/* * ks_volatile.c * ------------- * Keystore implementation in normal volatile internal memory. * * NB: This is only suitable for cases where you do not want the keystore * to survive library exit, eg, for storing PKCS #11 session keys. * * Authors: Rob Austein * Copyright (c) 2015, NORDUnet A/S All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are * met: * - Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * - Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * - Neither the name of the NORDUnet nor the names of its contributors may * be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include #include "hal.h" #include "hal_internal.h" /* * Splitting the different keystore backends out into separate files * seemed like a good idea at the time, but the code is getting * somewhat repetitive. Might want to re-merge and conditionalize in * some other way. Deferred until we sort out ks_flash.c. */ /* * Use a one-element array here so that references can be pointer-based * as in the other implementations, to ease re-merge at some later date. */ static hal_ks_keydb_t db[1]; /* * There's no good place to store the master key (KEK) in this volatile memory implementation. * We might be able to add a bit of protection doing things like using locked physical memory, * as gpg does, or obfuscating the KEK a bit to make it harder to pull out of a crash dump, * but, really, there's not a lot we can do against a determined opponant in this case. * * For now, we just go through the motions. */ static uint8_t kekbuf[bitsToBytes(256)]; const hal_ks_keydb_t *hal_ks_get_keydb(void) { return db; } hal_error_t hal_ks_set_keydb(const hal_ks_key_t * const key, const int loc, const int updating) { if (key == NULL || loc < 0 || loc >= sizeof(db->keys)/sizeof(*db->keys) || (!key->in_use != !updating)) return HAL_ERROR_BAD_ARGUMENTS; db->keys[loc] = *key; db->keys[loc].in_use = 1; return HAL_OK; } hal_error_t hal_ks_del_keydb(const int loc) { if (loc < 0 || loc >= sizeof(db->keys)/sizeof(*db->keys)) return HAL_ERROR_BAD_ARGUMENTS; memset(&db->keys[loc], 0, sizeof(db->keys[loc])); return HAL_OK; } hal_error_t hal_ks_set_pin(const hal_user_t user, const hal_ks_pin_t * const pin) { if (pin == NULL) return HAL_ERROR_BAD_ARGUMENTS; hal_ks_pin_t *p = NULL; switch (user) { case HAL_USER_WHEEL: p = &db->wheel_pin; break; case HAL_USER_SO: p = &db->so_pin; break; case HAL_USER_NORMAL: p = &db->user_pin; break; default: return HAL_ERROR_BAD_ARGUMENTS; } *p = *pin; return HAL_OK; } hal_error_t hal_ks_get_kek(uint8_t *kek, size_t *kek_len, const size_t kek_max) { if (kek == NULL || kek_len == NULL || kek_max < bitsToBytes(128)) return HAL_ERROR_BAD_ARGUMENTS; hal_error_t err; const size_t len = ((kek_max < bitsToBytes(192)) ? bitsToBytes(128) : (kek_max < bitsToBytes(256)) ? bitsToBytes(192) : bitsToBytes(256)); uint8_t t = 0; for (int i = 0; i < sizeof(kekbuf); i++) t |= kekbuf[i]; if (t == 0 && (err = hal_rpc_get_random(kekbuf, sizeof(kekbuf))) != HAL_OK) return err; memcpy(kek, kekbuf, len); *kek_len = len; return HAL_OK; } /* * Local variables: * indent-tabs-mode: nil * End: */ '>39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402
/*
 * test-ecdsa.c
 * ------------
 * Test harness for Cryptech ECDSA code.
 *
 * At the moment, the ECDSA code is a pure software implementation,
 * Verilog will be along eventually.
 *
 * Testing ECDSA is a bit tricky because ECDSA depends heavily on
 * using a new random secret for each signature.  So we can test some
 * things against the normal ECDSA implemenation, but some tests
 * require a side door replacement of the random number generator so
 * that we can use a known values from our test vector in place of the
 * random secret that would be used in real operation.  Test code for
 * the latter mode depends on the library having been compiled with
 * the testing hook enable, which it should not be for production use.
 *
 * Authors: Rob Austein
 * Copyright (c) 2015, NORDUnet A/S
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 *
 * - Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in the
 *   documentation and/or other materials provided with the distribution.
 *
 * - Neither the name of the NORDUnet nor the names of its contributors may
 *   be used to endorse or promote products derived from this software
 *   without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

#include <sys/time.h>

#include <hal.h>

#include "test-ecdsa.h"

