1
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2
/* plugins/preauth/pkinit/pkinit_kdf_test.c */
3
/*
4
 * Copyright (C) 2011 by the Massachusetts Institute of Technology.
5
 * All rights reserved.
6
 *
7
 * Export of this software from the United States of America may
8
 *   require a specific license from the United States Government.
9
 *   It is the responsibility of any person or organization contemplating
10
 *   export to obtain such a license before exporting.
11
 *
12
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13
 * distribute this software and its documentation for any purpose and
14
 * without fee is hereby granted, provided that the above copyright
15
 * notice appear in all copies and that both that copyright notice and
16
 * this permission notice appear in supporting documentation, and that
17
 * the name of M.I.T. not be used in advertising or publicity pertaining
18
 * to distribution of the software without specific, written prior
19
 * permission.  Furthermore if you modify this software you must label
20
 * your software as modified software and not distribute it in such a
21
 * fashion that it might be confused with the original M.I.T. software.
22
 * M.I.T. makes no representations about the suitability of
23
 * this software for any purpose.  It is provided "as is" without express
24
 * or implied warranty.
25
 */
26

27
/* Verify the correctness of pkinit_kdf() in pkinit_crypto_openssl, which
28
 * implements the key derivation function from RFC 8636. */
29

30
#include "k5-platform.h"
31
#include "pkinit.h"
32

33
/**
34
 * Initialize a krb5_data from @a s, a constant string. Note @a s is evaluated
35
 * multiple times; this is acceptable for constants.
36
 */
37
#define DATA_FROM_STRING(s)                     \
38
    {0, sizeof(s)-1, (char *) s}
39

40

41
/* values from test vectors in the pkinit-alg-agility draft */
42
int secret_len = 256;
43
char twenty_as[10];
44
char eighteen_bs[9];
45
char party_u_name[] = "[email protected]";
46
char party_v_name[] = "krbtgt/[email protected]";
47
int enctype_aes = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
48
int enctype_des3 = ENCTYPE_DES3_CBC_SHA1;
49
const krb5_data lha_data = DATA_FROM_STRING("lha");
50

51
krb5_octet key1_hex[] =
52
{0xe6, 0xAB, 0x38, 0xC9, 0x41, 0x3E, 0x03, 0x5B,
53
 0xB0, 0x79, 0x20, 0x1E, 0xD0, 0xB6, 0xB7, 0x3D,
54
 0x8D, 0x49, 0xA8, 0x14, 0xA7, 0x37, 0xC0, 0x4E,
55
 0xE6, 0x64, 0x96, 0x14, 0x20, 0x6F, 0x73, 0xAD};
56

57
krb5_octet key2_hex[] =
58
{0x77, 0xEF, 0x4E, 0x48, 0xC4, 0x20, 0xAE, 0x3F,
59
 0xEC, 0x75, 0x10, 0x9D, 0x79, 0x81, 0x69, 0x7E,
60
 0xED, 0x5D, 0x29, 0x5C, 0x90, 0xc6, 0x25, 0x64,
61
 0xF7, 0xBF, 0xD1, 0x01, 0xFA, 0x9b, 0xC1, 0xD5};
62

63
krb5_octet key3_hex[] =
64
{0xD3, 0xC7, 0x8A, 0x79, 0xD6, 0x52, 0x13, 0xEF,
65
 0xE9, 0xA8, 0x26, 0xF7, 0x5D, 0xFB, 0x01, 0xF7,
66
 0x23, 0x62, 0xFB, 0x16, 0xFB, 0x01, 0xDA, 0xD6};
67

68
int
69
main(int argc, char **argv)
70
{
71
    krb5_context context = 0;
72
    krb5_data secret;
73
    krb5_algorithm_identifier alg_id;
74
    krb5_data as_req;
75
    krb5_data pk_as_rep;
76
    krb5_keyblock key_block;
77

78
    /* other local variables */
79
    int retval = 0;
80
    krb5_enctype enctype = 0;
81
    krb5_principal u_principal = NULL;
82
    krb5_principal v_principal = NULL;
83

84
    /* initialize variables that get malloc'ed, so cleanup is safe */
85
    krb5_init_context (&context);
86
    memset(&alg_id, 0, sizeof(alg_id));
87
    memset(&as_req, 0, sizeof(as_req));
88
    memset(&pk_as_rep, 0, sizeof(pk_as_rep));
89
    memset(&key_block, 0, sizeof(key_block));
90

91
    /* set up a 256-byte, ALL-ZEROS secret */
92
    if (NULL == (secret.data = malloc(secret_len))) {
93
        printf("ERROR in pkinit_kdf_test: Memory allocation failed.");
94
        retval = ENOMEM;
95
        goto cleanup;
96
    }
97
    secret.length = secret_len;
98
    memset(secret.data, 0, secret_len);
99

