From: Tobias Brunner Date: Fri, 28 Mar 2025 11:06:37 +0000 (+0100) Subject: Add configure option to disable testing key exchange methods X-Git-Tag: 6.0.2dr1~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6cbd93838bc17c57f20b4435c2d7b67adb1d908e;p=thirdparty%2Fstrongswan.git Add configure option to disable testing key exchange methods If this is used, the functionality to set a private key/value/seed for key exchange methods is removed (including from the interface to avoid accidentally forgetting to wrap implementations and uses of set_seed()). The set_seed() method is assigned outside the INIT() macro to avoid potentially undefined behavior (preprocessing directives in macro arguments). The test done by the crypto tester is a simple functionality test. --- diff --git a/configure.ac b/configure.ac index f0160dc2f0..c2c0212e85 100644 --- a/configure.ac +++ b/configure.ac @@ -70,6 +70,7 @@ ARG_WITH_SET([mpz_powm_sec], [yes], [use the more side-channel resistant ARG_WITH_SET([dev-headers], [no], [install strongSwan development headers to directory.]) ARG_WITH_SET([printf-hooks], [auto], [force the use of a specific printf hook implementation (auto, builtin, glibc, vstr).]) ARG_WITH_SET([rubygemdir], ["gem environment gemdir"], [path to install ruby gems to]) +ARG_WITH_SET([testable-ke], [yes], [make key exchange implementations testable by providing a set_seed() method]) if test -n "$PKG_CONFIG"; then systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd) @@ -1351,6 +1352,10 @@ if test x$unwind_backtraces = xtrue; then AC_SUBST(UNWINDLIB) fi +if test "x$testable_ke" = xyes; then + AC_DEFINE([TESTABLE_KE], [1], [Define to 1 if key exchange methods should be testable.]) +fi + AM_CONDITIONAL(USE_DEV_HEADERS, [test "x$dev_headers" != xno]) if test x$dev_headers = xyes; then dev_headers="$includedir/strongswan" diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index 1ce2522b30..2b0e2f716e 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -1690,6 +1690,8 @@ static u_int bench_ke(private_crypto_tester_t *this, return runs; } +#ifdef TESTABLE_KE + static bool test_single_ke(key_exchange_method_t method, ke_test_vector_t *v, ke_constructor_t create) { @@ -1769,14 +1771,54 @@ failure: chunk_free(&a_sec); chunk_free(&b_sec); DESTROY_IF(drbg); + return success; +} + +#else /* TESTABLE_KE */ + +static bool test_single_ke(key_exchange_method_t method, ke_constructor_t create) +{ + key_exchange_t *a = NULL, *b = NULL; + chunk_t a_pub, b_pub, a_sec, b_sec; + bool success = FALSE; + a_pub = b_pub = a_sec = b_sec = chunk_empty; + a = create(method); + b = create(method); + if (!a || !b) + { + goto failure; + } + if (!a->get_public_key(a, &a_pub) || + !b->set_public_key(b, a_pub) || + !b->get_shared_secret(b, &b_sec) || + !b->get_public_key(b, &b_pub) || + chunk_equals(a_pub, b_pub) || + !a->set_public_key(a, b_pub) || + !a->get_shared_secret(a, &a_sec) || + !chunk_equals(a_sec, b_sec)) + { + goto failure; + } + success = TRUE; + +failure: + DESTROY_IF(a); + DESTROY_IF(b); + chunk_free(&a_pub); + chunk_free(&b_pub); + chunk_free(&a_sec); + chunk_free(&b_sec); return success; } +#endif /* TESTABLE_KE */ + METHOD(crypto_tester_t, test_ke, bool, private_crypto_tester_t *this, key_exchange_method_t method, ke_constructor_t create, u_int *speed, const char *plugin_name) { +#ifdef TESTABLE_KE enumerator_t *enumerator; ke_test_vector_t *v; bool success = TRUE; @@ -1808,6 +1850,7 @@ METHOD(crypto_tester_t, test_ke, bool, key_exchange_method_names, method, plugin_name); return !this->required; } + if (success) { if (speed) @@ -1823,6 +1866,38 @@ METHOD(crypto_tester_t, test_ke, bool, } } return success; + +#else /* TESTABLE_KE */ + + if (method == MODP_CUSTOM) + { + DBG1(DBG_LIB, "enabled %N[%s]: untestable", + key_exchange_method_names, method, plugin_name); + return TRUE; + } + + if (!test_single_ke(method, create)) + { + DBG1(DBG_LIB, "disabled %N[%s]: failed basic test", + key_exchange_method_names, method, plugin_name); + return