diff --git a/tst/Bootstrap.php b/tst/Bootstrap.php index 1b423b29..4adfba35 100644 --- a/tst/Bootstrap.php +++ b/tst/Bootstrap.php @@ -1,6 +1,7 @@ ServerSalt::generate(), + 'formatter' => Generator\elements('plaintext', 'syntaxhighlighting', 'markdown'), + 'postdate' => Generator\int(), + 'opendiscussion' => Generator\elements(true, false), + ); + $generatedMeta = array_merge($generatedMeta, $meta); + $example = array( + 'data' => Generator\associative(array( + 'iv' => Generator\vector(16, Generator\byte()), + 'v' => 1, + 'iter' => Generator\choose(100, 100000), + 'ks' => Generator\elements(128, 192, 256), + 'ts' => Generator\elements(64, 96, 128), + 'mode' => Generator\elements('ccm', 'ocb2', 'gcm'), + 'adata' => Generator\string(), + 'cipher'=> 'aes', + 'salt' => Generator\vector(8, Generator\byte()), + 'ct' => Generator\seq(Generator\byte()), + )), + 'meta' => Generator\associative($generatedMeta), + ); + if ($withAttachment) { + $example['attachment'] = $example['attachmentname'] = $example['data']; + } + return Generator\associative($example); + } + + /** + * get paste from generated random array + * + * @return array + */ + public static function getPasteFromGeneratedArray($paste) + { + $paste['data']['iv'] = self::byteArray2Base64($paste['data']['iv']); + $paste['data']['salt'] = self::byteArray2Base64($paste['data']['salt']); + // deflate cipher text to maximize entropy + $paste['data']['ct'] = self::byteArray2Base64($paste['data']['ct'], true); + $paste['data'] = json_encode($paste['data']); + if (array_key_exists('attachment', $paste)) { + $paste['attachment']['iv'] = self::byteArray2Base64($paste['attachment']['iv']); + $paste['attachment']['salt'] = self::byteArray2Base64($paste['attachment']['salt']); + $paste['attachment']['ct'] = self::byteArray2Base64($paste['attachment']['ct'], true); + $paste['attachment'] = json_encode($paste['attachment']); + } + if (array_key_exists('attachmentname', $paste)) { + $paste['attachmentname']['iv'] = self::byteArray2Base64($paste['attachmentname']['iv']); + $paste['attachmentname']['salt'] = self::byteArray2Base64($paste['attachmentname']['salt']); + $paste['attachmentname']['ct'] = self::byteArray2Base64($paste['attachmentname']['ct'], true); + $paste['attachmentname'] = json_encode($paste['attachmentname']); + } + return $paste; + } + /** * get example paste ID * @@ -282,6 +345,24 @@ class Helper } } + /** + * get example paste ID + * + * @param array $bytes + * @return string + */ + public static function byteArray2Base64($bytes, $deflate = false) + { + $string = implode( + array_map('chr', $bytes) + ); + // optional deflate to maximize entropy + if ($deflate) { + $string = gzdeflate($string); + } + return base64_encode($string); + } + /** * update all templates with the latest SRI hashes for all JS files * diff --git a/tst/SjclTest.php b/tst/SjclTest.php index 54cc30fc..37051d92 100644 --- a/tst/SjclTest.php +++ b/tst/SjclTest.php @@ -1,31 +1,89 @@ assertTrue(Sjcl::isValid($paste['data']), 'valid sjcl'); - $this->assertTrue(Sjcl::isValid($paste['attachment']), 'valid sjcl'); - $this->assertTrue(Sjcl::isValid($paste['attachmentname']), 'valid sjcl'); - $this->assertTrue(Sjcl::isValid(Helper::getComment()['data']), 'valid sjcl'); + $this->minimumEvaluationRatio(0.01)->forAll( + Helper::getPasteGenerator(array(), true), + Generator\string(), + Generator\string(), + Generator\choose(0,100) + )->then( + function ($pasteArray, $key, $value, $lowInt) + { + $paste = Helper::getPasteFromGeneratedArray($pasteArray); + $this->assertTrue(Sjcl::isValid($paste['data']), 'valid sjcl'); + $this->assertTrue(Sjcl::isValid($paste['attachment']), 'valid sjcl'); + $this->assertTrue(Sjcl::isValid($paste['attachmentname']), 'valid sjcl'); - $this->assertTrue(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"Gx1vA2/gQ3U","ct":"j7ImByuE5xCqD2YXm6aSyA"}'), 'valid sjcl'); - $this->assertFalse(Sjcl::isValid('{"iv":"$","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"Gx1vA2/gQ3U","ct":"j7ImByuE5xCqD2YXm6aSyA"}'), 'invalid base64 encoding of iv'); - $this->assertFalse(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"$","ct":"j7ImByuE5xCqD2YXm6aSyA"}'), 'invalid base64 encoding of salt'); - $this->assertFalse(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"Gx1vA2/gQ3U","ct":"$"}'), 'invalid base64 encoding of