
// The gcmDecrypt256.rsp file is huge (3.0 MB), so a few test vectors were
// selected for this unit test.
// Describes a group of test vectors that all have a given key length, IV
// length, plaintext length, AAD length, and tag length.
struct TestGroupInfo {
size_t key_len;
size_t iv_len;
size_t pt_len;
size_t aad_len;
size_t tag_len;
};
// Each test vector consists of six strings of lowercase hexadecimal digits.
// The strings may be empty (zero length). A test vector with a nullptr |key|
// marks the end of an array of test vectors.
struct TestVector {
// Input:
const char* key;
const char* iv;
const char* ct;
const char* aad;
const char* tag;
// Expected output:
const char* pt; // An empty string "" means decryption succeeded and
// the plaintext is zero-length. nullptr means decryption
// failed.
};
const TestGroupInfo test_group_info[] = {
{256, 96, 0, 0, 128}, {256, 96, 0, 128, 128}, {256, 96, 128, 0, 128},
{256, 96, 408, 160, 128}, {256, 96, 408, 720, 128}, {256, 96, 104, 0, 128},
};
const TestVector test_group_0[] = {
{"f5a2b27c74355872eb3ef6c5feafaa740e6ae990d9d48c3bd9bb8235e589f010",
"58d2240f580a31c1d24948e9", "", "", "15e051a5e4a5f5da6cea92e2ebee5bac",
""},
{
"e5a8123f2e2e007d4e379ba114a2fb66e6613f57c72d4e4f024964053028a831",
"51e43385bf533e168427e1ad", "", "", "38fe845c66e66bdd884c2aecafd280e6",
nullptr // FAIL
},
{nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
const TestVector test_group_1[] = {
{"6dfdafd6703c285c01f14fd10a6012862b2af950d4733abb403b2e745b26945d",
"3749d0b3d5bacb71be06ade6", "", "c0d249871992e70302ae008193d1e89f",
"4aa4cc69f84ee6ac16d9bfb4e05de500", ""},
{
"2c392a5eb1a9c705371beda3a901c7c61dca4d93b4291de1dd0dd15ec11ffc45",
"0723fb84a08f4ea09841f32a", "", "140be561b6171eab942c486a94d33d43",
"aa0e1c9b57975bfc91aa137231977d2c", nullptr // FAIL
},
{nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
const TestVector test_group_2[] = {
{"4c8ebfe1444ec1b2d503c6986659af2c94fafe945f72c1e8486a5acfedb8a0f8",
"473360e0ad24889959858995", "d2c78110ac7e8f107c0df0570bd7c90c", "",
"c26a379b6d98ef2852ead8ce83a833a7", "7789b41cb3ee548814ca0b388c10b343"},
{"3934f363fd9f771352c4c7a060682ed03c2864223a1573b3af997e2ababd60ab",
"efe2656d878c586e41c539c4", "e0de64302ac2d04048d65a87d2ad09fe", "",
"33cbd8d2fb8a3a03e30c1eb1b53c1d99", "697aff2d6b77e5ed6232770e400c1ead"},
{
"c997768e2d14e3d38259667a6649079de77beb4543589771e5068e6cd7cd0b14",
"835090aed9552dbdd45277e2", "9f6607d68e22ccf21928db0986be126e", "",
"f32617f67c574fd9f44ef76ff880ab9f", nullptr // FAIL
},
{nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
const TestVector test_group_3[] = {
{
"e9d381a9c413bee66175d5586a189836e5c20f5583535ab4d3f3e612dc21700e",
"23e81571da1c7821c681c7ca",
"a25f3f580306cd5065d22a6b7e9660110af7204bb77d370f7f34bee547feeff7b32a59"
"6fce29c9040e68b1589aad48da881990",
"6f39c9ae7b8e8a58a95f0dd8ea6a9087cbccdfd6",
"5b6dcd70eefb0892fab1539298b92a4b",
nullptr // FAIL
},
{"6450d4501b1e6cfbe172c4c8570363e96b496591b842661c28c2f6c908379cad",
"7e4262035e0bf3d60e91668a",
"5a99b336fd3cfd82f10fb08f7045012415f0d9a06bb92dcf59c6f0dbe62d433671aacb8a1"
"c52ce7bbf6aea372bf51e2ba79406",
"f1c522f026e4c5d43851da516a1b78768ab18171",
"fe93b01636f7bb0458041f213e98de65",