FALSE; + } + + if (speed) + { + *speed = bench_ke(this, method, create); + DBG1(DBG_LIB, "enabled %N[%s]: passed basic test (vector tests " + "disabled), %d points", key_exchange_method_names, method, + plugin_name, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N[%s]: passed basic test (vector tests " + "disabled)", key_exchange_method_names, method, plugin_name); + } + return TRUE; + +#endif /* TESTABLE_KE */ } METHOD(crypto_tester_t, add_crypter_vector, void, diff --git a/src/libstrongswan/crypto/key_exchange.h b/src/libstrongswan/crypto/key_exchange.h index dd790f887e..bf369c9d03 100644 --- a/src/libstrongswan/crypto/key_exchange.h +++ b/src/libstrongswan/crypto/key_exchange.h @@ -153,6 +153,8 @@ struct key_exchange_t { bool (*get_public_key)(key_exchange_t *this, chunk_t *value) __attribute__((warn_unused_result)); +#ifdef TESTABLE_KE + /** * Set a seed used for the derivation of private key material. * @@ -167,6 +169,8 @@ struct key_exchange_t { bool (*set_seed)(key_exchange_t *this, chunk_t value, drbg_t *drbg) __attribute__((warn_unused_result)); +#endif /* TESTABLE_KE */ + /** * Get the key exchange method used. * diff --git a/src/libstrongswan/plugins/botan/botan_diffie_hellman.c b/src/libstrongswan/plugins/botan/botan_diffie_hellman.c index 150c426cd0..175fa6333f 100644 --- a/src/libstrongswan/plugins/botan/botan_diffie_hellman.c +++ b/src/libstrongswan/plugins/botan/botan_diffie_hellman.c @@ -134,6 +134,8 @@ METHOD(key_exchange_t, get_public_key, bool, return TRUE; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_botan_diffie_hellman_t *this, chunk_t value, drbg_t *drbg) { @@ -141,6 +143,8 @@ METHOD(key_exchange_t, set_seed, bool, return load_private_key(this, value); } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, get_shared_secret, bool, private_botan_diffie_hellman_t *this, chunk_t *secret) { @@ -186,7 +190,6 @@ static botan_diffie_hellman_t *create_generic(key_exchange_method_t group, .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, @@ -194,6 +197,10 @@ static botan_diffie_hellman_t *create_generic(key_exchange_method_t group, .group = group, ); +#ifdef TESTABLE_KE + this->public.ke.set_seed = _set_seed; +#endif + if (!chunk_to_botan_mp(p, &this->p)) { destroy(this); diff --git a/src/libstrongswan/plugins/botan/botan_ec_diffie_hellman.c b/src/libstrongswan/plugins/botan/botan_ec_diffie_hellman.c index 7ec92ac432..c7c396f2a7 100644 --- a/src/libstrongswan/plugins/botan/botan_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/botan/botan_ec_diffie_hellman.c @@ -107,6 +107,8 @@ METHOD(key_exchange_t, get_public_key, bool, return TRUE; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_botan_ec_diffie_hellman_t *this, chunk_t value, drbg_t *drbg) { @@ -135,6 +137,8 @@ METHOD(key_exchange_t, set_seed, bool, return TRUE; } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, get_shared_secret, bool, private_botan_ec_diffie_hellman_t *this, chunk_t *secret) { @@ -177,7 +181,6 @@ botan_ec_diffie_hellman_t *botan_ec_diffie_hellman_create( .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, @@ -185,6 +188,10 @@ botan_ec_diffie_hellman_t *botan_ec_diffie_hellman_create( .group = group, ); +#ifdef TESTABLE_KE + this->public.ke.set_seed = _set_seed; +#endif + switch (group) { case ECP_256_BIT: diff --git a/src/libstrongswan/plugins/botan/botan_kem.c b/src/libstrongswan/plugins/botan/botan_kem.c index 6391cca759..e01dbdfeef 100644 --- a/src/libstrongswan/plugins/botan/botan_kem.c +++ b/src/libstrongswan/plugins/botan/botan_kem.c @@ -291,6 +291,8 @@ METHOD(key_exchange_t, get_method, key_exchange_method_t, return this->method; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_key_exchange_t *this, chunk_t value, drbg_t *drbg) { @@ -303,6 +305,8 @@ METHOD(key_exchange_t, set_seed, bool, return TRUE; } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, destroy, void, private_key_exchange_t *this) { @@ -343,12 +347,16 @@ key_exchange_t *botan_kem_create(key_exchange_method_t method) .get_public_key = _get_public_key, .set_public_key = _set_public_key, .get_shared_secret = _get_shared_secret, - .set_seed = _set_seed, .destroy = _destroy, }, .method = method, .name = strdup(name), ); + +#ifdef TESTABLE_KE + this->public.set_seed = _set_seed; +#endif + return &this->public; } diff --git a/src/libstrongswan/plugins/botan/botan_x25519.c b/src/libstrongswan/plugins/botan/botan_x25519.c index 888e6d716a..18ea7d1a65 100644 --- a/src/libstrongswan/plugins/botan/botan_x25519.c +++ b/src/libstrongswan/plugins/botan/botan_x25519.c @@ -93,6 +93,8 @@ METHOD(key_exchange_t, get_public_key, bool, return TRUE; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_diffie_hellman_t *this, chunk_t value, drbg_t *drbg) { @@ -115,6 +117,8 @@ METHOD(key_exchange_t, set_seed, bool, return TRUE; } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, get_shared_secret, bool, private_diffie_hellman_t *this, chunk_t *secret) { @@ -155,12 +159,15 @@ key_exchange_t *botan_x25519_create(key_exchange_method_t ke) .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, ); +#ifdef TESTABLE_KE + this->public.set_seed = _set_seed; +#endif + if (!botan_get_rng(&rng, RNG_STRONG)) { free(this); diff --git a/src/libstrongswan/plugins/curve25519/curve25519_dh.c b/src/libstrongswan/plugins/curve25519/curve25519_dh.c index 3ccb9f2163..f39ff28767 100644 --- a/src/libstrongswan/plugins/curve25519/curve25519_dh.c +++ b/src/libstrongswan/plugins/curve25519/curve25519_dh.c @@ -103,6 +103,8 @@ METHOD(key_exchange_t, get_public_key, bool, return FALSE; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_curve25519_dh_t *this, chunk_t value, drbg_t *drbg) { @@ -113,6 +115,8 @@ METHOD(key_exchange_t, set_seed, bool, return this->drv->set_key(this->drv, value.ptr); } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, get_shared_secret, bool, private_curve25519_dh_t *this, chunk_t *secret) { @@ -157,7 +161,6 @@ curve25519_dh_t *curve25519_dh_create(key_exchange_method_t group) .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, @@ -165,6 +168,10 @@ curve25519_dh_t *curve25519_dh_create(key_exchange_method_t group) .drv = curve25519_drv_probe(), ); +#ifdef TESTABLE_KE + this->public.ke.set_seed = _set_seed; +#endif + if (!this->drv) { free(this); diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c index f4cb0463db..b92433045f 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c @@ -143,6 +143,8 @@ METHOD(key_exchange_t, get_public_key, bool, return TRUE; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_gcrypt_dh_t *this, chunk_t value, drbg_t *drbg) { @@ -161,6 +163,8 @@ METHOD(key_exchange_t, set_seed, bool, return !err; } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, get_shared_secret, bool, private_gcrypt_dh_t *this, chunk_t *secret) { @@ -208,7 +212,6 @@ static gcrypt_dh_t *create_generic(key_exchange_method_t group, size_t exp_len, .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, @@ -216,6 +219,11 @@ static gcrypt_dh_t *create_generic(key_exchange_method_t group, size_t exp_len, .group = group, .p_len = p.len, ); + +#ifdef TESTABLE_KE + this->public.ke.set_seed = _set_seed; +#endif + err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG, p.ptr, p.len, NULL); if (err) { diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c index 8ce44f5ac0..df95f0064c 100644 --- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c +++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c @@ -135,6 +135,8 @@ METHOD(key_exchange_t, get_public_key, bool, return TRUE; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_gmp_diffie_hellman_t *this, chunk_t value, drbg_t *drbg) { @@ -144,6 +146,8 @@ METHOD(key_exchange_t, set_seed, bool, return TRUE; } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, get_shared_secret, bool, private_gmp_diffie_hellman_t *this, chunk_t *secret) { @@ -228,7 +232,6 @@ static gmp_diffie_hellman_t *create_generic(key_exchange_method_t group, .