Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 1 | /* Copyright (c) 2015, Google Inc. |
| 2 | * |
| 3 | * Permission to use, copy, modify, and/or distribute this software for any |
| 4 | * purpose with or without fee is hereby granted, provided that the above |
| 5 | * copyright notice and this permission notice appear in all copies. |
| 6 | * |
| 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| 14 | |
| 15 | #include <stdio.h> |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame^] | 16 | #include <stdlib.h> |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 17 | #include <string.h> |
| 18 | |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 19 | #include <memory> |
| 20 | #include <vector> |
| 21 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 22 | #include <gtest/gtest.h> |
| 23 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 24 | #include <openssl/aes.h> |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 25 | |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 26 | #include "../../internal.h" |
| 27 | #include "../../test/file_test.h" |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 28 | #include "../../test/test_util.h" |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame^] | 29 | #include "../../test/wycheproof_util.h" |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 30 | |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 31 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 32 | static void TestRaw(FileTest *t) { |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 33 | std::vector<uint8_t> key, plaintext, ciphertext; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 34 | ASSERT_TRUE(t->GetBytes(&key, "Key")); |
| 35 | ASSERT_TRUE(t->GetBytes(&plaintext, "Plaintext")); |
| 36 | ASSERT_TRUE(t->GetBytes(&ciphertext, "Ciphertext")); |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 37 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 38 | ASSERT_EQ(static_cast<unsigned>(AES_BLOCK_SIZE), plaintext.size()); |
| 39 | ASSERT_EQ(static_cast<unsigned>(AES_BLOCK_SIZE), ciphertext.size()); |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 40 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 41 | AES_KEY aes_key; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 42 | ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key)); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 43 | |
| 44 | // Test encryption. |
| 45 | uint8_t block[AES_BLOCK_SIZE]; |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 46 | AES_encrypt(plaintext.data(), block, &aes_key); |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 47 | EXPECT_EQ(Bytes(ciphertext), Bytes(block)); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 48 | |
| 49 | // Test in-place encryption. |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 50 | OPENSSL_memcpy(block, plaintext.data(), AES_BLOCK_SIZE); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 51 | AES_encrypt(block, block, &aes_key); |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 52 | EXPECT_EQ(Bytes(ciphertext), Bytes(block)); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 53 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 54 | ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes_key)); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 55 | |
| 56 | // Test decryption. |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 57 | AES_decrypt(ciphertext.data(), block, &aes_key); |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 58 | EXPECT_EQ(Bytes(plaintext), Bytes(block)); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 59 | |
| 60 | // Test in-place decryption. |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 61 | OPENSSL_memcpy(block, ciphertext.data(), AES_BLOCK_SIZE); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 62 | AES_decrypt(block, block, &aes_key); |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 63 | EXPECT_EQ(Bytes(plaintext), Bytes(block)); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 64 | } |
| 65 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 66 | static void TestKeyWrap(FileTest *t) { |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 67 | // All test vectors use the default IV, so test both with implicit and |
| 68 | // explicit IV. |
| 69 | // |
| 70 | // TODO(davidben): Find test vectors that use a different IV. |
| 71 | static const uint8_t kDefaultIV[] = { |
| 72 | 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, |
| 73 | }; |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 74 | |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 75 | std::vector<uint8_t> key, plaintext, ciphertext; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 76 | ASSERT_TRUE(t->GetBytes(&key, "Key")); |
| 77 | ASSERT_TRUE(t->GetBytes(&plaintext, "Plaintext")); |
| 78 | ASSERT_TRUE(t->GetBytes(&ciphertext, "Ciphertext")); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 79 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 80 | ASSERT_EQ(plaintext.size() + 8, ciphertext.size()) |
| 81 | << "Invalid Plaintext and Ciphertext lengths."; |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 82 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 83 | // Test encryption. |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 84 | AES_KEY aes_key; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 85 | ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key)); |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 86 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 87 | // Test with implicit IV. |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 88 | std::unique_ptr<uint8_t[]> buf(new uint8_t[ciphertext.size()]); |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 89 | int len = AES_wrap_key(&aes_key, nullptr /* iv */, buf.get(), |
