--- /dev/null
+/* Copyright (c) 1998,2003-2005,2008 Apple Inc.
+ *
+ * pbeTest.c - test CSP PBE-style DeriveKey().
+ *
+ * Revision History
+ * ----------------
+ * 15 May 2000 Doug Mitchell
+ * Ported to X/CDSA2.
+ * 13 Aug 1998 Doug Mitchell at NeXT
+ * Created.
+ */
+#include <stdlib.h>
+#include <stdio.h>
+#include <time.h>
+#include <string.h>
+#include <Security/cssm.h>
+#include "cspwrap.h"
+#include "common.h"
+#include "cspdlTesting.h"
+
+/* we need to know a little bit about AES for this test.... */
+#define AES_BLOCK_SIZE 16 /* bytes */
+
+/*
+ * Defaults.
+ */
+#define LOOPS_DEF 10
+#define MIN_PTEXT_SIZE AES_BLOCK_SIZE /* for non-padding tests */
+#define MAX_PTEXT_SIZE 1000
+#define MAX_PASSWORD_SIZE 64
+#define MAX_SALT_SIZE 32
+#define MIN_ITER_COUNT 1000
+#define MAX_ITER_COUNT 2000
+#define MAX_IV_SIZE AES_BLOCK_SIZE
+
+/* min values not currently exported by CSP */
+#define APPLE_PBE_MIN_PASSWORD 8
+#define APPLE_PBE_MIN_SALT 8
+
+/* static IV for derive algorithms which don't create one */
+CSSM_DATA staticIv = {MAX_IV_SIZE, (uint8 *)"someIvOrOther..."};
+
+/*
+ * Enumerate algs our own way to allow iteration.
+ */
+typedef unsigned privAlg;
+enum {
+ /* PBE algs */
+ pbe_pbkdf2 = 1,
+ // other unsupported for now
+ pbe_PKCS12 = 1,
+ pbe_MD5,
+ pbe_MD2,
+ pbe_SHA1,
+
+ /* key gen algs */
+ pka_ASC,
+ pka_RC4,
+ pka_DES,
+ pka_RC2,
+ pka_RC5,
+ pka_3DES,
+ pka_AES
+};
+
+#define PBE_ALG_FIRST pbe_pbkdf2
+#define PBE_ALG_LAST pbe_pbkdf2
+#define ENCR_ALG_FIRST pka_ASC
+#define ENCR_ALG_LAST pka_AES
+#define ENCR_ALG_LAST_EXPORT pka_RC5
+
+/*
+ * Args passed to each test
+ */
+typedef struct {
+ CSSM_CSP_HANDLE cspHand;
+ CSSM_ALGORITHMS keyAlg;
+ CSSM_ALGORITHMS encrAlg;
+ uint32 keySizeInBits;
+ uint32 effectiveKeySizeInBits; // 0 means not used
+ const char *keyAlgStr;
+ CSSM_ENCRYPT_MODE encrMode;
+ CSSM_PADDING encrPad;
+ CSSM_ALGORITHMS deriveAlg;
+ const char *deriveAlgStr;
+ CSSM_DATA_PTR ptext;
+ CSSM_DATA_PTR password;
+ CSSM_DATA_PTR salt;
+ uint32 iterCount;
+ CSSM_BOOL useInitVector; // encrypt needs an IV
+ uint32 ivSize;
+ CSSM_BOOL genInitVector; // DeriveKey generates an IV
+ CSSM_BOOL useRefKey;
+ CSSM_BOOL quiet;
+} testArgs;
+
+static void usage(char **argv)
+{
+ printf("usage: %s [options]\n", argv[0]);
+ printf(" Options:\n");
+ printf(" l=loops (default=%d; 0=forever)\n", LOOPS_DEF);
+ printf(" e(xport)\n");
+ printf(" r(epeatOnly)\n");
+ printf(" z(ero length password)\n");
+ printf(" p(ause after each loop)\n");
+ printf(" D (CSP/DL; default = bare CSP)\n");
+ printf(" q(uiet)\n");
+ printf(" h(elp)\n");
+ exit(1);
+}
+
+/*
+ * Given a privAlg value, return various associated stuff.
+ */
+static void algInfo(privAlg alg, // pbe_MD5, etc.
