1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "crypto/aes_128_gcm_helpers_nss.h"
11 #include "base/logging.h"
12 #include "base/rand_util.h"
13 #include "base/strings/string_number_conversions.h"
14 #include "base/strings/string_util.h"
15 #include "crypto/nss_util.h"
16 #include "crypto/random.h"
17 #include "crypto/scoped_nss_types.h"
18 #include "testing/gtest/include/gtest/gtest.h"
24 // The AES GCM test vectors come from the gcmDecrypt128.rsp and
25 // gcmEncryptExtIV128.rsp files downloaded from
26 // http://csrc.nist.gov/groups/STM/cavp/index.html on 2013-02-01. The test
27 // vectors in that file look like this:
36 // Key = cf063a34d4a9a76c2c86787d3f96db71
37 // IV = 113b9785971864c83b01c787
40 // Tag = 72ac8493e3a5228b5d130a69d2510e42
44 // Key = a49a5e26a2f8cb63d05546c2a62f5343
45 // IV = 907763b19b9b4ab6bd4f0281
48 // Tag = a2be08210d8c470a8df6e8fbd79ec5cf
53 // These files are huge (2.6 MB and 2.8 MB), so this file contains just a
54 // selection of test vectors.
56 // Describes a group of test vectors that all have a given key length, IV
57 // length, plaintext length, AAD length, and tag length.
58 struct TestGroupInfo
{
66 // Each test vector consists of six strings of lowercase hexadecimal digits.
67 // The strings may be empty (zero length). A test vector with a NULL |key|
68 // marks the end of an array of test vectors.
78 const char* output
; // An empty string "" means decryption or encryption
79 // succeeded and the plaintext is zero-length. NULL means
80 // that the decryption or encryption failed.
83 const TestGroupInfo test_group_info
[] = {
85 {128, 96, 0, 128, 128},
86 {128, 96, 128, 0, 128},
87 {128, 96, 408, 160, 128},
88 {128, 96, 408, 720, 128},
89 {128, 96, 104, 0, 128},
92 const TestVector decryption_test_group_0
[] = {
93 {"cf063a34d4a9a76c2c86787d3f96db71",
94 "113b9785971864c83b01c787",
97 "72ac8493e3a5228b5d130a69d2510e42",
100 "a49a5e26a2f8cb63d05546c2a62f5343",
101 "907763b19b9b4ab6bd4f0281",
104 "a2be08210d8c470a8df6e8fbd79ec5cf",
109 const TestVector decryption_test_group_1
[] = {
111 "d1f6af919cde85661208bdce0c27cb22",
112 "898c6929b435017bf031c3c5",
114 "7c5faa40e636bbc91107e68010c92b9f",
115 "ae45f11777540a2caeb128be8092468a",
118 {"2370e320d4344208e0ff5683f243b213",
119 "04dbb82f044d30831c441228",
121 "d43a8e5089eea0d026c03a85178b27da",
122 "2a049c049d25aa95969b451d93c31c6e",
126 const TestVector decryption_test_group_2
[] = {
127 {"e98b72a9881a84ca6b76e0f43e68647a",
128 "8b23299fde174053f3d652ba",
129 "5a3c1cf1985dbb8bed818036fdd5ab42",
131 "23c7ab0f952b7091cd324835043b5eb5",
132 "28286a321293253c3e0aa2704a278032"},
133 {"33240636cd3236165f1a553b773e728e",
134 "17c4d61493ecdc8f31700b12",
135 "47bb7e23f7bdfe05a8091ac90e4f8b2e",
