cc/aead/internal/cord_aes_gcm_boringssl_test.cc - third_party/tink - Git at Google

 // Copyright 2020 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 ////////////////////////////////////////////////////////////////////////////////

 #include "tink/aead/internal/cord_aes_gcm_boringssl.h"

 #include <memory>
 #include <string>
 #include <utility>
 #include <vector>

 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "absl/strings/cord.h"
 #include "absl/strings/cord_test_helpers.h"
 #include "absl/strings/escaping.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/str_split.h"
 #include "openssl/err.h"
 #include "include/rapidjson/document.h"
 #include "tink/subtle/aes_gcm_boringssl.h"
 #include "tink/subtle/wycheproof_util.h"
 #include "tink/util/secret_data.h"
 #include "tink/util/statusor.h"
 #include "tink/util/test_matchers.h"

 namespace crypto {
 namespace tink {
 namespace internal {
 namespace {

 constexpr absl::string_view key_128 = "000102030405060708090a0b0c0d0e0f";
 constexpr absl::string_view kMessage = "Some data to encrypt.";
 constexpr absl::string_view kLongMessage =
     "This is some long message which will be fragmented.";
 constexpr absl::string_view kAssociatedData = "Some associated data.";

 using ::crypto::tink::test::IsOk;
 using ::testing::Eq;
 using ::testing::Not;
 using ::testing::SizeIs;
 using ::testing::Test;

 class CordAesGcmBoringSslTest : public Test {
  protected:
   void SetUp() override {
     key_ = util::SecretDataFromStringView(absl::HexStringToBytes(key_128));
     util::StatusOr<std::unique_ptr<CordAead>> res =
         CordAesGcmBoringSsl::New(key_);
     ASSERT_THAT(res, IsOk());
     cipher_ = std::move(*res);
   }

   util::SecretData key_;
   std::unique_ptr<CordAead> cipher_;
 };

 TEST_F(CordAesGcmBoringSslTest, EncryptDecryptCord) {
   absl::Cord message_cord = absl::Cord(kMessage);
   absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
   util::StatusOr<absl::Cord> ct =
       cipher_->Encrypt(message_cord, associated_data_cord);
   ASSERT_THAT(ct, IsOk());
   EXPECT_THAT(*ct, SizeIs(message_cord.size() + 12 + 16));
   util::StatusOr<absl::Cord> pt = cipher_->Decrypt(*ct, associated_data_cord);
   ASSERT_THAT(pt, IsOk());
   EXPECT_EQ(*pt, message_cord.Flatten());
 }

 TEST_F(CordAesGcmBoringSslTest, ChunkyCordEncrypt) {
   absl::Cord message_cord =
       absl::MakeFragmentedCord(absl::StrSplit(kLongMessage, absl::ByLength(3)));
   absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
   util::StatusOr<absl::Cord> ct =
       cipher_->Encrypt(message_cord, associated_data_cord);
   ASSERT_THAT(ct, IsOk());
   EXPECT_THAT(*ct, SizeIs(message_cord.size() + 12 + 16));
   util::StatusOr<absl::Cord> pt = cipher_->Decrypt(*ct, associated_data_cord);
   ASSERT_THAT(pt, IsOk());
   EXPECT_THAT(*pt, Eq(kLongMessage));
 }

 TEST_F(CordAesGcmBoringSslTest, ChunkyCordDecrypt) {
   absl::Cord message_cord = absl::Cord(kLongMessage);
   absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
   util::StatusOr<absl::Cord> ct =
       cipher_->Encrypt(message_cord, associated_data_cord);
   ASSERT_THAT(ct, IsOk());
   absl::Cord fragmented_ct = absl::MakeFragmentedCord(
       absl::StrSplit(ct->Flatten(), absl::ByLength(3)));
   util::StatusOr<absl::Cord> pt =
       cipher_->Decrypt(fragmented_ct, associated_data_cord);
   ASSERT_THAT(pt, IsOk());
   EXPECT_THAT(*pt, Eq(kLongMessage));
 }

