2016-02-23 02:50:19 +03:00
|
|
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
|
|
/* vim: set ts=2 et sw=2 tw=80: */
|
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
|
|
|
* You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
2016-08-19 12:20:21 +03:00
|
|
|
#include <memory>
|
2016-02-23 02:50:19 +03:00
|
|
|
#include "nss.h"
|
|
|
|
#include "pk11pub.h"
|
|
|
|
#include "sechash.h"
|
2019-04-30 21:22:11 +03:00
|
|
|
#include "secerr.h"
|
2016-02-23 02:50:19 +03:00
|
|
|
|
2017-03-15 21:46:22 +03:00
|
|
|
#include "cpputil.h"
|
2018-10-01 17:44:32 +03:00
|
|
|
#include "nss_scoped_ptrs.h"
|
2016-02-23 02:50:19 +03:00
|
|
|
|
2019-01-03 06:52:36 +03:00
|
|
|
#include "testvectors/chachapoly-vectors.h"
|
2017-03-15 21:46:22 +03:00
|
|
|
#include "gtest/gtest.h"
|
|
|
|
|
2016-02-23 02:50:19 +03:00
|
|
|
namespace nss_test {
|
|
|
|
|
2019-04-30 21:22:11 +03:00
|
|
|
static const CK_MECHANISM_TYPE kMech = CKM_NSS_CHACHA20_POLY1305;
|
|
|
|
static const CK_MECHANISM_TYPE kMechXor = CKM_NSS_CHACHA20_CTR;
|
|
|
|
// Some test data for simple tests.
|
|
|
|
static const uint8_t kKeyData[32] = {'k'};
|
|
|
|
static const uint8_t kCtrNonce[16] = {'c', 0, 0, 0, 'n'};
|
|
|
|
static const uint8_t kData[16] = {'d'};
|
|
|
|
|
2018-12-14 00:01:41 +03:00
|
|
|
class Pkcs11ChaCha20Poly1305Test
|
|
|
|
: public ::testing::TestWithParam<chacha_testvector> {
|
2016-02-23 02:50:19 +03:00
|
|
|
public:
|
2019-04-30 21:22:11 +03:00
|
|
|
void EncryptDecrypt(const ScopedPK11SymKey& key, const bool invalid_iv,
|
2018-12-14 00:01:41 +03:00
|
|
|
const bool invalid_tag, const uint8_t* data,
|
|
|
|
size_t data_len, const uint8_t* aad, size_t aad_len,
|
|
|
|
const uint8_t* iv, size_t iv_len,
|
|
|
|
const uint8_t* ct = nullptr, size_t ct_len = 0) {
|
2016-02-23 02:50:19 +03:00
|
|
|
// Prepare AEAD params.
|
|
|
|
CK_NSS_AEAD_PARAMS aead_params;
|
|
|
|
aead_params.pNonce = toUcharPtr(iv);
|
|
|
|
aead_params.ulNonceLen = iv_len;
|
|
|
|
aead_params.pAAD = toUcharPtr(aad);
|
|
|
|
aead_params.ulAADLen = aad_len;
|
|
|
|
aead_params.ulTagLen = 16;
|
|
|
|
|
2016-08-19 12:20:21 +03:00
|
|
|
SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
|
|
|
|
sizeof(aead_params)};
|
2016-02-23 02:50:19 +03:00
|
|
|
|
|
|
|
// Encrypt.
|
|
|
|
unsigned int outputLen = 0;
|
|
|
|
std::vector<uint8_t> output(data_len + aead_params.ulTagLen);
|
2019-04-30 21:22:11 +03:00
|
|
|
SECStatus rv = PK11_Encrypt(key.get(), kMech, ¶ms, output.data(),
|
2018-12-14 00:01:41 +03:00
|
|
|
&outputLen, output.size(), data, data_len);
|
|
|
|
|
|
|
|
// Return if encryption failure was expected due to invalid IV.
|
|
|
|
// Without valid ciphertext, all further tests can be skipped.