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, @@ -237,6 +240,10 @@ static gmp_diffie_hellman_t *create_generic(key_exchange_method_t group, .p_len = p.len, ); +#ifdef TESTABLE_KE + this->public.ke.set_seed = _set_seed; +#endif + mpz_init(this->p); mpz_init(this->yb); mpz_init(this->ya); diff --git a/src/libstrongswan/plugins/ml/ml_kem.c b/src/libstrongswan/plugins/ml/ml_kem.c index 409b580842..a19a7a4f16 100644 --- a/src/libstrongswan/plugins/ml/ml_kem.c +++ b/src/libstrongswan/plugins/ml/ml_kem.c @@ -941,6 +941,8 @@ METHOD(key_exchange_t, get_shared_secret, bool, return TRUE; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_key_exchange_t *this, chunk_t value, drbg_t *drbg) { @@ -949,6 +951,8 @@ METHOD(key_exchange_t, set_seed, bool, return TRUE; } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, destroy, void, private_key_exchange_t *this) { @@ -985,7 +989,6 @@ key_exchange_t *ml_kem_create(key_exchange_method_t method) .get_public_key = _get_public_key, .set_public_key = _set_public_key, .get_shared_secret = _get_shared_secret, - .set_seed = _set_seed, .destroy = _destroy, }, .method = method, @@ -996,6 +999,10 @@ key_exchange_t *ml_kem_create(key_exchange_method_t method) .H = lib->crypto->create_hasher(lib->crypto, HASH_SHA3_256), ); +#ifdef TESTABLE_KE + this->public.set_seed = _set_seed; +#endif + if (!this->shake128 || !this->shake256 || !this->G || !this->H) { destroy(this); diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c index ee1d03529a..1f0fbb7251 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c @@ -180,6 +180,7 @@ METHOD(key_exchange_t, set_public_key, bool, return TRUE; } +#ifdef TESTABLE_KE #if OPENSSL_VERSION_NUMBER >= 0x30000000L /** @@ -273,6 +274,7 @@ METHOD(key_exchange_t, set_seed, bool, } #endif /* OPENSSL_VERSION_NUMBER */ +#endif /* TESTABLE_KE */ METHOD(key_exchange_t, destroy, void, private_openssl_diffie_hellman_t *this) @@ -304,7 +306,6 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create( .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, @@ -312,6 +313,10 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create( .group = group, ); +#ifdef TESTABLE_KE + this->public.ke.set_seed = _set_seed; +#endif + if (group == MODP_CUSTOM) { chunk_t g_chunk, p_chunk; diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index 77933f4f59..70ce6dde0b 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -305,6 +305,8 @@ int openssl_ecdh_group_to_nid(key_exchange_method_t group) } } +#ifdef TESTABLE_KE + /** * Parse the given private key as BIGNUM and calculate the corresponding public * key as EC_POINT. @@ -429,6 +431,7 @@ error: } #endif /* OPENSSL_VERSION_NUMBER */ +#endif /* TESTABLE_KE */ METHOD(key_exchange_t, destroy, void, private_openssl_ec_diffie_hellman_t *this) @@ -460,7 +463,6 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(key_exchange_metho .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, @@ -468,6 +470,10 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(key_exchange_metho .group = group, ); +#ifdef TESTABLE_KE + this->public.ke.set_seed = _set_seed; +#endif + #if OPENSSL_VERSION_NUMBER >= 0x30000000L this->ec_group = EC_GROUP_new_by_curve_name(curve); this->key = EVP_EC_gen(OSSL_EC_curve_nid2name(curve)); diff --git a/src/libstrongswan/plugins/openssl/openssl_kem.c b/src/libstrongswan/plugins/openssl/openssl_kem.c index 4026672182..3a749a317a 100644 --- a/src/libstrongswan/plugins/openssl/openssl_kem.c +++ b/src/libstrongswan/plugins/openssl/openssl_kem.c @@ -324,6 +324,8 @@ METHOD(key_exchange_t, set_public_key, bool, private_key_exchange_t *this, return openssl_kem_encapsulate(this, value); } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_key_exchange_t *this, chunk_t ignore, drbg_t *seed) { @@ -336,6 +338,8 @@ METHOD(key_exchange_t, set_seed, bool, private_key_exchange_t *this, return TRUE; } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, destroy, void, private_key_exchange_t *this) { EVP_PKEY_free(this->pkey); @@ -357,12 +361,16 @@ key_exchange_t *openssl_kem_create(key_exchange_method_t method) .