324 lines
12 KiB
Rust
324 lines
12 KiB
Rust
// Copyright 2015-2016 Brian Smith.
|
|
//
|
|
// Permission to use, copy, modify, and/or distribute this software for any
|
|
// purpose with or without fee is hereby granted, provided that the above
|
|
// copyright notice and this permission notice appear in all copies.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
|
|
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
|
|
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
#![forbid(
|
|
anonymous_parameters,
|
|
box_pointers,
|
|
legacy_directory_ownership,
|
|
missing_copy_implementations,
|
|
missing_debug_implementations,
|
|
missing_docs,
|
|
trivial_casts,
|
|
trivial_numeric_casts,
|
|
unsafe_code,
|
|
unstable_features,
|
|
unused_extern_crates,
|
|
unused_import_braces,
|
|
unused_qualifications,
|
|
unused_results,
|
|
variant_size_differences,
|
|
warnings
|
|
)]
|
|
|
|
use ring::{aead, error, test, test_file};
|
|
|
|
#[test]
|
|
fn aead_aes_gcm_128() {
|
|
test_aead(&aead::AES_128_GCM, test_file!("aead_aes_128_gcm_tests.txt"));
|
|
}
|
|
|
|
#[test]
|
|
fn aead_aes_gcm_256() {
|
|
test_aead(&aead::AES_256_GCM, test_file!("aead_aes_256_gcm_tests.txt"));
|
|
}
|
|
|
|
#[test]
|
|
fn aead_chacha20_poly1305() {
|
|
test_aead(
|
|
&aead::CHACHA20_POLY1305,
|
|
test_file!("aead_chacha20_poly1305_tests.txt"),
|
|
);
|
|
}
|
|
|
|
fn test_aead(aead_alg: &'static aead::Algorithm, test_file: test::File) {
|
|
test_aead_key_sizes(aead_alg);
|
|
|
|
test::run(test_file, |section, test_case| {
|
|
assert_eq!(section, "");
|
|
let key_bytes = test_case.consume_bytes("KEY");
|
|
let nonce = test_case.consume_bytes("NONCE");
|
|
let plaintext = test_case.consume_bytes("IN");
|
|
let ad = test_case.consume_bytes("AD");
|
|
let mut ct = test_case.consume_bytes("CT");
|
|
let tag = test_case.consume_bytes("TAG");
|
|
let error = test_case.consume_optional_string("FAILS");
|
|
|
|
match &error {
|
|
Some(err) if err == "WRONG_NONCE_LENGTH" => {
|
|
assert!(aead::Nonce::try_assume_unique_for_key(&nonce).is_err());
|
|
return Ok(());
|
|
}
|
|
_ => (),
|
|
};
|
|
|
|
let tag_len = aead_alg.tag_len();
|
|
let mut s_in_out = plaintext.clone();
|
|
for _ in 0..tag_len {
|
|
s_in_out.push(0);
|
|
}
|
|
let s_key = aead::SealingKey::new(aead_alg, &key_bytes[..])?;
|
|
let s_result = {
|
|
let nonce = aead::Nonce::try_assume_unique_for_key(&nonce).unwrap();
|
|
aead::seal_in_place(
|
|
&s_key,
|
|
nonce,
|
|
aead::Aad::from(&ad),
|
|
&mut s_in_out[..],
|
|
tag_len,
|
|
)
|
|
};
|
|
|
|
ct.extend(tag);
|
|
|
|
if s_result.is_ok() {
|
|
assert_eq!(Ok(ct.len()), s_result);
|
|
assert_eq!(&ct[..], &s_in_out[..ct.len()]);
|
|
}
|
|
|
|
let o_key = aead::OpeningKey::new(aead_alg, &key_bytes[..])?;
|
|
|
|
// In release builds, test all prefix lengths from 0 to 4096 bytes.
|
|
// Debug builds are too slow for this, so for those builds, only
|
|
// test a smaller subset.