|
|
|
|
if (invalid_iv) {
|
|
|
|
EXPECT_EQ(rv, SECFailure);
|
|
|
|
return;
|
|
|
|
} else {
|
|
|
|
EXPECT_EQ(rv, SECSuccess);
|
|
|
|
}
|
2016-02-23 02:50:19 +03:00
|
|
|
|
|
|
|
// Check ciphertext and tag.
|
|
|
|
if (ct) {
|
2018-12-14 00:01:41 +03:00
|
|
|
ASSERT_EQ(ct_len, outputLen);
|
|
|
|
EXPECT_TRUE(!memcmp(ct, output.data(), outputLen) != invalid_tag);
|
2016-02-23 02:50:19 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// Decrypt.
|
|
|
|
unsigned int decryptedLen = 0;
|
|
|
|
std::vector<uint8_t> decrypted(data_len);
|
2019-04-30 21:22:11 +03:00
|
|
|
rv =
|
|
|
|
PK11_Decrypt(key.get(), kMech, ¶ms, decrypted.data(), &decryptedLen,
|
|
|
|
decrypted.size(), output.data(), outputLen);
|
2016-02-23 02:50:19 +03:00
|
|
|
EXPECT_EQ(rv, SECSuccess);
|
|
|
|
|
|
|
|
// Check the plaintext.
|
2018-12-14 00:01:41 +03:00
|
|
|
ASSERT_EQ(data_len, decryptedLen);
|
|
|
|
EXPECT_TRUE(!memcmp(data, decrypted.data(), decryptedLen));
|
2016-02-23 02:50:19 +03:00
|
|
|
|
|
|
|
// Decrypt with bogus data.
|
2018-12-14 00:01:41 +03:00
|
|
|
// Skip if there's no data to modify.
|
|
|
|
if (outputLen != 0) {
|
2016-02-23 02:50:19 +03:00
|
|
|
std::vector<uint8_t> bogusCiphertext(output);
|
|
|
|
bogusCiphertext[0] ^= 0xff;
|
2019-04-30 21:22:11 +03:00
|
|
|
rv = PK11_Decrypt(key.get(), kMech, ¶ms, decrypted.data(),
|
|
|
|
&decryptedLen, decrypted.size(), bogusCiphertext.data(),
|
|
|
|
outputLen);
|
2016-02-23 02:50:19 +03:00
|
|
|
EXPECT_NE(rv, SECSuccess);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decrypt with bogus tag.
|
2018-12-14 00:01:41 +03:00
|
|
|
// Skip if there's no tag to modify.
|
|
|
|
if (outputLen != 0) {
|
2016-02-23 02:50:19 +03:00
|
|
|
std::vector<uint8_t> bogusTag(output);
|
|
|
|
bogusTag[outputLen - 1] ^= 0xff;
|
2019-04-30 21:22:11 +03:00
|
|
|
rv = PK11_Decrypt(key.get(), kMech, ¶ms, decrypted.data(),
|
|
|
|
&decryptedLen, decrypted.size(), bogusTag.data(),
|
|
|
|
outputLen);
|
2016-02-23 02:50:19 +03:00
|
|
|
EXPECT_NE(rv, SECSuccess);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decrypt with bogus IV.
|
2018-12-14 00:01:41 +03:00
|
|
|
// iv_len == 0 is invalid and should be caught earlier.
|
|
|
|
// Still skip, if there's no IV to modify.
|
|
|
|
if (iv_len != 0) {
|
2016-02-23 02:50:19 +03:00
|
|
|
SECItem bogusParams(params);
|
|
|
|
CK_NSS_AEAD_PARAMS bogusAeadParams(aead_params);
|
|
|
|
bogusParams.data = reinterpret_cast<unsigned char*>(&bogusAeadParams);
|
|
|
|
|
|
|
|
std::vector<uint8_t> bogusIV(iv, iv + iv_len);
|
2018-12-14 00:01:41 +03:00
|
|
|
bogusAeadParams.pNonce = toUcharPtr(bogusIV.data());
|
2016-02-23 02:50:19 +03:00
|
|
|
bogusIV[0] ^= 0xff;
|
|
|
|
|
2019-04-30 21:22:11 +03:00
|
|
|
rv = PK11_Decrypt(key.get(), kMech, &bogusParams, decrypted.data(),
|
2018-12-14 00:01:41 +03:00
|
|
|
&decryptedLen, data_len, output.data(), outputLen);
|
2016-02-23 02:50:19 +03:00
|
|
|
EXPECT_NE(rv, SECSuccess);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decrypt with bogus additional data.
