From 506253d8ee3e583ca69164a48e1655ab27a7212c Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Tue, 26 Apr 2022 15:03:11 -0400 Subject: [PATCH 1/4] Fix UTs failing due to incorrect key length, remove UTs that shouldnt work with 32 byte SHA512 key, adding error catching previous issue, commented out two test for future commit to investigate a segfault --- include/crypto_error.h | 2 +- ...ryptography_interface_libgcrypt.template.c | 26 +- util/src_util/et_dt_validation.c | 602 +++++++++--------- 3 files changed, 316 insertions(+), 314 deletions(-) diff --git a/include/crypto_error.h b/include/crypto_error.h index 42094721..76a46e20 100644 --- a/include/crypto_error.h +++ b/include/crypto_error.h @@ -82,7 +82,7 @@ #define CRYPTO_LIB_ERR_TC_FRAME_SIZE_EXCEEDS_MANAGED_PARAM_MAX_LIMIT (-29) #define CRYPTO_LIB_ERR_TC_FRAME_SIZE_EXCEEDS_SPEC_LIMIT (-30) #define CRYPTO_LIB_ERR_UNSUPPORTED_ECS (-31) -#define CRYPTO_LIB_KEY_LENGTH_ERROR (-32) +#define CRYPTO_LIB_ERR_KEY_LENGTH_ERROR (-32) #define CRYPTO_LIB_ERR_NULL_ECS_PTR (-33) #define CRYPTO_LIB_ERR_IV_NOT_SUPPORTED_FOR_ACS_ALGO (-34) #define CRYPTO_LIB_ERR_NULL_CIPHERS (-35) diff --git a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c index aefa14ee..1664b64a 100644 --- a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c +++ b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c @@ -591,13 +591,12 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, } // Check that key length to be used is atleast as long as the algo requirement - if (sa_ptr != NULL && len_key < ek_ring[sa_ptr->ekid].key_len) + if (sa_ptr != NULL && len_key > ek_ring[sa_ptr->akid].key_len) { - return CRYPTO_LIB_KEY_LENGTH_ERROR; + return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; } gcry_error = gcry_mac_open(&(tmp_mac_hd), algo, GCRY_MAC_FLAG_SECURE, NULL); - if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { printf(KRED "ERROR: gcry_mac_open error code %d\n" RESET, gcry_error & GPG_ERR_CODE_MASK); @@ -606,6 +605,7 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, return status; } gcry_error = gcry_mac_setkey(tmp_mac_hd, key_ptr, len_key); + #ifdef SA_DEBUG uint32_t i; printf(KYEL "Auth MAC Printing Key:\n\t"); @@ -652,9 +652,10 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, return status; } + uint32_t* tmac_size = &mac_size; gcry_error = gcry_mac_read(tmp_mac_hd, mac, // tag output - (size_t* )&mac_size // tag size // TODO - use sa_ptr->abm_len instead of hardcoded mac size? + (size_t* )tmac_size // tag size ); if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { @@ -708,10 +709,11 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le } // Check that key length to be used is atleast as long as the algo requirement - if (sa_ptr != NULL && len_key < ek_ring[sa_ptr->ekid].key_len) + if (sa_ptr != NULL && len_key > ek_ring[sa_ptr->akid].key_len) { - return CRYPTO_LIB_KEY_LENGTH_ERROR; + return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; } + gcry_error = gcry_mac_open(&(tmp_mac_hd), algo, GCRY_MAC_FLAG_SECURE, NULL); if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { @@ -768,7 +770,7 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le #ifdef MAC_DEBUG uint32_t* tmac_size = &mac_size; - uint8_t* tmac = malloc(*tmac_size); + uint8_t* tmac = calloc(1,*tmac_size); gcry_error = gcry_mac_read(tmp_mac_hd, tmac, // tag output (size_t *)tmac_size // tag size @@ -781,7 +783,11 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le } printf("Calculated Mac Size: %d\n", *tmac_size); - printf("Calculated MAC (truncated to sa_ptr->stmacf_len):\n\t"); + printf("Calculated MAC (full length):\n\t"); + for (uint32_t i = 0; i < *tmac_size; i ++){ + printf("%02X", tmac[i]); + } + printf("\nCalculated MAC (truncated to sa_ptr->stmacf_len):\n\t"); for (uint32_t i = 0; i < mac_size; i ++){ printf("%02X", tmac[i]); } @@ -860,7 +866,7 @@ static int32_t cryptography_aead_encrypt(uint8_t* data_out, size_t len_data_out, // Check that key length to be used is atleast as long as the algo requirement if (sa_ptr != NULL && len_key < ek_ring[sa_ptr->ekid].key_len) { - return CRYPTO_LIB_KEY_LENGTH_ERROR; + return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; } gcry_error = gcry_cipher_open(&(tmp_hd), GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_GCM, GCRY_CIPHER_NONE); @@ -1036,7 +1042,7 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out, // Check that key length to be used is atleast as long as the algo requirement if (sa_ptr != NULL && len_key < ek_ring[sa_ptr->ekid].key_len) { - return CRYPTO_LIB_KEY_LENGTH_ERROR; + return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; } gcry_error = gcry_cipher_open(&(tmp_hd), GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_GCM, GCRY_CIPHER_NONE); diff --git a/util/src_util/et_dt_validation.c b/util/src_util/et_dt_validation.c index cc96a59b..3bbf848d 100644 --- a/util/src_util/et_dt_validation.c +++ b/util/src_util/et_dt_validation.c @@ -2105,190 +2105,104 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_256_PT_128_TEST_1) /** * @brief Unit Test: Test HMAC SHA-512, bitmask of 0s **/ -UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) -{ - uint8_t *ptr_enc_frame = NULL; - uint16_t enc_frame_len = 0; - // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, - TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, - TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Init(); - SadbRoutine sadb_routine = get_sadb_routine_inmemory(); - crypto_key_t* ek_ring = cryptography_if->get_ek_ring(); - - // NIST supplied vectors - // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header | NIST CMAC Test Vector |FECF| - char *buffer_frame_pt_h = "2003004600C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258C925"; - // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header - // Length is dependent on whatever the variable mac length to be updated in the header - // | Header |SPI| ARSN | NIST CMAC Frame Data | - // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" - // Python output MAC - // 64b8f7ccdbc86109a981c9f29243e36548716e94f5ef30ade090c41ecd6fa2a226909d706bdebcf3baeb24c4ed8373ae1bcd9a32a5596136e24e0f1ae68a8ac0 - // Trunc to first 16 bytes - // 64b8f7ccdbc86109a981c9f29243e365 - char* buffer_python_mac_h = "64b8f7ccdbc86109a981c9f29243e365"; - uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; - int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; - - // Expose/setup SAs for testing - SecurityAssociation_t *test_association = NULL; - test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(uint8_t)); - // Deactivate SA 1 - sadb_routine->sadb_get_sa_from_spi(1, &test_association); - test_association->sa_state = SA_NONE; - // Activate SA 9 - sadb_routine->sadb_get_sa_from_spi(9, &test_association); - test_association->ast = 1; - test_association->est = 0; - test_association->shivf_len = 0; - test_association->iv_len = 0; - test_association->shsnf_len = 4; - test_association->arsn_len = 4; - test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); - test_association->abm_len = 1024; - memset(test_association->abm, 0x00, (test_association->abm_len * sizeof(uint8_t))); // Bitmask - test_association->stmacf_len = 16; - test_association->sa_state = SA_OPERATIONAL; - test_association->ecs = calloc(1, test_association->ecs_len * sizeof(uint8_t)); - *test_association->ecs = CRYPTO_CIPHER_NONE; - test_association->acs = calloc(1, test_association->acs_len * sizeof(uint8_t)); - *test_association->acs = CRYPTO_MAC_HMAC_SHA512; - test_association->ekid = 0; - test_association->akid = 136; - - // Insert key into keyring of SA 9 - hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); - memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); - - // Convert input plaintext - hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); - // Convert input mac - hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - - Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); - - // Note: For comparison, primarily interested in the MAC - // Calc payload index: total length - pt length - uint16_t enc_data_idx = enc_frame_len - buffer_python_mac_len - 2; - Crypto_Shutdown(); - - for (int i = 0; i < buffer_python_mac_len; i++) - { - printf("[%d] Truth: %02x, Actual: %02x\n", enc_data_idx, buffer_python_mac_b[i], *(ptr_enc_frame + enc_data_idx)); - ASSERT_EQ(*(ptr_enc_frame + enc_data_idx), buffer_python_mac_b[i]); - enc_data_idx++; - } - - free(ptr_enc_frame); - free(buffer_frame_pt_b); - free(buffer_nist_key_b); - free(buffer_python_mac_b); -} - -/** - * @brief Unit Test: Test HMAC SHA-512, bitmask of 1s - **/ -UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) -{ - uint8_t *ptr_enc_frame = NULL; - uint16_t enc_frame_len = 0; - // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, - TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, - TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Init(); - SadbRoutine sadb_routine = get_sadb_routine_inmemory(); - crypto_key_t* ek_ring = cryptography_if->get_ek_ring(); - - // NIST supplied vectors - // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header | NIST CMAC Test Vector |FECF| - char *buffer_frame_pt_h = "2003004600C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258C925"; - // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header - // Length is dependent on whatever the variable mac length to be updated in the header - // | Header |SPI| ARSN | NIST CMAC Frame Data | - // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // Python output MAC - // 75c570016a9458a71cea6aaca6ff46971ea007ed0a84e97fd2df79f6634c3efbb62edef3d1fb6549d0c9319e2d1dea866f634f67a2006c435b5bd2a3dd314fef - // Trunc to first 16 bytes - // 75c570016a9458a71cea6aaca6ff4697 - char* buffer_python_mac_h = "75c570016a9458a71cea6aaca6ff4697"; - uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; - int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; - - // Expose/setup SAs for testing - SecurityAssociation_t *test_association = NULL; - test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(uint8_t)); - // Deactivate SA 1 - sadb_routine->sadb_get_sa_from_spi(1, &test_association); - test_association->sa_state = SA_NONE; - // Activate SA 9 - sadb_routine->sadb_get_sa_from_spi(9, &test_association); - test_association->ast = 1; - test_association->est = 0; - test_association->shivf_len = 0; - test_association->iv_len = 0; - test_association->shsnf_len = 4; - test_association->arsn_len = 4; - test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); - test_association->abm_len = 1024; - memset(test_association->abm, 0xFF, (test_association->abm_len * sizeof(uint8_t))); // Bitmask - test_association->stmacf_len = 16; - test_association->sa_state = SA_OPERATIONAL; - test_association->ecs = calloc(1, test_association->ecs_len * sizeof(uint8_t)); - *test_association->ecs = CRYPTO_CIPHER_NONE; - test_association->acs = calloc(1, test_association->acs_len * sizeof(uint8_t)); - *test_association->acs = CRYPTO_MAC_HMAC_SHA512; - test_association->ekid = 0; - test_association->akid = 136; - - // Insert key into keyring of SA 9 - hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); - memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); - - // Convert input plaintext - hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); - // Convert input mac - hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - - Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); - - // Note: For comparison, primarily interested in the MAC - // Calc payload index: total length - pt length - uint16_t enc_data_idx = enc_frame_len - buffer_python_mac_len - 2; - Crypto_Shutdown(); - - for (int i = 0; i < buffer_python_mac_len; i++) - { - printf("[%d] Truth: %02x, Actual: %02x\n", enc_data_idx, buffer_python_mac_b[i], *(ptr_enc_frame + enc_data_idx)); - ASSERT_EQ(*(ptr_enc_frame + enc_data_idx), buffer_python_mac_b[i]); - enc_data_idx++; - } - - free(ptr_enc_frame); - free(buffer_frame_pt_b); - free(buffer_nist_key_b); - free(buffer_python_mac_b); -} +/* Causes as segfault, likely because the key length is importerly set (should be set to 32 as in TEST_1) +** Keeping for now so we can hopefully find a way to catch the segfault and exit gracefullyisher +*/ +// UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_SEG) +// { +// uint8_t *ptr_enc_frame = NULL; +// uint16_t enc_frame_len = 0; +// // Setup & Initialize CryptoLib +// Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, +// TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, +// TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); +// Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); +// Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); +// Crypto_Init(); +// SadbRoutine sadb_routine = get_sadb_routine_inmemory(); +// crypto_key_t* ek_ring = cryptography_if->get_ek_ring(); + +// // NIST supplied vectors +// // NOTE: Added Transfer Frame header to the plaintext +// char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; +// // | Header | NIST CMAC Test Vector |FECF| +// char *buffer_frame_pt_h = "2003004600C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258C925"; +// // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header +// // Length is dependent on whatever the variable mac length to be updated in the header +// // | Header |SPI| ARSN | NIST CMAC Frame Data | +// // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; +// // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" +// // Python