 TEST_F(CordAesGcmBoringSslTest, CanDecryptWithStringAead) {
   absl::Cord message_cord = absl::Cord(kMessage);
   absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
   util::StatusOr<absl::Cord> ct =
       cipher_->Encrypt(message_cord, associated_data_cord);
   ASSERT_THAT(ct, IsOk());
   EXPECT_EQ(ct->size(), message_cord.size() + 12 + 16);
   util::StatusOr<absl::Cord> pt = cipher_->Decrypt(*ct, associated_data_cord);
   ASSERT_THAT(pt, IsOk());
   EXPECT_EQ(*pt, message_cord.Flatten());

   // Decrypt as string and check if it gives same result.
   util::StatusOr<std::unique_ptr<Aead>> string_aead =
       subtle::AesGcmBoringSsl::New(key_);
   ASSERT_THAT(string_aead, IsOk());
   util::StatusOr<std::string> plaintext =
       (*string_aead)
           ->Decrypt(ct.value().Flatten(), associated_data_cord.Flatten());
   ASSERT_THAT(plaintext, IsOk());
   EXPECT_EQ(*plaintext, kMessage);
 }

 TEST_F(CordAesGcmBoringSslTest, ModifiedCord) {
   absl::Cord message = absl::Cord(kMessage);
   absl::Cord ad = absl::Cord(kAssociatedData);
   util::StatusOr<absl::Cord> ct = cipher_->Encrypt(message, ad);
   ASSERT_THAT(ct, IsOk());
   util::StatusOr<absl::Cord> plaintext = cipher_->Decrypt(*ct, ad);
   ASSERT_THAT(plaintext, IsOk());
   EXPECT_EQ(*plaintext, message);

   // Modify the ciphertext.
   for (size_t i = 0; i < ct->size() * 8; i++) {
     std::string modified_ct = std::string(ct->Flatten());
     modified_ct[i / 8] ^= 1 << (i % 8);
     absl::Cord modified_ct_cord;
     modified_ct_cord = absl::Cord(modified_ct);
     EXPECT_THAT(cipher_->Decrypt(modified_ct_cord, ad), Not(IsOk()))
         << i;
   }
   // Modify the associated data.
   for (size_t i = 0; i < ad.size() * 8; i++) {
     std::string modified_ad = std::string(ad.Flatten());
     modified_ad[i / 8] ^= 1 << (i % 8);
     absl::Cord modified_associated_data_cord;
     modified_associated_data_cord = absl::Cord(modified_ad);
     util::StatusOr<absl::Cord> decrypted =
         cipher_->Decrypt(*ct, modified_associated_data_cord);
     EXPECT_THAT(decrypted, Not(IsOk())) << i << " pt: " << *decrypted;
   }
   // Truncate the ciphertext.
   for (size_t i = 0; i < ct->size(); i++) {
     std::string truncated_ct(std::string(ct->Flatten()), 0, i);
     absl::Cord truncated_ct_cord;
     truncated_ct_cord = absl::Cord(truncated_ct);
     EXPECT_THAT(cipher_->Decrypt(truncated_ct_cord, ad), Not(IsOk()))
         << i;
   }
 }

 static std::string GetError() {
   auto err = ERR_peek_last_error();
   // Sometimes there is no error message on the stack.
   if (err == 0) {
     return "";
   }
   std::string lib(ERR_lib_error_string(err));
   std::string func(ERR_func_error_string(err));
   std::string reason(ERR_reason_error_string(err));
   return lib + ":" + func + ":" + reason;
 }

 // Test with test vectors from Wycheproof project.
 bool WycheproofTest(const rapidjson::Document& root) {
   int errors = 0;
   for (const rapidjson::Value& test_group : root["testGroups"].GetArray()) {
     const size_t iv_size = test_group["ivSize"].GetInt();
     const size_t key_size = test_group["keySize"].GetInt();
     const size_t tag_size = test_group["tagSize"].GetInt();
     // CordAesGcmBoringSsl only supports 12-byte IVs and 16-byte
     // authentication tag. Also 24-byte keys are not supported.
     if (iv_size != 96 || tag_size != 128 || key_size == 192) {
       // Not supported
       continue;
     }
     for (const rapidjson::Value& test : test_group["tests"].GetArray()) {
       std::string comment = test["comment"].GetString();
       std::string key = subtle::WycheproofUtil::GetBytes(test["key"]);
       std::string iv = subtle::WycheproofUtil::GetBytes(test["iv"]);
       std::string msg = subtle::WycheproofUtil::GetBytes(test["msg"]);
       std::string ct = subtle::WycheproofUtil::GetBytes(test["ct"]);
       std::string ad = subtle::WycheproofUtil::GetBytes(test["aad"]);
       std::string tag = subtle::WycheproofUtil::GetBytes(test["tag"]);
       std::string id = absl::StrCat(test["tcId"].GetInt());
       std::string expected = test["result"].GetString();

