diff options
Diffstat (limited to 'security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc')
| -rw-r--r-- | security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc | 607 |
1 files changed, 607 insertions, 0 deletions
diff --git a/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc new file mode 100644 index 0000000000..6989e3ca65 --- /dev/null +++ b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc @@ -0,0 +1,607 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include <memory> +#include "nss.h" +#include "pk11pub.h" +#include "pk11priv.h" +#include "sechash.h" +#include "secerr.h" + +#include "cpputil.h" +#include "nss_scoped_ptrs.h" + +#include "testvectors/chachapoly-vectors.h" +#include "gtest/gtest.h" + +namespace nss_test { + +static const CK_MECHANISM_TYPE kMech = CKM_CHACHA20_POLY1305; +static const CK_MECHANISM_TYPE kMechLegacy = CKM_NSS_CHACHA20_POLY1305; +static const CK_MECHANISM_TYPE kMechXor = CKM_CHACHA20; +static const CK_MECHANISM_TYPE kMechXorLegacy = CKM_NSS_CHACHA20_CTR; +// Some test data for simple tests. +static const uint8_t kKeyData[32] = {'k'}; +static const uint8_t kXorParamsLegacy[16] = {'c', 0, 0, 0, 'n'}; +static const uint8_t kCounter[4] = {'c', 0}; +static const uint8_t kNonce[12] = {'n', 0}; +static const CK_CHACHA20_PARAMS kXorParams{ + /* pBlockCounter */ const_cast<CK_BYTE_PTR>(kCounter), + /* blockCounterBits */ sizeof(kCounter) * 8, + /* pNonce */ const_cast<CK_BYTE_PTR>(kNonce), + /* ulNonceBits */ sizeof(kNonce) * 8, +}; +static const uint8_t kData[16] = {'d'}; +static const uint8_t kExpectedXor[sizeof(kData)] = { + 0xd8, 0x15, 0xd3, 0xb3, 0xe9, 0x34, 0x3b, 0x7a, + 0x24, 0xf6, 0x5f, 0xd7, 0x95, 0x3d, 0xd3, 0x51}; +static const size_t kTagLen = 16; + +class Pkcs11ChaCha20Poly1305Test + : public ::testing::TestWithParam<ChaChaTestVector> { + public: + void EncryptDecrypt(const ScopedPK11SymKey& key, const bool invalid_iv, + const bool invalid_tag, const uint8_t* data, + size_t data_len, CK_MECHANISM_TYPE mech, SECItem* params, + std::vector<uint8_t>* nonce, std::vector<uint8_t>* aad, + const uint8_t* ct = nullptr, size_t ct_len = 0) { + std::vector<uint8_t> encrypted(data_len + kTagLen); + unsigned int encrypted_len = 0; + // Encrypt. + SECStatus rv = + PK11_Encrypt(key.get(), mech, params, encrypted.data(), &encrypted_len, + encrypted.size(), data, data_len); + + // Return if encryption failure was expected due to invalid IV. + // Without valid ciphertext, all further tests can be skipped. + if (invalid_iv) { + EXPECT_EQ(rv, SECFailure); + EXPECT_EQ(0U, encrypted_len) + << "encrypted_len is unmodified after failure"; + return; + } + + EXPECT_EQ(rv, SECSuccess); + EXPECT_EQ(encrypted.size(), static_cast<size_t>(encrypted_len)); + + // Check ciphertext and tag. + if (ct) { + ASSERT_EQ(ct_len, encrypted_len); + EXPECT_TRUE(!memcmp(ct, encrypted.data(), encrypted.size() - 16)); + EXPECT_TRUE(!memcmp(ct, encrypted.data(), encrypted.size()) != + invalid_tag); + } + + // Get the *estimated* plaintext length. This value should + // never be zero as it could lead to a NULL outPtr being + // passed to a subsequent decryption call (for AEAD we + // must authenticate even when the pt is zero-length). + unsigned int decrypt_bytes_needed = 0; + rv = PK11_Decrypt(key.get(), mech, params, nullptr, &decrypt_bytes_needed, + 0, encrypted.data(), encrypted_len); + EXPECT_EQ(rv, SECSuccess); + EXPECT_GT(decrypt_bytes_needed, data_len); + + // Now