search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
TOR: update to v0.2.5.12
[tomato.git] / release / src / router / tor / src / test / test_crypto.c
blob5d8edb655001bac32565ca77d99b6606c747b771
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2013, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5
6 #include "orconfig.h"
7 #define CRYPTO_CURVE25519_PRIVATE
8 #include "or.h"
9 #include "test.h"
10 #include "aes.h"
11 #include "util.h"
12 #include "siphash.h"
13 #ifdef CURVE25519_ENABLED
14 #include "crypto_curve25519.h"
15 #endif
16
17 extern const char AUTHORITY_SIGNKEY_3[];
18 extern const char AUTHORITY_SIGNKEY_A_DIGEST[];
19 extern const char AUTHORITY_SIGNKEY_A_DIGEST256[];
20
21 /** Run unit tests for Diffie-Hellman functionality. */
22 static void
23 test_crypto_dh(void)
24 {
25 crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
26 crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
27 char p1[DH_BYTES];
28 char p2[DH_BYTES];
29 char s1[DH_BYTES];
30 char s2[DH_BYTES];
31 ssize_t s1len, s2len;
32
33 test_eq(crypto_dh_get_bytes(dh1), DH_BYTES);
34 test_eq(crypto_dh_get_bytes(dh2), DH_BYTES);
35
36 memset(p1, 0, DH_BYTES);
37 memset(p2, 0, DH_BYTES);
38 test_memeq(p1, p2, DH_BYTES);
39 test_assert(! crypto_dh_get_public(dh1, p1, DH_BYTES));
40 test_memneq(p1, p2, DH_BYTES);
41 test_assert(! crypto_dh_get_public(dh2, p2, DH_BYTES));
42 test_memneq(p1, p2, DH_BYTES);
43
44 memset(s1, 0, DH_BYTES);
45 memset(s2, 0xFF, DH_BYTES);
46 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH_BYTES, s1, 50);
47 s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH_BYTES, s2, 50);
48 test_assert(s1len > 0);
49 test_eq(s1len, s2len);
50 test_memeq(s1, s2, s1len);
51
52 {
53 /* XXXX Now fabricate some bad values and make sure they get caught,
54 * Check 0, 1, N-1, >= N, etc.
55 */
56 }
57
58 done:
59 crypto_dh_free(dh1);
60 crypto_dh_free(dh2);
61 }
62
63 /** Run unit tests for our random number generation function and its wrappers.
64 */
65 static void
66 test_crypto_rng(void)
67 {
68 int i, j, allok;
69 char data1[100], data2[100];
70 double d;
71
72 /* Try out RNG. */
73 test_assert(! crypto_seed_rng(0));
74 crypto_rand(data1, 100);
75 crypto_rand(data2, 100);
76 test_memneq(data1,data2,100);
77 allok = 1;
78 for (i = 0; i < 100; ++i) {
79 uint64_t big;
80 char *host;
81 j = crypto_rand_int(100);
82 if (j < 0 || j >= 100)
83 allok = 0;
84 big = crypto_rand_uint64(U64_LITERAL(1)<<40);
85 if (big >= (U64_LITERAL(1)<<40))
86 allok = 0;
87 big = crypto_rand_uint64(U64_LITERAL(5));
88 if (big >= 5)
89 allok = 0;
90 d = crypto_rand_double();
91 test_assert(d >= 0);
92 test_assert(d < 1.0);
93 host = crypto_random_hostname(3,8,"www.",".onion");
94 if (strcmpstart(host,"www.") ||
95 strcmpend(host,".onion") ||
96 strlen(host) < 13 ||
97 strlen(host) > 18)
98 allok = 0;
99 tor_free(host);
100 }
101 test_assert(allok);
102 done:
103 ;
104 }
105
106 /** Run unit tests for our AES functionality */
107 static void
108 test_crypto_aes(void *arg)
109 {
110 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
111 crypto_cipher_t *env1 = NULL, *env2 = NULL;
112 int i, j;
113 char *mem_op_hex_tmp=NULL;
114
115 int use_evp = !strcmp(arg,"evp");
116 evaluate_evp_for_aes(use_evp);
117 evaluate_ctr_for_aes();
118
119 data1 = tor_malloc(1024);
120 data2 = tor_malloc(1024);
121 data3 = tor_malloc(1024);
122
123 /* Now, test encryption and decryption with stream cipher. */
124 data1[0]='\0';
125 for (i = 1023; i>0; i -= 35)
126 strncat(data1, "Now is the time for all good onions", i);
127
128 memset(data2, 0, 1024);
129 memset(data3, 0, 1024);
130 env1 = crypto_cipher_new(NULL);
131 test_neq_ptr(env1, 0);
132 env2 = crypto_cipher_new(crypto_cipher_get_key(env1));
133 test_neq_ptr(env2, 0);
134
135 /* Try encrypting 512 chars. */
136 crypto_cipher_encrypt(env1, data2, data1, 512);
137 crypto_cipher_decrypt(env2, data3, data2, 512);
138 test_memeq(data1, data3, 512);
139 test_memneq(data1, data2, 512);
140
141 /* Now encrypt 1 at a time, and get 1 at a time. */
142 for (j = 512; j < 560; ++j) {
143 crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
144 }
145 for (j = 512; j < 560; ++j) {
146 crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
147 }
148 test_memeq(data1, data3, 560);
149 /* Now encrypt 3 at a time, and get 5 at a time. */
150 for (j = 560; j < 1024-5; j += 3) {
151 crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
152 }
153 for (j = 560; j < 1024-5; j += 5) {
154 crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
155 }
156 test_memeq(data1, data3, 1024-5);
157 /* Now make sure that when we encrypt with different chunk sizes, we get
158 the same results. */
159 crypto_cipher_free(env2);
160 env2 = NULL;
161
162 memset(data3, 0, 1024);
163 env2 = crypto_cipher_new(crypto_cipher_get_key(env1));
164 test_neq_ptr(env2, NULL);
165 for (j = 0; j < 1024-16; j += 17) {
166 crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
167 }
168 for (j= 0; j < 1024-16; ++j) {
169 if (data2[j] != data3[j]) {
170 printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]);
171 }
172 }
173 test_memeq(data2, data3, 1024-16);
174 crypto_cipher_free(env1);
175 env1 = NULL;
176 crypto_cipher_free(env2);
177 env2 = NULL;
178
179 /* NIST test vector for aes. */
180 /* IV starts at 0 */
181 env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
182 "\x00\x00\x00\x00\x00\x00\x00\x00");
183 crypto_cipher_encrypt(env1, data1,
184 "\x00\x00\x00\x00\x00\x00\x00\x00"
185 "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
186 test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");
