/* * Copyright (C) 2014 - Julien Voisin * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License, version 2 only, as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * more details. * * You should have received a copy of the GNU General Public License along with * this program; if not, write to the Free Software Foundation, Inc., 51 * Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include #include #include #include #include #include GCRY_THREAD_OPTION_PTHREAD_IMPL; #define NUM_TESTS 38 /* * The re-implementation/inclusion of crypto stuff is necessary because libotr * doesn't expose them. */ static const char* DH1536_MODULUS_S = "0x" "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" "83655D23DCA3AD961C62F356208552BB9ED529077096966D" "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"; static const char *DH1536_GENERATOR_S = "0x02"; static const int DH1536_MOD_LEN_BITS = 1536; static gcry_mpi_t DH1536_MODULUS = NULL; static gcry_mpi_t DH1536_MODULUS_MINUS_2 = NULL; static gcry_mpi_t DH1536_GENERATOR = NULL; static void test_otrl_dh_keypair_init(void) { DH_keypair kp; otrl_dh_keypair_init(&kp); ok(kp.groupid == 0 && kp.priv == NULL && kp.pub == NULL, "Keypair initialized"); } static void test_otrl_dh_keypair_copy(void) { DH_keypair k1, k2; unsigned char *buf; k1.groupid = rand(); buf = gcry_random_bytes(32, GCRY_WEAK_RANDOM); gcry_mpi_scan(&(k1.priv), GCRYMPI_FMT_USG, buf, 32, NULL); gcry_free(buf); buf = gcry_random_bytes(32, GCRY_WEAK_RANDOM); gcry_mpi_scan(&(k1.pub), GCRYMPI_FMT_USG, buf, 32, NULL); gcry_free(buf); otrl_dh_keypair_copy(&k2, &k1); ok(k1.groupid == k2.groupid && gcry_mpi_cmp(k1.priv, k2.priv) == 0 && gcry_mpi_cmp(k1.pub, k2.pub) == 0, "Keypair copied"); gcry_mpi_release(k1.priv); gcry_mpi_release(k1.pub); gcry_mpi_release(k2.priv); gcry_mpi_release(k2.pub); } static void test_otrl_dh_session_free() { DH_sesskeys sess; DH_keypair kp1, kp2; otrl_dh_gen_keypair(DH1536_GROUP_ID, &(kp1)); otrl_dh_gen_keypair(DH1536_GROUP_ID, &(kp2)); otrl_dh_session(&sess, &kp1, kp2.pub); otrl_dh_session_free(&sess); ok(sess.sendenc == NULL && sess.sendmac == NULL && sess.rcvenc == NULL && sess.rcvmac == NULL && utils_is_zeroed(sess.sendctr, 16) && utils_is_zeroed(sess.rcvctr, 16) && utils_is_zeroed(sess.sendmackey, 16) && utils_is_zeroed(sess.rcvmackey, 16) && sess.sendmacused == 0 && sess.rcvmacused == 0 && utils_is_zeroed(sess.extrakey, OTRL_EXTRAKEY_BYTES), "Session freed"); } static void test_otrl_dh_session_blank() { DH_sesskeys sess; DH_keypair kp1, kp2; otrl_dh_gen_keypair(DH1536_GROUP_ID, &(kp1)); otrl_dh_gen_keypair(DH1536_GROUP_ID, &(kp2)); otrl_dh_session(&sess, &kp1, kp2.pub); otrl_dh_session_blank(&sess); ok(sess.sendenc == NULL && sess.sendmac == NULL && sess.rcvenc == NULL && sess.rcvmac == NULL && utils_is_zeroed(sess.sendctr, 16) && utils_is_zeroed(sess.rcvctr, 16) && utils_is_zeroed(sess.sendmackey, 16) && utils_is_zeroed(sess.rcvmackey, 16) && sess.sendmacused == 0 && sess.rcvmacused == 0 && utils_is_zeroed(sess.extrakey, OTRL_EXTRAKEY_BYTES), "Session