1 /*
2  *  Copyright (c) 2016, The OpenThread Authors.
3  *  All rights reserved.
4  *
5  *  Redistribution and use in source and binary forms, with or without
6  *  modification, are permitted provided that the following conditions are met:
7  *  1. Redistributions of source code must retain the above copyright
8  *     notice, this list of conditions and the following disclaimer.
9  *  2. Redistributions in binary form must reproduce the above copyright
10  *     notice, this list of conditions and the following disclaimer in the
11  *     documentation and/or other materials provided with the distribution.
12  *  3. Neither the name of the copyright holder nor the
13  *     names of its contributors may be used to endorse or promote products
14  *     derived from this software without specific prior written permission.
15  *
16  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26  *  POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 #include <openthread/config.h>
30 
31 #include "common/debug.hpp"
32 #include "crypto/aes_ccm.hpp"
33 
34 #include "test_platform.h"
35 #include "test_util.hpp"
36 
37 /**
38  * Verifies test vectors from IEEE 802.15.4-2006 Annex C Section C.2.1
39  */
TestMacBeaconFrame(void)40 void TestMacBeaconFrame(void)
41 {
42     uint8_t key[] = {
43         0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
44     };
45 
46     uint8_t test[] = {0x08, 0xD0, 0x84, 0x21, 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x48, 0xDE,
47                       0xAC, 0x02, 0x05, 0x00, 0x00, 0x00, 0x55, 0xCF, 0x00, 0x00, 0x51, 0x52,
48                       0x53, 0x54, 0x22, 0x3B, 0xC1, 0xEC, 0x84, 0x1A, 0xB5, 0x53};
49 
50     uint8_t encrypted[] = {0x08, 0xD0, 0x84, 0x21, 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x48, 0xDE,
51                            0xAC, 0x02, 0x05, 0x00, 0x00, 0x00, 0x55, 0xCF, 0x00, 0x00, 0x51, 0x52,
52                            0x53, 0x54, 0x22, 0x3B, 0xC1, 0xEC, 0x84, 0x1A, 0xB5, 0x53};
53 
54     uint8_t decrypted[] = {0x08, 0xD0, 0x84, 0x21, 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x48, 0xDE,
55                            0xAC, 0x02, 0x05, 0x00, 0x00, 0x00, 0x55, 0xCF, 0x00, 0x00, 0x51, 0x52,
56                            0x53, 0x54, 0x22, 0x3B, 0xC1, 0xEC, 0x84, 0x1A, 0xB5, 0x53};
57 
58     otInstance        *instance = testInitInstance();
59     ot::Crypto::AesCcm aesCcm;
60     uint32_t           headerLength  = sizeof(test) - 8;
61     uint32_t           payloadLength = 0;
62     uint8_t            tagLength     = 8;
63 
64     uint8_t nonce[] = {
65         0xAC, 0xDE, 0x48, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x02,
66     };
67 
68     VerifyOrQuit(instance != nullptr);
69 
70     aesCcm.SetKey(key, sizeof(key));
71     aesCcm.Init(headerLength, payloadLength, tagLength, nonce, sizeof(nonce));
72     aesCcm.Header(test, headerLength);
73     VerifyOrQuit(aesCcm.GetTagLength() == tagLength);
74     aesCcm.Finalize(test + headerLength);
75 
76     VerifyOrQuit(memcmp(test, encrypted, sizeof(encrypted)) == 0);
