Google Git
Sign in
go / go.git / refs/heads/master / . / src / crypto / internal / cryptotest / blockmode.go
blob: 06403e0995467be5fbf85cf141fe454b18a13c6d [file] [log] [blame] [edit]
// Copyright 2024 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package cryptotest
import (
"bytes"
"crypto/cipher"
"testing"
)
// MakeBlockMode returns a cipher.BlockMode instance.
// It expects len(iv) == b.BlockSize().
type MakeBlockMode func(b cipher.Block, iv []byte) cipher.BlockMode
// TestBlockMode performs a set of tests on cipher.BlockMode implementations,
// checking the documented requirements of CryptBlocks.
func TestBlockMode(t *testing.T, block cipher.Block, makeEncrypter, makeDecrypter MakeBlockMode) {
rng := newRandReader(t)
iv := make([]byte, block.BlockSize())
rng.Read(iv)
testBlockModePair(t, block, makeEncrypter, makeDecrypter, iv)
}
func testBlockModePair(t *testing.T, b cipher.Block, enc, dec MakeBlockMode, iv []byte) {
t.Run("Encryption", func(t *testing.T) {
testBlockMode(t, enc, b, iv)
})
t.Run("Decryption", func(t *testing.T) {
testBlockMode(t, dec, b, iv)
})
t.Run("Roundtrip", func(t *testing.T) {
rng := newRandReader(t)
blockSize := enc(b, iv).BlockSize()
if decBlockSize := dec(b, iv).BlockSize(); decBlockSize != blockSize {
t.Errorf("decryption blocksize different than encryption's; got %d, want %d", decBlockSize, blockSize)
}
before, dst, after := make([]byte, blockSize*2), make([]byte, blockSize*2), make([]byte, blockSize*2)
rng.Read(before)
enc(b, iv).CryptBlocks(dst, before)
dec(b, iv).CryptBlocks(after, dst)
if !bytes.Equal(after, before) {
t.Errorf("plaintext is different after an encrypt/decrypt cycle; got %x, want %x", after, before)
}
})
}
func testBlockMode(t *testing.T, bm MakeBlockMode, b cipher.Block, iv []byte) {
blockSize := bm(b, iv).BlockSize()
t.Run("WrongIVLen", func(t *testing.T) {
iv := make([]byte, b.BlockSize()+1)
mustPanic(t, "IV length must equal block size", func() { bm(b, iv) })
})
t.Run("EmptyInput", func(t *testing.T) {
rng := newRandReader(t)
src, dst := make([]byte, blockSize), make([]byte, blockSize)
rng.Read(dst)
before := bytes.Clone(dst)
bm(b, iv).CryptBlocks(dst, src[:0])
if !bytes.Equal(dst, before) {
t.Errorf("CryptBlocks modified dst on empty input; got %x, want %x", dst, before)
}
})
t.Run("AlterInput", func(t *testing.T) {
rng := newRandReader(t)
src, dst, before := make([]byte, blockSize*2), make([]byte, blockSize*2), make([]byte, blockSize*2)
for _, length := range []int{0, blockSize, blockSize * 2} {
rng.Read(src)
copy(before, src)
bm(b, iv).CryptBlocks(dst[:length], src[:length])
if !bytes.Equal(src, before) {
t.Errorf("CryptBlocks modified src; got %x, want %x", src, before)
}
}
})
t.Run("Aliasing", func(t *testing.T) {
rng := newRandReader(t)
buff, expectedOutput := make([]byte, blockSize*2), make([]byte, blockSize*2)
for _, length := range []int{0, blockSize, blockSize * 2} {
// Record what output is when src and dst are different
rng.Read(buff)
bm(b, iv).CryptBlocks(expectedOutput[:length], buff[:length])
// Check that the same output is generated when src=dst alias to the same
// memory
bm(b, iv).CryptBlocks(buff[:length], buff[:length])
if !bytes.Equal(buff[:length], expectedOutput[:length]) {
t.Errorf("block cipher produced different output when dst = src; got %x, want %x", buff[:length], expectedOutput[:length])
}
}
})
t.Run("OutOfBoundsWrite", func(t *testing.T) { // Issue 21104
rng := newRandReader(t)
src := make([]byte, blockSize)
rng.Read(src)
// Make a buffer with dst in the middle and data on either end
buff := make([]byte, blockSize*3)
endOfPrefix, startOfSuffix := blockSize, blockSize*2
rng.Read(buff[:endOfPrefix])
rng.Read(buff[startOfSuffix:])
dst := buff[endOfPrefix:startOfSuffix]
// Record the prefix and suffix data to make sure they aren't written to
initPrefix, initSuffix := make([]byte, blockSize), make([]byte, blockSize)
copy(initPrefix, buff[:endOfPrefix])