output MAC +// // 64b8f7ccdbc86109a981c9f29243e36548716e94f5ef30ade090c41ecd6fa2a226909d706bdebcf3baeb24c4ed8373ae1bcd9a32a5596136e24e0f1ae68a8ac0 +// // Trunc to first 16 bytes +// // 64b8f7ccdbc86109a981c9f29243e365 +// char* buffer_python_mac_h = "64b8f7ccdbc86109a981c9f29243e365"; +// uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; +// int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; + +// // Expose/setup SAs for testing +// SecurityAssociation_t *test_association = NULL; +// test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(uint8_t)); +// // Deactivate SA 1 +// sadb_routine->sadb_get_sa_from_spi(1, &test_association); +// test_association->sa_state = SA_NONE; +// // Activate SA 9 +// sadb_routine->sadb_get_sa_from_spi(9, &test_association); +// test_association->ast = 1; +// test_association->est = 0; +// test_association->shivf_len = 0; +// test_association->iv_len = 0; +// test_association->shsnf_len = 4; +// test_association->arsn_len = 4; +// test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); +// test_association->abm_len = 1024; +// memset(test_association->abm, 0x00, (test_association->abm_len * sizeof(uint8_t))); // Bitmask +// test_association->stmacf_len = 16; +// test_association->sa_state = SA_OPERATIONAL; +// test_association->ecs = calloc(1, test_association->ecs_len * sizeof(uint8_t)); +// *test_association->ecs = CRYPTO_CIPHER_NONE; +// test_association->acs = calloc(1, test_association->acs_len * sizeof(uint8_t)); +// *test_association->acs = CRYPTO_MAC_HMAC_SHA512; +// test_association->ekid = 0; +// test_association->akid = 136; + +// // Insert key into keyring of SA 9 +// hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); +// memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); + +// // Convert input plaintext +// hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); +// // Convert input mac +// hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); + +// Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); + +// // Note: For comparison, primarily interested in the MAC +// // Calc payload index: total length - pt length +// uint16_t enc_data_idx = enc_frame_len - buffer_python_mac_len - 2; +// Crypto_Shutdown(); + +// for (int i = 0; i < buffer_python_mac_len; i++) +// { +// printf("[%d] Truth: %02x, Actual: %02x\n", enc_data_idx, buffer_python_mac_b[i], *(ptr_enc_frame + enc_data_idx)); +// ASSERT_EQ(*(ptr_enc_frame + enc_data_idx), buffer_python_mac_b[i]); +// enc_data_idx++; +// } + +// free(ptr_enc_frame); +// free(buffer_frame_pt_b); +// free(buffer_nist_key_b); +// free(buffer_python_mac_b); +// } /** * @brief Unit Test: Test HMAC SHA-512, key length 64 bytes, bitmask of 0s **/ -/* This test and next test cause some sort of issue -UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) +UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) { uint8_t *ptr_enc_frame = NULL; uint16_t enc_frame_len = 0; + int32_t status; // Setup & Initialize CryptoLib Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, @@ -2353,7 +2267,8 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) // Convert input mac hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); + status = Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); + ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); // Note: For comparison, primarily interested in the MAC // Calc payload index: total length - pt length @@ -2371,16 +2286,16 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); -}*/ +} /** * @brief Unit Test: Test HMAC SHA-512, key length 64 bytes, bitmask of 1s **/ -/* -UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) +UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) { uint8_t *ptr_enc_frame = NULL; uint16_t enc_frame_len = 0; + int32_t status; // Setup & Initialize CryptoLib Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, @@ -2410,7 +2325,7 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) // Expose/setup SAs for testing SecurityAssociation_t *test_association = NULL; - test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(uint8_t)); + test_association = calloc(1, sizeof(SecurityAssociation_t) * sizeof(uint8_t)); // Deactivate SA 1 sadb_routine->sadb_get_sa_from_spi(1, &test_association); test_association->sa_state = SA_NONE; @@ -2424,6 +2339,7 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) test_association->arsn_len = 4; test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); test_association->abm_len = 1024; + test_association->abm = calloc(1, test_association->abm_len * sizeof(uint8_t)); memset(test_association->abm, 0xFF, (test_association->abm_len * sizeof(uint8_t))); // Bitmask test_association->stmacf_len = 16; test_association->sa_state = SA_OPERATIONAL; @@ -2444,8 +2360,8 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) // Convert input mac hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - int32_t status = Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); - ASSERT_EQ(status,CRYPTO_LIB_SUCCESS); + status = Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); + ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); // Note: For comparison, primarily interested in the MAC // Calc payload index: total length - pt length @@ -2454,16 +2370,16 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) for (int i = 0; i < buffer_python_mac_len; i++) { - printf("[%d] Truth: %02x, Actual: %02x\n", enc_data_idx, buffer_python_mac_b[i], *(ptr_enc_frame + enc_data_idx)); - ASSERT_EQ(*(ptr_enc_frame + enc_data_idx), buffer_python_mac_b[i]); - enc_data_idx++; + printf("[%d] Truth: %02x, Actual: %02x\n", enc_data_idx, buffer_python_mac_b[i], *(ptr_enc_frame + enc_data_idx + i)); + ASSERT_EQ(*(ptr_enc_frame + enc_data_idx + i), buffer_python_mac_b[i]); + // enc_data_idx++; } free(ptr_enc_frame); free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); -}*/ +} /** * @brief Unit Test: Test HMAC SHA-256, bitmask of 0s @@ -2527,8 +2443,7 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_256_PT_128_TEST_0) test_association->akid = 136; TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); @@ -2556,6 +2471,7 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_256_PT_128_TEST_0) free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); + free(tc_sdls_processed_frame); } /** @@ -2619,8 +2535,7 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_256_PT_128_TEST_1) test_association->akid = 136; TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); @@ -2647,11 +2562,107 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_256_PT_128_TEST_1) free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); + free(tc_sdls_processed_frame); } /** * @brief Unit Test: Test HMAC SHA-512, bitmask of 