| 90 | plaintext.data(), plaintext.size()); |
| 91 | ASSERT_GE(len, 0); |
| 92 | EXPECT_EQ(Bytes(ciphertext), Bytes(buf.get(), static_cast<size_t>(len))); |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 93 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 94 | // Test with explicit IV. |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 95 | OPENSSL_memset(buf.get(), 0, ciphertext.size()); |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 96 | len = AES_wrap_key(&aes_key, kDefaultIV, buf.get(), plaintext.data(), |
| 97 | plaintext.size()); |
| 98 | ASSERT_GE(len, 0); |
| 99 | EXPECT_EQ(Bytes(ciphertext), Bytes(buf.get(), static_cast<size_t>(len))); |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 100 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 101 | // Test decryption. |
| 102 | ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes_key)); |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 103 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 104 | // Test with implicit IV. |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 105 | buf.reset(new uint8_t[plaintext.size()]); |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 106 | len = AES_unwrap_key(&aes_key, nullptr /* iv */, buf.get(), ciphertext.data(), |
| 107 | ciphertext.size()); |
| 108 | ASSERT_GE(len, 0); |
| 109 | EXPECT_EQ(Bytes(plaintext), Bytes(buf.get(), static_cast<size_t>(len))); |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 110 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 111 | // Test with explicit IV. |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 112 | OPENSSL_memset(buf.get(), 0, plaintext.size()); |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 113 | len = AES_unwrap_key(&aes_key, kDefaultIV, buf.get(), ciphertext.data(), |
| 114 | ciphertext.size()); |
| 115 | ASSERT_GE(len, 0); |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 116 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 117 | // Test corrupted ciphertext. |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 118 | ciphertext[0] ^= 1; |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 119 | EXPECT_EQ(-1, AES_unwrap_key(&aes_key, nullptr /* iv */, buf.get(), |
| 120 | ciphertext.data(), ciphertext.size())); |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 121 | } |
| 122 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 123 | TEST(AESTest, TestVectors) { |
| 124 | FileTestGTest("crypto/fipsmodule/aes/aes_tests.txt", [](FileTest *t) { |
| 125 | if (t->GetParameter() == "Raw") { |
| 126 | TestRaw(t); |
| 127 | } else if (t->GetParameter() == "KeyWrap") { |
| 128 | TestKeyWrap(t); |
| 129 | } else { |
| 130 | ADD_FAILURE() << "Unknown mode " << t->GetParameter(); |
| 131 | } |
| 132 | }); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 133 | } |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame^] | 134 | |
| 135 | TEST(AESTest, WycheproofKeyWrap) { |
| 136 | FileTestGTest("third_party/wycheproof_testvectors/kw_test.txt", |
| 137 | [](FileTest *t) { |
| 138 | std::string key_size; |
| 139 | ASSERT_TRUE(t->GetInstruction(&key_size, "keySize")); |
| 140 | std::vector<uint8_t> ct, key, msg; |
| 141 | ASSERT_TRUE(t->GetBytes(&ct, "ct")); |
| 142 | ASSERT_TRUE(t->GetBytes(&key, "key")); |
| 143 | ASSERT_TRUE(t->GetBytes(&msg, "msg")); |
| 144 | ASSERT_EQ(static_cast<unsigned>(atoi(key_size.c_str())), key.size() * 8); |
| 145 | WycheproofResult result; |
| 146 | ASSERT_TRUE(GetWycheproofResult(t, &result)); |
| 147 | |
| 148 | if (result != WycheproofResult::kInvalid) { |
| 149 | ASSERT_GE(ct.size(), 8u); |
| 150 | |
| 151 | AES_KEY aes; |
| 152 | ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes)); |
| 153 | std::vector<uint8_t> out(ct.size() - 8); |
| 154 | int len = AES_unwrap_key(&aes, nullptr, out.data(), ct.data(), ct.size()); |
| 155 | ASSERT_EQ(static_cast<int>(out.size()), len); |
| 156 | EXPECT_EQ(Bytes(msg), Bytes(out)); |
| 157 | |
| 158 | out.resize(msg.size() + 8); |
| 159 | ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes)); |
| 160 | len = AES_wrap_key(&aes, nullptr, out.data(), msg.data(), msg.size()); |
| 161 | ASSERT_EQ(static_cast<int>(out.size()), len); |
| 162 | EXPECT_EQ(Bytes(ct), Bytes(out)); |
| 163 | } else { |
| 164 | AES_KEY aes; |
| 165 | ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes)); |
| 166 | std::vector<uint8_t> out(ct.size() < 8 ? 0 : ct.size() - 8); |
| 167 | int len = AES_unwrap_key(&aes, nullptr, out.data(), ct.data(), ct.size()); |
| 168 | EXPECT_EQ(-1, len); |
| 169 | } |
| 170 | }); |
| 171 | } |
| 172 | |
| 173 | TEST(AESTest, WrapBadLengths) { |
| 174 | uint8_t key[128/8] = {0}; |
| 175 | AES_KEY aes; |
| 176 | ASSERT_EQ(0, AES_set_encrypt_key(key, 128, &aes)); |
| 177 | |
| 178 | // Input lengths to |AES_wrap_key| must be a multiple of 8 and at least 16. |
| 179 | static const size_t kLengths[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, |
| 180 | 9, 10, 11, 12, 13, 14, 15, 20}; |
| 181 | for (size_t len : kLengths) { |
| 182 | SCOPED_TRACE(len); |
| 183 | std::vector<uint8_t> in(len); |
| 184 | std::vector<uint8_t> out(len + 8); |
| 185 | EXPECT_EQ(-1, |
| 186 | AES_wrap_key(&aes, nullptr, out.data(), in.data(), in.size())); |
| 187 | } |
| 188 | } |