pbeTest.c   [plain text]

/* Copyright (c) 1998,2003-2005,2008 Apple Inc.
 *
 * pbeTest.c - test CSP PBE-style DeriveKey().
 *
 * Revision History
 * ----------------
 *  15 May 2000 Doug Mitchell
 *		Ported to X/CDSA2. 
 *  13 Aug 1998	Doug Mitchell at NeXT
 *		Created.
 */
#include <stdlib.h>
#include <stdio.h>
#include <time.h>
#include <string.h>
#include <Security/cssm.h>
#include "cspwrap.h"
#include "common.h"
#include "cspdlTesting.h"

/* we need to know a little bit about AES for this test.... */
#define AES_BLOCK_SIZE		16		/* bytes */

/*
 * Defaults.
 */
#define LOOPS_DEF			10
#define MIN_PTEXT_SIZE		AES_BLOCK_SIZE		/* for non-padding tests */
#define MAX_PTEXT_SIZE		1000
#define MAX_PASSWORD_SIZE	64
#define MAX_SALT_SIZE		32
#define MIN_ITER_COUNT		1000
#define MAX_ITER_COUNT		2000
#define MAX_IV_SIZE			AES_BLOCK_SIZE

/* min values not currently exported by CSP */
#define APPLE_PBE_MIN_PASSWORD	8
#define APPLE_PBE_MIN_SALT		8

/* static IV for derive algorithms which don't create one */
CSSM_DATA staticIv = {MAX_IV_SIZE, (uint8 *)"someIvOrOther..."};

/*
 * Enumerate algs our own way to allow iteration.
 */
typedef unsigned privAlg;
enum {
	/* PBE algs */
	pbe_pbkdf2 = 1,
	// other unsupported for now
	pbe_PKCS12 = 1,
	pbe_MD5,
	pbe_MD2,
	pbe_SHA1,
	
	/* key gen algs */
	pka_ASC,
	pka_RC4,
	pka_DES,
	pka_RC2,
	pka_RC5,
	pka_3DES,
	pka_AES
};

#define PBE_ALG_FIRST			pbe_pbkdf2
#define PBE_ALG_LAST			pbe_pbkdf2
#define ENCR_ALG_FIRST			pka_ASC
#define ENCR_ALG_LAST			pka_AES
#define ENCR_ALG_LAST_EXPORT	pka_RC5

/*
 * Args passed to each test
 */
typedef struct {
	CSSM_CSP_HANDLE 	cspHand;
	CSSM_ALGORITHMS		keyAlg;
	CSSM_ALGORITHMS		encrAlg;
	uint32				keySizeInBits;
	uint32				effectiveKeySizeInBits;	// 0 means not used
	const char 			*keyAlgStr;
	CSSM_ENCRYPT_MODE	encrMode;
	CSSM_PADDING		encrPad;
	CSSM_ALGORITHMS		deriveAlg;
	const char 			*deriveAlgStr;
	CSSM_DATA_PTR		ptext;
	CSSM_DATA_PTR		password;
	CSSM_DATA_PTR 		salt;
	uint32 				iterCount;
	CSSM_BOOL 			useInitVector;		// encrypt needs an IV
	uint32				ivSize;
	CSSM_BOOL			genInitVector;		// DeriveKey generates an IV
	CSSM_BOOL			useRefKey;
	CSSM_BOOL			quiet;
} testArgs;

static void usage(char **argv)
{
	printf("usage: %s [options]\n", argv[0]);
	printf("   Options:\n");
	printf("   l=loops (default=%d; 0=forever)\n", LOOPS_DEF);
	printf("   e(xport)\n");
	printf("   r(epeatOnly)\n");
	printf("   z(ero length password)\n");
	printf("   p(ause after each loop)\n");
	printf("   D (CSP/DL; default = bare CSP)\n");
	printf("   q(uiet)\n");
	printf("   h(elp)\n");
	exit(1);
}

/*
 * Given a privAlg value, return various associated stuff.
 */
static void algInfo(privAlg alg,			// pbe_MD5, etc.
	CSSM_ALGORITHMS		*cdsaAlg,		// CSSM_ALGID_MD5_PBE, etc. RETURNED
										//   key alg for key gen algs
	CSSM_ALGORITHMS		*encrAlg,		// encrypt/decrypt alg for key 
										//   gen algs
	CSSM_ENCRYPT_MODE	*mode,			// RETURNED
	CSSM_PADDING 		*padding,		// RETURNED
	CSSM_BOOL			*useInitVector,	// RETURNED, for encrypt/decrypt
	uint32				*ivSize,		// RETURNED, in bytes
	CSSM_BOOL			*genInitVector,	// RETURNED, for deriveKey
	const char			**algStr)		// RETURNED
{
	/* default or irrelevant fields */
	*mode = CSSM_ALGMODE_NONE;
	*useInitVector = CSSM_FALSE;
	*genInitVector = CSSM_FALSE;		// DeriveKey doesn't do this now
	*padding = CSSM_PADDING_PKCS1;
	*ivSize = 8;						// thje usual size, if needed
	*encrAlg = CSSM_ALGID_NONE;
	
