mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 21:50:52 +02:00
531 lines
22 KiB
Rust
531 lines
22 KiB
Rust
#![cfg(chacha20_poly1305)]
|
|
|
|
use wolfssl_wolfcrypt::chacha20_poly1305::*;
|
|
use wolfssl_wolfcrypt::sys;
|
|
|
|
#[test]
|
|
fn test_chacha20_poly1305_1() {
|
|
let key1 = [
|
|
0x80u8, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
|
|
0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
|
|
0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
|
|
0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
|
|
];
|
|
|
|
let plaintext1 = [
|
|
0x4cu8, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
|
|
0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
|
|
0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
|
|
0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
|
|
0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
|
|
0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
|
|
0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
|
|
0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
|
|
0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
|
|
0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
|
|
0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
|
|
0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
|
|
0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
|
|
0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
|
|
0x74, 0x2e
|
|
];
|
|
|
|
let iv1 = [
|
|
0x07u8, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43,
|
|
0x44, 0x45, 0x46, 0x47
|
|
];
|
|
|
|
let aad1 = [
|
|
0x50u8, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
|
|
0xc4, 0xc5, 0xc6, 0xc7
|
|
];
|
|
|
|
let cipher1 = [
|
|
0xd3u8, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
|
|
0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
|
|
0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
|
|
0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
|
|
0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
|
|
0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
|
|
0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
|
|
0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
|
|
0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
|
|
0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
|
|
0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
|
|
0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
|
|
0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
|
|
0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
|
|
0x61, 0x16
|
|
];
|
|
|
|
let auth_tag_1 = [
|
|
0x1au8, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
|
|
0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
|
|
];
|
|
|
|
/* Encrypt */
|
|
let mut ccp = ChaCha20Poly1305::new(&key1, &iv1, true).expect("Error with new()");
|
|
ccp.update_aad(&aad1).expect("Error with update_aad()");
|
|
let mut out_cipher1 = [0u8; 114];
|
|
ccp.update_data(&plaintext1, &mut out_cipher1).expect("Error with update_data()");
|
|
let mut out_auth_tag_1 = [0u8; ChaCha20Poly1305::AUTH_TAG_SIZE];
|
|
ccp.finalize(&mut out_auth_tag_1).expect("Error with finalize()");
|
|
assert_eq!(out_cipher1, cipher1);
|
|
assert_eq!(out_auth_tag_1, auth_tag_1);
|
|
|
|
/* Decrypt */
|
|
let mut ccp = ChaCha20Poly1305::new(&key1, &iv1, false).expect("Error with new()");
|
|
ccp.update_aad(&aad1).expect("Error with update_aad()");
|
|
let mut out_plaintext1 = [0u8; 114];
|
|
ccp.update_data(&cipher1, &mut out_plaintext1).expect("Error with update_data()");
|
|
let mut out_auth_tag_1 = [0u8; ChaCha20Poly1305::AUTH_TAG_SIZE];
|
|
ccp.finalize(&mut out_auth_tag_1).expect("Error with finalize()");