0s **/ +// UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) +// { +// int32_t status = 0; +// uint8_t *ptr_enc_frame = NULL; +// // Setup & Initialize CryptoLib +// Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, +// TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, +// TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); +// Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); +// Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); +// Crypto_Init(); +// SadbRoutine sadb_routine = get_sadb_routine_inmemory(); +// crypto_key_t* ek_ring = cryptography_if->get_ek_ring(); + +// // NIST supplied vectors +// // NOTE: Added Transfer Frame header to the plaintext +// char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; +// // | Header |SPI | arsn | Payload | SHA 512 HMAC |FECF| +// char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F1939425864b8f7ccdbc86109a981c9f29243e365a334"; +// // 2003005c00000900000000c66d322247ebf272e6a353f9940b00847cf78e27f2bc0c81a696db411e47c0e9630137d3fa860a71158e23d80b699e8006e52345fb7273b2e084407f19394258 +// // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header +// // Length is dependent on whatever the variable mac length to be updated in the header +// // | Header |SPI| ARSN | NIST CMAC Frame Data | +// // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; +// // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" +// // Python output MAC +// // 64b8f7ccdbc86109a981c9f29243e36548716e94f5ef30ade090c41ecd6fa2a226909d706bdebcf3baeb24c4ed8373ae1bcd9a32a5596136e24e0f1ae68a8ac0 +// // Trunc to first 16 bytes +// // 64b8f7ccdbc86109a981c9f29243e365 +// char* buffer_python_mac_h = "64b8f7ccdbc86109a981c9f29243e365"; +// uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; +// int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; + +// // Expose/setup SAs for testing +// SecurityAssociation_t *test_association = NULL; +// test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(uint8_t)); +// // Deactivate SA 1 +// sadb_routine->sadb_get_sa_from_spi(1, &test_association); +// test_association->sa_state = SA_NONE; +// // Activate SA 9 +// sadb_routine->sadb_get_sa_from_spi(9, &test_association); +// test_association->ast = 1; +// test_association->est = 0; +// test_association->shivf_len = 0; +// test_association->iv_len = 0; +// test_association->shsnf_len = 4; +// test_association->arsn_len = 4; +// test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); +// test_association->abm_len = 1024; +// test_association->abm = calloc(1, test_association->abm_len * sizeof(uint8_t)); +// memset(test_association->abm, 0x00, (test_association->abm_len * sizeof(uint8_t))); // Bitmask +// test_association->stmacf_len = 16; +// test_association->sa_state = SA_OPERATIONAL; +// test_association->ecs = calloc(1, test_association->ecs_len * sizeof(uint8_t)); +// *test_association->ecs = CRYPTO_CIPHER_NONE; +// test_association->acs = calloc(1, test_association->acs_len * sizeof(uint8_t)); +// *test_association->acs = CRYPTO_MAC_HMAC_SHA512; +// test_association->ekid = 0; +// test_association->akid = 136; + +// TC_t *tc_sdls_processed_frame; +// tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); + +// // Insert key into keyring of SA 9 +// hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); +// memset(ek_ring[test_association->akid].value, 0x00, Crypto_Get_ACS_Algo_Keylen(*test_association->acs)); +// memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); + +// // Convert input plaintext +// hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); +// // Convert input mac +// hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); + +// status = Crypto_TC_ProcessSecurity(buffer_frame_pt_b, &buffer_frame_pt_len, tc_sdls_processed_frame); +// ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); + +// // Note: For comparison, primarily interested in the MAC +// Crypto_Shutdown(); + +// for (int i = 0; i < buffer_python_mac_len; i++) +// { +// printf("[%d] Truth: %02x, Actual: %02x\n", i, buffer_python_mac_b[i], *(tc_sdls_processed_frame->tc_sec_trailer.mac + i)); +// ASSERT_EQ(*(tc_sdls_processed_frame->tc_sec_trailer.mac + i), buffer_python_mac_b[i]); +// } + +// free(ptr_enc_frame); +// free(buffer_frame_pt_b); +// free(buffer_nist_key_b); +// free(buffer_python_mac_b); +// free(tc_sdls_processed_frame); +// } + +/** + * @brief Unit Test: Test HMAC SHA-512, keylength of 64 bytes, bitmask of 0s + **/ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) { int32_t status = 0; @@ -2667,19 +2678,19 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header |SPI | arsn | Payload | SHA 512 HMAC |FECF| - char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F1939425864b8f7ccdbc86109a981c9f29243e365a334"; + char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; + // | Header |SPI | ARSN | Payload | SHA 512 HMAC |FECF| + char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258676e9ebdf306b7db7ad41892887342e80DC5"; // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header // Length is dependent on whatever the variable mac length to be updated in the header // | Header |SPI| ARSN | NIST CMAC Frame Data | // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" - // Python output MAC - // 64b8f7ccdbc86109a981c9f29243e36548716e94f5ef30ade090c41ecd6fa2a226909d706bdebcf3baeb24c4ed8373ae1bcd9a32a5596136e24e0f1ae68a8ac0 + // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + // Python output MAC + // 676e9ebdf306b7db7ad41892887342e892bcc59688caef44693c1659b6a683e844d584030b7c532105b8c2539e0aed51af6df77e87f1834e92c2085889d1c44b // Trunc to first 16 bytes - // 64b8f7ccdbc86109a981c9f29243e365 - char* buffer_python_mac_h = "64b8f7ccdbc86109a981c9f29243e365"; + // 676e9ebdf306b7db7ad41892887342e8 + char* buffer_python_mac_h = "676e9ebdf306b7db7ad41892887342e8"; uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; @@ -2710,12 +2721,12 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) test_association->akid = 136; TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); + ek_ring[test_association->akid].key_len = 64; // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); @@ -2734,13 +2745,13 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) ASSERT_EQ(*(tc_sdls_processed_frame->tc_sec_trailer.mac + i), buffer_python_mac_b[i]); } - // free(buffer_frame_pt_b); - // free(buffer_nist_key_b); - // free(buffer_python_mac_b); + free(buffer_frame_pt_b); + free(buffer_nist_key_b); + free(buffer_python_mac_b); } /** - * @brief Unit Test: Test HMAC SHA-512, bitmask of 1s + * @brief Unit Test: Test HMAC SHA-512, keylength of 64 bytes, bitmask of 1s **/ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) { @@ -2757,18 +2768,19 