themis_status_t secure_session_wrap(secure_session_t *session_ctx, const void *message, size_t message_length, void *wrapped_message, size_t *wrapped_message_length)
{
uint32_t *session_id = (uint32_t *)wrapped_message;
uint8_t *iv = (uint8_t *)(session_id + 1);
uint32_t *length = (uint32_t *)(iv + CIPHER_MAX_BLOCK_SIZE);
uint32_t *seq = length + 1;
uint8_t *ts = (uint8_t *)(seq + 1);
uint64_t curr_time;
themis_status_t res;
if ((NULL == session_ctx) || (NULL == message) || (0 == message_length) || (NULL == wrapped_message_length))
{
return THEMIS_INVALID_PARAMETER;
}
if ((NULL == wrapped_message) || (WRAPPED_SIZE(message_length) > *wrapped_message_length))
{
*wrapped_message_length = WRAPPED_SIZE(message_length);
return THEMIS_BUFFER_TOO_SMALL;
}
curr_time = time(NULL);
if (-1 == curr_time)
{
return THEMIS_FAIL;
}
*((uint64_t *)ts) = htobe64(curr_time);
*wrapped_message_length = WRAPPED_SIZE(message_length);
memmove(ts + 8, message, message_length);
*seq = htonl(session_ctx->out_seq);
*length = htonl(message_length + sizeof(uint32_t) + sizeof(uint64_t));
res = soter_rand(iv, CIPHER_MAX_BLOCK_SIZE);
if (THEMIS_SUCCESS != res)
{
return res;
}
res = encrypt_gcm(session_ctx->out_cipher_key, sizeof(session_ctx->out_cipher_key), iv, CIPHER_MAX_BLOCK_SIZE, length, message_length + sizeof(uint32_t) + sizeof(uint64_t) + sizeof(uint32_t), length, message_length + sizeof(uint32_t) + sizeof(uint64_t) + sizeof(uint32_t) + CIPHER_AUTH_TAG_SIZE);
if (THEMIS_SUCCESS != res)
{
return res;
}
*session_id = htonl(session_ctx->session_id);
session_ctx->out_seq++;
return THEMIS_SUCCESS;
}
themis_status_t themis_secure_message_rsa_encrypter_proceed(themis_secure_message_rsa_encrypter_t* ctx, const uint8_t* message, const size_t message_length, uint8_t* wrapped_message, size_t* wrapped_message_length){
size_t symm_passwd_length=0;
size_t seal_message_length=0;
THEMIS_CHECK(soter_asym_cipher_encrypt(ctx->asym_cipher, (const uint8_t*)"123", 3, NULL, &symm_passwd_length)==THEMIS_BUFFER_TOO_SMALL);
THEMIS_CHECK(themis_secure_cell_encrypt_seal((const uint8_t*)"123", 3, NULL, 0, message, message_length, NULL, &seal_message_length)==THEMIS_BUFFER_TOO_SMALL);
if(wrapped_message==NULL || (*wrapped_message_length)<(sizeof(themis_secure_rsa_encrypted_message_hdr_t)+symm_passwd_length+seal_message_length)){
(*wrapped_message_length)=(sizeof(themis_secure_rsa_encrypted_message_hdr_t)+symm_passwd_length+seal_message_length);
return THEMIS_BUFFER_TOO_SMALL;
}
// symm_init_ctx_t symm_passwd_salt;
uint8_t symm_passwd[THEMIS_RSA_SYMM_PASSWD_LENGTH];
THEMIS_CHECK(soter_rand(symm_passwd, sizeof(symm_passwd))==THEMIS_SUCCESS);
uint8_t* encrypted_symm_pass=wrapped_message+sizeof(themis_secure_rsa_encrypted_message_hdr_t);
size_t encrypted_symm_pass_length=symm_passwd_length;
THEMIS_CHECK(soter_asym_cipher_encrypt(ctx->asym_cipher, symm_passwd, sizeof(symm_passwd), encrypted_symm_pass, &encrypted_symm_pass_length)==THEMIS_SUCCESS);
(((themis_secure_rsa_encrypted_message_hdr_t*)wrapped_message)->encrypted_passwd_length)=(uint32_t)encrypted_symm_pass_length;
uint8_t* encrypted_message=encrypted_symm_pass+encrypted_symm_pass_length;
size_t encrypted_message_length=seal_message_length;
THEMIS_CHECK(themis_secure_cell_encrypt_seal(symm_passwd, sizeof(symm_passwd), NULL, 0, message, message_length, encrypted_message, &encrypted_message_length)==THEMIS_SUCCESS);
(*wrapped_message_length)=sizeof(themis_secure_rsa_encrypted_message_hdr_t)+encrypted_symm_pass_length+encrypted_message_length;