187
188 /* Now test rollover. All these values are originally from a python
189 * script. */
190 crypto_cipher_free(env1);
191 env1 = crypto_cipher_new_with_iv(
192 "\x80\x00\x00\x00\x00\x00\x00\x00"
193 "\x00\x00\x00\x00\x00\x00\x00\x00",
194 "\x00\x00\x00\x00\x00\x00\x00\x00"
195 "\xff\xff\xff\xff\xff\xff\xff\xff");
196 memset(data2, 0, 1024);
197 crypto_cipher_encrypt(env1, data1, data2, 32);
198 test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
199 "cdd0b917dbc7186908a6bfb5ffd574d3");
200 crypto_cipher_free(env1);
201 env1 = crypto_cipher_new_with_iv(
202 "\x80\x00\x00\x00\x00\x00\x00\x00"
203 "\x00\x00\x00\x00\x00\x00\x00\x00",
204 "\x00\x00\x00\x00\xff\xff\xff\xff"
205 "\xff\xff\xff\xff\xff\xff\xff\xff");
206 memset(data2, 0, 1024);
207 crypto_cipher_encrypt(env1, data1, data2, 32);
208 test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
209 "3e63c721df790d2c6469cc1953a3ffac");
210 crypto_cipher_free(env1);
211 env1 = crypto_cipher_new_with_iv(
212 "\x80\x00\x00\x00\x00\x00\x00\x00"
213 "\x00\x00\x00\x00\x00\x00\x00\x00",
214 "\xff\xff\xff\xff\xff\xff\xff\xff"
215 "\xff\xff\xff\xff\xff\xff\xff\xff");
216 memset(data2, 0, 1024);
217 crypto_cipher_encrypt(env1, data1, data2, 32);
218 test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
219 "0EDD33D3C621E546455BD8BA1418BEC8");
220
221 /* Now check rollover on inplace cipher. */
222 crypto_cipher_free(env1);
223 env1 = crypto_cipher_new_with_iv(
224 "\x80\x00\x00\x00\x00\x00\x00\x00"
225 "\x00\x00\x00\x00\x00\x00\x00\x00",
226 "\xff\xff\xff\xff\xff\xff\xff\xff"
227 "\xff\xff\xff\xff\xff\xff\xff\xff");
228 crypto_cipher_crypt_inplace(env1, data2, 64);
229 test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
230 "0EDD33D3C621E546455BD8BA1418BEC8"
231 "93e2c5243d6839eac58503919192f7ae"
232 "1908e67cafa08d508816659c2e693191");
233 crypto_cipher_free(env1);
234 env1 = crypto_cipher_new_with_iv(
235 "\x80\x00\x00\x00\x00\x00\x00\x00"
236 "\x00\x00\x00\x00\x00\x00\x00\x00",
237 "\xff\xff\xff\xff\xff\xff\xff\xff"
238 "\xff\xff\xff\xff\xff\xff\xff\xff");
239 crypto_cipher_crypt_inplace(env1, data2, 64);
240 test_assert(tor_mem_is_zero(data2, 64));
241
242 done:
243 tor_free(mem_op_hex_tmp);
244 if (env1)
245 crypto_cipher_free(env1);
246 if (env2)
247 crypto_cipher_free(env2);
248 tor_free(data1);
249 tor_free(data2);
250 tor_free(data3);
251 }
252
253 /** Run unit tests for our SHA-1 functionality */
254 static void
255 test_crypto_sha(void)
256 {
257 crypto_digest_t *d1 = NULL, *d2 = NULL;
258 int i;
259 char key[160];
260 char digest[32];
261 char data[50];
262 char d_out1[DIGEST_LEN], d_out2[DIGEST256_LEN];
263 char *mem_op_hex_tmp=NULL;
264
265 /* Test SHA-1 with a test vector from the specification. */
266 i = crypto_digest(data, "abc", 3);
267 test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
268 tt_int_op(i, ==, 0);
269
270 /* Test SHA-256 with a test vector from the specification. */
271 i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
272 test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
273 "96177A9CB410FF61F20015AD");
274 tt_int_op(i, ==, 0);
275
276 /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
277
278 /* Case empty (wikipedia) */
279 crypto_hmac_sha256(digest, "", 0, "", 0);
280 test_streq(hex_str(digest, 32),
281 "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
282
283 /* Case quick-brown (wikipedia) */
284 crypto_hmac_sha256(digest, "key", 3,
285 "The quick brown fox jumps over the lazy dog", 43);
286 test_streq(hex_str(digest, 32),
287 "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
288
289 /* "Test Case 1" from RFC 4231 */
290 memset(key, 0x0b, 20);
291 crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
292 test_memeq_hex(digest,
293 "b0344c61d8db38535ca8afceaf0bf12b"
294 "881dc200c9833da726e9376c2e32cff7");
295
296 /* "Test Case 2" from RFC 4231 */
297 memset(key, 0x0b, 20);
298 crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
299 test_memeq_hex(digest,
300 "5bdcc146bf60754e6a042426089575c7"
301 "5a003f089d2739839dec58b964ec3843");
302
303 /* "Test case 3" from RFC 4231 */
304 memset(key, 0xaa, 20);
305 memset(data, 0xdd, 50);
306 crypto_hmac_sha256(digest, key, 20, data, 50);
307 test_memeq_hex(digest,
308 "773ea91e36800e46854db8ebd09181a7"
309 "2959098b3ef8c122d9635514ced565fe");
310
311 /* "Test case 4" from RFC 4231 */
312 base16_decode(key, 25,
313 "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
314 memset(data, 0xcd, 50);
315 crypto_hmac_sha256(digest, key, 25, data, 50);
316 test_memeq_hex(digest,
317 "82558a389a443c0ea4cc819899f2083a"
318 "85f0faa3e578f8077a2e3ff46729665b");
319
320 /* "Test case 5" from RFC 4231 */
321 memset(key, 0x0c, 20);
322 crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
323 test_memeq_hex(digest,
324 "a3b6167473100ee06e0c796c2955552b");
325
326 /* "Test case 6" from RFC 4231 */
327 memset(key, 0xaa, 131);
328 crypto_hmac_sha256(digest, key, 131,
329 "Test Using Larger Than Block-Size Key - Hash Key First",
330 54);
331 test_memeq_hex(digest,
332 "60e431591ee0b67f0d8a26aacbf5b77f"
333 "8e0bc6213728c5140546040f0ee37f54");
334
335 /* "Test case 7" from RFC 4231 */
336 memset(key, 0xaa, 131);
337 crypto_hmac_sha256(digest, key, 131,
338 "This is a test using a larger than block-size key and a "
339 "larger than block-size data. The key needs to be hashed "
340 "before being used by the HMAC algorithm.", 152);
341 test_memeq_hex(digest,
342 "9b09ffa71b942fcb27635fbcd5b0e944"
343 "bfdc63644f0713938a7f51535c3a35e2");
344
345 /* Incremental digest code. */
346 d1 = crypto_digest_new();