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header |SPI | arsn | Payload | SHA 512 HMAC |FECF| - char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F1939425875c570016a9458a71cea6aaca6ff46970f67"; - // Python truth string passed below, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header + char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; + // | Header |SPI | ARSN | Payload | SHA 512 HMAC |FECF| + char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258907bbd1d9f2fd37e541f0b1ee12f5db0679a"; + // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header // Length is dependent on whatever the variable mac length to be updated in the header // | Header |SPI| ARSN | NIST CMAC Frame Data | // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // Python output MAC - // 75c570016a9458a71cea6aaca6ff46971ea007ed0a84e97fd2df79f6634c3efbb62edef3d1fb6549d0c9319e2d1dea866f634f67a2006c435b5bd2a3dd314fef + // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + // Python output MAC + // 907bbd1d9f2fd37e541f0b1ee12f5db0b1e0cbc57cfe08aecfc74b001371db711abb39caf658ee692d418725dc92cabd8d0a93ce423ff7594adf3fd91e7a6435 // Trunc to first 16 bytes - // 75c570016a9458a71cea6aaca6ff4697 - char* buffer_python_mac_h = "75c570016a9458a71cea6aaca6ff4697"; + // 907bbd1d9f2fd37e541f0b1ee12f5db0b1e0cbc57cfe08aecfc74b001371db711abb39caf658ee692d418725dc92cabd8d0a93ce423ff7594adf3fd91e7a6435 + char* buffer_python_mac_h = "907bbd1d9f2fd37e541f0b1ee12f5db0"; uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; @@ -2799,12 +2811,12 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) test_association->akid = 136; TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); + ek_ring[test_association->akid].key_len = 64; // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); @@ -2812,7 +2824,7 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); status = Crypto_TC_ProcessSecurity(buffer_frame_pt_b, &buffer_frame_pt_len, tc_sdls_processed_frame); - ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); + ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); // Note: For comparison, primarily interested in the MAC Crypto_Shutdown(); @@ -2829,14 +2841,53 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_1) } /** - * @brief Unit Test: Test HMAC SHA-512, keylength of 64 bytes, bitmask of 0s + * @brief Unit Test: Encrypts a frame, then decrypts the output to ensure the reverse doesn't error **/ -UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) +UTEST(PLAINTEXT, ENCRYPT_DECRYPT) +{ + int32_t status = CRYPTO_LIB_ERROR; + uint8_t* ptr_enc_frame = NULL; + uint16_t enc_frame_len = 0; + // Setup & Initialize CryptoLib + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, + TC_IGNORE_SA_STATE_TRUE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, + TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); + Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); + Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); + Crypto_Init(); + + char* jpl_frame_pt_h = "2003001c00ff000100001880d03e000a197f0b000300020093d4ba21c4555555555555"; + uint8_t* jpl_frame_pt_b = NULL; + int jpl_frame_pt_len = 0; + TC_t* tc_sdls_processed_frame; + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); + + // Convert input jpl frame + hex_conversion(jpl_frame_pt_h, (char**) &jpl_frame_pt_b, &jpl_frame_pt_len); + + // Apply, save the generated frame + status = Crypto_TC_ApplySecurity(jpl_frame_pt_b, jpl_frame_pt_len, &ptr_enc_frame, &enc_frame_len); + ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); + + // Process the generated frame + int len = (int)enc_frame_len; + status = Crypto_TC_ProcessSecurity(ptr_enc_frame, &len, tc_sdls_processed_frame); + Crypto_Shutdown(); + ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); +} + +/** + * @brief Unit Test: Test HMAC SHA-512, encryption key length too short + * Supply a 32-byte key when SHA512 requires a 64-byte key + **/ +UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_SHORT_KEY) { int32_t status = 0; + uint8_t *ptr_enc_frame = NULL; + uint16_t enc_frame_len = 0; // Setup & Initialize CryptoLib Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, - TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, + TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); @@ -2846,19 +2897,18 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header |SPI | ARSN | Payload | SHA 512 HMAC |FECF| - char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258676e9ebdf306b7db7ad41892887342e80DC5"; + char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; + // | Header | NIST CMAC Test Vector |FECF| + char *buffer_frame_pt_h = "2003004600C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258C925"; // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header // Length is dependent on whatever the variable mac length to be updated in the header // | Header |SPI| ARSN | NIST CMAC Frame Data | // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" - // Python output MAC - // 676e9ebdf306b7db7ad41892887342e892bcc59688caef44693c1659b6a683e844d584030b7c532105b8c2539e0aed51af6df77e87f1834e92c2085889d1c44b + // Python output MAC + // 75c570016a9458a71cea6aaca6ff46971ea007ed0a84e97fd2df79f6634c3efbb62edef3d1fb6549d0c9319e2d1dea866f634f67a2006c435b5bd2a3dd314fef // Trunc to first 16 bytes - // 676e9ebdf306b7db7ad41892887342e8 - char* buffer_python_mac_h = "676e9ebdf306b7db7ad41892887342e8"; + // 75c570016a9458a71cea6aaca6ff4697 + char* buffer_python_mac_h = "75c570016a9458a71cea6aaca6ff4697"; uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; @@ -2878,7 +2928,7 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) test_association->arsn_len = 4; test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); test_association->abm_len = 1024; - memset(test_association->abm, 0x00, (test_association->abm_len * sizeof(uint8_t))); // Bitmask + memset(test_association->abm, 0xFF, (test_association->abm_len * sizeof(uint8_t))); // Bitmask test_association->stmacf_len = 16; test_association->sa_state = SA_OPERATIONAL; test_association->ecs = calloc(1, test_association->ecs_len * sizeof(uint8_t)); @@ -2888,43 +2938,34 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_2) test_association->ekid = 0; test_association->akid = 136; - TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); - // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); - ek_ring[test_association->akid].key_len = 64; + ek_ring[test_association->akid].key_len = 32; // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); // Convert input mac hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - status = Crypto_TC_ProcessSecurity(buffer_frame_pt_b, &buffer_frame_pt_len, tc_sdls_processed_frame); - ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); + status = Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); + ASSERT_EQ(status, CRYPTO_LIB_ERR_KEY_LENGTH_ERROR); - // Note: For comparison, primarily interested in the MAC Crypto_Shutdown(); - for (int i = 0; i < buffer_python_mac_len; i++) - { - printf("[%d] Truth: %02x, Actual: %02x\n", i, buffer_python_mac_b[i], *(tc_sdls_processed_frame->tc_sec_trailer.mac + i)); - ASSERT_EQ(*(tc_sdls_processed_frame->tc_sec_trailer.mac + i), buffer_python_mac_b[i]); - } - + free(ptr_enc_frame); free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); } /** - * @brief Unit Test: Test HMAC SHA-512, keylength of 64 bytes, bitmask of 1s + * @brief Unit Test: Test HMAC SHA-512, decryption key too short for algorithm **/ -UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) +UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_SHORT_KEY) { int32_t status = 0; + uint8_t *ptr_enc_frame = NULL; // Setup & Initialize CryptoLib Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, @@ -2937,19 +2978,18 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext - char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; - // | Header |SPI | ARSN | Payload | SHA 512 HMAC |FECF| - char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258907bbd1d9f2fd37e541f0b1ee12f5db0679a"; - // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header + char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; + // | Header |SPI | arsn | Payload | SHA 512 HMAC |FECF| + char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F1939425875c570016a9458a71cea6aaca6ff46970f67"; + // Python truth string passed below, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header // Length is dependent on whatever the variable mac length to be updated in the header // | Header |SPI| ARSN | NIST CMAC Frame Data | // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; - // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" - // Python output MAC - // 907bbd1d9f2fd37e541f0b1ee12f5db0b1e0cbc57cfe08aecfc74b001371db711abb39caf658ee692d418725dc92cabd8d0a93ce423ff7594adf3fd91e7a6435 + // Python output MAC + // 75c570016a9458a71cea6aaca6ff46971ea007ed0a84e97fd2df79f6634c3efbb62edef3d1fb6549d0c9319e2d1dea866f634f67a2006c435b5bd2a3dd314fef // Trunc to first 16 bytes - // 907bbd1d9f2fd37e541f0b1ee12f5db0b1e0cbc57cfe08aecfc74b001371db711abb39caf658ee692d418725dc92cabd8d0a93ce423ff7594adf3fd91e7a6435 - char* buffer_python_mac_h = "907bbd1d9f2fd37e541f0b1ee12f5db0"; + // 75c570016a9458a71cea6aaca6ff4697 + char* buffer_python_mac_h = "75c570016a9458a71cea6aaca6ff4697"; uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; @@ -2980,13 +3020,12 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) test_association->akid = 136; TC_t *tc_sdls_processed_frame; - tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE); - memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE)); + tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); - ek_ring[test_association->akid].key_len = 64; + ek_ring[test_association->akid].key_len = 32; // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); @@ -2994,56 +3033,13 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_3) hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); status = Crypto_TC_ProcessSecurity(buffer_frame_pt_b, &buffer_frame_pt_len, tc_sdls_processed_frame); - ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); - - // Note: For comparison, primarily interested in the MAC - Crypto_Shutdown(); - - for (int i = 0; i < buffer_python_mac_len; i++) - { - printf("[%d] Truth: %02x, Actual: %02x\n", i, buffer_python_mac_b[i], *(tc_sdls_processed_frame->tc_sec_trailer.mac + i)); - ASSERT_EQ(*(tc_sdls_processed_frame->tc_sec_trailer.mac + i), buffer_python_mac_b[i]); - } + ASSERT_EQ(CRYPTO_LIB_ERR_KEY_LENGTH_ERROR, status); + free(ptr_enc_frame); free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); -} - -/** - * @brief Unit Test: Encrypts a frame, then decrypts the output to ensure the reverse doesn't error - **/ -UTEST(PLAINTEXT, ENCRYPT_DECRYPT) -{ - int32_t status = CRYPTO_LIB_ERROR; - uint8_t* ptr_enc_frame = NULL; - uint16_t enc_frame_len = 0; - // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, - TC_IGNORE_SA_STATE_TRUE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, - TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); - Crypto_Init(); - - char* jpl_frame_pt_h = "2003001c00ff000100001880d03e000a197f0b000300020093d4ba21c4555555555555"; - uint8_t* jpl_frame_pt_b = NULL; - int jpl_frame_pt_len = 0; - TC_t* tc_sdls_processed_frame; - tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); - - // Convert input jpl frame - hex_conversion(jpl_frame_pt_h, (char**) &jpl_frame_pt_b, &jpl_frame_pt_len); - - // Apply, save the generated frame - status = Crypto_TC_ApplySecurity(jpl_frame_pt_b, jpl_frame_pt_len, &ptr_enc_frame, &enc_frame_len); - ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); - - // Process the generated frame - int len = (int)enc_frame_len; - status = Crypto_TC_ProcessSecurity(ptr_enc_frame, &len, tc_sdls_processed_frame); - Crypto_Shutdown(); - ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); + free(tc_sdls_processed_frame); } UTEST_MAIN(); \ No newline at end of file From f6dc8a1613ab16f459ca4b87407e6c0667585335 Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Wed, 27 Apr 2022 10:20:54 -0400 Subject: [PATCH 2/4] Fix UTs setup improperly --- .../src_libgcrypt/cryptography_interface_libgcrypt.template.c | 4 ++-- util/src_util/ut_tc_apply.c | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c index 1664b64a..5f358c80 100644 --- a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c +++ b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c @@ -864,7 +864,7 @@ static int32_t cryptography_aead_encrypt(uint8_t* data_out, size_t len_data_out, } // Check that key length to be used is atleast as long as the algo requirement - if (sa_ptr != NULL && len_key < ek_ring[sa_ptr->ekid].key_len) + if (sa_ptr != NULL && len_key > ek_ring[sa_ptr->ekid].key_len) { return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; } @@ -1040,7 +1040,7 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out, } // Check that key length to be used is atleast as long as the algo requirement - if (sa_ptr != NULL && len_key < ek_ring[sa_ptr->ekid].key_len) + if (sa_ptr != NULL && len_key > ek_ring[sa_ptr->ekid].key_len) { return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; } diff --git a/util/src_util/ut_tc_apply.c b/util/src_util/ut_tc_apply.c index db88f215..62363ad8 100644 --- a/util/src_util/ut_tc_apply.c +++ b/util/src_util/ut_tc_apply.c @@ -353,6 +353,8 @@ UTEST(TC_APPLY_SECURITY, HAPPY_PATH_APPLY_NONTRANSMITTED_INCREMENTING_ARSN_ROLLO test_association->shsnf_len = 2; test_association->arsn = calloc(1,test_association->arsn_len); memcpy(test_association->arsn, (uint8_t *)new_arsn_b, new_arsn_len); + // This TA was originally setup for AESGCM, need to specify an akid so we can use it for a MAC + test_association->akid = 130; return_val = Crypto_TC_ApplySecurity((uint8_t* )raw_tc_sdls_ping_b, raw_tc_sdls_ping_len, &ptr_enc_frame, &enc_frame_len); From 5223befc59570b19788480d72f54b8878f1bf5f1 Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Wed, 27 Apr 2022 10:54:05 -0400 Subject: [PATCH 3/4] Update UT originally created with wrong MAC key --- util/src_util/ut_tc_process.