((themis_secure_encrypted_message_hdr_t*)wrapped_message)->message_hdr.message_type=THEMIS_SECURE_MESSAGE_RSA_ENCRYPTED;
((themis_secure_encrypted_message_hdr_t*)wrapped_message)->message_hdr.message_length=(uint32_t)(*wrapped_message_length);
return THEMIS_SUCCESS;
}
static void secure_comparator_api_test(void)
{
/* setup */
themis_status_t themis_status;
secret_length = rand_int(MAX_SECRET_SIZE);
if (SOTER_SUCCESS != soter_rand(secret, secret_length)) {
testsuite_fail_if(true, "soter_rand failed");
return;
}
/* match */
alice = secure_comparator_create();
if (!alice) {
testsuite_fail_if(true, "secure_comparator_create failed");
return;
}
bob = secure_comparator_create();
if (!bob) {
testsuite_fail_if(true, "secure_comparator_create failed");
secure_comparator_destroy(alice);
alice = NULL;
return;
}
testsuite_fail_unless(THEMIS_INVALID_PARAMETER
== secure_comparator_append_secret(NULL, secret, secret_length),
"secure_comparator_append_secret: invalid context");
testsuite_fail_unless(THEMIS_INVALID_PARAMETER
== secure_comparator_append_secret(alice, NULL, secret_length),
"secure_comparator_append_secret: invalid input buffer");
testsuite_fail_unless(THEMIS_INVALID_PARAMETER == secure_comparator_append_secret(alice, secret, 0),
"secure_comparator_append_secret: invalid input length");
themis_status = secure_comparator_append_secret(alice, secret, secret_length);
if (THEMIS_SUCCESS != themis_status) {
testsuite_fail_if(true, "secure_comparator_append_secret failed");
secure_comparator_destroy(bob);
bob = NULL;
secure_comparator_destroy(alice);
alice = NULL;
return;
}
themis_status = secure_comparator_append_secret(bob, secret, secret_length);
if (THEMIS_SUCCESS != themis_status) {
testsuite_fail_if(true, "secure_comparator_append_secret failed");
secure_comparator_destroy(bob);
bob = NULL;
secure_comparator_destroy(alice);
alice = NULL;
return;
}
schedule();
testsuite_fail_unless((THEMIS_SCOMPARE_MATCH == secure_comparator_get_result(alice))
&& (THEMIS_SCOMPARE_MATCH == secure_comparator_get_result(bob)),
"compare result match");
testsuite_fail_unless(THEMIS_INVALID_PARAMETER == secure_comparator_destroy(NULL),
"secure_comparator_destroy: invalid context");
testsuite_fail_unless(THEMIS_SUCCESS == secure_comparator_destroy(bob),
"secure_comparator_destroy: destroy bob");
testsuite_fail_unless(THEMIS_SUCCESS == secure_comparator_destroy(alice),
"secure_comparator_destroy: destroy alice");
bob = NULL;
alice = NULL;
alice = secure_comparator_create();
if (!alice) {
testsuite_fail_if(true, "secure_comparator_create failed");
return;
}
bob = secure_comparator_create();
if (!bob) {
testsuite_fail_if(true, "secure_comparator_create failed");
secure_comparator_destroy(alice);
alice = NULL;
return;
}
themis_status = secure_comparator_append_secret(alice, secret, secret_length);
if (THEMIS_SUCCESS != themis_status) {
testsuite_fail_if(true, "secure_comparator_append_secret failed");
secure_comparator_destroy(bob);
bob = NULL;
secure_comparator_destroy(alice);
alice = NULL;
return;
}
themis_status = secure_comparator_append_secret(bob, secret, secret_length - 1);
if (THEMIS_SUCCESS != themis_status) {
testsuite_fail_if(true, "secure_comparator_append_secret failed");
secure_comparator_destroy(bob);
bob = NULL;
secure_comparator_destroy(alice);
alice = NULL;
return;
}
schedule();
testsuite_fail_unless((THEMIS_SCOMPARE_NO_MATCH == secure_comparator_get_result(alice))
