Merge pull request #715 from cisco/bugfix/kda

Fix KDA check, remove hash msg MCT inclusion, interate version (throttle branch)
cisco · Aug 12, 2022 · e40e654 · e40e654
2 parents 32215c6 + d8e4d12
commit e40e654
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 73 deletions.
diff --git a/configure b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libacvp 1.5.0.
+# Generated by GNU Autoconf 2.69 for libacvp 1.5.2.
 #
 # Report bugs to <https://github.com/cisco/libacvp/issues>.
 #
@@ -729,8 +729,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='libacvp'
 PACKAGE_TARNAME='libacvp'
-PACKAGE_VERSION='1.5.0'
-PACKAGE_STRING='libacvp 1.5.0'
+PACKAGE_VERSION='1.5.2'
+PACKAGE_STRING='libacvp 1.5.2'
 PACKAGE_BUGREPORT='https://github.com/cisco/libacvp/issues'
 PACKAGE_URL=''
 
@@ -1494,7 +1494,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures libacvp 1.5.0 to adapt to many kinds of systems.
+\`configure' configures libacvp 1.5.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1564,7 +1564,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of libacvp 1.5.0:";;
+     short | recursive ) echo "Configuration of libacvp 1.5.2:";;
    esac
   cat <<\_ACEOF
 
@@ -1697,7 +1697,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-libacvp configure 1.5.0
+libacvp configure 1.5.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1975,7 +1975,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by libacvp $as_me 1.5.0, which was
+It was created by libacvp $as_me 1.5.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2874,7 +2874,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='libacvp'
- VERSION='1.5.0'
+ VERSION='1.5.2'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -12109,7 +12109,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by libacvp $as_me 1.5.0, which was
+This file was extended by libacvp $as_me 1.5.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -12166,7 +12166,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-libacvp config.status 1.5.0
+libacvp config.status 1.5.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

diff --git a/configure.ac b/configure.ac
@@ -13,7 +13,7 @@
 #
 m4_define([libacvp_major_version], [1])
 m4_define([libacvp_minor_version], [5])
-m4_define([libacvp_micro_version], [0])
+m4_define([libacvp_micro_version], [2])
 AC_INIT([libacvp], [libacvp_major_version.libacvp_minor_version.libacvp_micro_version], [https://github.com/cisco/libacvp/issues])
 
 # Safety checks in case user overwritten --srcdir

diff --git a/include/acvp/acvp_lcl.h b/include/acvp/acvp_lcl.h
@@ -13,8 +13,8 @@
 #include "parson.h"
 
 #define ACVP_VERSION    "1.0"
-#define ACVP_LIBRARY_VERSION_NUMBER "1.5.0"
-#define ACVP_LIBRARY_VERSION    "libacvp_oss-1.5.0"
+#define ACVP_LIBRARY_VERSION_NUMBER "1.5.2"
+#define ACVP_LIBRARY_VERSION    "libacvp_oss-1.5.2"
 
 
 #ifndef ACVP_LOG_ERR
@@ -842,7 +842,7 @@
 #define ACVP_KDA_FIXED_STR_MAX (ACVP_KDA_FIXED_BIT_MAX >> 2)
 #define ACVP_KDA_FIXED_BYTE_MAX (ACVP_KDA_FIXED_BIT_MAX >> 3)
 
-#define ACVP_KDA_SALT_BIT_MAX 512 //seems tied to hmac length, unclear
+#define ACVP_KDA_SALT_BIT_MAX 1152 //SHA maximum block size
 #define ACVP_KDA_SALT_STR_MAX (ACVP_KDA_SALT_BIT_MAX >> 2)
 #define ACVP_KDA_SALT_BYTE_MAX (ACVP_KDA_SALT_BIT_MAX >> 3)
 

diff --git a/src/acvp_hash.c b/src/acvp_hash.c
@@ -107,7 +107,6 @@ static ACVP_RESULT acvp_hash_mct_tc(ACVP_CTX *ctx,
     JSON_Value *r_tval = NULL;  /* Response testval */
     JSON_Object *r_tobj = NULL; /* Response testobj */
     char *tmp = NULL;
-    unsigned char *msg = NULL;
 
     tmp = calloc(ACVP_HASH_MSG_STR_MAX * 3, sizeof(char));
     if (!tmp) {
@@ -126,33 +125,11 @@ static ACVP_RESULT acvp_hash_mct_tc(ACVP_CTX *ctx,
         r_tval = json_value_init_object();
         r_tobj = json_value_get_object(r_tval);
 
