Enable gtest and write testcases for Integrity & Conf algorithms
Resolves openbmc/openbmc#870
Resolves openbmc/openbmc#447
Change-Id: Idfeaf7b0c458faefc0e825419539f9500ee3ae8c
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>
diff --git a/Makefile.am b/Makefile.am
index f4d7856..fbd2116 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -45,3 +45,5 @@
netipmid_LDFLAGS = $(SYSTEMD_LIBS) $(CRYPTO_LIBS) $(libmapper_LIBS) $(LIBADD_DLOPEN) -export-dynamic
netipmid_CXXFLAGS = $(SYSTEMD_CFLAGS) $(libmapper_CFLAGS)
+SUBDIRS = test
+
diff --git a/configure.ac b/configure.ac
index a16ddc8..715bf56 100644
--- a/configure.ac
+++ b/configure.ac
@@ -14,6 +14,27 @@
# Surpress the --with-libtool-sysroot error
LT_INIT
+# Check/set gtest specific functions.
+AX_PTHREAD([GTEST_CPPFLAGS="-DGTEST_HAS_PTHREAD=1"],[GTEST_CPPFLAGS="-DGTEST_HAS_PTHREAD=0"])
+AC_SUBST(GTEST_CPPFLAGS)
+AC_ARG_ENABLE([oe-sdk],
+ AS_HELP_STRING([--enable-oe-sdk], [Link testcases absolutely against OE SDK so they can be ran within it.])
+)
+AC_ARG_VAR(OECORE_TARGET_SYSROOT,
+ [Path to the OE SDK SYSROOT])
+AS_IF([test "x$enable_oe_sdk" == "xyes"],
+ AS_IF([test "x$OECORE_TARGET_SYSROOT" == "x"],
+ AC_MSG_ERROR([OECORE_TARGET_SYSROOT must be set with --enable-oe-sdk])
+ )
+ AC_MSG_NOTICE([Enabling OE-SDK at $OECORE_TARGET_SYSROOT])
+ [
+ testcase_flags="-Wl,-rpath,\${OECORE_TARGET_SYSROOT}/lib"
+ testcase_flags="${testcase_flags} -Wl,-rpath,\${OECORE_TARGET_SYSROOT}/usr/lib"
+ testcase_flags="${testcase_flags} -Wl,-dynamic-linker,`find \${OECORE_TARGET_SYSROOT}/lib/ld-*.so | sort -r -n | head -n1`"
+ ]
+ AC_SUBST([OESDK_TESTCASE_FLAGS], [$testcase_flags])
+)
+
# Checks for typedefs, structures, and compiler characteristics.
AX_CXX_COMPILE_STDCXX_14([noext])
AX_APPEND_COMPILE_FLAGS([-Wall -Werror], [CXXFLAGS])
@@ -31,5 +52,5 @@
LT_INIT([dlopen disable-static shared])
LT_LIB_DLLOAD
-AC_CONFIG_FILES([Makefile])
+AC_CONFIG_FILES([Makefile test/Makefile])
AC_OUTPUT
diff --git a/test/Makefile.am b/test/Makefile.am
new file mode 100644
index 0000000..b4996d0
--- /dev/null
+++ b/test/Makefile.am
@@ -0,0 +1,14 @@
+AM_CPPFLAGS = -I$(top_srcdir)
+
+# Run all 'check' test programs
+TESTS = $(check_PROGRAMS)
+
+# # Build/add utest to test suite
+check_PROGRAMS = utest
+utest_CPPFLAGS = -Igtest $(GTEST_CPPFLAGS) $(AM_CPPFLAGS)
+utest_CXXFLAGS = $(PTHREAD_CFLAGS)
+utest_LDFLAGS = -lgtest_main -lgtest $(PTHREAD_LIBS) $(OESDK_TESTCASE_FLAGS) $(CRYPTO_LIBS)
+utest_SOURCES = cipher.cpp
+utest_LDADD = \
+ $(top_builddir)/integrity_algo.cpp \
+ $(top_builddir)/crypt_algo.cpp
\ No newline at end of file
diff --git a/test/cipher.cpp b/test/cipher.cpp
new file mode 100644
index 0000000..84929d6
--- /dev/null
+++ b/test/cipher.cpp
@@ -0,0 +1,336 @@