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, .group = method ); + +#ifdef TESTABLE_KE + this->public.set_seed = _set_seed; +#endif + return &this->public; } #endif /* OPENSSL_IS_AWSLC */ diff --git a/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c index 16c3edf5a6..1a75c043ec 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c @@ -114,6 +114,8 @@ METHOD(key_exchange_t, get_public_key, bool, return TRUE; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_key_exchange_t *this, chunk_t value, drbg_t *drbg) { @@ -127,6 +129,8 @@ METHOD(key_exchange_t, set_seed, bool, return TRUE; } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, get_shared_secret, bool, private_key_exchange_t *this, chunk_t *secret) { @@ -193,13 +197,17 @@ key_exchange_t *openssl_x_diffie_hellman_create(key_exchange_method_t ke) .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, .ke = ke, .key = key, ); + +#ifdef TESTABLE_KE + this->public.set_seed = _set_seed; +#endif + return &this->public; } diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_diffie_hellman.c b/src/libstrongswan/plugins/wolfssl/wolfssl_diffie_hellman.c index f0ad41f3b4..b32b40e058 100644 --- a/src/libstrongswan/plugins/wolfssl/wolfssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/wolfssl/wolfssl_diffie_hellman.c @@ -124,6 +124,8 @@ METHOD(key_exchange_t, set_public_key, bool, return TRUE; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_wolfssl_diffie_hellman_t *this, chunk_t value, drbg_t *drbg) { @@ -150,6 +152,8 @@ METHOD(key_exchange_t, set_seed, bool, return success; } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, get_method, key_exchange_method_t, private_wolfssl_diffie_hellman_t *this) { @@ -223,7 +227,6 @@ static wolfssl_diffie_hellman_t *create_generic(key_exchange_method_t group, .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, @@ -232,6 +235,10 @@ static wolfssl_diffie_hellman_t *create_generic(key_exchange_method_t group, .len = p.len, ); +#ifdef TESTABLE_KE + this->public.ke.set_seed = _set_seed; +#endif + if (wc_InitDhKey(&this->dh) != 0) { free(this); diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c index 4951b05f0b..969099b790 100644 --- a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c @@ -100,6 +100,41 @@ static bool ecp2chunk(int keysize, ecc_point *point, chunk_t *chunk, return wolfssl_mp_cat(keysize, point->x, y, chunk); } +METHOD(key_exchange_t, set_public_key, bool, + private_wolfssl_ec_diffie_hellman_t *this, chunk_t value) +{ + chunk_t uncomp; + + if (!key_exchange_verify_pubkey(this->group, value)) + { + return FALSE; + } + + /* prepend 0x04 to indicate uncompressed point format */ + uncomp = chunk_cata("cc", chunk_from_chars(0x04), value); + if (wc_ecc_import_x963_ex(uncomp.ptr, uncomp.len, &this->pubkey, + this->curve_id) != 0) + { + DBG1(DBG_LIB, "ECDH public value is malformed"); + return FALSE; + } + + if (wc_ecc_check_key(&this->pubkey) != 0) + { + DBG1(DBG_LIB, "ECDH public value is invalid"); + return FALSE; + } + return TRUE; +} + +METHOD(key_exchange_t, get_public_key, bool, + private_wolfssl_ec_diffie_hellman_t *this,chunk_t *value) +{ + return ecp2chunk(this->keysize, &this->key.pubkey, value, FALSE); +} + +#ifdef TESTABLE_KE + /** * Perform the elliptic curve scalar multiplication. */ @@ -136,39 +171,6 @@ static bool wolfssl_ecc_multiply(const ecc_set_type *ecc_set, mp_int *scalar, return ret == 0; } -METHOD(key_exchange_t, set_public_key, bool, - private_wolfssl_ec_diffie_hellman_t *this, chunk_t value) -{ - chunk_t uncomp; - - if (!key_exchange_verify_pubkey(this->group, value)) - { - return FALSE; - } - - /* prepend 0x04 to indicate uncompressed point format */ - uncomp = chunk_cata("cc", chunk_from_chars(0x04), value); - if (wc_ecc_import_x963_ex(uncomp.ptr, uncomp.len, &this->pubkey, - this->curve_id) != 0) - { - DBG1(DBG_LIB, "ECDH public value is malformed"); - return FALSE; - } - - if (wc_ecc_check_key(&this->pubkey) != 0) - { - DBG1(DBG_LIB, "ECDH public value is