1 /* Copyright (c) 2015, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <stdio.h>
16 #include <stdlib.h>
17 #include <string.h>
18
19 #include <memory>
20 #include <vector>
21
22 #include <gtest/gtest.h>
23
24 #include <openssl/aes.h>
25 #include <openssl/rand.h>
26
27 #include "internal.h"
28 #include "../../internal.h"
29 #include "../../test/abi_test.h"
30 #include "../../test/file_test.h"
31 #include "../../test/test_util.h"
32 #include "../../test/wycheproof_util.h"
33
34
TestRaw(FileTest * t)35 static void TestRaw(FileTest *t) {
36 std::vector<uint8_t> key, plaintext, ciphertext;
37 ASSERT_TRUE(t->GetBytes(&key, "Key"));
38 ASSERT_TRUE(t->GetBytes(&plaintext, "Plaintext"));
39 ASSERT_TRUE(t->GetBytes(&ciphertext, "Ciphertext"));
40
41 ASSERT_EQ(static_cast<unsigned>(AES_BLOCK_SIZE), plaintext.size());
42 ASSERT_EQ(static_cast<unsigned>(AES_BLOCK_SIZE), ciphertext.size());
43
44 AES_KEY aes_key;
45 ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key));
46
47 // Test encryption.
48 uint8_t block[AES_BLOCK_SIZE];
49 AES_encrypt(plaintext.data(), block, &aes_key);
50 EXPECT_EQ(Bytes(ciphertext), Bytes(block));
51
52 // Test in-place encryption.
53 OPENSSL_memcpy(block, plaintext.data(), AES_BLOCK_SIZE);
54 AES_encrypt(block, block, &aes_key);
55 EXPECT_EQ(Bytes(ciphertext), Bytes(block));
56
57 ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes_key));
58
59 // Test decryption.
60 AES_decrypt(ciphertext.data(), block, &aes_key);
61 EXPECT_EQ(Bytes(plaintext), Bytes(block));
62
63 // Test in-place decryption.
64 OPENSSL_memcpy(block, ciphertext.data(), AES_BLOCK_SIZE);
65 AES_decrypt(block, block, &aes_key);
66 EXPECT_EQ(Bytes(plaintext), Bytes(block));
67 }
68
TestKeyWrap(FileTest * t)69 static void TestKeyWrap(FileTest *t) {
70 // All test vectors use the default IV, so test both with implicit and
71 // explicit IV.
72 //
73 // TODO(davidben): Find test vectors that use a different IV.
74 static const uint8_t kDefaultIV[] = {
75 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6,
76 };
77
78 std::vector<uint8_t> key, plaintext, ciphertext;
79 ASSERT_TRUE(t->GetBytes(&key, "Key"));
80 ASSERT_TRUE(t->GetBytes(&plaintext, "Plaintext"));
81 ASSERT_TRUE(t->GetBytes(&ciphertext, "Ciphertext"));
82
83 ASSERT_EQ(plaintext.size() + 8, ciphertext.size())
84 << "Invalid Plaintext and Ciphertext lengths.";
85
86 // Test encryption.
87 AES_KEY aes_key;
88 ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key));
89
90 // Test with implicit IV.
91 std::unique_ptr<uint8_t[]> buf(new uint8_t[ciphertext.size()]);
92 int len = AES_wrap_key(&aes_key, nullptr /* iv */, buf.get(),
93 plaintext.data(), plaintext.size());
94 ASSERT_GE(len, 0);
95 EXPECT_EQ(Bytes(ciphertext), Bytes(buf.get(), static_cast<size_t>(len)));
96
97 // Test with explicit IV.
98 OPENSSL_memset(buf.get(), 0, ciphertext.size());
99 len = AES_wrap_key(&aes_key, kDefaultIV, buf.get(), plaintext.data(),
100 plaintext.size());
101 ASSERT_GE(len, 0);
102 EXPECT_EQ(Bytes(ciphertext), Bytes(buf.get(), static_cast<size_t>(len)));
103
104 // Test decryption.
105 ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes_key));
106
107 // Test with implicit IV.