ct'); - $this->assertFalse(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"Gx1vA2/gQ3U","ct":"bm9kYXRhbm9kYXRhbm9kYXRhbm9kYXRhbm9kYXRhCg=="}'), 'low ct entropy'); - $this->assertFalse(Sjcl::isValid('{"iv":"MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"Gx1vA2/gQ3U","ct":"j7ImByuE5xCqD2YXm6aSyA"}'), 'iv to long'); - $this->assertFalse(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=","ct":"j7ImByuE5xCqD2YXm6aSyA"}'), 'salt to long'); - $this->assertFalse(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"Gx1vA2/gQ3U","ct":"j7ImByuE5xCqD2YXm6aSyA","foo":"MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="}'), 'invalid additional key'); - $this->assertFalse(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":0.9,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"Gx1vA2/gQ3U","ct":"j7ImByuE5xCqD2YXm6aSyA"}'), 'unsupported version'); - $this->assertFalse(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":1,"iter":100,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"Gx1vA2/gQ3U","ct":"j7ImByuE5xCqD2YXm6aSyA"}'), 'not enough iterations'); - $this->assertFalse(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":1,"iter":1000,"ks":127,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"Gx1vA2/gQ3U","ct":"j7ImByuE5xCqD2YXm6aSyA"}'), 'invalid key size'); - $this->assertFalse(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":1,"iter":1000,"ks":128,"ts":63,"mode":"ccm","adata":"","cipher":"aes","salt":"Gx1vA2/gQ3U","ct":"j7ImByuE5xCqD2YXm6aSyA"}'), 'invalid tag length'); - $this->assertFalse(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":1,"iter":1000,"ks":128,"ts":64,"mode":"!#@","adata":"","cipher":"aes","salt":"Gx1vA2/gQ3U","ct":"j7ImByuE5xCqD2YXm6aSyA"}'), 'invalid mode'); - $this->assertFalse(Sjcl::isValid('{"iv":"83Ax/OdUav3SanDW9dcQPg","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"!#@","salt":"Gx1vA2/gQ3U","ct":"j7ImByuE5xCqD2YXm6aSyA"}'), 'invalid cipher'); - // @note adata is not validated, except as part of the total message length + // common error cases + $this->assertFalse(Sjcl::isValid($value), 'non-json data'); + + $sjclArray = json_decode($paste['data'], true); + $sjclError = $sjclArray; + $sjclError['iv'] = '$' . $value; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'invalid base64 encoding of iv'); + + $sjclError = $sjclArray; + $sjclError['salt'] = '$' . $value; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'invalid base64 encoding of salt'); + + $sjclError = $sjclArray; + $sjclError['ct'] = '$' . $value; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'invalid base64 encoding of ct'); + + $sjclError = $sjclArray; + $sjclError['ct'] = 'bm9kYXRhbm9kYXRhbm9kYXRhbm9kYXRhbm9kYXRhCg=='; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'low ct entropy'); + + $sjclError = $sjclArray; + $sjclError['iv'] = 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTA='; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'iv to long'); + + $sjclError = $sjclArray; + $sjclError['salt'] = 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTA='; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'salt to long'); + + $sjclError = $sjclArray; + $sjclError[$key] = $value; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'invalid additional key'); + + if (!in_array($key, array('1', 'ccm', 'ocb2', 'gcm', 'aes'))) { + $sjclError = $sjclArray; + $sjclError['v'] = $key; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'unsupported version'); + + $sjclError = $sjclArray; + $sjclError['mode'] = $key; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'invalid mode'); + + $sjclError = $sjclArray; + $sjclError['cipher'] = $key; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'invalid cipher'); + } + + $sjclError = $sjclArray; + $sjclError['iter'] = $lowInt; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'not enough iterations'); + + if (!in_array($lowInt, array(64, 96))) { + $sjclError = $sjclArray; + $sjclError['ks'] = $lowInt; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'invalid key size'); + + $sjclError = $sjclArray; + $sjclError['ts'] = $lowInt; + $this->assertFalse(Sjcl::isValid(json_encode($sjclError)), 'invalid authentication strength'); + } + // @note adata is not validated, except as part of the total message length + } + ); + $this->assertTrue(Sjcl::isValid(Helper::getComment()['data']), 'valid sjcl'); } }