	switch(alg) {
		case pbe_pbkdf2:
			*cdsaAlg = CSSM_ALGID_PKCS5_PBKDF2;
			*algStr = "PBKDF2";
			return;
		/* these are not supported */
		#if 0
		case pbe_PKCS12:
			*cdsaAlg = CSSM_ALGID_SHA1_PBE_PKCS12;
			*algStr = "PKCS12";
			return;
		case pbe_MD5:
			*cdsaAlg = CSSM_ALGID_MD5_PBE;
			*algStr = "MD5";
			return;
		case pbe_MD2:
			*cdsaAlg = CSSM_ALGID_MD2_PBE;
			*algStr = "MD2";
			return;
		case pbe_SHA1:
			*cdsaAlg = CSSM_ALGID_SHA1_PBE;
			*algStr = "SHA1";
			return;
		case pka_ASC:
			*cdsaAlg = CSSM_ALGID_ASC;
			*algStr = "ASC";
			return;
		#endif 
		case pka_DES:
			*cdsaAlg = *encrAlg = CSSM_ALGID_DES;
			*useInitVector = CSSM_TRUE;
			*mode = CSSM_ALGMODE_CBCPadIV8;
			*algStr = "DES";
			return;
		case pka_3DES:
			*cdsaAlg = CSSM_ALGID_3DES_3KEY;
			*encrAlg = CSSM_ALGID_3DES_3KEY_EDE;
			*useInitVector = CSSM_TRUE;
			*mode = CSSM_ALGMODE_CBCPadIV8;
			*algStr = "3DES";
			return;
		case pka_AES:
			*cdsaAlg = *encrAlg = CSSM_ALGID_AES;
			*useInitVector = CSSM_TRUE;
			*mode = CSSM_ALGMODE_CBCPadIV8;
			*padding = CSSM_PADDING_PKCS5;
			*ivSize = AES_BLOCK_SIZE;			// per the default block size
			*algStr = "AES";
			return;
		case pka_RC2:
			*cdsaAlg = *encrAlg = CSSM_ALGID_RC2;
			*useInitVector = CSSM_TRUE;
			*mode = CSSM_ALGMODE_CBCPadIV8;
			*algStr = "RC2";
			return;
		case pka_RC4:
			*cdsaAlg = *encrAlg = CSSM_ALGID_RC4;
			/* initVector false */
			*mode = CSSM_ALGMODE_NONE;
			*algStr = "RC4";
			return;
		case pka_RC5:
			*cdsaAlg = *encrAlg = CSSM_ALGID_RC5;
			*algStr = "RC5";
			*mode = CSSM_ALGMODE_CBCPadIV8;
			*useInitVector = CSSM_TRUE;
			return;
		case pka_ASC:
			*cdsaAlg = *encrAlg = CSSM_ALGID_ASC;
			/* initVector false */
			*algStr = "ASC";
			*mode = CSSM_ALGMODE_NONE;
			return;
		default:
			printf("BRRZZZT! Update algInfo()!\n");
			testError(CSSM_TRUE);
	}
}

/* a handy "compare two CSSM_DATAs" ditty */
static CSSM_BOOL compareData(const CSSM_DATA_PTR d1,
	const CSSM_DATA_PTR d2)
{
	if(d1->Length != d2->Length) {
		return CSSM_FALSE;
	}
	if(memcmp(d1->Data, d2->Data, d1->Length)) {
		return CSSM_FALSE;
	}
	return CSSM_TRUE;
}

/* generate random one-bit byte */
static uint8 randBit()
{
	return 1 << genRand(0, 7);
}

/*
 * Writer debug - assertion failure when ctext[1].Data is NULL
 * but length is nonzero
 */
#define SAFE_CTEXT_ARRAY	0

/*
 * Encrypt ptext using specified key, IV, effectiveKeySizeInBits
 */
static int encryptCom(CSSM_CSP_HANDLE cspHand,
	const char *testName,
	CSSM_DATA_PTR ptext,
	CSSM_KEY_PTR key,
	CSSM_ALGORITHMS alg,
	CSSM_ENCRYPT_MODE mode,
	CSSM_PADDING padding,			// CSSM_PADDING_PKCS1, etc. 
	CSSM_DATA_PTR iv,				// may be NULL
	uint32 effectiveKeySizeInBits,	// may be 0
	CSSM_DATA_PTR ctext,			// RETURNED
	CSSM_BOOL quiet)
{
	CSSM_CC_HANDLE cryptHand;
	CSSM_RETURN crtn;
	CSSM_SIZE bytesEncrypted;
	CSSM_DATA remData;
	int rtn;
	#if 	SAFE_CTEXT_ARRAY
	CSSM_DATA safeCtext[2];
	safeCtext[0] = *ctext;
	safeCtext[1].Data = NULL;
	safeCtext[1].Length = 10;		// lie, but shouldn't use this!
	#else
	//	printf("+++ ctext[0] = %d:0x%x; ctext[1] = %d:0x%x\n",
	//		ctext[0].Length, ctext[0].Data,
	//		ctext[1].Length, ctext[1].Data);
	#endif
	
	cryptHand = genCryptHandle(cspHand,
		alg,
		mode,
		padding,		
		key,
		NULL,			// no 2nd key
		iv,				// InitVector
		effectiveKeySizeInBits,
		0);				// rounds
	if(cryptHand == 0) {
		return testError(quiet);
	}
	