108 buf.reset(new uint8_t[plaintext.size()]);
109 len = AES_unwrap_key(&aes_key, nullptr /* iv */, buf.get(), ciphertext.data(),
110 ciphertext.size());
111 ASSERT_GE(len, 0);
112 EXPECT_EQ(Bytes(plaintext), Bytes(buf.get(), static_cast<size_t>(len)));
113
114 // Test with explicit IV.
115 OPENSSL_memset(buf.get(), 0, plaintext.size());
116 len = AES_unwrap_key(&aes_key, kDefaultIV, buf.get(), ciphertext.data(),
117 ciphertext.size());
118 ASSERT_GE(len, 0);
119
120 // Test corrupted ciphertext.
121 ciphertext[0] ^= 1;
122 EXPECT_EQ(-1, AES_unwrap_key(&aes_key, nullptr /* iv */, buf.get(),
123 ciphertext.data(), ciphertext.size()));
124 }
125
TestKeyWrapWithPadding(FileTest * t)126 static void TestKeyWrapWithPadding(FileTest *t) {
127 std::vector<uint8_t> key, plaintext, ciphertext;
128 ASSERT_TRUE(t->GetBytes(&key, "Key"));
129 ASSERT_TRUE(t->GetBytes(&plaintext, "Plaintext"));
130 ASSERT_TRUE(t->GetBytes(&ciphertext, "Ciphertext"));
131
132 // Test encryption.
133 AES_KEY aes_key;
134 ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key));
135 std::unique_ptr<uint8_t[]> buf(new uint8_t[plaintext.size() + 15]);
136 size_t len;
137 ASSERT_TRUE(AES_wrap_key_padded(&aes_key, buf.get(), &len,
138 plaintext.size() + 15, plaintext.data(),
139 plaintext.size()));
140 EXPECT_EQ(Bytes(ciphertext), Bytes(buf.get(), static_cast<size_t>(len)));
141
142 // Test decryption
143 ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes_key));
144 buf.reset(new uint8_t[ciphertext.size() - 8]);
145 ASSERT_TRUE(AES_unwrap_key_padded(&aes_key, buf.get(), &len,
146 ciphertext.size() - 8, ciphertext.data(),
147 ciphertext.size()));
148 ASSERT_EQ(len, plaintext.size());
149 EXPECT_EQ(Bytes(plaintext), Bytes(buf.get(), static_cast<size_t>(len)));
150 }
151
TEST(AESTest,TestVectors)152 TEST(AESTest, TestVectors) {
153 FileTestGTest("crypto/fipsmodule/aes/aes_tests.txt", [](FileTest *t) {
154 if (t->GetParameter() == "Raw") {
155 TestRaw(t);
156 } else if (t->GetParameter() == "KeyWrap") {
157 TestKeyWrap(t);
158 } else if (t->GetParameter() == "KeyWrapWithPadding") {
159 TestKeyWrapWithPadding(t);
160 } else {
161 ADD_FAILURE() << "Unknown mode " << t->GetParameter();
162 }
163 });
164 }
165
TEST(AESTest,WycheproofKeyWrap)166 TEST(AESTest, WycheproofKeyWrap) {
167 FileTestGTest("third_party/wycheproof_testvectors/kw_test.txt",
168 [](FileTest *t) {
169 std::string key_size;
170 ASSERT_TRUE(t->GetInstruction(&key_size, "keySize"));
171 std::vector<uint8_t> ct, key, msg;
172 ASSERT_TRUE(t->GetBytes(&ct, "ct"));
173 ASSERT_TRUE(t->GetBytes(&key, "key"));
174 ASSERT_TRUE(t->GetBytes(&msg, "msg"));
175 ASSERT_EQ(static_cast<unsigned>(atoi(key_size.c_str())), key.size() * 8);
176 WycheproofResult result;
177 ASSERT_TRUE(GetWycheproofResult(t, &result));
178
179 if (result != WycheproofResult::kInvalid) {
180 ASSERT_GE(ct.size(), 8u);