blanked"); } static void test_otrl_dh_gen_keypair(void) { DH_keypair kp; gcry_mpi_t pubkey = NULL; otrl_dh_keypair_init(&kp); ok(otrl_dh_gen_keypair(DH1536_GROUP_ID+1, &kp) == gcry_error(GPG_ERR_INV_VALUE), "Invalid group detected"); ok(otrl_dh_gen_keypair(DH1536_GROUP_ID, &kp) == gcry_error(GPG_ERR_NO_ERROR), "Valid group set"); ok(kp.groupid == DH1536_GROUP_ID, "Group set"); pubkey = gcry_mpi_new(DH1536_MOD_LEN_BITS); gcry_mpi_powm(pubkey, DH1536_GENERATOR, kp.priv, DH1536_MODULUS); ok(gcry_mpi_cmp(pubkey, kp.pub) == 0, "Matching pubkey"); otrl_dh_keypair_free(&kp); } static void test_otrl_dh_keypair_free(void) { DH_keypair kp; otrl_dh_gen_keypair(DH1536_GROUP_ID, &kp); otrl_dh_keypair_free(&kp); ok(kp.pub == NULL && kp.priv == NULL && kp.groupid == DH1536_GROUP_ID, "DH_keypair free'd with success"); } static void invert_DH_keypair(DH_keypair* kp1, DH_keypair* kp2) { DH_keypair tmp; otrl_dh_keypair_copy(&tmp, kp1); otrl_dh_keypair_copy(kp1, kp2); otrl_dh_keypair_copy(kp2, &tmp); otrl_dh_keypair_free(&tmp); } /* * This is an helper function. See the next one. */ static void _test_ortl_dh_session(const DH_keypair *kp, gcry_mpi_t y) { unsigned char *gabdata; unsigned char *hashdata; unsigned char encrypt[32] = {0}; unsigned char expected_encrypt[32] = {0}; unsigned char sendbyte, rcvbyte; const char test_vector[] = "This is a test vector"; DH_sesskeys sess; DH_sesskeys sess_expected; gcry_mpi_t gab; size_t gablen; otrl_dh_session_blank(&sess); otrl_dh_session(&sess, kp, y); gab = gcry_mpi_snew(DH1536_MOD_LEN_BITS); gcry_mpi_powm(gab, y, kp->priv, DH1536_MODULUS); gcry_mpi_print(GCRYMPI_FMT_USG, NULL, 0, &gablen, gab); gabdata = gcry_malloc_secure(gablen + 5); gabdata[1] = (gablen >> 24) & 0xff; gabdata[2] = (gablen >> 16) & 0xff; gabdata[3] = (gablen >> 8) & 0xff; gabdata[4] = gablen & 0xff; gcry_mpi_print(GCRYMPI_FMT_USG, gabdata + 5, gablen, NULL, gab); gcry_mpi_release(gab); hashdata = gcry_malloc_secure(20); if (gcry_mpi_cmp(kp->pub, y) > 0 ) { sendbyte = 0x01; rcvbyte = 0x02; } else { sendbyte = 0x02; rcvbyte = 0x01; } gabdata[0] = sendbyte; gcry_md_hash_buffer(GCRY_MD_SHA1, hashdata, gabdata, gablen + 5); gcry_cipher_open(&(sess_expected.sendenc), GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE); gcry_cipher_setkey(sess_expected.sendenc, hashdata, 16); gcry_cipher_encrypt(sess_expected.sendenc, expected_encrypt, sizeof(expected_encrypt), test_vector, strlen(test_vector)); gcry_cipher_encrypt(sess.sendenc, encrypt, sizeof(encrypt), test_vector, strlen(test_vector)); ok(memcmp(encrypt, expected_encrypt, sizeof(encrypt)) == 0, "sendenc ok"); gcry_md_hash_buffer(GCRY_MD_SHA1, sess_expected.sendmackey, hashdata, 16); gcry_md_open(&(sess_expected.sendmac), GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); gcry_md_setkey(sess_expected.sendmac, sess_expected.sendmackey, 20); gcry_md_write(sess_expected.sendmac, test_vector, sizeof(test_vector)); gcry_md_write(sess.sendmac, test_vector, sizeof(test_vector)); ok(memcmp(gcry_md_read(sess_expected.sendmac, 