347 test_assert(d1);
348 crypto_digest_add_bytes(d1, "abcdef", 6);
349 d2 = crypto_digest_dup(d1);
350 test_assert(d2);
351 crypto_digest_add_bytes(d2, "ghijkl", 6);
352 crypto_digest_get_digest(d2, d_out1, sizeof(d_out1));
353 crypto_digest(d_out2, "abcdefghijkl", 12);
354 test_memeq(d_out1, d_out2, DIGEST_LEN);
355 crypto_digest_assign(d2, d1);
356 crypto_digest_add_bytes(d2, "mno", 3);
357 crypto_digest_get_digest(d2, d_out1, sizeof(d_out1));
358 crypto_digest(d_out2, "abcdefmno", 9);
359 test_memeq(d_out1, d_out2, DIGEST_LEN);
360 crypto_digest_get_digest(d1, d_out1, sizeof(d_out1));
361 crypto_digest(d_out2, "abcdef", 6);
362 test_memeq(d_out1, d_out2, DIGEST_LEN);
363 crypto_digest_free(d1);
364 crypto_digest_free(d2);
365
366 /* Incremental digest code with sha256 */
367 d1 = crypto_digest256_new(DIGEST_SHA256);
368 test_assert(d1);
369 crypto_digest_add_bytes(d1, "abcdef", 6);
370 d2 = crypto_digest_dup(d1);
371 test_assert(d2);
372 crypto_digest_add_bytes(d2, "ghijkl", 6);
373 crypto_digest_get_digest(d2, d_out1, sizeof(d_out1));
374 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
375 test_memeq(d_out1, d_out2, DIGEST_LEN);
376 crypto_digest_assign(d2, d1);
377 crypto_digest_add_bytes(d2, "mno", 3);
378 crypto_digest_get_digest(d2, d_out1, sizeof(d_out1));
379 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
380 test_memeq(d_out1, d_out2, DIGEST_LEN);
381 crypto_digest_get_digest(d1, d_out1, sizeof(d_out1));
382 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
383 test_memeq(d_out1, d_out2, DIGEST_LEN);
384
385 done:
386 if (d1)
387 crypto_digest_free(d1);
388 if (d2)
389 crypto_digest_free(d2);
390 tor_free(mem_op_hex_tmp);
391 }
392
393 /** Run unit tests for our public key crypto functions */
394 static void
395 test_crypto_pk(void)
396 {
397 crypto_pk_t *pk1 = NULL, *pk2 = NULL;
398 char *encoded = NULL;
399 char data1[1024], data2[1024], data3[1024];
400 size_t size;
401 int i, len;
402
403 /* Public-key ciphers */
404 pk1 = pk_generate(0);
405 pk2 = crypto_pk_new();
406 test_assert(pk1 && pk2);
407 test_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size));
408 test_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size));
409 test_eq(0, crypto_pk_cmp_keys(pk1, pk2));
410
411 /* comparison between keys and NULL */
412 tt_int_op(crypto_pk_cmp_keys(NULL, pk1), <, 0);
413 tt_int_op(crypto_pk_cmp_keys(NULL, NULL), ==, 0);
414 tt_int_op(crypto_pk_cmp_keys(pk1, NULL), >, 0);
415
416 test_eq(128, crypto_pk_keysize(pk1));
417 test_eq(1024, crypto_pk_num_bits(pk1));
418 test_eq(128, crypto_pk_keysize(pk2));
419 test_eq(1024, crypto_pk_num_bits(pk2));
420
421 test_eq(128, crypto_pk_public_encrypt(pk2, data1, sizeof(data1),
422 "Hello whirled.", 15,
423 PK_PKCS1_OAEP_PADDING));
424 test_eq(128, crypto_pk_public_encrypt(pk1, data2, sizeof(data1),
425 "Hello whirled.", 15,
426 PK_PKCS1_OAEP_PADDING));
427 /* oaep padding should make encryption not match */
428 test_memneq(data1, data2, 128);
429 test_eq(15, crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128,
430 PK_PKCS1_OAEP_PADDING,1));
431 test_streq(data3, "Hello whirled.");
432 memset(data3, 0, 1024);
433 test_eq(15, crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
434 PK_PKCS1_OAEP_PADDING,1));
435 test_streq(data3, "Hello whirled.");
436 /* Can't decrypt with public key. */
437 test_eq(-1, crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128,
438 PK_PKCS1_OAEP_PADDING,1));
439 /* Try again with bad padding */
440 memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
441 test_eq(-1, crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
442 PK_PKCS1_OAEP_PADDING,1));
443
444 /* File operations: save and load private key */
445 test_assert(! crypto_pk_write_private_key_to_filename(pk1,
446 get_fname("pkey1")));
447 /* failing case for read: can't read. */
448 test_assert(crypto_pk_read_private_key_from_filename(pk2,
449 get_fname("xyzzy")) < 0);
450 write_str_to_file(get_fname("xyzzy"), "foobar", 6);
451 /* Failing case for read: no key. */
452 test_assert(crypto_pk_read_private_key_from_filename(pk2,
453 get_fname("xyzzy")) < 0);
454 test_assert(! crypto_pk_read_private_key_from_filename(pk2,
455 get_fname("pkey1")));
456 test_eq(15, crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128,
457 PK_PKCS1_OAEP_PADDING,1));
458
459 /* Now try signing. */
460 strlcpy(data1, "Ossifrage", 1024);
461 test_eq(128, crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10));
462 test_eq(10,
463 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
464 test_streq(data3, "Ossifrage");
465 /* Try signing digests. */
466 test_eq(128, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2),
467 data1, 10));
468 test_eq(20,
469 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
470 test_eq(0, crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128));
471 test_eq(-1, crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128));
472
473 /*XXXX test failed signing*/
474
475 /* Try encoding */
476 crypto_pk_free(pk2);
477 pk2 = NULL;
478 i = crypto_pk_asn1_encode(pk1, data1, 1024);
479 test_assert(i>0);
480 pk2 = crypto_pk_asn1_decode(data1, i);
481 test_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
482
483 /* Try with hybrid encryption wrappers. */
484 crypto_rand(data1, 1024);
485 for (i = 85; i < 140; ++i) {
486 memset(data2,0,1024);
487 memset(data3,0,1024);
488 len = crypto_pk_public_hybrid_encrypt(pk1,data2,sizeof(data2),
489 data1,i,PK_PKCS1_OAEP_PADDING,0);
490 test_assert(len>=0);
491 len = crypto_pk_private_hybrid_decrypt(pk1,data3,sizeof(data3),
492 data2,len,PK_PKCS1_OAEP_PADDING,1);