decrypt it + std::vector<uint8_t> decrypted(decrypt_bytes_needed); + unsigned int decrypted_len = 0; + rv = PK11_Decrypt(key.get(), mech, params, decrypted.data(), &decrypted_len, + decrypted.size(), encrypted.data(), encrypted.size()); + EXPECT_EQ(rv, SECSuccess); + + // Check the plaintext. + ASSERT_EQ(data_len, decrypted_len); + EXPECT_TRUE(!memcmp(data, decrypted.data(), decrypted_len)); + + // Decrypt with bogus data. + // Skip if there's no data to modify. + if (encrypted_len > 0) { + decrypted_len = 0; + std::vector<uint8_t> bogus_ciphertext(encrypted); + bogus_ciphertext[0] ^= 0xff; + rv = PK11_Decrypt(key.get(), mech, params, decrypted.data(), + &decrypted_len, decrypted.size(), + bogus_ciphertext.data(), encrypted_len); + EXPECT_EQ(rv, SECFailure); + EXPECT_EQ(0U, decrypted_len); + } + + // Decrypt with bogus tag. + // Skip if there's no tag to modify. + if (encrypted_len > 0) { + decrypted_len = 0; + std::vector<uint8_t> bogus_tag(encrypted); + bogus_tag[encrypted_len - 1] ^= 0xff; + rv = PK11_Decrypt(key.get(), mech, params, decrypted.data(), + &decrypted_len, decrypted.size(), bogus_tag.data(), + encrypted_len); + EXPECT_EQ(rv, SECFailure); + EXPECT_EQ(0U, decrypted_len); + } + + // Decrypt with bogus nonce. + // A nonce length of 0 is invalid and should be caught earlier. + ASSERT_NE(0U, nonce->size()); + decrypted_len = 0; + nonce->data()[0] ^= 0xff; + rv = PK11_Decrypt(key.get(), mech, params, decrypted.data(), &decrypted_len, + data_len, encrypted.data(), encrypted.size()); + EXPECT_EQ(rv, SECFailure); + EXPECT_EQ(0U, decrypted_len); + nonce->data()[0] ^= 0xff; // restore value + + // Decrypt with bogus additional data. + // Skip when AAD was empty and can't be modified. + // Alternatively we could generate random aad. + if (aad->size() != 0) { + decrypted_len = 0; + aad->data()[0] ^= 0xff; + + rv = PK11_Decrypt(key.get(), mech, params, decrypted.data(), + &decrypted_len, data_len, encrypted.data(), + encrypted.size()); + EXPECT_EQ(rv, SECFailure); + EXPECT_EQ(0U, decrypted_len); + } + } + + void EncryptDecrypt(const ScopedPK11SymKey& key, const bool invalid_iv, + const bool invalid_tag, const uint8_t* data, + size_t data_len, const uint8_t* aad_ptr, size_t aad_len, + const uint8_t* iv_ptr, size_t iv_len, + const uint8_t* ct = nullptr, size_t ct_len = 0) { + std::vector<uint8_t> nonce(iv_ptr, iv_ptr + iv_len); + std::vector<uint8_t> aad(aad_ptr, aad_ptr + aad_len); + // Prepare AEAD params. + CK_SALSA20_CHACHA20_POLY1305_PARAMS aead_params; + aead_params.pNonce = toUcharPtr(nonce.data()); + aead_params.ulNonceLen = nonce.size(); + aead_params.pAAD = toUcharPtr(aad.data()); + aead_params.ulAADLen = aad.size(); + + SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params), + sizeof(aead_params)}; + + EncryptDecrypt(key, invalid_iv, invalid_tag, data, data_len, kMech, ¶ms, + &nonce, &aad, ct, ct_len); + } + + void EncryptDecryptLegacy(const ScopedPK11SymKey& key, const bool invalid_iv, + const bool invalid_tag, const uint8_t* data, + size_t data_len, const uint8_t* aad_ptr, + size_t aad_len, const uint8_t* iv_ptr, + size_t iv_len, const uint8_t* ct = nullptr, + size_t ct_len = 0) { + std::vector<uint8_t> nonce(iv_ptr, iv_ptr + iv_len); + std::vector<uint8_t> aad(aad_ptr, aad_ptr + aad_len); + // Prepare AEAD params. + CK_NSS_AEAD_PARAMS aead_params; + aead_params.pNonce = toUcharPtr(nonce.data()); + aead_params.ulNonceLen = nonce.size(); + aead_params.pAAD = toUcharPtr(aad.data()); + aead_params.ulAADLen = aad.size(); + aead_params.ulTagLen = kTagLen; + + SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params), + sizeof(aead_params)}; + + // Encrypt with bad parameters (TagLen is too long). + unsigned int encrypted_len = 0; + std::vector<uint8_t> encrypted(data_len + aead_params.ulTagLen); + aead_params.ulTagLen = 158072; + SECStatus rv = + PK11_Encrypt(key.get(), kMechLegacy, ¶ms, encrypted.data(), + &encrypted_len, encrypted.size(), data, data_len); + EXPECT_EQ(SECFailure, rv); + EXPECT_EQ(0U, encrypted_len); + + // Encrypt with bad parameters (TagLen is too short). + aead_params.ulTagLen = 2; + rv = PK11_Encrypt(key.get(), kMechLegacy, ¶ms, encrypted.data(), + &encrypted_len, encrypted.size(), data, data_len); + EXPECT_EQ(SECFailure, rv); + EXPECT_EQ(0U, encrypted_len); + + // Encrypt. + aead_params.ulTagLen = kTagLen; + EncryptDecrypt(key, invalid_iv, invalid_tag, data, data_len, kMechLegacy, + ¶ms, &nonce, &aad, ct, ct_len); + } + + void EncryptDecrypt(const ChaChaTestVector testvector) { + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + SECItem keyItem = {siBuffer, toUcharPtr(testvector.key.data()), + static_cast<unsigned int>(testvector.key.size())}; + + // Import key. + ScopedPK11SymKey key(PK11_ImportSymKey(slot.get(), kMech, PK11_OriginUnwrap, + CKA_ENCRYPT, &keyItem, nullptr)); + EXPECT_TRUE(!!key); + + // Check. + EncryptDecrypt(key, testvector.invalid_iv, testvector.invalid_tag, + testvector.plaintext.data(), testvector.plaintext.size(), + testvector.aad.data(), testvector.aad.size(), + testvector.iv.data(), testvector.iv.size(), + testvector.ciphertext.data(), testvector.ciphertext.size()); + } + + void MessageInterfaceTest(CK_MECHANISM_TYPE mech, int iterations, + PRBool separateTag) { + // Generate a random key. + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + ASSERT_NE(nullptr, slot); + ScopedPK11SymKey sym_key( + PK11_KeyGen(slot.get(), mech, nullptr, 32, nullptr)); + ASSERT_NE(nullptr, sym_key); + + int tagSize = kTagLen; + int cipher_simulated_size; + int output_len_message = 0; + int output_len_simulated = 0; + unsigned int output_len_v24 = 0; + + std::vector<uint8_t> plainIn(17); + std::vector<uint8_t> plainOut_message(17); + std::vector<uint8_t> plainOut_simulated(17); + std::vector<uint8_t> plainOut_v24(17); + std::vector<uint8_t> nonce(12); + std::vector<uint8_t> cipher_message(33); + std::vector<uint8_t> cipher_simulated(33); + std::vector<uint8_t> cipher_v24(33); + std::vector<uint8_t> aad(16); + std::vector<uint8_t> tag_message(kTagLen); + std::vector<uint8_t> tag_simulated(kTagLen); + + // Prepare AEAD v2.40 params. + CK_SALSA20_CHACHA20_POLY1305_PARAMS chacha_params; + chacha_params.pNonce = nonce.data(); + chacha_params.ulNonceLen = nonce.size(); + chacha_params.pAAD = aad.data(); + chacha_params.ulAADLen = aad.size(); + + // Prepare AEAD MESSAGE params. + CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS chacha_message_params; + chacha_message_params.pNonce = nonce.data(); + chacha_message_params.ulNonceLen = nonce.size(); + if (separateTag) { + chacha_message_params.pTag = tag_message.data(); + } else { + chacha_message_params.pTag = cipher_message.data() + plainIn.size(); + } + + // Prepare AEAD MESSAGE params for simulated case + CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS chacha_simulated_params; + chacha_simulated_params = chacha_message_params; + if (separateTag) { + // The simulated case, we have to allocate temp bufs for separate + // tags, make sure that works in both the encrypt and the decrypt + // cases. + chacha_simulated_params.pTag = tag_simulated.data(); + cipher_simulated_size = cipher_simulated.size() - tagSize; + } else { + chacha_simulated_params.pTag = cipher_simulated.data() + plainIn.size(); + cipher_simulated_size = cipher_simulated.size(); + } + SECItem params = {siBuffer, + reinterpret_cast<unsigned char*>(&chacha_params), + sizeof(chacha_params)}; + SECItem empty = {siBuffer, NULL, 0}; + + // initialize our plain text, IV and aad. + ASSERT_EQ(PK11_GenerateRandom(plainIn.data(), plainIn.size()), SECSuccess); + ASSERT_EQ(PK11_GenerateRandom(aad.data(), aad.size()), SECSuccess); + + // Initialize message encrypt context + ScopedPK11Context encrypt_message_context(PK11_CreateContextBySymKey( + mech, CKA_NSS_MESSAGE | CKA_ENCRYPT, sym_key.get(), &empty)); + ASSERT_NE(nullptr, encrypt_message_context); + ASSERT_FALSE(_PK11_ContextGetAEADSimulation(encrypt_message_context.get())); + + // Initialize simulated encrypt context + ScopedPK11Context encrypt_simulated_context(PK11_CreateContextBySymKey( + mech, CKA_NSS_MESSAGE | CKA_ENCRYPT, sym_key.get(), &empty)); + ASSERT_NE(nullptr, encrypt_simulated_context); + ASSERT_EQ(SECSuccess, + _PK11_ContextSetAEADSimulation(encrypt_simulated_context.get())); + + // Initialize message decrypt context + ScopedPK11Context decrypt_message_context(PK11_CreateContextBySymKey( + mech, CKA_NSS_MESSAGE | CKA_DECRYPT, sym_key.get(), &empty)); + ASSERT_NE(nullptr, decrypt_message_context); + ASSERT_FALSE(_PK11_ContextGetAEADSimulation(decrypt_message_context.get())); + + // Initialize simulated decrypt context + ScopedPK11Context decrypt_simulated_context(PK11_CreateContextBySymKey( + mech, CKA_NSS_MESSAGE | CKA_DECRYPT, sym_key.get(), &empty)); + ASSERT_NE(nullptr, decrypt_simulated_context); + EXPECT_EQ(SECSuccess, + _PK11_ContextSetAEADSimulation(decrypt_simulated_context.get())); + + // Now walk down our iterations. Each method of calculating the operation + // should agree at each step. + for (int i = 0; i < iterations; i++) { + // get a unique nonce for each iteration + EXPECT_EQ(PK11_GenerateRandom(nonce.data(), nonce.size()), SECSuccess); + EXPECT_EQ(SECSuccess, + PK11_AEADRawOp( + encrypt_message_context.get(), &chacha_message_params, + sizeof(chacha_message_params), aad.data(), aad.size(), + cipher_message.data(), &output_len_message, + cipher_message.size(), plainIn.data(), plainIn.size())); + EXPECT_EQ(SECSuccess, + PK11_AEADRawOp( + encrypt_simulated_context.get(), &chacha_simulated_params, + sizeof(chacha_simulated_params), aad.data(), aad.size(), + cipher_simulated.data(), &output_len_simulated, + cipher_simulated_size, plainIn.data(), plainIn.size())); + // make sure simulated and message is the same + EXPECT_EQ(output_len_message, output_len_simulated); + EXPECT_EQ(0, memcmp(cipher_message.data(), cipher_simulated.data(), + output_len_message)); + EXPECT_EQ(0, memcmp(chacha_message_params.pTag, + chacha_simulated_params.pTag, tagSize)); + // make sure v2.40 is the same. + EXPECT_EQ(SECSuccess, + PK11_Encrypt(sym_key.get(), mech, ¶ms, cipher_v24.data(), + &output_len_v24, cipher_v24.size(), plainIn.data(), + plainIn.size())); + EXPECT_EQ(output_len_message, (int)output_len_v24 - tagSize); + EXPECT_EQ(0, memcmp(cipher_message.data(), cipher_v24.data(), + output_len_message)); + EXPECT_EQ(0, memcmp(chacha_message_params.pTag, + cipher_v24.data() + output_len_message, tagSize)); + // now make sure we can decrypt + EXPECT_EQ( + SECSuccess, + PK11_AEADRawOp(decrypt_message_context.get(), &chacha_message_params, + sizeof(chacha_message_params), aad.data(), aad.size(), + plainOut_message.data(), &output_len_message, + plainOut_message.size(), cipher_message.data(), + output_len_message)); + EXPECT_EQ(output_len_message, (int)plainIn.size()); + EXPECT_EQ( + 0, memcmp(plainOut_message.data(), plainIn.data(), plainIn.size())); + EXPECT_EQ(SECSuccess, + PK11_AEADRawOp(decrypt_simulated_context.get(), + &chacha_simulated_params, + sizeof(chacha_simulated_params), aad.data(), + aad.size(), plainOut_simulated.data(), + &output_len_simulated, plainOut_simulated.size(), + cipher_message.data(), output_len_simulated)); + EXPECT_EQ(output_len_simulated, (int)plainIn.size()); + EXPECT_EQ( + 0, memcmp(plainOut_simulated.data(), plainIn.data(), plainIn.size())); + if (separateTag) { + // in the separateTag case, we need to copy the tag back to the + // end of the cipher_message.data() before using the v2.4 interface + memcpy(cipher_message.data() + output_len_message, + chacha_message_params.pTag, tagSize); + } + EXPECT_EQ(SECSuccess, + PK11_Decrypt(sym_key.get(), mech, ¶ms, plainOut_v24.data(), + &output_len_v24, plainOut_v24.size(), + cipher_message.data(), output_len_v24)); + EXPECT_EQ(output_len_v24, plainIn.size()); + EXPECT_EQ(0, memcmp(plainOut_v24.data(), plainIn.data(), plainIn.size())); + } + return; + } + + protected: +}; + +TEST_F(Pkcs11ChaCha20Poly1305Test, GenerateEncryptDecrypt) { + // Generate a random key. + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + ScopedPK11SymKey key(PK11_KeyGen(slot.get(), kMech, nullptr, 32, nullptr)); + EXPECT_TRUE(!!key); + + // Generate random data. + std::vector<uint8_t> input(512); + SECStatus rv = + PK11_GenerateRandomOnSlot(slot.get(), input.data(), input.size()); + EXPECT_EQ(rv, SECSuccess); + + // Generate random AAD. + std::vector<uint8_t> aad(16); + rv = PK11_GenerateRandomOnSlot(slot.get(), aad.data(), aad.size()); + EXPECT_EQ(rv, SECSuccess); + + // Generate random IV. + std::vector<uint8_t> iv(12); + rv = PK11_GenerateRandomOnSlot(slot.get(), iv.data(), iv.size()); + EXPECT_EQ(rv, SECSuccess); + + // Check. + EncryptDecrypt(key, false, false, input.data(), input.size(), aad.data(), + aad.size(), iv.data(), iv.size()); +} + +TEST_F(Pkcs11ChaCha20Poly1305Test, Xor) { + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + SECItem keyItem = {siBuffer, toUcharPtr(kKeyData), + static_cast<unsigned int>(sizeof(kKeyData))}; + ScopedPK11SymKey key(PK11_ImportSymKey( + slot.get(), kMechXor, PK11_OriginUnwrap, CKA_ENCRYPT, &keyItem, nullptr)); + EXPECT_TRUE(!!key); + + SECItem params = {siBuffer, + toUcharPtr(reinterpret_cast<const uint8_t*>(&kXorParams)), + static_cast<unsigned int>(sizeof(kXorParams))}; + uint8_t encrypted[sizeof(kData)]; + unsigned int encrypted_len = 88; // This should be overwritten. + SECStatus rv = + PK11_Encrypt(key.get(), kMechXor, ¶ms, encrypted, &encrypted_len, + sizeof(encrypted), kData, sizeof(kData)); + ASSERT_EQ(SECSuccess, rv); + ASSERT_EQ(sizeof(kExpectedXor), static_cast<size_t>(encrypted_len)); + EXPECT_EQ(0, memcmp(kExpectedXor, encrypted, sizeof(kExpectedXor))); + + // Decrypting