|
2018-12-14 00:01:41 +03:00
|
|
|
// Skip when AAD was empty and can't be modified.
|
|
|
|
// Alternatively we could generate random aad.
|
|
|
|
if (aad_len != 0) {
|
2016-02-23 02:50:19 +03:00
|
|
|
SECItem bogusParams(params);
|
|
|
|
CK_NSS_AEAD_PARAMS bogusAeadParams(aead_params);
|
|
|
|
bogusParams.data = reinterpret_cast<unsigned char*>(&bogusAeadParams);
|
|
|
|
|
|
|
|
std::vector<uint8_t> bogusAAD(aad, aad + aad_len);
|
2018-12-14 00:01:41 +03:00
|
|
|
bogusAeadParams.pAAD = toUcharPtr(bogusAAD.data());
|
2016-02-23 02:50:19 +03:00
|
|
|
bogusAAD[0] ^= 0xff;
|
|
|
|
|
2019-04-30 21:22:11 +03:00
|
|
|
rv = PK11_Decrypt(key.get(), kMech, &bogusParams, decrypted.data(),
|
2018-12-14 00:01:41 +03:00
|
|
|
&decryptedLen, data_len, output.data(), outputLen);
|
2016-02-23 02:50:19 +03:00
|
|
|
EXPECT_NE(rv, SECSuccess);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-12-14 00:01:41 +03:00
|
|
|
void EncryptDecrypt(const chacha_testvector testvector) {
|
2016-02-23 02:50:19 +03:00
|
|
|
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
|
2019-04-30 21:22:11 +03:00
|
|
|
SECItem key_item = {siBuffer, toUcharPtr(testvector.Key.data()),
|
|
|
|
static_cast<unsigned int>(testvector.Key.size())};
|
2016-02-23 02:50:19 +03:00
|
|
|
|
|
|
|
// Import key.
|
2019-04-30 21:22:11 +03:00
|
|
|
ScopedPK11SymKey key(PK11_ImportSymKey(slot.get(), kMech, PK11_OriginUnwrap,
|
|
|
|
CKA_ENCRYPT, &key_item, nullptr));
|
|
|
|
EXPECT_TRUE(!!key);
|
2016-02-23 02:50:19 +03:00
|
|
|
|
|
|
|
// Check.
|
2019-04-30 21:22:11 +03:00
|
|
|
EncryptDecrypt(key, testvector.invalid_iv, testvector.invalid_tag,
|
2018-12-14 00:01:41 +03:00
|
|
|
testvector.Data.data(), testvector.Data.size(),
|
|
|
|
testvector.AAD.data(), testvector.AAD.size(),
|
|
|
|
testvector.IV.data(), testvector.IV.size(),
|
|
|
|
testvector.CT.data(), testvector.CT.size());
|
2016-02-23 02:50:19 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
protected:
|
|
|
|
};
|
|
|
|
|
|
|
|
TEST_F(Pkcs11ChaCha20Poly1305Test, GenerateEncryptDecrypt) {
|
|
|
|
// Generate a random key.
|
|
|
|
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
|
2019-04-30 21:22:11 +03:00
|
|
|
ScopedPK11SymKey key(PK11_KeyGen(slot.get(), kMech, nullptr, 32, nullptr));
|
|
|
|
EXPECT_TRUE(!!key);
|
2016-02-23 02:50:19 +03:00
|
|
|
|
|
|
|
// Generate random data.
