Browse Source
Add tests for padding variations.
Test that SSLv3 accepts arbitrary padding bytes (hello, POODLE) and rejects non-minimal padding, while TLS accepts non-minimal padding but rejects arbitrary padding bytes. Also test what happens when the MAC is correct, but there is no padding. This is the case that triggers a failing padding_ok check after the MAC check on padding_len = 0 passes. Change-Id: Ia1444c526437899fc57ceafcbcef9c8f5cb9a6c5 Reviewed-on: https://boringssl-review.googlesource.com/2702 Reviewed-by: Adam Langley <agl@google.com>kris/onging/CECPQ3_patch15
David Benjamin
9 years ago
committed by
Adam Langley
Adam Langley
14 changed files with 567 additions and 84 deletions
Split View
Diff Options
-
+83 -65crypto/cipher/aead_test.c
-
+32 -0crypto/cipher/test/aes_128_cbc_sha1_ssl3_tests.txt
-
+32 -0crypto/cipher/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt
-
+32 -0crypto/cipher/test/aes_128_cbc_sha1_tls_tests.txt
-
+32 -0crypto/cipher/test/aes_128_cbc_sha256_tls_tests.txt
-
+32 -0crypto/cipher/test/aes_256_cbc_sha1_ssl3_tests.txt
-
+32 -0crypto/cipher/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt
-
+32 -0crypto/cipher/test/aes_256_cbc_sha1_tls_tests.txt
-
+32 -0crypto/cipher/test/aes_256_cbc_sha256_tls_tests.txt
-
+32 -0crypto/cipher/test/aes_256_cbc_sha384_tls_tests.txt
-
+32 -0crypto/cipher/test/des_ede3_cbc_sha1_ssl3_tests.txt
-
+32 -0crypto/cipher/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt
-
+32 -0crypto/cipher/test/des_ede3_cbc_sha1_tls_tests.txt
-
+100 -19crypto/cipher/test/make_legacy_aead_tests.go
+ 83
- 65
crypto/cipher/aead_test.c
View File
| @@ -51,11 +51,14 @@ enum { | |||
| CT, /* hex encoded ciphertext (not including the authenticator, | |||
| which is next). */ | |||
| TAG, /* hex encoded authenticator. */ | |||
| NO_SEAL, /* non-zero length if seal(IN) is not expected to be CT+TAG, | |||
| however open(CT+TAG) should still be IN. */ | |||
| FAILS, /* non-zero length if open(CT+TAG) is expected to fail. */ | |||
| NUM_TYPES, | |||
| }; | |||
| static const char NAMES[6][NUM_TYPES] = { | |||
| "KEY", "NONCE", "IN", "AD", "CT", "TAG", | |||
| static const char NAMES[8][NUM_TYPES] = { | |||
| "KEY", "NONCE", "IN", "AD", "CT", "TAG", "NO_SEAL", "FAILS", | |||
| }; | |||
| static unsigned char hex_digit(char h) { | |||
| @@ -84,27 +87,33 @@ static int run_test_case(const EVP_AEAD *aead, | |||
| return 0; | |||
| } | |||
| if (!EVP_AEAD_CTX_seal(&ctx, out, &ciphertext_len, sizeof(out), bufs[NONCE], | |||
| lengths[NONCE], bufs[IN], lengths[IN], bufs[AD], | |||
| lengths[AD])) { | |||
| fprintf(stderr, "Failed to run AEAD on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| if (!lengths[NO_SEAL]) { | |||
| if (!EVP_AEAD_CTX_seal(&ctx, out, &ciphertext_len, sizeof(out), bufs[NONCE], | |||
| lengths[NONCE], bufs[IN], lengths[IN], bufs[AD], | |||
| lengths[AD])) { | |||
| fprintf(stderr, "Failed to run AEAD on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| if (ciphertext_len != lengths[CT] + lengths[TAG]) { | |||
| fprintf(stderr, "Bad output length on line %u: %u vs %u\n", line_no, | |||
| (unsigned)ciphertext_len, (unsigned)(lengths[CT] + lengths[TAG])); | |||
| return 0; | |||
| } | |||
| if (ciphertext_len != lengths[CT] + lengths[TAG]) { | |||
| fprintf(stderr, "Bad output length on line %u: %u vs %u\n", line_no, | |||
| (unsigned)ciphertext_len, (unsigned)(lengths[CT] + lengths[TAG])); | |||
| return 0; | |||
| } | |||
| if (memcmp(out, bufs[CT], lengths[CT]) != 0) { | |||
| fprintf(stderr, "Bad output on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| if (memcmp(out, bufs[CT], lengths[CT]) != 0) { | |||
