go/aead/subtle/aes_gcm_siv_test.go - platform/external/tink - Git at Google

 // Copyright 2020 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 ////////////////////////////////////////////////////////////////////////////////

 package subtle_test

 import (
 	"bytes"
 	"encoding/hex"
 	"fmt"
 	"testing"

 	"github.com/google/tink/go/aead/subtle"
 	"github.com/google/tink/go/subtle/random"
 	"github.com/google/tink/go/testutil"
 )

 func TestAESGCMSIVRejectsInvalidKeyLength(t *testing.T) {
 	invalidKeySizes := []uint32{4, 8, 12, 15, 17, 24, 30, 31, 33, 64, 128}

 	for _, keySize := range invalidKeySizes {
 		key := random.GetRandomBytes(keySize)

 		if _, err := subtle.NewAESGCMSIV(key); err == nil {
 			t.Errorf("expected error with invalid key-size %d", keySize)
 		}
 	}
 }

 func TestAESGCMSIVRandomNonceProducesDifferentCiphertexts(t *testing.T) {
 	nSample := 1 << 17
 	key := random.GetRandomBytes(16)
 	pt := []byte{}
 	ad := []byte{}
 	a, _ := subtle.NewAESGCMSIV(key)
 	ctSet := make(map[string]bool)

 	for i := 0; i < nSample; i++ {
 		ct, _ := a.Encrypt(pt, ad)
 		ctHex := hex.EncodeToString(ct)

 		if _, existed := ctSet[ctHex]; existed {
 			t.Errorf("nonce is repeated after %d samples", i)
 		}
 		ctSet[ctHex] = true
 	}
 }

 func TestAESGCMSIVModifyCiphertext(t *testing.T) {
 	ad := random.GetRandomBytes(33)
 	key := random.GetRandomBytes(16)
 	pt := random.GetRandomBytes(32)
 	a, _ := subtle.NewAESGCMSIV(key)
 	ct, _ := a.Encrypt(pt, ad)
 	// flipping bits
 	for i := 0; i < len(ct); i++ {
 		tmp := ct[i]
 		for j := 0; j < 8; j++ {
 			ct[i] ^= 1 << uint8(j)
 			if _, err := a.Decrypt(ct, ad); err == nil {
 				t.Errorf("expect an error when flipping bit of ciphertext: byte %d, bit %d", i, j)
 			}
 			ct[i] = tmp
 		}
 	}
 	// truncated ciphertext
 	for i := 1; i < len(ct); i++ {
 		if _, err := a.Decrypt(ct[:i], ad); err == nil {
 			t.Errorf("expect an error ciphertext is truncated until byte %d", i)
 		}
 	}
 	// modify associated data
 	for i := 0; i < len(ad); i++ {
 		tmp := ad[i]
 		for j := 0; j < 8; j++ {
 			ad[i] ^= 1 << uint8(j)
 			if _, err := a.Decrypt(ct, ad); err == nil {
 				t.Errorf("expect an error when flipping bit of ad: byte %d, bit %d", i, j)
 			}
 			ad[i] = tmp
 		}
 	}
 }

 func TestAESGCMSIVWycheproofCases(t *testing.T) {
 	testutil.SkipTestIfTestSrcDirIsNotSet(t)
 	suite := new(AEADSuite)
 	if err := testutil.PopulateSuite(suite, "aes_gcm_siv_test.json"); err != nil {
 		t.Fatalf("failed populating suite: %s", err)
 	}
 	for _, group := range suite.TestGroups {
 		for _, test := range group.Tests {
 			caseName := fmt.Sprintf("%s-%s(%d):Case-%d", suite.Algorithm, group.Type, group.KeySize, test.CaseID)
 			t.Run("DecryptOnly/"+caseName, func(t *testing.T) { runWycheproofDecryptOnly(t, test) })
 			t.Run("EncryptDecrypt/"+caseName, func(t *testing.T) { runWycheproofEncryptDecrypt(t, test) })
 		}
 	}
 }

 func runWycheproofDecryptOnly(t *testing.T, testCase *AEADCase) {
 	aead, err := subtle.NewAESGCMSIV(testCase.Key)
 	if err != nil {
 		t.Fatalf("cannot create aead, error: %v", err)
 	}