+ CSSM_ALGORITHMS *cdsaAlg, // CSSM_ALGID_MD5_PBE, etc. RETURNED
+ // key alg for key gen algs
+ CSSM_ALGORITHMS *encrAlg, // encrypt/decrypt alg for key
+ // gen algs
+ CSSM_ENCRYPT_MODE *mode, // RETURNED
+ CSSM_PADDING *padding, // RETURNED
+ CSSM_BOOL *useInitVector, // RETURNED, for encrypt/decrypt
+ uint32 *ivSize, // RETURNED, in bytes
+ CSSM_BOOL *genInitVector, // RETURNED, for deriveKey
+ const char **algStr) // RETURNED
+{
+ /* default or irrelevant fields */
+ *mode = CSSM_ALGMODE_NONE;
+ *useInitVector = CSSM_FALSE;
+ *genInitVector = CSSM_FALSE; // DeriveKey doesn't do this now
+ *padding = CSSM_PADDING_PKCS1;
+ *ivSize = 8; // thje usual size, if needed
+ *encrAlg = CSSM_ALGID_NONE;
+
+ switch(alg) {
+ case pbe_pbkdf2:
+ *cdsaAlg = CSSM_ALGID_PKCS5_PBKDF2;
+ *algStr = "PBKDF2";
+ return;
+ /* these are not supported */
+ #if 0
+ case pbe_PKCS12:
+ *cdsaAlg = CSSM_ALGID_SHA1_PBE_PKCS12;
+ *algStr = "PKCS12";
+ return;
+ case pbe_MD5:
+ *cdsaAlg = CSSM_ALGID_MD5_PBE;
+ *algStr = "MD5";
+ return;
+ case pbe_MD2:
+ *cdsaAlg = CSSM_ALGID_MD2_PBE;
+ *algStr = "MD2";
+ return;
+ case pbe_SHA1:
+ *cdsaAlg = CSSM_ALGID_SHA1_PBE;
+ *algStr = "SHA1";
+ return;
+ case pka_ASC:
+ *cdsaAlg = CSSM_ALGID_ASC;
+ *algStr = "ASC";
+ return;
+ #endif
+ case pka_DES:
+ *cdsaAlg = *encrAlg = CSSM_ALGID_DES;
+ *useInitVector = CSSM_TRUE;
+ *mode = CSSM_ALGMODE_CBCPadIV8;
+ *algStr = "DES";
+ return;
+ case pka_3DES:
+ *cdsaAlg = CSSM_ALGID_3DES_3KEY;
+ *encrAlg = CSSM_ALGID_3DES_3KEY_EDE;
+ *useInitVector = CSSM_TRUE;
+ *mode = CSSM_ALGMODE_CBCPadIV8;
+ *algStr = "3DES";
+ return;
+ case pka_AES:
+ *cdsaAlg = *encrAlg = CSSM_ALGID_AES;
+ *useInitVector = CSSM_TRUE;
+ *mode = CSSM_ALGMODE_CBCPadIV8;
+ *padding = CSSM_PADDING_PKCS5;
+ *ivSize = AES_BLOCK_SIZE; // per the default block size
+ *algStr = "AES";
+ return;
+ case pka_RC2:
+ *cdsaAlg = *encrAlg = CSSM_ALGID_RC2;
+ *useInitVector = CSSM_TRUE;
+ *mode = CSSM_ALGMODE_CBCPadIV8;
+ *algStr = "RC2";
+ return;
+ case pka_RC4:
+ *cdsaAlg = *encrAlg = CSSM_ALGID_RC4;
+ /* initVector false */
+ *mode = CSSM_ALGMODE_NONE;
+ *algStr = "RC4";
+ return;
+ case pka_RC5:
+ *cdsaAlg = *encrAlg = CSSM_ALGID_RC5;
+ *algStr = "RC5";
+ *mode = CSSM_ALGMODE_CBCPadIV8;
+ *useInitVector = CSSM_TRUE;
+ return;
+ case pka_ASC:
+ *cdsaAlg = *encrAlg = CSSM_ALGID_ASC;
+ /* initVector false */
+ *algStr = "ASC";
+ *mode = CSSM_ALGMODE_NONE;
+ return;
+ default:
+ printf("BRRZZZT! Update algInfo()!\n");
+ testError(CSSM_TRUE);
+ }
+}
+
+/* a handy "compare two CSSM_DATAs" ditty */
+static CSSM_BOOL compareData(const CSSM_DATA_PTR d1,
+ const CSSM_DATA_PTR d2)
+{
+ if(d1->Length != d2->Length) {
+ return CSSM_FALSE;
+ }
+ if(memcmp(d1->Data, d2->Data, d1->Length)) {
+ return CSSM_FALSE;
+ }
+ return CSSM_TRUE;
+}
+
+/* generate random one-bit byte */
+static uint8 randBit()
+{
+ return 1 << genRand(0, 7);
+}
+
+/*
+ * Writer debug - assertion failure when ctext[1].Data is NULL
+ * but length is nonzero
+ */
+#define SAFE_CTEXT_ARRAY 0
+
+/*
+ * Encrypt ptext using specified key, IV, effectiveKeySizeInBits
+ */
+static int encryptCom(CSSM_CSP_HANDLE cspHand,
+ const char *testName,
+ CSSM_DATA_PTR ptext,
+ CSSM_KEY_PTR key,
+ CSSM_ALGORITHMS alg,
+ CSSM_ENCRYPT_MODE mode,
+ CSSM_PADDING padding, // CSSM_PADDING_PKCS1, etc.
+ CSSM_DATA_PTR iv, // may be NULL
+ uint32 effectiveKeySizeInBits, // may be 0
+ CSSM_DATA_PTR ctext, // RETURNED
+ CSSM_BOOL quiet)
+{
+ CSSM_CC_HANDLE cryptHand;
+ CSSM_RETURN crtn;
+ CSSM_SIZE bytesEncrypted;
+ CSSM_DATA remData;
+ int rtn;
+ #if SAFE_CTEXT_ARRAY
+ CSSM_DATA safeCtext[2];
+ safeCtext[0] = *ctext;
+ safeCtext[1].Data = NULL;
+ safeCtext[1].Length = 10; // lie, but shouldn't use this!