| fprintf(stderr, "Bad output on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| if (memcmp(out + lengths[CT], bufs[TAG], lengths[TAG]) != 0) { | |||
| fprintf(stderr, "Bad tag on line %u\n", line_no); | |||
| return 0; | |||
| if (memcmp(out + lengths[CT], bufs[TAG], lengths[TAG]) != 0) { | |||
| fprintf(stderr, "Bad tag on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| } else { | |||
| memcpy(out, bufs[CT], lengths[CT]); | |||
| memcpy(out + lengths[CT], bufs[TAG], lengths[TAG]); | |||
| ciphertext_len = lengths[CT] + lengths[TAG]; | |||
| } | |||
| /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be | |||
| @@ -118,56 +127,65 @@ static int run_test_case(const EVP_AEAD *aead, | |||
| /* The "stateful" AEADs require |max_out| be |in_len| despite the final | |||
| * output always being smaller by at least tag length. */ | |||
| if (!EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len, | |||
| bufs[NONCE], lengths[NONCE], out, ciphertext_len, | |||
| bufs[AD], lengths[AD])) { | |||
| fprintf(stderr, "Failed to decrypt on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| if (plaintext_len != lengths[IN]) { | |||
| fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no, | |||
| (unsigned)ciphertext_len); | |||
| return 0; | |||
| } | |||
| int ret = EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len, | |||
| bufs[NONCE], lengths[NONCE], out, ciphertext_len, | |||
| bufs[AD], lengths[AD]); | |||
| if (lengths[FAILS]) { | |||
| if (ret) { | |||
| fprintf(stderr, "Decrypted bad data on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| ERR_clear_error(); | |||
| } else { | |||
| if (!ret) { | |||
| fprintf(stderr, "Failed to decrypt on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be | |||
| * reset after each operation. */ | |||
| EVP_AEAD_CTX_cleanup(&ctx); | |||
| if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG], | |||
| NULL)) { | |||
| fprintf(stderr, "Failed to init AEAD on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| if (plaintext_len != lengths[IN]) { | |||
| fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no, | |||
| (unsigned)ciphertext_len); | |||
| return 0; | |||
| } | |||
| /* Garbage at the end isn't ignored. */ | |||
| out[ciphertext_len] = 0; | |||
| if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len + 1, bufs[NONCE], | |||
| lengths[NONCE], out, ciphertext_len + 1, bufs[AD], | |||
| lengths[AD])) { | |||
| fprintf(stderr, "Decrypted bad data on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| ERR_clear_error(); | |||
| /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be | |||
| * reset after each operation. */ | |||
| EVP_AEAD_CTX_cleanup(&ctx); | |||
| if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG], | |||
| NULL)) { | |||
| fprintf(stderr, "Failed to init AEAD on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be | |||
| * reset after each operation. */ | |||
| EVP_AEAD_CTX_cleanup(&ctx); | |||
| if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG], | |||
| NULL)) { | |||
| fprintf(stderr, "Failed to init AEAD on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be | |||
| * reset after each operation. */ | |||
| EVP_AEAD_CTX_cleanup(&ctx); | |||
| if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG], | |||
| NULL)) { | |||
| fprintf(stderr, "Failed to init AEAD on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| /* Verify integrity is checked. */ | |||
| out[0] ^= 0x80; | |||
| if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len, bufs[NONCE], | |||
| lengths[NONCE], out, ciphertext_len, bufs[AD], | |||