493 test_eq(len,i);
494 test_memeq(data1,data3,i);
495 }
496
497 /* Try copy_full */
498 crypto_pk_free(pk2);
499 pk2 = crypto_pk_copy_full(pk1);
500 test_assert(pk2 != NULL);
501 test_neq_ptr(pk1, pk2);
502 test_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
503
504 done:
505 if (pk1)
506 crypto_pk_free(pk1);
507 if (pk2)
508 crypto_pk_free(pk2);
509 tor_free(encoded);
510 }
511
512 static void
513 test_crypto_pk_fingerprints(void *arg)
514 {
515 crypto_pk_t *pk = NULL;
516 char encoded[512];
517 char d[DIGEST_LEN], d2[DIGEST_LEN];
518 char fingerprint[FINGERPRINT_LEN+1];
519 int n;
520 unsigned i;
521 char *mem_op_hex_tmp=NULL;
522
523 (void)arg;
524
525 pk = pk_generate(1);
526 tt_assert(pk);
527 n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded));
528 tt_int_op(n, >, 0);
529 tt_int_op(n, >, 128);
530 tt_int_op(n, <, 256);
531
532 /* Is digest as expected? */
533 crypto_digest(d, encoded, n);
534 tt_int_op(0, ==, crypto_pk_get_digest(pk, d2));
535 test_memeq(d, d2, DIGEST_LEN);
536
537 /* Is fingerprint right? */
538 tt_int_op(0, ==, crypto_pk_get_fingerprint(pk, fingerprint, 0));
539 tt_int_op(strlen(fingerprint), ==, DIGEST_LEN * 2);
540 test_memeq_hex(d, fingerprint);
541
542 /* Are spaces right? */
543 tt_int_op(0, ==, crypto_pk_get_fingerprint(pk, fingerprint, 1));
544 for (i = 4; i < strlen(fingerprint); i += 5) {
545 tt_int_op(fingerprint[i], ==, ' ');
546 }
547 tor_strstrip(fingerprint, " ");
548 tt_int_op(strlen(fingerprint), ==, DIGEST_LEN * 2);
549 test_memeq_hex(d, fingerprint);
550
551 /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
552 crypto_digest(d2, d, sizeof(d));
553 tt_int_op(0, ==, crypto_pk_get_hashed_fingerprint(pk, fingerprint));
554 tt_int_op(strlen(fingerprint), ==, DIGEST_LEN * 2);
555 test_memeq_hex(d2, fingerprint);
556
557 done:
558 crypto_pk_free(pk);
559 tor_free(mem_op_hex_tmp);
560 }
561
562 /** Sanity check for crypto pk digests */
563 static void
564 test_crypto_digests(void)
565 {
566 crypto_pk_t *k = NULL;
567 ssize_t r;
568 digests_t pkey_digests;
569 char digest[DIGEST_LEN];
570
571 k = crypto_pk_new();
572 test_assert(k);
573 r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3, -1);
574 test_assert(!r);
575
576 r = crypto_pk_get_digest(k, digest);
577 test_assert(r == 0);
578 test_memeq(hex_str(digest, DIGEST_LEN),
579 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
580
581 r = crypto_pk_get_all_digests(k, &pkey_digests);
582
583 test_memeq(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),
584 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
585 test_memeq(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),
586 AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN);
587 done:
588 crypto_pk_free(k);
589 }
590
591 /** Run unit tests for misc crypto formatting functionality (base64, base32,
592 * fingerprints, etc) */
593 static void
594 test_crypto_formats(void)
595 {
596 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
597 int i, j, idx;
598
599 data1 = tor_malloc(1024);
600 data2 = tor_malloc(1024);
601 data3 = tor_malloc(1024);
602 test_assert(data1 && data2 && data3);
603
604 /* Base64 tests */
605 memset(data1, 6, 1024);
606 for (idx = 0; idx < 10; ++idx) {
607 i = base64_encode(data2, 1024, data1, idx);
608 test_assert(i >= 0);
609 j = base64_decode(data3, 1024, data2, i);
610 test_eq(j,idx);
611 test_memeq(data3, data1, idx);
612 }
613
614 strlcpy(data1, "Test string that contains 35 chars.", 1024);
615 strlcat(data1, " 2nd string that contains 35 chars.", 1024);
616
617 i = base64_encode(data2, 1024, data1, 71);
618 test_assert(i >= 0);
619 j = base64_decode(data3, 1024, data2, i);
620 test_eq(j, 71);
621 test_streq(data3, data1);
622 test_assert(data2[i] == '\0');
623
624 crypto_rand(data1, DIGEST_LEN);
625 memset(data2, 100, 1024);
626 digest_to_base64(data2, data1);
627 test_eq(BASE64_DIGEST_LEN, strlen(data2));
628 test_eq(100, data2[BASE64_DIGEST_LEN+2]);
629 memset(data3, 99, 1024);
630 test_eq(digest_from_base64(data3, data2), 0);
631 test_memeq(data1, data3, DIGEST_LEN);
632 test_eq(99, data3[DIGEST_LEN+1]);
633
634 test_assert(digest_from_base64(data3, "###") < 0);
635
636 /* Encoding SHA256 */
637 crypto_rand(data2, DIGEST256_LEN);
638 memset(data2, 100, 1024);
639 digest256_to_base64(data2, data1);
640 test_eq(BASE64_DIGEST256_LEN, strlen(data2));
641 test_eq(100, data2[BASE64_DIGEST256_LEN+2]);
642 memset(data3, 99, 1024);
643 test_eq(digest256_from_base64(data3, data2), 0);
644 test_memeq(data1, data3, DIGEST256_LEN);
645 test_eq(99, data3[DIGEST256_LEN+1]);
646
647 /* Base32 tests */
648 strlcpy(data1, "5chrs", 1024);
649 /* bit pattern is: [35 63 68 72 73] ->
650 * [00110101 01100011 01101000 01110010 01110011]
651 * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
652 */
653 base32_encode(data2, 9, data1, 5);
654 test_streq(data2, "gvrwq4tt");
655
656 strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
657 base32_encode(data2, 30, data1, 10);
658 test_streq(data2, "772w2rfobvomsywe");
659
660 /* Base16 tests */
661 strlcpy(data1, "6chrs\xff", 1024);
662 base16_encode(data2, 13, data1, 6);
663 test_streq(data2, "3663687273FF");
664
665 strlcpy(data1, "f0d678affc000100", 1024);
666 i = base16_decode(data2, 8, data1, 16);
667 test_eq(i,0);
668 test_memeq(data2, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
669
670 /* now try some failing base16 decodes */
671 test_eq(-1, base16_decode(data2, 8, data1, 15)); /* odd input len */
672 test_eq(-1, base16_decode(data2, 7, data1, 16)); /* dest too short */
673 strlcpy(data1, "f0dz!8affc000100", 1024);
