tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

cmac_unittests.cc (7828B)

      1 // This Source Code Form is subject to the terms of the Mozilla Public
      2 // License, v. 2.0. If a copy of the MPL was not distributed with this file,
      3 // You can obtain one at http://mozilla.org/MPL/2.0/.
      4 
      5 #include "gtest/gtest.h"
      6 
      7 #include <stdint.h>
      8 #include <memory>
      9 
     10 #include "blapi.h"
     11 #include "secitem.h"
     12 #include "freebl_scoped_ptrs.h"
     13 
     14 class CmacAesTest : public ::testing::Test {
     15 protected:
     16  bool Compare(const uint8_t *actual, const uint8_t *expected,
     17               unsigned int length) {
     18    return strncmp((const char *)actual, (const char *)expected, length) == 0;
     19  }
     20 };
     21 
     22 TEST_F(CmacAesTest, CreateInvalidSize) {
     23  uint8_t key[1] = {0x00};
     24  ScopedCMACContext ctx(CMAC_Create(CMAC_AES, key, sizeof(key)));
     25  ASSERT_EQ(ctx, nullptr);
     26 }
     27 
     28 TEST_F(CmacAesTest, CreateRightSize) {
     29  uint8_t *key = PORT_NewArray(uint8_t, AES_128_KEY_LENGTH);
     30  ScopedCMACContext ctx(CMAC_Create(CMAC_AES, key, AES_128_KEY_LENGTH));
     31 
     32  ASSERT_NE(ctx, nullptr);
     33  PORT_Free(key);
     34 }
     35 
     36 // The following tests were taken from NIST's Cryptographic Standards and
     37 // Guidelines page for AES-CMAC Examples with Intermediate Values. These same
     38 // test vectors for AES-128 can be found in RFC 4493, Section 4.
     39 
     40 static const uint8_t kNistKeys[][AES_256_KEY_LENGTH] = {
     41    {0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 0xAB, 0xF7, 0x15,
     42     0x88, 0x09, 0xCF, 0x4F, 0x3C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     43     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
     44    {0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 0xC8, 0x10, 0xF3,
     45     0x2B, 0x80, 0x90, 0x79, 0xE5, 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C,
     46     0x6B, 0x7B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
     47    {0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 0x2B, 0x73, 0xAE,
     48     0xF0, 0x85, 0x7D, 0x77, 0x81, 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61,
     49     0x08, 0xD7, 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4}};
     50 static const size_t kNistKeyLengthsCount = PR_ARRAY_SIZE(kNistKeys);
     51 static const unsigned int kNistKeyLengths[kNistKeyLengthsCount] = {
     52    AES_128_KEY_LENGTH, AES_192_KEY_LENGTH, AES_256_KEY_LENGTH};
     53 
     54 static const uint8_t kNistPlaintext[64] = {
     55    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E,
     56    0x11, 0x73, 0x93, 0x17, 0x2A, 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03,
     57    0xAC, 0x9C, 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 0x30,
     58    0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 0xE5, 0xFB, 0xC1, 0x19,
     59    0x1A, 0x0A, 0x52, 0xEF, 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B,
     60    0x17, 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10};
     61 static const unsigned int kNistPlaintextLengths[] = {0, 16, 20, 64};
     62 static const size_t kNistPlaintextLengthsCount =
     63    PR_ARRAY_SIZE(kNistPlaintextLengths);
     64 
     65 // This table contains the result of a CMAC over kNistPlaintext using keys from
     66 // kNistKeys.  For each key, there are kNistPlaintextLengthsCount answers, all
     67 // listed one after the other as the input is truncated to the different sizes
     68 // in kNistPlaintextLengths.
     69 static const uint8_t kNistKnown[][AES_BLOCK_SIZE] = {
     70    {0xBB, 0x1D, 0x69, 0x29, 0xE9, 0x59, 0x37, 0x28, 0x7F, 0xA3, 0x7D, 0x12,
     71     0x9B, 0x75, 0x67, 0x46},
     72    {0x07, 0x0A, 0x16, 0xB4, 0x6B, 0x4D, 0x41, 0x44, 0xF7, 0x9B, 0xDD, 0x9D,
     73     0xD0, 0x4A, 0x28, 0x7C},
     74    {0x7D, 0x85, 0x44, 0x9E, 0xA6, 0xEA, 0x19, 0xC8, 0x23, 0xA7, 0xBF, 0x78,
     75     0x83, 0x7D, 0xFA, 0xDE},
     76    {0x51, 0xF0, 0xBE, 0xBF, 0x7E, 0x3B, 0x9D, 0x92, 0xFC, 0x49, 0x74, 0x17,
     77     0x79, 0x36, 0x3C, 0xFE},
     78    {0xD1, 0x7D, 0xDF, 0x46, 0xAD, 0xAA, 0xCD, 0xE5, 0x31, 0xCA, 0xC4, 0x83,
     79     0xDE, 0x7A, 0x93, 0x67},
     80    {0x9E, 0x99, 0xA7, 0xBF, 0x31, 0xE7, 0x10, 0x90, 0x06, 0x62, 0xF6, 0x5E,
     81     0x61, 0x7C, 0x51, 0x84},
     82    {0x3D, 0x75, 0xC1, 0x94, 0xED, 0x96, 0x07, 0x04, 0x44, 0xA9, 0xFA, 0x7E,
     83     0xC7, 0x40, 0xEC, 0xF8},
     84    {0xA1, 0xD5, 0xDF, 0x0E, 0xED, 0x79, 0x0F, 0x79, 0x4D, 0x77, 0x58, 0x96,
     85     0x59, 0xF3, 0x9A, 0x11},