|
|
assert_eq!(out_plaintext1, plaintext1);
|
|
assert_eq!(out_auth_tag_1, auth_tag_1);
|
|
}
|
|
|
|
#[test]
|
|
fn test_chacha20_poly1305_2() {
|
|
let key2 = [
|
|
0x1cu8, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
|
|
0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
|
|
0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
|
|
0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
|
|
];
|
|
|
|
let plaintext2 = [
|
|
0x49u8, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
|
|
0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20,
|
|
0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
|
|
0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
|
|
0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c, 0x69,
|
|
0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
|
|
0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20,
|
|
0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d,
|
|
0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
|
|
0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65,
|
|
0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,
|
|
0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
|
|
0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
|
|
0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64,
|
|
0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
|
|
0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
|
|
0x6e, 0x74, 0x73, 0x20, 0x61, 0x74, 0x20, 0x61,
|
|
0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
|
|
0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69,
|
|
0x6e, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x70, 0x72,
|
|
0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
|
|
0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65,
|
|
0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
|
|
0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
|
|
0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
|
|
0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
|
|
0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
|
|
0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65,
|
|
0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20,
|
|
0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
|
|
0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b,
|
|
0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67,
|
|
0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
|
|
0x9d
|
|
];
|
|
|
|
let iv2 = [
|
|
0x00u8, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04,
|
|
0x05, 0x06, 0x07, 0x08
|
|
];
|
|
|
|
let aad2 = [
|
|
0xf3u8, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x4e, 0x91
|
|
];
|
|
|
|
let cipher2 = [
|
|
0x64u8, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4,
|
|
0x60, 0xf0, 0x62, 0xc7, 0x9b, 0xe6, 0x43, 0xbd,
|
|
0x5e, 0x80, 0x5c, 0xfd, 0x34, 0x5c, 0xf3, 0x89,
|
|
0xf1, 0x08, 0x67, 0x0a, 0xc7, 0x6c, 0x8c, 0xb2,
|
|
0x4c, 0x6c, 0xfc, 0x18, 0x75, 0x5d, 0x43, 0xee,
|
|
0xa0, 0x9e, 0xe9, 0x4e, 0x38, 0x2d, 0x26, 0xb0,
|
|
0xbd, 0xb7, 0xb7, 0x3c, 0x32, 0x1b, 0x01, 0x00,
|
|
0xd4, 0xf0, 0x3b, 0x7f, 0x35, 0x58, 0x94, 0xcf,
|
|
0x33, 0x2f, 0x83, 0x0e, 0x71, 0x0b, 0x97, 0xce,
|
|
0x98, 0xc8, 0xa8, 0x4a, 0xbd, 0x0b, 0x94, 0x81,
|
|
0x14, 0xad, 0x17, 0x6e, 0x00, 0x8d, 0x33, 0xbd,
|
|
0x60, 0xf9, 0x82, 0xb1, 0xff, 0x37, 0xc8, 0x55,
|
|
0x97, 0x97, 0xa0, 0x6e, 0xf4, 0xf0, 0xef, 0x61,
|
|
0xc1, 0x86, 0x32, 0x4e, 0x2b, 0x35, 0x06, 0x38,
|
|
0x36, 0x06, 0x90, 0x7b, 0x6a, 0x7c, 0x02, 0xb0,
|
|
0xf9, 0xf6, 0x15, 0x7b, 0x53, 0xc8, 0x67, 0xe4,
|
|
0xb9, 0x16, 0x6c, 0x76, 0x7b, 0x80, 0x4d, 0x46,
|
|
0xa5, 0x9b, 0x52, 0x16, 0xcd, 0xe7, 0xa4, 0xe9,