181
182 AES_KEY aes;
183 ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes));
184 std::vector<uint8_t> out(ct.size() - 8);
185 int len = AES_unwrap_key(&aes, nullptr, out.data(), ct.data(), ct.size());
186 ASSERT_EQ(static_cast<int>(out.size()), len);
187 EXPECT_EQ(Bytes(msg), Bytes(out));
188
189 out.resize(msg.size() + 8);
190 ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes));
191 len = AES_wrap_key(&aes, nullptr, out.data(), msg.data(), msg.size());
192 ASSERT_EQ(static_cast<int>(out.size()), len);
193 EXPECT_EQ(Bytes(ct), Bytes(out));
194 } else {
195 AES_KEY aes;
196 ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes));
197 std::vector<uint8_t> out(ct.size() < 8 ? 0 : ct.size() - 8);
198 int len = AES_unwrap_key(&aes, nullptr, out.data(), ct.data(), ct.size());
199 EXPECT_EQ(-1, len);
200 }
201 });
202 }
203
TEST(AESTest,WycheproofKeyWrapWithPadding)204 TEST(AESTest, WycheproofKeyWrapWithPadding) {
205 FileTestGTest("third_party/wycheproof_testvectors/kwp_test.txt",
206 [](FileTest *t) {
207 std::string key_size;
208 ASSERT_TRUE(t->GetInstruction(&key_size, "keySize"));
209 std::vector<uint8_t> ct, key, msg;
210 ASSERT_TRUE(t->GetBytes(&ct, "ct"));
211 ASSERT_TRUE(t->GetBytes(&key, "key"));
212 ASSERT_TRUE(t->GetBytes(&msg, "msg"));
213 ASSERT_EQ(static_cast<unsigned>(atoi(key_size.c_str())), key.size() * 8);
214 WycheproofResult result;
215 ASSERT_TRUE(GetWycheproofResult(t, &result));
216
217 // Wycheproof contains test vectors with empty messages that it believes
218 // should pass. However, both RFC 5649 and SP 800-38F section 5.3.1 say that
219 // the minimum length is one. Therefore we consider test cases with an empty
220 // message to be invalid.
221 if (result != WycheproofResult::kInvalid && !msg.empty()) {
222 AES_KEY aes;
223 ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes));
224 std::vector<uint8_t> out(ct.size() - 8);
225 size_t len;
226 ASSERT_TRUE(AES_unwrap_key_padded(&aes, out.data(), &len, ct.size() - 8,
227 ct.data(), ct.size()));
228 EXPECT_EQ(Bytes(msg), Bytes(out.data(), len));
229
230 out.resize(msg.size() + 15);
231 ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes));
232 ASSERT_TRUE(AES_wrap_key_padded(&aes, out.data(), &len, msg.size() + 15,
233 msg.data(), msg.size()));
234 EXPECT_EQ(Bytes(ct), Bytes(out.data(), len));
235 } else {
236 AES_KEY aes;
237 ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes));
238 std::vector<uint8_t> out(ct.size());
239 size_t len;
240 ASSERT_FALSE(AES_unwrap_key_padded(&aes, out.data(), &len, ct.size(),
241 ct.data(), ct.size()));
242 }
243 });
244 }
245
TEST(AESTest,WrapBadLengths)246 TEST(AESTest, WrapBadLengths) {
247 uint8_t key[128/8] = {0};
248 AES_KEY aes;
249 ASSERT_EQ(0, AES_set_encrypt_key(key, 128, &aes));
250
251 // Input lengths to |AES_wrap_key| must be a multiple of 8 and at least 16.