+ #else
+ // printf("+++ ctext[0] = %d:0x%x; ctext[1] = %d:0x%x\n",
+ // ctext[0].Length, ctext[0].Data,
+ // ctext[1].Length, ctext[1].Data);
+ #endif
+
+ cryptHand = genCryptHandle(cspHand,
+ alg,
+ mode,
+ padding,
+ key,
+ NULL, // no 2nd key
+ iv, // InitVector
+ effectiveKeySizeInBits,
+ 0); // rounds
+ if(cryptHand == 0) {
+ return testError(quiet);
+ }
+
+ remData.Data = NULL;
+ remData.Length = 0;
+ crtn = CSSM_EncryptData(cryptHand,
+ ptext,
+ 1,
+ #if SAFE_CTEXT_ARRAY
+ &safeCtext[0],
+ #else
+ ctext,
+ #endif
+ 1,
+ &bytesEncrypted,
+ &remData);
+ #if SAFE_CTEXT_ARRAY
+ *ctext = safeCtext[0];
+ #endif
+
+ if(crtn) {
+ printError("CSSM_EncryptData", crtn);
+ rtn = testError(quiet);
+ goto done;
+ }
+ if(remData.Length != 0) {
+ //printf("***WARNING: nonzero remData on encrypt!\n");
+ /* new for CDSA2 - possible remData even if we ask the CSP to
+ * malloc ctext */
+ ctext->Data = (uint8 *)appRealloc(ctext->Data, bytesEncrypted, NULL);
+ memmove(ctext->Data + ctext->Length,
+ remData.Data,
+ bytesEncrypted - ctext->Length);
+ appFreeCssmData(&remData, CSSM_FALSE);
+ }
+ /* new for CDSA 2 */
+ ctext->Length = bytesEncrypted;
+ rtn = 0;
+done:
+ if(CSSM_DeleteContext(cryptHand)) {
+ printError("CSSM_DeleteContext", 0);
+ rtn = 1;
+ }
+ return rtn;
+}
+
+/*
+ * Decrypt ctext using specified key, IV, effectiveKeySizeInBits
+ */
+static int decryptCom(CSSM_CSP_HANDLE cspHand,
+ const char *testName,
+ CSSM_DATA_PTR ctext,
+ CSSM_KEY_PTR key,
+ CSSM_ALGORITHMS alg,
+ CSSM_ENCRYPT_MODE mode,
+ CSSM_PADDING padding,
+ CSSM_DATA_PTR iv, // may be NULL
+ uint32 effectiveKeySizeInBits, // may be 0
+ CSSM_DATA_PTR ptext, // RETURNED
+ CSSM_BOOL quiet)
+{
+ CSSM_CC_HANDLE cryptHand;
+ CSSM_RETURN crtn;
+ CSSM_SIZE bytesDecrypted;
+ CSSM_DATA remData;
+ int rtn;
+
+ cryptHand = genCryptHandle(cspHand,
+ alg,
+ mode,
+ padding,
+ key,
+ NULL, // no 2nd key
+ iv, // InitVector
+ effectiveKeySizeInBits,
+ 0); // rounds
+ if(cryptHand == 0) {
+ return testError(quiet);
+ }
+ remData.Data = NULL;
+ remData.Length = 0;
+ crtn = CSSM_DecryptData(cryptHand,
+ ctext,
+ 1,
+ ptext,
+ 1,
+ &bytesDecrypted,
+ &remData);
+ if(crtn) {
+ printError("CSSM_DecryptData", crtn);
+ rtn = testError(quiet);
+ goto done;
+ }
+ if(remData.Length != 0) {
+ //printf("***WARNING: nonzero remData on decrypt!\n");
+ /* new for CDSA2 - possible remData even if we ask the CSP to
+ * malloc ptext */
+ ptext->Data = (uint8 *)appRealloc(ptext->Data, bytesDecrypted, NULL);
+ memmove(ptext->Data + ptext->Length,
+ remData.Data,
+ bytesDecrypted - ptext->Length);
+ appFreeCssmData(&remData, CSSM_FALSE);
+ }
+ /* new for CDSA 2 */
+ ptext->Length = bytesDecrypted;
+ rtn = 0;
+done:
+ if(CSSM_DeleteContext(cryptHand)) {
+ printError("CSSM_DeleteContext", 0);
+ rtn = 1;
+ }
+ return rtn;
+}
+
+/*
+ * Common test portion
+ * encrypt ptext with key1, iv1
+ * encrypt ptext with key2, iv2
+ * compare 2 ctexts; expect failure;
+ */
+
+#define TRAP_WRITER_ERR 1
+
+static int testCommon(CSSM_CSP_HANDLE cspHand,
+ const char *testName,
+ CSSM_ALGORITHMS encrAlg,
+ CSSM_ENCRYPT_MODE encrMode,
+ CSSM_PADDING encrPad,
+ uint32 effectiveKeySizeInBits,
+ CSSM_DATA_PTR ptext,
+ CSSM_KEY_PTR key1,
+ CSSM_DATA_PTR iv1,
+ CSSM_KEY_PTR key2,
+ CSSM_DATA_PTR iv2,
+ CSSM_BOOL quiet)
+{
+ CSSM_DATA ctext1;
+ CSSM_DATA ctext2;
+ ctext1.Data = NULL;
+ ctext1.Length = 0;
+ ctext2.Data = NULL;
+ ctext2.Length = 0;
+ if(encryptCom(cspHand,
+ testName,
+ ptext,
+ key1,
+ encrAlg,
+ encrMode,
+ encrPad,
+ iv1,
+ effectiveKeySizeInBits,
+ &ctext1,
+ quiet)) {
+ return 1;
+ }
+ #if TRAP_WRITER_ERR
+ if(ctext2.Data != NULL){
+ printf("Hey! encryptCom(ptext, ctext1 modified ctext2!\n");
+ if(testError(quiet)) {
+ return 1;
+ }
+ }
+ #endif
+ if(encryptCom(cspHand,
+ testName,
+ ptext,
+ key2,
+ encrAlg,
+ encrMode,
+ encrPad,
+ iv2,
+ effectiveKeySizeInBits,
+ &ctext2,
+ quiet)) {
+ return 1;
+ }
+ if(compareData(&ctext1, &ctext2)) {
+ printf("***%s: Unexpected Data compare!\n", testName);
+ return testError(quiet);
+ }
+ appFreeCssmData(&ctext1, CSSM_FALSE);
+ appFreeCssmData(&ctext2, CSSM_FALSE);
+ return 0;
+}
+
+/**
+ ** inidividual tests.