77 
78     aesCcm.Init(headerLength, payloadLength, tagLength, nonce, sizeof(nonce));
79     aesCcm.Header(test, headerLength);
80     VerifyOrQuit(aesCcm.GetTagLength() == tagLength);
81     aesCcm.Finalize(test + headerLength);
82 
83     VerifyOrQuit(memcmp(test, decrypted, sizeof(decrypted)) == 0);
84 
85     testFreeInstance(instance);
86 }
87 
88 /**
89  * Verifies test vectors from IEEE 802.15.4-2006 Annex C Section C.2.3
90  */
TestMacCommandFrame(void)91 void TestMacCommandFrame(void)
92 {
93     uint8_t key[] = {
94         0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
95     };
96 
97     uint8_t test[] = {
98         0x2B, 0xDC, 0x84, 0x21, 0x43, 0x02, 0x00, 0x00, 0x00, 0x00, 0x48, 0xDE, 0xAC,
99         0xFF, 0xFF, 0x01, 0x00, 0x00, 0x00, 0x00, 0x48, 0xDE, 0xAC, 0x06, 0x05, 0x00,
100         0x00, 0x00, 0x01, 0xCE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
101     };
102 
103     static constexpr uint32_t kHeaderLength  = 29;
104     static constexpr uint32_t kPayloadLength = 1;
105     static constexpr uint8_t  kTagLength     = 8;
106 
107     uint8_t encrypted[] = {
108         0x2B, 0xDC, 0x84, 0x21, 0x43, 0x02, 0x00, 0x00, 0x00, 0x00, 0x48, 0xDE, 0xAC,
109         0xFF, 0xFF, 0x01, 0x00, 0x00, 0x00, 0x00, 0x48, 0xDE, 0xAC, 0x06, 0x05, 0x00,
110         0x00, 0x00, 0x01, 0xD8, 0x4F, 0xDE, 0x52, 0x90, 0x61, 0xF9, 0xC6, 0xF1,
111     };
112 
113     uint8_t decrypted[] = {
114         0x2B, 0xDC, 0x84, 0x21, 0x43, 0x02, 0x00, 0x00, 0x00, 0x00, 0x48, 0xDE, 0xAC,
115         0xFF, 0xFF, 0x01, 0x00, 0x00, 0x00, 0x00, 0x48, 0xDE, 0xAC, 0x06, 0x05, 0x00,
116         0x00, 0x00, 0x01, 0xCE, 0x4F, 0xDE, 0x52, 0x90, 0x61, 0xF9, 0xC6, 0xF1,
117     };
118 
119     uint8_t nonce[] = {
120         0xAC, 0xDE, 0x48, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x06,
121     };
122 
123     uint8_t tag[kTagLength];
124 
125     ot::Instance      *instance = testInitInstance();
126     ot::Message       *message;
127     ot::Crypto::AesCcm aesCcm;
128 
129     VerifyOrQuit(instance != nullptr);
130 
131     aesCcm.SetKey(key, sizeof(key));
132     aesCcm.Init(kHeaderLength, kPayloadLength, kTagLength, nonce, sizeof(nonce));
133     aesCcm.Header(test, kHeaderLength);
134     aesCcm.Payload(test + kHeaderLength, test + kHeaderLength, kPayloadLength, ot::Crypto::AesCcm::kEncrypt);
135     VerifyOrQuit(aesCcm.GetTagLength() == kTagLength);
136     aesCcm.Finalize(test + kHeaderLength + kPayloadLength);
137     VerifyOrQuit(memcmp(test, encrypted, sizeof(encrypted)) == 0);
138 
139     aesCcm.Init(kHeaderLength, kPayloadLength, kTagLength, nonce, sizeof(nonce));
140     aesCcm.Header(test, kHeaderLength);
141     aesCcm.Payload(test + kHeaderLength, test + kHeaderLength, kPayloadLength, ot::Crypto::AesCcm::kDecrypt);
142     VerifyOrQuit(aesCcm.GetTagLength() == kTagLength);
143     aesCcm.Finalize(test + kHeaderLength + kPayloadLength);
144 
145     VerifyOrQuit(memcmp(test, decrypted, sizeof(decrypted)) == 0);
146 
147     // Verify encryption/decryption in place within a message.
