Monday, May 14, 2018

Vendor lock-in or let's have some fun with libucrypto

So one of the new features of Solaris 11.4 is the libucrypto library. They sell it as:

a lightweight library that provides access to hardware accelerated cryptography

Sadly the documentation is... scarce. The only open-source program that seems to be using it is Java.

Anyway, let's code a small sample RC4 (don't ever use RC4 for real world crypto!) program today and verify the cipher text against a known-good test vector. And yes, the plain text input is all zeros.

$ cat ucrypto_rc4.c
#include <libucrypto.h>

#include <assert.h>
#include <stdio.h>
#include <string.h> // memcmp(), memset()

// https://tools.ietf.org/html/rfc6229
static const uchar_t key_str[] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};

static const uchar_t tv3_out[] = {
    0x97, 0xab, 0x8a, 0x1b, 0xf0, 0xaf, 0xb9, 0x61,
    0x32, 0xf2, 0xf6, 0x72, 0x58, 0xda, 0x15, 0xa8,
    0x82, 0x63, 0xef, 0xdb, 0x45, 0xc4, 0xa1, 0x86,
    0x84, 0xef, 0x87, 0xe6, 0xb1, 0x9e, 0x5b, 0x09
};

int
main(void)
{
    const ucrypto_mech_t mech = CRYPTO_RC4;
    int rv = CRYPTO_FAILED;
    int ret = -1;

    size_t out_len = sizeof(tv3_out);

    uchar_t in[out_len];
    memset(&in, 0x0, sizeof(in));

    uchar_t out[out_len];
    memset(&out, 0x1, sizeof(out));

    printf("RFC 6229 key: 0x0102030405060708\n");
    rv = ucrypto_encrypt(mech, key_str, sizeof(key_str),
            NULL, 0,
            in, sizeof(in),
            out, &out_len);
    //printf("error is %s\n", ucrypto_strerror(rv));
    assert(rv == CRYPTO_SUCCESS);
    ret = memcmp(out, tv3_out, sizeof(tv3_out));
    assert(ret == 0);

    printf("All tests passed\n");

    return 0;
}

$ cc -m64 -Wall ucrypto_rc4.c -lucrypto
$ ./a.out
RFC 6229 key: 0x0102030405060708
All tests passed

Well, I'm pretty sure it would be more lines of code with OpenSSL. I'd still advise using NaCl or OpenSSL though. And please don't use RC4 for anything anymore!
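To cross-check the same RFC 6229 vector on a machine without libucrypto, here is a portable reference RC4 in plain C. It is an example added here, not code from the original post or from Oracle; the names rc4_ref() and rc4_matches_rfc6229() are made up for it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6229 64-bit key and first 32 keystream bytes, the values used above. */
static const uint8_t key_str[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
static const uint8_t tv3_out[32] = {
    0x97, 0xab, 0x8a, 0x1b, 0xf0, 0xaf, 0xb9, 0x61,
    0x32, 0xf2, 0xf6, 0x72, 0x58, 0xda, 0x15, 0xa8,
    0x82, 0x63, 0xef, 0xdb, 0x45, 0xc4, 0xa1, 0x86,
    0x84, 0xef, 0x87, 0xe6, 0xb1, 0x9e, 0x5b, 0x09
};

/* rc4_ref() is a name made up for this example; it is not a libucrypto call. */
static void
rc4_ref(const uint8_t *key, size_t key_len, const uint8_t *in, uint8_t *out, size_t len)
{
    uint8_t S[256], tmp;
    unsigned i, j = 0;
    for (i = 0; i < 256; i++)               /* KSA: identity permutation */
        S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {             /* KSA: mix the key in */
        j = (j + S[i] + key[i % key_len]) & 0xff;
        tmp = S[i]; S[i] = S[j]; S[j] = tmp;
    }
    i = j = 0;
    for (size_t n = 0; n < len; n++) {      /* PRGA: one keystream byte per step */
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        tmp = S[i]; S[i] = S[j]; S[j] = tmp;
        out[n] = in[n] ^ S[(S[i] + S[j]) & 0xff];
    }
}

/* Returns 1 when 32 zero bytes encrypt to the RFC 6229 keystream, else 0. */
static int
rc4_matches_rfc6229(void)
{
    uint8_t in[sizeof(tv3_out)] = { 0 }, out[sizeof(tv3_out)];
    rc4_ref(key_str, sizeof(key_str), in, out, sizeof(out));
    return memcmp(out, tv3_out, sizeof(out)) == 0;
}

int
main(void)
{
    puts(rc4_matches_rfc6229() ? "reference RC4 matches RFC 6229" : "MISMATCH");
    return !rc4_matches_rfc6229();
}
```

Because the plain text is all zeros, the cipher text equals the raw keystream, which is why both programs can compare directly against the RFC table.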