#if HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM

/*
 * Code to let us replace ECDSA's random numbers with test data, if
 * the ECDSA library code has been compiled with support for this.
 */

typedef hal_error_t (*rng_override_test_function_t)(void *, const size_t);

extern rng_override_test_function_t hal_ecdsa_set_rng_override_test_function(rng_override_test_function_t new_func);

static const uint8_t               *next_random_value = NULL;
static size_t                       next_random_length = 0;

static hal_error_t next_random_handler(void *data, const size_t length)
{
  if (data == NULL)
    return HAL_ERROR_BAD_ARGUMENTS;

  if (next_random_value == NULL || length < next_random_length)
    return HAL_ERROR_IMPOSSIBLE;

  memset(data, 0, length);
  memcpy(data + length - next_random_length, next_random_value, next_random_length);

  next_random_value  = NULL;
  next_random_length = 0;

  (void) hal_ecdsa_set_rng_override_test_function(0);

  return HAL_OK;
}

static void set_next_random(const uint8_t * const data, const size_t length)
{
  (void) hal_ecdsa_set_rng_override_test_function(next_random_handler);
  next_random_value  = data;
  next_random_length = length;
}

/*
 * Run one keygen test from test vectors.
 */

static int test_against_static_vectors(const ecdsa_tc_t * const tc)

{
  char fn[sizeof("test-ecdsa-private-key-xxxxxx.der")];
  hal_error_t err;
  FILE *f;

  printf("Starting static test vector tests for P-%lu\n", (unsigned long) (tc->d_len * 8));

  set_next_random(tc->d, tc->d_len);

  uint8_t keybuf1[hal_ecdsa_key_t_size];
  hal_ecdsa_key_t *key1 = NULL;

  if ((err = hal_ecdsa_key_gen(NULL, &key1, keybuf1, sizeof(keybuf1), tc->curve)) != HAL_OK)
    return printf("hal_ecdsa_key_gen() failed: %s\n", hal_error_string(err)), 0;

  uint8_t Qx[tc->Qx_len], Qy[tc->Qy_len];
  size_t Qx_len, Qy_len;

  if ((err = hal_ecdsa_key_get_public(key1, Qx, &Qx_len, sizeof(Qx), Qy, &Qy_len, sizeof(Qy))) != HAL_OK)
    return printf("hal_ecdsa_key_get_public() failed: %s\n", hal_error_string(err)), 0;

  if (tc->Qx_len != Qx_len || memcmp(tc->Qx, Qx, Qx_len) != 0)
    return printf("Qx mismatch\n"), 0;

  if (tc->Qy_len != Qy_len || memcmp(tc->Qy, Qy, Qy_len) != 0)
    return printf("Qy mismatch\n"), 0;

  if (hal_ecdsa_private_key_to_der_len(key1) != tc->key_len)
    return printf("DER Key length mismatch\n"), 0;

  uint8_t der[tc->key_len];
  size_t der_len;

  err = hal_ecdsa_private_key_to_der(key1, der, &der_len, sizeof(der));

  snprintf(fn, sizeof(fn), "test-ecdsa-private-key-p%u.der", (unsigned) tc->d_len * 8);

  if ((f = fopen(fn, "wb")) == NULL)
    return printf("Couldn't open %s: %s\n", fn, strerror(errno)), 0;

  if (fwrite(der, der_len, 1, f) != 1)
    return printf("Length mismatch writing %s\n", fn), 0;

  if (fclose(f) == EOF)
    return printf("Couldn't close %s: %s\n", fn, strerror(errno)), 0;

  /* Deferred error from hal_ecdsa_private_key_to_der() */
  if (err != HAL_OK)
    return printf("hal_ecdsa_private_key_to_der() failed: %s\n", hal_error_string(err)), 0;

  uint8_t keybuf2[hal_ecdsa_key_t_size];
  hal_ecdsa_key_t *key2 = NULL;

  if ((err = hal_ecdsa_private_key_from_der(&key2, keybuf2, sizeof(keybuf2), der, der_len)) != HAL_OK)
    return printf("hal_ecdsa_private_key_from_der() failed: %s\n", hal_error_string(err)), 0;

  if (memcmp(key1, key2, hal_ecdsa_key_t_size) != 0)
    return printf("Private key mismatch after read/write cycle\n"), 0;

  set_next_random(tc->k, tc->k_len);

  uint8_t sig[tc->sig_len + 4];
  size_t  sig_len;

  if ((err = hal_ecdsa_sign(NULL, key1, tc->H, tc->H_len, sig, &sig_len, sizeof(sig))) != HAL_OK)
    return printf("hal_ecdsa_sign() failed: %s\n", hal_error_string(err)), 0;

