static double perf_ccxts_set_tweak(unsigned long loops, unsigned long size CC_UNUSED, const void *arg)
{
const struct ccxts_perf_test *test=arg;
const struct ccmode_xts *xts=test->xts;
size_t keylen=test->keylen;
unsigned char keyd[keylen];
unsigned char tweakkeyd[keylen];
unsigned char tweakd[xts->block_size];
cc_zero(keylen,keyd);
ccxts_ctx_decl(xts->size, key);
ccxts_tweak_decl(xts->tweak_size, tweak);
ccxts_init(xts, key, keylen, keyd, tweakkeyd);
perf_start();
while(loops--)
ccxts_set_tweak(xts, key, tweak, tweakd);
return perf_time();
}
static int ECDSA_POST()
{
// Pair wise consistency test
size_t keySize = 256;
int iResult = 0;
struct ccrng_system_state system_rng;
struct ccrng_state *rng = (struct ccrng_state *)&system_rng;
ccrng_system_init(&system_rng);
ccec_const_cp_t cp = ccec_get_cp(keySize);
ccec_full_ctx_decl_cp(cp, full_ec_key);
size_t signedDataLen = ccec_sign_max_size(cp);
uint8_t signedData[signedDataLen];
cc_zero(signedDataLen, signedData);
iResult = ccec_generate_key_fips(cp, rng, full_ec_key);
ccec_full_ctx_clear_cp(cp, full_ec_key);
ccrng_system_done(&system_rng);
return iResult;
}
static double perf_cccbc_update(unsigned long loops, unsigned long size, const void *arg)
{
const struct cccbc_perf_test *test=arg;
const struct ccmode_cbc *cbc=test->cbc;
size_t keylen=test->keylen;
unsigned long nblocks=size/cbc->block_size;
unsigned char keyd[keylen];
unsigned char temp[nblocks*cbc->block_size];
cc_zero(keylen,keyd);
cccbc_ctx_decl(cbc->size, key);
cccbc_iv_decl(cbc->block_size, iv);
cccbc_init(cbc, key, keylen, keyd);
cccbc_set_iv(cbc, iv, NULL);
perf_start();
while(loops--)
cccbc_update(cbc, key, iv, nblocks, temp, temp);
return perf_time();
}
static int hmac_dbrg_instantiate_algorithm(struct ccdrbg_state *drbg,
size_t entropyLength, const void *entropy,
size_t nonceLength, const void *nonce,
size_t psLength, const void *ps)
{
// TODO: The NIST code passes nonce (i.e. HMAC key) to generate, but cc interface isn't set up that way
struct ccdrbg_nisthmac_state *state = (struct ccdrbg_nisthmac_state *)drbg;
// 1. seed_material = entropy_input || nonce || personalization_string.
// 2. Set Key to outlen bits of zeros.
cc_zero(state->keysize, state->key);
// 3. Set V to outlen/8 bytes of 0x01.
CC_MEMSET(state->vptr, 0x01, state->vsize);
// 4. (Key, V) = HMAC_DRBG_Update (seed_material, Key, V).
hmac_dbrg_update(drbg, entropyLength, entropy, nonceLength, nonce, psLength, ps);
// 5. reseed_counter = 1.
state->reseed_counter = 1;
return CCDRBG_STATUS_OK;
}
/* Private key static functions. */
static void SecRSAPrivateKeyDestroy(SecKeyRef key) {
/* Zero out the public key */
ccrsa_full_ctx_t fullkey;
fullkey.full = key->key;
cc_zero(ccrsa_full_ctx_size(ccn_sizeof_n(ccrsa_ctx_n(fullkey))), fullkey.full);
}
static OSStatus SecRSAPublicKeyRawVerify(SecKeyRef key, SecPadding padding,
const uint8_t *signedData, size_t signedDataLen,
const uint8_t *sig, size_t sigLen) {
OSStatus result = errSSLCrypto;
ccrsa_pub_ctx_t pubkey;
pubkey.pub = key->key;
cc_unit s[ccrsa_ctx_n(pubkey)];
ccn_read_uint(ccrsa_ctx_n(pubkey), s, sigLen, sig);
ccrsa_pub_crypt(pubkey, s, s);
ccn_swap(ccrsa_ctx_n(pubkey), s);
const uint8_t* sBytes = (uint8_t*) s;
const uint8_t* sEnd = (uint8_t*) (s + ccrsa_ctx_n(pubkey));
switch (padding) {
case kSecPaddingNone:
// Skip leading zeros as long as s is bigger than signedData.