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
+#include <iostream>
+#include <vector>
+#include "crypt_algo.hpp"
+#include "integrity_algo.hpp"
+#include "message_parsers.hpp"
+#include <gtest/gtest.h>
+
+TEST(IntegrityAlgo, HMAC_SHA1_96_GenerateIntegrityDataCheck)
+{
+ /*
+ * Step-1 Generate Integrity Data for the packet, using the implemented API
+ */
+ // Packet = RMCP Session Header (4 bytes) + Packet (8 bytes)
+ std::vector<uint8_t> packet = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
+
+ // Hardcoded Session Integrity Key
+ std::vector<uint8_t> sik = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
+ 13, 14, 15, 16};
+
+ auto algoPtr = std::make_unique<cipher::integrity::AlgoSHA1>(sik);
+
+ ASSERT_EQ(true, (algoPtr != NULL));
+
+ // Generate the Integrity Data
+ auto response = algoPtr->generateIntegrityData(packet);
+
+ EXPECT_EQ(true, (response.size() ==
+ cipher::integrity::AlgoSHA1::SHA1_96_AUTHCODE_LENGTH));
+
+ /*
+ * Step-2 Generate Integrity data using OpenSSL SHA1 algorithm
+ */
+ cipher::integrity::Key K1;
+ constexpr cipher::integrity::Key const1 = { 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01
+ };
+
+ // Generated K1 for the integrity algorithm with the additional key keyed
+ // with SIK.
+ unsigned int mdLen = 0;
+ if (HMAC(EVP_sha1(), sik.data(), sik.size(), const1.data(),
+ const1.size(), K1.data(), &mdLen) == NULL)
+ {
+ FAIL() << "Generating Key1 failed";
+ }
+
+ mdLen = 0;
+ cipher::integrity::Buffer output(SHA_DIGEST_LENGTH);
+ size_t length = packet.size() - message::parser::RMCP_SESSION_HEADER_SIZE;
+
+ if (HMAC(EVP_sha1(), K1.data(), K1.size(),
+ packet.data() + message::parser::RMCP_SESSION_HEADER_SIZE,
+ length,
+ output.data(), &mdLen) == NULL)
+ {
+ FAIL() << "Generating integrity data failed";
+ }
+
+ output.resize(cipher::integrity::AlgoSHA1::SHA1_96_AUTHCODE_LENGTH);
+
+ /*
+ * Step-3 Check if the integrity data we generated using the implemented API
+ * matches with one generated by OpenSSL SHA1 algorithm.
+ */
+ auto check = std::equal(output.begin(), output.end(), response.begin());
+ EXPECT_EQ(true, check);
+}
+
+TEST(IntegrityAlgo, HMAC_SHA1_96_VerifyIntegrityDataPass)
+{
+ /*
+ * Step-1 Generate Integrity data using OpenSSL SHA1 algorithm
+ */
+
+ // Packet = RMCP Session Header (4 bytes) + Packet (8 bytes)
+ std::vector<uint8_t> packet = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
+
+ // Hardcoded Session Integrity Key
+ std::vector<uint8_t> sik = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
+ 13, 14, 15, 16};
+
+ cipher::integrity::Key K1;
+ constexpr cipher::integrity::Key const1 = { 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01
+ };
+
+ // Generated K1 for the integrity algorithm with the additional key keyed
+ // with SIK.