|
|
|
|
// TLS record headers are 5 bytes long.
|
|
// TLS explicit nonces for AES-GCM are 8 bytes long.
|
|
static MINIMAL_IN_PREFIX_LENS: [usize; 36] = [
|
|
// No input prefix to overwrite; i.e. the opening is exactly
|
|
// "in place."
|
|
0,
|
|
1,
|
|
2,
|
|
// Proposed TLS 1.3 header (no explicit nonce).
|
|
5,
|
|
8,
|
|
// Probably the most common use of a non-zero `in_prefix_len`
|
|
// would be to write a decrypted TLS record over the top of the
|
|
// TLS header and nonce.
|
|
5 /* record header */ + 8, /* explicit nonce */
|
|
// The stitched AES-GCM x86-64 code works on 6-block (96 byte)
|
|
// units. Some of the ChaCha20 code is even weirder.
|
|
15, // The maximum partial AES block.
|
|
16, // One AES block.
|
|
17, // One byte more than a full AES block.
|
|
31, // 2 AES blocks or 1 ChaCha20 block, minus 1.
|
|
32, // Two AES blocks, one ChaCha20 block.
|
|
33, // 2 AES blocks or 1 ChaCha20 block, plus 1.
|
|
47, // Three AES blocks - 1.
|
|
48, // Three AES blocks.
|
|
49, // Three AES blocks + 1.
|
|
63, // Four AES blocks or two ChaCha20 blocks, minus 1.
|
|
64, // Four AES blocks or two ChaCha20 blocks.
|
|
65, // Four AES blocks or two ChaCha20 blocks, plus 1.
|
|
79, // Five AES blocks, minus 1.
|
|
80, // Five AES blocks.
|
|
81, // Five AES blocks, plus 1.
|
|
95, // Six AES blocks or three ChaCha20 blocks, minus 1.
|
|
96, // Six AES blocks or three ChaCha20 blocks.
|
|
97, // Six AES blocks or three ChaCha20 blocks, plus 1.
|
|
111, // Seven AES blocks, minus 1.
|
|
112, // Seven AES blocks.
|
|
113, // Seven AES blocks, plus 1.
|
|
127, // Eight AES blocks or four ChaCha20 blocks, minus 1.
|
|
128, // Eight AES blocks or four ChaCha20 blocks.
|
|
129, // Eight AES blocks or four ChaCha20 blocks, plus 1.
|
|
143, // Nine AES blocks, minus 1.
|
|
144, // Nine AES blocks.
|
|
145, // Nine AES blocks, plus 1.
|
|
255, // 16 AES blocks or 8 ChaCha20 blocks, minus 1.
|
|
256, // 16 AES blocks or 8 ChaCha20 blocks.
|
|
257, // 16 AES blocks or 8 ChaCha20 blocks, plus 1.
|
|
];
|
|
|
|
let mut more_comprehensive_in_prefix_lengths = [0; 4096];
|
|
let in_prefix_lengths;
|
|
if cfg!(debug_assertions) {
|
|
in_prefix_lengths = &MINIMAL_IN_PREFIX_LENS[..];
|
|
} else {
|
|
for b in 0..more_comprehensive_in_prefix_lengths.len() {
|
|
more_comprehensive_in_prefix_lengths[b] = b;
|
|
}
|
|
in_prefix_lengths = &more_comprehensive_in_prefix_lengths[..];
|
|
}
|
|
let mut o_in_out = vec![123u8; 4096];
|
|
|
|
for in_prefix_len in in_prefix_lengths.iter() {
|
|
o_in_out.truncate(0);
|
|
for _ in 0..*in_prefix_len {
|
|
o_in_out.push(123);
|
|
}
|
|
o_in_out.extend_from_slice(&ct[..]);
|
|
let nonce = aead::Nonce::try_assume_unique_for_key(&nonce).unwrap();
|
|
let o_result = aead::open_in_place(
|
|
&o_key,
|
|
nonce,
|
|
aead::Aad::from(&ad),
|
|
*in_prefix_len,
|
|
&mut o_in_out[..],
|
|
);
|
|
match error {
|
|
None => {
|
|
assert!(s_result.is_ok());
|
|
assert_eq!(&plaintext[..], o_result.unwrap());
|
|
}
|
|
Some(ref error) if error == "WRONG_NONCE_LENGTH" => {
|
|
assert_eq!(Err(error::Unspecified), s_result);
|
|
assert_eq!(Err(error::Unspecified), o_result);
|
|
}
|
|
Some(error) => {
|
|
unreachable!("Unexpected error test case: {}", error);
|
|
}
|
|
};
|
|
}
|
|
|
|
Ok(())
|
|
});
|
|
}
|
|
|
|
fn test_aead_key_sizes(aead_alg: &'static aead::Algorithm) {
|
|
let key_len = aead_alg.key_len();
|
|
let key_data = vec![0u8; key_len * 2];
|
|
|
|
// Key is the right size.