|
|
0x90, 0x40, 0xc5, 0xa4, 0x04, 0x33, 0x22, 0x5e,
|
|
0xe2, 0x82, 0xa1, 0xb0, 0xa0, 0x6c, 0x52, 0x3e,
|
|
0xaf, 0x45, 0x34, 0xd7, 0xf8, 0x3f, 0xa1, 0x15,
|
|
0x5b, 0x00, 0x47, 0x71, 0x8c, 0xbc, 0x54, 0x6a,
|
|
0x0d, 0x07, 0x2b, 0x04, 0xb3, 0x56, 0x4e, 0xea,
|
|
0x1b, 0x42, 0x22, 0x73, 0xf5, 0x48, 0x27, 0x1a,
|
|
0x0b, 0xb2, 0x31, 0x60, 0x53, 0xfa, 0x76, 0x99,
|
|
0x19, 0x55, 0xeb, 0xd6, 0x31, 0x59, 0x43, 0x4e,
|
|
0xce, 0xbb, 0x4e, 0x46, 0x6d, 0xae, 0x5a, 0x10,
|
|
0x73, 0xa6, 0x72, 0x76, 0x27, 0x09, 0x7a, 0x10,
|
|
0x49, 0xe6, 0x17, 0xd9, 0x1d, 0x36, 0x10, 0x94,
|
|
0xfa, 0x68, 0xf0, 0xff, 0x77, 0x98, 0x71, 0x30,
|
|
0x30, 0x5b, 0xea, 0xba, 0x2e, 0xda, 0x04, 0xdf,
|
|
0x99, 0x7b, 0x71, 0x4d, 0x6c, 0x6f, 0x2c, 0x29,
|
|
0xa6, 0xad, 0x5c, 0xb4, 0x02, 0x2b, 0x02, 0x70,
|
|
0x9b
|
|
];
|
|
|
|
let auth_tag_2 = [
|
|
0xeeu8, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb, 0x22,
|
|
0x39, 0x23, 0x36, 0xfe, 0xa1, 0x85, 0x1f, 0x38
|
|
];
|
|
|
|
/* Encrypt */
|
|
let mut ccp = ChaCha20Poly1305::new(&key2, &iv2, true).expect("Error with new()");
|
|
ccp.update_aad(&aad2).expect("Error with update_aad()");
|
|
let mut out_cipher2 = [0u8; 265];
|
|
ccp.update_data(&plaintext2[0..128], &mut out_cipher2[0..128]).expect("Error with update_data()");
|
|
ccp.update_data(&plaintext2[128..265], &mut out_cipher2[128..265]).expect("Error with update_data()");
|
|
let mut out_auth_tag_2 = [0u8; ChaCha20Poly1305::AUTH_TAG_SIZE];
|
|
ccp.finalize(&mut out_auth_tag_2).expect("Error with finalize()");
|
|
assert_eq!(out_cipher2, cipher2);
|
|
assert_eq!(out_auth_tag_2, auth_tag_2);
|
|
|
|
/* Decrypt */
|
|
let mut ccp = ChaCha20Poly1305::new(&key2, &iv2, false).expect("Error with new()");
|
|
ccp.update_aad(&aad2).expect("Error with update_aad()");
|
|
let mut out_plaintext2 = [0u8; 265];
|
|
ccp.update_data(&cipher2[0..128], &mut out_plaintext2[0..128]).expect("Error with update_data()");
|
|
ccp.update_data(&cipher2[128..265], &mut out_plaintext2[128..265]).expect("Error with update_data()");
|
|
let mut out_auth_tag_2 = [0u8; ChaCha20Poly1305::AUTH_TAG_SIZE];
|
|
ccp.finalize(&mut out_auth_tag_2).expect("Error with finalize()");
|
|
assert_eq!(out_plaintext2, plaintext2);
|
|
assert_eq!(out_auth_tag_2, auth_tag_2);
|
|
}
|
|
|
|
#[test]
|
|
#[cfg(xchacha20_poly1305)]
|
|
fn test_xchacha20_poly1305() {
|
|
const PLAINTEXT: &[u8] = &[
|
|
0x4cu8, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
|
|
0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c, /* Ladies and Gentl */
|
|
0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
|
|
0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73, /* emen of the clas */
|
|
0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
|
|
0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63, /* s of '99: If I c */
|
|
0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
|
|
0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f, /* ould offer you o */
|
|
0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
|
|
0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20, /* nly one tip for */
|
|
0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
|
|
0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73, /* the future, suns */
|
|
0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
|
|
0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, /* creen would be i */
|
|
0x74, 0x2e ]; /* t. */
|
|
|
|
let aad = [
|
|
0x50u8, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
|
|
0xc4, 0xc5, 0xc6, 0xc7
|
|
]; /* PQRS........ */
|
|
|
|
let key = [
|
|
0x80u8, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
|
|