	remData.Data = NULL;
	remData.Length = 0;
	crtn = CSSM_EncryptData(cryptHand,
		ptext,
		1,
		#if 	SAFE_CTEXT_ARRAY
		&safeCtext[0],
		#else
		ctext,
		#endif
		1,
		&bytesEncrypted,
		&remData);
	#if 	SAFE_CTEXT_ARRAY
	*ctext = safeCtext[0];
	#endif
	
	if(crtn) {
		printError("CSSM_EncryptData", crtn);
		rtn = testError(quiet);
		goto done;
	}
	if(remData.Length != 0) {
		//printf("***WARNING: nonzero remData on encrypt!\n");
		/* new for CDSA2 - possible remData even if we ask the CSP to 
		 * malloc ctext */
		ctext->Data = (uint8 *)appRealloc(ctext->Data, bytesEncrypted, NULL);
		memmove(ctext->Data + ctext->Length, 
			remData.Data, 
			bytesEncrypted - ctext->Length);
		appFreeCssmData(&remData, CSSM_FALSE);
	}
	/* new for CDSA 2 */
	ctext->Length = bytesEncrypted;
	rtn = 0;
done:
	if(CSSM_DeleteContext(cryptHand)) {
		printError("CSSM_DeleteContext", 0);
		rtn = 1;
	}
	return rtn;
}

/*
 * Decrypt ctext using specified key, IV, effectiveKeySizeInBits
 */
static int decryptCom(CSSM_CSP_HANDLE cspHand,
	const char *testName,
	CSSM_DATA_PTR ctext,
	CSSM_KEY_PTR key,
	CSSM_ALGORITHMS alg,
	CSSM_ENCRYPT_MODE mode,
	CSSM_PADDING padding,		
	CSSM_DATA_PTR iv,				// may be NULL
	uint32 effectiveKeySizeInBits,	// may be 0
	CSSM_DATA_PTR ptext,			// RETURNED
	CSSM_BOOL quiet)
{
	CSSM_CC_HANDLE cryptHand;
	CSSM_RETURN crtn;
	CSSM_SIZE bytesDecrypted;
	CSSM_DATA remData;
	int rtn;

	cryptHand = genCryptHandle(cspHand,
		alg,
		mode,
		padding,		
		key,
		NULL,			// no 2nd key
		iv,				// InitVector
		effectiveKeySizeInBits,
		0);				// rounds
	if(cryptHand == 0) {
		return testError(quiet);
	}
	remData.Data = NULL;
	remData.Length = 0;
	crtn = CSSM_DecryptData(cryptHand,
		ctext,
		1,
		ptext,
		1,
		&bytesDecrypted,
		&remData);
	if(crtn) {
		printError("CSSM_DecryptData", crtn);
		rtn = testError(quiet);
		goto done;
	}
	if(remData.Length != 0) {
		//printf("***WARNING: nonzero remData on decrypt!\n");
		/* new for CDSA2 - possible remData even if we ask the CSP to 
		 * malloc ptext */
		ptext->Data = (uint8 *)appRealloc(ptext->Data, bytesDecrypted, NULL);
		memmove(ptext->Data + ptext->Length, 
			remData.Data, 
			bytesDecrypted - ptext->Length);
		appFreeCssmData(&remData, CSSM_FALSE);
	}
	/* new for CDSA 2 */
	ptext->Length = bytesDecrypted;
	rtn = 0;
done:
	if(CSSM_DeleteContext(cryptHand)) {
		printError("CSSM_DeleteContext", 0);
		rtn = 1;
	}
	return rtn;
}

/*
 * Common test portion
 *   encrypt ptext with key1, iv1
 *   encrypt ptext with key2, iv2
 *	 compare 2 ctexts; expect failure;
 */
 
#define TRAP_WRITER_ERR	1

static int testCommon(CSSM_CSP_HANDLE cspHand,
	const char *testName,
	CSSM_ALGORITHMS encrAlg,
	CSSM_ENCRYPT_MODE encrMode,
	CSSM_PADDING encrPad,
	uint32 effectiveKeySizeInBits,
	CSSM_DATA_PTR ptext,
	CSSM_KEY_PTR key1,
	CSSM_DATA_PTR iv1,
	CSSM_KEY_PTR key2,
	CSSM_DATA_PTR iv2,
	CSSM_BOOL quiet)
{
	CSSM_DATA		ctext1;
	CSSM_DATA		ctext2;
	ctext1.Data = NULL;
	ctext1.Length = 0;
	ctext2.Data = NULL;
	ctext2.Length = 0;
	if(encryptCom(cspHand,
			testName,
			ptext,
			key1,
			encrAlg,
			encrMode,
			encrPad,
			iv1,
			effectiveKeySizeInBits,
			&ctext1,
			quiet)) {
		return 1;
	}
	#if	TRAP_WRITER_ERR
	if(ctext2.Data != NULL){
		printf("Hey! encryptCom(ptext, ctext1 modified ctext2!\n");
		if(testError(quiet)) {
			return 1;
		}
	}
	#endif
	if(encryptCom(cspHand,
			testName,
			ptext,
			key2,
			encrAlg,
			encrMode,
			encrPad,
			iv2,
			effectiveKeySizeInBits,
			&ctext2,
			quiet)) {
		return 1;
	}
	if(compareData(&ctext1, &ctext2)) {
		printf("***%s: Unexpected Data compare!\n", testName);
		return testError(quiet);
	}
	appFreeCssmData(&ctext1, CSSM_FALSE);
	appFreeCssmData(&ctext2, CSSM_FALSE);
	return 0;
}