&& (THEMIS_SCOMPARE_NO_MATCH == secure_comparator_get_result(bob)),
"compare result no match");
testsuite_fail_unless(THEMIS_SUCCESS == secure_comparator_destroy(bob),
"secure_comparator_destroy: destroy bob");
testsuite_fail_unless(THEMIS_SUCCESS == secure_comparator_destroy(alice),
"secure_comparator_destroy: destroy alice");
bob = NULL;
alice = NULL;
}
static void soter_sign_api_test()
{
uint8_t priv[MAX_TEST_KEY];
size_t priv_length = sizeof(priv);
uint8_t pub[MAX_TEST_KEY];
size_t pub_length = sizeof(pub);
uint8_t message[MAX_TEST_DATA];
size_t message_length = rand_int(MAX_TEST_DATA);
uint8_t signature[MAX_TEST_DATA];
size_t signature_length = sizeof(signature);
soter_status_t res;
if (soter_rand(message, message_length))
{
testsuite_fail_if(true, "soter_rand failed");
return;
}
soter_sign_ctx_t *sign_ctx = soter_sign_create(SOTER_SIGN_ecdsa_none_pkcs8, NULL, 0, NULL, 0);
if (!sign_ctx)
{
testsuite_fail_if(true, "soter_sign_create failed");
return;
}
res = soter_sign_export_key(sign_ctx, priv, &priv_length, true);
if (SOTER_SUCCESS != res)
{
testsuite_fail_if(true, "soter_sign_export_key failed");
soter_sign_destroy(sign_ctx);
return;
}
res = soter_sign_export_key(sign_ctx, pub, &pub_length, false);
if (SOTER_SUCCESS != res)
{
testsuite_fail_if(true, "soter_sign_export_key failed");
soter_sign_destroy(sign_ctx);
return;
}
soter_sign_destroy(sign_ctx);
sign_ctx = soter_sign_create((soter_sign_alg_t)-1, priv, priv_length, NULL, 0);
testsuite_fail_if(sign_ctx, "soter_sign_create: invalid algorithm");
sign_ctx = soter_sign_create(SOTER_SIGN_ecdsa_none_pkcs8, priv, priv_length - 1, NULL, 0);
testsuite_fail_if(sign_ctx, "soter_sign_create: invalid private key length");
sign_ctx = soter_sign_create(SOTER_SIGN_ecdsa_none_pkcs8, priv, priv_length, NULL, 0);
if (!sign_ctx)
{
testsuite_fail_if(true, "soter_sign_create failed");
return;
}
testsuite_fail_unless(SOTER_INVALID_PARAMETER == soter_sign_update(NULL, message, message_length), "soter_sign_update: invalid context");
testsuite_fail_unless(SOTER_INVALID_PARAMETER == soter_sign_update(sign_ctx, NULL, message_length), "soter_sign_update: invalid message");
testsuite_fail_unless(SOTER_INVALID_PARAMETER == soter_sign_update(sign_ctx, message, 0), "soter_sign_update: invalid message length");
res = soter_sign_update(sign_ctx, message, message_length);
if (SOTER_SUCCESS != res)
{
testsuite_fail_if(true, "soter_sign_update failed");
soter_sign_destroy(sign_ctx);
return;
}
testsuite_fail_unless(SOTER_INVALID_PARAMETER == soter_sign_final(NULL, signature, &signature_length), "soter_sign_final: invalid context");
testsuite_fail_unless(SOTER_BUFFER_TOO_SMALL == soter_sign_final(sign_ctx, NULL, &signature_length), "soter_sign_final: get output size (NULL out buffer)");
signature_length--;
testsuite_fail_unless(SOTER_BUFFER_TOO_SMALL == soter_sign_final(sign_ctx, signature, &signature_length), "soter_sign_final: get output size (small out buffer)");
res = soter_sign_final(sign_ctx, signature, &signature_length);
if (SOTER_SUCCESS != res)
{
testsuite_fail_if(true, "soter_sign_final failed");
soter_sign_destroy(sign_ctx);
return;
}
testsuite_fail_unless(SOTER_INVALID_PARAMETER == soter_sign_destroy(NULL), "soter_sign_destroy: invalid context");
res = soter_sign_destroy(sign_ctx);
if (SOTER_SUCCESS != res){
testsuite_fail_if(true, "soter_sign_destroy failed");
return;
}
sign_ctx = soter_verify_create((soter_sign_alg_t)-1, NULL, 0, pub, pub_length);