137 "b723c70e931d9785f40fd4ab1d612dc9",
138 "95695a5b12f2870b9cc5fdc8f218a97d"},
140 "5164df856f1e9cac04a79b808dc5be39",
141 "e76925d5355e0584ce871b2b",
142 "0216c899c88d6e32c958c7e553daa5bc",
144 "a145319896329c96df291f64efbe0e3a",
149 const TestVector decryption_test_group_3
[] = {
150 {"af57f42c60c0fc5a09adb81ab86ca1c3",
151 "a2dc01871f37025dc0fc9a79",
152 "b9a535864f48ea7b6b1367914978f9bfa087d854bb0e269bed8d279d2eea1210e48947"
153 "338b22f9bad09093276a331e9c79c7f4",
154 "41dc38988945fcb44faf2ef72d0061289ef8efd8",
155 "4f71e72bde0018f555c5adcce062e005",
156 "3803a0727eeb0ade441e0ec107161ded2d425ec0d102f21f51bf2cf9947c7ec4aa7279"
157 "5b2f69b041596e8817d0a3c16f8fadeb"},
158 {"ebc753e5422b377d3cb64b58ffa41b61",
159 "2e1821efaced9acf1f241c9b",
160 "069567190554e9ab2b50a4e1fbf9c147340a5025fdbd201929834eaf6532325899ccb9"
161 "f401823e04b05817243d2142a3589878",
162 "b9673412fd4f88ba0e920f46dd6438ff791d8eef",
163 "534d9234d2351cf30e565de47baece0b",
164 "39077edb35e9c5a4b1e4c2a6b9bb1fce77f00f5023af40333d6d699014c2bcf4209c18"
165 "353a18017f5b36bfc00b1f6dcb7ed485"},
167 "52bdbbf9cf477f187ec010589cb39d58",
168 "d3be36d3393134951d324b31",
169 "700188da144fa692cf46e4a8499510a53d90903c967f7f13e8a1bd8151a74adc4fe63e"
170 "32b992760b3a5f99e9a47838867000a9",
171 "93c4fc6a4135f54d640b0c976bf755a06a292c33",
172 "8ca4e38aa3dfa6b1d0297021ccf3ea5f",
177 const TestVector decryption_test_group_4
[] = {
178 {"da2bb7d581493d692380c77105590201",
179 "44aa3e7856ca279d2eb020c6",
180 "9290d430c9e89c37f0446dbd620c9a6b34b1274aeb6f911f75867efcf95b6feda69f1a"
181 "f4ee16c761b3c9aeac3da03aa9889c88",
182 "4cd171b23bddb3a53cdf959d5c1710b481eb3785a90eb20a2345ee00d0bb7868c367ab"
183 "12e6f4dd1dee72af4eee1d197777d1d6499cc541f34edbf45cda6ef90b3c024f9272d7"
184 "2ec1909fb8fba7db88a4d6f7d3d925980f9f9f72",
185 "9e3ac938d3eb0cadd6f5c9e35d22ba38",
186 "9bbf4c1a2742f6ac80cb4e8a052e4a8f4f07c43602361355b717381edf9fabd4cb7e3a"
187 "d65dbd1378b196ac270588dd0621f642"},
188 {"d74e4958717a9d5c0e235b76a926cae8",
189 "0b7471141e0c70b1995fd7b1",
190 "e701c57d2330bf066f9ff8cf3ca4343cafe4894651cd199bdaaa681ba486b4a65c5a22"
191 "b0f1420be29ea547d42c713bc6af66aa",
192 "4a42b7aae8c245c6f1598a395316e4b8484dbd6e64648d5e302021b1d3fa0a38f46e22"
193 "bd9c8080b863dc0016482538a8562a4bd0ba84edbe2697c76fd039527ac179ec5506cf"
194 "34a6039312774cedebf4961f3978b14a26509f96",
195 "e192c23cb036f0b31592989119eed55d",
196 "840d9fb95e32559fb3602e48590280a172ca36d9b49ab69510f5bd552bfab7a306f85f"
197 "f0a34bc305b88b804c60b90add594a17"},
199 "1986310c725ac94ecfe6422e75fc3ee7",
200 "93ec4214fa8e6dc4e3afc775",
201 "b178ec72f85a311ac4168f42a4b2c23113fbea4b85f4b9dabb74e143eb1b8b0a361e02"
202 "43edfd365b90d5b325950df0ada058f9",
