authorDavid Benjamin <davidben@chromium.org>2014-12-25 13:14:18 +0300
committerAdam Langley <agl@google.com>2015-01-15 00:09:16 +0300
commit0ebfac554e25b8bad3cd17ddfc825e4822423888 (patch)
tree6defeb8d6f72a2b820ac3048747c7ca144a37f40 /crypto
parente9e38375a65044bc8f4f08c3752d79db192d35d4 (diff)
Add tests for padding variations.
Test that SSLv3 accepts arbitrary padding bytes (hello, POODLE) and rejects non-minimal padding, while TLS accepts non-minimal padding but rejects arbitrary padding bytes. Also test what happens when the MAC is correct, but there is no padding. This is the case that triggers a failing padding_ok check after the MAC check on padding_len = 0 passes. Change-Id: Ia1444c526437899fc57ceafcbcef9c8f5cb9a6c5 Reviewed-on: https://boringssl-review.googlesource.com/2702 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'crypto')
-rw-r--r--crypto/cipher/aead_test.c148
-rw-r--r--crypto/cipher/test/aes_128_cbc_sha1_ssl3_tests.txt32
-rw-r--r--crypto/cipher/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt32
-rw-r--r--crypto/cipher/test/aes_128_cbc_sha1_tls_tests.txt32
-rw-r--r--crypto/cipher/test/aes_128_cbc_sha256_tls_tests.txt32
-rw-r--r--crypto/cipher/test/aes_256_cbc_sha1_ssl3_tests.txt32
-rw-r--r--crypto/cipher/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt32
-rw-r--r--crypto/cipher/test/aes_256_cbc_sha1_tls_tests.txt32
-rw-r--r--crypto/cipher/test/aes_256_cbc_sha256_tls_tests.txt32
-rw-r--r--crypto/cipher/test/aes_256_cbc_sha384_tls_tests.txt32
-rw-r--r--crypto/cipher/test/des_ede3_cbc_sha1_ssl3_tests.txt32
-rw-r--r--crypto/cipher/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt32
-rw-r--r--crypto/cipher/test/des_ede3_cbc_sha1_tls_tests.txt32
-rw-r--r--crypto/cipher/test/make_legacy_aead_tests.go119
14 files changed, 567 insertions, 84 deletions
diff --git a/crypto/cipher/aead_test.c b/crypto/cipher/aead_test.c
index 921a8175..df8123b0 100644
--- a/crypto/cipher/aead_test.c
+++ b/crypto/cipher/aead_test.c
@@ -51,11 +51,14 @@ enum {
CT, /* hex encoded ciphertext (not including the authenticator,
which is next). */
TAG, /* hex encoded authenticator. */
+ NO_SEAL, /* non-zero length if seal(IN) is not expected to be CT+TAG,
+ however open(CT+TAG) should still be IN. */
+ FAILS, /* non-zero length if open(CT+TAG) is expected to fail. */
NUM_TYPES,
};
-static const char NAMES[6][NUM_TYPES] = {
- "KEY", "NONCE", "IN", "AD", "CT", "TAG",
+static const char NAMES[8][NUM_TYPES] = {
+ "KEY", "NONCE", "IN", "AD", "CT", "TAG", "NO_SEAL", "FAILS",
};
static unsigned char hex_digit(char h) {
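Review bot: The dimensions of `NAMES[8][NUM_TYPES]` look transposed: the first bound is a hand-counted number of names, and `NUM_TYPES` is being used as the per-name buffer size. It works only because both are 8 after this change, and `"NO_SEAL"` needs exactly 8 bytes including its terminator, so a later name of eight characters would lose its NUL without a diagnostic. Declaring it as `static const char NAMES[NUM_TYPES][8] = {` ties the row count to the enum and makes the name-length limit explicit. How NAMES is indexed is outside this hunk, so confirm the readers agree with that layout.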
@@ -84,27 +87,33 @@ static int run_test_case(const EVP_AEAD *aead,
return 0;
}
- if (!EVP_AEAD_CTX_seal(&ctx, out, &ciphertext_len, sizeof(out), bufs[NONCE],
- lengths[NONCE], bufs[IN], lengths[IN], bufs[AD],
- lengths[AD])) {
- fprintf(stderr, "Failed to run AEAD on line %u\n", line_no);
- return 0;
- }
+ if (!lengths[NO_SEAL]) {
+ if (!EVP_AEAD_CTX_seal(&ctx, out, &ciphertext_len, sizeof(out), bufs[NONCE],
+ lengths[NONCE], bufs[IN], lengths[IN], bufs[AD],
+ lengths[AD])) {
+ fprintf(stderr, "Failed to run AEAD on line %u\n", line_no);
+ return 0;
+ }
- if (ciphertext_len != lengths[CT] + lengths[TAG]) {
- fprintf(stderr, "Bad output length on line %u: %u vs %u\n", line_no,
- (unsigned)ciphertext_len, (unsigned)(lengths[CT] + lengths[TAG]));
- return 0;
- }
+ if (ciphertext_len != lengths[CT] + lengths[TAG]) {
+ fprintf(stderr, "Bad output length on line %u: %u vs %u\n", line_no,
+ (unsigned)ciphertext_len, (unsigned)(lengths[CT] + lengths[TAG]));
+ return 0;
+ }
- if (memcmp(out, bufs[CT], lengths[CT]) != 0) {
- fprintf(stderr, "Bad output on line %u\n", line_no);
- return 0;
- }
+ if (memcmp(out, bufs[CT], lengths[CT]) != 0) {
+ fprintf(stderr, "Bad output on line %u\n", line_no);
+ return 0;
+ }
- if (memcmp(out + lengths[CT], bufs[TAG], lengths[TAG]) != 0) {
- fprintf(stderr, "Bad tag on line %u\n", line_no);
- return 0;
+ if (memcmp(out + lengths[CT], bufs[TAG], lengths[TAG]) != 0) {
+ fprintf(stderr, "Bad tag on line %u\n", line_no);
+ return 0;
+ }
+ } else {
+ memcpy(out, bufs[CT], lengths[CT]);
+ memcpy(out + lengths[CT], bufs[TAG], lengths[TAG]);
+ ciphertext_len = lengths[CT] + lengths[TAG];
}
/* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
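Review bot: The new `else` branch copies `lengths[CT] + lengths[TAG]` bytes into `out` with no bound check, whereas the seal path is limited by the `sizeof(out)` passed as max_out. The lengths come from the test-vector file, and the later trailing-garbage check also writes `out[ciphertext_len]`, so the combined length has to stay strictly below the buffer size. A guard ahead of the copies would do, e.g. `if (lengths[CT] + lengths[TAG] >= sizeof(out)) { fprintf(stderr, "Input too long on line %u\n", line_no); return 0; }`. The declarations of `out` and `bufs` are outside the hunk, so the parser may already cap each field; if it does, a comment stating that invariant next to the memcpy calls is enough.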
@@ -118,56 +127,65 @@ static int run_test_case(const EVP_AEAD *aead,
/* The "stateful" AEADs require |max_out| be |in_len| despite the final
* output always being smaller by at least tag length. */
- if (!EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len,
- bufs[NONCE], lengths[NONCE], out, ciphertext_len,
- bufs[AD], lengths[AD])) {
- fprintf(stderr, "Failed to decrypt on line %u\n", line_no);
- return 0;
- }
-
- if (plaintext_len != lengths[IN]) {
- fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no,
- (unsigned)ciphertext_len);
- return 0;
- }
+ int ret = EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len,
+ bufs[NONCE], lengths[NONCE], out, ciphertext_len,
+ bufs[AD], lengths[AD]);
+ if (lengths[FAILS]) {
+ if (ret) {
+ fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
+ return 0;
+ }
+ ERR_clear_error();
+ } else {
+ if (!ret) {
+ fprintf(stderr, "Failed to decrypt on line %u\n", line_no);
+ return 0;
+ }
- /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
- * reset after each operation. */
- EVP_AEAD_CTX_cleanup(&ctx);
- if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
- NULL)) {
- fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
- return 0;
- }
+ if (plaintext_len != lengths[IN]) {
+ fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no,
+ (unsigned)ciphertext_len);
+ return 0;
+ }
- /* Garbage at the end isn't ignored. */
- out[ciphertext_len] = 0;
- if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len + 1, bufs[NONCE],
- lengths[NONCE], out, ciphertext_len + 1, bufs[AD],
- lengths[AD])) {
- fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
- return 0;
- }
- ERR_clear_error();
+ /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+ * reset after each operation. */
+ EVP_AEAD_CTX_cleanup(&ctx);
+ if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
+ NULL)) {
+ fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
+ return 0;
+ }
- /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
- * reset after each operation. */
- EVP_AEAD_CTX_cleanup(&ctx);
- if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
- NULL)) {
- fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
- return 0;
- }
+ /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+ * reset after each operation. */
+ EVP_AEAD_CTX_cleanup(&ctx);
+ if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
+ NULL)) {
+ fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
+ return 0;
+ }
- /* Verify integrity is checked. */
- out[0] ^= 0x80;
- if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len, bufs[NONCE],
- lengths[NONCE], out, ciphertext_len, bufs[AD],
- lengths[AD])) {
- fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
- return 0;
+ /* Garbage at the end isn't ignored. */
+ out[ciphertext_len] = 0;
+ if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len + 1,
+ bufs[NONCE], lengths[NONCE], out, ciphertext_len + 1,
+ bufs[AD], lengths[AD])) {
+ fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
+ return 0;
+ }
+ ERR_clear_error();
+
+ /* Verify integrity is checked. */
+ out[0] ^= 0x80;
+ if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, ciphertext_len, bufs[NONCE],
+ lengths[NONCE], out, ciphertext_len, bufs[AD],
+ lengths[AD])) {
+ fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
+ return 0;
+ }
+ ERR_clear_error();
}
- ERR_clear_error();
EVP_AEAD_CTX_cleanup(&ctx);
return 1;
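Review bot: As the new side of this hunk reads, the two cleanup/init resets now sit back to back after the plaintext-length check, and nothing resets the context between the "Garbage at the end" open and the "Verify integrity" open. The comment in the same block says the stateful AEADs need a reset after each operation, so the integrity check may be failing because of stale state rather than because of the flipped bit; the second reset belongs directly before `out[0] ^= 0x80;`. Separately, a successful open is checked only by length, which matters more now that NO_SEAL vectors never pass through seal: adding `if (memcmp(out2, bufs[IN], lengths[IN]) != 0) return 0;` (with a message) would confirm the recovered plaintext. The "Bad decrypt" message also prints `ciphertext_len` where `plaintext_len` looks intended. run_test_case starts above this hunk.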
diff --git a/crypto/cipher/test/aes_128_cbc_sha1_ssl3_tests.txt b/crypto/cipher/test/aes_128_cbc_sha1_ssl3_tests.txt
index 48b04e7f..5bc08f07 100644
--- a/crypto/cipher/test/aes_128_cbc_sha1_ssl3_tests.txt
+++ b/crypto/cipher/test/aes_128_cbc_sha1_ssl3_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a
+KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c6
+CT: b7b9920735d05707f3640947f30968fd28b859368f54f0640312ac25
+TAG: 0fd5c300f0bc1e4c696b6b18c7049fba428940f5
+NO_SEAL: 01
+FAILS: 01
+
+# Test with bad padding values.
+# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a
+KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c6
+CT: b7b9920735d05707f3640947
+TAG: f30968fda5d36eed80b2be5e31b53279d1ffabe8
+NO_SEAL: 01
+
+# Test with no padding.
+# DIGEST: eef6209c94b929218349114d6ef8d5c1fb3f7107
+KEY: efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99
+NONCE:
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
+AD: 1df3f4183aa23fd8d7
+CT: cd8df431309589084bfa5bcce99cbe08433cba6fd69fbb3e22a492644f3dfa7697d9bec176735e241721025b
+TAG: 158cf6c3158503d5e540f784482988db925b4405
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f
KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1
NONCE:
diff --git a/crypto/cipher/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt b/crypto/cipher/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt
index a712a909..477f1eb1 100644
--- a/crypto/cipher/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt
+++ b/crypto/cipher/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: c6281c1cd562c1935946013b946a2342f00e08a2a3e0f0bf6c98426d
+TAG: ce5d0ff98773f9560831e8ef348f50b35a2fbbf2
+NO_SEAL: 01
+
+# Test with bad padding values.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: c6281c1cd562c1935946013b
+TAG: 946a234257dce6ada126887baada8ee4e2b9f5ee
+NO_SEAL: 01
+FAILS: 01
+
+# Test with no padding.
+# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137
+KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+NONCE:
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
+AD: 1df3f4183aa23fd8d7efd8
+CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f2710974350a2a38a13b0434d312
+TAG: ead153f0c9488b88357e81187178465d2416ca97
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9
NONCE:
diff --git a/crypto/cipher/test/aes_128_cbc_sha1_tls_tests.txt b/crypto/cipher/test/aes_128_cbc_sha1_tls_tests.txt
index f89df29f..2b34b7bf 100644
--- a/crypto/cipher/test/aes_128_cbc_sha1_tls_tests.txt
+++ b/crypto/cipher/test/aes_128_cbc_sha1_tls_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8
+NONCE: d7efd88503f78b8ed1c8e9ba2fd6773e
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: c6281c1cd562c1935946013b946a2342f00e08a2a3e0f0bf6c98426d
+TAG: ce5d0ff98773f9560831e8ef348f50b35a2fbbf2
+NO_SEAL: 01
+
+# Test with bad padding values.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8
+NONCE: d7efd88503f78b8ed1c8e9ba2fd6773e
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: c6281c1cd562c1935946013b
+TAG: 946a234257dce6ada126887baada8ee4e2b9f5ee
+NO_SEAL: 01
+FAILS: 01
+
+# Test with no padding.
+# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137
+KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d
+NONCE: c55b436965aabe477e0cdd46be99371e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
+AD: 1df3f4183aa23fd8d7efd8
+CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f2710974350a2a38a13b0434d312
+TAG: ead153f0c9488b88357e81187178465d2416ca97
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4
NONCE: 183aa23fd8d7efd88503f78b8ed1c8e9
diff --git a/crypto/cipher/test/aes_128_cbc_sha256_tls_tests.txt b/crypto/cipher/test/aes_128_cbc_sha256_tls_tests.txt
index 25b8b3e5..c6419fa6 100644
--- a/crypto/cipher/test/aes_128_cbc_sha256_tls_tests.txt
+++ b/crypto/cipher/test/aes_128_cbc_sha256_tls_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba
+NONCE: 2fd6773e0d0c302a5f47e037446f5891
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: d25f286de17a05e3727d1399c895b02464357998b11b7f98525ac704f9cd130a
+TAG: ced325c6691591a3f137a8cf4d6332b007edc59c516e3641b9c0e02fe218521e
+NO_SEAL: 01
+
+# Test with bad padding values.
+# DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba
+NONCE: 2fd6773e0d0c302a5f47e037446f5891
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: d25f286de17a05e3727d1399c895b024
+TAG: 64357998b11b7f98525ac704f9cd130a810efebe69fd479ccc46f0cd15a2ba47
+NO_SEAL: 01
+FAILS: 01
+
+# Test with no padding.
+# DIGEST: 3519ab2b2943d2a50996628f6c26bea29f84c95af4c128cc3af012bb358ee9f7
+KEY: 481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d
+NONCE: c55b436965aabe477e0cdd46be99371e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8
+AD: afa22993a340b9b3c589c7
+CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f271
+TAG: 713c1f8817ca022f454f0c6c7d6efea46b86d79baaa4341843404a416f301640
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: f1402641d69b3d67d63e5bd137ba006c70582fc0ac760c7cc005f22b69aead4b
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b
NONCE: 8ed1c8e9ba2fd6773e0d0c302a5f47e0
diff --git a/crypto/cipher/test/aes_256_cbc_sha1_ssl3_tests.txt b/crypto/cipher/test/aes_256_cbc_sha1_ssl3_tests.txt
index 96163034..a6441689 100644
--- a/crypto/cipher/test/aes_256_cbc_sha1_ssl3_tests.txt
+++ b/crypto/cipher/test/aes_256_cbc_sha1_ssl3_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a
+KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c6
+CT: c38859c09150f4c2dcbd409a6ff0d4d748ec14027a3a88c8117b119c
+TAG: 2fbbebe4693c8fa8e966cac88a81834c0d8ff6ff
+NO_SEAL: 01
+FAILS: 01
+
+# Test with bad padding values.
+# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a
+KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c6
+CT: c38859c09150f4c2dcbd409a
+TAG: 6ff0d4d77699ab8772483a69168bd80c869b5f30
+NO_SEAL: 01
+
+# Test with no padding.
+# DIGEST: eef6209c94b929218349114d6ef8d5c1fb3f7107
+KEY: efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39
+NONCE:
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
+AD: 1df3f4183aa23fd8d7
+CT: c24738f07b81998c80b1c66a0d4e9c4c2f6c80c13eb9e557e70768f86382a300724998cfc1b0850270e9b4c4
+TAG: 25ab146e770a444418e57b6ab4bbcb78b2f1140c
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f
KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e03744
NONCE:
diff --git a/crypto/cipher/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt b/crypto/cipher/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt
index 13610005..06ce309b 100644
--- a/crypto/cipher/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt
+++ b/crypto/cipher/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: d88861dcbb181ebd603365ed262b8f2faf5b86ab90a8930bfc0c55cb
+TAG: 9f1c88defe20893b2d5eb8ee6809c2452f302315
+NO_SEAL: 01
+
+# Test with bad padding values.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: d88861dcbb181ebd603365ed
+TAG: 262b8f2f50b02faefb172ea4c7478e6f7477abf5
+NO_SEAL: 01
+FAILS: 01
+
+# Test with no padding.
+# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137
+KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0
+NONCE:
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
+AD: 1df3f4183aa23fd8d7efd8
+CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae14b500b94927f24ff6a4f7b07
+TAG: ec90d128ef465f4a3645fd0b2601fbe2b0bceae2
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f58
NONCE:
diff --git a/crypto/cipher/test/aes_256_cbc_sha1_tls_tests.txt b/crypto/cipher/test/aes_256_cbc_sha1_tls_tests.txt
index 9cd8ec86..9cbeb39e 100644
--- a/crypto/cipher/test/aes_256_cbc_sha1_tls_tests.txt
+++ b/crypto/cipher/test/aes_256_cbc_sha1_tls_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+NONCE: 0d0c302a5f47e037446f5891d77df660
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: d88861dcbb181ebd603365ed262b8f2faf5b86ab90a8930bfc0c55cb
+TAG: 9f1c88defe20893b2d5eb8ee6809c2452f302315
+NO_SEAL: 01
+
+# Test with bad padding values.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+NONCE: 0d0c302a5f47e037446f5891d77df660
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: d88861dcbb181ebd603365ed
+TAG: 262b8f2f50b02faefb172ea4c7478e6f7477abf5
+NO_SEAL: 01
+FAILS: 01
+
+# Test with no padding.
+# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137
+KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+NONCE: b8da7dac997deafd64b1fc65de39f4f0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
+AD: 1df3f4183aa23fd8d7efd8
+CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae14b500b94927f24ff6a4f7b07
+TAG: ec90d128ef465f4a3645fd0b2601fbe2b0bceae2
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9
NONCE: ba2fd6773e0d0c302a5f47e037446f58
diff --git a/crypto/cipher/test/aes_256_cbc_sha256_tls_tests.txt b/crypto/cipher/test/aes_256_cbc_sha256_tls_tests.txt
index 632df039..c6142766 100644
--- a/crypto/cipher/test/aes_256_cbc_sha256_tls_tests.txt
+++ b/crypto/cipher/test/aes_256_cbc_sha256_tls_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891
+NONCE: d77df660ed82933f62be8dc55b436965
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: 5485a389637bd49a1ea251ed03f3478129a62964bc26d5d16c69be13c2e657f1
+TAG: 0e971352bae57fd40d369aa902d9e8d365c498a4f4829af1a7e0da1bbd913e36
+NO_SEAL: 01
+
+# Test with bad padding values.
+# DIGEST: 9c95dd31953799bae5073105f0694f1a0e48afce9277fe009ff26b28ca9ce072
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891
+NONCE: d77df660ed82933f62be8dc55b436965
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: 5485a389637bd49a1ea251ed03f34781
+TAG: 29a62964bc26d5d16c69be13c2e657f1b36726df0f322286f368847fecaa5977
+NO_SEAL: 01
+FAILS: 01
+
+# Test with no padding.
+# DIGEST: 3519ab2b2943d2a50996628f6c26bea29f84c95af4c128cc3af012bb358ee9f7
+KEY: 481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+NONCE: b8da7dac997deafd64b1fc65de39f4f0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8
+AD: afa22993a340b9b3c589c7
+CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae1
+TAG: bc33ca235ae35aad13e540cc9f0714dab00678652cc476d57c543967c39dddc9
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: f1402641d69b3d67d63e5bd137ba006c70582fc0ac760c7cc005f22b69aead4b
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e0
NONCE: 37446f5891d77df660ed82933f62be8d
diff --git a/crypto/cipher/test/aes_256_cbc_sha384_tls_tests.txt b/crypto/cipher/test/aes_256_cbc_sha384_tls_tests.txt
index d08ac5af..9f38bb01 100644
--- a/crypto/cipher/test/aes_256_cbc_sha384_tls_tests.txt
+++ b/crypto/cipher/test/aes_256_cbc_sha384_tls_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 2e661c639db0b3d4e89d27c55e03361e12fab46ed2e8c795f131ead30d185257790e87bcaf3af7fa0399583386f12648
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965
+NONCE: aabe477e0cdd46be99371eb8da7dac99
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: f6f8de8547cadb667c8c823a2ff44444bdc80dc7de80e5faffb40880dcf4d20f
+TAG: 706109ef1d8fb6bed697545eeb0060e7f680d30dd70e8ecd3135b7e01e895983de56fb0889a4ab0856040dba57e94dcb
+NO_SEAL: 01
+
+# Test with bad padding values.
+# DIGEST: 2e661c639db0b3d4e89d27c55e03361e12fab46ed2e8c795f131ead30d185257790e87bcaf3af7fa0399583386f12648
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965
+NONCE: aabe477e0cdd46be99371eb8da7dac99
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: f6f8de8547cadb667c8c823a2ff44444
+TAG: bdc80dc7de80e5faffb40880dcf4d20f706109ef1d8fb6bed697545eeb0060e77a4c251b2e25daddee81248b6d121fa2
+NO_SEAL: 01
+FAILS: 01
+
+# Test with no padding.
+# DIGEST: 43a413967bf0fc76201e7b4427191338c74b86300fbb5a193e01a1a4c743a36168ec2f52433b8ad4075186e5c7fed1c0
+KEY: f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+NONCE: b8da7dac997deafd64b1fc65de39f4f0
+IN: 936a91d0b5d2c0267218cb7090c61713
+AD: 86d641b87797b684e0fb56
+CT: c90e0c2567341ea7e9d968dbde46ecb4
+TAG: 8b4323f68c2cb1882cff4dd9ed10f49aa406481275509633d33028a0b510a77e780d4297ab8ad09b60445146ce85b21e
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: 2e6894abd3cfac4d4020094d02c6db6450cb7367b405443de9b5f2ab444b281848ef5da3aed9ebfc054ae89af094ddd6
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d
NONCE: c55b436965aabe477e0cdd46be99371e
diff --git a/crypto/cipher/test/des_ede3_cbc_sha1_ssl3_tests.txt b/crypto/cipher/test/des_ede3_cbc_sha1_ssl3_tests.txt
index d098a16f..2b57c8d8 100644
--- a/crypto/cipher/test/des_ede3_cbc_sha1_ssl3_tests.txt
+++ b/crypto/cipher/test/des_ede3_cbc_sha1_ssl3_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a
+KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c6
+CT: 267abdc1b983e49bc0b906878f32d6a4c8181e7d
+TAG: 5acf3fc5024062031c33e0801c44319a66c01882
+NO_SEAL: 01
+FAILS: 01
+
+# Test with bad padding values.
+# DIGEST: 4a7464217ea94d95668d31736693ae851eb0e39a
+KEY: 171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c6
+CT: 267abdc1b983e49bc0b90687
+TAG: 8f32d6a4c8181e7d5acf3fc5a3bf9078433cc5a8
+NO_SEAL: 01
+
+# Test with no padding.
+# DIGEST: eef6209c94b929218349114d6ef8d5c1fb3f7107
+KEY: efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99
+NONCE:
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
+AD: 1df3f4183aa23fd8d7
+CT: 66bbceb66b6010154b427f3a425cb4002071d7237093a9f29612e09cf241bcf9dbba5b5ef26c5f468763ee11
+TAG: 997c66a777945bb051934aa50dc6b8e3e58cd0b6
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: 095a8f557f75cba8e2452ddf97c053904b48827f
KEY: 18cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1
NONCE:
diff --git a/crypto/cipher/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt b/crypto/cipher/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt
index 0e2211ea..ef97ddf0 100644
--- a/crypto/cipher/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt
+++ b/crypto/cipher/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: 144c98ca1f4a40ffe530b338e5173a8e62c8530b
+TAG: 0c14b15046d12f2ca3158ad71effd0f46b29b3ae
+NO_SEAL: 01
+
+# Test with bad padding values.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+NONCE:
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: 144c98ca1f4a40ffe530b338
+TAG: e5173a8e62c8530b0c14b15088f70f550ab57e02
+NO_SEAL: 01
+FAILS: 01
+
+# Test with no padding.
+# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137
+KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+NONCE:
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
+AD: 1df3f4183aa23fd8d7efd8
+CT: 17944422f667bf1356c234189f9c6cf7af52b2832b2fbaa990ccef4e7f9bc3841e59e25c00e3686d5bd5c29f
+TAG: 3ebd1b0bee840e8a6e992421c62de5a8fda3a82f
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9
NONCE:
diff --git a/crypto/cipher/test/des_ede3_cbc_sha1_tls_tests.txt b/crypto/cipher/test/des_ede3_cbc_sha1_tls_tests.txt
index a6c749dc..19fd026f 100644
--- a/crypto/cipher/test/des_ede3_cbc_sha1_tls_tests.txt
+++ b/crypto/cipher/test/des_ede3_cbc_sha1_tls_tests.txt
@@ -6,6 +6,38 @@
# split isn't meaningful. The unencrypted MAC is included in the 'DIGEST' tag above
# each test case.
+# Test with non-minimal padding.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8e
+NONCE: d1c8e9ba2fd6773e
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: 144c98ca1f4a40ffe530b338e5173a8e62c8530b
+TAG: 0c14b15046d12f2ca3158ad71effd0f46b29b3ae
+NO_SEAL: 01
+
+# Test with bad padding values.
+# DIGEST: 7f3a0e20bde700d3c5596909282e5c3e764c99e7
+KEY: 86d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8e
+NONCE: d1c8e9ba2fd6773e
+IN: 936a91d0b5
+AD: d2c0267218cb7090c61713
+CT: 144c98ca1f4a40ffe530b338
+TAG: e5173a8e62c8530b0c14b15088f70f550ab57e02
+NO_SEAL: 01
+FAILS: 01
+
+# Test with no padding.
+# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137
+KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe47
+NONCE: 7e0cdd46be99371e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
+AD: 1df3f4183aa23fd8d7efd8
+CT: 17944422f667bf1356c234189f9c6cf7af52b2832b2fbaa990ccef4e7f9bc3841e59e25c00e3686d5bd5c29f
+TAG: 3ebd1b0bee840e8a6e992421c62de5a8fda3a82f
+NO_SEAL: 01
+FAILS: 01
+
# DIGEST: f0f82752a691ef5866413f2b2e5c1d0ebb41ccc8
KEY: 7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd8
NONCE: 8503f78b8ed1c8e9
diff --git a/crypto/cipher/test/make_legacy_aead_tests.go b/crypto/cipher/test/make_legacy_aead_tests.go
index cebed81e..40b8a015 100644
--- a/crypto/cipher/test/make_legacy_aead_tests.go
+++ b/crypto/cipher/test/make_legacy_aead_tests.go
@@ -118,9 +118,22 @@ type testCase struct {
ad []byte
ciphertext []byte
tag []byte
+ noSeal bool
+ fails bool
}
-func makeTestCase(length int) (*testCase, error) {
+// options adds additional options for a test.
+type options struct {
+ // extraPadding causes an extra block of padding to be added.
+ extraPadding bool
+ // wrongPadding causes one of the padding bytes to be wrong.
+ wrongPadding bool
+ // noPadding causes padding is to be omitted. The plaintext + MAC must
+ // be a multiple of the block size.
+ noPadding bool
+}
+
+func makeTestCase(length int, options options) (*testCase, error) {
rand, err := newRc4Stream("input stream")
if err != nil {
return nil, err
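Review bot: The parameter in `func makeTestCase(length int, options options)` shadows the `options` type for the whole function body, so the type can no longer be named inside it; `opts options` avoids that. The field comment for noPadding has a slip and would read better as `// noPadding causes padding to be omitted. The plaintext + MAC must be a multiple of the block size.` The body of makeTestCase continues outside this hunk.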
@@ -171,6 +184,7 @@ func makeTestCase(length int) (*testCase, error) {
var fixedIV []byte
var nonce []byte
var sealed []byte
+ var noSeal, fails bool
if *bulkCipher == "rc4" {
if *implicitIV {
return nil, fmt.Errorf("implicit IV enabled on a stream cipher")
@@ -205,18 +219,39 @@ func makeTestCase(length int) (*testCase, error) {
sealed = append(sealed, input...)
sealed = append(sealed, digest...)
paddingLen := cbc.BlockSize() - (len(sealed) % cbc.BlockSize())
- // TODO(davidben): Add tests for non-minimal padding (SSL3
- // forbids, TLS allows) and arbitrary padding bytes (SSL3
- // allows, TLS forbids).
- if *ssl3 {
- sealed = append(sealed, make([]byte, paddingLen-1)...)
- sealed = append(sealed, byte(paddingLen-1))
+ if options.noPadding {
+ if paddingLen != cbc.BlockSize() {
+ return nil, fmt.Errorf("invalid length for noPadding")
+ }
+ noSeal = true
+ fails = true
} else {
- pad := make([]byte, paddingLen)
- for i := range pad {
- pad[i] = byte(paddingLen - 1)
+ if options.extraPadding {
+ paddingLen += cbc.BlockSize()
+ noSeal = true
+ if *ssl3 {
+ // SSLv3 padding must be minimal.
+ fails = true
+ }
+ }
+ if *ssl3 {
+ sealed = append(sealed, make([]byte, paddingLen-1)...)
+ sealed = append(sealed, byte(paddingLen-1))
+ } else {
+ pad := make([]byte, paddingLen)
+ for i := range pad {
+ pad[i] = byte(paddingLen - 1)
+ }
+ sealed = append(sealed, pad...)
+ }
+ if options.wrongPadding && paddingLen > 1 {
+ sealed[len(sealed)-2]++
+ noSeal = true
+ if !*ssl3 {
+ // TLS specifies the all the padding bytes.
+ fails = true
+ }
}
- sealed = append(sealed, pad...)
}
cbc.CryptBlocks(sealed, sealed)
}
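Review bot: `if options.wrongPadding && paddingLen > 1` silently does nothing when the padding is a single byte, so the generator would print a vector under the "bad padding values" heading that is in fact well formed and carries neither NO_SEAL nor FAILS. The noPadding branch already returns an error for an unsuitable length, and the same treatment fits here, e.g. `if options.wrongPadding && paddingLen <= 1 { return nil, fmt.Errorf("invalid length for wrongPadding") }` ahead of the existing block. The comment `// TLS specifies the all the padding bytes.` has a stray "the". The enclosing function starts and ends outside the hunk.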
@@ -233,10 +268,28 @@ func makeTestCase(length int) (*testCase, error) {
ad: ad,
ciphertext: sealed[:len(sealed)-hash.Size()],
tag: sealed[len(sealed)-hash.Size():],
+ noSeal: noSeal,
+ fails: fails,
}
return t, nil
}
+func printTestCase(t *testCase) {
+ fmt.Printf("# DIGEST: %s\n", hex.EncodeToString(t.digest))
+ fmt.Printf("KEY: %s\n", hex.EncodeToString(t.key))
+ fmt.Printf("NONCE: %s\n", hex.EncodeToString(t.nonce))
+ fmt.Printf("IN: %s\n", hex.EncodeToString(t.input))
+ fmt.Printf("AD: %s\n", hex.EncodeToString(t.ad))
+ fmt.Printf("CT: %s\n", hex.EncodeToString(t.ciphertext))
+ fmt.Printf("TAG: %s\n", hex.EncodeToString(t.tag))
+ if t.noSeal {
+ fmt.Printf("NO_SEAL: 01\n")
+ }
+ if t.fails {
+ fmt.Printf("FAILS: 01\n")
+ }
+}
+
func main() {
flag.Parse()
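Review bot: printTestCase has no doc comment, and the NO_SEAL/FAILS convention it emits is only explained in the enum comments of aead_test.c. A line such as `// printTestCase writes t to stdout in the test-vector format; NO_SEAL and FAILS are emitted only when set, since the reader treats any non-empty value as true.` would keep the generator and the reader in step. The two flag lines have no format arguments, so `fmt.Println("NO_SEAL: 01")` would be the plainer call.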
@@ -256,21 +309,49 @@ func main() {
fmt.Printf("# each test case.\n")
fmt.Printf("\n")
+ // For CBC-mode ciphers, emit tests for padding flexibility.
+ if *bulkCipher != "rc4" {
+ fmt.Printf("# Test with non-minimal padding.\n")
+ t, err := makeTestCase(5, options{extraPadding: true})
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "%s\n", err)
+ os.Exit(1)
+ }
+ printTestCase(t)
+ fmt.Printf("\n")
+
+ fmt.Printf("# Test with bad padding values.\n")
+ t, err = makeTestCase(5, options{wrongPadding: true})
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "%s\n", err)
+ os.Exit(1)
+ }
+ printTestCase(t)
+ fmt.Printf("\n")
+
+ fmt.Printf("# Test with no padding.\n")
+ hash, ok := getHash(*mac)
+ if !ok {
+ panic("unknown hash")
+ }
+ t, err = makeTestCase(64-hash.Size(), options{noPadding: true})
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "%s\n", err)
+ os.Exit(1)
+ }
+ printTestCase(t)
+ fmt.Printf("\n")
+ }
+
// Generate long enough of input to cover a non-zero num_starting_blocks
// value in the constant-time CBC logic.
for l := 0; l < 500; l += 5 {
- t, err := makeTestCase(l)
+ t, err := makeTestCase(l, options{})
if err != nil {
fmt.Fprintf(os.Stderr, "%s\n", err)
os.Exit(1)
}
- fmt.Printf("# DIGEST: %s\n", hex.EncodeToString(t.digest))
- fmt.Printf("KEY: %s\n", hex.EncodeToString(t.key))
- fmt.Printf("NONCE: %s\n", hex.EncodeToString(t.nonce))
- fmt.Printf("IN: %s\n", hex.EncodeToString(t.input))
- fmt.Printf("AD: %s\n", hex.EncodeToString(t.ad))
- fmt.Printf("CT: %s\n", hex.EncodeToString(t.ciphertext))
- fmt.Printf("TAG: %s\n", hex.EncodeToString(t.tag))
+ printTestCase(t)
fmt.Printf("\n")
}
}
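Review bot: The no-padding case relies on the literal in `makeTestCase(64-hash.Size(), options{noPadding: true})` being a multiple of the cipher block size and at least as large as the MAC, which is not stated anywhere. A comment such as `// 64 is a multiple of every CBC block size used here, so input+MAC ends on a block boundary.` would make that explicit; makeTestCase does return an error if the multiple-of-block assumption is broken. The unknown-hash path uses `panic` while every other failure in main prints to stderr and calls `os.Exit(1)`, so using one style throughout would be tidier.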