|
|
|
|
std::vector<uint8_t> data(512);
|
2018-12-14 00:01:41 +03:00
|
|
|
SECStatus rv =
|
|
|
|
PK11_GenerateRandomOnSlot(slot.get(), data.data(), data.size());
|
2016-02-23 02:50:19 +03:00
|
|
|
EXPECT_EQ(rv, SECSuccess);
|
|
|
|
|
|
|
|
// Generate random AAD.
|
|
|
|
std::vector<uint8_t> aad(16);
|
2018-12-14 00:01:41 +03:00
|
|
|
rv = PK11_GenerateRandomOnSlot(slot.get(), aad.data(), aad.size());
|
2016-02-23 02:50:19 +03:00
|
|
|
EXPECT_EQ(rv, SECSuccess);
|
|
|
|
|
|
|
|
// Generate random IV.
|
|
|
|
std::vector<uint8_t> iv(12);
|
2018-12-14 00:01:41 +03:00
|
|
|
rv = PK11_GenerateRandomOnSlot(slot.get(), iv.data(), iv.size());
|
2016-02-23 02:50:19 +03:00
|
|
|
EXPECT_EQ(rv, SECSuccess);
|
|
|
|
|
|
|
|
// Check.
|
2019-04-30 21:22:11 +03:00
|
|
|
EncryptDecrypt(key, false, false, data.data(), data.size(), aad.data(),
|
|
|
|
aad.size(), iv.data(), iv.size());
|
|
|
|
}
|
|
|
|
|
|
|
|
TEST_F(Pkcs11ChaCha20Poly1305Test, Xor) {
|
|
|
|
static const uint8_t kExpected[sizeof(kData)] = {
|
|
|
|
0xd8, 0x15, 0xd3, 0xb3, 0xe9, 0x34, 0x3b, 0x7a,
|
|
|
|
0x24, 0xf6, 0x5f, 0xd7, 0x95, 0x3d, 0xd3, 0x51};
|
|
|
|
|
|
|
|
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
|
|
|
|
SECItem keyItem = {siBuffer, toUcharPtr(kKeyData),
|
|
|
|
static_cast<unsigned int>(sizeof(kKeyData))};
|
|
|
|
ScopedPK11SymKey key(PK11_ImportSymKey(
|
|
|
|
slot.get(), kMechXor, PK11_OriginUnwrap, CKA_ENCRYPT, &keyItem, nullptr));
|
|
|
|
EXPECT_TRUE(!!key);
|
|
|
|
|
|
|
|
SECItem ctr_nonce_item = {siBuffer, toUcharPtr(kCtrNonce),
|
|
|
|
static_cast<unsigned int>(sizeof(kCtrNonce))};
|
|
|
|
uint8_t output[sizeof(kData)];
|
|
|
|
unsigned int output_len = 88; // This should be overwritten.
|
|
|
|
SECStatus rv =
|
|
|
|
PK11_Encrypt(key.get(), kMechXor, &ctr_nonce_item, output, &output_len,
|
|
|
|
sizeof(output), kData, sizeof(kData));
|
|
|
|
ASSERT_EQ(SECSuccess, rv);
|
|
|
|
ASSERT_EQ(sizeof(kExpected), static_cast<size_t>(output_len));
|
|
|
|
EXPECT_EQ(0, memcmp(kExpected, output, sizeof(kExpected)));
|
|
|
|
|
|
|
|
// Decrypting has the same effect.
|
|
|
|
rv = PK11_Decrypt(key.get(), kMechXor, &ctr_nonce_item, output, &output_len,
|
|
|
|
sizeof(output), kData, sizeof(kData));
|
|
|
|
ASSERT_EQ(SECSuccess, rv);
|
|
|
|
ASSERT_EQ(sizeof(kData), static_cast<size_t>(output_len));
|
|
|
|
EXPECT_EQ(0, memcmp(kExpected, output, sizeof(kExpected)));
|
|
|
|
|
|
|
|
// Operating in reverse too.