+ unsigned int mdLen = 0;
+ if (HMAC(EVP_sha1(), sik.data(), sik.size(), const1.data(),
+ const1.size(), K1.data(), &mdLen) == NULL)
+ {
+ FAIL() << "Generating Key1 failed";
+ }
+
+ mdLen = 0;
+ cipher::integrity::Buffer output(SHA_DIGEST_LENGTH);
+ size_t length = packet.size() - message::parser::RMCP_SESSION_HEADER_SIZE;
+
+ if (HMAC(EVP_sha1(), K1.data(), K1.size(),
+ packet.data() + message::parser::RMCP_SESSION_HEADER_SIZE,
+ length,
+ output.data(), &mdLen) == NULL)
+ {
+ FAIL() << "Generating integrity data failed";
+ }
+
+ output.resize(cipher::integrity::AlgoSHA1::SHA1_96_AUTHCODE_LENGTH);
+
+ /*
+ * Step-2 Insert the integrity data into the packet
+ */
+ auto packetSize = packet.size();
+ packet.insert(packet.end(), output.begin(), output.end());
+
+ // Point to the integrity data in the packet
+ auto integrityIter = packet.cbegin();
+ std::advance(integrityIter, packetSize);
+
+ /*
+ * Step-3 Invoke the verifyIntegrityData API and validate the response
+ */
+
+ auto algoPtr = std::make_unique<cipher::integrity::AlgoSHA1>(sik);
+ ASSERT_EQ(true, (algoPtr != NULL));
+
+ auto check = algoPtr->verifyIntegrityData(
+ packet,
+ packetSize - message::parser::RMCP_SESSION_HEADER_SIZE,
+ integrityIter);
+
+ EXPECT_EQ(true, check);
+}
+
+TEST(IntegrityAlgo, HMAC_SHA1_96_VerifyIntegrityDataFail)
+{
+ /*
+ * Step-1 Add hardcoded Integrity data to the packet
+ */
+
+ // Packet = RMCP Session Header (4 bytes) + Packet (8 bytes)
+ std::vector<uint8_t> packet = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
+
+ std::vector<uint8_t> integrity = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
+
+ packet.insert(packet.end(), integrity.begin(), integrity.end());
+
+ // Point to the integrity data in the packet
+ auto integrityIter = packet.cbegin();
+ std::advance(integrityIter, packet.size());
+
+ /*
+ * Step-2 Invoke the verifyIntegrityData API and validate the response
+ */
+
+ // Hardcoded Session Integrity Key
+ std::vector<uint8_t> sik = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
+ 13, 14, 15, 16};
+
+ auto algoPtr = std::make_unique<cipher::integrity::AlgoSHA1>(sik);
+
+ ASSERT_EQ(true, (algoPtr != NULL));
+
+
+ // Verify the Integrity Data
+ auto check = algoPtr->verifyIntegrityData(
+ packet,
+ packet.size() - message::parser::RMCP_SESSION_HEADER_SIZE,
+ integrityIter);
+
+ EXPECT_EQ(false, check);
+}
+
+TEST(CryptAlgo, AES_CBC_128_EncryptPayloadValidate)
+{
+ /*
+ * Step-1 Generate the encrypted data using the implemented API for
+ * AES-CBC-128
+ */
+ std::vector<uint8_t> payload = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
+
+ // Hardcoded Session Integrity Key
+ std::vector<uint8_t> sik = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
+ 13, 14, 15, 16};
+
+ auto cryptPtr = std::make_unique<cipher::crypt::AlgoAES128>(sik);
+
+ ASSERT_EQ(true, (cryptPtr != NULL));
+
+ auto cipher = cryptPtr->encryptPayload(payload);
+
+ /*
+ * Step-2 Decrypt the encrypted payload using OpenSSL EVP_aes_128_cbc()
+ * implementation
+ */
+
+ EVP_CIPHER_CTX ctx;
+ EVP_CIPHER_CTX_init(&ctx);
+ cipher::crypt::key k2;
+ unsigned int mdLen = 0;
+ constexpr cipher::crypt::key const1 = { 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02
+ };
+
+ // Generated K2 for the confidentiality algorithm with the additional key
+ // keyed with SIK.