203 "e80b88e62c49c958b5e0b8b54f532d9ff6aa84c8a40132e93e55b59fc24e8decf28463"
204 "139f155d1e8ce4ee76aaeefcd245baa0fc519f83a5fb9ad9aa40c4b21126013f576c42"
205 "72c2cb136c8fd091cc4539877a5d1e72d607f960",
206 "8b347853f11d75e81e8a95010be81f17",
211 const TestVector decryption_test_group_5
[] = {
212 {"387218b246c1a8257748b56980e50c94",
213 "dd7e014198672be39f95b69d",
214 "cdba9e73eaf3d38eceb2b04a8d",
216 "ecf90f4a47c9c626d6fb2c765d201556",
217 "48f5b426baca03064554cc2b30"},
218 {"294de463721e359863887c820524b3d4",
219 "3338b35c9d57a5d28190e8c9",
220 "2f46634e74b8e4c89812ac83b9",
222 "dabd506764e68b82a7e720aa18da0abe",
223 "46a2e55c8e264df211bd112685"},
224 {"28ead7fd2179e0d12aa6d5d88c58c2dc",
225 "5055347f18b4d5add0ae5c41",
226 "142d8210c3fb84774cdbd0447a",
228 "5fd321d9cdb01952dc85f034736c2a7d",
229 "3b95b981086ee73cc4d0cc1422"},
231 "7d7b6c988137b8d470c57bf674a09c87",
232 "9edf2aa970d016ac962e1fd8",
233 "a85b66c3cb5eab91d5bdc8bc0e",
235 "dc054efc01f3afd21d9c2484819f569a",
240 const TestVector encryption_test_group_0
[] = {
241 {"11754cd72aec309bf52f7687212e8957",
242 "3c819d9a9bed087615030b65",
245 "250327c674aaf477aef2675748cf6971",
247 {"ca47248ac0b6f8372a97ac43508308ed",
248 "ffd2b598feabc9019262d2be",
251 "60d20404af527d248d893ae495707d1a",
255 const TestVector encryption_test_group_1
[] = {
256 {"77be63708971c4e240d1cb79e8d77feb",
257 "e0e00f19fed7ba0136a797f3",
259 "7a43ec1d9c0a5a78a0b16533a6213cab",
260 "209fcc8d3675ed938e9c7166709dd946",
262 {"7680c5d3ca6154758e510f4d25b98820",
263 "f8f105f9c3df4965780321f8",
265 "c94c410194c765e3dcc7964379758ed3",
266 "94dca8edfcf90bb74b153c8d48a17930",
270 const TestVector encryption_test_group_2
[] = {
271 {"7fddb57453c241d03efbed3ac44e371c",
272 "ee283a3fc75575e33efd4887",
273 "d5de42b461646c255c87bd2962d3b9a2",
275 "b36d1df9b9d5e596f83e8b7f52971cb3",
276 "2ccda4a5415cb91e135c2a0f78c9b2fd"},
277 {"ab72c77b97cb5fe9a382d9fe81ffdbed",
278 "54cc7dc2c37ec006bcc6d1da",
279 "007c5e5b3e59df24a7c355584fc1518d",
281 "2b4401346697138c7a4891ee59867d0c",
282 "0e1bde206a07a9c2c1b65300f8c64997"},
285 const TestVector encryption_test_group_3
[] = {
286 {"fe47fcce5fc32665d2ae399e4eec72ba",
287 "5adb9609dbaeb58cbd6e7275",
288 "7c0e88c88899a779228465074797cd4c2e1498d259b54390b85e3eef1c02df60e743f1"
289 "b840382c4bccaf3bafb4ca8429bea063",
290 "88319d6e1d3ffa5f987199166c8a9b56c2aeba5a",
291 "291ef1982e4defedaa2249f898556b47",
292 "98f4826f05a265e6dd2be82db241c0fbbbf9ffb1c173aa83964b7cf539304373636525"
293 "3ddbc5db8778371495da76d269e5db3e"},
294 {"ec0c2ba17aa95cd6afffe949da9cc3a8",
295 "296bce5b50b7d66096d627ef",
296 "b85b3753535b825cbe5f632c0b843c741351f18aa484281aebec2f45bb9eea2d79d987"
297 "b764b9611f6c0f8641843d5d58f3a242",
298 "f8d00f05d22bf68599bcdeb131292ad6e2df5d14",