|
|
|
|
rv = PK11_Encrypt(key.get(), kMechXor, &ctr_nonce_item, output, &output_len,
|
|
|
|
sizeof(output), kExpected, sizeof(kExpected));
|
|
|
|
ASSERT_EQ(SECSuccess, rv);
|
|
|
|
ASSERT_EQ(sizeof(kExpected), static_cast<size_t>(output_len));
|
|
|
|
EXPECT_EQ(0, memcmp(kData, output, sizeof(kData)));
|
|
|
|
}
|
|
|
|
|
|
|
|
// This test just ensures that a key can be generated for use with the XOR
|
|
|
|
// function. The result is random and therefore cannot be checked.
|
|
|
|
TEST_F(Pkcs11ChaCha20Poly1305Test, GenerateXor) {
|
|
|
|
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
|
|
|
|
ScopedPK11SymKey key(PK11_KeyGen(slot.get(), kMech, nullptr, 32, nullptr));
|
|
|
|
EXPECT_TRUE(!!key);
|
|
|
|
|
|
|
|
SECItem ctr_nonce_item = {siBuffer, toUcharPtr(kCtrNonce),
|
|
|
|
static_cast<unsigned int>(sizeof(kCtrNonce))};
|
|
|
|
uint8_t output[sizeof(kData)];
|
|
|
|
unsigned int output_len = 88; // This should be overwritten.
|
|
|
|
SECStatus rv =
|
|
|
|
PK11_Encrypt(key.get(), kMechXor, &ctr_nonce_item, output, &output_len,
|
|
|
|
sizeof(output), kData, sizeof(kData));
|
|
|
|
ASSERT_EQ(SECSuccess, rv);
|
|
|
|
ASSERT_EQ(sizeof(kData), static_cast<size_t>(output_len));
|
|
|
|
}
|
|
|
|
|
|
|
|
TEST_F(Pkcs11ChaCha20Poly1305Test, XorInvalidParams) {
|
|
|
|
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
|
|
|
|
ScopedPK11SymKey key(PK11_KeyGen(slot.get(), kMech, nullptr, 32, nullptr));
|
|
|
|
EXPECT_TRUE(!!key);
|
|
|
|
|
|
|
|
SECItem ctr_nonce_item = {siBuffer, toUcharPtr(kCtrNonce),
|
|
|
|
static_cast<unsigned int>(sizeof(kCtrNonce)) - 1};
|
|
|
|
uint8_t output[sizeof(kData)];
|
|
|
|
unsigned int output_len = 88;
|
|
|
|
SECStatus rv =
|
|
|
|
PK11_Encrypt(key.get(), kMechXor, &ctr_nonce_item, output, &output_len,
|
|
|
|
sizeof(output), kData, sizeof(kData));
|
|
|
|
EXPECT_EQ(SECFailure, rv);
|
|
|
|
|
|
|
|
ctr_nonce_item.data = nullptr;
|
|
|
|
rv = PK11_Encrypt(key.get(), kMechXor, &ctr_nonce_item, output, &output_len,
|
|
|
|
sizeof(output), kData, sizeof(kData));
|
|
|
|
EXPECT_EQ(SECFailure, rv);
|
|
|
|
EXPECT_EQ(SEC_ERROR_BAD_DATA, PORT_GetError());
|
2016-02-23 02:50:19 +03:00
|
|
|
}
|
|
|
|
|
2018-12-14 00:01:41 +03:00
|
|
|
TEST_P(Pkcs11ChaCha20Poly1305Test, TestVectors) { EncryptDecrypt(GetParam()); }
|
2016-02-23 02:50:19 +03:00
|
|
|
|
2018-12-14 00:01:41 +03:00
|
|
|
INSTANTIATE_TEST_CASE_P(NSSTestVector, Pkcs11ChaCha20Poly1305Test,
|
|
|
|
::testing::ValuesIn(kChaCha20Vectors));
|
|
|
|
|
|
|
|
INSTANTIATE_TEST_CASE_P(WycheproofTestVector, Pkcs11ChaCha20Poly1305Test,
|
|
|
|
::testing::ValuesIn(kChaCha20WycheproofVectors));
|
2016-02-23 02:50:19 +03:00
|
|
|
|
|
|
|
} // namespace nss_test
|