+ **/
+#define KEY_LABEL1 "noLabel1"
+#define KEY_LABEL2 "noLabel2"
+#define KEY_LABEL_LEN strlen(KEY_LABEL1)
+#define REPEAT_ON_ERROR 1
+
+/* test repeatability - the only test here which actually decrypts */
+static int repeatTest(testArgs *targs)
+{
+ /*
+ generate two keys with same params;
+ encrypt ptext with key1;
+ decrypt ctext with key2;
+ compare; expect success;
+ */
+ CSSM_KEY_PTR key1;
+ CSSM_KEY_PTR key2;
+ CSSM_DATA iv1;
+ CSSM_DATA iv2;
+ CSSM_DATA_PTR ivp1;
+ CSSM_DATA_PTR ivp2;
+ CSSM_DATA ctext;
+ CSSM_DATA rptext;
+ CSSM_BOOL gotErr = CSSM_FALSE;
+
+ if(targs->useInitVector) {
+ if(targs->genInitVector) {
+ ivp1 = &iv1;
+ ivp2 = &iv2;
+ }
+ else {
+ staticIv.Length = targs->ivSize;
+ ivp1 = ivp2 = &staticIv;
+ }
+ }
+ else {
+ ivp1 = ivp2 = NULL;
+ }
+ /* these need to be init'd regardless */
+ iv1.Data = NULL;
+ iv1.Length = 0;
+ iv2.Data = NULL;
+ iv2.Length = 0;
+ ctext.Data = NULL;
+ ctext.Length = 0;
+ rptext.Data = NULL;
+ rptext.Length = 0;
+repeatDerive:
+ key1 = cspDeriveKey(targs->cspHand,
+ targs->deriveAlg,
+ targs->keyAlg,
+ KEY_LABEL1,
+ KEY_LABEL_LEN,
+ CSSM_KEYUSE_ENCRYPT,
+ targs->keySizeInBits,
+ targs->useRefKey,
+ targs->password,
+ targs->salt,
+ targs->iterCount,
+ &iv1);
+ if(key1 == NULL) {
+ return testError(targs->quiet);
+ }
+ key2 = cspDeriveKey(targs->cspHand,
+ targs->deriveAlg,
+ targs->keyAlg,
+ KEY_LABEL2,
+ KEY_LABEL_LEN,
+ CSSM_KEYUSE_DECRYPT,
+ targs->keySizeInBits,
+ targs->useRefKey,
+ targs->password,
+ targs->salt,
+ targs->iterCount,
+ &iv2);
+ if(key2 == NULL) {
+ return testError(targs->quiet);
+ }
+repeatEnc:
+ if(encryptCom(targs->cspHand,
+ "repeatTest",
+ targs->ptext,
+ key1,
+ targs->encrAlg,
+ targs->encrMode,
+ targs->encrPad,
+ ivp1,
+ targs->effectiveKeySizeInBits,
+ &ctext,
+ targs->quiet)) {
+ return 1;
+ }
+ if(decryptCom(targs->cspHand,
+ "repeatTest",
+ &ctext,
+ key2,
+ targs->encrAlg,
+ targs->encrMode,
+ targs->encrPad,
+ ivp2,
+ targs->effectiveKeySizeInBits,
+ &rptext,
+ targs->quiet)) {
+ return 1;
+ }
+ if(gotErr || !compareData(targs->ptext, &rptext)) {
+ printf("***Data miscompare in repeatTest\n");
+ if(REPEAT_ON_ERROR) {
+ char str;
+
+ gotErr = CSSM_TRUE;
+ fpurge(stdin);
+ printf("Repeat enc/dec (r), repeat derive (d), continue (c), abort (any)? ");
+ str = getchar();
+ switch(str) {
+ case 'r':
+ appFreeCssmData(&ctext, CSSM_FALSE);
+ appFreeCssmData(&rptext, CSSM_FALSE);
+ goto repeatEnc;
+ case 'd':
+ appFreeCssmData(&ctext, CSSM_FALSE);
+ appFreeCssmData(&rptext, CSSM_FALSE);
+ appFreeCssmData(&iv1, CSSM_FALSE);
+ appFreeCssmData(&iv2, CSSM_FALSE);
+ cspFreeKey(targs->cspHand, key1);
+ cspFreeKey(targs->cspHand, key2);
+ goto repeatDerive;
+ case 'c':
+ break;
+ default:
+ return 1;
+ }
+ }
+ else {
+ return testError(targs->quiet);
+ }
+ }
+ appFreeCssmData(&ctext, CSSM_FALSE);
+ appFreeCssmData(&rptext, CSSM_FALSE);
+ appFreeCssmData(&iv1, CSSM_FALSE);
+ appFreeCssmData(&iv2, CSSM_FALSE);
+ cspFreeKey(targs->cspHand, key1);
+ cspFreeKey(targs->cspHand, key2);
+ CSSM_FREE(key1);
+ CSSM_FREE(key2);
+ return 0;
+}
+
+/* ensure iterCount alters key */
+static int iterTest(testArgs *targs)
+{
+ /*
+ generate key1(iterCount), key2(iterCount+1);
+ encrypt ptext with key1;
+ encrypt ptext with key2;
+ compare 2 ctexts; expect failure;
+ */
+ CSSM_KEY_PTR key1;
+ CSSM_KEY_PTR key2;
+ CSSM_DATA iv1;