testsuite_fail_if(sign_ctx, "soter_verify_create: invalid algorithm");
sign_ctx = soter_verify_create(SOTER_SIGN_ecdsa_none_pkcs8, NULL, 0, pub, pub_length - 1);
testsuite_fail_if(sign_ctx, "soter_verify_create: invalid public key length");
sign_ctx = soter_verify_create(SOTER_SIGN_ecdsa_none_pkcs8, NULL, 0, pub, pub_length);
if (!sign_ctx)
{
testsuite_fail_if(true, "soter_verify_create failed");
return;
}
testsuite_fail_unless(SOTER_INVALID_PARAMETER == soter_verify_update(NULL, message, message_length), "soter_verify_update: invalid context");
testsuite_fail_unless(SOTER_INVALID_PARAMETER == soter_verify_update(sign_ctx, NULL, message_length), "soter_verify_update: invalid message");
testsuite_fail_unless(SOTER_INVALID_PARAMETER == soter_verify_update(sign_ctx, message, 0), "soter_verify_update: invalid message length");
res = soter_verify_update(sign_ctx, message, message_length);
if (SOTER_SUCCESS != res)
{
testsuite_fail_if(true, "soter_verify_update failed");
soter_verify_destroy(sign_ctx);
return;
}
testsuite_fail_unless(SOTER_INVALID_PARAMETER == soter_verify_final(NULL, signature, signature_length), "soter_verify_final: invalid context");
testsuite_fail_unless(SOTER_INVALID_PARAMETER == soter_verify_final(sign_ctx, NULL, signature_length), "soter_verify_final: invalid signature buffer");
testsuite_fail_unless(SOTER_INVALID_SIGNATURE == soter_verify_final(sign_ctx, signature, signature_length - 1), "soter_verify_final: invalid signature length");
signature[signature_length / 2]++;
testsuite_fail_unless(SOTER_INVALID_SIGNATURE == soter_verify_final(sign_ctx, signature, signature_length), "soter_verify_final: invalid signature value");
signature[signature_length / 2]--;
testsuite_fail_unless(SOTER_SUCCESS == soter_verify_final(sign_ctx, signature, signature_length), "soter_verify_final: normal flow");
testsuite_fail_unless(SOTER_INVALID_PARAMETER == soter_verify_destroy(NULL), "soter_verify_destroy: invalid context");
res = soter_verify_destroy(sign_ctx);
if (SOTER_SUCCESS != res)
{
testsuite_fail_if(true, "soter_verify_destroy failed");
return;
}
sign_ctx = soter_verify_create(SOTER_SIGN_ecdsa_none_pkcs8, NULL, 0, pub, pub_length);
if (!sign_ctx)
{
testsuite_fail_if(true, "soter_verify_create failed");
return;
}
message[message_length / 2]++;
res = soter_verify_update(sign_ctx, message, message_length);
if (SOTER_SUCCESS != res)
{
testsuite_fail_if(true, "soter_verify_update failed");
soter_verify_destroy(sign_ctx);
return;
}
message[message_length / 2]--;
testsuite_fail_unless(SOTER_INVALID_SIGNATURE == soter_verify_final(sign_ctx, signature, signature_length), "soter_verify_final: wrong signed message");
soter_verify_destroy(sign_ctx);
}
static int client_function_no_transport(void)
{
static bool connected = false;
themis_status_t res;
uint8_t recv_buf[2048];
ssize_t bytes_received = 0;
uint8_t processing_buf[2048];
size_t processing_buf_size = 0;
/* Client is not connected yet. Initiate key agreement */
if (!connected) {
res = secure_session_generate_connect_request((client.session),
processing_buf,
(size_t*)(&processing_buf_size));
if (THEMIS_BUFFER_TOO_SMALL != res) {
testsuite_fail_if(res, "secure_session_generate_connect_request failed");
return TEST_STOP_ERROR;
}
res = secure_session_generate_connect_request((client.session),
processing_buf,
(size_t*)(&processing_buf_size));
if (THEMIS_SUCCESS == res) {
/* This test-send function never fails, so we do not check for error here */
on_send_data(processing_buf, processing_buf_size, NULL);
