// Copyright 2019 Google Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // /////////////////////////////////////////////////////////////////////////////// #include "tink/subtle/decrypting_random_access_stream.h" #include #include #include #include #include #include #include #include #include "gtest/gtest.h" #include "absl/memory/memory.h" #include "absl/status/status.h" #include "absl/strings/str_cat.h" #include "absl/strings/string_view.h" #include "tink/internal/test_random_access_stream.h" #include "tink/output_stream.h" #include "tink/random_access_stream.h" #include "tink/streaming_aead.h" #include "tink/subtle/random.h" #include "tink/subtle/test_util.h" #include "tink/util/ostream_output_stream.h" #include "tink/util/status.h" #include "tink/util/test_matchers.h" namespace crypto { namespace tink { namespace subtle { namespace { using ::crypto::tink::internal::TestRandomAccessStream; using crypto::tink::subtle::test::DummyStreamingAead; using crypto::tink::subtle::test::DummyStreamSegmentDecrypter; using crypto::tink::test::IsOk; using crypto::tink::test::StatusIs; using subtle::test::WriteToStream; using testing::HasSubstr; // A dummy RandomAccessStream that fakes its size. class DummyRandomAccessStream : public RandomAccessStream { public: explicit DummyRandomAccessStream(int64_t size, int ct_offset) : size_(size), ct_offset_(ct_offset) {} crypto::tink::util::Status PRead( int64_t position, int count, crypto::tink::util::Buffer* dest_buffer) override { if (position == ct_offset_) { // Someone attempts to read the header, return the same dummy value that // DummyStreamSegmentDecrypter expects. auto status = dest_buffer->set_size(count); if (!status.ok()) return status; std::memset(dest_buffer->get_mem_block(), 'h', count); } return util::OkStatus(); } crypto::tink::util::StatusOr size() override { return size_; } private: int64_t size_; int ct_offset_; }; // Returns a ciphertext resulting from encryption of 'pt' with 'aad' as // associated data, using 'saead'. std::string GetCiphertext(StreamingAead* saead, absl::string_view pt, absl::string_view aad, int ct_offset) { // Prepare ciphertext destination stream. auto ct_stream = absl::make_unique(); // Write ct_offset 'o'-characters for the ciphertext offset. *ct_stream << std::string(ct_offset, 'o'); // A reference to the ciphertext buffer. auto ct_buf = ct_stream->rdbuf(); std::unique_ptr ct_destination( absl::make_unique(std::move(ct_stream))); // Compute the ciphertext. auto enc_stream_result = saead->NewEncryptingStream(std::move(ct_destination), aad); EXPECT_THAT(enc_stream_result, IsOk()); EXPECT_THAT(WriteToStream(enc_stream_result.value().get(), pt), IsOk()); return ct_buf->str(); } // Creates an RandomAccessStream that contains ciphertext resulting // from encryption of 'pt' with 'aad' as associated data, using 'saead'. std::unique_ptr GetCiphertextSource(StreamingAead* saead, absl::string_view pt, absl::string_view aad, int ct_offset) { return std::make_unique( GetCiphertext(saead, pt, aad, ct_offset)); } TEST(DecryptingRandomAccessStreamTest, NegativeCiphertextOffset) { int pt_segment_size = 100; int header_size = 20; int ct_offset = -1; auto seg_decrypter = absl::make_unique( pt_segment_size, header_size, ct_offset); int64_t ciphertext_size = 100; EXPECT_THAT( DecryptingRandomAccessStream::New( std::move(seg_decrypter), absl::make_unique( ciphertext_size, ct_offset)) .status(), StatusIs(absl::StatusCode::kInvalidArgument, HasSubstr("The ciphertext offset must be non-negative"))); } TEST(DecryptingRandomAccessStreamTest, SizeOfFirstSegmentIsSmallerOrEqualToZero) { int header_size = 20; int ct_offset = 0; // Make pt_segment_size equal to ct_offset + header_size. This means size of // the first segment is zero. int pt_segment_size = ct_offset + header_size; auto seg_decrypter = absl::make_unique( pt_segment_size, header_size, ct_offset); int64_t ciphertext_size = 100; EXPECT_THAT( DecryptingRandomAccessStream::New( std::move(seg_decrypter), absl::make_unique( ciphertext_size, ct_offset)) .status(), StatusIs(absl::StatusCode::kInvalidArgument, HasSubstr("greater than 0"))); } TEST(DecryptingRandomAccessStreamTest, TooManySegments) { int header_size = 1; int ct_offset = 0; // Use a valid pt_segment_size which is larger than ct_offset + header_size. int pt_segment_size = ct_offset + header_size + 1; auto seg_decrypter = absl::make_unique( pt_segment_size, header_size, ct_offset); // Use