src/crypto/internal/cryptotest/block.go

// Copyright 2024 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package cryptotest

import (
	"bytes"
	"crypto/cipher"
	"testing"
)

type MakeBlock func(key []byte) (cipher.Block, error)

// TestBlock performs a set of tests on cipher.Block implementations, checking
// the documented requirements of BlockSize, Encrypt, and Decrypt.
func TestBlock(t *testing.T, keySize int, mb MakeBlock) {
	// Generate random key
	key := make([]byte, keySize)
	newRandReader(t).Read(key)
	t.Logf("Cipher key: 0x%x", key)

	block, err := mb(key)
	if err != nil {
		t.Fatal(err)
	}

	blockSize := block.BlockSize()

	t.Run("Encryption", func(t *testing.T) {
		testCipher(t, block.Encrypt, blockSize)
	})

	t.Run("Decryption", func(t *testing.T) {
		testCipher(t, block.Decrypt, blockSize)
	})

	// Checks baseline Encrypt/Decrypt functionality.  More thorough
	// implementation-specific characterization/golden tests should be done
	// for each block cipher implementation.
	t.Run("Roundtrip", func(t *testing.T) {
		rng := newRandReader(t)

		// Check Decrypt inverts Encrypt
		before, ciphertext, after := make([]byte, blockSize), make([]byte, blockSize), make([]byte, blockSize)

		rng.Read(before)

		block.Encrypt(ciphertext, before)
		block.Decrypt(after, ciphertext)

		if !bytes.Equal(after, before) {
			t.Errorf("plaintext is different after an encrypt/decrypt cycle; got %x, want %x", after, before)
		}

		// Check Encrypt inverts Decrypt (assumes block ciphers are deterministic)
		before, plaintext, after := make([]byte, blockSize), make([]byte, blockSize), make([]byte, blockSize)

		rng.Read(before)

		block.Decrypt(plaintext, before)
		block.Encrypt(after, plaintext)

		if !bytes.Equal(after, before) {
			t.Errorf("ciphertext is different after a decrypt/encrypt cycle; got %x, want %x", after, before)
		}
	})

}

func testCipher(t *testing.T, cipher func(dst, src []byte), blockSize int) {
	t.Run("AlterInput", func(t *testing.T) {
		rng := newRandReader(t)

		// Make long src that shouldn't be modified at all, within block
		// size scope or beyond it
		src, before := make([]byte, blockSize*2), make([]byte, blockSize*2)
		rng.Read(src)
		copy(before, src)

		dst := make([]byte, blockSize)

		cipher(dst, src)
		if !bytes.Equal(src, before) {
			t.Errorf("block cipher modified src; got %x, want %x", src, before)
		}
	})

	t.Run("Aliasing", func(t *testing.T) {
		rng := newRandReader(t)

		buff, expectedOutput := make([]byte, blockSize), make([]byte, blockSize)

		// Record what output is when src and dst are different
		rng.Read(buff)
		cipher(expectedOutput, buff)

		// Check that the same output is generated when src=dst alias to the same
		// memory
		cipher(buff, buff)
		if !bytes.Equal(buff, expectedOutput) {
			t.Errorf("block cipher produced different output when dst = src; got %x, want %x", buff, expectedOutput)
		}
	})

	t.Run("OutOfBoundsWrite", func(t *testing.T) {
		rng := newRandReader(t)

		src := make([]byte, blockSize)
		rng.Read(src)

		// Make a buffer with dst in the middle and data on either end
		buff := make([]byte, blockSize*3)
		endOfPrefix, startOfSuffix := blockSize, blockSize*2
		rng.Read(buff[:endOfPrefix])
		rng.Read(buff[startOfSuffix:])
		dst := buff[endOfPrefix:startOfSuffix]

		// Record the prefix and suffix data to make sure they aren't written to
		initPrefix, initSuffix := make([]byte, blockSize), make([]byte, blockSize)
		copy(initPrefix, buff[:endOfPrefix])
		copy(initSuffix, buff[startOfSuffix:])

		// Write to dst (the middle of the buffer) and make sure it doesn't write
		// beyond the dst slice
		cipher(dst, src)
		if !bytes.Equal(buff[startOfSuffix:], initSuffix) {
			t.Errorf("block cipher did out of bounds write after end of dst slice; got %x, want %x", buff[startOfSuffix:], initSuffix)
		}
		if !bytes.Equal(buff[:endOfPrefix], initPrefix) {
			t.Errorf("block cipher did out of bounds write before beginning of dst slice; got %x, want %x", buff[:endOfPrefix], initPrefix)
		}