/**
 ** inidividual tests.
 **/
#define KEY_LABEL1		"noLabel1"
#define KEY_LABEL2		"noLabel2"
#define KEY_LABEL_LEN	strlen(KEY_LABEL1)
#define REPEAT_ON_ERROR	1

/* test repeatability - the only test here which actually decrypts */
static int repeatTest(testArgs *targs)
{
	/*
	generate two keys with same params;
	encrypt ptext with key1;
	decrypt ctext with key2;
	compare; expect success;
	*/
	CSSM_KEY_PTR	key1;
	CSSM_KEY_PTR	key2;
	CSSM_DATA		iv1;
	CSSM_DATA		iv2;
	CSSM_DATA_PTR	ivp1;
	CSSM_DATA_PTR	ivp2;
	CSSM_DATA		ctext;
	CSSM_DATA		rptext;
	CSSM_BOOL		gotErr = CSSM_FALSE;
	
	if(targs->useInitVector) {
		if(targs->genInitVector) {
			ivp1 = &iv1;
			ivp2 = &iv2;
		}
		else {
			staticIv.Length = targs->ivSize;
			ivp1 = ivp2 = &staticIv;
		}
	}
	else {
		ivp1 = ivp2 = NULL;
	}
	/* these need to be init'd regardless */
	iv1.Data = NULL;
	iv1.Length = 0;
	iv2.Data = NULL;
	iv2.Length = 0;
	ctext.Data = NULL;
	ctext.Length = 0;
	rptext.Data = NULL;
	rptext.Length = 0;
repeatDerive:
	key1 = cspDeriveKey(targs->cspHand,
		targs->deriveAlg,
		targs->keyAlg,
		KEY_LABEL1,
		KEY_LABEL_LEN,
		CSSM_KEYUSE_ENCRYPT,
		targs->keySizeInBits,
		targs->useRefKey,
		targs->password,
		targs->salt,
		targs->iterCount,
		&iv1);
	if(key1 == NULL) {
		return testError(targs->quiet);
	}
	key2 = cspDeriveKey(targs->cspHand,
		targs->deriveAlg,
		targs->keyAlg,
		KEY_LABEL2,
		KEY_LABEL_LEN,
		CSSM_KEYUSE_DECRYPT,
		targs->keySizeInBits,
		targs->useRefKey,
		targs->password,
		targs->salt,
		targs->iterCount,
		&iv2);
	if(key2 == NULL) {
		return testError(targs->quiet);
	}
repeatEnc:
	if(encryptCom(targs->cspHand,
			"repeatTest",
			targs->ptext,
			key1,
			targs->encrAlg,
			targs->encrMode,
			targs->encrPad,
			ivp1,
			targs->effectiveKeySizeInBits,
			&ctext,
			targs->quiet)) {
		return 1;
	}
	if(decryptCom(targs->cspHand,
			"repeatTest",
			&ctext,
			key2,
			targs->encrAlg,
			targs->encrMode,
			targs->encrPad,
			ivp2,
			targs->effectiveKeySizeInBits,
			&rptext,
			targs->quiet)) {
		return 1;
	}
	if(gotErr || !compareData(targs->ptext, &rptext)) {
		printf("***Data miscompare in repeatTest\n");
		if(REPEAT_ON_ERROR) {
			char str;
			
			gotErr = CSSM_TRUE;
			fpurge(stdin);
			printf("Repeat enc/dec (r), repeat derive (d), continue (c), abort (any)? ");
			str = getchar();
			switch(str) {
				case 'r':
					appFreeCssmData(&ctext, CSSM_FALSE);	
					appFreeCssmData(&rptext, CSSM_FALSE);	
					goto repeatEnc;
				case 'd':
					appFreeCssmData(&ctext, CSSM_FALSE);	
					appFreeCssmData(&rptext, CSSM_FALSE);	
					appFreeCssmData(&iv1, CSSM_FALSE);
					appFreeCssmData(&iv2, CSSM_FALSE);
					cspFreeKey(targs->cspHand, key1);
					cspFreeKey(targs->cspHand, key2);
					goto repeatDerive;
				case 'c':
					break;
				default:
					return 1;
			}
		}
		else {
			return testError(targs->quiet);
		}
	}
	appFreeCssmData(&ctext, CSSM_FALSE);
	appFreeCssmData(&rptext, CSSM_FALSE);
	appFreeCssmData(&iv1, CSSM_FALSE);
	appFreeCssmData(&iv2, CSSM_FALSE);
	cspFreeKey(targs->cspHand, key1);
	cspFreeKey(targs->cspHand, key2);
	CSSM_FREE(key1);
	CSSM_FREE(key2);
	return 0;
}