674 test_eq(-1, base16_decode(data2, 8, data1, 16));
675
676 tor_free(data1);
677 tor_free(data2);
678 tor_free(data3);
679
680 /* Add spaces to fingerprint */
681 {
682 data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
683 test_eq(strlen(data1), 40);
684 data2 = tor_malloc(FINGERPRINT_LEN+1);
685 crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1);
686 test_streq(data2, "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
687 tor_free(data1);
688 tor_free(data2);
689 }
690
691 done:
692 tor_free(data1);
693 tor_free(data2);
694 tor_free(data3);
695 }
696
697 /** Run unit tests for our secret-to-key passphrase hashing functionality. */
698 static void
699 test_crypto_s2k(void)
700 {
701 char buf[29];
702 char buf2[29];
703 char *buf3 = NULL;
704 int i;
705
706 memset(buf, 0, sizeof(buf));
707 memset(buf2, 0, sizeof(buf2));
708 buf3 = tor_malloc(65536);
709 memset(buf3, 0, 65536);
710
711 secret_to_key(buf+9, 20, "", 0, buf);
712 crypto_digest(buf2+9, buf3, 1024);
713 test_memeq(buf, buf2, 29);
714
715 memcpy(buf,"vrbacrda",8);
716 memcpy(buf2,"vrbacrda",8);
717 buf[8] = 96;
718 buf2[8] = 96;
719 secret_to_key(buf+9, 20, "12345678", 8, buf);
720 for (i = 0; i < 65536; i += 16) {
721 memcpy(buf3+i, "vrbacrda12345678", 16);
722 }
723 crypto_digest(buf2+9, buf3, 65536);
724 test_memeq(buf, buf2, 29);
725
726 done:
727 tor_free(buf3);
728 }
729
730 /** Test AES-CTR encryption and decryption with IV. */
731 static void
732 test_crypto_aes_iv(void *arg)
733 {
734 char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2;
735 char plain_1[1], plain_15[15], plain_16[16], plain_17[17];
736 char key1[16], key2[16];
737 ssize_t encrypted_size, decrypted_size;
738
739 int use_evp = !strcmp(arg,"evp");
740 evaluate_evp_for_aes(use_evp);
741
742 plain = tor_malloc(4095);
743 encrypted1 = tor_malloc(4095 + 1 + 16);
744 encrypted2 = tor_malloc(4095 + 1 + 16);
745 decrypted1 = tor_malloc(4095 + 1);
746 decrypted2 = tor_malloc(4095 + 1);
747
748 crypto_rand(plain, 4095);
749 crypto_rand(key1, 16);
750 crypto_rand(key2, 16);
751 crypto_rand(plain_1, 1);
752 crypto_rand(plain_15, 15);
753 crypto_rand(plain_16, 16);
754 crypto_rand(plain_17, 17);
755 key1[0] = key2[0] + 128; /* Make sure that contents are different. */
756 /* Encrypt and decrypt with the same key. */
757 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095,
758 plain, 4095);
759
760 test_eq(encrypted_size, 16 + 4095);
761 tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is
762 * greater than 0, but its truth is not
763 * obvious to all analysis tools. */
764 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
765 encrypted1, encrypted_size);
766
767 test_eq(decrypted_size, 4095);
768 tt_assert(decrypted_size > 0);
769 test_memeq(plain, decrypted1, 4095);
770 /* Encrypt a second time (with a new random initialization vector). */
771 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095,
772 plain, 4095);
773
774 test_eq(encrypted_size, 16 + 4095);
775 tt_assert(encrypted_size > 0);
776 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095,
777 encrypted2, encrypted_size);
778 test_eq(decrypted_size, 4095);
779 tt_assert(decrypted_size > 0);
780 test_memeq(plain, decrypted2, 4095);
781 test_memneq(encrypted1, encrypted2, encrypted_size);
782 /* Decrypt with the wrong key. */
783 decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095,
784 encrypted1, encrypted_size);
785 test_eq(decrypted_size, 4095);
786 test_memneq(plain, decrypted2, decrypted_size);
787 /* Alter the initialization vector. */
788 encrypted1[0] += 42;
789 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
790 encrypted1, encrypted_size);
791 test_eq(decrypted_size, 4095);
792 test_memneq(plain, decrypted2, 4095);
793 /* Special length case: 1. */
794 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1,
795 plain_1, 1);
796 test_eq(encrypted_size, 16 + 1);
797 tt_assert(encrypted_size > 0);
798 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1,
799 encrypted1, encrypted_size);
800 test_eq(decrypted_size, 1);
801 tt_assert(decrypted_size > 0);
802 test_memeq(plain_1, decrypted1, 1);
803 /* Special length case: 15. */
804 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15,
805 plain_15, 15);
806 test_eq(encrypted_size, 16 + 15);
807 tt_assert(encrypted_size > 0);
808 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15,
809 encrypted1, encrypted_size);
810 test_eq(decrypted_size, 15);
811 tt_assert(decrypted_size > 0);
812 test_memeq(plain_15, decrypted1, 15);
813 /* Special length case: 16. */
814 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16,
815 plain_16, 16);
816 test_eq(encrypted_size, 16 + 16);
817 tt_assert(encrypted_size > 0);
818 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16,
819 encrypted1, encrypted_size);
820 test_eq(decrypted_size, 16);
821 tt_assert(decrypted_size > 0);
822 test_memeq(plain_16, decrypted1, 16);
823 /* Special length case: 17. */
824 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17,
825 plain_17, 17);
826 test_eq(encrypted_size, 16 + 17);
827 tt_assert(encrypted_size > 0);
828 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17,
829 encrypted1, encrypted_size);
830 test_eq(decrypted_size, 17);
831 tt_assert(decrypted_size > 0);
832 test_memeq(plain_17, decrypted1, 17);
833
834 done:
835 /* Free memory. */
836 tor_free(plain);
837 tor_free(encrypted1);
838 tor_free(encrypted2);
839 tor_free(decrypted1);
840 tor_free(decrypted2);
841 }
842
843 /** Test base32 decoding. */
844 static void
845 test_crypto_base32_decode(void)
846 {
847 char plain[60], encoded[96 + 1], decoded[60];