"17449e236ef5858f6d891412495ead4607bfae2a2d735182a2a0242f9d52fc5345ef912db"
"e16f3bb4576fe3bcafe336dee6085"},
{"90f2e71ccb1148979cb742efc8f921de95457d898c84ce28edeed701650d3a26",
"aba58ad60047ba553f6e4c98",
"3fc77a5fe9203d091c7916587c9763cf2e4d0d53ca20b078b851716f1dab4873fe342b7b3"
"01402f015d00263bf3f77c58a99d6",
"2abe465df6e5be47f05b92c9a93d76ae3611fac5",
"9cb3d04637048bc0bddef803ffbb56cf",
"1d21639640e11638a2769e3fab78778f84be3f4a8ce28dfd99cb2e75171e05ea8e94e30aa"
"78b54bb402b39d613616a8ed951dc"},
{nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
const TestVector test_group_4[] = {
{
"e36aca93414b13f5313e76a7244588ee116551d1f34c32859166f2eb0ac1a9b7",
"e9e701b1ccef6bddd03391d8",
"5b059ac6733b6de0e8cf5b88b7301c02c993426f71bb12abf692e9deeacfac1ff1644c"
"87d4df130028f515f0feda636309a24d",
"6a08fe6e55a08f283cec4c4b37676e770f402af6102f548ad473ec6236da764f7076ff"
"d41bbd9611b439362d899682b7b0f839fc5a68d9df54afd1e2b3c4e7d072454ee27111"
"d52193d28b9c4f925d2a8b451675af39191a2cba",
"43c7c9c93cc265fc8e192000e0417b5b",
nullptr // FAIL
},
{"5f72046245d3f4a0877e50a86554bfd57d1c5e073d1ed3b5451f6d0fc2a8507a",
"ea6f5b391e44b751b26bce6f",
"0e6e0b2114c40769c15958d965a14dcf50b680e0185a4409d77d894ca15b1e698dd83b353"
"6b18c05d8cd0873d1edce8150ecb5",
"9b3a68c941d42744673fb60fea49075eae77322e7e70e34502c115b6495ebfc796d629080"
"7653c6b53cd84281bd0311656d0013f44619d2748177e99e8f8347c989a7b59f9d8dcf00f"
"31db0684a4a83e037e8777bae55f799b0d",
"fdaaff86ceb937502cd9012d03585800",
"b0a881b751cc1eb0c912a4cf9bd971983707dbd2411725664503455c55db25cdb19bc669c"
"2654a3a8011de6bf7eff3f9f07834"},
{"ab639bae205547607506522bd3cdca7861369e2b42ef175ff135f6ba435d5a8e",
"5fbb63eb44bd59fee458d8f6",
"9a34c62bed0972285503a32812877187a54dedbd55d2317fed89282bf1af4ba0b6bb9f9e1"
"6dd86da3b441deb7841262bc6bd63",
"1ef2b1768b805587935ffaf754a11bd2a305076d6374f1f5098b1284444b78f55408a786d"
"a37e1b7f1401c330d3585ef56f3e4d35eaaac92e1381d636477dc4f4beaf559735e902d6b"
"e58723257d4ac1ed9bd213de387f35f3c4",
"e0299e079bff46fd12e36d1c60e41434",
"e5a3ce804a8516cdd12122c091256b789076576040dbf3c55e8be3c016025896b8a72532b"
"fd51196cc82efca47aa0fd8e2e0dc"},
{nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
const TestVector test_group_5[] = {
{
"8b37c4b8cf634704920059866ad96c49e9da502c63fca4a3a7a4dcec74cb0610",
"cb59344d2b06c4ae57cd0ea4", "66ab935c93555e786b775637a3", "",
"d8733acbb564d8afaa99d7ca2e2f92a9", nullptr // FAIL
},
{"a71dac1377a3bf5d7fb1b5e36bee70d2e01de2a84a1c1009ba7448f7f26131dc",
"c5b60dda3f333b1146e9da7c", "43af49ec1ae3738a20755034d6", "",
"6f80b6ef2d8830a55eb63680a8dff9e0", "5b87141335f2becac1a559e05f"},
{"dc1f64681014be221b00793bbcf5a5bc675b968eb7a3a3d5aa5978ef4fa45ecc",
"056ae9a1a69e38af603924fe", "33013a48d9ea0df2911d583271", "",
"5b8f9cc22303e979cd1524187e9f70fe", "2a7e05612191c8bce2f529dca9"},
{nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}};
const TestVector* const test_group_array[] = {
test_group_0, test_group_1, test_group_2,
test_group_3, test_group_4, test_group_5,
};
} // namespace
namespace quic {
namespace test {
// DecryptWithNonce wraps the |Decrypt| method of |decrypter| to allow passing
// in an nonce and also to allocate the buffer needed for the plaintext.