252 static const size_t kLengths[] = {0, 1, 2, 3, 4, 5, 6, 7, 8,
253 9, 10, 11, 12, 13, 14, 15, 20};
254 for (size_t len : kLengths) {
255 SCOPED_TRACE(len);
256 std::vector<uint8_t> in(len);
257 std::vector<uint8_t> out(len + 8);
258 EXPECT_EQ(-1,
259 AES_wrap_key(&aes, nullptr, out.data(), in.data(), in.size()));
260 }
261 }
262
TEST(AESTest,InvalidKeySize)263 TEST(AESTest, InvalidKeySize) {
264 static const uint8_t kZero[8] = {0};
265 AES_KEY key;
266 EXPECT_LT(AES_set_encrypt_key(kZero, 42, &key), 0);
267 EXPECT_LT(AES_set_decrypt_key(kZero, 42, &key), 0);
268 }
269
270 #if defined(SUPPORTS_ABI_TEST)
TEST(AESTest,ABI)271 TEST(AESTest, ABI) {
272 for (int bits : {128, 192, 256}) {
273 SCOPED_TRACE(bits);
274 const uint8_t kKey[256/8] = {0};
275 AES_KEY key;
276 uint8_t block[AES_BLOCK_SIZE];
277 uint8_t buf[AES_BLOCK_SIZE * 64] = {0};
278 std::vector<int> block_counts;
279 if (bits == 128) {
280 block_counts = {0, 1, 2, 3, 4, 8, 16, 31};
281 } else {
282 // Unwind tests are very slow. Assume that the various input sizes do not
283 // differ significantly by round count for ABI purposes.
284 block_counts = {0, 1, 8};
285 }
286
287 CHECK_ABI(aes_nohw_set_encrypt_key, kKey, bits, &key);
288 CHECK_ABI(aes_nohw_encrypt, block, block, &key);
289 #if defined(AES_NOHW_CBC)
290 for (size_t blocks : block_counts) {
291 SCOPED_TRACE(blocks);
292 CHECK_ABI(aes_nohw_cbc_encrypt, buf, buf, AES_BLOCK_SIZE * blocks, &key,
293 block, AES_ENCRYPT);
294 }
295 #endif
296
297 CHECK_ABI(aes_nohw_set_decrypt_key, kKey, bits, &key);
298 CHECK_ABI(aes_nohw_decrypt, block, block, &key);
299 #if defined(AES_NOHW_CBC)
300 for (size_t blocks : block_counts) {
301 SCOPED_TRACE(blocks);
302 CHECK_ABI(aes_nohw_cbc_encrypt, buf, buf, AES_BLOCK_SIZE * blocks, &key,
303 block, AES_DECRYPT);
304 }
305 #endif
306
307 if (bsaes_capable()) {
308 vpaes_set_encrypt_key(kKey, bits, &key);
309 CHECK_ABI(vpaes_encrypt_key_to_bsaes, &key, &key);
310 for (size_t blocks : block_counts) {
311 SCOPED_TRACE(blocks);
312 if (blocks != 0) {
313 CHECK_ABI(bsaes_ctr32_encrypt_blocks, buf, buf, blocks, &key, block);
314 }
315 }
316
317 vpaes_set_decrypt_key(kKey, bits, &key);
318 CHECK_ABI(vpaes_decrypt_key_to_bsaes, &key, &key);
319 for (size_t blocks : block_counts) {
320 SCOPED_TRACE(blocks);
321 CHECK_ABI(bsaes_cbc_encrypt, buf, buf, AES_BLOCK_SIZE * blocks, &key,
322 block, AES_DECRYPT);
323 }
324 }
325
326 if (vpaes_capable()) {
327 CHECK_ABI(vpaes_set_encrypt_key, kKey, bits, &key);
328 CHECK_ABI(vpaes_encrypt, block, block, &key);
329 for (size_t blocks : block_counts) {
330 SCOPED_TRACE(blocks);
331 #if defined(VPAES_CBC)
332 CHECK_ABI(vpaes_cbc_encrypt, buf, buf, AES_BLOCK_SIZE * blocks, &key,
333 block, AES_ENCRYPT);
334 #endif
335 #if defined(VPAES_CTR32)
336 CHECK_ABI(vpaes_ctr32_encrypt_blocks, buf, buf, blocks, &key, block);
337 #endif
338 }
339
340 CHECK_ABI(vpaes_set_decrypt_key, kKey, bits, &key);