  if (sig_len != tc->sig_len || memcmp(sig, tc->sig, tc->sig_len) != 0)
    return printf("Signature mismatch\n"), 0;

  if ((err = hal_ecdsa_verify(NULL, key2, tc->H, tc->H_len, sig, sig_len)) != HAL_OK)
    return printf("hal_ecdsa_verify(private) failed: %s\n", hal_error_string(err)), 0;

  hal_ecdsa_key_clear(key2);
  key2 = NULL;

  if ((err = hal_ecdsa_key_load_private(&key2, keybuf2, sizeof(keybuf2), tc->curve,
                                        tc->Qx, tc->Qx_len, tc->Qy, tc->Qy_len, tc->d, tc->d_len)) != HAL_OK)
    return printf("hal_ecdsa_load_private() failed: %s\n", hal_error_string(err)), 0;

  if (memcmp(key1, key2, hal_ecdsa_key_t_size) != 0)
    return printf("Key mismatch after hal_ecdsa_load_private_key()\n"), 0;

  hal_ecdsa_key_clear(key2);
  key2 = NULL;

  if ((err = hal_ecdsa_key_load_public(&key2, keybuf2, sizeof(keybuf2), tc->curve,
                                       tc->Qx, tc->Qx_len, tc->Qy, tc->Qy_len)) != HAL_OK)
    return printf("hal_ecdsa_load_public() failed: %s\n", hal_error_string(err)), 0;

  if ((err = hal_ecdsa_verify(NULL, key2, tc->H, tc->H_len, sig, sig_len)) != HAL_OK)
    return printf("hal_ecdsa_verify(public) failed: %s\n", hal_error_string(err)), 0;

  uint8_t point[hal_ecdsa_key_to_ecpoint_len(key1)];
  size_t  point_len;

  if ((err = hal_ecdsa_key_to_ecpoint(key1, point, &point_len, sizeof(point))) != HAL_OK)
    return printf("hal_ecdsa_key_to_point() failed: %s\n", hal_error_string(err)), 0;

  hal_ecdsa_key_clear(key1);
  key1 = NULL;

  if ((err = hal_ecdsa_key_from_ecpoint(&key1, keybuf1, sizeof(keybuf1), point, point_len, tc->curve)) != HAL_OK)
    return printf("hal_ecdsa_key_from_point() failed: %s\n", hal_error_string(err)), 0;

  if (memcmp(key1, key2, hal_ecdsa_key_t_size) != 0)
    return printf("Public key mismatch after first read/write cycle\n"), 0;

  hal_ecdsa_key_clear(key2);
  key2 = NULL;

  err = hal_ecdsa_public_key_to_der(key1, der, &der_len, sizeof(der));

  snprintf(fn, sizeof(fn), "test-ecdsa-public-key-p%u.der", (unsigned) tc->d_len * 8);

  if ((f = fopen(fn, "wb")) == NULL)
    return printf("Couldn't open %s: %s\n", fn, strerror(errno)), 0;

  if (fwrite(der, der_len, 1, f) != 1)
    return printf("Length mismatch writing %s\n", fn), 0;

  if (fclose(f) == EOF)
    return printf("Couldn't close %s: %s\n", fn, strerror(errno)), 0;

  /* Deferred error from hal_ecdsa_public_key_to_der() */
  if (err != HAL_OK)
    return printf("hal_ecdsa_public_key_to_der() failed: %s\n", hal_error_string(err)), 0;

  if ((err = hal_ecdsa_public_key_from_der(&key2, keybuf2, sizeof(keybuf2), der, der_len)) != HAL_OK)
    return printf("hal_ecdsa_public_key_from_der() failed: %s\n", hal_error_string(err)), 0;

  if (memcmp(key1, key2, hal_ecdsa_key_t_size) != 0)
    return printf("Public key mismatch after second read/write cycle\n"), 0;

  hal_ecdsa_key_clear(key1);
  hal_ecdsa_key_clear(key2);

  return 1;
}

#endif /* HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM */

/*
 * Run one keygen/sign/verify test with a newly generated key.
 */

static int test_keygen_sign_verify(const hal_curve_name_t curve)

