Remove AES limitations, symmetric coverage bump

D3vl0per · Jan 7, 2024 · bace9d8 · bace9d8
1 parent 4b258b5
commit bace9d8
Show file tree

Hide file tree

Showing 5 changed files with 568 additions and 225 deletions.
diff --git a/insecure/asymmetric/asymmetric_test.go b/insecure/asymmetric/asymmetric_test.go
@@ -40,4 +40,8 @@ func TestE2EEEncryptDecryptBox(t *testing.T) {
 
 	r.Equal(t, expectedPlaintext, plaintext)
 	t.Log("Ciphertext:", ciphertext)
+
+	expectedPlaintextError, err := asymmetric.DecryptBox(sender.PK, recipient.SK, make([]byte, 32))
+	r.Nil(t, expectedPlaintextError)
+	r.ErrorContains(t, err, "decryption error")
 }
diff --git a/insecure/symmetric/symmetric.go b/insecure/symmetric/symmetric.go
@@ -42,10 +42,13 @@ func (s *SecretBox) Decrypt(key, payload []byte) ([]byte, error) {
 	if len(key) != 32 {
 		return nil, errors.New("invalid key size")
 	}
-
 	var secretKey [32]byte
 	subtle.ConstantTimeCopy(1, secretKey[:], key)
 
+	if len(payload) < 24 {
+		return nil, errors.New("payload is too short")
+	}
+
 	var nonce [24]byte
 	subtle.ConstantTimeCopy(1, nonce[:], payload[:24])
 
@@ -60,10 +63,6 @@ func (s *SecretBox) Decrypt(key, payload []byte) ([]byte, error) {
 type AesCTR struct{}
 
 func (a *AesCTR) Encrypt(key, payload []byte) ([]byte, error) {
-	if len(key) != 32 {
-		return nil, errors.New("invalid key size")
-	}
-
 	if generic.AllZero(key) {
 		return nil, errors.New("key is all zero")
 	}
@@ -79,21 +78,13 @@ func (a *AesCTR) Encrypt(key, payload []byte) ([]byte, error) {
 		return nil, err
 	}
 
-	if generic.AllZero(iv) {
-		return nil, errors.New("iv is all zero")
-	}
-
 	stream := cipher.NewCTR(block, iv)
 	stream.XORKeyStream(ciphertext[aes.BlockSize:], payload)
 
 	return ciphertext, nil
 }
 
 func (a *AesCTR) Decrypt(key, payload []byte) ([]byte, error) {
-	if len(key) != 32 {
-		return nil, errors.New("invalid key size")
-	}
-
 	if generic.AllZero(key) {
 		return nil, errors.New("key is all zero")
 	}
@@ -117,10 +108,6 @@ func (a *AesCTR) Decrypt(key, payload []byte) ([]byte, error) {
 type AesCBC struct{}
 
 func (a *AesCBC) Encrypt(key, payload []byte) ([]byte, error) {
-	if len(key) != 32 {
-		return nil, errors.New("invalid key size")
-	}
-
 	if generic.AllZero(key) {
 		return nil, errors.New("key is all zero")
 	}
@@ -140,20 +127,12 @@ func (a *AesCBC) Encrypt(key, payload []byte) ([]byte, error) {
 		return nil, err
 	}
 
-	if generic.AllZero(iv) {
-		return nil, errors.New("iv is all zero")
-	}
-
 	mode := cipher.NewCBCEncrypter(block, iv)
 	mode.CryptBlocks(ciphertext[aes.BlockSize:], payload)
 	return ciphertext, nil
 }
 
 func (a *AesCBC) Decrypt(key, payload []byte) ([]byte, error) {
-	if len(key) != 32 {
-		return nil, errors.New("invalid key size")
-	}
-
 	if generic.AllZero(key) {
 		return nil, errors.New("key is all zero")
 	}

diff --git a/insecure/symmetric/symmetric_test.go b/insecure/symmetric/symmetric_test.go
@@ -8,7 +8,7 @@ import (
 	r "github.com/stretchr/testify/require"
 )
 
-func TestSymmetricEncryption(t *testing.T) {
+func TestE2E(t *testing.T) {
 	testCases := []struct {
 		name    string
 		sym     symmetric.Symmetric
@@ -48,71 +48,190 @@ func TestSymmetricEncryption(t *testing.T) {
 	}
 }
 