copy(initSuffix, buff[startOfSuffix:])
// Write to dst (the middle of the buffer) and make sure it doesn't write
// beyond the dst slice on a valid CryptBlocks call
bm(b, iv).CryptBlocks(dst, src)
if !bytes.Equal(buff[startOfSuffix:], initSuffix) {
t.Errorf("block cipher did out of bounds write after end of dst slice; got %x, want %x", buff[startOfSuffix:], initSuffix)
}
if !bytes.Equal(buff[:endOfPrefix], initPrefix) {
t.Errorf("block cipher did out of bounds write before beginning of dst slice; got %x, want %x", buff[:endOfPrefix], initPrefix)
}
// Check that dst isn't written to beyond len(src) even if there is room in
// the slice
dst = buff[endOfPrefix:] // Extend dst to include suffix
bm(b, iv).CryptBlocks(dst, src)
if !bytes.Equal(buff[startOfSuffix:], initSuffix) {
t.Errorf("CryptBlocks modified dst past len(src); got %x, want %x", buff[startOfSuffix:], initSuffix)
}
// Issue 21104: Shouldn't write to anything outside of dst even if src is bigger
src = make([]byte, blockSize*3)
rng.Read(src)
mustPanic(t, "output smaller than input", func() {
bm(b, iv).CryptBlocks(dst, src)
})
if !bytes.Equal(buff[startOfSuffix:], initSuffix) {
t.Errorf("block cipher did out of bounds write after end of dst slice; got %x, want %x", buff[startOfSuffix:], initSuffix)
}
if !bytes.Equal(buff[:endOfPrefix], initPrefix) {
t.Errorf("block cipher did out of bounds write before beginning of dst slice; got %x, want %x", buff[:endOfPrefix], initPrefix)
}
})
// Check that output of cipher isn't affected by adjacent data beyond input
// slice scope
t.Run("OutOfBoundsRead", func(t *testing.T) {
rng := newRandReader(t)
src := make([]byte, blockSize)
rng.Read(src)
expectedDst := make([]byte, blockSize)
bm(b, iv).CryptBlocks(expectedDst, src)
// Make a buffer with src in the middle and data on either end
buff := make([]byte, blockSize*3)
endOfPrefix, startOfSuffix := blockSize, blockSize*2
copy(buff[endOfPrefix:startOfSuffix], src)
rng.Read(buff[:endOfPrefix])
rng.Read(buff[startOfSuffix:])
testDst := make([]byte, blockSize)
bm(b, iv).CryptBlocks(testDst, buff[endOfPrefix:startOfSuffix])
if !bytes.Equal(testDst, expectedDst) {
t.Errorf("CryptBlocks affected by data outside of src slice bounds; got %x, want %x", testDst, expectedDst)
}
})
t.Run("BufferOverlap", func(t *testing.T) {
rng := newRandReader(t)
buff := make([]byte, blockSize*2)
rng.Read(buff)
// Make src and dst slices point to same array with inexact overlap
src := buff[:blockSize]
dst := buff[1 : blockSize+1]
mustPanic(t, "invalid buffer overlap", func() { bm(b, iv).CryptBlocks(dst, src) })
// Only overlap on one byte
src = buff[:blockSize]
dst = buff[blockSize-1 : 2*blockSize-1]
mustPanic(t, "invalid buffer overlap", func() { bm(b, iv).CryptBlocks(dst, src) })
// src comes after dst with one byte overlap
src = buff[blockSize-1 : 2*blockSize-1]
dst = buff[:blockSize]
mustPanic(t, "invalid buffer overlap", func() { bm(b, iv).CryptBlocks(dst, src) })
})
// Input to CryptBlocks should be a multiple of BlockSize
t.Run("PartialBlocks", func(t *testing.T) {
// Check a few cases of not being a multiple of BlockSize
for _, srcSize := range []int{blockSize - 1, blockSize + 1, 2*blockSize - 1, 2*blockSize + 1} {
src := make([]byte, srcSize)
dst := make([]byte, 3*blockSize) // Make a dst large enough for all src
mustPanic(t, "input not full blocks", func() { bm(b, iv).CryptBlocks(dst, src) })
}
})
t.Run("KeepState", func(t *testing.T) {
rng := newRandReader(t)
src, serialDst, compositeDst := make([]byte, blockSize*4), make([]byte, blockSize*4), make([]byte, blockSize*4)
rng.Read(src)
length, block := 2*blockSize, bm(b, iv)
block.CryptBlocks(serialDst, src[:length])
block.CryptBlocks(serialDst[length:], src[length:])
bm(b, iv).CryptBlocks(compositeDst, src)
if !bytes.Equal(serialDst, compositeDst) {
t.Errorf("two successive CryptBlocks calls returned a different result than a single one; got %x, want %x", serialDst, compositeDst)
}
})
}