|
|
assert!(aead::OpeningKey::new(aead_alg, &key_data[..key_len]).is_ok());
|
|
assert!(aead::SealingKey::new(aead_alg, &key_data[..key_len]).is_ok());
|
|
|
|
// Key is one byte too small.
|
|
assert!(aead::OpeningKey::new(aead_alg, &key_data[..(key_len - 1)]).is_err());
|
|
assert!(aead::SealingKey::new(aead_alg, &key_data[..(key_len - 1)]).is_err());
|
|
|
|
// Key is one byte too large.
|
|
assert!(aead::OpeningKey::new(aead_alg, &key_data[..(key_len + 1)]).is_err());
|
|
assert!(aead::SealingKey::new(aead_alg, &key_data[..(key_len + 1)]).is_err());
|
|
|
|
// Key is half the required size.
|
|
assert!(aead::OpeningKey::new(aead_alg, &key_data[..(key_len / 2)]).is_err());
|
|
assert!(aead::SealingKey::new(aead_alg, &key_data[..(key_len / 2)]).is_err());
|
|
|
|
// Key is twice the required size.
|
|
assert!(aead::OpeningKey::new(aead_alg, &key_data[..(key_len * 2)]).is_err());
|
|
assert!(aead::SealingKey::new(aead_alg, &key_data[..(key_len * 2)]).is_err());
|
|
|
|
// Key is empty.
|
|
assert!(aead::OpeningKey::new(aead_alg, &[]).is_err());
|
|
assert!(aead::SealingKey::new(aead_alg, &[]).is_err());
|
|
|
|
// Key is one byte.
|
|
assert!(aead::OpeningKey::new(aead_alg, &[0]).is_err());
|
|
assert!(aead::SealingKey::new(aead_alg, &[0]).is_err());
|
|
}
|
|
|
|
// Test that we reject non-standard nonce sizes.
|
|
//
|
|
// XXX: This test isn't that great in terms of how it tests
|
|
// `open_in_place`. It should be constructing a valid ciphertext using the
|
|
// unsupported nonce size using a different implementation that supports
|
|
// non-standard nonce sizes. So, when `open_in_place` returns
|
|
// `Err(error::Unspecified)`, we don't know if it is because it rejected
|
|
// the non-standard nonce size or because it tried to process the input
|
|
// with the wrong nonce. But at least we're verifying that `open_in_place`
|
|
// won't crash or access out-of-bounds memory (when run under valgrind or
|
|
// similar). The AES-128-GCM tests have some WRONG_NONCE_LENGTH test cases
|
|
// that tests this more correctly.