 	var combinedCt []byte
 	combinedCt = append(combinedCt, testCase.Iv...)
 	combinedCt = append(combinedCt, testCase.Ct...)
 	combinedCt = append(combinedCt, testCase.Tag...)
 	decrypted, err := aead.Decrypt(combinedCt, testCase.Aad)
 	switch testCase.Result {
 	case "valid":
 		if err != nil {
 			t.Errorf("unexpected error in test-case: %v", err)
 		} else if !bytes.Equal(decrypted, testCase.Msg) {
 			t.Errorf(
 				"incorrect decryption: actual: %s; expected %s",
 				hex.EncodeToString(decrypted), hex.EncodeToString(testCase.Msg))
 		}
 	case "invalid":
 		if err == nil && bytes.Equal(testCase.Ct, decrypted) {
 			t.Error("successfully decrypted invalid test-case")
 		}
 	default:
 		t.Errorf("unknown test-case result: %s", testCase.Result)
 	}
 }

 func runWycheproofEncryptDecrypt(t *testing.T, testCase *AEADCase) {
 	aead, err := subtle.NewAESGCMSIV(testCase.Key)
 	if err != nil {
 		t.Fatalf("cannot create aead, error: %v", err)
 	}

 	ct, err := aead.Encrypt(testCase.Msg, testCase.Aad)
 	if err != nil {
 		if testCase.Result != "invalid" {
 			t.Errorf("unexpected error in test-case: %v", err)
 		}
 		return
 	}

 	decrypted, err := aead.Decrypt(ct, testCase.Aad)
 	switch testCase.Result {
 	case "valid":
 		if err != nil {
 			t.Errorf("unexpected error in test-case: %v", err)
 		} else if !bytes.Equal(decrypted, testCase.Msg) {
 			t.Errorf(
 				"incorrect decryption: actual: %s; expected %s",
 				hex.EncodeToString(decrypted), hex.EncodeToString(testCase.Msg))
 		}
 	case "invalid":
 		if err == nil && bytes.Equal(ct, decrypted) {
 			t.Error("successfully decrypted invalid test-case")
 		}
 	default:
 		t.Errorf("unknown test-case result: %s", testCase.Result)
 	}
 }
	// Copyright 2020 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	////////////////////////////////////////////////////////////////////////////////

	package subtle_test

	import (
	"bytes"
	"encoding/hex"
	"fmt"
	"testing"

	"github.com/google/tink/go/aead/subtle"
	"github.com/google/tink/go/subtle/random"
	"github.com/google/tink/go/testutil"
	)

	func TestAESGCMSIVRejectsInvalidKeyLength(t *testing.T) {
	invalidKeySizes := []uint32{4, 8, 12, 15, 17, 24, 30, 31, 33, 64, 128}

	for _, keySize := range invalidKeySizes {
	key := random.GetRandomBytes(keySize)

	if _, err := subtle.NewAESGCMSIV(key); err == nil {
	t.Errorf("expected error with invalid key-size %d", keySize)
	}
	}
	}

	func TestAESGCMSIVRandomNonceProducesDifferentCiphertexts(t *testing.T) {
	nSample := 1 << 17
	key := random.GetRandomBytes(16)
	pt := []byte{}
	ad := []byte{}
	a, _ := subtle.NewAESGCMSIV(key)
	ctSet := make(map[string]bool)

	for i := 0; i < nSample; i++ {
	ct, _ := a.Encrypt(pt, ad)
	ctHex := hex.EncodeToString(ct)

	if _, existed := ctSet[ctHex]; existed {
	t.Errorf("nonce is repeated after %d samples", i)
	}
	ctSet[ctHex] = true
	}
	}

