diff --git a/include/crypto_error.h b/include/crypto_error.h index 42094721..76a46e20 100644 --- a/include/crypto_error.h +++ b/include/crypto_error.h @@ -82,7 +82,7 @@ #define CRYPTO_LIB_ERR_TC_FRAME_SIZE_EXCEEDS_MANAGED_PARAM_MAX_LIMIT (-29) #define CRYPTO_LIB_ERR_TC_FRAME_SIZE_EXCEEDS_SPEC_LIMIT (-30) #define CRYPTO_LIB_ERR_UNSUPPORTED_ECS (-31) -#define CRYPTO_LIB_KEY_LENGTH_ERROR (-32) +#define CRYPTO_LIB_ERR_KEY_LENGTH_ERROR (-32) #define CRYPTO_LIB_ERR_NULL_ECS_PTR (-33) #define CRYPTO_LIB_ERR_IV_NOT_SUPPORTED_FOR_ACS_ALGO (-34) #define CRYPTO_LIB_ERR_NULL_CIPHERS (-35) diff --git a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c index aefa14ee..3f8908a1 100644 --- a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c +++ b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c @@ -568,7 +568,6 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, { key_ptr = &(ek_ring[sa_ptr->akid].value[0]); } - // Need to copy the data over, since authentication won't change/move the data directly if(data_out != NULL) { @@ -578,11 +577,10 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, { return CRYPTO_LIB_ERR_NULL_BUFFER; } - // Using to fix warning len_data_out = len_data_out; ecs = ecs; - + // Select correct libgcrypt acs enum int32_t algo = cryptography_get_acs_algo(acs); if (algo == CRYPTO_LIB_ERR_UNSUPPORTED_ACS) @@ -591,13 +589,12 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, } // Check that key length to be used is atleast as long as the algo requirement - if (sa_ptr != NULL && len_key < ek_ring[sa_ptr->ekid].key_len) + if (sa_ptr != NULL && len_key > ek_ring[sa_ptr->akid].key_len) { - return CRYPTO_LIB_KEY_LENGTH_ERROR; + return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; } gcry_error = gcry_mac_open(&(tmp_mac_hd), algo, GCRY_MAC_FLAG_SECURE, NULL); - if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { printf(KRED "ERROR: gcry_mac_open error code %d\n" RESET, gcry_error & GPG_ERR_CODE_MASK); @@ -606,6 +603,7 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, return status; } gcry_error = gcry_mac_setkey(tmp_mac_hd, key_ptr, len_key); + #ifdef SA_DEBUG uint32_t i; printf(KYEL "Auth MAC Printing Key:\n\t"); @@ -652,9 +650,10 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, return status; } + uint32_t* tmac_size = &mac_size; gcry_error = gcry_mac_read(tmp_mac_hd, mac, // tag output - (size_t* )&mac_size // tag size // TODO - use sa_ptr->abm_len instead of hardcoded mac size? + (size_t* )tmac_size // tag size ); if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { @@ -708,10 +707,11 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le } // Check that key length to be used is atleast as long as the algo requirement - if (sa_ptr != NULL && len_key < ek_ring[sa_ptr->ekid].key_len) + if (sa_ptr != NULL && len_key > ek_ring[sa_ptr->akid].key_len) { - return CRYPTO_LIB_KEY_LENGTH_ERROR; + return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; } + gcry_error = gcry_mac_open(&(tmp_mac_hd), algo, GCRY_MAC_FLAG_SECURE, NULL); if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { @@ -768,7 +768,7 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le #ifdef MAC_DEBUG uint32_t* tmac_size = &mac_size; - uint8_t* tmac = malloc(*tmac_size); + uint8_t* tmac = calloc(1,*tmac_size); gcry_error = gcry_mac_read(tmp_mac_hd, tmac, // tag output (size_t *)tmac_size // tag size @@ -781,7 +781,11 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le } printf("Calculated Mac Size: %d\n", *tmac_size); - printf("Calculated MAC (truncated to sa_ptr->stmacf_len):\n\t"); + printf("Calculated MAC (full length):\n\t"); + for (uint32_t i = 0; i < *tmac_size; i ++){ + printf("%02X", tmac[i]); + } + printf("\nCalculated MAC (truncated to sa_ptr->stmacf_len):\n\t"); for (uint32_t i = 0; i < mac_size; i ++){ printf("%02X", tmac[i]); } @@ -858,9 +862,9 @@ static int32_t cryptography_aead_encrypt(uint8_t* data_out, size_t len_data_out, } // Check that key length to be used is atleast as long as the algo requirement - if (sa_ptr != NULL && len_key < ek_ring[sa_ptr->ekid].key_len) + if (sa_ptr != NULL && len_key > ek_ring[sa_ptr->ekid].key_len) { - return CRYPTO_LIB_KEY_LENGTH_ERROR; + return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; } gcry_error = gcry_cipher_open(&(tmp_hd), GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_GCM, GCRY_CIPHER_NONE); @@ -1034,9 +1038,9 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out, } // Check that key length to be used is atleast as long as the algo requirement - if (sa_ptr != NULL && len_key < ek_ring[sa_ptr->ekid].key_len) + if (sa_ptr != NULL && len_key > ek_ring[sa_ptr->ekid].key_len) { - return CRYPTO_LIB_KEY_LENGTH_ERROR; + return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; } gcry_error = gcry_cipher_open(&(tmp_hd), GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_GCM, GCRY_CIPHER_NONE); diff --git a/util/src_util/et_dt_validation.c b/util/src_util/et_dt_validation.c index cc96a59b..b3cff678 100644 --- a/util/src_util/et_dt_validation.c +++ b/util/src_util/et_dt_validation.c @@ -2102,193 +2102,14 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_256_PT_128_TEST_1) free(buffer_python_mac_b); } -/** - * @brief Unit Test: Test HMAC SHA-512, bitmask of 0s - **/ -UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) -{ - uint8_t *ptr_enc_frame = NULL; - uint16_t enc_frame_len = 0; - // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, - TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, - TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Init(); - SadbRoutine sadb_routine = get_sadb_routine_inmemory(); - crypto_key_t* ek_ring = cryptography_if->get_ek_ring(); - - // NIST supplied vectors - // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header | NIST CMAC Test Vector |FECF| - char *buffer_frame_pt_h = "2003004600C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258C925"; - // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header - // Length is dependent on whatever the variable mac length to be updated in the header - // | Header |SPI| ARSN | NIST CMAC Frame Data | - // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" - // Python output MAC - // 64b8f7ccdbc86109a981c9f29243e36548716e94f5ef30ade090c41ecd6fa2a226909d706bdebcf3baeb24c4ed8373ae1bcd9a32a5596136e24e0f1ae68a8ac0 - // Trunc to first 16 bytes - // 64b8f7ccdbc86109a981c9f29243e365 - char* buffer_python_mac_h = "64b8f7ccdbc86109a981c9f29243e365"; - uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; - int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; - - // Expose/setup SAs for testing - SecurityAssociation_t *test_association = NULL; - test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(uint8_t)); - // Deactivate SA 1 - sadb_routine->sadb_get_sa_from_spi(1, &test_association); - test_association->sa_state = SA_NONE; - // Activate SA 9 - sadb_routine->sadb_get_sa_from_spi(9, &test_association); - test_association->ast = 1; - test_association->est = 0; - test_association->shivf_len = 0; - test_association->iv_len = 0; - test_association->shsnf_len = 4; - test_association->arsn_len = 4; - test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); - test_association->abm_len = 1024; - memset(test_association->abm, 0x00, (test_association->abm_len * sizeof(uint8_t))); // Bitmask - test_association->stmacf_len = 16; - test_association->sa_state = SA_OPERATIONAL; - test_association->ecs = calloc(1, test_association->ecs_len * sizeof(uint8_t)); - *test_association->ecs = CRYPTO_CIPHER_NONE; - test_association->acs = calloc(1, test_association->acs_len * sizeof(uint8_t)); - *test_association->acs = CRYPTO_MAC_HMAC_SHA512; - test_association->ekid = 0; - test_association->akid = 136; - - // Insert key into keyring of SA 9 - hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); - memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); - - // Convert input plaintext - hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); - // Convert input mac - hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - - Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); - - // Note: For comparison, primarily interested in the MAC - // Calc payload index: total length - pt length - uint16_t enc_data_idx = enc_frame_len - buffer_python_mac_len - 2; - Crypto_Shutdown(); - - for (int i = 0; i < buffer_python_mac_len; i++) - { - printf("[%d] Truth: %02x, Actual: %02x\n", enc_data_idx, buffer_python_mac_b[i], *(ptr_enc_frame + enc_data_idx)); - ASSERT_EQ(*(ptr_enc_frame + enc_data_idx), buffer_python_mac_b[i]); - enc_data_idx++; - } - - free(ptr_enc_frame); - free(buffer_frame_pt_b); - free(buffer_nist_key_b); - free(buffer_python_mac_b); -} - -/** - * @brief Unit Test: Test HMAC SHA-512, bitmask of 1s - **/ -UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) -{ - uint8_t *ptr_enc_frame = NULL; - uint16_t enc_frame_len = 0; - // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, - TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, - TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Init(); - SadbRoutine sadb_routine = get_sadb_routine_inmemory(); - crypto_key_t* ek_ring = cryptography_if->get_ek_ring(); - - // NIST supplied vectors - // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header | NIST CMAC Test Vector |FECF| - char *buffer_frame_pt_h = "2003004600C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258C925"; - // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header - // Length is dependent on whatever the variable mac length to be updated in the header - // | Header |SPI| ARSN | NIST CMAC Frame Data | - // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // Python output MAC - // 75c570016a9458a71cea6aaca6ff46971ea007ed0a84e97fd2df79f6634c3efbb62edef3d1fb6549d0c9319e2d1dea866f634f67a2006c435b5bd2a3dd314fef - // Trunc to first 16 bytes - // 75c570016a9458a71cea6aaca6ff4697 - char* buffer_python_mac_h = "75c570016a9458a71cea6aaca6ff4697"; - uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; - int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; - - // Expose/setup SAs for testing - SecurityAssociation_t *test_association = NULL; - test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(uint8_t)); - // Deactivate SA 1 - sadb_routine->sadb_get_sa_from_spi(1, &test_association); - test_association->sa_state = SA_NONE; - // Activate SA 9 - sadb_routine->sadb_get_sa_from_spi(9, &test_association); - test_association->ast = 1; - test_association->est = 0; - test_association->shivf_len = 0; - test_association->iv_len = 0; - test_association->shsnf_len = 4; - test_association->arsn_len = 4; - test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); - test_association->abm_len = 1024; - memset(test_association->abm, 0xFF, (test_association->abm_len * sizeof(uint8_t))); // Bitmask - test_association->stmacf_len = 16; - test_association->sa_state = SA_OPERATIONAL; - test_association->ecs = calloc(1, test_association->ecs_len * sizeof(uint8_t)); - *test_association->ecs = CRYPTO_CIPHER_NONE; - test_association->acs = calloc(1, test_association->acs_len * sizeof(uint8_t)); - *test_association->acs = CRYPTO_MAC_HMAC_SHA512; - test_association->ekid = 0; - test_association->akid = 136; - - // Insert key into keyring of SA 9 - hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); - memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); - - // Convert input plaintext - hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); - // Convert input mac - hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - - Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); - - // Note: For comparison, primarily interested in the MAC - // Calc payload index: total length - pt length - uint16_t enc_data_idx = enc_frame_len - buffer_python_mac_len - 2; - Crypto_Shutdown(); - - for (int i = 0; i < buffer_python_mac_len; i++) - { - printf("[%d] Truth: %02x, Actual: %02x\n", enc_data_idx, buffer_python_mac_b[i], *(ptr_enc_frame + enc_data_idx)); - ASSERT_EQ(*(ptr_enc_frame + enc_data_idx), buffer_python_mac_b[i]); - enc_data_idx++; - } - - free(ptr_enc_frame); - free(buffer_frame_pt_b); - free(buffer_nist_key_b); - free(buffer_python_mac_b); -} - /** * @brief Unit Test: Test HMAC SHA-512, key length 64 bytes, bitmask of 0s **/ -/* This test and next test cause some sort of issue -UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) +UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) { uint8_t *ptr_enc_frame = NULL; uint16_t enc_frame_len = 0; + int32_t status; // Setup & Initialize CryptoLib Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, @@ -2353,7 +2174,8 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) // Convert input mac hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); + status = Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); + ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); // Note: For comparison, primarily interested in the MAC // Calc payload index: total length - pt length @@ -2371,16 +2193,16 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); -}*/ +} /** * @brief Unit Test: Test HMAC SHA-512, key length 64 bytes, bitmask of 1s **/ -/* -UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) +UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) { uint8_t *ptr_enc_frame = NULL; uint16_t enc_frame_len = 0; + int32_t status; // Setup & Initialize CryptoLib Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, @@ -2410,7 +2232,7 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) // Expose/setup SAs for testing SecurityAssociation_t *test_association = NULL; - test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(uint8_t)); + test_association = calloc(1, sizeof(SecurityAssociation_t) * sizeof(uint8_t)); // Deactivate SA 1 sadb_routine->sadb_get_sa_from_spi(1, &test_association); test_association->sa_state = SA_NONE; @@ -2424,6 +2246,7 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) test_association->arsn_len = 4; test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); test_association->abm_len = 1024; + test_association->abm = calloc(1, test_association->abm_len * sizeof(uint8_t)); memset(test_association->abm, 0xFF, (test_association->abm_len * sizeof(uint8_t))); // Bitmask test_association->stmacf_len = 16; test_association->sa_state = SA_OPERATIONAL; @@ -2444,8 +2267,8 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) // Convert input mac hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - int32_t status = Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); - ASSERT_EQ(status,CRYPTO_LIB_SUCCESS); + status = Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); + ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); // Note: For comparison, primarily interested in the MAC // Calc payload index: total length - pt length @@ -2454,16 +2277,16 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) for (int i = 0; i < buffer_python_mac_len; i++) { - printf("[%d] Truth: %02x, Actual: %02x\n", enc_data_idx, buffer_python_mac_b[i], *(ptr_enc_frame + enc_data_idx)); - ASSERT_EQ(*(ptr_enc_frame + enc_data_idx), buffer_python_mac_b[i]); - enc_data_idx++; + printf("[%d] Truth: %02x, Actual: %02x\n", enc_data_idx, buffer_python_mac_b[i], *(ptr_enc_frame + enc_data_idx + i)); + ASSERT_EQ(*(ptr_enc_frame + enc_data_idx + i), buffer_python_mac_b[i]); + // enc_data_idx++; } free(ptr_enc_frame); free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); -}*/ +} /** * @brief Unit Test: Test HMAC SHA-256, bitmask of 0s @@ -2527,8 +2350,7 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_256_PT_128_TEST_0) test_association->akid = 136; TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); @@ -2556,6 +2378,7 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_256_PT_128_TEST_0) free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); + free(tc_sdls_processed_frame); } /** @@ -2619,8 +2442,7 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_256_PT_128_TEST_1) test_association->akid = 136; TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); @@ -2647,10 +2469,11 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_256_PT_128_TEST_1) free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); + free(tc_sdls_processed_frame); } /** - * @brief Unit Test: Test HMAC SHA-512, bitmask of 0s + * @brief Unit Test: Test HMAC SHA-512, keylength of 64 bytes, bitmask