848 int res;
849 crypto_rand(plain, 60);
850 /* Encode and decode a random string. */
851 base32_encode(encoded, 96 + 1, plain, 60);
852 res = base32_decode(decoded, 60, encoded, 96);
853 test_eq(res, 0);
854 test_memeq(plain, decoded, 60);
855 /* Encode, uppercase, and decode a random string. */
856 base32_encode(encoded, 96 + 1, plain, 60);
857 tor_strupper(encoded);
858 res = base32_decode(decoded, 60, encoded, 96);
859 test_eq(res, 0);
860 test_memeq(plain, decoded, 60);
861 /* Change encoded string and decode. */
862 if (encoded[0] == 'A' || encoded[0] == 'a')
863 encoded[0] = 'B';
864 else
865 encoded[0] = 'A';
866 res = base32_decode(decoded, 60, encoded, 96);
867 test_eq(res, 0);
868 test_memneq(plain, decoded, 60);
869 /* Bad encodings. */
870 encoded[0] = '!';
871 res = base32_decode(decoded, 60, encoded, 96);
872 test_assert(res < 0);
873
874 done:
875 ;
876 }
877
878 static void
879 test_crypto_kdf_TAP(void *arg)
880 {
881 uint8_t key_material[100];
882 int r;
883 char *mem_op_hex_tmp = NULL;
884
885 (void)arg;
886 #define EXPAND(s) \
887 r = crypto_expand_key_material_TAP( \
888 (const uint8_t*)(s), strlen(s), \
889 key_material, 100)
890
891 /* Test vectors generated with a little python script; feel free to write
892 * your own. */
893 memset(key_material, 0, sizeof(key_material));
894 EXPAND("");
895 tt_int_op(r, ==, 0);
896 test_memeq_hex(key_material,
897 "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
898 "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
899 "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
900 "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
901
902 EXPAND("Tor");
903 tt_int_op(r, ==, 0);
904 test_memeq_hex(key_material,
905 "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
906 "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
907 "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
908 "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
909
910 EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
911 tt_int_op(r, ==, 0);
912 test_memeq_hex(key_material,
913 "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
914 "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
915 "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
916 "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
917
918 done:
919 tor_free(mem_op_hex_tmp);
920
921 #undef EXPAND
922 }
923
924 static void
925 test_crypto_hkdf_sha256(void *arg)
926 {
927 uint8_t key_material[100];
928 const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract";
929 const size_t salt_len = strlen((char*)salt);
930 const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand";
931 const size_t m_expand_len = strlen((char*)m_expand);
932 int r;
933 char *mem_op_hex_tmp = NULL;
934
935 (void)arg;
936
937 #define EXPAND(s) \
938 r = crypto_expand_key_material_rfc5869_sha256( \
939 (const uint8_t*)(s), strlen(s), \
940 salt, salt_len, \
941 m_expand, m_expand_len, \
942 key_material, 100)
943
944 /* Test vectors generated with ntor_ref.py */
945 memset(key_material, 0, sizeof(key_material));
946 EXPAND("");
947 tt_int_op(r, ==, 0);
948 test_memeq_hex(key_material,
949 "d3490ed48b12a48f9547861583573fe3f19aafe3f81dc7fc75"
950 "eeed96d741b3290f941576c1f9f0b2d463d1ec7ab2c6bf71cd"
951 "d7f826c6298c00dbfe6711635d7005f0269493edf6046cc7e7"
952 "dcf6abe0d20c77cf363e8ffe358927817a3d3e73712cee28d8");
953
954 EXPAND("Tor");
955 tt_int_op(r, ==, 0);
956 test_memeq_hex(key_material,
957 "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
958 "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
959 "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
960 "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
961
962 EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
963 tt_int_op(r, ==, 0);
964 test_memeq_hex(key_material,
965 "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
966 "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
967 "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
968 "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
969
970 done:
971 tor_free(mem_op_hex_tmp);
972 #undef EXPAND
973 }
974
975 #ifdef CURVE25519_ENABLED
976 static void
977 test_crypto_curve25519_impl(void *arg)
978 {
979 /* adapted from curve25519_donna, which adapted it from test-curve25519
980 version 20050915, by D. J. Bernstein, Public domain. */
981
982 const int randomize_high_bit = (arg != NULL);
983
984 #ifdef SLOW_CURVE25519_TEST
985 const int loop_max=10000;
986 const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5"
987 "7e0329f4dd2819f5f32d130f1296b500";
988 const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9"
989 "e0544770bc7de853b38f9100489e3e79";
990 const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88"
991 "bd13861475516bc2cd2b6e005e805064";
992 #else
993 const int loop_max=200;
994 const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3"
995 "c6a1037d74cceb3712e9206871dcf654";
996 const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
997 "8e3ee1a63c7d14274ea5d4c67f065467";
998 const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e"
999 "c0ee98cb2257a4545c0cfb2ca3e1812b";
1000 #endif
1001
1002 unsigned char e1k[32];
1003 unsigned char e2k[32];
1004 unsigned char e1e2k[32];
1005 unsigned char e2e1k[32];
1006 unsigned char e1[32] = {3};
1007 unsigned char e2[32] = {5};
1008 unsigned char k[32] = {9};
1009 int loop, i;
1010
1011 char *mem_op_hex_tmp = NULL;
1012
1013 for (loop = 0; loop < loop_max; ++loop) {
1014 curve25519_impl(e1k,e1,k);
1015 curve25519_impl(e2e1k,e2,e1k);
1016 curve25519_impl(e2k,e2,k);