invalid"); - return FALSE; - } - return TRUE; -} - -METHOD(key_exchange_t, get_public_key, bool, - private_wolfssl_ec_diffie_hellman_t *this,chunk_t *value) -{ - return ecp2chunk(this->keysize, &this->key.pubkey, value, FALSE); -} - METHOD(key_exchange_t, set_seed, bool, private_wolfssl_ec_diffie_hellman_t *this, chunk_t value, drbg_t *drbg) { @@ -209,6 +211,8 @@ METHOD(key_exchange_t, set_seed, bool, return success; } +#endif /* TESTABLE_KE */ + /** * Derive the shared secret */ @@ -291,7 +295,6 @@ wolfssl_ec_diffie_hellman_t *wolfssl_ec_diffie_hellman_create(key_exchange_metho .get_shared_secret = _get_shared_secret, .set_public_key = _set_public_key, .get_public_key = _get_public_key, - .set_seed = _set_seed, .get_method = _get_method, .destroy = _destroy, }, @@ -299,6 +302,10 @@ wolfssl_ec_diffie_hellman_t *wolfssl_ec_diffie_hellman_create(key_exchange_metho .group = group, ); +#ifdef TESTABLE_KE + this->public.ke.set_seed = _set_seed; +#endif + if (wc_ecc_init(&this->key) != 0 || wc_ecc_init(&this->pubkey) != 0) { DBG1(DBG_LIB, "key init failed, ecdh create failed"); diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_kem.c b/src/libstrongswan/plugins/wolfssl/wolfssl_kem.c index 4dbec640e4..91b9db2cbd 100644 --- a/src/libstrongswan/plugins/wolfssl/wolfssl_kem.c +++ b/src/libstrongswan/plugins/wolfssl/wolfssl_kem.c @@ -254,6 +254,8 @@ METHOD(key_exchange_t, get_method, key_exchange_method_t, return this->method; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed, bool, private_key_exchange_t *this, chunk_t value, drbg_t *drbg) { @@ -266,6 +268,8 @@ METHOD(key_exchange_t, set_seed, bool, return TRUE; } +#endif /* TESTABLE_KE */ + METHOD(key_exchange_t, destroy, void, private_key_exchange_t *this) { @@ -312,12 +316,16 @@ key_exchange_t *wolfssl_kem_create(key_exchange_method_t method) .get_public_key = _get_public_key, .set_public_key = _set_public_key, .get_shared_secret = _get_shared_secret, - .set_seed = _set_seed, .destroy = _destroy, }, .method = method, .type = type, ); + +#ifdef TESTABLE_KE + this->public.set_seed = _set_seed; +#endif + return &this->public; } diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_x_diffie_hellman.c b/src/libstrongswan/plugins/wolfssl/wolfssl_x_diffie_hellman.c index d211cb3a73..821d590907 100644 --- a/src/libstrongswan/plugins/wolfssl/wolfssl_x_diffie_hellman.c +++ b/src/libstrongswan/plugins/wolfssl/wolfssl_x_diffie_hellman.c @@ -142,6 +142,8 @@ METHOD(key_exchange_t, get_public_key_25519, bool, return TRUE; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed_25519, bool, private_diffie_hellman_t *this, chunk_t value, drbg_t *drbg) { @@ -170,7 +172,7 @@ METHOD(key_exchange_t, set_seed_25519, bool, } return ret == 0; } - +#endif /* TESTABLE_KE */ #endif /* HAVE_CURVE25519 */ #ifdef HAVE_CURVE448 @@ -229,6 +231,8 @@ METHOD(key_exchange_t, get_public_key_448, bool, return TRUE; } +#ifdef TESTABLE_KE + METHOD(key_exchange_t, set_seed_448, bool, private_diffie_hellman_t *this, chunk_t value, drbg_t *drbg) { @@ -258,6 +262,7 @@ METHOD(key_exchange_t, set_seed_448, bool, return ret == 0; } +#endif /* TESTABLE_KE */ #endif /* HAVE_CURVE448 */ METHOD(key_exchange_t, get_method, key_exchange_method_t, @@ -317,7 +322,9 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group) this->public.get_shared_secret = _get_shared_secret_25519; this->public.set_public_key = _set_public_key_25519; this->public.get_public_key = _get_public_key_25519; +#ifdef TESTABLE_KE this->public.set_seed = _set_seed_25519; +#endif if (wc_curve25519_init(&this->key.key25519) != 0 || wc_curve25519_init(&this->pub.key25519) != 0) @@ -336,7 +343,9 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group) this->public.get_shared_secret = _get_shared_secret_448; this->public.set_public_key = _set_public_key_448; this->public.get_public_key = _get_public_key_448; +#ifdef TESTABLE_KE this->public.set_seed = _set_seed_448; +#endif if (wc_curve448_init(&this->key.key448) != 0 || wc_curve448_init(&this->pub.key448) != 0)