| lengths[AD])) { | |||
| fprintf(stderr, "Decrypted bad data on line %u\n", line_no); | |||
| return 0; | |||
| /* Garbage at the end isn't ignored. */ | |||
| out[ciphertext_len] = 0; | |||
| if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len + 1, | |||
| bufs[NONCE], lengths[NONCE], out, ciphertext_len + 1, | |||
| bufs[AD], lengths[AD])) { | |||
| fprintf(stderr, "Decrypted bad data on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| ERR_clear_error(); | |||
| /* Verify integrity is checked. */ | |||
| out[0] ^= 0x80; | |||
| if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len, bufs[NONCE], | |||
| lengths[NONCE], out, ciphertext_len, bufs[AD], | |||
| lengths[AD])) { | |||
| fprintf(stderr, "Decrypted bad data on line %u\n", line_no); | |||
| return 0; | |||
| } | |||
| ERR_clear_error(); | |||
| } | |||
| ERR_clear_error(); | |||
| EVP_AEAD_CTX_cleanup(&ctx); | |||
| return 1; | |||
+ 32
- 0
crypto/cipher/test/aes_128_cbc_sha1_ssl3_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||
| KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6 | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c6 | |||
| CT: b7b9920735d05707f3640947f30968fd28b859368f54f0640312ac25 | |||
| TAG: 0fd5c300f0bc1e4c696b6b18c7049fba428940f5 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||
| KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6 | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c6 | |||
| CT: b7b9920735d05707f3640947 | |||
| TAG: f30968fda5d36eed80b2be5e31b53279d1ffabe8 | |||
| NO_SEAL: 01 | |||
| # Test with no padding. | |||
| # DIGEST: eef6209c94b929218349114d6ef8d5c1fb3f7107 | |||
| KEY: efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99 | |||
| NONCE: | |||
| IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||
| AD: 1df3f4183aa23fd8d7 | |||
| CT: cd8df431309589084bfa5bcce99cbe08433cba6fd69fbb3e22a492644f3dfa7697d9bec176735e241721025b | |||
| TAG: 158cf6c3158503d5e540f784482988db925b4405 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f | |||
| KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1 | |||
| NONCE: | |||
+ 32
- 0
crypto/cipher/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: c6281c1cd562c1935946013b946a2342f00e08a2a3e0f0bf6c98426d | |||
| TAG: ce5d0ff98773f9560831e8ef348f50b35a2fbbf2 | |||
| NO_SEAL: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: c6281c1cd562c1935946013b | |||
| TAG: 946a234257dce6ada126887baada8ee4e2b9f5ee | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with no padding. | |||
| # DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||
| KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e | |||
| NONCE: | |||
| IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||
| AD: 1df3f4183aa23fd8d7efd8 | |||
| CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f2710974350a2a38a13b0434d312 | |||
| TAG: ead153f0c9488b88357e81187178465d2416ca97 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | |||
| KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9 | |||
| NONCE: | |||
+ 32
- 0
crypto/cipher/test/aes_128_cbc_sha1_tls_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8 | |||
| NONCE: d7efd88503f78b8ed1c8e9ba2fd6773e | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: c6281c1cd562c1935946013b946a2342f00e08a2a3e0f0bf6c98426d | |||
| TAG: ce5d0ff98773f9560831e8ef348f50b35a2fbbf2 | |||
| NO_SEAL: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8 | |||
| NONCE: d7efd88503f78b8ed1c8e9ba2fd6773e | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: c6281c1cd562c1935946013b | |||