/* ensure iterCount alters key */
static int iterTest(testArgs *targs)
{
	/*
	generate key1(iterCount), key2(iterCount+1);
	encrypt ptext with key1;
	encrypt ptext with key2;
	compare 2 ctexts; expect failure;
	*/
	CSSM_KEY_PTR	key1;
	CSSM_KEY_PTR	key2;
	CSSM_DATA		iv1;
	CSSM_DATA		iv2;
	CSSM_DATA_PTR	ivp1;
	CSSM_DATA_PTR	ivp2;
	if(targs->useInitVector) {
		if(targs->genInitVector) {
			ivp1 = &iv1;
			ivp2 = &iv2;
		}
		else {
			staticIv.Length = targs->ivSize;
			ivp1 = ivp2 = &staticIv;
		}
	}
	else {
		ivp1 = ivp2 = NULL;
	}
	/* these need to be init'd regardless */
	iv1.Data = NULL;
	iv1.Length = 0;
	iv2.Data = NULL;
	iv2.Length = 0;
	key1 = cspDeriveKey(targs->cspHand,
		targs->deriveAlg,
		targs->keyAlg,
		KEY_LABEL1,
		KEY_LABEL_LEN,
		CSSM_KEYUSE_ENCRYPT,
		targs->keySizeInBits,
		targs->useRefKey,
		targs->password,
		targs->salt,
		targs->iterCount,
		&iv1);
	if(key1 == NULL) {
		return testError(targs->quiet);
	}
	key2 = cspDeriveKey(targs->cspHand,
		targs->deriveAlg,
		targs->keyAlg,
		KEY_LABEL2,
		KEY_LABEL_LEN,
		CSSM_KEYUSE_ENCRYPT,
		targs->keySizeInBits,
		targs->useRefKey,
		targs->password,
		targs->salt,
		targs->iterCount + 1,		// the changed param
		&iv2);
	if(key2 == NULL) {
		return testError(targs->quiet);
	}
	if(testCommon(targs->cspHand,
				"iterTest",
				targs->encrAlg,
				targs->encrMode,
				targs->encrPad,
				targs->effectiveKeySizeInBits,
				targs->ptext,
			 	key1,
				ivp1,
				key2,
				ivp2,
				targs->quiet)) {
		return 1;
	}
	appFreeCssmData(&iv1, CSSM_FALSE);
	appFreeCssmData(&iv2, CSSM_FALSE);
	cspFreeKey(targs->cspHand, key1);
	cspFreeKey(targs->cspHand, key2);
	CSSM_FREE(key1);
	CSSM_FREE(key2);
	return 0;
}

/* ensure password alters key */
static int passwordTest(testArgs *targs)
{
	/*
	generate key1(password), key2(munged password);
	encrypt ptext with key1;
	encrypt ptext with key2;
	compare 2 ctexts; expect failure;
	*/
	CSSM_KEY_PTR	key1;
	CSSM_KEY_PTR	key2;
	CSSM_DATA		iv1;
	CSSM_DATA		iv2;
	CSSM_DATA_PTR	ivp1;
	CSSM_DATA_PTR	ivp2;
	uint32			mungeDex;
	uint32			mungeBits;
	if(targs->useInitVector) {
		if(targs->genInitVector) {
			ivp1 = &iv1;
			ivp2 = &iv2;
		}
		else {
			staticIv.Length = targs->ivSize;
			ivp1 = ivp2 = &staticIv;
		}
	}
	else {
		ivp1 = ivp2 = NULL;
	}
	/* these need to be init'd regardless */
	iv1.Data = NULL;
	iv1.Length = 0;
	iv2.Data = NULL;
	iv2.Length = 0;
	key1 = cspDeriveKey(targs->cspHand,
		targs->deriveAlg,
		targs->keyAlg,
		KEY_LABEL1,
		KEY_LABEL_LEN,
		CSSM_KEYUSE_ENCRYPT,
		targs->keySizeInBits,
		targs->useRefKey,
		targs->password,
		targs->salt,
		targs->iterCount,
		&iv1);
	if(key1 == NULL) {
		return testError(targs->quiet);
	}
	/* munge password */
	mungeDex = genRand(0, targs->password->Length - 1);
	mungeBits = randBit();
	targs->password->Data[mungeDex] ^= mungeBits;
	key2 = cspDeriveKey(targs->cspHand,
		targs->deriveAlg,
		targs->keyAlg,
		KEY_LABEL2,
		KEY_LABEL_LEN,
		CSSM_KEYUSE_ENCRYPT,
		targs->keySizeInBits,
		targs->useRefKey,
		targs->password,			// the changed param
		targs->salt,
		targs->iterCount,
		&iv2);
	if(key2 == NULL) {
		return testError(targs->quiet);
	}
	if(testCommon(targs->cspHand,
				"passwordTest",
				targs->encrAlg,
				targs->encrMode,
				targs->encrPad,
				targs->effectiveKeySizeInBits,
				targs->ptext,
			 	key1,
				ivp1,
				key2,
				ivp2,
				targs->quiet)) {
		return 1;
	}
	/* restore  */
	targs->password->Data[mungeDex] ^= mungeBits;
	appFreeCssmData(&iv1, CSSM_FALSE);
	appFreeCssmData(&iv2, CSSM_FALSE);
	cspFreeKey(targs->cspHand, key1);
	cspFreeKey(targs->cspHand, key2);
	CSSM_FREE(key1);
	CSSM_FREE(key2);
	return 0;
}