-func TestAesCBCKeyFault(t *testing.T) {
-	testCases := []struct {
+func TestE2EFault(t *testing.T) {
+
+	type cases struct {
+		name string
 		key         []byte
 		payload     []byte
 		expectedErr string
+	}
+
+	type testStructue struct {
+		name   string
 		sym     symmetric.Symmetric
-	}{	
+		encrypt []cases
+		decrypt []cases
+	}
+
+	testCases := []testStructue{
 		{
-			key:         generateKey(t, 31),
-			payload:     make([]byte, 16),
-			expectedErr: "invalid key size",
+			name:  "NaClSecretBox",
 			sym: &symmetric.SecretBox{},
+			encrypt: []cases{
+				{	
+					name: 	  	"key size 31, invalid key size",
+					key:         generateKey(t, 31),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+			},
+			decrypt: []cases{
+				{	
+					name: 	  	"key size 31, invalid key size",
+					key:         generateKey(t, 31),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+				{
+					name: 	  	"non-decryptable payload, decryption error",
+					key:         make([]byte, 32),
+					payload:     make([]byte, 32),
+					expectedErr: "decryption error",
+				},
+				{
+					name:        "invalid payload,payload is too short",
+					key:         generateKey(t, 32),
+					payload:     make([]byte, 16),
+					expectedErr: "payload is too short",
+				},
+			},
 		},
 		{
-			key:         generateKey(t, 31),
-			payload:     make([]byte, 16),
-			expectedErr: "invalid key size",
-			sym: &symmetric.AesCTR{},
-		},
-		{
-			key:         generateKey(t, 33),
-			payload:     make([]byte, 16),
-			expectedErr: "invalid key size",
-			sym: &symmetric.AesCTR{},
-		},
-		{
-			key:         make([]byte, 32),
-			payload:     make([]byte, 16),
-			expectedErr: "key is all zero",
+			name:  "AES-CTR",
 			sym: &symmetric.AesCTR{},
+			encrypt: []cases{
+				{	
+					name: 	  	"key size 31, invalid key size",
+					key:         generateKey(t, 31),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+				{
+					name: 	  	"key size 33, invalid key size",
+					key:         generateKey(t, 33),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+				{
+					name: 	  	"key is all zero",
+					key:         make([]byte, 32),
+					payload:     make([]byte, 16),
+					expectedErr: "key is all zero",
+				},
+			},
+			decrypt: []cases{
+				{	
+					name: 	  	"key size 31, invalid key size",
+					key:         generateKey(t, 31),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+				{
+					name: 	  	"key size 33, invalid key size",
+					key:         generateKey(t, 33),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+				{
+					name: 	  	"key is all zero",
+					key:         make([]byte, 32),
+					payload:     make([]byte, 16),
+					expectedErr: "key is all zero",
+				},
+				{
+					name:        "invalid payload, payload is too short",
+					key:         generateKey(t, 32),
+					payload:     make([]byte, 15),
+					expectedErr: "payload is too short",
+				},
+			},
 		},
 		{
-			key:         generateKey(t, 31),
-			payload:     make([]byte, 16),
-			expectedErr: "invalid key size",
-			sym: &symmetric.AesCBC{},
-		},
-		{
-			key:         generateKey(t, 33),
-			payload:     make([]byte, 16),
-			expectedErr: "invalid key size",
-			sym: &symmetric.AesCBC{},
-		},
-		{
-			key:         make([]byte, 32),
-			payload:     make([]byte, 16),
-			expectedErr: "key is all zero",
-			sym: &symmetric.AesCBC{},
-		},
-		{
-			key:         generateKey(t, 32),
-			payload:     make([]byte, 14),
-			expectedErr: "payload is not a multiple of the block size",
+			name:  "AES-CBC",
 			sym: &symmetric.AesCBC{},
+			encrypt: []cases{
+				{
+					name: 	  	"key size 31, invalid key size",
+					key:         generateKey(t, 31),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+				{
+					name: 	  	"key size 33, invalid key size",
+					key:         generateKey(t, 33),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+				{
+					name: 	  	"key size 15, invalid key size",
+					key:         generateKey(t, 15),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+				{
+					name: 	  	"key is all zero",
+					key:         make([]byte, 32),
+					payload:     make([]byte, 16),
+					expectedErr: "key is all zero",
+				}, 
+				{
+					name: 	  	"payload is not a multiple of the block size",
+					key:         generateKey(t, 32),
+					payload:     make([]byte, 14),
+					expectedErr: "payload is not a multiple of the block size",
+				},
+			},
+			decrypt: []cases{
+				{	
+					name: 	  	"key size 31, invalid key size",
+					key:         generateKey(t, 31),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+				{
+					name: 	  	"key size 33, invalid key size",
+					key:         generateKey(t, 33),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+				{
+					name: 	  	"key size 15, invalid key size",
+					key:         generateKey(t, 15),
+					payload:     make([]byte, 16),
+					expectedErr: "invalid key size",
+				},
+				{
+					name: 	  	"key is all zero",
+					key:         make([]byte, 32),
+					payload:     make([]byte, 16),
+					expectedErr: "key is all zero",
+				}, 
+				{
+					name: 	  	"payload is not a multiple of the block size",
+					key:         generateKey(t, 32),
+					payload:     make([]byte, 14),
+					expectedErr: "payload is not a multiple of the block size",
+				},
+			},
 		},
 	}
 
 	for _, tc := range testCases {
-		ciphertext, err := tc.sym.Encrypt(tc.key, tc.payload)
-		r.Nil(t, ciphertext)
-		r.ErrorContains(t, err, tc.expectedErr)
-
-		plaintext, err := tc.sym.Decrypt(tc.key, ciphertext)
-		r.Nil(t, plaintext)
-		r.ErrorContains(t, err, tc.expectedErr)
+		for _, c := range tc.encrypt {
+			t.Run(tc.name+ "/encryption/" + c.name, func(t *testing.T) {
+				ciphertext, err := tc.sym.Encrypt(c.key, c.payload)
+				r.Nil(t, ciphertext)
+				r.ErrorContains(t, err, c.expectedErr)
+			})
+		}
+		for _, c := range tc.decrypt {
+			t.Run(tc.name+ "/decryption/" + c.name, func(t *testing.T) {
+				plaintext, err := tc.sym.Decrypt(c.key, c.payload)
+				r.Nil(t, plaintext)
+				r.ErrorContains(t, err, c.expectedErr)
+			})
+		}
 	}
 }