|
|
#[test]
|
|
fn test_aead_nonce_sizes() -> Result<(), error::Unspecified> {
|
|
let nonce_len = aead::NONCE_LEN;
|
|
let nonce = vec![0u8; nonce_len * 2];
|
|
|
|
assert!(aead::Nonce::try_assume_unique_for_key(&nonce[..nonce_len]).is_ok());
|
|
assert!(aead::Nonce::try_assume_unique_for_key(&nonce[..(nonce_len - 1)]).is_err());
|
|
assert!(aead::Nonce::try_assume_unique_for_key(&nonce[..(nonce_len + 1)]).is_err());
|
|
assert!(aead::Nonce::try_assume_unique_for_key(&nonce[..(nonce_len / 2)]).is_err());
|
|
assert!(aead::Nonce::try_assume_unique_for_key(&nonce[..(nonce_len * 2)]).is_err());
|
|
assert!(aead::Nonce::try_assume_unique_for_key(&[]).is_err());
|
|
assert!(aead::Nonce::try_assume_unique_for_key(&nonce[..1]).is_err());
|
|
assert!(aead::Nonce::try_assume_unique_for_key(&nonce[..16]).is_err()); // 128 bits.
|
|
|
|
Ok(())
|
|
}
|
|
|
|
#[test]
|
|
fn aead_chacha20_poly1305_openssh() {
|
|
// TODO: test_aead_key_sizes(...);
|
|
|
|
test::run(
|
|
test_file!("aead_chacha20_poly1305_openssh_tests.txt"),
|
|
|section, test_case| {
|
|
assert_eq!(section, "");
|
|
|
|
// XXX: `polyfill::convert` isn't available here.
|
|
let key_bytes = {
|
|
let as_vec = test_case.consume_bytes("KEY");
|
|
let mut as_array = [0u8; aead::chacha20_poly1305_openssh::KEY_LEN];
|
|
as_array.copy_from_slice(&as_vec);
|
|
as_array
|
|
};
|
|
|
|
let sequence_number = test_case.consume_usize("SEQUENCE_NUMBER");
|
|
assert_eq!(sequence_number as u32 as usize, sequence_number);
|
|
let sequence_num = sequence_number as u32;
|
|
let plaintext = test_case.consume_bytes("IN");
|
|
let ct = test_case.consume_bytes("CT");
|
|
let expected_tag = test_case.consume_bytes("TAG");
|
|
|
|
// TODO: Add some tests for when things fail.
|
|
//let error = test_case.consume_optional_string("FAILS");
|
|
|
|
let mut tag = [0u8; aead::chacha20_poly1305_openssh::TAG_LEN];
|
|
let mut s_in_out = plaintext.clone();
|
|
let s_key = aead::chacha20_poly1305_openssh::SealingKey::new(&key_bytes);
|
|
let () = s_key.seal_in_place(sequence_num, &mut s_in_out[..], &mut tag);
|
|
assert_eq!(&ct, &s_in_out);
|
|
assert_eq!(&expected_tag, &tag);
|
|
let o_key = aead::chacha20_poly1305_openssh::OpeningKey::new(&key_bytes);
|
|
|
|
{
|
|
let o_result = o_key.open_in_place(sequence_num, &mut s_in_out[..], &tag);
|
|
assert_eq!(o_result, Ok(&plaintext[4..]));
|
|
}
|
|
assert_eq!(&s_in_out[..4], &ct[..4]);
|
|
assert_eq!(&s_in_out[4..], &plaintext[4..]);
|
|
|
|
Ok(())
|
|
},
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn test_aead_key_debug() {
|
|
let key_bytes = [0; 32];
|
|
|
|
let key = aead::OpeningKey::new(&aead::AES_256_GCM, &key_bytes).unwrap();
|
|
assert_eq!(
|
|
"OpeningKey { key: Key { algorithm: AES_256_GCM } }",
|
|
format!("{:?}", key)
|
|
);
|
|
|
|
let key = aead::SealingKey::new(&aead::CHACHA20_POLY1305, &key_bytes).unwrap();
|
|
assert_eq!(
|
|
"SealingKey { key: Key { algorithm: CHACHA20_POLY1305 } }",
|
|
format!("{:?}", key)
|
|
);
|
|
}
|