+ CSSM_DATA iv2;
+ CSSM_DATA_PTR ivp1;
+ CSSM_DATA_PTR ivp2;
+ if(targs->useInitVector) {
+ if(targs->genInitVector) {
+ ivp1 = &iv1;
+ ivp2 = &iv2;
+ }
+ else {
+ staticIv.Length = targs->ivSize;
+ ivp1 = ivp2 = &staticIv;
+ }
+ }
+ else {
+ ivp1 = ivp2 = NULL;
+ }
+ /* these need to be init'd regardless */
+ iv1.Data = NULL;
+ iv1.Length = 0;
+ iv2.Data = NULL;
+ iv2.Length = 0;
+ key1 = cspDeriveKey(targs->cspHand,
+ targs->deriveAlg,
+ targs->keyAlg,
+ KEY_LABEL1,
+ KEY_LABEL_LEN,
+ CSSM_KEYUSE_ENCRYPT,
+ targs->keySizeInBits,
+ targs->useRefKey,
+ targs->password,
+ targs->salt,
+ targs->iterCount,
+ &iv1);
+ if(key1 == NULL) {
+ return testError(targs->quiet);
+ }
+ key2 = cspDeriveKey(targs->cspHand,
+ targs->deriveAlg,
+ targs->keyAlg,
+ KEY_LABEL2,
+ KEY_LABEL_LEN,
+ CSSM_KEYUSE_ENCRYPT,
+ targs->keySizeInBits,
+ targs->useRefKey,
+ targs->password,
+ targs->salt,
+ targs->iterCount + 1, // the changed param
+ &iv2);
+ if(key2 == NULL) {
+ return testError(targs->quiet);
+ }
+ if(testCommon(targs->cspHand,
+ "iterTest",
+ targs->encrAlg,
+ targs->encrMode,
+ targs->encrPad,
+ targs->effectiveKeySizeInBits,
+ targs->ptext,
+ key1,
+ ivp1,
+ key2,
+ ivp2,
+ targs->quiet)) {
+ return 1;
+ }
+ appFreeCssmData(&iv1, CSSM_FALSE);
+ appFreeCssmData(&iv2, CSSM_FALSE);
+ cspFreeKey(targs->cspHand, key1);
+ cspFreeKey(targs->cspHand, key2);
+ CSSM_FREE(key1);
+ CSSM_FREE(key2);
+ return 0;
+}
+
+/* ensure password alters key */
+static int passwordTest(testArgs *targs)
+{
+ /*
+ generate key1(password), key2(munged password);
+ encrypt ptext with key1;
+ encrypt ptext with key2;
+ compare 2 ctexts; expect failure;
+ */
+ CSSM_KEY_PTR key1;
+ CSSM_KEY_PTR key2;
+ CSSM_DATA iv1;
+ CSSM_DATA iv2;
+ CSSM_DATA_PTR ivp1;
+ CSSM_DATA_PTR ivp2;
+ uint32 mungeDex;
+ uint32 mungeBits;
+ if(targs->useInitVector) {
+ if(targs->genInitVector) {
+ ivp1 = &iv1;
+ ivp2 = &iv2;
+ }
+ else {
+ staticIv.Length = targs->ivSize;
+ ivp1 = ivp2 = &staticIv;
+ }
+ }
+ else {
+ ivp1 = ivp2 = NULL;
+ }
+ /* these need to be init'd regardless */
+ iv1.Data = NULL;
+ iv1.Length = 0;
+ iv2.Data = NULL;
+ iv2.Length = 0;
+ key1 = cspDeriveKey(targs->cspHand,
+ targs->deriveAlg,
+ targs->keyAlg,
+ KEY_LABEL1,
+ KEY_LABEL_LEN,
+ CSSM_KEYUSE_ENCRYPT,
+ targs->keySizeInBits,
+ targs->useRefKey,
+ targs->password,
+ targs->salt,
+ targs->iterCount,
+ &iv1);
+ if(key1 == NULL) {
+ return testError(targs->quiet);
+ }
+ /* munge password */
+ mungeDex = genRand(0, targs->password->Length - 1);
+ mungeBits = randBit();
+ targs->password->Data[mungeDex] ^= mungeBits;
+ key2 = cspDeriveKey(targs->cspHand,
+ targs->deriveAlg,
+ targs->keyAlg,
+ KEY_LABEL2,
+ KEY_LABEL_LEN,
+ CSSM_KEYUSE_ENCRYPT,
+ targs->keySizeInBits,
+ targs->useRefKey,
+ targs->password, // the changed param
+ targs->salt,
+ targs->iterCount,
+ &iv2);
+ if(key2 == NULL) {
+ return testError(targs->quiet);
+ }
+ if(testCommon(targs->cspHand,
+ "passwordTest",
+ targs->encrAlg,
+ targs->encrMode,
+ targs->encrPad,
+ targs->effectiveKeySizeInBits,
+ targs->ptext,
+ key1,
+ ivp1,
+ key2,
+ ivp2,
+ targs->quiet)) {
+ return 1;
+ }
+ /* restore */
+ targs->password->Data[mungeDex] ^= mungeBits;
+ appFreeCssmData(&iv1, CSSM_FALSE);
+ appFreeCssmData(&iv2, CSSM_FALSE);
+ cspFreeKey(targs->cspHand, key1);
+ cspFreeKey(targs->cspHand, key2);
+ CSSM_FREE(key1);
