components/webcrypto/algorithms/aes_ctr_unittest.cc

// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <stddef.h>
#include <stdint.h>

#include <array>

#include "base/containers/span.h"
#include "components/webcrypto/algorithm_dispatch.h"
#include "components/webcrypto/algorithms/test_helpers.h"
#include "components/webcrypto/status.h"
#include "third_party/blink/public/platform/web_crypto_algorithm_params.h"
#include "third_party/blink/public/platform/web_crypto_key_algorithm.h"

namespace webcrypto {

namespace {

// Creates an AES-CTR algorithm for encryption/decryption.
blink::WebCryptoAlgorithm CreateAesCtrAlgorithm(
    const std::vector<uint8_t>& counter,
    uint8_t length_bits) {
  return blink::WebCryptoAlgorithm::AdoptParamsAndCreate(
      blink::kWebCryptoAlgorithmIdAesCtr,
      new blink::WebCryptoAesCtrParams(length_bits, counter));
}

blink::WebCryptoKey AesCtrKeyFromBytes(const std::vector<uint8_t>& bytes) {
  blink::WebCryptoKey key = ImportSecretKeyFromRaw(
      bytes, CreateAlgorithm(blink::kWebCryptoAlgorithmIdAesCtr),
      blink::kWebCryptoKeyUsageEncrypt | blink::kWebCryptoKeyUsageDecrypt);
  EXPECT_EQ(bytes.size() * 8, key.Algorithm().AesParams()->LengthBits());
  return key;
}

class WebCryptoAesCtrTest : public WebCryptoTestBase {};

struct AesCtrKnownAnswer {
  const char* key;
  const char* plaintext;
  const char* counter;
  size_t counter_length;
  const char* ciphertext;
};

const char k128BitTestKey[] = "7691BE035E5020A8AC6E618529F9A0DC";
const char k256BitTestKey[] =
    "F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884";

constexpr auto kAesCtrKnownAnswers = std::to_array<AesCtrKnownAnswer>({
    // RFC 3686 test vector #3:
    {k128BitTestKey,
     "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223",
     "00E0017B27777F3F4A1786F000000001", 32,
     "C1CF48A89F2FFDD9CF4652E9EFDB72D74540A42BDE6D7836D59A5CEAAEF3105325B2072"
     "F"},
    // RFC 3686 test vector #8:
    {k256BitTestKey,
     "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F",
     "00FAAC24C1585EF15A43D87500000001", 32,
     "F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1C"},
    // Empty plaintext, same key as above:
    {k256BitTestKey, "", "00FAAC24C1585EF15A43D87500000001", 32, ""},
    // 32-bit counter wraparound:
    {k256BitTestKey,
     "F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1CC1CF48A89"
     "F2FFDD9CF4652E9EFDB72D7",
     "00FAAC24C1585EF15A43D875FFFFFFFF", 32,
     "2E32E02FF9E69A1D6B78AC4308A67592C5DD5505589B79183D4189619A1467E4319069B0A"
     "3BE9AF28EA158E96398CE71"},
    // 1-bit counter wraparound:
    {k128BitTestKey,
     "C05E231B3894612C49EE000B804EB2A6B8306B508F839D6A5530831D9344AF1C",
     "00FAAC24C1585EF15A43D875000000FF", 1,
     "52334727723A84F4278FB319386CD7B5587DD8B2D9AA394D83EF8A826C4761AA"},
    // 4-bit counter wraparound:
    {k128BitTestKey,
     "C05E231B3894612C49EE000B804EB2A6B8306B508F839D6A5530831D9344AF1C141516171"
     "8191A1B1C1D1E1F20212223",
     "00FAAC24C1585EF15A43D8750000111E", 4,
     "5573894046DEF46162ED54966A22D8F0517B61A0CE7E657A5A5124A7F62AAE149A3C78567"
     "11C59D67F34F31374CF7A72"},
    // same, but plaintext is not a multiple of block size:
    {k128BitTestKey,
     "C05E231B3894612C49EE000B804EB2A6B8306B508F839D6A5530831D9344AF1C141516171"
     "8191A1B1C1D1E1F20",
     "00FAAC24C1585EF15A43D8750000111E", 4,
     "5573894046DEF46162ED54966A22D8F0517B61A0CE7E657A5A5124A7F62AAE149A3C78567"
     "11C59D67F34F31374"},
    // 128-bit counter wraparound:
    {k128BitTestKey,
     "C05E231B3894612C49EE000B804EB2A6B8306B508F839D6A5530831D9344AF1C141516171"
     "8191A1B1C1D1E1F20212223",
     "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE", 128,
     "D2C49B275BC73814DC90ECE98959041C9A3481F2247E08B0AF5D8DE3F521C9DAF535B0A81"
     "56DF9D2370EE7328103C8AD"},
});