299 "890147971946b627c40016da1ecf3e77",
300 "a7443d31c26bdf2a1c945e29ee4bd344a99cfaf3aa71f8b3f191f83c2adfc7a0716299"
301 "5506fde6309ffc19e716eddf1a828c5a"},
304 const TestVector encryption_test_group_4
[] = {
305 {"2c1f21cf0f6fb3661943155c3e3d8492",
306 "23cb5ff362e22426984d1907",
307 "42f758836986954db44bf37c6ef5e4ac0adaf38f27252a1b82d02ea949c8a1a2dbc0d6"
308 "8b5615ba7c1220ff6510e259f06655d8",
309 "5d3624879d35e46849953e45a32a624d6a6c536ed9857c613b572b0333e701557a713e"
310 "3f010ecdf9a6bd6c9e3e44b065208645aff4aabee611b391528514170084ccf587177f"
311 "4488f33cfb5e979e42b6e1cfc0a60238982a7aec",
312 "57a3ee28136e94c74838997ae9823f3a",
313 "81824f0e0d523db30d3da369fdc0d60894c7a0a20646dd015073ad2732bd989b14a222"
314 "b6ad57af43e1895df9dca2a5344a62cc"},
315 {"d9f7d2411091f947b4d6f1e2d1f0fb2e",
316 "e1934f5db57cc983e6b180e7",
317 "73ed042327f70fe9c572a61545eda8b2a0c6e1d6c291ef19248e973aee6c312012f490"
318 "c2c6f6166f4a59431e182663fcaea05a",
319 "0a8a18a7150e940c3d87b38e73baee9a5c049ee21795663e264b694a949822b639092d"
320 "0e67015e86363583fcf0ca645af9f43375f05fdb4ce84f411dcbca73c2220dea03a201"
321 "15d2e51398344b16bee1ed7c499b353d6c597af8",
322 "21b51ca862cb637cdd03b99a0f93b134",
323 "aaadbd5c92e9151ce3db7210b8714126b73e43436d242677afa50384f2149b831f1d57"
324 "3c7891c2a91fbc48db29967ec9542b23"},
327 const TestVector encryption_test_group_5
[] = {
328 {"fe9bb47deb3a61e423c2231841cfd1fb",
329 "4d328eb776f500a2f7fb47aa",
330 "f1cc3818e421876bb6b8bbd6c9",
332 "43fd4727fe5cdb4b5b42818dea7ef8c9",
333 "b88c5c1977b35b517b0aeae967"},
334 {"6703df3701a7f54911ca72e24dca046a",
335 "12823ab601c350ea4bc2488c",
336 "793cd125b0b84a043e3ac67717",
338 "38e6bcd29962e5f2c13626b85a877101",
339 "b2051c80014f42f08735a7b0cd"},
342 const TestVector
* const decryption_test_group_array
[] = {
343 decryption_test_group_0
,
344 decryption_test_group_1
,
345 decryption_test_group_2
,
346 decryption_test_group_3
,
347 decryption_test_group_4
,
348 decryption_test_group_5
,
351 const TestVector
* const encryption_test_group_array
[] = {
352 encryption_test_group_0
,
353 encryption_test_group_1
,
354 encryption_test_group_2
,
355 encryption_test_group_3
,
356 encryption_test_group_4
,
357 encryption_test_group_5
,
360 bool DecodeHexString(const base::StringPiece
& hex
, std::string
* bytes
) {
364 std::vector
<uint8
> v
;
365 if (!base::HexStringToBytes(hex
.as_string(), &v
))
368 bytes
->assign(reinterpret_cast<const char*>(&v
[0]), v
.size());
372 class Aes128GcmHelpersTest
: public ::testing::Test
{
374 enum Mode
{ DECRYPT
, ENCRYPT
};
376 void SetUp() override
{ EnsureNSSInit(); }
378 bool DecryptOrEncrypt(Mode mode
,
379 const base::StringPiece
& input
,
380 const base::StringPiece
& key
,
381 const base::StringPiece
& nonce
,