+ CSSM_FREE(key2);
+ return 0;
+}
+
+/* ensure salt alters key */
+static int saltTest(testArgs *targs)
+{
+ /*
+ generate key1(seed), key2(munged seed);
+ encrypt ptext with key1;
+ encrypt ptext with key2;
+ compare 2 ctexts; expect failure;
+ */
+ CSSM_KEY_PTR key1;
+ CSSM_KEY_PTR key2;
+ CSSM_DATA iv1;
+ CSSM_DATA iv2;
+ CSSM_DATA_PTR ivp1;
+ CSSM_DATA_PTR ivp2;
+ uint32 mungeDex;
+ uint32 mungeBits;
+ if(targs->useInitVector) {
+ if(targs->genInitVector) {
+ ivp1 = &iv1;
+ ivp2 = &iv2;
+ }
+ else {
+ staticIv.Length = targs->ivSize;
+ ivp1 = ivp2 = &staticIv;
+ }
+ }
+ else {
+ ivp1 = ivp2 = NULL;
+ }
+ /* these need to be init'd regardless */
+ iv1.Data = NULL;
+ iv1.Length = 0;
+ iv2.Data = NULL;
+ iv2.Length = 0;
+ key1 = cspDeriveKey(targs->cspHand,
+ targs->deriveAlg,
+ targs->keyAlg,
+ KEY_LABEL1,
+ KEY_LABEL_LEN,
+ CSSM_KEYUSE_ENCRYPT,
+ targs->keySizeInBits,
+ targs->useRefKey,
+ targs->password,
+ targs->salt,
+ targs->iterCount,
+ &iv1);
+ if(key1 == NULL) {
+ return testError(targs->quiet);
+ }
+ /* munge salt */
+ mungeDex = genRand(0, targs->salt->Length - 1);
+ mungeBits = randBit();
+ targs->salt->Data[mungeDex] ^= mungeBits;
+ key2 = cspDeriveKey(targs->cspHand,
+ targs->deriveAlg,
+ targs->keyAlg,
+ KEY_LABEL2,
+ KEY_LABEL_LEN,
+ CSSM_KEYUSE_ENCRYPT,
+ targs->keySizeInBits,
+ targs->useRefKey,
+ targs->password,
+ targs->salt, // the changed param
+ targs->iterCount,
+ &iv2);
+ if(key2 == NULL) {
+ return testError(targs->quiet);
+ }
+ if(testCommon(targs->cspHand,
+ "saltTest",
+ targs->encrAlg,
+ targs->encrMode,
+ targs->encrPad,
+ targs->effectiveKeySizeInBits,
+ targs->ptext,
+ key1,
+ ivp1,
+ key2,
+ ivp2,
+ targs->quiet)) {
+ return 1;
+ }
+ /* restore */
+ targs->salt->Data[mungeDex] ^= mungeBits;
+ appFreeCssmData(&iv1, CSSM_FALSE);
+ appFreeCssmData(&iv2, CSSM_FALSE);
+ cspFreeKey(targs->cspHand, key1);
+ cspFreeKey(targs->cspHand, key2);
+ CSSM_FREE(key1);
+ CSSM_FREE(key2);
+ return 0;
+}
+
+/* ensure initVector alters ctext. This isn't testing PBE per se, but
+ * it's a handy place to verify this function. */
+static int initVectTest(testArgs *targs)
+{
+ /*
+ generate key1;
+ encrypt ptext with key1 and initVector;
+ encrypt ptext with key1 and munged initVector;
+ compare 2 ctexts; expect failure;
+ */
+ CSSM_KEY_PTR key1;
+ CSSM_DATA iv1;
+ CSSM_DATA iv2;
+ uint32 mungeDex;
+ uint32 mungeBits;
+
+ if(targs->genInitVector) {
+ iv1.Data = NULL;
+ iv1.Length = 0;
+ }
+ else {
+ iv1 = staticIv;
+ }
+ key1 = cspDeriveKey(targs->cspHand,
+ targs->deriveAlg,
+ targs->keyAlg,
+ KEY_LABEL1,
+ KEY_LABEL_LEN,
+ CSSM_KEYUSE_ENCRYPT,
+ targs->keySizeInBits,
+ targs->useRefKey,
+ targs->password,
+ targs->salt,
+ targs->iterCount,
+ &iv1);
+ if(key1 == NULL) {
+ return testError(targs->quiet);
+ }
+
+ /* get munged copy of iv */
+ iv2.Data = (uint8 *)CSSM_MALLOC(iv1.Length);
+ iv2.Length = iv1.Length;
+ memmove(iv2.Data, iv1.Data, iv1.Length);
+ mungeDex = genRand(0, iv1.Length - 1);
+ mungeBits = randBit();
+ iv2.Data[mungeDex] ^= mungeBits;
+ if(testCommon(targs->cspHand,
+ "initVectTest",
+ targs->encrAlg,
+ targs->encrMode,
+ targs->encrPad,
+ targs->effectiveKeySizeInBits,
+ targs->ptext,
+ key1,
+ &iv1,
+ key1,
+ &iv2, // the changed param
+ targs->quiet)) {
+ return 1;
+ }
+ if(targs->genInitVector) {
+ appFreeCssmData(&iv1, CSSM_FALSE);
+ }