TEST_F(WebCryptoAesCtrTest, EncryptDecryptKnownAnswer) {
  for (const auto& test : kAesCtrKnownAnswers) {
    SCOPED_TRACE(&test - &kAesCtrKnownAnswers[0]);

    std::vector<uint8_t> key_bytes = HexStringToBytes(test.key);
    std::vector<uint8_t> counter = HexStringToBytes(test.counter);
    std::vector<uint8_t> plaintext = HexStringToBytes(test.plaintext);
    std::vector<uint8_t> ciphertext = HexStringToBytes(test.ciphertext);

    blink::WebCryptoKey key = AesCtrKeyFromBytes(key_bytes);

    std::vector<uint8_t> output;

    // Test encryption.
    EXPECT_EQ(Status::Success(),
              Encrypt(CreateAesCtrAlgorithm(counter, test.counter_length), key,
                      plaintext, &output));
    EXPECT_EQ(ciphertext, output);

    // Test decryption.
    EXPECT_EQ(Status::Success(),
              Decrypt(CreateAesCtrAlgorithm(counter, test.counter_length), key,
                      ciphertext, &output));
    EXPECT_EQ(plaintext, output);
  }
}

// The counter block must be exactly 16 bytes.
TEST_F(WebCryptoAesCtrTest, InvalidCounterBlockLength) {
  blink::WebCryptoKey key = AesCtrKeyFromBytes(std::vector<uint8_t>(16));

  std::vector<uint8_t> input(32);
  std::vector<uint8_t> output;

  for (size_t bad_length : {0, 15, 17}) {
    std::vector<uint8_t> bad_counter(bad_length);

    EXPECT_EQ(
        Status::ErrorIncorrectSizeAesCtrCounter(),
        Encrypt(CreateAesCtrAlgorithm(bad_counter, 128), key, input, &output));

    EXPECT_EQ(
        Status::ErrorIncorrectSizeAesCtrCounter(),
        Decrypt(CreateAesCtrAlgorithm(bad_counter, 128), key, input, &output));
  }
}

TEST_F(WebCryptoAesCtrTest, InvalidCounterLength) {
  blink::WebCryptoKey key = AesCtrKeyFromBytes(std::vector<uint8_t>(16));

  std::vector<uint8_t> counter(16);
  std::vector<uint8_t> input(32);
  std::vector<uint8_t> output;

  // The counter length cannot be less than 1 or greater than 128.
  for (uint8_t bad_length : {0, 129}) {
    EXPECT_EQ(Status::ErrorInvalidAesCtrCounterLength(),
              Encrypt(CreateAesCtrAlgorithm(counter, bad_length), key, input,
                      &output));

    EXPECT_EQ(Status::ErrorInvalidAesCtrCounterLength(),
              Decrypt(CreateAesCtrAlgorithm(counter, bad_length), key, input,
                      &output));
  }
}

// Tests wrap-around using a 4-bit counter.
//
// Wrap-around is allowed, however if the counter repeats itself an error should
// be thrown.
//
// Using a 4-bit counter it is possible to encrypt 16 blocks. However the 17th
// block would end up wrapping back to the starting value.
TEST_F(WebCryptoAesCtrTest, OverflowAndRepeatCounter) {
  const uint8_t kCounterLengthBits = 4;

  blink::WebCryptoKey key = AesCtrKeyFromBytes(std::vector<uint8_t>(16));

  std::vector<uint8_t> buffer(272);

  // 16 and 17 AES blocks worth of data respectively (AES blocks are 16 bytes
  // long).
  auto input_16 = base::span(buffer).first<256>();
  auto input_17 = base::span(buffer).first<272>();

  std::vector<uint8_t> output;

  for (uint8_t start : {0, 1, 15}) {
    std::vector<uint8_t> counter(16);
    counter[15] = start;

    // Baseline test: Encrypting 16 blocks should work (don't bother to check
    // output, the known answer tests already do that).
    EXPECT_EQ(Status::Success(),
              Encrypt(CreateAesCtrAlgorithm(counter, kCounterLengthBits), key,
                      input_16, &output));

    // Encrypting/Decrypting 17 however should fail.
    EXPECT_EQ(Status::ErrorAesCtrInputTooLongCounterRepeated(),
              Encrypt(CreateAesCtrAlgorithm(counter, kCounterLengthBits), key,
                      input_17, &output));
    EXPECT_EQ(Status::ErrorAesCtrInputTooLongCounterRepeated(),
              Decrypt(CreateAesCtrAlgorithm(counter, kCounterLengthBits), key,
                      input_17, &output));
  }
}

}  // namespace

}  // namespace webcrypto