| TAG: 946a234257dce6ada126887baada8ee4e2b9f5ee | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with no padding. | |||
| # DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||
| KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d | |||
| NONCE: c55b436965aabe477e0cdd46be99371e | |||
| IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||
| AD: 1df3f4183aa23fd8d7efd8 | |||
| CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f2710974350a2a38a13b0434d312 | |||
| TAG: ead153f0c9488b88357e81187178465d2416ca97 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | |||
| KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4 | |||
| NONCE: 183aa23fd8d7efd88503f78b8ed1c8e9 | |||
+ 32
- 0
crypto/cipher/test/aes_128_cbc_sha256_tls_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba | |||
| NONCE: 2fd6773e0d0c302a5f47e037446f5891 | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: d25f286de17a05e3727d1399c895b02464357998b11b7f98525ac704f9cd130a | |||
| TAG: ced325c6691591a3f137a8cf4d6332b007edc59c516e3641b9c0e02fe218521e | |||
| NO_SEAL: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba | |||
| NONCE: 2fd6773e0d0c302a5f47e037446f5891 | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: d25f286de17a05e3727d1399c895b024 | |||
| TAG: 64357998b11b7f98525ac704f9cd130a810efebe69fd479ccc46f0cd15a2ba47 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with no padding. | |||
| # DIGEST: 3519ab2b2943d2a50996628f6c26bea29f84c95af4c128cc3af012bb358ee9f7 | |||
| KEY: 481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d | |||
| NONCE: c55b436965aabe477e0cdd46be99371e | |||
| IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8 | |||
| AD: afa22993a340b9b3c589c7 | |||
| CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f271 | |||
| TAG: 713c1f8817ca022f454f0c6c7d6efea46b86d79baaa4341843404a416f301640 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: f1402641d69b3d67d63e5bd137ba006c70582fc0ac760c7cc005f22b69aead4b | |||
| KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b | |||
| NONCE: 8ed1c8e9ba2fd6773e0d0c302a5f47e0 | |||
+ 32
- 0
crypto/cipher/test/aes_256_cbc_sha1_ssl3_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||
| KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c6 | |||
| CT: c38859c09150f4c2dcbd409a6ff0d4d748ec14027a3a88c8117b119c | |||
| TAG: 2fbbebe4693c8fa8e966cac88a81834c0d8ff6ff | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||
| KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c6 | |||
| CT: c38859c09150f4c2dcbd409a | |||
| TAG: 6ff0d4d77699ab8772483a69168bd80c869b5f30 | |||
| NO_SEAL: 01 | |||
| # Test with no padding. | |||
| # DIGEST: eef6209c94b929218349114d6ef8d5c1fb3f7107 | |||
| KEY: efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39 | |||
| NONCE: | |||
| IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||
| AD: 1df3f4183aa23fd8d7 | |||
| CT: c24738f07b81998c80b1c66a0d4e9c4c2f6c80c13eb9e557e70768f86382a300724998cfc1b0850270e9b4c4 | |||
| TAG: 25ab146e770a444418e57b6ab4bbcb78b2f1140c | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f | |||
| KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e03744 | |||
| NONCE: | |||
+ 32
- 0
crypto/cipher/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660 | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: d88861dcbb181ebd603365ed262b8f2faf5b86ab90a8930bfc0c55cb | |||
| TAG: 9f1c88defe20893b2d5eb8ee6809c2452f302315 | |||
| NO_SEAL: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660 | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: d88861dcbb181ebd603365ed | |||
| TAG: 262b8f2f50b02faefb172ea4c7478e6f7477abf5 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with no padding. | |||
| # DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||
| KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0 | |||
| NONCE: | |||
| IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||
| AD: 1df3f4183aa23fd8d7efd8 | |||
| CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae14b500b94927f24ff6a4f7b07 | |||
| TAG: ec90d128ef465f4a3645fd0b2601fbe2b0bceae2 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | |||
| KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f58 | |||
| NONCE: | |||
+ 32
- 0
crypto/cipher/test/aes_256_cbc_sha1_tls_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||
| NONCE: 0d0c302a5f47e037446f5891d77df660 | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: d88861dcbb181ebd603365ed262b8f2faf5b86ab90a8930bfc0c55cb | |||
| TAG: 9f1c88defe20893b2d5eb8ee6809c2452f302315 | |||
| NO_SEAL: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||
| NONCE: 0d0c302a5f47e037446f5891d77df660 | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: d88861dcbb181ebd603365ed | |||
| TAG: 262b8f2f50b02faefb172ea4c7478e6f7477abf5 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with no padding. | |||
| # DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||
| KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e | |||
| NONCE: b8da7dac997deafd64b1fc65de39f4f0 | |||
| IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||
| AD: 1df3f4183aa23fd8d7efd8 | |||
| CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae14b500b94927f24ff6a4f7b07 | |||
| TAG: ec90d128ef465f4a3645fd0b2601fbe2b0bceae2 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | |||
| KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9 | |||
| NONCE: ba2fd6773e0d0c302a5f47e037446f58 | |||
+ 32
- 0
crypto/cipher/test/aes_256_cbc_sha256_tls_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891 | |||
| NONCE: d77df660ed82933f62be8dc55b436965 | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: 5485a389637bd49a1ea251ed03f3478129a62964bc26d5d16c69be13c2e657f1 | |||
| TAG: 0e971352bae57fd40d369aa902d9e8d365c498a4f4829af1a7e0da1bbd913e36 | |||
| NO_SEAL: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891 | |||
| NONCE: d77df660ed82933f62be8dc55b436965 | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: 5485a389637bd49a1ea251ed03f34781 | |||
| TAG: 29a62964bc26d5d16c69be13c2e657f1b36726df0f322286f368847fecaa5977 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with no padding. | |||
| # DIGEST: 3519ab2b2943d2a50996628f6c26bea29f84c95af4c128cc3af012bb358ee9f7 | |||
| KEY: 481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e | |||
| NONCE: b8da7dac997deafd64b1fc65de39f4f0 | |||
| IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8 | |||
| AD: afa22993a340b9b3c589c7 | |||
| CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae1 | |||
| TAG: bc33ca235ae35aad13e540cc9f0714dab00678652cc476d57c543967c39dddc9 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: f1402641d69b3d67d63e5bd137ba006c70582fc0ac760c7cc005f22b69aead4b | |||
| KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e0 | |||
| NONCE: 37446f5891d77df660ed82933f62be8d | |||
+ 32
- 0
crypto/cipher/test/aes_256_cbc_sha384_tls_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 2e661c639db0b3d4e89d27c55e03361e12fab46ed2e8c795f131ead30d185257790e87bcaf3af7fa0399583386f12648 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965 | |||
| NONCE: aabe477e0cdd46be99371eb8da7dac99 | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: f6f8de8547cadb667c8c823a2ff44444bdc80dc7de80e5faffb40880dcf4d20f | |||