of 0s **/ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) { @@ -2667,19 +2490,19 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header |SPI | arsn | Payload | SHA 512 HMAC |FECF| - char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F1939425864b8f7ccdbc86109a981c9f29243e365a334"; + char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; + // | Header |SPI | ARSN | Payload | SHA 512 HMAC |FECF| + char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258676e9ebdf306b7db7ad41892887342e80DC5"; // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header // Length is dependent on whatever the variable mac length to be updated in the header // | Header |SPI| ARSN | NIST CMAC Frame Data | // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" - // Python output MAC - // 64b8f7ccdbc86109a981c9f29243e36548716e94f5ef30ade090c41ecd6fa2a226909d706bdebcf3baeb24c4ed8373ae1bcd9a32a5596136e24e0f1ae68a8ac0 + // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + // Python output MAC + // 676e9ebdf306b7db7ad41892887342e892bcc59688caef44693c1659b6a683e844d584030b7c532105b8c2539e0aed51af6df77e87f1834e92c2085889d1c44b // Trunc to first 16 bytes - // 64b8f7ccdbc86109a981c9f29243e365 - char* buffer_python_mac_h = "64b8f7ccdbc86109a981c9f29243e365"; + // 676e9ebdf306b7db7ad41892887342e8 + char* buffer_python_mac_h = "676e9ebdf306b7db7ad41892887342e8"; uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; @@ -2710,12 +2533,12 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) test_association->akid = 136; TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); + ek_ring[test_association->akid].key_len = 64; // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); @@ -2734,13 +2557,13 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) ASSERT_EQ(*(tc_sdls_processed_frame->tc_sec_trailer.mac + i), buffer_python_mac_b[i]); } - // free(buffer_frame_pt_b); - // free(buffer_nist_key_b); - // free(buffer_python_mac_b); + free(buffer_frame_pt_b); + free(buffer_nist_key_b); + free(buffer_python_mac_b); } /** - * @brief Unit Test: Test HMAC SHA-512, bitmask of 1s + * @brief Unit Test: Test HMAC SHA-512, keylength of 64 bytes, bitmask of 1s **/ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) { @@ -2757,18 +2580,19 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header |SPI | arsn | Payload | SHA 512 HMAC |FECF| - char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F1939425875c570016a9458a71cea6aaca6ff46970f67"; - // Python truth string passed below, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header + char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; + // | Header |SPI | ARSN | Payload | SHA 512 HMAC |FECF| + char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258907bbd1d9f2fd37e541f0b1ee12f5db0679a"; + // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header // Length is dependent on whatever the variable mac length to be updated in the header // | Header |SPI| ARSN | NIST CMAC Frame Data | // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // Python output MAC - // 75c570016a9458a71cea6aaca6ff46971ea007ed0a84e97fd2df79f6634c3efbb62edef3d1fb6549d0c9319e2d1dea866f634f67a2006c435b5bd2a3dd314fef + // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + // Python output MAC + // 907bbd1d9f2fd37e541f0b1ee12f5db0b1e0cbc57cfe08aecfc74b001371db711abb39caf658ee692d418725dc92cabd8d0a93ce423ff7594adf3fd91e7a6435 // Trunc to first 16 bytes - // 75c570016a9458a71cea6aaca6ff4697 - char* buffer_python_mac_h = "75c570016a9458a71cea6aaca6ff4697"; + // 907bbd1d9f2fd37e541f0b1ee12f5db0b1e0cbc57cfe08aecfc74b001371db711abb39caf658ee692d418725dc92cabd8d0a93ce423ff7594adf3fd91e7a6435 + char* buffer_python_mac_h = "907bbd1d9f2fd37e541f0b1ee12f5db0"; uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; @@ -2799,12 +2623,12 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) test_association->akid = 136; TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); + ek_ring[test_association->akid].key_len = 64; // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); @@ -2812,7 +2636,7 