/* ensure salt alters key */
static int saltTest(testArgs *targs)
{
	/*
	generate key1(seed), key2(munged seed);
	encrypt ptext with key1;
	encrypt ptext with key2;
	compare 2 ctexts; expect failure;
	*/
	CSSM_KEY_PTR	key1;
	CSSM_KEY_PTR	key2;
	CSSM_DATA		iv1;
	CSSM_DATA		iv2;
	CSSM_DATA_PTR	ivp1;
	CSSM_DATA_PTR	ivp2;
	uint32			mungeDex;
	uint32			mungeBits;
	if(targs->useInitVector) {
		if(targs->genInitVector) {
			ivp1 = &iv1;
			ivp2 = &iv2;
		}
		else {
			staticIv.Length = targs->ivSize;
			ivp1 = ivp2 = &staticIv;
		}
	}
	else {
		ivp1 = ivp2 = NULL;
	}
	/* these need to be init'd regardless */
	iv1.Data = NULL;
	iv1.Length = 0;
	iv2.Data = NULL;
	iv2.Length = 0;
	key1 = cspDeriveKey(targs->cspHand,
		targs->deriveAlg,
		targs->keyAlg,
		KEY_LABEL1,
		KEY_LABEL_LEN,
		CSSM_KEYUSE_ENCRYPT,
		targs->keySizeInBits,
		targs->useRefKey,
		targs->password,
		targs->salt,
		targs->iterCount,
		&iv1);
	if(key1 == NULL) {
		return testError(targs->quiet);
	}
	/* munge salt */
	mungeDex = genRand(0, targs->salt->Length - 1);
	mungeBits = randBit();
	targs->salt->Data[mungeDex] ^= mungeBits;
	key2 = cspDeriveKey(targs->cspHand,
		targs->deriveAlg,
		targs->keyAlg,
		KEY_LABEL2,
		KEY_LABEL_LEN,
		CSSM_KEYUSE_ENCRYPT,
		targs->keySizeInBits,
		targs->useRefKey,
		targs->password,
		targs->salt,				// the changed param
		targs->iterCount,
		&iv2);
	if(key2 == NULL) {
		return testError(targs->quiet);
	}
	if(testCommon(targs->cspHand,
				"saltTest",
				targs->encrAlg,
				targs->encrMode,
				targs->encrPad,
				targs->effectiveKeySizeInBits,
				targs->ptext,
			 	key1,
				ivp1,
				key2,
				ivp2,
				targs->quiet)) {
		return 1;
	}
	/* restore  */
	targs->salt->Data[mungeDex] ^= mungeBits;
	appFreeCssmData(&iv1, CSSM_FALSE);
	appFreeCssmData(&iv2, CSSM_FALSE);
	cspFreeKey(targs->cspHand, key1);
	cspFreeKey(targs->cspHand, key2);
	CSSM_FREE(key1);
	CSSM_FREE(key2);
	return 0;
}

/* ensure initVector alters ctext. This isn't testing PBE per se, but
 * it's a handy place to verify this function. */
static int initVectTest(testArgs *targs)
{
	/*
	generate key1;
	encrypt ptext with key1 and initVector;
	encrypt ptext with key1 and munged initVector;
	compare 2 ctexts; expect failure;
	*/
	CSSM_KEY_PTR	key1;
	CSSM_DATA		iv1;
	CSSM_DATA		iv2;
	uint32			mungeDex;
	uint32			mungeBits;
	
	if(targs->genInitVector) {
		iv1.Data = NULL;
		iv1.Length = 0;
	}
	else  {
		iv1 = staticIv;
	}
	key1 = cspDeriveKey(targs->cspHand,
		targs->deriveAlg,
		targs->keyAlg,
		KEY_LABEL1,
		KEY_LABEL_LEN,
		CSSM_KEYUSE_ENCRYPT,
		targs->keySizeInBits,
		targs->useRefKey,
		targs->password,
		targs->salt,
		targs->iterCount,
		&iv1);
	if(key1 == NULL) {
		return testError(targs->quiet);
	}
	
	/* get munged copy of iv */
	iv2.Data = (uint8 *)CSSM_MALLOC(iv1.Length);
	iv2.Length = iv1.Length;
	memmove(iv2.Data, iv1.Data, iv1.Length);
	mungeDex = genRand(0, iv1.Length - 1);
	mungeBits = randBit();
	iv2.Data[mungeDex] ^= mungeBits;
	if(testCommon(targs->cspHand,
				"initVectTest",
				targs->encrAlg,
				targs->encrMode,
				targs->encrPad,
				targs->effectiveKeySizeInBits,
				targs->ptext,
			 	key1,
				&iv1,
				key1,
				&iv2,	// the changed param
				targs->quiet)) {	
		return 1;
	}
	if(targs->genInitVector) {
		appFreeCssmData(&iv1, CSSM_FALSE);
	}
	appFreeCssmData(&iv2, CSSM_FALSE);
	cspFreeKey(targs->cspHand, key1);
	CSSM_FREE(key1);
	return 0;
}