+ appFreeCssmData(&iv2, CSSM_FALSE);
+ cspFreeKey(targs->cspHand, key1);
+ CSSM_FREE(key1);
+ return 0;
+}
+
+#if 0
+/* only one algorithm supported */
+/* ensure deriveAlg alters key */
+static int deriveAlgTest(testArgs *targs)
+{
+ /*
+ generate key1(deriveAlg), key2(some other deriveAlg);
+ encrypt ptext with key1;
+ encrypt ptext with key2;
+ compare 2 ctexts; expect failure;
+ */
+ CSSM_KEY_PTR key1;
+ CSSM_KEY_PTR key2;
+ CSSM_DATA iv1;
+ CSSM_DATA iv2;
+ CSSM_DATA_PTR ivp1;
+ CSSM_DATA_PTR ivp2;
+ uint32 mungeAlg;
+
+ if(targs->useInitVector) {
+ if(targs->genInitVector) {
+ ivp1 = &iv1;
+ ivp2 = &iv2;
+ }
+ else {
+ staticIv.Length = targs->ivSize;
+ ivp1 = ivp2 = &staticIv;
+ }
+ }
+ else {
+ ivp1 = ivp2 = NULL;
+ }
+
+ /* these need to be init'd regardless */
+ iv1.Data = NULL;
+ iv1.Length = 0;
+ iv2.Data = NULL;
+ iv2.Length = 0;
+ key1 = cspDeriveKey(targs->cspHand,
+ targs->deriveAlg,
+ targs->keyAlg,
+ KEY_LABEL1,
+ KEY_LABEL_LEN,
+ CSSM_KEYUSE_ENCRYPT,
+ targs->keySizeInBits,
+ targs->useRefKey,
+ targs->password,
+ targs->salt,
+ targs->iterCount,
+ &iv1);
+ if(key1 == NULL) {
+ return testError(quiet);
+ }
+
+ /* munge deriveAlg */
+ switch(targs->deriveAlg) {
+ case CSSM_ALGID_MD5_PBE:
+ mungeAlg = CSSM_ALGID_MD2_PBE;
+ break;
+ case CSSM_ALGID_MD2_PBE:
+ mungeAlg = CSSM_ALGID_SHA1_PBE;
+ break;
+ case CSSM_ALGID_SHA1_PBE:
+ mungeAlg = CSSM_ALGID_SHA1_PBE_PKCS12;
+ break;
+ case CSSM_ALGID_SHA1_PBE_PKCS12:
+ mungeAlg = CSSM_ALGID_MD5_PBE;
+ break;
+ default:
+ printf("BRRRZZZT! Update deriveAlgTest()!\n");
+ return testError(quiet);
+ }
+ key2 = cspDeriveKey(targs->cspHand,
+ mungeAlg, // the changed param
+ targs->keyAlg,
+ KEY_LABEL2,
+ KEY_LABEL_LEN,
+ CSSM_KEYUSE_ENCRYPT,
+ targs->keySizeInBits,
+ targs->useRefKey,
+ targs->password, // the changed param
+ targs->salt,
+ targs->iterCount,
+ &iv2);
+ if(key2 == NULL) {
+ return testError(quiet);
+ }
+ if(testCommon(targs->cspHand,
+ "deriveAlgTest",
+ targs->encrAlg,
+ targs->encrMode,
+ targs->encrPad,
+ targs->effectiveKeySizeInBits,
+ targs->ptext,
+ key1,
+ ivp1,
+ key2,
+ ivp2,
+ targs->quiet)) {
+ return 1;
+ }
+ appFreeCssmData(&iv1, CSSM_FALSE);
+ appFreeCssmData(&iv2, CSSM_FALSE);
+ cspFreeKey(targs->cspHand, key1);
+ cspFreeKey(targs->cspHand, key2);
+ CSSM_FREE(key1);
+ CSSM_FREE(key2);
+ return 0;
+}
+#endif
+
+int main(int argc, char **argv)
+{
+ int arg;
+ char *argp;
+ unsigned loop;
+ CSSM_DATA ptext;
+ testArgs targs;
+ CSSM_DATA pwd;
+ CSSM_DATA salt;
+ privAlg pbeAlg;
+ privAlg encrAlg;
+ privAlg lastEncrAlg;
+ int rtn = 0;
+ CSSM_BOOL fooBool;
+ CSSM_BOOL refKeysOnly = CSSM_FALSE;
+ int i;
+
+ /*
+ * User-spec'd params
+ */
+ unsigned loops = LOOPS_DEF;
+ CSSM_BOOL quiet = CSSM_FALSE;
+ CSSM_BOOL doPause = CSSM_FALSE;
+ CSSM_BOOL doExport = CSSM_FALSE;
+ CSSM_BOOL repeatOnly = CSSM_FALSE;
+ CSSM_BOOL bareCsp = CSSM_TRUE;
+ CSSM_BOOL zeroLenPassword = CSSM_FALSE;
+
+ #if macintosh
+ argc = ccommand(&argv);
+ #endif
+ for(arg=1; arg<argc; arg++) {
+ argp = argv[arg];
+ switch(argp[0]) {
+ case 'l':
+ loops = atoi(&argp[2]);
+ break;
+ case 'q':
+ quiet = CSSM_TRUE;
+ break;
+ case 'D':
+ bareCsp = CSSM_FALSE;
+ #if CSPDL_ALL_KEYS_ARE_REF
+ refKeysOnly = CSSM_TRUE;
+ #endif
+ break;
+ case 'p':
+ doPause = CSSM_TRUE;
+ break;
+ case 'e':
+ doExport = CSSM_TRUE;
+ break;
+ case 'r':
+ repeatOnly = CSSM_TRUE;