while (((ptrdiff_t)signedDataLen < (sEnd - sBytes)) && (*sBytes == 0))
++sBytes;
break;
case kSecPaddingPKCS1:
{
// Verify and skip PKCS1 padding:
//
// 0x00, 0x01 (RSA_PKCS1_PAD_SIGN), 0xFF .. 0x00, signedData
//
size_t m_size = ccn_write_uint_size(ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey));
size_t prefix_zeros = ccn_sizeof_n(ccrsa_ctx_n(pubkey)) - m_size;
while (prefix_zeros--)
require_quiet(*sBytes++ == 0x00, errOut);
require_quiet(*sBytes++ == 0x00, errOut);
require_quiet(*sBytes++ == RSA_PKCS1_PAD_SIGN, errOut);
while (*sBytes == 0xFF) {
require_quiet(++sBytes < sEnd, errOut);
}
// Required to have at least 8 0xFFs
require_quiet((sBytes - (uint8_t*)s) - 2 >= 8, errOut);
require_quiet(*sBytes == 0x00, errOut);
require_quiet(++sBytes < sEnd, errOut);
break;
}
case kSecPaddingOAEP:
result = errSecParam;
goto errOut;
default:
result = errSecUnimplemented;
goto errOut;
}
// Compare the rest.
require_quiet((sEnd - sBytes) == (ptrdiff_t)signedDataLen, errOut);
require_quiet(memcmp(sBytes, signedData, signedDataLen) == 0, errOut);
result = errSecSuccess;
errOut:
cc_zero(ccrsa_ctx_n(pubkey), s);
return result;
}
/* Public key static functions. */
static void SecRSAPublicKeyDestroy(SecKeyRef key) {
/* Zero out the public key */
ccrsa_pub_ctx_t pubkey;
pubkey.pub = key->key;
cc_zero(ccrsa_pub_ctx_size(ccn_sizeof_n(ccrsa_ctx_n(pubkey))), pubkey.pub);
}
static void done(struct ccdrbg_state *drbg)
{
struct ccdrbg_nisthmac_state *state=(struct ccdrbg_nisthmac_state *)drbg;
cc_zero(sizeof(state->v), state->v);
cc_zero(sizeof(state->key), state->key);
}
int ccdh_test_compute_vector(const struct ccdh_compute_vector *v)
{
int result,r1,r2;
const cc_size n = ccn_nof(v->len);
const size_t s = ccn_sizeof_n(n);
unsigned char z[v->zLen];
size_t zLen;
unsigned char tmp[v->zLen]; // for negative testing
uint32_t status=0;
uint32_t nb_test=0;
ccdh_gp_decl(s, gp);
ccdh_full_ctx_decl(s, a);
ccdh_full_ctx_decl(s, b);
cc_unit p[n];
cc_unit g[n];
cc_unit r[n];
cc_unit q[n];
// Bail to errOut when unexpected error happens.
// Try all usecases otherwise
if((result=ccn_read_uint(n, p, v->pLen, v->p)))
goto errOut;
if((result=ccn_read_uint(n, g, v->gLen, v->g)))
goto errOut;
if((result=ccn_read_uint(n, q, v->qLen, v->q)))
goto errOut;
ccdh_init_gp_with_order(gp, n, p, g, q);
ccdh_ctx_init(gp, a);
ccdh_ctx_init(gp, b);
if((result=ccn_read_uint(n, ccdh_ctx_x(a), v->xaLen, v->xa))) // private key
goto errOut;
if((result=ccn_read_uint(n, ccdh_ctx_y(a), v->yaLen, v->ya))) // public key
goto errOut;
if((result=ccn_read_uint(n, ccdh_ctx_x(b), v->xbLen, v->xb))) // private key
goto errOut;
if((result=ccn_read_uint(n, ccdh_ctx_y(b), v->ybLen, v->yb))) // public key
goto errOut;
/*
* Main test
*/
/* try one side */
zLen = v->zLen;
r1=ccdh_compute_key(a, b, r);
ccn_write_uint_padded(n, r, zLen, z);
r1|=memcmp(z, v->z, zLen);
/* try the other side */
zLen = v->zLen;
r2=ccdh_compute_key(b, a, r);
ccn_write_uint_padded(n, r, zLen, z);