#if 0
/* only one algorithm supported */
/* ensure deriveAlg alters key */
static int deriveAlgTest(testArgs *targs)
{
	/*
	generate key1(deriveAlg), key2(some other deriveAlg);
	encrypt ptext with key1;
	encrypt ptext with key2;
	compare 2 ctexts; expect failure;
	*/
	CSSM_KEY_PTR    key1;
	CSSM_KEY_PTR    key2;
	CSSM_DATA       iv1;
	CSSM_DATA       iv2;
	CSSM_DATA_PTR   ivp1;
	CSSM_DATA_PTR   ivp2;
	uint32          mungeAlg;
	
	if(targs->useInitVector) {
		if(targs->genInitVector) {
			ivp1 = &iv1;
			ivp2 = &iv2;
		}
		else {
			staticIv.Length = targs->ivSize;
			ivp1 = ivp2 = &staticIv;
		}
	}
	else {
		ivp1 = ivp2 = NULL;
	}
	
	/* these need to be init'd regardless */
	iv1.Data = NULL;
	iv1.Length = 0;
	iv2.Data = NULL;
	iv2.Length = 0;
	key1 = cspDeriveKey(targs->cspHand,
		targs->deriveAlg,
		targs->keyAlg,
		KEY_LABEL1,
		KEY_LABEL_LEN,
		CSSM_KEYUSE_ENCRYPT,
		targs->keySizeInBits,
		targs->useRefKey,
		targs->password,
		targs->salt,
		targs->iterCount,
		&iv1);
	if(key1 == NULL) {
		return testError(quiet);
	}
	
	/* munge deriveAlg */
	switch(targs->deriveAlg) {
		case CSSM_ALGID_MD5_PBE:
			mungeAlg = CSSM_ALGID_MD2_PBE;
			break;
		case CSSM_ALGID_MD2_PBE:
			mungeAlg = CSSM_ALGID_SHA1_PBE;
			break;
		case CSSM_ALGID_SHA1_PBE:
			mungeAlg = CSSM_ALGID_SHA1_PBE_PKCS12;
			break;
		case CSSM_ALGID_SHA1_PBE_PKCS12:
			mungeAlg = CSSM_ALGID_MD5_PBE;
			break;
		default:
			printf("BRRRZZZT! Update deriveAlgTest()!\n");
			return testError(quiet);
	}
	key2 = cspDeriveKey(targs->cspHand,
		mungeAlg,                               // the changed param
		targs->keyAlg,
		KEY_LABEL2,
		KEY_LABEL_LEN,
		CSSM_KEYUSE_ENCRYPT,
		targs->keySizeInBits,
		targs->useRefKey,
		targs->password,                        // the changed param
		targs->salt,
		targs->iterCount,
		&iv2);
	if(key2 == NULL) {
		return testError(quiet);
	}
	if(testCommon(targs->cspHand,
			"deriveAlgTest",
			targs->encrAlg,
			targs->encrMode,
			targs->encrPad,
			targs->effectiveKeySizeInBits,
			targs->ptext,
			key1,
			ivp1,
			key2,
			ivp2,
			targs->quiet)) {
		return 1;
	}
	appFreeCssmData(&iv1, CSSM_FALSE);
	appFreeCssmData(&iv2, CSSM_FALSE);
	cspFreeKey(targs->cspHand, key1);
	cspFreeKey(targs->cspHand, key2);
	CSSM_FREE(key1);
	CSSM_FREE(key2);
	return 0;
}
#endif

int main(int argc, char **argv)
{
	int					arg;
	char				*argp;
	unsigned			loop;
	CSSM_DATA			ptext;
	testArgs			targs;
	CSSM_DATA			pwd;
	CSSM_DATA			salt;
	privAlg				pbeAlg;
	privAlg				encrAlg;
	privAlg				lastEncrAlg;
	int 				rtn = 0;
	CSSM_BOOL 			fooBool;
	CSSM_BOOL			refKeysOnly = CSSM_FALSE;
	int					i;
	
	/*
	 * User-spec'd params
	 */
	unsigned	loops = LOOPS_DEF;
	CSSM_BOOL	quiet = CSSM_FALSE;
	CSSM_BOOL	doPause = CSSM_FALSE;
	CSSM_BOOL	doExport = CSSM_FALSE;
	CSSM_BOOL	repeatOnly = CSSM_FALSE;
	CSSM_BOOL	bareCsp = CSSM_TRUE;
	CSSM_BOOL	zeroLenPassword = CSSM_FALSE;
	
	#if	macintosh
	argc = ccommand(&argv);
	#endif
	for(arg=1; arg<argc; arg++) {
		argp = argv[arg];
		switch(argp[0]) {
		    case 'l':
				loops = atoi(&argp[2]);
				break;
		    case 'q':
		    	quiet = CSSM_TRUE;
				break;
			case 'D':
				bareCsp = CSSM_FALSE;
				#if CSPDL_ALL_KEYS_ARE_REF
				refKeysOnly = CSSM_TRUE;
				#endif
				break;
		    case 'p':
		    	doPause = CSSM_TRUE;
				break;
			case 'e':
				doExport = CSSM_TRUE;
				break;
			case 'r':
				repeatOnly = CSSM_TRUE;
				break;
			case 'z':
				zeroLenPassword = CSSM_TRUE;
				break;
		    case 'h':
		    default:
				usage(argv);
		}
	}