382 const base::StringPiece
& aad
,
383 size_t auth_tag_size
,
384 std::string
* output
) {
387 const CK_ATTRIBUTE_TYPE cka_mode
=
388 mode
== DECRYPT
? CKA_DECRYPT
: CKA_ENCRYPT
;
391 key_item
.type
= siBuffer
;
392 key_item
.data
= const_cast<unsigned char*>(
393 reinterpret_cast<const unsigned char*>(key
.data()));
394 key_item
.len
= key
.size();
396 crypto::ScopedPK11Slot
slot(PK11_GetInternalSlot());
399 crypto::ScopedPK11SymKey
aead_key(
400 PK11_ImportSymKey(slot
.get(), CKM_AES_GCM
, PK11_OriginUnwrap
, cka_mode
,
401 &key_item
, nullptr));
403 CK_GCM_PARAMS gcm_params
;
404 gcm_params
.pIv
= const_cast<unsigned char*>(
405 reinterpret_cast<const unsigned char*>(nonce
.data()));
406 gcm_params
.ulIvLen
= nonce
.size();
408 gcm_params
.pAAD
= const_cast<unsigned char*>(
409 reinterpret_cast<const unsigned char*>(aad
.data()));
411 gcm_params
.ulAADLen
= aad
.size();
413 gcm_params
.ulTagBits
= auth_tag_size
* 8;
416 param
.type
= siBuffer
;
417 param
.data
= reinterpret_cast<unsigned char*>(&gcm_params
);
418 param
.len
= sizeof(CK_GCM_PARAMS
);
420 size_t maximum_output_length
= input
.size();
422 maximum_output_length
+= auth_tag_size
;
424 unsigned int output_length
= 0;
425 unsigned char* raw_input
= const_cast<unsigned char*>(
426 reinterpret_cast<const unsigned char*>(input
.data()));
427 unsigned char* raw_output
= reinterpret_cast<unsigned char*>(
428 WriteInto(output
, maximum_output_length
+ 1 /* null */));
430 PK11Helper_TransformFunction
* transform_function
=
431 mode
== DECRYPT
? PK11DecryptHelper
: PK11EncryptHelper
;
433 const SECStatus result
= transform_function(
434 aead_key
.get(), CKM_AES_GCM
, ¶m
, raw_output
, &output_length
,
435 maximum_output_length
, raw_input
, input
.size());
437 if (result
!= SECSuccess
)
440 const size_t expected_output_length
= mode
== DECRYPT
441 ? input
.size() - auth_tag_size
442 : input
.size() + auth_tag_size
;
444 EXPECT_EQ(expected_output_length
, output_length
);
446 output
->resize(expected_output_length
);
451 // The prototype of PK11_Decrypt and PK11_Encrypt.
452 using PK11Helper_TransformFunction
= SECStatus(PK11SymKey
* symKey
,
453 CK_MECHANISM_TYPE mechanism
,
456 unsigned int* outLen
,
458 const unsigned char* data
,
459 unsigned int dataLen
);
464 TEST_F(Aes128GcmHelpersTest
, RoundTrip
) {
465 const std::string message
= "Hello, world!";
467 const size_t kKeySize
= 16;
468 const size_t kNonceSize
= 16;
470 std::string key
, nonce
;
471 RandBytes(WriteInto(&key
, kKeySize
+ 1), kKeySize
);
472 RandBytes(WriteInto(&nonce
, kNonceSize
+ 1), kNonceSize
);
474 // AEAD_AES_128_GCM is defined with a default authentication tag size of 16,
475 // but RFC 5282 extends this to authentication tag sizes of 8 and 12 as well.