-        msg = calloc(ACVP_HASH_MSG_BYTE_MAX * 3, sizeof(unsigned char));
-        if (!msg) {
-            ACVP_LOG_ERR("Unable to malloc");
-            free(tmp);
-            json_value_free(r_tval);
-            return ACVP_MALLOC_FAIL;
-        }
-
-        memcpy_s(msg, ACVP_HASH_MSG_BYTE_MAX, stc->m1, stc->msg_len);
-        memcpy_s(msg + stc->msg_len, (ACVP_HASH_MSG_BYTE_MAX - stc->msg_len), stc->m2, stc->msg_len);
-        memcpy_s(msg + (stc->msg_len * 2), (ACVP_HASH_MSG_BYTE_MAX - (stc->msg_len * 2)), stc->m3, stc->msg_len);
-
-        rv = acvp_bin_to_hexstr(msg, stc->msg_len * 3, tmp, ACVP_HASH_MSG_STR_MAX * 3);
-        if (rv != ACVP_SUCCESS) {
-            ACVP_LOG_ERR("hex conversion failure (msg)");
-            free(msg);
-            free(tmp);
-            json_value_free(r_tval);
-            return rv;
-        }
-        json_object_set_string(r_tobj, "msg", tmp);
         for (j = 0; j < ACVP_HASH_MCT_INNER; ++j) {
             /* Process the current SHA test vector... */
             rv = (cap->crypto_handler)(tc);
             if (rv != ACVP_SUCCESS) {
                 ACVP_LOG_ERR("crypto module failed the operation");
-                free(msg);
                 free(tmp);
                 json_value_free(r_tval);
                 return ACVP_CRYPTO_MODULE_FAIL;
@@ -164,7 +141,6 @@ static ACVP_RESULT acvp_hash_mct_tc(ACVP_CTX *ctx,
             rv = acvp_hash_mct_iterate_tc(stc);
             if (rv != ACVP_SUCCESS) {
                 ACVP_LOG_ERR("Failed the MCT iteration changes");
-                free(msg);
                 free(tmp);
                 json_value_free(r_tval);
                 return rv;
@@ -176,7 +152,6 @@ static ACVP_RESULT acvp_hash_mct_tc(ACVP_CTX *ctx,
         rv = acvp_hash_output_mct_tc(ctx, stc, r_tobj);
         if (rv != ACVP_SUCCESS) {
             ACVP_LOG_ERR("JSON output failure in HASH module");
-            free(msg);
             free(tmp);
             json_value_free(r_tval);
             return rv;
@@ -188,7 +163,6 @@ static ACVP_RESULT acvp_hash_mct_tc(ACVP_CTX *ctx,
         memcpy_s(stc->m1, ACVP_HASH_MD_BYTE_MAX, stc->m3, stc->msg_len);
         memcpy_s(stc->m2, ACVP_HASH_MD_BYTE_MAX, stc->m3, stc->msg_len);
 
-        free(msg);
     }
 
     free(tmp);
@@ -210,13 +184,6 @@ static ACVP_RESULT acvp_hash_sha3_mct(ACVP_CTX *ctx,
     ACVP_RESULT rv = 0;
     JSON_Value *r_tval = NULL;  /* Response testval */
     JSON_Object *r_tobj = NULL; /* Response testobj */
-    char *tmp = NULL;
-
-    tmp = calloc(ACVP_HASH_MSG_STR_MAX, sizeof(char));
-    if (!tmp) {
-        ACVP_LOG_ERR("Unable to malloc");
-        return ACVP_MALLOC_FAIL;
-    }
 
     /* ***********
      * OUTER LOOP
@@ -229,14 +196,6 @@ static ACVP_RESULT acvp_hash_sha3_mct(ACVP_CTX *ctx,
         r_tval = json_value_init_object();
         r_tobj = json_value_get_object(r_tval);
 
-        rv = acvp_bin_to_hexstr(stc->msg, stc->msg_len, tmp, ACVP_HASH_MSG_STR_MAX);
-        if (rv != ACVP_SUCCESS) {
-            ACVP_LOG_ERR("hex conversion failure (msg)");
-            goto end;
-        }
-
-        json_object_set_string(r_tobj, "msg", tmp);
-
         /* ***********
          * INNER LOOP
          * ***********
@@ -287,7 +246,6 @@ static ACVP_RESULT acvp_hash_sha3_mct(ACVP_CTX *ctx,
     }
 
 end:
-    if (tmp) free(tmp);
     if (rv != ACVP_SUCCESS && r_tval) json_value_free(r_tval);
 
     return rv;

diff --git a/src/acvp_kda.c b/src/acvp_kda.c
@@ -796,15 +796,13 @@ static ACVP_RESULT acvp_kda_process(ACVP_CTX *ctx,
             rv = ACVP_MALFORMED_JSON;
             goto err;
         }
-        /** temporarily disabling this check due to issue with NIST server
         saltLen = json_object_get_number(configobj, "saltLen");
-        //saltLen seems tied to hashAlg bit length. Spec unclear as of writing.
-        if (saltLen % 8 != 0 || saltLen < 0 || saltLen > 512) {
+        if (saltLen % 8 != 0 || saltLen < 0 || saltLen > ACVP_KDA_SALT_BIT_MAX) {
             ACVP_LOG_ERR("Invalid saltLen provided by server");
             rv = ACVP_MALFORMED_JSON;
             goto err;
         }
-        */
+
         l = json_object_get_number(configobj, "l");
         if (cipher == ACVP_KDA_HKDF) {
             kdfcap = acvp_locate_cap_entry(ctx, ACVP_KDA_HKDF);
@@ -879,24 +877,12 @@ static ACVP_RESULT acvp_kda_process(ACVP_CTX *ctx,
                     rv = ACVP_MALFORMED_JSON;
                     goto err;
                 }
-                //assume max salt len is mac alg max length, currently 512
-                /** temporarily disabling this check due to issue with NIST server
-                if ((int)strnlen_s(salt, 128) != saltLen / 4) {
+                if ((int)strnlen_s(salt, ACVP_KDA_SALT_STR_MAX + 1) != saltLen / 4) {
                     ACVP_LOG_ERR("salt wrong length, should match provided saltLen %d",
                                 saltLen);
                     rv = ACVP_MALFORMED_JSON;
                     goto err;
                 }
-                */
-            }
-            //temporary saltLen measurement
-            saltLen = strnlen_s(salt, 129);
-            if (saltLen > 128) {
-                ACVP_LOG_ERR("saltLen too long");
-                rv = ACVP_MALFORMED_JSON;
-                goto err;
-            } else {
-                saltLen *= 4;
             }
 
             z = json_object_get_string(paramobj, "z");