has the same effect. + rv = PK11_Decrypt(key.get(), kMechXor, ¶ms, encrypted, &encrypted_len, + sizeof(encrypted), kData, sizeof(kData)); + ASSERT_EQ(SECSuccess, rv); + ASSERT_EQ(sizeof(kData), static_cast<size_t>(encrypted_len)); + EXPECT_EQ(0, memcmp(kExpectedXor, encrypted, sizeof(kExpectedXor))); + + // Operating in reverse too. + rv = PK11_Encrypt(key.get(), kMechXor, ¶ms, encrypted, &encrypted_len, + sizeof(encrypted), kExpectedXor, sizeof(kExpectedXor)); + ASSERT_EQ(SECSuccess, rv); + ASSERT_EQ(sizeof(kExpectedXor), static_cast<size_t>(encrypted_len)); + EXPECT_EQ(0, memcmp(kData, encrypted, sizeof(kData))); +} + +TEST_F(Pkcs11ChaCha20Poly1305Test, XorLegacy) { + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + SECItem keyItem = {siBuffer, toUcharPtr(kKeyData), + static_cast<unsigned int>(sizeof(kKeyData))}; + ScopedPK11SymKey key(PK11_ImportSymKey(slot.get(), kMechXorLegacy, + PK11_OriginUnwrap, CKA_ENCRYPT, + &keyItem, nullptr)); + EXPECT_TRUE(!!key); + + SECItem ctrNonceItem = {siBuffer, toUcharPtr(kXorParamsLegacy), + static_cast<unsigned int>(sizeof(kXorParamsLegacy))}; + uint8_t encrypted[sizeof(kData)]; + unsigned int encrypted_len = 88; // This should be overwritten. + SECStatus rv = + PK11_Encrypt(key.get(), kMechXorLegacy, &ctrNonceItem, encrypted, + &encrypted_len, sizeof(encrypted), kData, sizeof(kData)); + ASSERT_EQ(SECSuccess, rv); + ASSERT_EQ(sizeof(kExpectedXor), static_cast<size_t>(encrypted_len)); + EXPECT_EQ(0, memcmp(kExpectedXor, encrypted, sizeof(kExpectedXor))); + + // Decrypting has the same effect. + rv = PK11_Decrypt(key.get(), kMechXorLegacy, &ctrNonceItem, encrypted, + &encrypted_len, sizeof(encrypted), kData, sizeof(kData)); + ASSERT_EQ(SECSuccess, rv); + ASSERT_EQ(sizeof(kData), static_cast<size_t>(encrypted_len)); + EXPECT_EQ(0, memcmp(kExpectedXor, encrypted, sizeof(kExpectedXor))); + + // Operating in reverse too. + rv = PK11_Encrypt(key.get(), kMechXorLegacy, &ctrNonceItem, encrypted, + &encrypted_len, sizeof(encrypted), kExpectedXor, + sizeof(kExpectedXor)); + ASSERT_EQ(SECSuccess, rv); + ASSERT_EQ(sizeof(kExpectedXor), static_cast<size_t>(encrypted_len)); + EXPECT_EQ(0, memcmp(kData, encrypted, sizeof(kData))); +} + +// This test just ensures that a key can be generated for use with the XOR +// function. The result is random and therefore cannot be checked. +TEST_F(Pkcs11ChaCha20Poly1305Test, GenerateXor) { + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + ScopedPK11SymKey key(PK11_KeyGen(slot.get(), kMechXor, nullptr, 32, nullptr)); + EXPECT_TRUE(!!key); + + std::vector<uint8_t> iv(16); + SECStatus rv = PK11_GenerateRandomOnSlot(slot.get(), iv.data(), iv.size()); + EXPECT_EQ(SECSuccess, rv); + + CK_CHACHA20_PARAMS chacha_params; + chacha_params.pBlockCounter = iv.data(); + chacha_params.blockCounterBits = 32; + chacha_params.pNonce = iv.data() + 4; + chacha_params.ulNonceBits = 96; + + SECItem params = { + siBuffer, toUcharPtr(reinterpret_cast<const uint8_t*>(&chacha_params)), + static_cast<unsigned int>(sizeof(chacha_params))}; + uint8_t encrypted[sizeof(kData)]; + unsigned int encrypted_len = 88; // This should be overwritten. + rv = PK11_Encrypt(key.get(), kMechXor, ¶ms, encrypted, &encrypted_len, + sizeof(encrypted), kData, sizeof(kData)); + ASSERT_EQ(SECSuccess, rv); + ASSERT_EQ(sizeof(kData), static_cast<size_t>(encrypted_len)); +} + +TEST_F(Pkcs11ChaCha20Poly1305Test, GenerateXorLegacy) { + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + ScopedPK11SymKey key( + PK11_KeyGen(slot.get(), kMechXorLegacy, nullptr, 32, nullptr)); + EXPECT_TRUE(!!key); + + std::vector<uint8_t> iv(16); + SECStatus rv = PK11_GenerateRandomOnSlot(slot.get(), iv.data(), iv.size()); + EXPECT_EQ(SECSuccess, rv); + + SECItem params = {siBuffer, toUcharPtr(iv.data()), + static_cast<unsigned int>(iv.size())}; + uint8_t encrypted[sizeof(kData)]; + unsigned int encrypted_len = 88; // This should be overwritten. + rv = PK11_Encrypt(key.get(), kMechXorLegacy, ¶ms, encrypted, + &encrypted_len, sizeof(encrypted), kData, sizeof(kData)); + ASSERT_EQ(SECSuccess, rv); + ASSERT_EQ(sizeof(kData), static_cast<size_t>(encrypted_len)); +} + +TEST_F(Pkcs11ChaCha20Poly1305Test, XorInvalidParams) { + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + ScopedPK11SymKey key(PK11_KeyGen(slot.get(), kMech, nullptr, 32, nullptr)); + EXPECT_TRUE(!!key); + + SECItem params = {siBuffer, + toUcharPtr(reinterpret_cast<const uint8_t*>(&kXorParams)), + static_cast<unsigned int>(sizeof(kXorParams)) - 1}; + uint8_t encrypted[sizeof(kData)]; + unsigned int encrypted_len = 88; + SECStatus rv = + PK11_Encrypt(key.get(), kMechXor, ¶ms, encrypted, &encrypted_len, + sizeof(encrypted), kData, sizeof(kData)); + EXPECT_EQ(SECFailure, rv); + + params.data = nullptr; + rv = PK11_Encrypt(key.get(), kMechXor, ¶ms, encrypted, &encrypted_len, + sizeof(encrypted), kData, sizeof(kData)); + EXPECT_EQ(SECFailure, rv); + EXPECT_EQ(SEC_ERROR_BAD_DATA, PORT_GetError()); +} + +TEST_F(Pkcs11ChaCha20Poly1305Test, XorLegacyInvalidParams) { + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + ScopedPK11SymKey key(PK11_KeyGen(slot.get(), kMech, nullptr, 32, nullptr)); + EXPECT_TRUE(!!key); + + SECItem params = {siBuffer, toUcharPtr(kXorParamsLegacy), + static_cast<unsigned int>(sizeof(kXorParamsLegacy)) - 1}; + uint8_t encrypted[sizeof(kData)]; + unsigned int encrypted_len = 88; + SECStatus rv = + PK11_Encrypt(key.get(), kMechXor, ¶ms, encrypted, &encrypted_len, + sizeof(encrypted), kData, sizeof(kData)); + EXPECT_EQ(SECFailure, rv); + + params.data = nullptr; + rv = PK11_Encrypt(key.get(), kMechXor, ¶ms, encrypted, &encrypted_len, + sizeof(encrypted), kData, sizeof(kData)); + EXPECT_EQ(SECFailure, rv); + EXPECT_EQ(SEC_ERROR_BAD_DATA, PORT_GetError()); +} + +TEST_P(Pkcs11ChaCha20Poly1305Test, TestVectors) { EncryptDecrypt(GetParam()); } + +INSTANTIATE_TEST_SUITE_P(NSSTestVector, Pkcs11ChaCha20Poly1305Test, + ::testing::ValuesIn(kChaCha20Vectors)); + +INSTANTIATE_TEST_SUITE_P(WycheproofTestVector, Pkcs11ChaCha20Poly1305Test, + ::testing::ValuesIn(kChaCha20WycheproofVectors)); + +// basic message interface it's the most common configuration +TEST_F(Pkcs11ChaCha20Poly1305Test, ChaCha201305MessageInterfaceBasic) { + MessageInterfaceTest(CKM_CHACHA20_POLY1305, 16, PR_FALSE); +} + +// basic interface, but return the tags in a separate buffer. This triggers +// different behaviour in the simulated case, which has to buffer the +// intermediate values in a separate buffer. +TEST_F(Pkcs11ChaCha20Poly1305Test, + ChaCha20Poly1305MessageInterfaceSeparateTags) { + MessageInterfaceTest(CKM_CHACHA20_POLY1305, 16, PR_TRUE); +} + +} // namespace nss_test |