0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
|
|
0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
|
|
0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
|
|
];
|
|
|
|
let iv = [
|
|
0x40u8, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
|
|
0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, /* @ABCDEFGHIJKLMNO */
|
|
0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57 /* PQRSTUVW */
|
|
];
|
|
|
|
let expected_ciphertext = [
|
|
0xbdu8, 0x6d, 0x17, 0x9d, 0x3e, 0x83, 0xd4, 0x3b,
|
|
0x95, 0x76, 0x57, 0x94, 0x93, 0xc0, 0xe9, 0x39,
|
|
0x57, 0x2a, 0x17, 0x00, 0x25, 0x2b, 0xfa, 0xcc,
|
|
0xbe, 0xd2, 0x90, 0x2c, 0x21, 0x39, 0x6c, 0xbb,
|
|
0x73, 0x1c, 0x7f, 0x1b, 0x0b, 0x4a, 0xa6, 0x44,
|
|
0x0b, 0xf3, 0xa8, 0x2f, 0x4e, 0xda, 0x7e, 0x39,
|
|
0xae, 0x64, 0xc6, 0x70, 0x8c, 0x54, 0xc2, 0x16,
|
|
0xcb, 0x96, 0xb7, 0x2e, 0x12, 0x13, 0xb4, 0x52,
|
|
0x2f, 0x8c, 0x9b, 0xa4, 0x0d, 0xb5, 0xd9, 0x45,
|
|
0xb1, 0x1b, 0x69, 0xb9, 0x82, 0xc1, 0xbb, 0x9e,
|
|
0x3f, 0x3f, 0xac, 0x2b, 0xc3, 0x69, 0x48, 0x8f,
|
|
0x76, 0xb2, 0x38, 0x35, 0x65, 0xd3, 0xff, 0xf9,
|
|
0x21, 0xf9, 0x66, 0x4c, 0x97, 0x63, 0x7d, 0xa9,
|
|
0x76, 0x88, 0x12, 0xf6, 0x15, 0xc6, 0x8b, 0x13,
|
|
0xb5, 0x2e
|
|
];
|
|
|
|
let expected_tag = [
|
|
0xc0u8, 0x87, 0x59, 0x24, 0xc1, 0xc7, 0x98, 0x79,
|
|
0x47, 0xde, 0xaf, 0xd8, 0x78, 0x0a, 0xcf, 0x49
|
|
];
|
|
|
|
let mut ciphertext_buffer = [0u8; PLAINTEXT.len() + XChaCha20Poly1305::AUTH_TAG_SIZE];
|
|
XChaCha20Poly1305::encrypt(&key, &iv, &aad, PLAINTEXT, &mut ciphertext_buffer).expect("Error with encrypt()");
|
|
assert_eq!(ciphertext_buffer[0..expected_ciphertext.len()], expected_ciphertext);
|
|
assert_eq!(ciphertext_buffer[expected_ciphertext.len()..], expected_tag);
|
|
let mut plaintext_buffer = [0u8; PLAINTEXT.len()];
|
|
XChaCha20Poly1305::decrypt(&key, &iv, &aad, &ciphertext_buffer, &mut plaintext_buffer).expect("Error with decrypt()");
|
|
assert_eq!(plaintext_buffer, PLAINTEXT);
|
|
}
|
|
|
|
#[test]
|
|
fn test_chacha20_poly1305_encrypt_short_ciphertext_buffer() {
|
|
let key = [0x55u8; ChaCha20Poly1305::KEYSIZE];
|
|
let iv = [0x66u8; ChaCha20Poly1305::IV_SIZE];
|
|
let aad = [];
|
|
let plaintext = [0u8; 32];
|
|
let mut ciphertext = [0u8; 16]; /* shorter than plaintext */
|
|
let mut auth_tag = [0u8; ChaCha20Poly1305::AUTH_TAG_SIZE];
|
|
let rc = ChaCha20Poly1305::encrypt(&key, &iv, &aad, &plaintext,
|
|
&mut ciphertext, &mut auth_tag)
|
|
.expect_err("encrypt() should fail with short ciphertext buffer");
|
|
assert_eq!(rc, sys::wolfCrypt_ErrorCodes_BUFFER_E);
|
|
}
|
|
|
|
#[test]
|
|
fn test_chacha20_poly1305_decrypt_short_plaintext_buffer() {
|
|
let key = [0x55u8; ChaCha20Poly1305::KEYSIZE];
|
|
let iv = [0x66u8; ChaCha20Poly1305::IV_SIZE];
|
|
let aad = [];
|
|
let ciphertext = [0u8; 32];
|
|
let mut plaintext = [0u8; 16]; /* shorter than ciphertext */
|
|
let auth_tag = [0u8; ChaCha20Poly1305::AUTH_TAG_SIZE];
|
|
let rc = ChaCha20Poly1305::decrypt(&key, &iv, &aad, &ciphertext,
|
|
&auth_tag, &mut plaintext)
|
|
.expect_err("decrypt() should fail with short plaintext buffer");
|
|
assert_eq!(rc, sys::wolfCrypt_ErrorCodes_BUFFER_E);
|
|
}
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// ChaCha20-Poly1305 aead trait implementations
|
|
// ---------------------------------------------------------------------------
|
|
|
|
#[cfg(feature = "aead")]
|
|
use aead::{Aead, AeadInPlace, KeyInit, Payload};
|
|
|
|
/// RFC 8439, Section 2.8.2 test vector.
|
|
///
|
|
/// Key = 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f
|
|
/// IV = 070000004041424344454647
|
|
/// AAD = 50515253c0c1c2c3c4c5c6c7
|
|
/// PT = 4c61646965732061...