341 CHECK_ABI(vpaes_decrypt, block, block, &key);
342 #if defined(VPAES_CBC)
343 for (size_t blocks : block_counts) {
344 SCOPED_TRACE(blocks);
345 CHECK_ABI(vpaes_cbc_encrypt, buf, buf, AES_BLOCK_SIZE * blocks, &key,
346 block, AES_DECRYPT);
347 }
348 #endif // VPAES_CBC
349 }
350
351 if (hwaes_capable()) {
352 CHECK_ABI(aes_hw_set_encrypt_key, kKey, bits, &key);
353 CHECK_ABI(aes_hw_encrypt, block, block, &key);
354 for (size_t blocks : block_counts) {
355 SCOPED_TRACE(blocks);
356 CHECK_ABI(aes_hw_cbc_encrypt, buf, buf, AES_BLOCK_SIZE * blocks, &key,
357 block, AES_ENCRYPT);
358 CHECK_ABI(aes_hw_ctr32_encrypt_blocks, buf, buf, blocks, &key, block);
359 #if defined(HWAES_ECB)
360 CHECK_ABI(aes_hw_ecb_encrypt, buf, buf, AES_BLOCK_SIZE * blocks, &key,
361 AES_ENCRYPT);
362 #endif
363 }
364
365 CHECK_ABI(aes_hw_set_decrypt_key, kKey, bits, &key);
366 CHECK_ABI(aes_hw_decrypt, block, block, &key);
367 for (size_t blocks : block_counts) {
368 SCOPED_TRACE(blocks);
369 CHECK_ABI(aes_hw_cbc_encrypt, buf, buf, AES_BLOCK_SIZE * blocks, &key,
370 block, AES_DECRYPT);
371 #if defined(HWAES_ECB)
372 CHECK_ABI(aes_hw_ecb_encrypt, buf, buf, AES_BLOCK_SIZE * blocks, &key,
373 AES_DECRYPT);
374 #endif
375 }
376 }
377 }
378 }
379 #endif // SUPPORTS_ABI_TEST
380
381 #if defined(BSAES) && !defined(BORINGSSL_SHARED_LIBRARY)
AESKeyToBytes(const AES_KEY * key)382 static Bytes AESKeyToBytes(const AES_KEY *key) {
383 return Bytes(reinterpret_cast<const uint8_t *>(key), sizeof(*key));
384 }
385
TEST(AESTest,VPAESToBSAESConvert)386 TEST(AESTest, VPAESToBSAESConvert) {
387 const int kNumIterations = 1000;
388 for (int i = 0; i < kNumIterations; i++) {
389 uint8_t key[256 / 8];
390 RAND_bytes(key, sizeof(key));
391 SCOPED_TRACE(Bytes(key));
392 for (unsigned bits : {128u, 192u, 256u}) {
393 SCOPED_TRACE(bits);
394 for (bool enc : {false, true}) {
395 SCOPED_TRACE(enc);
396 AES_KEY nohw, vpaes, bsaes;
397 OPENSSL_memset(&nohw, 0xaa, sizeof(nohw));
398 OPENSSL_memset(&vpaes, 0xaa, sizeof(vpaes));
399 OPENSSL_memset(&bsaes, 0xaa, sizeof(bsaes));
400
401 if (enc) {
402 aes_nohw_set_encrypt_key(key, bits, &nohw);
403 vpaes_set_encrypt_key(key, bits, &vpaes);
404 vpaes_encrypt_key_to_bsaes(&bsaes, &vpaes);
405 } else {
406 aes_nohw_set_decrypt_key(key, bits, &nohw);
407 vpaes_set_decrypt_key(key, bits, &vpaes);
408 vpaes_decrypt_key_to_bsaes(&bsaes, &vpaes);
409 }
410
411 // Although not fatal, stop running if this fails, otherwise we'll spam
412 // the user's console.
413 ASSERT_EQ(AESKeyToBytes(&nohw), AESKeyToBytes(&bsaes));
414
415 // Repeat the test in-place.
416 OPENSSL_memcpy(&bsaes, &vpaes, sizeof(AES_KEY));
417 if (enc) {
418 vpaes_encrypt_key_to_bsaes(&bsaes, &vpaes);
419 } else {
420 vpaes_decrypt_key_to_bsaes(&bsaes, &vpaes);
421 }
422
423 ASSERT_EQ(AESKeyToBytes(&nohw), AESKeyToBytes(&bsaes));
424 }
425 }
426 }
427 }
428 #endif // !NO_ASM && X86_64 && !SHARED_LIBRARY
429