		// Check that dst isn't written to beyond BlockSize even if there is room
		// in the slice
		dst = buff[endOfPrefix:] // Extend dst to include suffix
		cipher(dst, src)
		if !bytes.Equal(buff[startOfSuffix:], initSuffix) {
			t.Errorf("block cipher modified dst past BlockSize bytes; got %x, want %x", buff[startOfSuffix:], initSuffix)
		}
	})

	// Check that output of cipher isn't affected by adjacent data beyond input
	// slice scope
	// For encryption, this assumes block ciphers encrypt deterministically
	t.Run("OutOfBoundsRead", func(t *testing.T) {
		rng := newRandReader(t)

		src := make([]byte, blockSize)
		rng.Read(src)
		expectedDst := make([]byte, blockSize)
		cipher(expectedDst, src)

		// Make a buffer with src in the middle and data on either end
		buff := make([]byte, blockSize*3)
		endOfPrefix, startOfSuffix := blockSize, blockSize*2

		copy(buff[endOfPrefix:startOfSuffix], src)
		rng.Read(buff[:endOfPrefix])
		rng.Read(buff[startOfSuffix:])

		testDst := make([]byte, blockSize)
		cipher(testDst, buff[endOfPrefix:startOfSuffix])
		if !bytes.Equal(testDst, expectedDst) {
			t.Errorf("block cipher affected by data outside of src slice bounds; got %x, want %x", testDst, expectedDst)
		}

		// Check that src isn't read from beyond BlockSize even if the slice is
		// longer and contains data in the suffix
		cipher(testDst, buff[endOfPrefix:]) // Input long src
		if !bytes.Equal(testDst, expectedDst) {
			t.Errorf("block cipher affected by src data beyond BlockSize bytes; got %x, want %x", buff[startOfSuffix:], expectedDst)
		}
	})

	t.Run("NonZeroDst", func(t *testing.T) {
		rng := newRandReader(t)

		// Record what the cipher writes into a destination of zeroes
		src := make([]byte, blockSize)
		rng.Read(src)
		expectedDst := make([]byte, blockSize)

		cipher(expectedDst, src)

		// Make nonzero dst
		dst := make([]byte, blockSize*2)
		rng.Read(dst)

		// Remember the random suffix which shouldn't be written to
		expectedDst = append(expectedDst, dst[blockSize:]...)

		cipher(dst, src)
		if !bytes.Equal(dst, expectedDst) {
			t.Errorf("block cipher behavior differs when given non-zero dst; got %x, want %x", dst, expectedDst)
		}
	})

	t.Run("BufferOverlap", func(t *testing.T) {
		rng := newRandReader(t)

		buff := make([]byte, blockSize*2)
		rng.Read((buff))

		// Make src and dst slices point to same array with inexact overlap
		src := buff[:blockSize]
		dst := buff[1 : blockSize+1]
		mustPanic(t, "invalid buffer overlap", func() { cipher(dst, src) })

		// Only overlap on one byte
		src = buff[:blockSize]
		dst = buff[blockSize-1 : 2*blockSize-1]
		mustPanic(t, "invalid buffer overlap", func() { cipher(dst, src) })

		// src comes after dst with one byte overlap
		src = buff[blockSize-1 : 2*blockSize-1]
		dst = buff[:blockSize]
		mustPanic(t, "invalid buffer overlap", func() { cipher(dst, src) })
	})

	// Test short input/output.
	// Assembly used to not notice.
	// See issue 7928.
	t.Run("ShortBlock", func(t *testing.T) {
		// Returns slice of n bytes of an n+1 length array.  Lets us test that a
		// slice is still considered too short even if the underlying array it
		// points to is large enough
		byteSlice := func(n int) []byte { return make([]byte, n+1)[0:n] }

		// Off by one byte
		mustPanic(t, "input not full block", func() { cipher(byteSlice(blockSize), byteSlice(blockSize-1)) })
		mustPanic(t, "output not full block", func() { cipher(byteSlice(blockSize-1), byteSlice(blockSize)) })

		// Small slices
		mustPanic(t, "input not full block", func() { cipher(byteSlice(1), byteSlice(1)) })
		mustPanic(t, "input not full block", func() { cipher(byteSlice(100), byteSlice(1)) })
		mustPanic(t, "output not full block", func() { cipher(byteSlice(1), byteSlice(100)) })
	})
}

func mustPanic(t *testing.T, msg string, f func()) {
	t.Helper()

	defer func() {
		t.Helper()

		err := recover()

		if err == nil {
			t.Errorf("function did not panic for %q", msg)
		}
	}()
	f()
}