0), gcry_md_read(sess.sendmac, 0), 32) == 0, "Sendmac ok"); gabdata[0] = rcvbyte; gcry_md_hash_buffer(GCRY_MD_SHA1, hashdata, gabdata, gablen + 5); gcry_cipher_open(&(sess_expected.rcvenc), GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE); gcry_cipher_setkey(sess_expected.rcvenc, hashdata, 16); gcry_cipher_encrypt(sess_expected.rcvenc, expected_encrypt, sizeof(expected_encrypt), test_vector, strlen(test_vector)); gcry_cipher_encrypt(sess.rcvenc, encrypt, sizeof(encrypt), test_vector, strlen(test_vector)); ok(memcmp(encrypt, expected_encrypt, sizeof(encrypt)) == 0, "Sendenc ok"); gcry_md_hash_buffer(GCRY_MD_SHA1, sess_expected.rcvmackey, hashdata, 16); gcry_md_open(&(sess_expected.rcvmac), GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); gcry_md_setkey(sess_expected.rcvmac, sess_expected.rcvmackey, 20); gcry_md_write(sess_expected.rcvmac, test_vector, sizeof(test_vector)); gcry_md_write(sess.rcvmac, test_vector, sizeof(test_vector)); ok(memcmp(gcry_md_read(sess_expected.sendmac, 0), gcry_md_read(sess.sendmac, 0), 32) == 0, "rcvmac ok"); gabdata[0] = 0xff; gcry_md_hash_buffer(GCRY_MD_SHA256, sess_expected.extrakey, gabdata, gablen + 5); ok(memcmp(sess_expected.extrakey, sess.extrakey, 32) == 0, "extrakey set"); gcry_free(gabdata); gcry_free(hashdata); } /* * This function is a little bit tricky, since it uses an array of 3 * DH_keypair. The first one has a smaller pubkey than the second, which has a * smaller pubkey than the third one. * * The second key is used as "main" key. The two other ones are used to test * the otrl_dh_session, with a biggest and a smallest key than the "main" one. */ static void test_otrl_dh_session(void) { int i; DH_keypair kp[3]; /* kp[0] < kp[1] < kp[2] */ DH_sesskeys sess; for (i = 0; i < 3; i++) { otrl_dh_gen_keypair(DH1536_GROUP_ID, &(kp[i])); } /* Sort the array. */ for (i = 0; i < 2; i++) { if (gcry_mpi_cmp(kp[i].pub, kp[i + 1].pub) > 0) { invert_DH_keypair(kp + i, kp + i + 1); } } if (gcry_mpi_cmp(kp[0].pub, kp[1].pub) > 0) { invert_DH_keypair(kp, kp + 1); } kp[1].groupid++; ok(otrl_dh_session(&sess, &(kp[1]), kp[0].pub) == gcry_error(GPG_ERR_INV_VALUE), "Invalid group detected"); kp[1].groupid--; _test_ortl_dh_session(&(kp[1]), kp[0].pub); _test_ortl_dh_session(&(kp[1]), kp[2].pub); } static void test_otrl_dh_compute_v2_auth_keys(void) { const char test_vector[] = "This is a test vector"; size_t slen = 0; size_t sessionidlenp = 0; unsigned char *sdata = NULL; unsigned char *hashdata = NULL; gcry_mpi_t s = NULL; unsigned char ctr[16] = {0}; DH_keypair our_dh, their_dh; gcry_mpi_t public_key = NULL; unsigned char sessionid[8]; gcry_md_hd_t mac_m1 = NULL, mac_m1p = NULL, mac_m2 = NULL, mac_m2p = NULL; gcry_cipher_hd_t enc_c = NULL, enc_cp = NULL; unsigned char encrypt[32] = {0}; unsigned char sessionid_expected[8]; gcry_md_hd_t mac_m1_expected = NULL, mac_m1p_expected = NULL; gcry_md_hd_t mac_m2_expected = NULL, mac_m2p_expected = NULL; gcry_cipher_hd_t enc_c_expected = NULL, enc_cp_expected = NULL; unsigned char expected_encrypt[32] = {0}; otrl_dh_gen_keypair(DH1536_GROUP_ID, &our_dh); otrl_dh_gen_keypair(DH1536_GROUP_ID, &their_dh); our_dh.groupid++; ok(otrl_dh_compute_v2_auth_keys(&our_dh, their_dh.pub, sessionid, &sessionidlenp, &enc_c, &enc_cp, &mac_m1, &mac_m1p, &mac_m2, &mac_m2p) == gcry_error(GPG_ERR_INV_VALUE), "Invalid group detected"); our_dh.groupid--; gcry_mpi_scan(&public_key, GCRYMPI_FMT_USG, "1", 0, NULL); ok(otrl_dh_compute_v2_auth_keys(&our_dh, public_key, sessionid, &sessionidlenp, &enc_c, &enc_cp, &mac_m1, &mac_m1p, &mac_m2, &mac_m2p) == gcry_error(GPG_ERR_INV_VALUE), "Public key too small"); gcry_mpi_scan(&public_key, GCRYMPI_FMT_HEX, (const unsigned char *) DH1536_MODULUS_S, 0, NULL); gcry_mpi_add_ui(public_key, DH1536_MODULUS, 1); ok(otrl_dh_compute_v2_auth_keys(&our_dh, DH1536_MODULUS, sessionid, &sessionidlenp, &enc_c, &enc_cp, &mac_m1, &mac_m1p, &mac_m2, &mac_m2p) == gcry_error(GPG_ERR_INV_VALUE), "Public key too big"); ok(otrl_dh_compute_v2_auth_keys(&our_dh, their_dh.pub, sessionid, &sessionidlenp, &enc_c, &enc_cp, &mac_m1, &mac_m1p, &mac_m2, &mac_m2p) == gcry_error(GPG_ERR_NO_ERROR), "Auth keys generated"); ok(sessionidlenp == 8, "Session id len p set to correct value"); s = gcry_mpi_snew(DH1536_MOD_LEN_BITS); gcry_mpi_powm(s, their_dh.pub, our_dh.priv, DH1536_MODULUS); gcry_mpi_print(GCRYMPI_FMT_USG, NULL, 0, &slen, s); sdata = gcry_malloc_secure(slen + 5); sdata[1] = (slen >> 24) & 0xff; sdata[2] = (slen >> 16) & 0xff; sdata[3] = (slen >> 8) & 0xff; sdata[4] = slen & 0xff; gcry_mpi_print(GCRYMPI_FMT_USG, sdata+5, slen, NULL, s); gcry_mpi_release(s); hashdata = gcry_malloc_secure(32); sdata[0] = 0x00; gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); memmove(sessionid_expected, hashdata, 8); ok(memcmp(sessionid_expected, sessionid, 8) == 0, "Session id is correct"); sdata[0] = 0x01; gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); gcry_cipher_open(&enc_c_expected, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE); gcry_cipher_setkey(enc_c_expected, hashdata, 16); gcry_cipher_setctr(enc_c_expected, ctr, 16); gcry_cipher_encrypt(enc_c_expected, expected_encrypt, sizeof(expected_encrypt), test_vector, strlen(test_vector)); gcry_cipher_encrypt(enc_c, encrypt, sizeof(encrypt), test_vector, strlen(test_vector)); ok(memcmp(encrypt, expected_encrypt, sizeof(encrypt)) == 0, "Enc ok"); gcry_cipher_open(&(enc_cp_expected), GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE); gcry_cipher_setkey(enc_cp_expected, hashdata+16, 16); gcry_cipher_setctr(enc_cp_expected, ctr, 16); gcry_cipher_encrypt(enc_cp_expected, expected_encrypt, sizeof(expected_encrypt), test_vector, strlen(test_vector)); gcry_cipher_encrypt(enc_cp, encrypt, sizeof(encrypt), test_vector, strlen(test_vector)); ok(memcmp(encrypt, expected_encrypt, sizeof(encrypt)) == 0, "Encp ok"); sdata[0] = 0x02; gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); gcry_md_open(&mac_m1_expected, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC); gcry_md_setkey(mac_m1_expected, hashdata, 