an invalid segment_count larger than 2^32. int64_t segment_count = static_cast(std::numeric_limits::max()) + 2; // Based on this calculation: // segment_count = ciphertext_size / ciphertext_segment_size // -> ciphertext_size = segment_count * ciphertext_segment_size int64_t ciphertext_size = segment_count * seg_decrypter->get_ciphertext_segment_size(); auto dec_stream_result = DecryptingRandomAccessStream::New( std::move(seg_decrypter), absl::make_unique(ciphertext_size, ct_offset)); EXPECT_THAT(dec_stream_result, IsOk()); auto dec_stream = std::move(dec_stream_result.value()); auto result = dec_stream->size(); EXPECT_EQ(absl::StatusCode::kInvalidArgument, result.status().code()); EXPECT_THAT(std::string(result.status().message()), HasSubstr("too many segments")); } TEST(DecryptingRandomAccessStreamTest, BasicDecryption) { for (int pt_size : {1, 5, 20, 42, 100, 1000, 10000}) { std::string plaintext = subtle::Random::GetRandomBytes(pt_size); for (int pt_segment_size : {50, 100, 123}) { for (int header_size : {5, 10, 15}) { for (int ct_offset : {0, 1, 5, 12}) { SCOPED_TRACE(absl::StrCat( "pt_size = ", pt_size, ", pt_segment_size = ", pt_segment_size, ", header_size = ", header_size, ", ct_offset = ", ct_offset)); DummyStreamingAead saead(pt_segment_size, header_size, ct_offset); // Pre-compute the ciphertext. auto ciphertext = GetCiphertextSource(&saead, plaintext, "some aad", ct_offset); // Check the decryption of the pre-computed ciphertext. auto seg_decrypter = absl::make_unique( pt_segment_size, header_size, ct_offset); auto dec_stream_result = DecryptingRandomAccessStream::New( std::move(seg_decrypter), std::move(ciphertext)); EXPECT_THAT(dec_stream_result, IsOk()); auto dec_stream = std::move(dec_stream_result.value()); EXPECT_EQ(pt_size, dec_stream->size().value()); std::string decrypted; auto status = internal::ReadAllFromRandomAccessStream( dec_stream.get(), decrypted); EXPECT_THAT(status, StatusIs(absl::StatusCode::kOutOfRange, HasSubstr("EOF"))); EXPECT_EQ(plaintext, decrypted); } } } } } TEST(DecryptingRandomAccessStreamTest, SelectiveDecryption) { for (int pt_size : {1, 20, 42, 100, 1000, 10000}) { std::string plaintext = subtle::Random::GetRandomBytes(pt_size); for (int pt_segment_size : {50, 100, 200}) { for (int header_size : {5, 10, 20}) { for (int ct_offset : {0, 1, 10}) { SCOPED_TRACE(absl::StrCat( "pt_size = ", pt_size, ", pt_segment_size = ", pt_segment_size, ", header_size = ", header_size, ", ct_offset = ", ct_offset)); DummyStreamingAead saead(pt_segment_size, header_size, ct_offset); // Pre-compute the ciphertext. auto ciphertext = GetCiphertextSource(&saead, plaintext, "some aad", ct_offset); // Check the decryption of the pre-computed ciphertext. auto seg_decrypter = absl::make_unique( pt_segment_size, header_size, ct_offset); auto dec_stream_result = DecryptingRandomAccessStream::New( std::move(seg_decrypter), std::move(ciphertext)); EXPECT_THAT(dec_stream_result, IsOk()); auto dec_stream = std::move(dec_stream_result.value()); for (int position : {0, 1, 2, pt_size / 2, pt_size - 1}) { for (int chunk_size : {1, pt_size / 2, pt_size}) { SCOPED_TRACE(absl::StrCat("position = ", position, ", chunk_size = ", chunk_size)); auto buffer = std::move(util::Buffer::New(std::max(chunk_size, 1)).value()); auto status = dec_stream->PRead(position, chunk_size, buffer.get()); if (position <= pt_size) { EXPECT_TRUE(status.ok() || status.code() == absl::StatusCode::kOutOfRange); } else { EXPECT_THAT(status, StatusIs(absl::StatusCode::kInvalidArgument)); } EXPECT_EQ(std::min(chunk_size, std::max(pt_size - position, 0)), buffer->size()); EXPECT_EQ(0, std::memcmp(plaintext.data() + position, buffer->get_mem_block(), buffer->size())); } } } } } } } TEST(DecryptingRandomAccessStreamTest, TruncatedCiphertextDecryption) { for (int pt_size : {100, 200, 1000}) { std::string plaintext = subtle::Random::GetRandomBytes(pt_size); for (int pt_segment_size : {50, 70}) { for (int header_size : {5, 10, 20}) { for (int ct_offset : {0, 1, 10}) { SCOPED_TRACE(absl::StrCat( "pt_size = ", pt_size, ", pt_segment_size = ", pt_segment_size, ", header_size = ", header_size, ", ct_offset = ", ct_offset)); DummyStreamingAead saead(pt_segment_size, header_size, ct_offset); // Pre-compute the ciphertext. auto ct = GetCiphertext(&saead, plaintext, "some aad", ct_offset); // Check the decryption of a truncated ciphertext. auto seg_decrypter = absl::make_unique( pt_segment_size, header_size, ct_offset); for (int trunc_ct_size : {header_size + ct_offset, static_cast(ct.size()) - 1, static_cast(ct.size()) - pt_segment_size, static_cast(ct.size()) - seg_decrypter->get_ciphertext_segment_size()}) { for (int chunk_size : {pt_size}) { SCOPED_TRACE(absl::StrCat("ct_size = ", ct.size(), ", trunc_ct_size = ", trunc_ct_size, ", chunk_size = ", chunk_size)); auto trunc_ct = std::make_unique( ct.substr(0, trunc_ct_size)); int position = 0; auto per_stream_seg_decrypter = absl::make_unique( pt_segment_size, header_size, ct_offset); auto dec_stream_result = DecryptingRandomAccessStream::New( std::move(per_stream_seg_decrypter), std::move(trunc_ct)); EXPECT_THAT(dec_stream_result, IsOk()); auto dec_stream = std::move(dec_stream_result.value()); auto buffer = std::move(util::Buffer::New(chunk_size).value()); auto status = dec_stream->PRead(position, chunk_size, buffer.get()); EXPECT_THAT(status, StatusIs(absl::StatusCode::kInvalidArgument)); } } } } } } } TEST(DecryptingRandomAccessStreamTest, OutOfRangeDecryption) { for (int pt_size : {0, 20, 42, 100, 1000, 10000}) { std::string plaintext = subtle::Random::GetRandomBytes(pt_size); for (int pt_segment_size : {50, 100, 123}) { for (int header_size : {5, 10, 20}) { SCOPED_TRACE(absl::StrCat("pt_size = ", pt_size, ", pt_segment_size = ", pt_segment_size, ", header_size = ", header_size)); int ct_offset = 0; DummyStreamingAead saead(pt_segment_size, header_size, ct_offset); // Pre-compute the ciphertext. auto ciphertext = GetCiphertextSource(&saead, plaintext, "some aad", ct_offset); // Check the decryption of the pre-computed ciphertext. auto seg_decrypter = absl::make_unique( pt_segment_size, header_size, ct_offset); auto dec_stream_result = DecryptingRandomAccessStream::New( std::move(seg_decrypter), std::move(ciphertext)); EXPECT_THAT(dec_stream_result, IsOk()); auto dec_stream = std::move(dec_stream_result.value()); int chunk_size = 1; auto buffer = std::move(util::Buffer::New(chunk_size).value()); int position = pt_size; // Negative chunk size. auto status = dec_stream->PRead(position, -1, buffer.get()); EXPECT_THAT(status, StatusIs(absl::StatusCode::kInvalidArgument)); // Negative position. status = dec_stream->PRead(-1, chunk_size, buffer.get()); EXPECT_THAT(status, StatusIs(absl::StatusCode::kInvalidArgument)); // Reading at EOF. status = dec_stream->PRead(position, chunk_size, buffer.get()); EXPECT_THAT(status, StatusIs(absl::StatusCode::kOutOfRange)); // Reading past EOF. status = dec_stream->PRead(position + 1 , chunk_size, buffer.get()); EXPECT_THAT(status, StatusIs(absl::StatusCode::kInvalidArgument)); } } } } TEST(DecryptingRandomAccessStreamTest, WrongCiphertext) { int pt_segment_size = 42; int header_size = 10; int ct_offset = 0; for (int ct_size : {0, 10, 100}) { SCOPED_TRACE(absl::StrCat("ct_size = ", ct_size)); // Try decrypting a wrong ciphertext. auto wrong_ct = std::make_unique( subtle::Random::GetRandomBytes(ct_size)); auto seg_decrypter = absl::make_unique( pt_segment_size, header_size, ct_offset); auto dec_stream_result = DecryptingRandomAccessStream::New( std::move(seg_decrypter), std::move(wrong_ct)); EXPECT_THAT(dec_stream_result, IsOk()); auto dec_stream = std::move(dec_stream_result.value()); std::string decrypted; int chunk_size = 1; int position = 0; auto buffer = std::move(util::Buffer::New(chunk_size).value()); auto status = dec_stream->PRead(position, chunk_size, buffer.get()); EXPECT_THAT(status, StatusIs(absl::StatusCode::kInvalidArgument)); } } TEST(DecryptingRandomAccessStreamTest, NullSegmentDecrypter) { auto ct_stream = std::make_unique("some ciphertext contents"); auto dec_stream_result = DecryptingRandomAccessStream::New(nullptr, std::move(ct_stream)); EXPECT_THAT(dec_stream_result.status(), StatusIs(absl::StatusCode::kInvalidArgument, HasSubstr("segment_decrypter must be non-null"))); } TEST(DecryptingRandomAccessStreamTest, NullCiphertextSource) { int pt_segment_size = 42; int header_size = 10; int ct_offset = 0; auto seg_decrypter = absl::make_unique( pt_segment_size, header_size, ct_offset); auto dec_stream_result = DecryptingRandomAccessStream::New(std::move(seg_decrypter), nullptr); EXPECT_THAT(dec_stream_result.status(), StatusIs(absl::StatusCode::kInvalidArgument, HasSubstr("cipertext_source must be non-null"))); } } // namespace } // namespace subtle } // namespace tink } // namespace crypto