|
|
/// Tag = 1ae10b594f09e26a7e902ecbd0600691
|
|
#[test]
|
|
#[cfg(feature = "aead")]
|
|
fn test_chacha20poly1305_rfc8439_encrypt() {
|
|
let key = [
|
|
0x80u8, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
|
|
0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
|
|
0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
|
|
0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
|
|
];
|
|
let nonce = [
|
|
0x07u8, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43,
|
|
0x44, 0x45, 0x46, 0x47,
|
|
];
|
|
let aad = [
|
|
0x50u8, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
|
|
0xc4, 0xc5, 0xc6, 0xc7,
|
|
];
|
|
let mut plaintext = [
|
|
0x4cu8, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
|
|
0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
|
|
0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
|
|
0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
|
|
0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
|
|
0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
|
|
0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
|
|
0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
|
|
0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
|
|
0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
|
|
0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
|
|
0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
|
|
0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
|
|
0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
|
|
0x74, 0x2e,
|
|
];
|
|
let expected_ciphertext = [
|
|
0xd3u8, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
|
|
0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
|
|
0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
|
|
0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
|
|
0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
|
|
0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
|
|
0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
|
|
0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
|
|
0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
|
|
0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
|
|
0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
|
|
0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
|
|
0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
|
|
0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
|
|
0x61, 0x16,
|
|
];
|
|
let expected_tag = [
|
|
0x1au8, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
|
|
0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91,
|
|
];
|
|
|
|
let cipher = ChaCha20Poly1305Aead::new_from_slice(&key).unwrap();
|
|
let nonce_arr: aead::Nonce<ChaCha20Poly1305Aead> = nonce.into();
|
|
let tag = cipher
|
|
.encrypt_in_place_detached(&nonce_arr, &aad, &mut plaintext)
|
|
.expect("ChaCha20-Poly1305 encrypt failed");
|
|
|
|
assert_eq!(plaintext, expected_ciphertext);
|
|
assert_eq!(&tag[..], &expected_tag);
|
|
}
|
|
|
|
/// Roundtrip test for ChaCha20-Poly1305 using `aead::Aead`.
|
|
#[test]
|
|
#[cfg(feature = "aead")]
|
|
fn test_chacha20poly1305_aead_roundtrip() {
|
|
let key = [0x55u8; 32];
|
|
let nonce_bytes = [0x66u8; 12];
|
|
let aad = b"chacha20 aad";
|
|
let plaintext = b"ChaCha20-Poly1305 roundtrip";
|
|
|
|
let cipher = ChaCha20Poly1305Aead::new_from_slice(&key).unwrap();
|
|
let nonce: aead::Nonce<ChaCha20Poly1305Aead> = nonce_bytes.into();
|
|
|
|
let ciphertext = cipher
|
|
.encrypt(&nonce, Payload { msg: plaintext, aad })
|
|
.expect("encrypt failed");
|
|
|
|
let recovered = cipher
|
|
.decrypt(&nonce, Payload { msg: &ciphertext, aad })
|
|
.expect("decrypt failed");
|
|
|
|
assert_eq!(recovered, plaintext);
|
|
}
|
|
|
|
/// Verify that ChaCha20-Poly1305 rejects a tampered message.
|
|
#[test]
|
|
#[cfg(feature = "aead")]
|
|
fn test_chacha20poly1305_reject_tampered() {
|
|
let key = [0x77u8; 32];
|
|
let nonce_bytes = [0x88u8; 12];
|
|
let plaintext = b"tamper me!";
|
|
|
|
let cipher = ChaCha20Poly1305Aead::new_from_slice(&key).unwrap();
|
|
let nonce: aead::Nonce<ChaCha20Poly1305Aead> = nonce_bytes.into();
|
|
|
|
let mut ct = cipher.encrypt(&nonce, plaintext.as_ref()).expect("encrypt failed");
|
|
ct[0] ^= 0x01;
|
|
assert!(cipher.decrypt(&nonce, ct.as_slice()).is_err());
|
|
}
|
|
|
|
/// Roundtrip test for XChaCha20-Poly1305 using `aead::Aead`.
|
|
#[test]
|
|
#[cfg(all(feature = "aead", xchacha20_poly1305))]
|
|
fn test_xchacha20poly1305_aead_roundtrip() {
|
|
let key = [0xaau8; 32];
|
|
let nonce_bytes = [0xbbu8; 24];
|
|
let aad = b"xchacha20 aad";
|
|
let plaintext = b"XChaCha20-Poly1305 roundtrip";
|
|
|
|
let cipher = XChaCha20Poly1305Aead::new_from_slice(&key).unwrap();
|
|
let nonce: aead::Nonce<XChaCha20Poly1305Aead> = nonce_bytes.into();
|
|
|
|
let ciphertext = cipher
|
|
.encrypt(&nonce, Payload { msg: plaintext, aad })
|
|
.expect("XChaCha20-Poly1305 encrypt failed");
|
|
|
|
let recovered = cipher
|
|
.decrypt(&nonce, Payload { msg: &ciphertext, aad })
|
|
.expect("XChaCha20-Poly1305 decrypt failed");
|
|
|
|
assert_eq!(recovered, plaintext);
|
|
}
|
|
|
|
/// RFC 8439-based XChaCha20-Poly1305 known-answer test.
