#include <stdlib.h>

#include <popt.h>

#include <check.h>

#include "util/util.h"

#include "tests/common_check.h"

#include "util/crypto/sss_crypto.h"

#include "util/crypto/nss/nss_util.h"

static TALLOC_CTX *test_ctx = NULL;

#ifdef HAVE_NSS

START_TEST(test_nss_init)

{

int ret;

ret = nspr_nss_init();

fail_if(ret != EOK);

ret = nspr_nss_cleanup();

fail_if(ret != EOK);

}

#endif

START_TEST(test_sss_password_encrypt_decrypt)

{

const char *password[] = { "test123", /* general */

"12345678901234567", /* just above blocksize */

"", /* empty */

NULL}; /* sentinel */

int i;

char *obfpwd = NULL;

char *ctpwd = NULL;

int ret;

int expected;

#if defined(HAVE_NSS) || defined(HAVE_LIBCRYPTO)

expected = EOK;

#else

#error Unknown crypto back end

#endif

test_ctx = talloc_new(NULL);

fail_if(test_ctx == NULL);

ck_leaks_push(test_ctx);

for (i=0; password[i]; i++) {

ret = sss_password_encrypt(test_ctx, password[i], strlen(password[i])+1,

AES_256, &obfpwd);

fail_if(ret != expected);

ret = sss_password_decrypt(test_ctx, obfpwd, &ctpwd);

fail_if(ret != expected);

fail_if(ctpwd && strcmp(password[i], ctpwd) != 0);

talloc_free(obfpwd);

talloc_free(ctpwd);

}

ck_leaks_pop(test_ctx);

talloc_free(test_ctx);

}

START_TEST(test_hmac_sha1)

{

const char *message = "test message";

const char *keys[] = {

"short",

"proper6789012345678901234567890123456789012345678901234567890123",

"longlonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglong",

NULL };

const char *results[] = {

"\x2b\x27\x53\x07\x17\xd8\xc0\x8f\x97\x27\xdd\xb3\xec\x41\xd8\xa3\x94\x97\xaa\x35",

"\x37\xe7\x0a\x6f\x71\x0b\xa9\x93\x81\x53\x8f\x5c\x06\x83\x44\x2f\xc9\x41\xe3\xed",

"\xbd\x99\xa7\x7f\xfc\x5e\xde\x04\x32\x7f\x7b\x71\x4d\xc0\x3f\x51\x2d\x25\x01\x28",

NULL };

unsigned char out[SSS_SHA1_LENGTH];

int ret, expected;

int i;

#if defined(HAVE_NSS) || defined(HAVE_LIBCRYPTO)

expected = EOK;

#else

#error Unknown crypto back end

#endif

for (i = 0; keys[i]; i++) {

ret = sss_hmac_sha1((const unsigned char *)keys[i], strlen(keys[i]),

(const unsigned char *)message, strlen(message),

out);

fail_if(ret != expected);

fail_if(ret == EOK && memcmp(out, results[i], SSS_SHA1_LENGTH) != 0);

}

}

START_TEST(test_base64_encode)

{

const unsigned char obfbuf[] = "test";

const char expected[] = "dGVzdA==";

char *obfpwd = NULL;

test_ctx = talloc_new(NULL);

fail_if(test_ctx == NULL);

/* Base64 encode the buffer */

obfpwd = sss_base64_encode(test_ctx, obfbuf, strlen((const char*)obfbuf));

fail_if(obfpwd == NULL);

fail_if(strcmp(obfpwd,expected) != 0);

talloc_free(test_ctx);

}

START_TEST(test_base64_decode)

{

unsigned char *obfbuf = NULL;

size_t obflen;

const char b64encoded[] = "dGVzdA==";

const unsigned char expected[] = "test";

test_ctx = talloc_new(NULL);

fail_if(test_ctx == NULL);

/* Base64 decode the buffer */

obfbuf = sss_base64_decode(test_ctx, b64encoded, &obflen);

fail_if(!obfbuf);

fail_if(obflen != strlen((const char*)expected));

fail_if(memcmp(obfbuf, expected, obflen) != 0);

talloc_free(test_ctx);

}

START_TEST(test_sss_encrypt_decrypt)

{

uint8_t key[] = {

0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7,

0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,

0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,

0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f

};

size_t key_len = sizeof(key); /* need to be 32 */

const char input_text[] = "Secret text";

const size_t input_text_len = sizeof(input_text) - 1;

uint8_t *cipher_text;

size_t cipher_text_len;

uint8_t *plain_text;

size_t plain_text_len;

int ret;

test_ctx = talloc_new(NULL);

fail_if(test_ctx == NULL);

ret = sss_encrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len,

(const uint8_t *)input_text, input_text_len,

&cipher_text, &cipher_text_len);

fail_if(ret != 0);

fail_if(cipher_text_len == 0);

ret = memcmp(input_text, cipher_text, input_text_len);

fail_if(ret == 0, "Input and encrypted text has common prefix");

ret = sss_decrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len,

cipher_text, cipher_text_len,

&plain_text, &plain_text_len);

fail_if(ret != 0);

fail_if(plain_text_len != input_text_len);

ret = memcmp(plain_text, input_text, input_text_len);

fail_if(ret != 0, "input text is not the same as de-encrypted text");

talloc_free(test_ctx);

}

Suite *crypto_suite(void)

{

Suite *s = suite_create("sss_crypto");

TCase *tc = tcase_create("sss crypto tests");

tcase_add_checked_fixture(tc, ck_leak_check_setup, ck_leak_check_teardown);

/* Do some testing */

#ifdef HAVE_NSS

tcase_add_test(tc, test_nss_init);

#endif

tcase_add_test(tc, test_sss_password_encrypt_decrypt);

tcase_add_test(tc, test_hmac_sha1);

tcase_add_test(tc, test_base64_encode);

tcase_add_test(tc, test_base64_decode);

tcase_add_test(tc, test_sss_encrypt_decrypt);

/* Add all test cases to the test suite */

suite_add_tcase(s, tc);

return s;

}

int main(int argc, const char *argv[])

{

int opt;

poptContext pc;

int number_failed;

struct poptOption long_options[] = {

POPT_AUTOHELP

{ "debug-level", 'd', POPT_ARG_INT, &debug_level, 0, "Set debug level", NULL },

POPT_TABLEEND

};

/* Set debug level to invalid value so we can deside if -d 0 was used. */

debug_level = SSSDBG_INVALID;

pc = poptGetContext(argv[0], argc, argv, long_options, 0);

while((opt = poptGetNextOpt(pc)) != -1) {

switch(opt) {

default:

fprintf(stderr, "\nInvalid option %s: %s\n\n",

poptBadOption(pc, 0), poptStrerror(opt));

poptPrintUsage(pc, stderr, 0);

return 1;

}

}

poptFreeContext(pc);

DEBUG_CLI_INIT(debug_level);

tests_set_cwd();

Suite *s = crypto_suite();

SRunner *sr = srunner_create(s);

srunner_run_all(sr, CK_ENV);

number_failed = srunner_ntests_failed(sr);

srunner_free(sr);

return (number_failed == 0 ? EXIT_SUCCESS : EXIT_FAILURE);

}