// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/quic/crypto/aes_128_gcm_12_decrypter.h"

#include "net/quic/test_tools/quic_test_utils.h"

using base::StringPiece;

namespace {

// The AES GCM test vectors come from the file gcmDecrypt128.rsp
// downloaded from http://csrc.nist.gov/groups/STM/cavp/index.html on
// 2013-02-01. The test vectors in that file look like this:
// [Keylen = 128]
// [IVlen = 96]
// [PTlen = 0]
// [AADlen = 0]
// [Taglen = 128]
// Count = 0
// Key = cf063a34d4a9a76c2c86787d3f96db71
// IV = 113b9785971864c83b01c787
// CT =
// AAD =
// Tag = 72ac8493e3a5228b5d130a69d2510e42
// PT =
// Count = 1
// Key = a49a5e26a2f8cb63d05546c2a62f5343
// IV = 907763b19b9b4ab6bd4f0281
// CT =
// AAD =
// Tag = a2be08210d8c470a8df6e8fbd79ec5cf
// ...
// The gcmDecrypt128.rsp file is huge (2.6 MB), so I selected just a
// few test vectors for this unit test.

// Describes a group of test vectors that all have a given key length, IV
// length, plaintext length, AAD length, and tag length.
struct TestGroupInfo {
  size_t key_len;
  size_t iv_len;
  size_t pt_len;
  size_t aad_len;
  size_t tag_len;

// Each test vector consists of six strings of lowercase hexadecimal digits.
// The strings may be empty (zero length). A test vector with a NULL |key|
// marks the end of an array of test vectors.
struct TestVector {
  // Input:
  const char* key;
  const char* iv;
  const char* ct;
  const char* aad;
  const char* tag;

  // Expected output:
  const char* pt;  // An empty string "" means decryption succeeded and
                   // the plaintext is zero-length. NULL means decryption
                   // failed.

const TestGroupInfo test_group_info[] = {
  { 128, 96, 0, 0, 128 },
  { 128, 96, 0, 128, 128 },
  { 128, 96, 128, 0, 128 },
  { 128, 96, 408, 160, 128 },
  { 128, 96, 408, 720, 128 },
  { 128, 96, 104, 0, 128 },

const TestVector test_group_0[] = {
  { "cf063a34d4a9a76c2c86787d3f96db71",
  { "a49a5e26a2f8cb63d05546c2a62f5343",
    NULL  // FAIL
  { NULL }

const TestVector test_group_1[] = {
  { "d1f6af919cde85661208bdce0c27cb22",
    NULL  // FAIL
  { "2370e320d4344208e0ff5683f243b213",
  { NULL }

const TestVector test_group_2[] = {
  { "e98b72a9881a84ca6b76e0f43e68647a",
  { "33240636cd3236165f1a553b773e728e",
  { "5164df856f1e9cac04a79b808dc5be39",
    NULL  // FAIL
  { NULL }

const TestVector test_group_3[] = {
  { "af57f42c60c0fc5a09adb81ab86ca1c3",
  { "ebc753e5422b377d3cb64b58ffa41b61",
  { "52bdbbf9cf477f187ec010589cb39d58",
    NULL  // FAIL
  { NULL }

const TestVector test_group_4[] = {
  { "da2bb7d581493d692380c77105590201",
  { "d74e4958717a9d5c0e235b76a926cae8",
  { "1986310c725ac94ecfe6422e75fc3ee7",
    NULL  // FAIL
  { NULL }

const TestVector test_group_5[] = {
  { "387218b246c1a8257748b56980e50c94",
  { "294de463721e359863887c820524b3d4",
  { "28ead7fd2179e0d12aa6d5d88c58c2dc",
  { "7d7b6c988137b8d470c57bf674a09c87",
    NULL  // FAIL
  { NULL }

const TestVector* const test_group_array[] = {

}  // namespace

namespace net {
namespace test {

// DecryptWithNonce wraps the |Decrypt| method of |decrypter| to allow passing
// in an nonce and also to allocate the buffer needed for the plaintext.
QuicData* DecryptWithNonce(Aes128Gcm12Decrypter* decrypter,
                           StringPiece nonce,
                           StringPiece associated_data,
                           StringPiece ciphertext) {
  size_t plaintext_size = ciphertext.length();
  scoped_ptr<char[]> plaintext(new char[plaintext_size]);

  if (!decrypter->Decrypt(nonce, associated_data, ciphertext,
                          reinterpret_cast<unsigned char*>(plaintext.get()),
                          &plaintext_size)) {
    return NULL;
  return new QuicData(plaintext.release(), plaintext_size, true);

TEST(Aes128Gcm12DecrypterTest, Decrypt) {
  for (size_t i = 0; i < arraysize(test_group_array); i++) {
    const TestVector* test_vectors = test_group_array[i];
    const TestGroupInfo& test_info = test_group_info[i];
    for (size_t j = 0; test_vectors[j].key != NULL; j++) {
      // If not present then decryption is expected to fail.
      bool has_pt = test_vectors[j].pt;

      // Decode the test vector.
      string key;
      string iv;
      string ct;
      string aad;
      string tag;
      string pt;
      ASSERT_TRUE(DecodeHexString(test_vectors[j].key, &key));
      ASSERT_TRUE(DecodeHexString(test_vectors[j].iv, &iv));
      ASSERT_TRUE(DecodeHexString(test_vectors[j].ct, &ct));
      ASSERT_TRUE(DecodeHexString(test_vectors[j].aad, &aad));
      ASSERT_TRUE(DecodeHexString(test_vectors[j].tag, &tag));
      if (has_pt) {
        ASSERT_TRUE(DecodeHexString(test_vectors[j].pt, &pt));

      // The test vector's lengths should look sane. Note that the lengths
      // in |test_info| are in bits.
      EXPECT_EQ(test_info.key_len, key.length() * 8);
      EXPECT_EQ(test_info.iv_len, iv.length() * 8);
      EXPECT_EQ(test_info.pt_len, ct.length() * 8);
      EXPECT_EQ(test_info.aad_len, aad.length() * 8);
      EXPECT_EQ(test_info.tag_len, tag.length() * 8);
      if (has_pt) {
        EXPECT_EQ(test_info.pt_len, pt.length() * 8);

      // The test vectors have 16 byte authenticators but this code only uses
      // the first 12.
      string ciphertext = ct + tag;

      Aes128Gcm12Decrypter decrypter;

      scoped_ptr<QuicData> decrypted(DecryptWithNonce(
          &decrypter, iv,
          // This deliberately tests that the decrypter can handle an AAD that
          // is set to NULL, as opposed to a zero-length, non-NULL pointer.
          aad.length() ? aad : StringPiece(), ciphertext));
      if (!decrypted.get()) {

      ASSERT_EQ(pt.length(), decrypted->length());
      test::CompareCharArraysWithHexError("plaintext", decrypted->data(),
                                          pt.length(), pt.data(), pt.length());

}  // namespace test
}  // namespace net