| TAG: 706109ef1d8fb6bed697545eeb0060e7f680d30dd70e8ecd3135b7e01e895983de56fb0889a4ab0856040dba57e94dcb | |||
| NO_SEAL: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 2e661c639db0b3d4e89d27c55e03361e12fab46ed2e8c795f131ead30d185257790e87bcaf3af7fa0399583386f12648 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965 | |||
| NONCE: aabe477e0cdd46be99371eb8da7dac99 | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: f6f8de8547cadb667c8c823a2ff44444 | |||
| TAG: bdc80dc7de80e5faffb40880dcf4d20f706109ef1d8fb6bed697545eeb0060e77a4c251b2e25daddee81248b6d121fa2 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with no padding. | |||
| # DIGEST: 43a413967bf0fc76201e7b4427191338c74b86300fbb5a193e01a1a4c743a36168ec2f52433b8ad4075186e5c7fed1c0 | |||
| KEY: f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e | |||
| NONCE: b8da7dac997deafd64b1fc65de39f4f0 | |||
| IN: 936a91d0b5d2c0267218cb7090c61713 | |||
| AD: 86d641b87797b684e0fb56 | |||
| CT: c90e0c2567341ea7e9d968dbde46ecb4 | |||
| TAG: 8b4323f68c2cb1882cff4dd9ed10f49aa406481275509633d33028a0b510a77e780d4297ab8ad09b60445146ce85b21e | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: 2e6894abd3cfac4d4020094d02c6db6450cb7367b405443de9b5f2ab444b281848ef5da3aed9ebfc054ae89af094ddd6 | |||
| KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d | |||
| NONCE: c55b436965aabe477e0cdd46be99371e | |||
+ 32
- 0
crypto/cipher/test/des_ede3_cbc_sha1_ssl3_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||
| KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6 | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c6 | |||
| CT: 267abdc1b983e49bc0b906878f32d6a4c8181e7d | |||
| TAG: 5acf3fc5024062031c33e0801c44319a66c01882 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||
| KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6 | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c6 | |||
| CT: 267abdc1b983e49bc0b90687 | |||
| TAG: 8f32d6a4c8181e7d5acf3fc5a3bf9078433cc5a8 | |||
| NO_SEAL: 01 | |||
| # Test with no padding. | |||
| # DIGEST: eef6209c94b929218349114d6ef8d5c1fb3f7107 | |||
| KEY: efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99 | |||
| NONCE: | |||
| IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||
| AD: 1df3f4183aa23fd8d7 | |||
| CT: 66bbceb66b6010154b427f3a425cb4002071d7237093a9f29612e09cf241bcf9dbba5b5ef26c5f468763ee11 | |||
| TAG: 997c66a777945bb051934aa50dc6b8e3e58cd0b6 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f | |||
| KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1 | |||
| NONCE: | |||
+ 32
- 0
crypto/cipher/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: 144c98ca1f4a40ffe530b338e5173a8e62c8530b | |||
| TAG: 0c14b15046d12f2ca3158ad71effd0f46b29b3ae | |||
| NO_SEAL: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||
| NONCE: | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: 144c98ca1f4a40ffe530b338 | |||
| TAG: e5173a8e62c8530b0c14b15088f70f550ab57e02 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with no padding. | |||
| # DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||
| KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e | |||
| NONCE: | |||
| IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||
| AD: 1df3f4183aa23fd8d7efd8 | |||
| CT: 17944422f667bf1356c234189f9c6cf7af52b2832b2fbaa990ccef4e7f9bc3841e59e25c00e3686d5bd5c29f | |||
| TAG: 3ebd1b0bee840e8a6e992421c62de5a8fda3a82f | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | |||
| KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9 | |||
| NONCE: | |||
+ 32
- 0
crypto/cipher/test/des_ede3_cbc_sha1_tls_tests.txt
View File