QuicData* DecryptWithNonce(Aes256GcmDecrypter* decrypter,
absl::string_view nonce,
absl::string_view associated_data,
absl::string_view ciphertext) {
decrypter->SetIV(nonce);
std::unique_ptr<char[]> output(new char[ciphertext.length()]);
size_t output_length = 0;
const bool success =
decrypter->DecryptPacket(0, associated_data, ciphertext, output.get(),
&output_length, ciphertext.length());
if (!success) {
return nullptr;
}
return new QuicData(output.release(), output_length, true);
}
class Aes256GcmDecrypterTest : public QuicTest {};
TEST_F(Aes256GcmDecrypterTest, Decrypt) {
for (size_t i = 0; i < ABSL_ARRAYSIZE(test_group_array); i++) {
SCOPED_TRACE(i);
const TestVector* test_vectors = test_group_array[i];
const TestGroupInfo& test_info = test_group_info[i];
for (size_t j = 0; test_vectors[j].key != nullptr; j++) {
// If not present then decryption is expected to fail.
bool has_pt = test_vectors[j].pt;
// Decode the test vector.
std::string key = absl::HexStringToBytes(test_vectors[j].key);
std::string iv = absl::HexStringToBytes(test_vectors[j].iv);
std::string ct = absl::HexStringToBytes(test_vectors[j].ct);
std::string aad = absl::HexStringToBytes(test_vectors[j].aad);
std::string tag = absl::HexStringToBytes(test_vectors[j].tag);
std::string pt;
if (has_pt) {
pt = absl::HexStringToBytes(test_vectors[j].pt);
}
// The test vector's lengths should look sane. Note that the lengths
// in |test_info| are in bits.
EXPECT_EQ(test_info.key_len, key.length() * 8);
EXPECT_EQ(test_info.iv_len, iv.length() * 8);
EXPECT_EQ(test_info.pt_len, ct.length() * 8);
EXPECT_EQ(test_info.aad_len, aad.length() * 8);
EXPECT_EQ(test_info.tag_len, tag.length() * 8);
if (has_pt) {
EXPECT_EQ(test_info.pt_len, pt.length() * 8);
}
std::string ciphertext = ct + tag;
Aes256GcmDecrypter decrypter;
ASSERT_TRUE(decrypter.SetKey(key));
std::unique_ptr<QuicData> decrypted(DecryptWithNonce(
&decrypter, iv,
// This deliberately tests that the decrypter can
// handle an AAD that is set to nullptr, as opposed
// to a zero-length, non-nullptr pointer.
aad.length() ? aad : absl::string_view(), ciphertext));
if (!decrypted) {
EXPECT_FALSE(has_pt);
continue;
}
EXPECT_TRUE(has_pt);
ASSERT_EQ(pt.length(), decrypted->length());
quiche::test::CompareCharArraysWithHexError(
"plaintext", decrypted->data(), pt.length(), pt.data(), pt.length());
}
}
}
TEST_F(Aes256GcmDecrypterTest, GenerateHeaderProtectionMask) {
Aes256GcmDecrypter decrypter;
std::string key = absl::HexStringToBytes(
"ed23ecbf54d426def5c52c3dcfc84434e62e57781d3125bb21ed91b7d3e07788");
std::string sample =
absl::HexStringToBytes("4d190c474be2b8babafb49ec4e38e810");
QuicDataReader sample_reader(sample.data(), sample.size());
ASSERT_TRUE(decrypter.SetHeaderProtectionKey(key));
std::string mask = decrypter.GenerateHeaderProtectionMask(&sample_reader);
std::string expected_mask =
absl::HexStringToBytes("db9ed4e6ccd033af2eae01407199c56e");
quiche::test::CompareCharArraysWithHexError(
"header protection mask", mask.data(), mask.size(), expected_mask.data(),
expected_mask.size());
}
} // namespace test
} // namespace quic