+ if (HMAC(EVP_sha1(), sik.data(), sik.size(), const1.data(),
+ const1.size(), k2.data(), &mdLen) == NULL)
+ {
+ FAIL() << "Generating K2 for confidentiality algorithm failed";
+ }
+
+ if (!EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, k2.data(),
+ cipher.data()))
+ {
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ FAIL() << "EVP_DecryptInit_ex failed for type AES-CBC-128";
+ }
+
+ EVP_CIPHER_CTX_set_padding(&ctx, 0);
+ std::vector<uint8_t> output(
+ cipher.size() + cipher::crypt::AlgoAES128::AESCBC128BlockSize);
+ int outputLen = 0;
+
+ if (!EVP_DecryptUpdate(&ctx, output.data(), &outputLen,
+ cipher.data() +
+ cipher::crypt::AlgoAES128::AESCBC128ConfHeader,
+ cipher.size() -
+ cipher::crypt::AlgoAES128::AESCBC128ConfHeader))
+ {
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ FAIL() << "EVP_DecryptUpdate failed";
+ }
+
+ output.resize(outputLen);
+ EVP_CIPHER_CTX_cleanup(&ctx);
+
+ /*
+ * Step -3 Check if the plain payload matches with the decrypted one
+ */
+ auto check = std::equal(payload.begin(), payload.end(), output.begin());
+ EXPECT_EQ(true, check);
+}
+
+TEST(CryptAlgo, AES_CBC_128_DecryptPayloadValidate)
+{
+ /*
+ * Step-1 Encrypt the payload using OpenSSL EVP_aes_128_cbc()
+ * implementation
+ */
+
+ std::vector<uint8_t> payload = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
+ 13, 14, 15, 16};
+ payload.resize(payload.size() + 1);
+ payload.back() = 0;
+
+ // Hardcoded Session Integrity Key
+ std::vector<uint8_t> sik = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
+ 13, 14, 15, 16};
+ EVP_CIPHER_CTX ctx;
+ EVP_CIPHER_CTX_init(&ctx);
+ cipher::crypt::key k2;
+ unsigned int mdLen = 0;
+ constexpr cipher::crypt::key const1 = { 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02
+ };
+ std::vector<uint8_t> output(
+ payload.size() + cipher::crypt::AlgoAES128::AESCBC128BlockSize);
+
+ if (!RAND_bytes(output.data(),
+ cipher::crypt::AlgoAES128::AESCBC128ConfHeader))
+ {
+ FAIL() << "RAND_bytes failed";
+ }
+
+ // Generated K2 for the confidentiality algorithm with the additional key
+ // keyed with SIK.
+ if (HMAC(EVP_sha1(), sik.data(), sik.size(), const1.data(),
+ const1.size(), k2.data(), &mdLen) == NULL)
+ {
+ FAIL() << "Generating K2 for confidentiality algorithm failed";
+ }
+
+ if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, k2.data(),
+ output.data()))
+ {
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ FAIL() << "EVP_EncryptInit_ex failed for type AES-CBC-128";
+ }
+
+ EVP_CIPHER_CTX_set_padding(&ctx, 0);
+ int outputLen = 0;
+
+ if (!EVP_EncryptUpdate(&ctx,
+ output.data() +
+ cipher::crypt::AlgoAES128::AESCBC128ConfHeader,
+ &outputLen,
+ payload.data(),
+ payload.size()))
+ {
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ FAIL() << "EVP_EncryptUpdate failed";
+ }
+
+ output.resize(cipher::crypt::AlgoAES128::AESCBC128ConfHeader + outputLen);
+ EVP_CIPHER_CTX_cleanup(&ctx);
+
+ /*
+ * Step-2 Decrypt the encrypted payload using the implemented API for
+ * AES-CBC-128
+ */
+
+ auto cryptPtr = std::make_unique<cipher::crypt::AlgoAES128>(sik);
+
+ ASSERT_EQ(true, (cryptPtr != NULL));
+
+ auto plain = cryptPtr->decryptPayload(output, 0, output.size());
+
+ /*
+ * Step -3 Check if the plain payload matches with the decrypted one
+ */
+ auto check = std::equal(payload.begin(), payload.end(), plain.begin());
+ EXPECT_EQ(true, check);
+}