TestCacheCrypto.cpp

Enable keyboard shortcuts

/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include <cstring>

#include "CacheCrypto.h"

#include "gtest/gtest.h"

#include "mozilla/Preferences.h"

#include "nsCOMPtr.h"

#include "nsIX509CertDB.h"

#include "nsServiceManagerUtils.h"

#include "nsTArray.h"

using namespace mozilla;

using namespace mozilla::net;

namespace {

// CacheCrypto needs NSS (PK11) and a loaded key. Getting the cert DB service

// initializes NSS; InitForTesting() then loads or generates the key without

// depending on the "once"-mirrored enabled pref. Returns the usable instance,

// or null if setup failed.

static already_AddRefed<CacheCrypto> InitCryptoForTest() {

  nsCOMPtr<nsIX509CertDB> certDB(do_GetService(NS_X509CERTDB_CONTRACTID));

  EXPECT_TRUE(certDB);

  CacheCrypto::InitForTesting();

  return CacheCrypto::GetInstanceOrNull();

}  // namespace

TEST(CacheCrypto, RoundTrip)

  RefPtr<CacheCrypto> crypto = InitCryptoForTest();

  ASSERT_TRUE(crypto);

  // Length deliberately not a multiple of the AES block size.

  const char* msg = "The quick brown fox jumps over the lazy dog -- 0123456789";

  const uint32_t len = strlen(msg);

  nsTArray<uint8_t> block;

  block.SetLength(len + CacheCrypto::kBlockOverhead);

  nsTArray<uint8_t> roundtrip;

  roundtrip.SetLength(len);

  for (uint64_t blockNumber :

       {uint64_t(0), uint64_t(1), uint64_t(7), uint64_t(12345),

        CacheCrypto::kMetadataBlockNumber}) {

    ASSERT_EQ(NS_OK, crypto->EncryptBlock(blockNumber,

                                          reinterpret_cast<const uint8_t*>(msg),

                                          len, block.Elements()));

    // Ciphertext differs from plaintext.

    EXPECT_NE(0, memcmp(block.Elements(), msg, len));

    ASSERT_EQ(NS_OK, crypto->DecryptBlock(blockNumber, block.Elements(), len,

                                          roundtrip.Elements()));

    EXPECT_EQ(0, memcmp(roundtrip.Elements(), msg, len));

  CacheCrypto::Shutdown();

TEST(CacheCrypto, TamperAndWrongBlockFail)

  RefPtr<CacheCrypto> crypto = InitCryptoForTest();

  ASSERT_TRUE(crypto);

  const char* msg = "authenticated payload";

  const uint32_t len = strlen(msg);

  nsTArray<uint8_t> block;

  block.SetLength(len + CacheCrypto::kBlockOverhead);

  nsTArray<uint8_t> out;

  out.SetLength(len);

  ASSERT_EQ(NS_OK,

            crypto->EncryptBlock(3, reinterpret_cast<const uint8_t*>(msg), len,

                                 block.Elements()));

  // Decrypting with a different block number fails: the block number is bound

  // as additional authenticated data.

  EXPECT_NE(NS_OK,

            crypto->DecryptBlock(4, block.Elements(), len, out.Elements()));

  // Tampered ciphertext fails the AEAD tag check.

  nsTArray<uint8_t> tampered = block.Clone();

  tampered[0] ^= 0x01;

  EXPECT_NE(NS_OK,

            crypto->DecryptBlock(3, tampered.Elements(), len, out.Elements()));

  // The untouched block at its own block number still decrypts.

  EXPECT_EQ(NS_OK,

            crypto->DecryptBlock(3, block.Elements(), len, out.Elements()));

  EXPECT_EQ(0, memcmp(out.Elements(), msg, len));

  CacheCrypto::Shutdown();

TEST(CacheCrypto, WrongKeyFails)

  // Encrypt a block with the session's key.

  RefPtr<CacheCrypto> crypto = InitCryptoForTest();

  ASSERT_TRUE(crypto);

  const char* msg = "secret cache contents";

  const uint32_t len = strlen(msg);

  nsTArray<uint8_t> block;

  block.SetLength(len + CacheCrypto::kBlockOverhead);

  ASSERT_EQ(NS_OK,

            crypto->EncryptBlock(0, reinterpret_cast<const uint8_t*>(msg), len,

                                 block.Elements()));

  // Model a later session whose key pref is empty / different: clearing the key

  // pref makes Init() generate a fresh (different) key. This covers both "the

  // key pref is empty" and "the key does not match".

  CacheCrypto::Shutdown();

  Preferences::SetCString("browser.cache.disk.encryption.key", ""_ns);

  CacheCrypto::InitForTesting();

  RefPtr<CacheCrypto> crypto2 = CacheCrypto::GetInstanceOrNull();

  ASSERT_TRUE(crypto2);

  // Decrypting the block written with the old key must fail (AEAD auth).

  nsTArray<uint8_t> out;

  out.SetLength(len);

  EXPECT_NE(NS_OK,

            crypto2->DecryptBlock(0, block.Elements(), len, out.Elements()));

  CacheCrypto::Shutdown();

TEST(CacheCrypto, FreshNoncePerEncryption)

  RefPtr<CacheCrypto> crypto = InitCryptoForTest();

  ASSERT_TRUE(crypto);

  const char* msg = "identical plaintext, identical block number";

  const uint32_t len = strlen(msg);

  nsTArray<uint8_t> b1, b2;

  b1.SetLength(len + CacheCrypto::kBlockOverhead);

  b2.SetLength(len + CacheCrypto::kBlockOverhead);

  ASSERT_EQ(NS_OK,

            crypto->EncryptBlock(0, reinterpret_cast<const uint8_t*>(msg), len,

                                 b1.Elements()));

  ASSERT_EQ(NS_OK,

            crypto->EncryptBlock(0, reinterpret_cast<const uint8_t*>(msg), len,

                                 b2.Elements()));

  // Same key/block/plaintext, but a fresh random nonce per encryption means the

  // ciphertext (and nonce) differ. This is what prevents keystream/nonce reuse

  // when a block is rewritten.

  EXPECT_NE(0, memcmp(b1.Elements(), b2.Elements(),

                      len + CacheCrypto::kBlockOverhead));

  CacheCrypto::Shutdown();