       std::unique_ptr<CordAead> cipher = std::move(
           *CordAesGcmBoringSsl::New(util::SecretDataFromStringView(key)));
       // Convert the ciphertext to cord.
       absl::Cord ct_cord = absl::Cord(iv + ct + tag);
       absl::Cord associated_data_cord = absl::Cord(ad);
       util::StatusOr<absl::Cord> result =
           cipher->Decrypt(ct_cord, associated_data_cord);
       if (result.ok()) {
         std::string decrypted = std::string(result->Flatten());
         if (expected == "invalid") {
           ADD_FAILURE() << "Decrypted invalid ciphertext:" << id;
           errors++;
         } else if (msg != decrypted) {
           ADD_FAILURE() << "Incorrect decryption:" << id;
           errors++;
         }
       } else {
         if (expected == "valid" || expected == "acceptable") {
           ADD_FAILURE() << "Could not decrypt test with tcId:" << id
                         << " iv_size:" << iv_size << " tag_size:" << tag_size
                         << " key_size:" << key_size << " error:" << GetError();
           errors++;
         }
       }
     }
   }
   return errors == 0;
 }

 TEST(CordAesGcmBoringSslWycheproofTest, TestVectors) {
   std::unique_ptr<rapidjson::Document> root =
       subtle::WycheproofUtil::ReadTestVectors("aes_gcm_test.json");
   ASSERT_TRUE(WycheproofTest(*root));
 }

 }  // namespace
 }  // namespace internal
 }  // namespace tink
 }  // namespace crypto
	// Copyright 2020 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	////////////////////////////////////////////////////////////////////////////////

	#include "tink/aead/internal/cord_aes_gcm_boringssl.h"

	#include <memory>
	#include <string>
	#include <utility>
	#include <vector>

	#include "gmock/gmock.h"
	#include "gtest/gtest.h"
	#include "absl/strings/cord.h"
	#include "absl/strings/cord_test_helpers.h"
	#include "absl/strings/escaping.h"
	#include "absl/strings/str_cat.h"
	#include "absl/strings/str_split.h"
	#include "openssl/err.h"
	#include "include/rapidjson/document.h"
	#include "tink/subtle/aes_gcm_boringssl.h"
	#include "tink/subtle/wycheproof_util.h"
	#include "tink/util/secret_data.h"
	#include "tink/util/statusor.h"
	#include "tink/util/test_matchers.h"

	namespace crypto {
	namespace tink {
	namespace internal {
	namespace {

	constexpr absl::string_view key_128 = "000102030405060708090a0b0c0d0e0f";
	constexpr absl::string_view kMessage = "Some data to encrypt.";
	constexpr absl::string_view kLongMessage =
	"This is some long message which will be fragmented.";
	constexpr absl::string_view kAssociatedData = "Some associated data.";

	using ::crypto::tink::test::IsOk;
	using ::testing::Eq;
	using ::testing::Not;
	using ::testing::SizeIs;
	using ::testing::Test;

	class CordAesGcmBoringSslTest : public Test {
	protected:
	void SetUp() override {
	key_ = util::SecretDataFromStringView(absl::HexStringToBytes(key_128));
	util::StatusOr<std::unique_ptr<CordAead>> res =
	CordAesGcmBoringSsl::New(key_);
	ASSERT_THAT(res, IsOk());
	cipher_ = std::move(*res);
	}

	util::SecretData key_;
	std::unique_ptr<CordAead> cipher_;
	};