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); status = Crypto_TC_ProcessSecurity(buffer_frame_pt_b, &buffer_frame_pt_len, tc_sdls_processed_frame); - ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); + ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); // Note: For comparison, primarily interested in the MAC Crypto_Shutdown(); @@ -2829,14 +2653,53 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) } /** - * @brief Unit Test: Test HMAC SHA-512, keylength of 64 bytes, bitmask of 0s + * @brief Unit Test: Encrypts a frame, then decrypts the output to ensure the reverse doesn't error **/ -UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) +UTEST(PLAINTEXT, ENCRYPT_DECRYPT) +{ + int32_t status = CRYPTO_LIB_ERROR; + uint8_t* ptr_enc_frame = NULL; + uint16_t enc_frame_len = 0; + // Setup & Initialize CryptoLib + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, + TC_IGNORE_SA_STATE_TRUE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, + TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); + Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); + Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); + Crypto_Init(); + + char* jpl_frame_pt_h = "2003001c00ff000100001880d03e000a197f0b000300020093d4ba21c4555555555555"; + uint8_t* jpl_frame_pt_b = NULL; + int jpl_frame_pt_len = 0; + TC_t* tc_sdls_processed_frame; + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); + + // Convert input jpl frame + hex_conversion(jpl_frame_pt_h, (char**) &jpl_frame_pt_b, &jpl_frame_pt_len); + + // Apply, save the generated frame + status = Crypto_TC_ApplySecurity(jpl_frame_pt_b, jpl_frame_pt_len, &ptr_enc_frame, &enc_frame_len); + ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); + + // Process the generated frame + int len = (int)enc_frame_len; + status = Crypto_TC_ProcessSecurity(ptr_enc_frame, &len, tc_sdls_processed_frame); + Crypto_Shutdown(); + ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); +} + +/** + * @brief Unit Test: Test HMAC SHA-512, encryption key length too short + * Supply a 32-byte key when SHA512 requires a 64-byte key + **/ +UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_SHORT_KEY) { int32_t status = 0; + uint8_t *ptr_enc_frame = NULL; + uint16_t enc_frame_len = 0; // Setup & Initialize CryptoLib Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, - TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, + TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); @@ -2846,19 +2709,18 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header |SPI | ARSN | Payload | SHA 512 HMAC |FECF| - char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258676e9ebdf306b7db7ad41892887342e80DC5"; + char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; + // | Header | NIST CMAC Test Vector |FECF| + char *buffer_frame_pt_h = "2003004600C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258C925"; // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header // Length is dependent on whatever the variable mac length to be updated in the header // | Header |SPI| ARSN | NIST CMAC Frame Data | // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" - // Python output MAC - // 676e9ebdf306b7db7ad41892887342e892bcc59688caef44693c1659b6a683e844d584030b7c532105b8c2539e0aed51af6df77e87f1834e92c2085889d1c44b + // Python output MAC + // 75c570016a9458a71cea6aaca6ff46971ea007ed0a84e97fd2df79f6634c3efbb62edef3d1fb6549d0c9319e2d1dea866f634f67a2006c435b5bd2a3dd314fef // Trunc to first 16 bytes - // 676e9ebdf306b7db7ad41892887342e8 - char* buffer_python_mac_h = "676e9ebdf306b7db7ad41892887342e8"; + // 75c570016a9458a71cea6aaca6ff4697 + char* buffer_python_mac_h = "75c570016a9458a71cea6aaca6ff4697"; uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; @@ -2878,7 +2740,7 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) test_association->arsn_len = 4; test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); test_association->abm_len = 1024; - memset(test_association->abm, 0x00, (test_association->abm_len * sizeof(uint8_t))); // Bitmask + memset(test_association->abm, 