1017 if (randomize_high_bit) {
1018 /* We require that the high bit of the public key be ignored. So if
1019 * we're doing this variant test, we randomize the high bit of e2k, and
1020 * make sure that the handshake still works out the same as it would
1021 * otherwise. */
1022 uint8_t byte;
1023 crypto_rand((char*)&byte, 1);
1024 e2k[31] |= (byte & 0x80);
1025 }
1026 curve25519_impl(e1e2k,e1,e2k);
1027 test_memeq(e1e2k, e2e1k, 32);
1028 if (loop == loop_max-1) {
1029 break;
1030 }
1031 for (i = 0;i < 32;++i) e1[i] ^= e2k[i];
1032 for (i = 0;i < 32;++i) e2[i] ^= e1k[i];
1033 for (i = 0;i < 32;++i) k[i] ^= e1e2k[i];
1034 }
1035
1036 test_memeq_hex(e1, e1_expected);
1037 test_memeq_hex(e2k, e2k_expected);
1038 test_memeq_hex(e1e2k, e1e2k_expected);
1039
1040 done:
1041 tor_free(mem_op_hex_tmp);
1042 }
1043
1044 static void
1045 test_crypto_curve25519_wrappers(void *arg)
1046 {
1047 curve25519_public_key_t pubkey1, pubkey2;
1048 curve25519_secret_key_t seckey1, seckey2;
1049
1050 uint8_t output1[CURVE25519_OUTPUT_LEN];
1051 uint8_t output2[CURVE25519_OUTPUT_LEN];
1052 (void)arg;
1053
1054 /* Test a simple handshake, serializing and deserializing some stuff. */
1055 curve25519_secret_key_generate(&seckey1, 0);
1056 curve25519_secret_key_generate(&seckey2, 1);
1057 curve25519_public_key_generate(&pubkey1, &seckey1);
1058 curve25519_public_key_generate(&pubkey2, &seckey2);
1059 test_assert(curve25519_public_key_is_ok(&pubkey1));
1060 test_assert(curve25519_public_key_is_ok(&pubkey2));
1061 curve25519_handshake(output1, &seckey1, &pubkey2);
1062 curve25519_handshake(output2, &seckey2, &pubkey1);
1063 test_memeq(output1, output2, sizeof(output1));
1064
1065 done:
1066 ;
1067 }
1068
1069 static void
1070 test_crypto_curve25519_encode(void *arg)
1071 {
1072 curve25519_secret_key_t seckey;
1073 curve25519_public_key_t key1, key2, key3;
1074 char buf[64];
1075
1076 (void)arg;
1077
1078 curve25519_secret_key_generate(&seckey, 0);
1079 curve25519_public_key_generate(&key1, &seckey);
1080 tt_int_op(0, ==, curve25519_public_to_base64(buf, &key1));
1081 tt_int_op(CURVE25519_BASE64_PADDED_LEN, ==, strlen(buf));
1082
1083 tt_int_op(0, ==, curve25519_public_from_base64(&key2, buf));
1084 test_memeq(key1.public_key, key2.public_key, CURVE25519_PUBKEY_LEN);
1085
1086 buf[CURVE25519_BASE64_PADDED_LEN - 1] = '\0';
1087 tt_int_op(CURVE25519_BASE64_PADDED_LEN-1, ==, strlen(buf));
1088 tt_int_op(0, ==, curve25519_public_from_base64(&key3, buf));
1089 test_memeq(key1.public_key, key3.public_key, CURVE25519_PUBKEY_LEN);
1090
1091 /* Now try bogus parses. */
1092 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf));
1093 tt_int_op(-1, ==, curve25519_public_from_base64(&key3, buf));
1094
1095 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf));
1096 tt_int_op(-1, ==, curve25519_public_from_base64(&key3, buf));
1097
1098 strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf));
1099 tt_int_op(-1, ==, curve25519_public_from_base64(&key3, buf));
1100
1101 done:
1102 ;
1103 }
1104
1105 static void
1106 test_crypto_curve25519_persist(void *arg)
1107 {
1108 curve25519_keypair_t keypair, keypair2;
1109 char *fname = tor_strdup(get_fname("curve25519_keypair"));
1110 char *tag = NULL;
1111 char *content = NULL;
1112 const char *cp;
1113 struct stat st;
1114 size_t taglen;
1115
1116 (void)arg;
1117
1118 tt_int_op(0,==,curve25519_keypair_generate(&keypair, 0));
1119
1120 tt_int_op(0,==,curve25519_keypair_write_to_file(&keypair, fname, "testing"));
1121 tt_int_op(0,==,curve25519_keypair_read_from_file(&keypair2, &tag, fname));
1122 tt_str_op(tag,==,"testing");
1123 tor_free(tag);
1124
1125 test_memeq(keypair.pubkey.public_key,
1126 keypair2.pubkey.public_key,
1127 CURVE25519_PUBKEY_LEN);
1128 test_memeq(keypair.seckey.secret_key,
1129 keypair2.seckey.secret_key,
1130 CURVE25519_SECKEY_LEN);
1131
1132 content = read_file_to_str(fname, RFTS_BIN, &st);
1133 tt_assert(content);
1134 taglen = strlen("== c25519v1: testing ==");
1135 tt_u64_op((uint64_t)st.st_size, ==,
1136 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN);
1137 tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen));
1138 tt_assert(tor_mem_is_zero(content+taglen, 32-taglen));
1139 cp = content + 32;
1140 test_memeq(keypair.seckey.secret_key,
1141 cp,
1142 CURVE25519_SECKEY_LEN);
1143 cp += CURVE25519_SECKEY_LEN;
1144 test_memeq(keypair.pubkey.public_key,
1145 cp,
1146 CURVE25519_SECKEY_LEN);
1147
1148 tor_free(fname);
1149 fname = tor_strdup(get_fname("bogus_keypair"));
1150
1151 tt_int_op(-1, ==, curve25519_keypair_read_from_file(&keypair2, &tag, fname));
1152 tor_free(tag);
1153
1154 content[69] ^= 0xff;
1155 tt_int_op(0, ==, write_bytes_to_file(fname, content, (size_t)st.st_size, 1));
1156 tt_int_op(-1, ==, curve25519_keypair_read_from_file(&keypair2, &tag, fname));
1157
1158 done:
1159 tor_free(fname);
1160 tor_free(content);
1161 tor_free(tag);
1162 }
1163
1164 #endif
1165
1166 static void
1167 test_crypto_siphash(void *arg)
1168 {
1169 /* From the reference implementation, taking
1170 k = 00 01 02 ... 0f
1171 and in = 00; 00 01; 00 01 02; ...
1172 */
1173 const uint8_t VECTORS[64][8] =
1174 {
1175 { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
1176 { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
1177 { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
1178 { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
1179 { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
1180 { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
1181 { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