connected = true;
return TEST_CONTINUE;
}
testsuite_fail_if(res, "secure_session_generate_connect_request failed");
return TEST_STOP_ERROR;
}
if (secure_session_is_established((client.session))) {
size_t remote_id_length = 0;
if (THEMIS_BUFFER_TOO_SMALL
!= secure_session_get_remote_id(client.session, NULL, &remote_id_length)) {
testsuite_fail_if(true, "remote id getting failed (length_determination)");
return TEST_STOP_ERROR;
}
uint8_t* remote_id = malloc(remote_id_length);
assert(remote_id);
if (THEMIS_SUCCESS
!= secure_session_get_remote_id(client.session, remote_id, &remote_id_length)) {
testsuite_fail_if(true, "remote id getting failed");
free(remote_id);
return TEST_STOP_ERROR;
}
testsuite_fail_unless(remote_id_length == strlen(server.id)
&& 0 == memcmp(remote_id, server.id, strlen(server.id)),
"secure_session remote id getting");
free(remote_id);
static int messages_to_send = MESSAGES_TO_SEND;
/* Connection is already established. */
static uint8_t data_to_send[MAX_MESSAGE_SIZE];
static size_t length_to_send;
processing_buf_size = sizeof(processing_buf);
/* If there is anything to receive, receive it */
if (current_length) {
bytes_received = on_receive_data(recv_buf, sizeof(recv_buf), NULL);
if (bytes_received > 0) {
res = secure_session_unwrap((client.session),
recv_buf,
(size_t)bytes_received,
processing_buf,
(size_t*)(&processing_buf_size));
if (THEMIS_SUCCESS != res) {
testsuite_fail_if(res, "secure_session_unwrap failed");
return TEST_STOP_ERROR;
}
/* The server should echo our previously sent data */
testsuite_fail_if(current_length == (size_t)processing_buf_size,
"secure_session message send/receive");
messages_to_send--;
if (!messages_to_send) {
return TEST_STOP_SUCCESS;
}
} else {
/* We shoud receive something. */
testsuite_fail_if(bytes_received, "secure_session_receive failed");
return TEST_STOP_ERROR;
}
}
length_to_send = rand_int(MAX_MESSAGE_SIZE - 64);
if (THEMIS_SUCCESS != soter_rand(data_to_send, length_to_send)) {
testsuite_fail_if(true, "soter_rand failed");
return TEST_STOP_ERROR;
}
processing_buf_size = sizeof(processing_buf);
res = secure_session_wrap((client.session),
data_to_send,
length_to_send,
processing_buf,
(size_t*)(&processing_buf_size));
if (THEMIS_SUCCESS != res) {
testsuite_fail_if(res, "secure_session_wrap failed");
return TEST_STOP_ERROR;
}
/* This test-send function never fails, so we do not check for error here */
on_send_data(processing_buf, processing_buf_size, NULL);
testsuite_fail_if(length_to_send == current_length, "secure_session client message wrap");
return TEST_CONTINUE;
}
/* Connection is not established. We should receive some key agreement data. */
bytes_received = on_receive_data(recv_buf, sizeof(recv_buf), NULL);
if (bytes_received <= 0) {
testsuite_fail_if(bytes_received, "secure_session_receive failed");
return TEST_STOP_ERROR;
}
res = secure_session_unwrap((client.session),
recv_buf,
bytes_received,
processing_buf,
(size_t*)(&processing_buf_size));
if (THEMIS_SUCCESS == res) {
if (secure_session_is_established((client.session))) {
/* Negotiation completed. Clear the shared memory. */
current_length = 0;
return TEST_CONTINUE;
}
testsuite_fail_if(true, "secure_session_unwrap failed");
return TEST_STOP_ERROR;
}
if (THEMIS_BUFFER_TOO_SMALL != res) {
testsuite_fail_if(true, "secure_session_unwrap failed");
return TEST_STOP_ERROR;
}
res = secure_session_unwrap((client.session),
recv_buf,
bytes_received,
processing_buf,
