Test that SSLv3 accepts arbitrary padding bytes (hello, POODLE) and rejects non-minimal padding, while TLS accepts non-minimal padding but rejects arbitrary padding bytes. Also test what happens when the MAC is correct, but there is no padding. This is the case that triggers a failing padding_ok check after the MAC check on padding_len = 0 passes. Change-Id: Ia1444c526437899fc57ceafcbcef9c8f5cb9a6c5 Reviewed-on: https://boringssl-review.googlesource.com/2702 Reviewed-by: Adam Langley <agl@google.com>kris/onging/CECPQ3_patch15
@@ -51,11 +51,14 @@ enum { | |||||
CT, /* hex encoded ciphertext (not including the authenticator, | CT, /* hex encoded ciphertext (not including the authenticator, | ||||
which is next). */ | which is next). */ | ||||
TAG, /* hex encoded authenticator. */ | TAG, /* hex encoded authenticator. */ | ||||
NO_SEAL, /* non-zero length if seal(IN) is not expected to be CT+TAG, | |||||
however open(CT+TAG) should still be IN. */ | |||||
FAILS, /* non-zero length if open(CT+TAG) is expected to fail. */ | |||||
NUM_TYPES, | NUM_TYPES, | ||||
}; | }; | ||||
static const char NAMES[6][NUM_TYPES] = { | |||||
"KEY", "NONCE", "IN", "AD", "CT", "TAG", | |||||
static const char NAMES[8][NUM_TYPES] = { | |||||
"KEY", "NONCE", "IN", "AD", "CT", "TAG", "NO_SEAL", "FAILS", | |||||
}; | }; | ||||
static unsigned char hex_digit(char h) { | static unsigned char hex_digit(char h) { | ||||
@@ -84,27 +87,33 @@ static int run_test_case(const EVP_AEAD *aead, | |||||
return 0; | return 0; | ||||
} | } | ||||
if (!EVP_AEAD_CTX_seal(&ctx, out, &ciphertext_len, sizeof(out), bufs[NONCE], | |||||
lengths[NONCE], bufs[IN], lengths[IN], bufs[AD], | |||||
lengths[AD])) { | |||||
fprintf(stderr, "Failed to run AEAD on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
if (!lengths[NO_SEAL]) { | |||||
if (!EVP_AEAD_CTX_seal(&ctx, out, &ciphertext_len, sizeof(out), bufs[NONCE], | |||||
lengths[NONCE], bufs[IN], lengths[IN], bufs[AD], | |||||
lengths[AD])) { | |||||
fprintf(stderr, "Failed to run AEAD on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
if (ciphertext_len != lengths[CT] + lengths[TAG]) { | |||||
fprintf(stderr, "Bad output length on line %u: %u vs %u\n", line_no, | |||||
(unsigned)ciphertext_len, (unsigned)(lengths[CT] + lengths[TAG])); | |||||
return 0; | |||||
} | |||||
if (ciphertext_len != lengths[CT] + lengths[TAG]) { | |||||
fprintf(stderr, "Bad output length on line %u: %u vs %u\n", line_no, | |||||
(unsigned)ciphertext_len, (unsigned)(lengths[CT] + lengths[TAG])); | |||||
return 0; | |||||
} | |||||
if (memcmp(out, bufs[CT], lengths[CT]) != 0) { | |||||
fprintf(stderr, "Bad output on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
if (memcmp(out, bufs[CT], lengths[CT]) != 0) { | |||||
fprintf(stderr, "Bad output on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
if (memcmp(out + lengths[CT], bufs[TAG], lengths[TAG]) != 0) { | |||||
fprintf(stderr, "Bad tag on line %u\n", line_no); | |||||
return 0; | |||||
if (memcmp(out + lengths[CT], bufs[TAG], lengths[TAG]) != 0) { | |||||
fprintf(stderr, "Bad tag on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
} else { | |||||
memcpy(out, bufs[CT], lengths[CT]); | |||||
memcpy(out + lengths[CT], bufs[TAG], lengths[TAG]); | |||||
ciphertext_len = lengths[CT] + lengths[TAG]; | |||||
} | } | ||||
/* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be | /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be | ||||
@@ -118,56 +127,65 @@ static int run_test_case(const EVP_AEAD *aead, | |||||
/* The "stateful" AEADs require |max_out| be |in_len| despite the final | /* The "stateful" AEADs require |max_out| be |in_len| despite the final | ||||
* output always being smaller by at least tag length. */ | * output always being smaller by at least tag length. */ | ||||
if (!EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len, | |||||
bufs[NONCE], lengths[NONCE], out, ciphertext_len, | |||||
bufs[AD], lengths[AD])) { | |||||
fprintf(stderr, "Failed to decrypt on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
if (plaintext_len != lengths[IN]) { | |||||
fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no, | |||||
(unsigned)ciphertext_len); | |||||
return 0; | |||||
} | |||||
int ret = EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len, | |||||
bufs[NONCE], lengths[NONCE], out, ciphertext_len, | |||||
bufs[AD], lengths[AD]); | |||||
if (lengths[FAILS]) { | |||||
if (ret) { | |||||
fprintf(stderr, "Decrypted bad data on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
ERR_clear_error(); | |||||
} else { | |||||
if (!ret) { | |||||
fprintf(stderr, "Failed to decrypt on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
/* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be | |||||
* reset after each operation. */ | |||||
EVP_AEAD_CTX_cleanup(&ctx); | |||||
if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG], | |||||
NULL)) { | |||||
fprintf(stderr, "Failed to init AEAD on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
if (plaintext_len != lengths[IN]) { | |||||
fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no, | |||||
(unsigned)ciphertext_len); | |||||
return 0; | |||||
} | |||||
/* Garbage at the end isn't ignored. */ | |||||
out[ciphertext_len] = 0; | |||||
if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len + 1, bufs[NONCE], | |||||
lengths[NONCE], out, ciphertext_len + 1, bufs[AD], | |||||
lengths[AD])) { | |||||
fprintf(stderr, "Decrypted bad data on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
ERR_clear_error(); | |||||
/* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be | |||||
* reset after each operation. */ | |||||
EVP_AEAD_CTX_cleanup(&ctx); | |||||
if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG], | |||||
NULL)) { | |||||
fprintf(stderr, "Failed to init AEAD on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
/* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be | |||||
* reset after each operation. */ | |||||
EVP_AEAD_CTX_cleanup(&ctx); | |||||
if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG], | |||||
NULL)) { | |||||
fprintf(stderr, "Failed to init AEAD on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
/* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be | |||||
* reset after each operation. */ | |||||
EVP_AEAD_CTX_cleanup(&ctx); | |||||
if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG], | |||||
NULL)) { | |||||
fprintf(stderr, "Failed to init AEAD on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
/* Verify integrity is checked. */ | |||||
out[0] ^= 0x80; | |||||
if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len, bufs[NONCE], | |||||
lengths[NONCE], out, ciphertext_len, bufs[AD], | |||||
lengths[AD])) { | |||||
fprintf(stderr, "Decrypted bad data on line %u\n", line_no); | |||||
return 0; | |||||
/* Garbage at the end isn't ignored. */ | |||||
out[ciphertext_len] = 0; | |||||
if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len + 1, | |||||
bufs[NONCE], lengths[NONCE], out, ciphertext_len + 1, | |||||
bufs[AD], lengths[AD])) { | |||||
fprintf(stderr, "Decrypted bad data on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
ERR_clear_error(); | |||||
/* Verify integrity is checked. */ | |||||
out[0] ^= 0x80; | |||||
if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len, bufs[NONCE], | |||||
lengths[NONCE], out, ciphertext_len, bufs[AD], | |||||
lengths[AD])) { | |||||
fprintf(stderr, "Decrypted bad data on line %u\n", line_no); | |||||
return 0; | |||||
} | |||||
ERR_clear_error(); | |||||
} | } | ||||
ERR_clear_error(); | |||||
EVP_AEAD_CTX_cleanup(&ctx); | EVP_AEAD_CTX_cleanup(&ctx); | ||||
return 1; | return 1; | ||||
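Review bot: The new NO_SEAL `else` branch in the second hunk copies `bufs[CT]` and `bufs[TAG]` into `out` without checking that `lengths[CT] + lengths[TAG]` fits, whereas the seal path is bounded by `sizeof(out)`. The declarations of `out` and `bufs` are outside the hunks, so whether two long fields can overrun the buffer should be confirmed. A guard before the copies would make a malformed vector file fail cleanly: `if (lengths[CT] + lengths[TAG] >= sizeof(out)) { fprintf(stderr, "CT+TAG too long on line %u\n", line_no); return 0; }`, using `>=` because the later trailing-garbage check writes `out[ciphertext_len]`. Separately, the success path in the third hunk only compares `plaintext_len` with `lengths[IN]`, so the padding cases expected to succeed never confirm that open(CT+TAG) yields IN as the enum comment promises; adding `if (memcmp(out2, bufs[IN], plaintext_len) != 0) { fprintf(stderr, "Bad plaintext on line %u\n", line_no); return 0; }` after the length check would cover that. run_test_case begins before these hunks.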
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||||
KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6 | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c6 | |||||
CT: b7b9920735d05707f3640947f30968fd28b859368f54f0640312ac25 | |||||
TAG: 0fd5c300f0bc1e4c696b6b18c7049fba428940f5 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||||
KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6 | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c6 | |||||
CT: b7b9920735d05707f3640947 | |||||
TAG: f30968fda5d36eed80b2be5e31b53279d1ffabe8 | |||||
NO_SEAL: 01 | |||||
# Test with no padding. | |||||
# DIGEST: eef6209c94b929218349114d6ef8d5c1fb3f7107 | |||||
KEY: efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99 | |||||
NONCE: | |||||
IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||||
AD: 1df3f4183aa23fd8d7 | |||||
CT: cd8df431309589084bfa5bcce99cbe08433cba6fd69fbb3e22a492644f3dfa7697d9bec176735e241721025b | |||||
TAG: 158cf6c3158503d5e540f784482988db925b4405 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f | # DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f | ||||
KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1 | KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1 | ||||
NONCE: | NONCE: | ||||
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: c6281c1cd562c1935946013b946a2342f00e08a2a3e0f0bf6c98426d | |||||
TAG: ce5d0ff98773f9560831e8ef348f50b35a2fbbf2 | |||||
NO_SEAL: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: c6281c1cd562c1935946013b | |||||
TAG: 946a234257dce6ada126887baada8ee4e2b9f5ee | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with no padding. | |||||
# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||||
KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e | |||||
NONCE: | |||||
IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||||
AD: 1df3f4183aa23fd8d7efd8 | |||||
CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f2710974350a2a38a13b0434d312 | |||||
TAG: ead153f0c9488b88357e81187178465d2416ca97 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | ||||
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9 | KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9 | ||||
NONCE: | NONCE: | ||||
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8 | |||||
NONCE: d7efd88503f78b8ed1c8e9ba2fd6773e | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: c6281c1cd562c1935946013b946a2342f00e08a2a3e0f0bf6c98426d | |||||
TAG: ce5d0ff98773f9560831e8ef348f50b35a2fbbf2 | |||||
NO_SEAL: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8 | |||||
NONCE: d7efd88503f78b8ed1c8e9ba2fd6773e | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: c6281c1cd562c1935946013b | |||||
TAG: 946a234257dce6ada126887baada8ee4e2b9f5ee | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with no padding. | |||||
# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||||
KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d | |||||
NONCE: c55b436965aabe477e0cdd46be99371e | |||||
IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||||
AD: 1df3f4183aa23fd8d7efd8 | |||||
CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f2710974350a2a38a13b0434d312 | |||||
TAG: ead153f0c9488b88357e81187178465d2416ca97 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | ||||
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4 | KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4 | ||||
NONCE: 183aa23fd8d7efd88503f78b8ed1c8e9 | NONCE: 183aa23fd8d7efd88503f78b8ed1c8e9 | ||||
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba | |||||
NONCE: 2fd6773e0d0c302a5f47e037446f5891 | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: d25f286de17a05e3727d1399c895b02464357998b11b7f98525ac704f9cd130a | |||||
TAG: ced325c6691591a3f137a8cf4d6332b007edc59c516e3641b9c0e02fe218521e | |||||
NO_SEAL: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba | |||||
NONCE: 2fd6773e0d0c302a5f47e037446f5891 | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: d25f286de17a05e3727d1399c895b024 | |||||
TAG: 64357998b11b7f98525ac704f9cd130a810efebe69fd479ccc46f0cd15a2ba47 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with no padding. | |||||
# DIGEST: 3519ab2b2943d2a50996628f6c26bea29f84c95af4c128cc3af012bb358ee9f7 | |||||
KEY: 481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d | |||||
NONCE: c55b436965aabe477e0cdd46be99371e | |||||
IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8 | |||||
AD: afa22993a340b9b3c589c7 | |||||
CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f271 | |||||
TAG: 713c1f8817ca022f454f0c6c7d6efea46b86d79baaa4341843404a416f301640 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: f1402641d69b3d67d63e5bd137ba006c70582fc0ac760c7cc005f22b69aead4b | # DIGEST: f1402641d69b3d67d63e5bd137ba006c70582fc0ac760c7cc005f22b69aead4b | ||||
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b | KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b | ||||
NONCE: 8ed1c8e9ba2fd6773e0d0c302a5f47e0 | NONCE: 8ed1c8e9ba2fd6773e0d0c302a5f47e0 | ||||
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||||
KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c6 | |||||
CT: c38859c09150f4c2dcbd409a6ff0d4d748ec14027a3a88c8117b119c | |||||
TAG: 2fbbebe4693c8fa8e966cac88a81834c0d8ff6ff | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||||
KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c6 | |||||
CT: c38859c09150f4c2dcbd409a | |||||
TAG: 6ff0d4d77699ab8772483a69168bd80c869b5f30 | |||||
NO_SEAL: 01 | |||||
# Test with no padding. | |||||
# DIGEST: eef6209c94b929218349114d6ef8d5c1fb3f7107 | |||||
KEY: efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39 | |||||
NONCE: | |||||
IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||||
AD: 1df3f4183aa23fd8d7 | |||||
CT: c24738f07b81998c80b1c66a0d4e9c4c2f6c80c13eb9e557e70768f86382a300724998cfc1b0850270e9b4c4 | |||||
TAG: 25ab146e770a444418e57b6ab4bbcb78b2f1140c | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f | # DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f | ||||
KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e03744 | KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e03744 | ||||
NONCE: | NONCE: | ||||
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660 | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: d88861dcbb181ebd603365ed262b8f2faf5b86ab90a8930bfc0c55cb | |||||
TAG: 9f1c88defe20893b2d5eb8ee6809c2452f302315 | |||||
NO_SEAL: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660 | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: d88861dcbb181ebd603365ed | |||||
TAG: 262b8f2f50b02faefb172ea4c7478e6f7477abf5 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with no padding. | |||||
# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||||
KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0 | |||||
NONCE: | |||||
IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||||
AD: 1df3f4183aa23fd8d7efd8 | |||||
CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae14b500b94927f24ff6a4f7b07 | |||||
TAG: ec90d128ef465f4a3645fd0b2601fbe2b0bceae2 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | ||||
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f58 | KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f58 | ||||
NONCE: | NONCE: | ||||
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||||
NONCE: 0d0c302a5f47e037446f5891d77df660 | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: d88861dcbb181ebd603365ed262b8f2faf5b86ab90a8930bfc0c55cb | |||||
TAG: 9f1c88defe20893b2d5eb8ee6809c2452f302315 | |||||
NO_SEAL: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||||
NONCE: 0d0c302a5f47e037446f5891d77df660 | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: d88861dcbb181ebd603365ed | |||||
TAG: 262b8f2f50b02faefb172ea4c7478e6f7477abf5 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with no padding. | |||||
# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||||
KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e | |||||
NONCE: b8da7dac997deafd64b1fc65de39f4f0 | |||||
IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||||
AD: 1df3f4183aa23fd8d7efd8 | |||||
CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae14b500b94927f24ff6a4f7b07 | |||||
TAG: ec90d128ef465f4a3645fd0b2601fbe2b0bceae2 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | ||||
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9 | KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9 | ||||
NONCE: ba2fd6773e0d0c302a5f47e037446f58 | NONCE: ba2fd6773e0d0c302a5f47e037446f58 | ||||
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891 | |||||
NONCE: d77df660ed82933f62be8dc55b436965 | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: 5485a389637bd49a1ea251ed03f3478129a62964bc26d5d16c69be13c2e657f1 | |||||
TAG: 0e971352bae57fd40d369aa902d9e8d365c498a4f4829af1a7e0da1bbd913e36 | |||||
NO_SEAL: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891 | |||||
NONCE: d77df660ed82933f62be8dc55b436965 | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: 5485a389637bd49a1ea251ed03f34781 | |||||
TAG: 29a62964bc26d5d16c69be13c2e657f1b36726df0f322286f368847fecaa5977 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with no padding. | |||||
# DIGEST: 3519ab2b2943d2a50996628f6c26bea29f84c95af4c128cc3af012bb358ee9f7 | |||||
KEY: 481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e | |||||
NONCE: b8da7dac997deafd64b1fc65de39f4f0 | |||||
IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8 | |||||
AD: afa22993a340b9b3c589c7 | |||||
CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae1 | |||||
TAG: bc33ca235ae35aad13e540cc9f0714dab00678652cc476d57c543967c39dddc9 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: f1402641d69b3d67d63e5bd137ba006c70582fc0ac760c7cc005f22b69aead4b | # DIGEST: f1402641d69b3d67d63e5bd137ba006c70582fc0ac760c7cc005f22b69aead4b | ||||
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e0 | KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e0 | ||||
NONCE: 37446f5891d77df660ed82933f62be8d | NONCE: 37446f5891d77df660ed82933f62be8d | ||||
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 2e661c639db0b3d4e89d27c55e03361e12fab46ed2e8c795f131ead30d185257790e87bcaf3af7fa0399583386f12648 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965 | |||||
NONCE: aabe477e0cdd46be99371eb8da7dac99 | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: f6f8de8547cadb667c8c823a2ff44444bdc80dc7de80e5faffb40880dcf4d20f | |||||
TAG: 706109ef1d8fb6bed697545eeb0060e7f680d30dd70e8ecd3135b7e01e895983de56fb0889a4ab0856040dba57e94dcb | |||||
NO_SEAL: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 2e661c639db0b3d4e89d27c55e03361e12fab46ed2e8c795f131ead30d185257790e87bcaf3af7fa0399583386f12648 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965 | |||||
NONCE: aabe477e0cdd46be99371eb8da7dac99 | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: f6f8de8547cadb667c8c823a2ff44444 | |||||
TAG: bdc80dc7de80e5faffb40880dcf4d20f706109ef1d8fb6bed697545eeb0060e77a4c251b2e25daddee81248b6d121fa2 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with no padding. | |||||
# DIGEST: 43a413967bf0fc76201e7b4427191338c74b86300fbb5a193e01a1a4c743a36168ec2f52433b8ad4075186e5c7fed1c0 | |||||
KEY: f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e | |||||
NONCE: b8da7dac997deafd64b1fc65de39f4f0 | |||||
IN: 936a91d0b5d2c0267218cb7090c61713 | |||||
AD: 86d641b87797b684e0fb56 | |||||
CT: c90e0c2567341ea7e9d968dbde46ecb4 | |||||
TAG: 8b4323f68c2cb1882cff4dd9ed10f49aa406481275509633d33028a0b510a77e780d4297ab8ad09b60445146ce85b21e | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: 2e6894abd3cfac4d4020094d02c6db6450cb7367b405443de9b5f2ab444b281848ef5da3aed9ebfc054ae89af094ddd6 | # DIGEST: 2e6894abd3cfac4d4020094d02c6db6450cb7367b405443de9b5f2ab444b281848ef5da3aed9ebfc054ae89af094ddd6 | ||||
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d | KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d | ||||
NONCE: c55b436965aabe477e0cdd46be99371e | NONCE: c55b436965aabe477e0cdd46be99371e | ||||
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||||
KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6 | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c6 | |||||
CT: 267abdc1b983e49bc0b906878f32d6a4c8181e7d | |||||
TAG: 5acf3fc5024062031c33e0801c44319a66c01882 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a | |||||
KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6 | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c6 | |||||
CT: 267abdc1b983e49bc0b90687 | |||||
TAG: 8f32d6a4c8181e7d5acf3fc5a3bf9078433cc5a8 | |||||
NO_SEAL: 01 | |||||
# Test with no padding. | |||||
# DIGEST: eef6209c94b929218349114d6ef8d5c1fb3f7107 | |||||
KEY: efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99 | |||||
NONCE: | |||||
IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||||
AD: 1df3f4183aa23fd8d7 | |||||
CT: 66bbceb66b6010154b427f3a425cb4002071d7237093a9f29612e09cf241bcf9dbba5b5ef26c5f468763ee11 | |||||
TAG: 997c66a777945bb051934aa50dc6b8e3e58cd0b6 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f | # DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f | ||||
KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1 | KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1 | ||||
NONCE: | NONCE: | ||||
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: 144c98ca1f4a40ffe530b338e5173a8e62c8530b | |||||
TAG: 0c14b15046d12f2ca3158ad71effd0f46b29b3ae | |||||
NO_SEAL: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e | |||||
NONCE: | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: 144c98ca1f4a40ffe530b338 | |||||
TAG: e5173a8e62c8530b0c14b15088f70f550ab57e02 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with no padding. | |||||
# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||||
KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e | |||||
NONCE: | |||||
IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||||
AD: 1df3f4183aa23fd8d7efd8 | |||||
CT: 17944422f667bf1356c234189f9c6cf7af52b2832b2fbaa990ccef4e7f9bc3841e59e25c00e3686d5bd5c29f | |||||
TAG: 3ebd1b0bee840e8a6e992421c62de5a8fda3a82f | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | ||||
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9 | KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9 | ||||
NONCE: | NONCE: | ||||
@@ -6,6 +6,38 @@ | |||||
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | # split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above | ||||
# each test case. | # each test case. | ||||
# Test with non-minimal padding. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8e | |||||
NONCE: d1c8e9ba2fd6773e | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: 144c98ca1f4a40ffe530b338e5173a8e62c8530b | |||||
TAG: 0c14b15046d12f2ca3158ad71effd0f46b29b3ae | |||||
NO_SEAL: 01 | |||||
# Test with bad padding values. | |||||
# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7 | |||||
KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8e | |||||
NONCE: d1c8e9ba2fd6773e | |||||
IN: 936a91d0b5 | |||||
AD: d2c0267218cb7090c61713 | |||||
CT: 144c98ca1f4a40ffe530b338 | |||||
TAG: e5173a8e62c8530b0c14b15088f70f550ab57e02 | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# Test with no padding. | |||||
# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137 | |||||
KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe47 | |||||
NONCE: 7e0cdd46be99371e | |||||
IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748 | |||||
AD: 1df3f4183aa23fd8d7efd8 | |||||
CT: 17944422f667bf1356c234189f9c6cf7af52b2832b2fbaa990ccef4e7f9bc3841e59e25c00e3686d5bd5c29f | |||||
TAG: 3ebd1b0bee840e8a6e992421c62de5a8fda3a82f | |||||
NO_SEAL: 01 | |||||
FAILS: 01 | |||||
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | # DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8 | ||||
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd8 | KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd8 | ||||
NONCE: 8503f78b8ed1c8e9 | NONCE: 8503f78b8ed1c8e9 | ||||
@@ -118,9 +118,22 @@ type testCase struct { | |||||
ad []byte | ad []byte | ||||
ciphertext []byte | ciphertext []byte | ||||
tag []byte | tag []byte | ||||
noSeal bool | |||||
fails bool | |||||
} | } | ||||
func makeTestCase(length int) (*testCase, error) { | |||||
// options adds additional options for a test. | |||||
type options struct { | |||||
// extraPadding causes an extra block of padding to be added. | |||||
extraPadding bool | |||||
// wrongPadding causes one of the padding bytes to be wrong. | |||||
wrongPadding bool | |||||
// noPadding causes padding is to be omitted. The plaintext + MAC must | |||||
// be a multiple of the block size. | |||||
noPadding bool | |||||
} | |||||
func makeTestCase(length int, options options) (*testCase, error) { | |||||
rand, err := newRc4Stream("input stream") | rand, err := newRc4Stream("input stream") | ||||
if err != nil { | if err != nil { | ||||
return nil, err | return nil, err | ||||
@@ -171,6 +184,7 @@ func makeTestCase(length int) (*testCase, error) { | |||||
var fixedIV []byte | var fixedIV []byte | ||||
var nonce []byte | var nonce []byte | ||||
var sealed []byte | var sealed []byte | ||||
var noSeal, fails bool | |||||
if *bulkCipher == "rc4" { | if *bulkCipher == "rc4" { | ||||
if *implicitIV { | if *implicitIV { | ||||
return nil, fmt.Errorf("implicit IV enabled on a stream cipher") | return nil, fmt.Errorf("implicit IV enabled on a stream cipher") | ||||
@@ -205,18 +219,39 @@ func makeTestCase(length int) (*testCase, error) { | |||||
sealed = append(sealed, input...) | sealed = append(sealed, input...) | ||||
sealed = append(sealed, digest...) | sealed = append(sealed, digest...) | ||||
paddingLen := cbc.BlockSize() - (len(sealed) % cbc.BlockSize()) | paddingLen := cbc.BlockSize() - (len(sealed) % cbc.BlockSize()) | ||||
// TODO(davidben): Add tests for non-minimal padding (SSL3 | |||||
// forbids, TLS allows) and arbitrary padding bytes (SSL3 | |||||
// allows, TLS forbids). | |||||
if *ssl3 { | |||||
sealed = append(sealed, make([]byte, paddingLen-1)...) | |||||
sealed = append(sealed, byte(paddingLen-1)) | |||||
if options.noPadding { | |||||
if paddingLen != cbc.BlockSize() { | |||||
return nil, fmt.Errorf("invalid length for noPadding") | |||||
} | |||||
noSeal = true | |||||
fails = true | |||||
} else { | } else { | ||||
pad := make([]byte, paddingLen) | |||||
for i := range pad { | |||||
pad[i] = byte(paddingLen - 1) | |||||
if options.extraPadding { | |||||
paddingLen += cbc.BlockSize() | |||||
noSeal = true | |||||
if *ssl3 { | |||||
// SSLv3 padding must be minimal. | |||||
fails = true | |||||
} | |||||
} | |||||
if *ssl3 { | |||||
sealed = append(sealed, make([]byte, paddingLen-1)...) | |||||
sealed = append(sealed, byte(paddingLen-1)) | |||||
} else { | |||||
pad := make([]byte, paddingLen) | |||||
for i := range pad { | |||||
pad[i] = byte(paddingLen - 1) | |||||
} | |||||
sealed = append(sealed, pad...) | |||||
} | |||||
if options.wrongPadding && paddingLen > 1 { | |||||
sealed[len(sealed)-2]++ | |||||
noSeal = true | |||||
if !*ssl3 { | |||||
// TLS specifies the all the padding bytes. | |||||
fails = true | |||||
} | |||||
} | } | ||||
sealed = append(sealed, pad...) | |||||
} | } | ||||
cbc.CryptBlocks(sealed, sealed) | cbc.CryptBlocks(sealed, sealed) | ||||
} | } | ||||
@@ -233,10 +268,28 @@ func makeTestCase(length int) (*testCase, error) { | |||||
ad: ad, | ad: ad, | ||||
ciphertext: sealed[:len(sealed)-hash.Size()], | ciphertext: sealed[:len(sealed)-hash.Size()], | ||||
tag: sealed[len(sealed)-hash.Size():], | tag: sealed[len(sealed)-hash.Size():], | ||||
noSeal: noSeal, | |||||
fails: fails, | |||||
} | } | ||||
return t, nil | return t, nil | ||||
} | } | ||||
func printTestCase(t *testCase) { | |||||
fmt.Printf("# DIGEST: %s\n", hex.EncodeToString(t.digest)) | |||||
fmt.Printf("KEY: %s\n", hex.EncodeToString(t.key)) | |||||
fmt.Printf("NONCE: %s\n", hex.EncodeToString(t.nonce)) | |||||
fmt.Printf("IN: %s\n", hex.EncodeToString(t.input)) | |||||
fmt.Printf("AD: %s\n", hex.EncodeToString(t.ad)) | |||||
fmt.Printf("CT: %s\n", hex.EncodeToString(t.ciphertext)) | |||||
fmt.Printf("TAG: %s\n", hex.EncodeToString(t.tag)) | |||||
if t.noSeal { | |||||
fmt.Printf("NO_SEAL: 01\n") | |||||
} | |||||
if t.fails { | |||||
fmt.Printf("FAILS: 01\n") | |||||
} | |||||
} | |||||
func main() { | func main() { | ||||
flag.Parse() | flag.Parse() | ||||
@@ -256,21 +309,49 @@ func main() { | |||||
fmt.Printf("# each test case.\n") | fmt.Printf("# each test case.\n") | ||||
fmt.Printf("\n") | fmt.Printf("\n") | ||||
// For CBC-mode ciphers, emit tests for padding flexibility. | |||||
if *bulkCipher != "rc4" { | |||||
fmt.Printf("# Test with non-minimal padding.\n") | |||||
t, err := makeTestCase(5, options{extraPadding: true}) | |||||
if err != nil { | |||||
fmt.Fprintf(os.Stderr, "%s\n", err) | |||||
os.Exit(1) | |||||
} | |||||
printTestCase(t) | |||||
fmt.Printf("\n") | |||||
fmt.Printf("# Test with bad padding values.\n") | |||||
t, err = makeTestCase(5, options{wrongPadding: true}) | |||||
if err != nil { | |||||
fmt.Fprintf(os.Stderr, "%s\n", err) | |||||
os.Exit(1) | |||||
} | |||||
printTestCase(t) | |||||
fmt.Printf("\n") | |||||
fmt.Printf("# Test with no padding.\n") | |||||
hash, ok := getHash(*mac) | |||||
if !ok { | |||||
panic("unknown hash") | |||||
} | |||||
t, err = makeTestCase(64-hash.Size(), options{noPadding: true}) | |||||
if err != nil { | |||||
fmt.Fprintf(os.Stderr, "%s\n", err) | |||||
os.Exit(1) | |||||
} | |||||
printTestCase(t) | |||||
fmt.Printf("\n") | |||||
} | |||||
// Generate long enough of input to cover a non-zero num_starting_blocks | // Generate long enough of input to cover a non-zero num_starting_blocks | ||||
// value in the constant-time CBC logic. | // value in the constant-time CBC logic. | ||||
for l := 0; l < 500; l += 5 { | for l := 0; l < 500; l += 5 { | ||||
t, err := makeTestCase(l) | |||||
t, err := makeTestCase(l, options{}) | |||||
if err != nil { | if err != nil { | ||||
fmt.Fprintf(os.Stderr, "%s\n", err) | fmt.Fprintf(os.Stderr, "%s\n", err) | ||||
os.Exit(1) | os.Exit(1) | ||||
} | } | ||||
fmt.Printf("# DIGEST: %s\n", hex.EncodeToString(t.digest)) | |||||
fmt.Printf("KEY: %s\n", hex.EncodeToString(t.key)) | |||||
fmt.Printf("NONCE: %s\n", hex.EncodeToString(t.nonce)) | |||||
fmt.Printf("IN: %s\n", hex.EncodeToString(t.input)) | |||||
fmt.Printf("AD: %s\n", hex.EncodeToString(t.ad)) | |||||
fmt.Printf("CT: %s\n", hex.EncodeToString(t.ciphertext)) | |||||
fmt.Printf("TAG: %s\n", hex.EncodeToString(t.tag)) | |||||
printTestCase(t) | |||||
fmt.Printf("\n") | fmt.Printf("\n") | ||||
} | } | ||||
} | } |
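Review bot: In makeTestCase's CBC branch, `if options.wrongPadding && paddingLen > 1` does nothing at all when paddingLen is 1. The vector would still be printed under "# Test with bad padding values." but without NO_SEAL or FAILS, so the TLS rejection of arbitrary padding bytes that this commit is meant to pin would silently stop being tested. With the length 5 that main passes this is probably unreachable today, but that depends on the MAC and block size chosen by flags outside these hunks. The noPadding branch already returns an error for an unusable length, and the same guard fits here before the padding is appended: `if options.wrongPadding && paddingLen <= 1 { return nil, fmt.Errorf("invalid length for wrongPadding") }`. The body of makeTestCase is only partly visible in these hunks.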