	TEST_F(CordAesGcmBoringSslTest, EncryptDecryptCord) {
	absl::Cord message_cord = absl::Cord(kMessage);
	absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
	util::StatusOr<absl::Cord> ct =
	cipher_->Encrypt(message_cord, associated_data_cord);
	ASSERT_THAT(ct, IsOk());
	EXPECT_THAT(*ct, SizeIs(message_cord.size() + 12 + 16));
	util::StatusOr<absl::Cord> pt = cipher_->Decrypt(*ct, associated_data_cord);
	ASSERT_THAT(pt, IsOk());
	EXPECT_EQ(*pt, message_cord.Flatten());
	}

	TEST_F(CordAesGcmBoringSslTest, ChunkyCordEncrypt) {
	absl::Cord message_cord =
	absl::MakeFragmentedCord(absl::StrSplit(kLongMessage, absl::ByLength(3)));
	absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
	util::StatusOr<absl::Cord> ct =
	cipher_->Encrypt(message_cord, associated_data_cord);
	ASSERT_THAT(ct, IsOk());
	EXPECT_THAT(*ct, SizeIs(message_cord.size() + 12 + 16));
	util::StatusOr<absl::Cord> pt = cipher_->Decrypt(*ct, associated_data_cord);
	ASSERT_THAT(pt, IsOk());
	EXPECT_THAT(*pt, Eq(kLongMessage));
	}

	TEST_F(CordAesGcmBoringSslTest, ChunkyCordDecrypt) {
	absl::Cord message_cord = absl::Cord(kLongMessage);
	absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
	util::StatusOr<absl::Cord> ct =
	cipher_->Encrypt(message_cord, associated_data_cord);
	ASSERT_THAT(ct, IsOk());
	absl::Cord fragmented_ct = absl::MakeFragmentedCord(
	absl::StrSplit(ct->Flatten(), absl::ByLength(3)));
	util::StatusOr<absl::Cord> pt =
	cipher_->Decrypt(fragmented_ct, associated_data_cord);
	ASSERT_THAT(pt, IsOk());
	EXPECT_THAT(*pt, Eq(kLongMessage));
	}

	TEST_F(CordAesGcmBoringSslTest, CanDecryptWithStringAead) {
	absl::Cord message_cord = absl::Cord(kMessage);
	absl::Cord associated_data_cord = absl::Cord(kAssociatedData);
	util::StatusOr<absl::Cord> ct =
	cipher_->Encrypt(message_cord, associated_data_cord);
	ASSERT_THAT(ct, IsOk());
	EXPECT_EQ(ct->size(), message_cord.size() + 12 + 16);
	util::StatusOr<absl::Cord> pt = cipher_->Decrypt(*ct, associated_data_cord);
	ASSERT_THAT(pt, IsOk());
	EXPECT_EQ(*pt, message_cord.Flatten());

	// Decrypt as string and check if it gives same result.
	util::StatusOr<std::unique_ptr<Aead>> string_aead =
	subtle::AesGcmBoringSsl::New(key_);
	ASSERT_THAT(string_aead, IsOk());
	util::StatusOr<std::string> plaintext =
	(*string_aead)
	->Decrypt(ct.value().Flatten(), associated_data_cord.Flatten());
	ASSERT_THAT(plaintext, IsOk());
	EXPECT_EQ(*plaintext, kMessage);
	}

	TEST_F(CordAesGcmBoringSslTest, ModifiedCord) {
	absl::Cord message = absl::Cord(kMessage);
	absl::Cord ad = absl::Cord(kAssociatedData);
	util::StatusOr<absl::Cord> ct = cipher_->Encrypt(message, ad);
	ASSERT_THAT(ct, IsOk());
	util::StatusOr<absl::Cord> plaintext = cipher_->Decrypt(*ct, ad);
	ASSERT_THAT(plaintext, IsOk());
	EXPECT_EQ(*plaintext, message);