| @@ -6,6 +6,38 @@ | |||
| # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | |||
| # each test case. | |||
| # Test with non-minimal padding. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8e | |||
| NONCE: d1c8e9ba2fd6773e | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: 144c98ca1f4a40ffe530b338e5173a8e62c8530b | |||
| TAG: 0c14b15046d12f2ca3158ad71effd0f46b29b3ae | |||
| NO_SEAL: 01 | |||
| # Test with bad padding values. | |||
| # DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||
| KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8e | |||
| NONCE: d1c8e9ba2fd6773e | |||
| IN: 936a91d0b5 | |||
| AD: d2c0267218cb7090c61713 | |||
| CT: 144c98ca1f4a40ffe530b338 | |||
| TAG: e5173a8e62c8530b0c14b15088f70f550ab57e02 | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # Test with no padding. | |||
| # DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||
| KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe47 | |||
| NONCE: 7e0cdd46be99371e | |||
| IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||
| AD: 1df3f4183aa23fd8d7efd8 | |||
| CT: 17944422f667bf1356c234189f9c6cf7af52b2832b2fbaa990ccef4e7f9bc3841e59e25c00e3686d5bd5c29f | |||
| TAG: 3ebd1b0bee840e8a6e992421c62de5a8fda3a82f | |||
| NO_SEAL: 01 | |||
| FAILS: 01 | |||
| # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | |||
| KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd8 | |||
| NONCE: 8503f78b8ed1c8e9 | |||
+ 100
- 19
crypto/cipher/test/make_legacy_aead_tests.go
View File
| @@ -118,9 +118,22 @@ type testCase struct { | |||
| ad []byte | |||
| ciphertext []byte | |||
| tag []byte | |||
| noSeal bool | |||
| fails bool | |||
| } | |||
| func makeTestCase(length int) (*testCase, error) { | |||
| // options adds additional options for a test. | |||
| type options struct { | |||
| // extraPadding causes an extra block of padding to be added. | |||
| extraPadding bool | |||
| // wrongPadding causes one of the padding bytes to be wrong. | |||
| wrongPadding bool | |||
| // noPadding causes padding is to be omitted. The plaintext + MAC must | |||
| // be a multiple of the block size. | |||
| noPadding bool | |||
| } | |||
| func makeTestCase(length int, options options) (*testCase, error) { | |||
| rand, err := newRc4Stream("input stream") | |||
| if err != nil { | |||
| return nil, err | |||
| @@ -171,6 +184,7 @@ func makeTestCase(length int) (*testCase, error) { | |||
| var fixedIV []byte | |||
| var nonce []byte | |||
| var sealed []byte | |||
| var noSeal, fails bool | |||
| if *bulkCipher == "rc4" { | |||
| if *implicitIV { | |||
| return nil, fmt.Errorf("implicit IV enabled on a stream cipher") | |||
| @@ -205,18 +219,39 @@ func makeTestCase(length int) (*testCase, error) { | |||
| sealed = append(sealed, input...) | |||
| sealed = append(sealed, digest...) | |||
| paddingLen := cbc.BlockSize() - (len(sealed) % cbc.BlockSize()) | |||
| // TODO(davidben): Add tests for non-minimal padding (SSL3 | |||
| // forbids, TLS allows) and arbitrary padding bytes (SSL3 | |||
| // allows, TLS forbids). | |||
| if *ssl3 { | |||
| sealed = append(sealed, make([]byte, paddingLen-1)...) | |||
| sealed = append(sealed, byte(paddingLen-1)) | |||
| if options.noPadding { | |||
| if paddingLen != cbc.BlockSize() { | |||
| return nil, fmt.Errorf("invalid length for noPadding") | |||
| } | |||
| noSeal = true | |||
| fails = true | |||
| } else { | |||
| pad := make([]byte, paddingLen) | |||
| for i := range pad { | |||
| pad[i] = byte(paddingLen - 1) | |||
| if options.extraPadding { | |||
| paddingLen += cbc.BlockSize() | |||
| noSeal = true | |||
| if *ssl3 { | |||