	/* statically allocate ptext, password and seed; data and length
	 * change in test loop */
	pwd.Data = (uint8 *)CSSM_MALLOC(MAX_PASSWORD_SIZE);
	ptext.Data = (uint8 *)CSSM_MALLOC(MAX_PTEXT_SIZE);
	salt.Data = (uint8 *)CSSM_MALLOC(MAX_SALT_SIZE);
	printf("Starting pbeTest; args: ");
	for(i=1; i<argc; i++) {
		printf("%s ", argv[i]);
	}
	printf("\n");
	targs.cspHand = cspDlDbStartup(bareCsp, NULL);
	if(targs.cspHand == 0) {
		exit(1);
	}
	targs.ptext 	= &ptext;
	targs.password 	= &pwd;
	targs.salt 		= &salt;
	targs.quiet     = quiet;
	if(doExport) {
		lastEncrAlg = ENCR_ALG_LAST_EXPORT;
	}
	else {
		lastEncrAlg = ENCR_ALG_LAST;
	}
	for(loop=1; ; loop++) {
		if(!quiet) {
			printf("...loop %d\n", loop);
		}
		/* change once per outer loop */
		simpleGenData(&ptext, MIN_PTEXT_SIZE, MAX_PTEXT_SIZE);
		if(zeroLenPassword) {
			pwd.Length = 0;	// fixed
		}
		else {
			simpleGenData(&pwd, APPLE_PBE_MIN_PASSWORD, MAX_PASSWORD_SIZE);
		}
		simpleGenData(&salt, APPLE_PBE_MIN_SALT, MAX_SALT_SIZE);
		targs.iterCount = genRand(MIN_ITER_COUNT, MAX_ITER_COUNT);
		if(refKeysOnly) {
			targs.useRefKey = CSSM_TRUE;
		}
		else {
			targs.useRefKey = (loop & 1) ? CSSM_FALSE : CSSM_TRUE;
		}
		
		for(encrAlg=ENCR_ALG_FIRST; encrAlg<=lastEncrAlg; encrAlg++) {
			/* Cook up encryption-related args */
			algInfo(encrAlg,
				&targs.keyAlg,
				&targs.encrAlg,
				&targs.encrMode,
				&targs.encrPad,
				&targs.useInitVector,
				&targs.ivSize,
				&fooBool,				// genInitVector
				&targs.keyAlgStr);
			/* random key size */
			targs.effectiveKeySizeInBits = randKeySizeBits(targs.keyAlg, OT_Encrypt);
			targs.keySizeInBits = (targs.effectiveKeySizeInBits + 7) & ~7;
			if(targs.keySizeInBits == targs.effectiveKeySizeInBits) {
				/* same size, ignore effective */
				targs.effectiveKeySizeInBits = 0;
			}
			if(!quiet) {
				printf("   ...Encrypt alg %s keySizeInBits %u effectKeySize %u\n",
					targs.keyAlgStr, (unsigned)targs.keySizeInBits,
					(unsigned)targs.effectiveKeySizeInBits);
			}
			for(pbeAlg=PBE_ALG_FIRST; pbeAlg<=PBE_ALG_LAST; pbeAlg++) {
				/* Cook up pbe-related args */
				uint32 foo;
				algInfo(pbeAlg,
					&targs.deriveAlg,
					&foo, 			// encrAlg
					&foo,			// mode
					&foo,
					&fooBool,		// useInitVector
					&foo,			// ivSize
					&targs.genInitVector,
					&targs.deriveAlgStr);
				if(!quiet) {
					printf("      ...PBE alg %s\n", targs.deriveAlgStr);
				}
				/* grind thru the tests */
				if(repeatTest(&targs)) {
					rtn = 1;
					goto testDone;
				}
				if(repeatOnly) {
					continue;
				}
				if(iterTest(&targs)) {
					rtn = 1;
					goto testDone;
				}
				#if 0
				// not supported yet 
				if(deriveAlgTest(&targs)) {
					rtn = 1;
					goto testDone;
				}
				#endif
				if(!zeroLenPassword) {
					/* won't work with zero length password */
					if(passwordTest(&targs)) {
						rtn = 1;
						goto testDone;
					}
				}
				if(saltTest(&targs)) {
					rtn = 1;
					goto testDone;
				}
				if(targs.useInitVector) {
					if(initVectTest(&targs)) {
						rtn = 1;
						goto testDone;
					}
				}
			} /* for pbeAlg */
		} /* for encrAlg */
		if(doPause) {
			if(testError(quiet)) {
				break;
			}
		}
		if(loops && (loop == loops)) {
			break;
		}
	} /* for loop */
	
testDone:
	CSSM_ModuleDetach(targs.cspHand);
	if(!quiet && (rtn == 0)) {
		printf("%s test complete\n", argv[0]);
	}
	return rtn;
}