|
|
#[test]
|
|
#[cfg(all(feature = "aead", xchacha20_poly1305))]
|
|
fn test_xchacha20poly1305_known_answer() {
|
|
let key = [
|
|
0x80u8, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
|
|
0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
|
|
0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
|
|
0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
|
|
];
|
|
let nonce = [
|
|
0x40u8, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
|
|
0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
|
|
0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
|
|
];
|
|
let aad = [
|
|
0x50u8, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
|
|
0xc4, 0xc5, 0xc6, 0xc7,
|
|
];
|
|
let mut plaintext = [
|
|
0x4cu8, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
|
|
0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
|
|
0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
|
|
0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
|
|
0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
|
|
0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
|
|
0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
|
|
0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
|
|
0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
|
|
0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
|
|
0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
|
|
0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
|
|
0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
|
|
0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
|
|
0x74, 0x2e,
|
|
];
|
|
let expected_ciphertext = [
|
|
0xbdu8, 0x6d, 0x17, 0x9d, 0x3e, 0x83, 0xd4, 0x3b,
|
|
0x95, 0x76, 0x57, 0x94, 0x93, 0xc0, 0xe9, 0x39,
|
|
0x57, 0x2a, 0x17, 0x00, 0x25, 0x2b, 0xfa, 0xcc,
|
|
0xbe, 0xd2, 0x90, 0x2c, 0x21, 0x39, 0x6c, 0xbb,
|
|
0x73, 0x1c, 0x7f, 0x1b, 0x0b, 0x4a, 0xa6, 0x44,
|
|
0x0b, 0xf3, 0xa8, 0x2f, 0x4e, 0xda, 0x7e, 0x39,
|
|
0xae, 0x64, 0xc6, 0x70, 0x8c, 0x54, 0xc2, 0x16,
|
|
0xcb, 0x96, 0xb7, 0x2e, 0x12, 0x13, 0xb4, 0x52,
|
|
0x2f, 0x8c, 0x9b, 0xa4, 0x0d, 0xb5, 0xd9, 0x45,
|
|
0xb1, 0x1b, 0x69, 0xb9, 0x82, 0xc1, 0xbb, 0x9e,
|
|
0x3f, 0x3f, 0xac, 0x2b, 0xc3, 0x69, 0x48, 0x8f,
|
|
0x76, 0xb2, 0x38, 0x35, 0x65, 0xd3, 0xff, 0xf9,
|
|
0x21, 0xf9, 0x66, 0x4c, 0x97, 0x63, 0x7d, 0xa9,
|
|
0x76, 0x88, 0x12, 0xf6, 0x15, 0xc6, 0x8b, 0x13,
|
|
0xb5, 0x2e,
|
|
];
|
|
let expected_tag = [
|
|
0xc0u8, 0x87, 0x59, 0x24, 0xc1, 0xc7, 0x98, 0x79,
|
|
0x47, 0xde, 0xaf, 0xd8, 0x78, 0x0a, 0xcf, 0x49,
|
|
];
|
|
|
|
let cipher = XChaCha20Poly1305Aead::new_from_slice(&key).unwrap();
|
|
let nonce_arr: aead::Nonce<XChaCha20Poly1305Aead> = nonce.into();
|
|
let tag = cipher
|
|
.encrypt_in_place_detached(&nonce_arr, &aad, &mut plaintext)
|
|
.expect("XChaCha20-Poly1305 encrypt failed");
|
|
|
|
assert_eq!(plaintext, expected_ciphertext);
|
|
assert_eq!(&tag[..], &expected_tag);
|
|
}
|
|
|
|
/// Verify that XChaCha20-Poly1305 decryption rejects a tampered ciphertext.
|
|
#[test]
|
|
#[cfg(all(feature = "aead", xchacha20_poly1305))]
|
|
fn test_xchacha20poly1305_reject_tampered() {
|
|
let key = [0x55u8; 32];
|
|
let nonce_bytes = [0x66u8; 24];
|
|
let plaintext = b"XChaCha tamper test";
|
|
|
|
let cipher = XChaCha20Poly1305Aead::new_from_slice(&key).unwrap();
|
|
let nonce: aead::Nonce<XChaCha20Poly1305Aead> = nonce_bytes.into();
|
|
|
|
let mut ct = cipher.encrypt(&nonce, plaintext.as_ref()).expect("encrypt failed");
|
|
ct[0] ^= 0x01;
|
|
assert!(cipher.decrypt(&nonce, ct.as_slice()).is_err());
|
|
}
|