1182 { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
1183 { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
1184 { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
1185 { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
1186 { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
1187 { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
1188 { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
1189 { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
1190 { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
1191 { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
1192 { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
1193 { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
1194 { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
1195 { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
1196 { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
1197 { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
1198 { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
1199 { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
1200 { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
1201 { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
1202 { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
1203 { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
1204 { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
1205 { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
1206 { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
1207 { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
1208 { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
1209 { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
1210 { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
1211 { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
1212 { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
1213 { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
1214 { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
1215 { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
1216 { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
1217 { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
1218 { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
1219 { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
1220 { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
1221 { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
1222 { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
1223 { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
1224 { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
1225 { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
1226 { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
1227 { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
1228 { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
1229 { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
1230 { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
1231 { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
1232 { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
1233 { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
1234 { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
1235 { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
1236 { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
1237 { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
1238 { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
1239 };
1240
1241 const struct sipkey K = { U64_LITERAL(0x0706050403020100),
1242 U64_LITERAL(0x0f0e0d0c0b0a0908) };
1243 uint8_t input[64];
1244 int i, j;
1245
1246 (void)arg;
1247
1248 for (i = 0; i < 64; ++i)
1249 input[i] = i;
1250
1251 for (i = 0; i < 64; ++i) {
1252 uint64_t r = siphash24(input, i, &K);
1253 for (j = 0; j < 8; ++j) {
1254 tt_int_op( (r >> (j*8)) & 0xff, ==, VECTORS[i][j]);
1255 }
1256 }
1257
1258 done:
1259 ;
1260 }
1261
1262 static void *
1263 pass_data_setup_fn(const struct testcase_t *testcase)
1264 {
1265 return testcase->setup_data;
1266 }
1267 static int
1268 pass_data_cleanup_fn(const struct testcase_t *testcase, void *ptr)
1269 {
1270 (void)ptr;
1271 (void)testcase;
1272 return 1;
1273 }
1274 static const struct testcase_setup_t pass_data = {
1275 pass_data_setup_fn, pass_data_cleanup_fn
1276 };
1277
1278 #define CRYPTO_LEGACY(name) \
1279 { #name, legacy_test_helper, 0, &legacy_setup, test_crypto_ ## name }
1280
1281 struct testcase_t crypto_tests[] = {
1282 CRYPTO_LEGACY(formats),
1283 CRYPTO_LEGACY(rng),
1284 { "aes_AES", test_crypto_aes, TT_FORK, &pass_data, (void*)"aes" },
1285 { "aes_EVP", test_crypto_aes, TT_FORK, &pass_data, (void*)"evp" },
1286 CRYPTO_LEGACY(sha),
1287 CRYPTO_LEGACY(pk),
1288 { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
1289 CRYPTO_LEGACY(digests),
1290 CRYPTO_LEGACY(dh),
1291 CRYPTO_LEGACY(s2k),
1292 { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &pass_data, (void*)"aes" },
1293 { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, &pass_data, (void*)"evp" },
1294 CRYPTO_LEGACY(base32_decode),
1295 { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL },
1296 { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
1297 #ifdef CURVE25519_ENABLED
1298 { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
1299 { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"},
1300 { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
1301 { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
1302 { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
1303 #endif
1304 { "siphash", test_crypto_siphash, 0, NULL, NULL },
1305 END_OF_TESTCASES
1306 };
1307
Tomato firmware and modifications.