32); gcry_md_write(mac_m1_expected, test_vector, sizeof(test_vector)); gcry_md_write(mac_m1, test_vector, sizeof(test_vector)); ok(memcmp(gcry_md_read(mac_m1_expected, 0), gcry_md_read(mac_m1, 0), 32) == 0, "mac_m1 set"); sdata[0] = 0x03; gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); gcry_md_open(&mac_m2_expected, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC); gcry_md_setkey(mac_m2_expected, hashdata, 32); gcry_md_write(mac_m2_expected, test_vector, sizeof(test_vector)); gcry_md_write(mac_m2, test_vector, sizeof(test_vector)); ok(memcmp(gcry_md_read(mac_m2_expected, 0), gcry_md_read(mac_m2, 0), 32) == 0, "mac_m2 set"); sdata[0] = 0x04; gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); gcry_md_open(&mac_m1p_expected, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC); gcry_md_setkey(mac_m1p_expected, hashdata, 32); gcry_md_write(mac_m1p_expected, test_vector, sizeof(test_vector)); gcry_md_write(mac_m1p, test_vector, sizeof(test_vector)); ok(memcmp(gcry_md_read(mac_m1p_expected, 0), gcry_md_read(mac_m1p, 0), 32) == 0, "mac_m1p set"); sdata[0] = 0x05; gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); gcry_md_open(&mac_m2p_expected, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC); gcry_md_setkey(mac_m2p_expected, hashdata, 32); gcry_md_write(mac_m2p_expected, test_vector, sizeof(test_vector)); gcry_md_write(mac_m2p, test_vector, sizeof(test_vector)); ok(memcmp(gcry_md_read(mac_m2p_expected, 0), gcry_md_read(mac_m2p, 0), 32) == 0, "mac_m2p set"); gcry_free(sdata); gcry_free(hashdata); } static void test_otrl_dh_incctr() { unsigned char ctr[8] = {0}; otrl_dh_incctr(ctr); ok(ctr[7] == 1 && utils_is_zeroed(ctr, 7), "Counter set"); ctr[7] = 255; otrl_dh_incctr(ctr); ok(ctr[7] == 0 && ctr[6] == 1 && utils_is_zeroed(ctr, 5), "Counter set"); memset(ctr, 255, sizeof(ctr)); otrl_dh_incctr(ctr); ok(utils_is_zeroed(ctr, sizeof(ctr)), "Counter set"); } static void test_otrl_dh_cmpctr() { unsigned char ctr1[8] = {0}, ctr2[8] = {0}; ok(otrl_dh_cmpctr(ctr1, ctr2) == 0, "Null counters are equals"); ctr1[1]++; ok(otrl_dh_cmpctr(ctr1, ctr2) > 0, "Ctr1 is bigger than ctr2"); ctr2[0]++; ok(otrl_dh_cmpctr(ctr1, ctr2) < 0, "Ctr2 is bigger than ctr1"); } int main(int argc, char **argv) { plan_tests(NUM_TESTS); gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); OTRL_INIT; otrl_dh_init(); gcry_mpi_scan(&DH1536_MODULUS, GCRYMPI_FMT_HEX, (const unsigned char *)DH1536_MODULUS_S, 0, NULL); gcry_mpi_scan(&DH1536_GENERATOR, GCRYMPI_FMT_HEX, (const unsigned char *)DH1536_GENERATOR_S, 0, NULL); DH1536_MODULUS_MINUS_2 = gcry_mpi_new(DH1536_MOD_LEN_BITS); gcry_mpi_sub_ui(DH1536_MODULUS_MINUS_2, DH1536_MODULUS, 2); test_otrl_dh_gen_keypair(); test_otrl_dh_keypair_free(); test_otrl_dh_keypair_init(); test_otrl_dh_compute_v2_auth_keys(); test_otrl_dh_session(); test_otrl_dh_keypair_copy(); test_otrl_dh_session_blank(); test_otrl_dh_session_free(); test_otrl_dh_incctr(); test_otrl_dh_cmpctr(); return 0; }