100
    /* set-up the partyUInfo and partyVInfo principals */
101
    if ((0 != (retval = krb5_parse_name(context, party_u_name,
102
                                        &u_principal))) ||
103
        (0 != (retval = krb5_parse_name(context, party_v_name,
104
                                        &v_principal)))) {
105
        printf("ERROR in pkinit_kdf_test: Error parsing names, retval = %d",
106
               retval);
107
        goto cleanup;
108
    }
109

110
    /* The test vectors in RFC 8636 implicitly use NT-PRINCIPAL names. */
111
    u_principal->type = KRB5_NT_PRINCIPAL;
112
    v_principal->type = KRB5_NT_PRINCIPAL;
113

114
    /* set-up the as_req and and pk_as_rep data */
115
    memset(twenty_as, 0xaa, sizeof(twenty_as));
116
    memset(eighteen_bs, 0xbb, sizeof(eighteen_bs));
117
    as_req.length = sizeof(twenty_as);
118
    as_req.data = twenty_as;
119

120
    pk_as_rep.length = sizeof(eighteen_bs);
121
    pk_as_rep.data = eighteen_bs;
122

123
    /* TEST 1:  SHA-1/AES */
124
    /* set up algorithm id */
125
    alg_id.algorithm = kdf_sha1_id;
126

127
    enctype = enctype_aes;
128

129
    retval = pkinit_kdf(context, &secret, &alg_id.algorithm, u_principal,
130
                        v_principal, enctype, &as_req, &pk_as_rep, &key_block);
131
    if (retval) {
132
        printf("ERROR in pkinit_kdf_test: kdf call failed, retval = %d\n",
133
               retval);
134
        goto cleanup;
135
    }
136

137
    /* compare key to expected key value */
138

139
    if ((key_block.length == sizeof(key1_hex)) &&
140
        (0 == memcmp(key_block.contents, key1_hex, key_block.length))) {
141
        printf("SUCCESS: TEST 1 (SHA-1/AES), Correct key value generated.\n");
142
        retval = 0;
143
        /* free the keyblock contents, so we can use it for the next test */
144
        krb5_free_keyblock_contents(context, &key_block);
145
    } else {
146
        printf("FAILURE: TEST 1 (SHA-1/AES), Incorrect key value generated!\n");
147
        retval = 1;
148
        goto cleanup;
149
    }
150

151
    /* TEST 2: SHA-256/AES */
152
    /* set up algorithm id */
153
    alg_id.algorithm = kdf_sha256_id;
154

155
    enctype = enctype_aes;
156

157
    retval = pkinit_kdf(context, &secret, &alg_id.algorithm, u_principal,
158
                        v_principal, enctype, &as_req, &pk_as_rep, &key_block);
159
    if (retval) {
160
        printf("ERROR in pkinit_kdf_test: kdf call failed, retval = %d\n",
161
               retval);
162
        goto cleanup;
163
    }
164

165
    /* compare key to expected key value */
166

167
    if ((key_block.length == sizeof(key2_hex)) &&
168
        (0 == memcmp(key_block.contents, key2_hex, key_block.length))) {
169
        printf("SUCCESS: TEST 2 (SHA-256/AES), Correct key value generated.\n");
170
        retval = 0;
171
        /* free the keyblock contents, so we can use it for the next test */
172
        krb5_free_keyblock_contents(context, &key_block);
173
    } else {
174
        printf("FAILURE: TEST 2 (SHA-256/AES), Incorrect key value generated!\n");
175
        retval = 1;
176
        goto cleanup;
177
    }
178

179
    /* TEST 3: SHA-512/DES3 */
180
    /* set up algorithm id */
181
    alg_id.algorithm = kdf_sha512_id;
182

183
    enctype = enctype_des3;
184

185
    retval = pkinit_kdf(context, &secret, &alg_id.algorithm, u_principal,
186
                        v_principal, enctype, &as_req, &pk_as_rep, &key_block);
187
    if (retval) {
188
        printf("ERROR in pkinit_kdf_test: kdf call failed, retval = %d\n",
189
               retval);
190
        goto cleanup;
191
    }
192

193
    /* compare key to expected key value */
194

195
    if ((key_block.length == sizeof(key3_hex)) &&
196
        (0 == memcmp(key_block.contents, key3_hex, key_block.length))) {
197
        printf("SUCCESS: TEST 3 (SHA-512/DES3), Correct key value generated.\n");
198
        retval = 0;
199
    } else {
200
        printf("FAILURE: TEST 2 (SHA-512/DES3), Incorrect key value generated!\n");
201
        retval = 1;
202
        goto cleanup;
203
    }
204

205
cleanup:
206
    /* release all allocated resources, whether good or bad return */
207
    free(secret.data);
208
    krb5_free_principal(context, u_principal);
209
    krb5_free_principal(context, v_principal);
210
    krb5_free_keyblock_contents(context, &key_block);
211
    krb5_free_context(context);
212
    return retval ? 1 : 0;
213
}
214

215