| // SSLv3 padding must be minimal. | |||
| fails = true | |||
| } | |||
| } | |||
| if *ssl3 { | |||
| sealed = append(sealed, make([]byte, paddingLen-1)...) | |||
| sealed = append(sealed, byte(paddingLen-1)) | |||
| } else { | |||
| pad := make([]byte, paddingLen) | |||
| for i := range pad { | |||
| pad[i] = byte(paddingLen - 1) | |||
| } | |||
| sealed = append(sealed, pad...) | |||
| } | |||
| if options.wrongPadding && paddingLen > 1 { | |||
| sealed[len(sealed)-2]++ | |||
| noSeal = true | |||
| if !*ssl3 { | |||
| // TLS specifies the all the padding bytes. | |||
| fails = true | |||
| } | |||
| } | |||
| sealed = append(sealed, pad...) | |||
| } | |||
| cbc.CryptBlocks(sealed, sealed) | |||
| } | |||
| @@ -233,10 +268,28 @@ func makeTestCase(length int) (*testCase, error) { | |||
| ad: ad, | |||
| ciphertext: sealed[:len(sealed)-hash.Size()], | |||
| tag: sealed[len(sealed)-hash.Size():], | |||
| noSeal: noSeal, | |||
| fails: fails, | |||
| } | |||
| return t, nil | |||
| } | |||
| func printTestCase(t *testCase) { | |||
| fmt.Printf("# DIGEST: %s\n", hex.EncodeToString(t.digest)) | |||
| fmt.Printf("KEY: %s\n", hex.EncodeToString(t.key)) | |||
| fmt.Printf("NONCE: %s\n", hex.EncodeToString(t.nonce)) | |||
| fmt.Printf("IN: %s\n", hex.EncodeToString(t.input)) | |||
| fmt.Printf("AD: %s\n", hex.EncodeToString(t.ad)) | |||
| fmt.Printf("CT: %s\n", hex.EncodeToString(t.ciphertext)) | |||
| fmt.Printf("TAG: %s\n", hex.EncodeToString(t.tag)) | |||
| if t.noSeal { | |||
| fmt.Printf("NO_SEAL: 01\n") | |||
| } | |||
| if t.fails { | |||
| fmt.Printf("FAILS: 01\n") | |||
| } | |||
| } | |||
| func main() { | |||
| flag.Parse() | |||
| @@ -256,21 +309,49 @@ func main() { | |||
| fmt.Printf("# each test case.\n") | |||
| fmt.Printf("\n") | |||
| // For CBC-mode ciphers, emit tests for padding flexibility. | |||
| if *bulkCipher != "rc4" { | |||
| fmt.Printf("# Test with non-minimal padding.\n") | |||
| t, err := makeTestCase(5, options{extraPadding: true}) | |||
| if err != nil { | |||
| fmt.Fprintf(os.Stderr, "%s\n", err) | |||
| os.Exit(1) | |||
| } | |||
| printTestCase(t) | |||
| fmt.Printf("\n") | |||
| fmt.Printf("# Test with bad padding values.\n") | |||
| t, err = makeTestCase(5, options{wrongPadding: true}) | |||
| if err != nil { | |||
| fmt.Fprintf(os.Stderr, "%s\n", err) | |||
| os.Exit(1) | |||
| } | |||
| printTestCase(t) | |||
| fmt.Printf("\n") | |||
| fmt.Printf("# Test with no padding.\n") | |||
| hash, ok := getHash(*mac) | |||
| if !ok { | |||
| panic("unknown hash") | |||
| } | |||
| t, err = makeTestCase(64-hash.Size(), options{noPadding: true}) | |||
| if err != nil { | |||
| fmt.Fprintf(os.Stderr, "%s\n", err) | |||
| os.Exit(1) | |||
| } | |||
| printTestCase(t) | |||
| fmt.Printf("\n") | |||
| } | |||
| // Generate long enough of input to cover a non-zero num_starting_blocks | |||
| // value in the constant-time CBC logic. | |||
| for l := 0; l < 500; l += 5 { | |||
| t, err := makeTestCase(l) | |||
| t, err := makeTestCase(l, options{}) | |||
| if err != nil { | |||
| fmt.Fprintf(os.Stderr, "%s\n", err) | |||
| os.Exit(1) | |||
| } | |||
| fmt.Printf("# DIGEST: %s\n", hex.EncodeToString(t.digest)) | |||
| fmt.Printf("KEY: %s\n", hex.EncodeToString(t.key)) | |||
| fmt.Printf("NONCE: %s\n", hex.EncodeToString(t.nonce)) | |||
| fmt.Printf("IN: %s\n", hex.EncodeToString(t.input)) | |||
| fmt.Printf("AD: %s\n", hex.EncodeToString(t.ad)) | |||
| fmt.Printf("CT: %s\n", hex.EncodeToString(t.ciphertext)) | |||
| fmt.Printf("TAG: %s\n", hex.EncodeToString(t.tag)) | |||
| printTestCase(t) | |||
| fmt.Printf("\n") | |||
| } | |||
| } | |||