+ break;
+ case 'z':
+ zeroLenPassword = CSSM_TRUE;
+ break;
+ case 'h':
+ default:
+ usage(argv);
+ }
+ }
+
+ /* statically allocate ptext, password and seed; data and length
+ * change in test loop */
+ pwd.Data = (uint8 *)CSSM_MALLOC(MAX_PASSWORD_SIZE);
+ ptext.Data = (uint8 *)CSSM_MALLOC(MAX_PTEXT_SIZE);
+ salt.Data = (uint8 *)CSSM_MALLOC(MAX_SALT_SIZE);
+ printf("Starting pbeTest; args: ");
+ for(i=1; i<argc; i++) {
+ printf("%s ", argv[i]);
+ }
+ printf("\n");
+ targs.cspHand = cspDlDbStartup(bareCsp, NULL);
+ if(targs.cspHand == 0) {
+ exit(1);
+ }
+ targs.ptext = &ptext;
+ targs.password = &pwd;
+ targs.salt = &salt;
+ targs.quiet = quiet;
+ if(doExport) {
+ lastEncrAlg = ENCR_ALG_LAST_EXPORT;
+ }
+ else {
+ lastEncrAlg = ENCR_ALG_LAST;
+ }
+ for(loop=1; ; loop++) {
+ if(!quiet) {
+ printf("...loop %d\n", loop);
+ }
+ /* change once per outer loop */
+ simpleGenData(&ptext, MIN_PTEXT_SIZE, MAX_PTEXT_SIZE);
+ if(zeroLenPassword) {
+ pwd.Length = 0; // fixed
+ }
+ else {
+ simpleGenData(&pwd, APPLE_PBE_MIN_PASSWORD, MAX_PASSWORD_SIZE);
+ }
+ simpleGenData(&salt, APPLE_PBE_MIN_SALT, MAX_SALT_SIZE);
+ targs.iterCount = genRand(MIN_ITER_COUNT, MAX_ITER_COUNT);
+ if(refKeysOnly) {
+ targs.useRefKey = CSSM_TRUE;
+ }
+ else {
+ targs.useRefKey = (loop & 1) ? CSSM_FALSE : CSSM_TRUE;
+ }
+
+ for(encrAlg=ENCR_ALG_FIRST; encrAlg<=lastEncrAlg; encrAlg++) {
+ /* Cook up encryption-related args */
+ algInfo(encrAlg,
+ &targs.keyAlg,
+ &targs.encrAlg,
+ &targs.encrMode,
+ &targs.encrPad,
+ &targs.useInitVector,
+ &targs.ivSize,
+ &fooBool, // genInitVector
+ &targs.keyAlgStr);
+ /* random key size */
+ targs.effectiveKeySizeInBits = randKeySizeBits(targs.keyAlg, OT_Encrypt);
+ targs.keySizeInBits = (targs.effectiveKeySizeInBits + 7) & ~7;
+ if(targs.keySizeInBits == targs.effectiveKeySizeInBits) {
+ /* same size, ignore effective */
+ targs.effectiveKeySizeInBits = 0;
+ }
+ if(!quiet) {
+ printf(" ...Encrypt alg %s keySizeInBits %u effectKeySize %u\n",
+ targs.keyAlgStr, (unsigned)targs.keySizeInBits,
+ (unsigned)targs.effectiveKeySizeInBits);
+ }
+ for(pbeAlg=PBE_ALG_FIRST; pbeAlg<=PBE_ALG_LAST; pbeAlg++) {
+ /* Cook up pbe-related args */
+ uint32 foo;
+ algInfo(pbeAlg,
+ &targs.deriveAlg,
+ &foo, // encrAlg
+ &foo, // mode
+ &foo,
+ &fooBool, // useInitVector
+ &foo, // ivSize
+ &targs.genInitVector,
+ &targs.deriveAlgStr);
+ if(!quiet) {
+ printf(" ...PBE alg %s\n", targs.deriveAlgStr);
+ }
+ /* grind thru the tests */
+ if(repeatTest(&targs)) {
+ rtn = 1;
+ goto testDone;
+ }
+ if(repeatOnly) {
+ continue;
+ }
+ if(iterTest(&targs)) {
+ rtn = 1;
+ goto testDone;
+ }
+ #if 0
+ // not supported yet
+ if(deriveAlgTest(&targs)) {
+ rtn = 1;
+ goto testDone;
+ }
+ #endif
+ if(!zeroLenPassword) {
+ /* won't work with zero length password */
+ if(passwordTest(&targs)) {
+ rtn = 1;
+ goto testDone;
+ }
+ }
+ if(saltTest(&targs)) {
+ rtn = 1;
+ goto testDone;
+ }
+ if(targs.useInitVector) {
+ if(initVectTest(&targs)) {
+ rtn = 1;
+ goto testDone;
+ }
+ }
+ } /* for pbeAlg */
+ } /* for encrAlg */
+ if(doPause) {
+ if(testError(quiet)) {
+ break;
+ }
+ }
+ if(loops && (loop == loops)) {
+ break;
+ }
+ } /* for loop */
+
+testDone:
+ CSSM_ModuleDetach(targs.cspHand);
+ if(!quiet && (rtn == 0)) {
+ printf("%s test complete\n", argv[0]);
+ }
+ return rtn;
+}
projects / apple / security.git / blobdiff