(size_t*)(&processing_buf_size));
if ((THEMIS_SSESSION_SEND_OUTPUT_TO_PEER == res) && (processing_buf_size > 0)) {
/* This test-send function never fails, so we do not check for error here */
on_send_data(processing_buf, processing_buf_size, NULL);
return TEST_CONTINUE;
}
testsuite_fail_if(true, "secure_session_unwrap failed");
return TEST_STOP_ERROR;
}
static int client_function(void)
{
static bool connected = false;
themis_status_t res;
uint8_t recv_buf[2048];
ssize_t bytes_received;
ssize_t bytes_sent;
/* Client is not connected yet. Initiate key agreement */
if (!connected) {
res = secure_session_connect((client.session));
if (THEMIS_SUCCESS == res) {
connected = true;
return TEST_CONTINUE;
}
testsuite_fail_if(res, "secure_session_connect failed");
return TEST_STOP_ERROR;
}
if (secure_session_is_established(client.session)) {
size_t remote_id_length = 0;
if (THEMIS_BUFFER_TOO_SMALL
!= secure_session_get_remote_id(client.session, NULL, &remote_id_length)) {
testsuite_fail_if(true, "remote id getting failed (length_determination)");
return TEST_STOP_ERROR;
}
uint8_t* remote_id = malloc(remote_id_length);
assert(remote_id);
if (THEMIS_SUCCESS
!= secure_session_get_remote_id(client.session, remote_id, &remote_id_length)) {
testsuite_fail_if(true, "remote id getting failed");
free(remote_id);
return TEST_STOP_ERROR;
}
testsuite_fail_unless(remote_id_length == strlen(server.id)
&& 0 == memcmp(remote_id, server.id, strlen(server.id)),
"secure_session remote id getting");
free(remote_id);
static int messages_to_send = MESSAGES_TO_SEND;
/* Connection is already established. */
static uint8_t data_to_send[MAX_MESSAGE_SIZE];
static size_t length_to_send;
/* If there is anything to receive, receive it */
if (current_length) {
bytes_received = secure_session_receive(client.session, recv_buf, sizeof(recv_buf));
if (bytes_received > 0) {
/* The server should echo our previously sent data */
testsuite_fail_unless((length_to_send == (size_t)bytes_received)
&& (!memcmp(recv_buf, data_to_send, bytes_received)),
"secure_session message send/receive");
messages_to_send--;
if (!messages_to_send) {
return TEST_STOP_SUCCESS;
}
} else {
/* We shoud receive something. */
testsuite_fail_if(bytes_received, "secure_session_receive failed");
return TEST_STOP_ERROR;
}
}
length_to_send = rand_int(MAX_MESSAGE_SIZE);
if (THEMIS_SUCCESS != soter_rand(data_to_send, length_to_send)) {
testsuite_fail_if(true, "soter_rand failed");
return TEST_STOP_ERROR;
}
bytes_sent = secure_session_send((client.session), data_to_send, length_to_send);
if (bytes_sent > 0) {
/* Check whether data was indeed encrypted (it should not be the same as in
* data_to_send) */
testsuite_fail_if((length_to_send == current_length)
|| (!memcmp(data_to_send, shared_mem, length_to_send)),
"secure_session client message wrap");
return TEST_CONTINUE;
}
testsuite_fail_if(true, "secure_session_send failed");
return TEST_STOP_ERROR;
}
/* Connection is not established. We should receive some key agreement data. */
bytes_received = secure_session_receive((client.session), recv_buf, sizeof(recv_buf));
/* When key agreement data is received and processed client gets 0 in return value (no data
* for client is received) */
if (bytes_received) {
testsuite_fail_if(bytes_received, "secure_session_receive failed");
return TEST_STOP_ERROR;
}
if (secure_session_is_established((client.session))) {
/* Negotiation completed. Clear the shared memory. */
current_length = 0;
}
return TEST_CONTINUE;
}