     86    {0x02, 0x89, 0x62, 0xF6, 0x1B, 0x7B, 0xF8, 0x9E, 0xFC, 0x6B, 0x55, 0x1F,
     87     0x46, 0x67, 0xD9, 0x83},
     88    {0x28, 0xA7, 0x02, 0x3F, 0x45, 0x2E, 0x8F, 0x82, 0xBD, 0x4B, 0xF2, 0x8D,
     89     0x8C, 0x37, 0xC3, 0x5C},
     90    {0x15, 0x67, 0x27, 0xDC, 0x08, 0x78, 0x94, 0x4A, 0x02, 0x3C, 0x1F, 0xE0,
     91     0x3B, 0xAD, 0x6D, 0x93},
     92    {0xE1, 0x99, 0x21, 0x90, 0x54, 0x9F, 0x6E, 0xD5, 0x69, 0x6A, 0x2C, 0x05,
     93     0x6C, 0x31, 0x54, 0x10}};
     94 PR_STATIC_ASSERT(PR_ARRAY_SIZE(kNistKnown) ==
     95                 kNistKeyLengthsCount * kNistPlaintextLengthsCount);
     96 
     97 TEST_F(CmacAesTest, AesNistAligned) {
     98  for (unsigned int key_index = 0; key_index < kNistKeyLengthsCount;
     99       key_index++) {
    100    ScopedCMACContext ctx(CMAC_Create(CMAC_AES, kNistKeys[key_index],
    101                                      kNistKeyLengths[key_index]));
    102    ASSERT_NE(ctx, nullptr);
    103 
    104    for (unsigned int plaintext_index = 0;
    105         plaintext_index < kNistPlaintextLengthsCount; plaintext_index++) {
    106      CMAC_Begin(ctx.get());
    107 
    108      unsigned int known_index =
    109          (key_index * kNistPlaintextLengthsCount) + plaintext_index;
    110      CMAC_Update(ctx.get(), kNistPlaintext,
    111                  kNistPlaintextLengths[plaintext_index]);
    112 
    113      uint8_t output[AES_BLOCK_SIZE];
    114      CMAC_Finish(ctx.get(), output, NULL, AES_BLOCK_SIZE);
    115 
    116      ASSERT_TRUE(Compare(output, kNistKnown[known_index], AES_BLOCK_SIZE));
    117    }
    118  }
    119 }
    120 
    121 TEST_F(CmacAesTest, AesNistUnaligned) {
    122  for (unsigned int key_index = 0; key_index < kNistKeyLengthsCount;
    123       key_index++) {
    124    unsigned int key_length = kNistKeyLengths[key_index];
    125    ScopedCMACContext ctx(
    126        CMAC_Create(CMAC_AES, kNistKeys[key_index], key_length));
    127    ASSERT_NE(ctx, nullptr);
    128 
    129    // Skip the zero-length test.
    130    for (unsigned int plaintext_index = 1;
    131         plaintext_index < kNistPlaintextLengthsCount; plaintext_index++) {
    132      unsigned int known_index =
    133          (key_index * kNistPlaintextLengthsCount) + plaintext_index;
    134      unsigned int plaintext_length = kNistPlaintextLengths[plaintext_index];
    135 
    136      // Test all possible offsets and make sure that misaligned updates
    137      // produce the desired result. That is, do two updates:
    138      //  0      ... offset
    139      //  offset ... len - offset
    140      // and ensure the result is the same as doing one update.
    141      for (unsigned int offset = 1; offset < plaintext_length; offset++) {
    142        CMAC_Begin(ctx.get());
    143 
    144        CMAC_Update(ctx.get(), kNistPlaintext, offset);
    145        CMAC_Update(ctx.get(), kNistPlaintext + offset,
    146                    plaintext_length - offset);
    147 
    148        uint8_t output[AES_BLOCK_SIZE];
    149        CMAC_Finish(ctx.get(), output, NULL, AES_BLOCK_SIZE);
    150 
    151        ASSERT_TRUE(Compare(output, kNistKnown[known_index], AES_BLOCK_SIZE));
    152      }
    153    }
    154  }
    155 }
    156 
    157 TEST_F(CmacAesTest, AesNistTruncated) {
    158  for (unsigned int key_index = 0; key_index < kNistKeyLengthsCount;
    159       key_index++) {
    160    unsigned int key_length = kNistKeyLengths[key_index];
    161    ScopedCMACContext ctx(
    162        CMAC_Create(CMAC_AES, kNistKeys[key_index], key_length));
    163    ASSERT_TRUE(ctx != nullptr);
    164 
    165    // Skip the zero-length test.
    166    for (unsigned int plaintext_index = 1;
    167         plaintext_index < kNistPlaintextLengthsCount; plaintext_index++) {
    168      unsigned int known_index =
    169          (key_index * kNistPlaintextLengthsCount) + plaintext_index;
    170      unsigned int plaintext_length = kNistPlaintextLengths[plaintext_index];
    171 
    172      // Test truncated outputs to ensure that we always get the desired values.
    173      for (unsigned int out_len = 1; out_len < AES_BLOCK_SIZE; out_len++) {
    174        CMAC_Begin(ctx.get());
    175 
    176        CMAC_Update(ctx.get(), kNistPlaintext, plaintext_length);
    177 
    178        unsigned int actual_out_len = 0;
    179        uint8_t output[AES_BLOCK_SIZE];
    180        CMAC_Finish(ctx.get(), output, &actual_out_len, out_len);
    181 
    182        ASSERT_TRUE(actual_out_len == out_len);
    183        ASSERT_TRUE(Compare(output, kNistKnown[known_index], out_len));
    184      }
    185    }
    186  }
    187 }