476 size_t auth_tag_size
= base::RandInt(2, 4) * 4;
478 std::string encrypted
;
479 ASSERT_TRUE(DecryptOrEncrypt(ENCRYPT
, message
, key
, nonce
,
480 base::StringPiece(), auth_tag_size
, &encrypted
));
482 std::string decrypted
;
483 ASSERT_TRUE(DecryptOrEncrypt(DECRYPT
, encrypted
, key
, nonce
,
484 base::StringPiece(), auth_tag_size
, &decrypted
));
486 EXPECT_EQ(message
, decrypted
);
489 TEST_F(Aes128GcmHelpersTest
, DecryptionVectors
) {
490 for (size_t i
= 0; i
< arraysize(decryption_test_group_array
); i
++) {
492 const TestVector
* test_vectors
= decryption_test_group_array
[i
];
493 const TestGroupInfo
& test_info
= test_group_info
[i
];
495 for (size_t j
= 0; test_vectors
[j
].key
!= nullptr; j
++) {
496 // If not present then decryption is expected to fail.
497 bool has_output
= test_vectors
[j
].output
;
499 // Decode the test vector.
500 std::string key
, iv
, input
, aad
, tag
, expected_output
;
501 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].key
, &key
));
502 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].iv
, &iv
));
503 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].input
, &input
));
504 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].aad
, &aad
));
505 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].tag
, &tag
));
507 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].output
, &expected_output
));
509 // The test vector's lengths should look sane. Note that the lengths
510 // in |test_info| are in bits.
511 EXPECT_EQ(test_info
.key_len
, key
.length() * 8);
512 EXPECT_EQ(test_info
.iv_len
, iv
.length() * 8);
513 EXPECT_EQ(test_info
.input_len
, input
.length() * 8);
514 EXPECT_EQ(test_info
.aad_len
, aad
.length() * 8);
515 EXPECT_EQ(test_info
.tag_len
, tag
.length() * 8);
517 EXPECT_EQ(test_info
.input_len
, expected_output
.length() * 8);
519 const std::string ciphertext
= input
+ tag
;
522 if (!DecryptOrEncrypt(DECRYPT
, ciphertext
, key
, iv
, aad
, tag
.length(),
524 EXPECT_FALSE(has_output
);
528 EXPECT_TRUE(has_output
);
529 EXPECT_EQ(expected_output
, output
);
534 TEST_F(Aes128GcmHelpersTest
, EncryptionVectors
) {
535 for (size_t i
= 0; i
< arraysize(encryption_test_group_array
); i
++) {
537 const TestVector
* test_vectors
= encryption_test_group_array
[i
];
538 const TestGroupInfo
& test_info
= test_group_info
[i
];
540 for (size_t j
= 0; test_vectors
[j
].key
!= nullptr; j
++) {
541 // If not present then decryption is expected to fail.
542 bool has_output
= test_vectors
[j
].output
;
544 // Decode the test vector.
545 std::string key
, iv
, input
, aad
, tag
, expected_output
;
546 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].key
, &key
));
547 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].iv
, &iv
));
548 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].input
, &input
));
549 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].aad
, &aad
));
550 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].tag
, &tag
));
552 ASSERT_TRUE(DecodeHexString(test_vectors
[j
].output
, &expected_output
));
554 // The test vector's lengths should look sane. Note that the lengths
555 // in |test_info| are in bits.
556 EXPECT_EQ(test_info
.key_len
, key
.length() * 8);
557 EXPECT_EQ(test_info
.iv_len
, iv
.length() * 8);
558 EXPECT_EQ(test_info
.input_len
, input
.length() * 8);
559 EXPECT_EQ(test_info
.aad_len
, aad
.length() * 8);
560 EXPECT_EQ(test_info
.tag_len
, tag
.length() * 8);
562 EXPECT_EQ(test_info
.input_len
, expected_output
.length() * 8);
566 if (!DecryptOrEncrypt(ENCRYPT
, input
, key
, iv
, aad
, tag
.length(),
568 EXPECT_FALSE(has_output
);
572 const std::string expected_output_with_tag
= expected_output
+ tag
;
574 EXPECT_TRUE(has_output
);
575 EXPECT_EQ(expected_output_with_tag
, output
);
580 } // namespace crypto