{
  const hal_hash_descriptor_t *hash_descriptor = NULL;
  uint8_t keybuf[hal_ecdsa_key_t_size];
  hal_ecdsa_key_t *key = NULL;
  hal_error_t err;

  switch (curve) {

  case HAL_CURVE_P256:
    printf("ECDSA P-256 key generation / signature / verification test\n");
    hash_descriptor = hal_hash_sha256;
    break;

  case HAL_CURVE_P384:
    printf("ECDSA P-384 key generation / signature / verification test\n");
    hash_descriptor = hal_hash_sha384;
    break;

  case HAL_CURVE_P521:
    printf("ECDSA P-521 key generation / signature / verification test\n");
    hash_descriptor = hal_hash_sha512;
    break;

  default:
    printf("Unsupported ECDSA curve type\n");
    return 0;
  }

  printf("Generating key\n");

  if ((err =  hal_ecdsa_key_gen(NULL, &key, keybuf, sizeof(keybuf), curve)) != HAL_OK)
    return printf("hal_ecdsa_key_gen() failed: %s\n", hal_error_string(err)), 0;

  printf("Generating digest\n");

  uint8_t hashbuf[hash_descriptor->digest_length];

  {
    const uint8_t plaintext[] = "So long, and thanks...";
    uint8_t statebuf[hash_descriptor->hash_state_length];
    hal_hash_state_t *state = NULL;

    if ((err = hal_hash_initialize(NULL, hash_descriptor, &state, statebuf, sizeof(statebuf))) != HAL_OK ||
        (err = hal_hash_update(state, plaintext, strlen((const char *) plaintext))) != HAL_OK ||
        (err = hal_hash_finalize(state, hashbuf, sizeof(hashbuf))) != HAL_OK)
      return printf("Couldn't hash plaintext: %s\n", hal_error_string(err)), 0;
  }

  /*
   * Lazy but probably-good-enough guess on signature size -- want
   * explicit number in ecdsa_curve_t?
   */
  uint8_t sigbuf[hash_descriptor->digest_length * 3];
  size_t  siglen;

  printf("Signing\n");

  if ((err = hal_ecdsa_sign(NULL, key, hashbuf, sizeof(hashbuf),
                            sigbuf, &siglen, sizeof(sigbuf))) != HAL_OK)
    return printf("hal_ecdsa_sign() failed: %s\n", hal_error_string(err)), 0;

  printf("Verifying\n");

  if ((err = hal_ecdsa_verify(NULL, key, hashbuf, sizeof(hashbuf), sigbuf, siglen)) != HAL_OK)
    return printf("hal_ecdsa_verify() failed: %s\n", hal_error_string(err)), 0;

  return 1;
}

/*
 * Time a test.
 */

static void _time_check(const struct timeval t0, const int ok)
{
  struct timeval t;
  gettimeofday(&t, NULL);
  t.tv_sec -= t0.tv_sec;
  t.tv_usec -= t0.tv_usec;
  if (t.tv_usec < 0) {
    t.tv_usec += 1000000;
    t.tv_sec  -= 1;
  }
  printf("Elapsed time %lu.%06lu seconds, %s\n",
         (unsigned long) t.tv_sec,
         (unsigned long) t.tv_usec,
         ok ? "OK" : "FAILED");
}

#define time_check(_expr_)                      \
  do {                                          \
    struct timeval _t;                          \
    gettimeofday(&_t, NULL);                    \
    int _ok = (_expr_);                         \
    _time_check(_t, _ok);                       \
    ok &= _ok;                                  \
  } while (0)


static void show_core(const hal_core_t *core, const char *whinge)
{
  const hal_core_info_t *core_info = hal_core_info(core);
  if (core_info != NULL)
    printf("\"%8.8s\"  \"%4.4s\"\n", core_info->name, core_info->version);
  else if (whinge != NULL)
    printf("%s core not present\n", whinge);
}

int main(int argc, char *argv[])
{
  const hal_core_t *sha256_core = hal_core_find(SHA256_NAME, NULL);
  const hal_core_t *sha512_core = hal_core_find(SHA512_NAME, NULL);
  const hal_core_t *csprng_core = hal_core_find(CSPRNG_NAME, NULL);

  show_core(sha256_core, "sha-256");
  show_core(sha512_core, "sha-512");
  show_core(csprng_core, "csprng");

  int ok = 1;

#if HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM
  /*
   * Test vectors (where we have them).
   */
  for (int i = 0; i < sizeof(ecdsa_tc)/sizeof(*ecdsa_tc); i++)
    time_check(test_against_static_vectors(&ecdsa_tc[i]));
#endif

  /*
   * Generate/sign/verify test for each curve.
   */

  if (csprng_core != NULL && sha256_core != NULL) {
    time_check(test_keygen_sign_verify(HAL_CURVE_P256));
  }

  if (csprng_core != NULL && sha512_core != NULL) {
    time_check(test_keygen_sign_verify(HAL_CURVE_P384));
    time_check(test_keygen_sign_verify(HAL_CURVE_P521));
  }

  return !ok;
}

/*
 * Local variables:
 * indent-tabs-mode: nil
 * End:
 */