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/util/src_util/ut_tc_process.c b/util/src_util/ut_tc_process.c index 81d10ee2..d2f92b5b 100644 --- a/util/src_util/ut_tc_process.c +++ b/util/src_util/ut_tc_process.c @@ -431,16 +431,16 @@ UTEST(TC_PROCESS, HAPPY_PATH_PROCESS_NONTRANSMITTED_INCREMENTING_ARSN_ROLLOVER) Crypto_Init_Unit_Test(); Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, - TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); + TC_CHECK_FECF_FALSE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); SadbRoutine sadb_routine = get_sadb_routine_inmemory(); - + char* dec_test_fe_h = - "2003002900000004FFFE80D2C70008197F0B00310000B1FE1C9119D059698FFE5AAE811572FA678D0741"; + "2003002900000004FFFE80D2C70008197F0B00310000B1FE7F97816F523951BAF0445DB078B502760741"; char* dec_test_ff_h = - "2003002900000004FFFF80D2C70008197F0B00310000B1FE1C9119D059698FFE5AAE811572FA678D8968"; + "2003002900000004FFFF80D2C70008197F0B00310000B1FE7F97816F523951BAF0445DB078B502768968"; char* dec_test_00_h = - "2003002900000004000080D2C70008197F0B00310000B1FE1C9119D059698FFE5AAE811572FA678D7824"; + "2003002900000004000080D2C70008197F0B00310000B1FE7F97816F523951BAF0445DB078B50276E797"; uint8_t *dec_test_fe_b, *dec_test_ff_b, *dec_test_00_b = NULL; int dec_test_fe_len, dec_test_ff_len, dec_test_00_len = 0; @@ -488,6 +488,9 @@ UTEST(TC_PROCESS, HAPPY_PATH_PROCESS_NONTRANSMITTED_INCREMENTING_ARSN_ROLLOVER) test_association->arsn[1] = 0xFF; test_association->arsn[2] = 0xFD; + // This TA was originally setup for AESGCM, need to specify an akid so we can use it for a MAC + test_association->akid = 130; + Crypto_saPrint(test_association); return_val = Crypto_TC_ProcessSecurity(dec_test_fe_b, &dec_test_fe_len, tc_sdls_processed_frame); ASSERT_EQ(CRYPTO_LIB_SUCCESS, return_val); From afce6dce2dfb4103d11d22d93e885d1242c6520a Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Tue, 26 Apr 2022 15:29:02 -0400 Subject: [PATCH 4/4] Segfault was caused by UT error, not a code error. Since the relevant code is already exercised, removed problematic UTs. --- ...ryptography_interface_libgcrypt.template.c | 6 +- util/src_util/et_dt_validation.c | 188 ------------------ 2 files changed, 2 insertions(+), 192 deletions(-) diff --git a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c index 5f358c80..3f8908a1 100644 --- a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c +++ b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c @@ -568,7 +568,6 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, { key_ptr = &(ek_ring[sa_ptr->akid].value[0]); } - // Need to copy the data over, since authentication won't change/move the data directly if(data_out != NULL) { @@ -578,11 +577,10 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, { return CRYPTO_LIB_ERR_NULL_BUFFER; } - // Using to fix warning len_data_out = len_data_out; ecs = ecs; - + // Select correct libgcrypt acs enum int32_t algo = cryptography_get_acs_algo(acs); if (algo == CRYPTO_LIB_ERR_UNSUPPORTED_ACS) @@ -605,7 +603,7 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, return status; } gcry_error = gcry_mac_setkey(tmp_mac_hd, key_ptr, len_key); - + #ifdef SA_DEBUG uint32_t i; printf(KYEL "Auth MAC Printing Key:\n\t"); diff --git a/util/src_util/et_dt_validation.c b/util/src_util/et_dt_validation.c index 3bbf848d..b3cff678 100644 --- a/util/src_util/et_dt_validation.c +++ b/util/src_util/et_dt_validation.c @@ -2102,99 +2102,6 @@ UTEST(NIST_ENC_HMAC_VALIDATION, SHA_256_PT_128_TEST_1) free(buffer_python_mac_b); } -/** - * @brief Unit Test: Test HMAC SHA-512, bitmask of 0s - **/ -/* Causes as segfault, likely because the key length is importerly set (should be set to 32 as in TEST_1) -** Keeping for now so we can hopefully find a way to catch the segfault and exit gracefullyisher -*/ -// UTEST(NIST_ENC_HMAC_VALIDATION, SHA_512_SEG) -// { -// uint8_t *ptr_enc_frame = NULL; -// uint16_t enc_frame_len = 0; -// // Setup & Initialize CryptoLib -// Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, -// TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, -// TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); -// Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); -// Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); -// Crypto_Init(); -// SadbRoutine sadb_routine = get_sadb_routine_inmemory(); -// crypto_key_t* ek_ring = cryptography_if->get_ek_ring(); - -// // NIST supplied vectors -// // NOTE: Added Transfer Frame header to the plaintext -// char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; -// // | Header | NIST CMAC Test Vector |FECF| -// char *buffer_frame_pt_h = "2003004600C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258C925"; -// // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header -// // Length is dependent on whatever the variable mac length to be updated in the header -// // | Header |SPI| ARSN | NIST CMAC Frame Data | -// // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; -// // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" -// // Python output MAC -// // 64b8f7ccdbc86109a981c9f29243e36548716e94f5ef30ade090c41ecd6fa2a226909d706bdebcf3baeb24c4ed8373ae1bcd9a32a5596136e24e0f1ae68a8ac0 -// // Trunc to first 16 bytes -// // 64b8f7ccdbc86109a981c9f29243e365 -// char* buffer_python_mac_h = "64b8f7ccdbc86109a981c9f29243e365"; -// uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; -// int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; - -// // Expose/setup SAs for testing -// SecurityAssociation_t *test_association = NULL; -// test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(uint8_t)); -// // Deactivate SA 1 -// sadb_routine->sadb_get_sa_from_spi(1, &test_association); -// test_association->sa_state = SA_NONE; -// // Activate SA 9 -// sadb_routine->sadb_get_sa_from_spi(9, &test_association); -// test_association->ast = 1; -// test_association->est = 0; -// test_association->shivf_len = 0; -// test_association->iv_len = 0; -// test_association->shsnf_len = 4; -// test_association->arsn_len = 4; -// test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); -// test_association->abm_len = 1024; -// memset(test_association->abm, 0x00, (test_association->abm_len * sizeof(uint8_t))); // Bitmask -// test_association->stmacf_len = 16; -// test_association->sa_state = SA_OPERATIONAL; -// test_association->ecs = calloc(1, test_association->ecs_len * sizeof(uint8_t)); -// *test_association->ecs = CRYPTO_CIPHER_NONE; -// test_association->acs = calloc(1, test_association->acs_len * sizeof(uint8_t)); -// *test_association->acs = CRYPTO_MAC_HMAC_SHA512; -// test_association->ekid = 0; -// test_association->akid = 136; - -// // Insert key into keyring of SA 9 -// hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); -// memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); - -// // Convert input plaintext -// hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); -// // Convert input mac -// hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - -// Crypto_TC_ApplySecurity(buffer_frame_pt_b, buffer_frame_pt_len, &ptr_enc_frame, &enc_frame_len); - -// // Note: For comparison, primarily interested in the MAC -// // Calc payload index: total length - pt length -// uint16_t enc_data_idx = enc_frame_len - buffer_python_mac_len - 2; -// Crypto_Shutdown(); - -// for (int i = 0; i < buffer_python_mac_len; i++) -// { -// printf("[%d] Truth: %02x, Actual: %02x\n", enc_data_idx, buffer_python_mac_b[i], *(ptr_enc_frame + enc_data_idx)); -// ASSERT_EQ(*(ptr_enc_frame + enc_data_idx), buffer_python_mac_b[i]); -// enc_data_idx++; -// } - -// free(ptr_enc_frame); -// free(buffer_frame_pt_b); -// free(buffer_nist_key_b); -// free(buffer_python_mac_b); -// } - /** * @brief Unit Test: Test HMAC SHA-512, key length 64 bytes, bitmask of 0s **/ @@ -2565,101 +2472,6 @@ UTEST(NIST_DEC_HMAC_VALIDATION, SHA_256_PT_128_TEST_1) free(tc_sdls_processed_frame); } -/** - * @brief Unit Test: Test HMAC SHA-512, bitmask of 0s - **/ -// UTEST(NIST_DEC_HMAC_VALIDATION, SHA_512_PT_128_TEST_0) -// { -// int32_t status = 0; -// uint8_t *ptr_enc_frame = NULL; -// // Setup & Initialize CryptoLib -// Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR, -// TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, -// TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE); -// Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); -// Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS, 1024); -// Crypto_Init(); -// SadbRoutine sadb_routine = get_sadb_routine_inmemory(); -// crypto_key_t* ek_ring = cryptography_if->get_ek_ring(); - -// // NIST supplied vectors -// // NOTE: Added Transfer Frame header to the plaintext -// char *buffer_nist_key_h = "b228c753292acd5df351000a591bf960d8555c3f6284afe7c6846cbb6c6f5445"; -// // | Header |SPI | arsn | Payload | SHA 512 HMAC |FECF| -// char *buffer_frame_pt_h = "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F1939425864b8f7ccdbc86109a981c9f29243e365a334"; -// // 2003005c00000900000000c66d322247ebf272e6a353f9940b00847cf78e27f2bc0c81a696db411e47c0e9630137d3fa860a71158e23d80b699e8006e52345fb7273b2e084407f19394258 -// // Python truth string passed below is ZEROed out, not including a MAC or FECF which isn't hashed against, but the LENGTH (including fecf) needs to be updated in the Tf Header -// // Length is dependent on whatever the variable mac length to be updated in the header -// // | Header |SPI| ARSN | NIST CMAC Frame Data | -// // "2003005C00000900000000C66D322247EBF272E6A353F9940B00847CF78E27F2BC0C81A696DB411E47C0E9630137D3FA860A71158E23D80B699E8006E52345FB7273B2E084407F19394258"; -// // "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" -// // Python output MAC -// // 64b8f7ccdbc86109a981c9f29243e36548716e94f5ef30ade090c41ecd6fa2a226909d706bdebcf3baeb24c4ed8373ae1bcd9a32a5596136e24e0f1ae68a8ac0 -// // Trunc to first 16 bytes -// // 64b8f7ccdbc86109a981c9f29243e365 -// char* buffer_python_mac_h = "64b8f7ccdbc86109a981c9f29243e365"; -// uint8_t *buffer_frame_pt_b, *buffer_nist_key_b, *buffer_python_mac_b = NULL; -// int buffer_frame_pt_len, buffer_nist_key_len, buffer_python_mac_len = 0; - -// // Expose/setup SAs for testing -// SecurityAssociation_t *test_association = NULL; -// test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(uint8_t)); -// // Deactivate SA 1 -// sadb_routine->sadb_get_sa_from_spi(1, &test_association); -// test_association->sa_state = SA_NONE; -// // Activate SA 9 -// sadb_routine->sadb_get_sa_from_spi(9, &test_association); -// test_association->ast = 1; -// test_association->est = 0; -// test_association->shivf_len = 0; -// test_association->iv_len = 0; -// test_association->shsnf_len = 4; -// test_association->arsn_len = 4; -// test_association->arsn = calloc(1, test_association->arsn_len * sizeof(uint8_t)); -// test_association->abm_len = 1024; -// test_association->abm = calloc(1, test_association->abm_len * sizeof(uint8_t)); -// memset(test_association->abm, 0x00, (test_association->abm_len * sizeof(uint8_t))); // Bitmask -// test_association->stmacf_len = 16; -// test_association->sa_state = SA_OPERATIONAL; -// test_association->ecs = calloc(1, test_association->ecs_len * sizeof(uint8_t)); -// *test_association->ecs = CRYPTO_CIPHER_NONE; -// test_association->acs = calloc(1, test_association->acs_len * sizeof(uint8_t)); -// *test_association->acs = CRYPTO_MAC_HMAC_SHA512; -// test_association->ekid = 0; -// test_association->akid = 136; - -// TC_t *tc_sdls_processed_frame; -// tc_sdls_processed_frame = calloc(1, sizeof(uint8_t) * TC_SIZE); - -// // Insert key into keyring of SA 9 -// hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len); -// memset(ek_ring[test_association->akid].value, 0x00, Crypto_Get_ACS_Algo_Keylen(*test_association->acs)); -// memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); - -// // Convert input plaintext -// hex_conversion(buffer_frame_pt_h, (char **)&buffer_frame_pt_b, &buffer_frame_pt_len); -// // Convert input mac -// hex_conversion(buffer_python_mac_h, (char **)&buffer_python_mac_b, &buffer_python_mac_len); - -// status = Crypto_TC_ProcessSecurity(buffer_frame_pt_b, &buffer_frame_pt_len, tc_sdls_processed_frame); -// ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); - -// // Note: For comparison, primarily interested in the MAC -// Crypto_Shutdown(); - -// for (int i = 0; i < buffer_python_mac_len; i++) -// { -// printf("[%d] Truth: %02x, Actual: %02x\n", i, buffer_python_mac_b[i], *(tc_sdls_processed_frame->tc_sec_trailer.mac + i)); -// ASSERT_EQ(*(tc_sdls_processed_frame->tc_sec_trailer.mac + i), buffer_python_mac_b[i]); -// } - -// free(ptr_enc_frame); -// free(buffer_frame_pt_b); -// free(buffer_nist_key_b); -// free(buffer_python_mac_b); -// free(tc_sdls_processed_frame); -// } - /** * @brief Unit Test: Test HMAC SHA-512, keylength of 64 bytes, bitmask of 0s **/