0xFF, (test_association->abm_len * sizeof(uint8_t))); // Bitmask test_association->stmacf_len = 16; test_association->sa_state = SA_OPERATIONAL; test_association->ecs = calloc(1, test_association->ecs_len * sizeof(uint8_t)); @@ -2888,43 +2750,34 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) test_association->ekid = 0; test_association->akid = 136; - TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); - // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); - ek_ring[test_association->akid].key_len = 64; + ek_ring[test_association->akid].key_len = 32; // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); // Convert input mac hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - status = Crypto_TC_ProcessSecurity(buffer_frame_pt_b, &buffer_frame_pt_len, tc_sdls_processed_frame); - ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); + status = Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); + ASSERT_EQ(status, CRYPTO_LIB_ERR_KEY_LENGTH_ERROR); - // Note: For comparison, primarily interested in the MAC Crypto_Shutdown(); - for (int i = 0; i < buffer_python_mac_len; i++) - { - printf("[%d] Truth: %02x, Actual: %02x\n", i, buffer_python_mac_b[i], *(tc_sdls_processed_frame->tc_sec_trailer.mac + i)); - ASSERT_EQ(*(tc_sdls_processed_frame->tc_sec_trailer.mac + i), buffer_python_mac_b[i]); - } - + free(ptr_enc_frame); free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); } /** - * @brief Unit Test: Test HMAC SHA-512, keylength of 64 bytes, bitmask of 1s + * @brief Unit Test: Test HMAC SHA-512, decryption key too short for algorithm **/ -UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) +UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_SHORT_KEY) { int32_t status = 0; + uint8_t *ptr_enc_frame = NULL; // Setup & Initialize CryptoLib Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, @@ -2937,19 +2790,18 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header |SPI | ARSN | Payload | SHA 512 HMAC |FECF| - char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258907bbd1d9f2fd37e541f0b1ee12f5db0679a"; - // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header + char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; + // | Header |SPI | arsn | Payload | SHA 512 HMAC |FECF| + char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F1939425875c570016a9458a71cea6aaca6ff46970f67"; + // Python truth string passed below, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header // Length is dependent on whatever the variable mac length to be updated in the header // | Header |SPI| ARSN | NIST CMAC Frame Data | // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" - // Python output MAC - // 907bbd1d9f2fd37e541f0b1ee12f5db0b1e0cbc57cfe08aecfc74b001371db711abb39caf658ee692d418725dc92cabd8d0a93ce423ff7594adf3fd91e7a6435 + // Python output MAC + // 75c570016a9458a71cea6aaca6ff46971ea007ed0a84e97fd2df79f6634c3efbb62edef3d1fb6549d0c9319e2d1dea866f634f67a2006c435b5bd2a3dd314fef // Trunc to first 16 bytes - // 907bbd1d9f2fd37e541f0b1ee12f5db0b1e0cbc57cfe08aecfc74b001371db711abb39caf658ee692d418725dc92cabd8d0a93ce423ff7594adf3fd91e7a6435 - char* buffer_python_mac_h = "907bbd1d9f2fd37e541f0b1ee12f5db0"; + // 75c570016a9458a71cea6aaca6ff4697 + char* buffer_python_mac_h = "75c570016a9458a71cea6aaca6ff4697"; uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; @@ -2980,13 +2832,12 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) test_association->akid = 136; TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); - ek_ring[test_association->akid].key_len = 64; + ek_ring[test_association->akid].key_len = 32; // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); @@ -2994,56 +2845,13 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); status = Crypto_TC_ProcessSecurity(buffer_frame_pt_b, &buffer_frame_pt_len, tc_sdls_processed_frame); - ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); - - // Note: For comparison, primarily interested in the MAC - Crypto_Shutdown(); - - for (int i = 0; i < buffer_python_mac_len; i++) - { - printf("[%d] Truth: %02x, Actual: %02x\n", i, buffer_python_mac_b[i], *(tc_sdls_processed_frame->tc_sec_trailer.mac + i)); - ASSERT_EQ(*(tc_sdls_processed_frame->tc_sec_trailer.mac + i), buffer_python_mac_b[i]); - } + ASSERT_EQ(CRYPTO_LIB_ERR_KEY_LENGTH_ERROR, status); + free(ptr_enc_frame); free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); -} - -/** - * @brief Unit Test: Encrypts a frame, then decrypts the output to ensure the reverse doesn't error - **/ -UTEST(PLAINTEXT, ENCRYPT_DECRYPT) -{ - int32_t status = CRYPTO_LIB_ERROR; - uint8_t* ptr_enc_frame = NULL; - uint16_t enc_frame_len = 0; - // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, - TC_IGNORE_SA_STATE_TRUE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, - TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Init(); - - char* jpl_frame_pt_h = "2003001c00ff000100001880d03e000a197f0b000300020093d4ba21c4555555555555"; - uint8_t* jpl_frame_pt_b = NULL; - int jpl_frame_pt_len = 0; - TC_t* tc_sdls_processed_frame; - tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); - - // Convert input jpl frame - hex_conversion(jpl_frame_pt_h, (char**) &jpl_frame_pt_b, &jpl_frame_pt_len); - - // Apply, save the generated frame - status = Crypto_TC_ApplySecurity(jpl_frame_pt_b, jpl_frame_pt_len, &ptr_enc_frame, &enc_frame_len); - ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); - - // Process the generated frame - int len = (int)enc_frame_len; - status = Crypto_TC_ProcessSecurity(ptr_enc_frame, &len, tc_sdls_processed_frame); - Crypto_Shutdown(); - ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); + free(tc_sdls_processed_frame); } UTEST_MAIN(); \ No newline at end of file diff --git a/util/src_util/ut_tc_apply.c b/util/src_util/ut_tc_apply.c index db88f215..62363ad8 100644 --- a/util/src_util/ut_tc_apply.c +++ b/util/src_util/ut_tc_apply.c @@ -353,6 +353,8 @@ UTEST(TC_APPLY_SECURITY, HAPPY_PATH_APPLY_NONTRANSMITTED_INCREMENTING_ARSN_ROLLO test_association->shsnf_len = 2; test_association->arsn = calloc(1,test_association->arsn_len); memcpy(test_association->arsn, (uint8_t *)new_arsn_b, new_arsn_len); + // This TA was originally setup for AESGCM, need to specify an akid so we can use it for a MAC + test_association->akid = 130; return_val = Crypto_TC_ApplySecurity((uint8_t* )raw_tc_sdls_ping_b, raw_tc_sdls_ping_len, &ptr_enc_frame, &enc_frame_len); diff --git a/util/src_util/ut_tc_process.c b/util/src_util/ut_tc_process.c index 81d10ee2..d2f92b5b 100644 --- a/util/src_util/ut_tc_process.c +++ b/util/src_util/ut_tc_process.c @@ -431,16 +431,16 @@ UTEST(TC_PROCESS, HAPPY_PATH_PROCESS_NONTRANSMITTED_INCREMENTING_ARSN_ROLLOVER) Crypto_Init_Unit_Test(); Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, - TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); + TC_CHECK_FECF_FALSE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); SadbRoutine sadb_routine = get_sadb_routine_inmemory(); - + char* dec_test_fe_h = - "2003002900000004FFFE80D2C70008197F0B00310000B1FE1C9119D059698FFE5AAE811572FA678D0741"; + "2003002900000004FFFE80D2C70008197F0B00310000B1FE7F97816F523951BAF0445DB078B502760741"; char* dec_test_ff_h = - "2003002900000004FFFF80D2C70008197F0B00310000B1FE1C9119D059698FFE5AAE811572FA678D8968"; + "2003002900000004FFFF80D2C70008197F0B00310000B1FE7F97816F523951BAF0445DB078B502768968"; char* dec_test_00_h = - "2003002900000004000080D2C70008197F0B00310000B1FE1C9119D059698FFE5AAE811572FA678D7824"; + "2003002900000004000080D2C70008197F0B00310000B1FE7F97816F523951BAF0445DB078B50276E797"; uint8_t *dec_test_fe_b, *dec_test_ff_b, *dec_test_00_b = NULL; int dec_test_fe_len, dec_test_ff_len, dec_test_00_len = 0; @@ -488,6 +488,9 @@ UTEST(TC_PROCESS, HAPPY_PATH_PROCESS_NONTRANSMITTED_INCREMENTING_ARSN_ROLLOVER) test_association->arsn[1] = 0xFF; test_association->arsn[2] = 0xFD; + // This TA was originally setup for AESGCM, need to specify an akid so we can use it for a MAC + test_association->akid = 130; + Crypto_saPrint(test_association); return_val = Crypto_TC_ProcessSecurity(dec_test_fe_b, &dec_test_fe_len, tc_sdls_processed_frame); ASSERT_EQ(CRYPTO_LIB_SUCCESS, return_val);