	func TestAESGCMSIVModifyCiphertext(t *testing.T) {
	ad := random.GetRandomBytes(33)
	key := random.GetRandomBytes(16)
	pt := random.GetRandomBytes(32)
	a, _ := subtle.NewAESGCMSIV(key)
	ct, _ := a.Encrypt(pt, ad)
	// flipping bits
	for i := 0; i < len(ct); i++ {
	tmp := ct[i]
	for j := 0; j < 8; j++ {
	ct[i] ^= 1 << uint8(j)
	if _, err := a.Decrypt(ct, ad); err == nil {
	t.Errorf("expect an error when flipping bit of ciphertext: byte %d, bit %d", i, j)
	}
	ct[i] = tmp
	}
	}
	// truncated ciphertext
	for i := 1; i < len(ct); i++ {
	if _, err := a.Decrypt(ct[:i], ad); err == nil {
	t.Errorf("expect an error ciphertext is truncated until byte %d", i)
	}
	}
	// modify associated data
	for i := 0; i < len(ad); i++ {
	tmp := ad[i]
	for j := 0; j < 8; j++ {
	ad[i] ^= 1 << uint8(j)
	if _, err := a.Decrypt(ct, ad); err == nil {
	t.Errorf("expect an error when flipping bit of ad: byte %d, bit %d", i, j)
	}
	ad[i] = tmp
	}
	}
	}

	func TestAESGCMSIVWycheproofCases(t *testing.T) {
	testutil.SkipTestIfTestSrcDirIsNotSet(t)
	suite := new(AEADSuite)
	if err := testutil.PopulateSuite(suite, "aes_gcm_siv_test.json"); err != nil {
	t.Fatalf("failed populating suite: %s", err)
	}
	for _, group := range suite.TestGroups {
	for _, test := range group.Tests {
	caseName := fmt.Sprintf("%s-%s(%d):Case-%d", suite.Algorithm, group.Type, group.KeySize, test.CaseID)
	t.Run("DecryptOnly/"+caseName, func(t *testing.T) { runWycheproofDecryptOnly(t, test) })
	t.Run("EncryptDecrypt/"+caseName, func(t *testing.T) { runWycheproofEncryptDecrypt(t, test) })
	}
	}
	}

	func runWycheproofDecryptOnly(t testing.T, testCase AEADCase) {
	aead, err := subtle.NewAESGCMSIV(testCase.Key)
	if err != nil {
	t.Fatalf("cannot create aead, error: %v", err)
	}

	var combinedCt []byte
	combinedCt = append(combinedCt, testCase.Iv...)
	combinedCt = append(combinedCt, testCase.Ct...)
	combinedCt = append(combinedCt, testCase.Tag...)
	decrypted, err := aead.Decrypt(combinedCt, testCase.Aad)
	switch testCase.Result {
	case "valid":
	if err != nil {
	t.Errorf("unexpected error in test-case: %v", err)
	} else if !bytes.Equal(decrypted, testCase.Msg) {
	t.Errorf(
	"incorrect decryption: actual: %s; expected %s",
	hex.EncodeToString(decrypted), hex.EncodeToString(testCase.Msg))
	}
	case "invalid":
	if err == nil && bytes.Equal(testCase.Ct, decrypted) {
	t.Error("successfully decrypted invalid test-case")
	}
	default:
	t.Errorf("unknown test-case result: %s", testCase.Result)
	}
	}

	func runWycheproofEncryptDecrypt(t testing.T, testCase AEADCase) {
	aead, err := subtle.NewAESGCMSIV(testCase.Key)
	if err != nil {
	t.Fatalf("cannot create aead, error: %v", err)
	}

	ct, err := aead.Encrypt(testCase.Msg, testCase.Aad)
	if err != nil {
	if testCase.Result != "invalid" {
	t.Errorf("unexpected error in test-case: %v", err)
	}
	return
	}

	decrypted, err := aead.Decrypt(ct, testCase.Aad)
	switch testCase.Result {
	case "valid":
	if err != nil {
	t.Errorf("unexpected error in test-case: %v", err)
	} else if !bytes.Equal(decrypted, testCase.Msg) {
	t.Errorf(
	"incorrect decryption: actual: %s; expected %s",
	hex.EncodeToString(decrypted), hex.EncodeToString(testCase.Msg))
	}
	case "invalid":
	if err == nil && bytes.Equal(ct, decrypted) {
	t.Error("successfully decrypted invalid test-case")
	}
	default:
	t.Errorf("unknown test-case result: %s", testCase.Result)
	}
	}