r2|=memcmp(z, v->z, zLen);
if ((!(r1||r2) && v->valid)||((r1||r2) && !v->valid))
{
status|=1<<nb_test;
}
nb_test++;
// We are done if the test is not valid
if (!v->valid) goto doneOut;
/*
* Corner case / negative testing
* Only applicable for valid tests
*/
/* Output is 1 (use private key is (p-1)/2)*/
if((result=ccn_read_uint(n, ccdh_ctx_x(a), v->pLen, v->p))) // private key
goto errOut;
ccn_sub1(n,ccdh_ctx_x(a),ccdh_ctx_x(a),1);
ccn_shift_right(n,ccdh_ctx_x(a),ccdh_ctx_x(a),1);
if ((result=ccdh_compute_key(a, b, r))!=0)
{
status|=1<<nb_test;
}
if((result=ccn_read_uint(n, ccdh_ctx_x(a), v->xaLen, v->xa))) // restore private key
goto errOut;
nb_test++;
/* negative testing (1 < y < p-1)*/
/* public y = 0 */
zLen = v->zLen;
cc_zero(sizeof(tmp),tmp);
if((result=ccn_read_uint(n, ccdh_ctx_y(b), zLen, tmp)))
{
goto errOut;
}
if((result=ccdh_compute_key(a, b, r))!=0)
{
status|=1<<nb_test;
}
nb_test++;
/* public y = 1 */
zLen = v->zLen;
cc_zero(sizeof(tmp),tmp);
tmp[zLen-1]=1;
if((result=ccn_read_uint(n, ccdh_ctx_y(b), zLen, tmp)))
{
goto errOut;
}
if((result=ccdh_compute_key(a, b, r))!=0)
{
status|=1<<nb_test;
}
nb_test++;
/* public y = p */
if((result=ccn_read_uint(n, ccdh_ctx_y(b), v->pLen, v->p)))
goto errOut;
if((result=ccdh_compute_key(a, b, r))!=0)
{
status|=1<<nb_test;
}
nb_test++;
/* public y = p-1 */
if((result=ccn_read_uint(n, ccdh_ctx_y(b), v->pLen, v->p)))
{
goto errOut;
}
ccn_sub1(n,ccdh_ctx_y(b),ccdh_ctx_y(b),1);
if((result=ccdh_compute_key(a, b, r))!=0)
{
status|=1<<nb_test;
}
nb_test++;
/*
* When the order is in defined in the group
* check that the implementation check the order of the public value:
* public y = g+1 (for rfc5114 groups, g+1 is not of order q)
*/
if (ccdh_gp_order_bitlen(gp))
{
if((result=ccn_read_uint(n, ccdh_ctx_y(b), v->gLen, v->g)))
{
goto errOut;
}
ccn_add1(n,ccdh_ctx_y(b),ccdh_ctx_y(b),1);
if((result=ccdh_compute_key(a, b, r))!=0)
{
status|=1<<nb_test;
}
nb_test++;
}
/* positive testing at the boundaries of (1 < y < p-1)*/
// Don't set the order in gp because 2 and p-2 are not of order q
ccdh_init_gp(gp, n, p, g, 0);
/* public y = 2 */
zLen = v->zLen;
cc_zero(sizeof(tmp),tmp);
tmp[zLen-1]=2;
if((result=ccn_read_uint(n, ccdh_ctx_y(b), zLen, tmp)))
{
goto errOut;
}
if((result=ccdh_compute_key(a, b, r))==0)
{
status|=1<<nb_test;
}
nb_test++;
/* public y = p-2 */
if((result=ccn_read_uint(n, ccdh_ctx_y(b), v->pLen, v->p)))
{
goto errOut;
}
ccn_sub1(n,ccdh_ctx_y(b),ccdh_ctx_y(b),2);
if((result=ccdh_compute_key(a, b, r))==0)
{
status|=1<<nb_test;
}
nb_test++;
/* Negative testing: p is even */
if((result=ccn_read_uint(n, p, v->pLen, v->p)))
goto errOut;
ccn_set_bit(p,0,0); // Set LS bit to 0
ccdh_init_gp(gp, n, p, g, 0);
ccdh_ctx_init(gp, a);
ccdh_ctx_init(gp, b);
if((result=ccdh_compute_key(a, b, r))!=0)
{
status|=1<<nb_test;
}
nb_test++;
/* Test aftermath */
doneOut:
if ((nb_test==0) || (status!=((1<<nb_test)-1)))
{
result=1;
}
else
{
result=0; // Test is successful, Yeah!
}
errOut:
return result;
}