148 
149     message = instance->Get<ot::MessagePool>().Allocate(ot::Message::kTypeIp6);
150     VerifyOrQuit(message != nullptr);
151 
152     SuccessOrQuit(message->AppendBytes(test, kHeaderLength + kPayloadLength));
153 
154     aesCcm.Init(kHeaderLength, kPayloadLength, kTagLength, nonce, sizeof(nonce));
155     aesCcm.Header(test, kHeaderLength);
156 
157     aesCcm.Payload(*message, kHeaderLength, kPayloadLength, ot::Crypto::AesCcm::kEncrypt);
158     VerifyOrQuit(aesCcm.GetTagLength() == kTagLength);
159     aesCcm.Finalize(tag);
160     SuccessOrQuit(message->Append(tag));
161     VerifyOrQuit(message->GetLength() == sizeof(encrypted));
162     VerifyOrQuit(message->Compare(0, encrypted));
163 
164     aesCcm.Init(kHeaderLength, kPayloadLength, kTagLength, nonce, sizeof(nonce));
165     aesCcm.Header(test, kHeaderLength);
166     aesCcm.Payload(*message, kHeaderLength, kPayloadLength, ot::Crypto::AesCcm::kDecrypt);
167 
168     VerifyOrQuit(message->GetLength() == sizeof(encrypted));
169     VerifyOrQuit(message->Compare(0, decrypted));
170 
171     message->Free();
172     testFreeInstance(instance);
173 }
174 
175 /**
176  * Verifies in-place encryption/decryption.
177  *
178  */
TestInPlaceAesCcmProcessing(void)179 void TestInPlaceAesCcmProcessing(void)
180 {
181     static constexpr uint16_t kTagLength    = 4;
182     static constexpr uint32_t kHeaderLength = 19;
183 
184     static const uint8_t kKey[] = {
185         0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
186     };
187 
188     static const uint8_t kNonce[] = {
189         0xac, 0xde, 0x48, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x06,
190     };
191 
192     static uint16_t kMessageLengths[] = {30, 400, 800};
193 
194     uint8_t tag[kTagLength];
195     uint8_t header[kHeaderLength];
196 
197     ot::Crypto::AesCcm aesCcm;
198     ot::Instance      *instance = testInitInstance();
199     ot::Message       *message;
200     ot::Message       *messageClone;
201 
202     VerifyOrQuit(instance != nullptr);
203 
204     message = instance->Get<ot::MessagePool>().Allocate(ot::Message::kTypeIp6);
205     VerifyOrQuit(message != nullptr);
206 
207     aesCcm.SetKey(kKey, sizeof(kKey));
208 
209     for (uint16_t msgLength : kMessageLengths)
210     {
211         printf("msgLength %d\n", msgLength);
212 
213         SuccessOrQuit(message->SetLength(0));
214 
215         for (uint16_t i = msgLength; i != 0; i--)
216         {
217             SuccessOrQuit(message->Append<uint8_t>(i & 0xff));
218         }
219 
220         messageClone = message->Clone();
221         VerifyOrQuit(messageClone != nullptr);
222         VerifyOrQuit(messageClone->GetLength() == msgLength);
223 
224         SuccessOrQuit(message->Read(0, header));
225 
226         // Encrypt in place
227         aesCcm.Init(kHeaderLength, msgLength - kHeaderLength, kTagLength, kNonce, sizeof(kNonce));
228         aesCcm.Header(header);
229         aesCcm.Payload(*message, kHeaderLength, msgLength - kHeaderLength, ot::Crypto::AesCcm::kEncrypt);
230 
231         // Append the tag
232         aesCcm.Finalize(tag);
233         SuccessOrQuit(message->Append(tag));
234 
235         VerifyOrQuit(message->GetLength() == msgLength + kTagLength);
236 
237         // Decrypt in place
238         aesCcm.Init(kHeaderLength, msgLength - kHeaderLength, kTagLength, kNonce, sizeof(kNonce));
239         aesCcm.Header(header);
240         aesCcm.Payload(*message, kHeaderLength, msgLength - kHeaderLength, ot::Crypto::AesCcm::kDecrypt);
241 
242         // Check the tag against what is the message
243         aesCcm.Finalize(tag);
244         VerifyOrQuit(message->Compare(msgLength, tag));
245 
246         // Check that decrypted message is the same as original (cloned) message
247         VerifyOrQuit(message->CompareBytes(0, *messageClone, 0, msgLength));
248 
249         messageClone->Free();
250     }
251 
252     message->Free();
253     testFreeInstance(instance);
254 }
255 
main(void)256 int main(void)
257 {
258     TestMacBeaconFrame();
259     TestMacCommandFrame();
260     TestInPlaceAesCcmProcessing();
261     printf("All tests passed\n");
262     return 0;
263 }
264