	// Modify the ciphertext.
	for (size_t i = 0; i < ct->size() * 8; i++) {
	std::string modified_ct = std::string(ct->Flatten());
	modified_ct[i / 8] ^= 1 << (i % 8);
	absl::Cord modified_ct_cord;
	modified_ct_cord = absl::Cord(modified_ct);
	EXPECT_THAT(cipher_->Decrypt(modified_ct_cord, ad), Not(IsOk()))
	<< i;
	}
	// Modify the associated data.
	for (size_t i = 0; i < ad.size() * 8; i++) {
	std::string modified_ad = std::string(ad.Flatten());
	modified_ad[i / 8] ^= 1 << (i % 8);
	absl::Cord modified_associated_data_cord;
	modified_associated_data_cord = absl::Cord(modified_ad);
	util::StatusOr<absl::Cord> decrypted =
	cipher_->Decrypt(*ct, modified_associated_data_cord);
	EXPECT_THAT(decrypted, Not(IsOk())) << i << " pt: " << *decrypted;
	}
	// Truncate the ciphertext.
	for (size_t i = 0; i < ct->size(); i++) {
	std::string truncated_ct(std::string(ct->Flatten()), 0, i);
	absl::Cord truncated_ct_cord;
	truncated_ct_cord = absl::Cord(truncated_ct);
	EXPECT_THAT(cipher_->Decrypt(truncated_ct_cord, ad), Not(IsOk()))
	<< i;
	}
	}

	static std::string GetError() {
	auto err = ERR_peek_last_error();
	// Sometimes there is no error message on the stack.
	if (err == 0) {
	return "";
	}
	std::string lib(ERR_lib_error_string(err));
	std::string func(ERR_func_error_string(err));
	std::string reason(ERR_reason_error_string(err));
	return lib + ":" + func + ":" + reason;
	}

	// Test with test vectors from Wycheproof project.
	bool WycheproofTest(const rapidjson::Document& root) {
	int errors = 0;
	for (const rapidjson::Value& test_group : root["testGroups"].GetArray()) {
	const size_t iv_size = test_group["ivSize"].GetInt();
	const size_t key_size = test_group["keySize"].GetInt();
	const size_t tag_size = test_group["tagSize"].GetInt();
	// CordAesGcmBoringSsl only supports 12-byte IVs and 16-byte
	// authentication tag. Also 24-byte keys are not supported.
	if (iv_size != 96 \|\| tag_size != 128 \|\| key_size == 192) {
	// Not supported
	continue;
	}
	for (const rapidjson::Value& test : test_group["tests"].GetArray()) {
	std::string comment = test["comment"].GetString();
	std::string key = subtle::WycheproofUtil::GetBytes(test["key"]);
	std::string iv = subtle::WycheproofUtil::GetBytes(test["iv"]);
	std::string msg = subtle::WycheproofUtil::GetBytes(test["msg"]);
	std::string ct = subtle::WycheproofUtil::GetBytes(test["ct"]);
	std::string ad = subtle::WycheproofUtil::GetBytes(test["aad"]);
	std::string tag = subtle::WycheproofUtil::GetBytes(test["tag"]);
	std::string id = absl::StrCat(test["tcId"].GetInt());
	std::string expected = test["result"].GetString();

	std::unique_ptr<CordAead> cipher = std::move(
	*CordAesGcmBoringSsl::New(util::SecretDataFromStringView(key)));
	// Convert the ciphertext to cord.
	absl::Cord ct_cord = absl::Cord(iv + ct + tag);
	absl::Cord associated_data_cord = absl::Cord(ad);
	util::StatusOr<absl::Cord> result =
	cipher->Decrypt(ct_cord, associated_data_cord);
	if (result.ok()) {
	std::string decrypted = std::string(result->Flatten());
	if (expected == "invalid") {
	ADD_FAILURE() << "Decrypted invalid ciphertext:" << id;
	errors++;
	} else if (msg != decrypted) {
	ADD_FAILURE() << "Incorrect decryption:" << id;
	errors++;
	}
	} else {
	if (expected == "valid" \|\| expected == "acceptable") {
	ADD_FAILURE() << "Could not decrypt test with tcId:" << id
	<< " iv_size:" << iv_size << " tag_size:" << tag_size
	<< " key_size:" << key_size << " error:" << GetError();
	errors++;
	}
	}
	}
	}
	return errors == 0;
	}

	TEST(CordAesGcmBoringSslWycheproofTest, TestVectors) {
	std::unique_ptr<rapidjson::Document> root =
	subtle::WycheproofUtil::ReadTestVectors("aes_gcm_test.json");
	ASSERT_TRUE(WycheproofTest(*root));
	}

	} // namespace
	} // namespace internal
	} // namespace tink
	} // namespace crypto