1 files changed, 82 insertions, 0 deletions
diff --git a/security/nss/gtests/pk11_gtest/pk11_seed_cbc_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_seed_cbc_unittest.cc
new file mode 100644
index 0000000000..7f389fef17
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_seed_cbc_unittest.cc
@@ -0,0 +1,82 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "nss.h"
+#include "pk11pub.h"
+#include "secerr.h"
+
+#include "nss_scoped_ptrs.h"
+#include "gtest/gtest.h"
+#include "util.h"
+
+namespace nss_test {
+class Pkcs11SeedTest : public ::testing::Test {
+ protected:
+  void EncryptDecryptSeed(SECStatus expected, unsigned int input_size,
+                          unsigned int output_size,
+                          CK_MECHANISM_TYPE mech = CKM_SEED_CBC) {
+    // Generate a random key.
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    ScopedPK11SymKey sym_key(
+        PK11_KeyGen(slot.get(), mech, nullptr, 16, nullptr));
+    EXPECT_TRUE(!!sym_key);
+
+    std::vector<uint8_t> plaintext(input_size, 0xFF);
+    std::vector<uint8_t> init_vector(16);
+    std::vector<uint8_t> ciphertext(output_size, 0);
+    SECItem iv_param = {siBuffer, init_vector.data(),
+                        (unsigned int)init_vector.size()};
+    std::vector<uint8_t> decrypted(output_size, 0);
+
+    // Try to encrypt, decrypt if positive test.
+    unsigned int output_len = 0;
+    EXPECT_EQ(expected,
+              PK11_Encrypt(sym_key.get(), mech, &iv_param, ciphertext.data(),
+                           &output_len, output_size, plaintext.data(),
+                           plaintext.size()));
+
+    if (expected == SECSuccess) {
+      EXPECT_EQ(expected,
+                PK11_Decrypt(sym_key.get(), mech, &iv_param, decrypted.data(),
+                             &output_len, output_size, ciphertext.data(),
+                             output_len));
+      decrypted.resize(output_len);
+      EXPECT_EQ(plaintext, decrypted);
+    }
+  }
+};
+
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+// The intention here is to test the arguments of these functions
+// The resulted content is already tested in EncryptDeriveTests.
+// SEED_CBC needs an IV of 16 bytes.
+// The input data size must be multiple of 16.
+// If not, some padding should be added.
+// The output size must be at least the size of input data.
+TEST_F(Pkcs11SeedTest, CBC_ValidArgs) {
+  EncryptDecryptSeed(SECSuccess, 16, 16);
+  // No problem if maxLen is bigger than input data.
+  EncryptDecryptSeed(SECSuccess, 16, 32);
+}
+
+TEST_F(Pkcs11SeedTest, CBC_InvalidArgs) {
+  // maxLen lower than input data.
+  EncryptDecryptSeed(SECFailure, 16, 10);
+  // input data not multiple of SEED_BLOCK_SIZE (16)
+  EncryptDecryptSeed(SECFailure, 17, 32);
+}
+
+TEST_F(Pkcs11SeedTest, ECB_Singleblock) {
+  EncryptDecryptSeed(SECSuccess, 16, 16, CKM_SEED_ECB);
+}
+
+TEST_F(Pkcs11SeedTest, ECB_Multiblock) {
+  EncryptDecryptSeed(SECSuccess, 64, 64, CKM_SEED_ECB);
+}
+#endif
+
+}  // namespace nss_test