search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix typos from #28614
[tor.git] / src / test / test_crypto.c
blob0b57448bcf21fbddcb4540b133116ede54a43498
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2019, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5
6 #include "orconfig.h"
7 #define CRYPTO_CURVE25519_PRIVATE
8 #define CRYPTO_RAND_PRIVATE
9 #include "core/or/or.h"
10 #include "test/test.h"
11 #include "lib/crypt_ops/aes.h"
12 #include "siphash.h"
13 #include "lib/crypt_ops/crypto_curve25519.h"
14 #include "lib/crypt_ops/crypto_dh.h"
15 #include "lib/crypt_ops/crypto_ed25519.h"
16 #include "lib/crypt_ops/crypto_format.h"
17 #include "lib/crypt_ops/crypto_hkdf.h"
18 #include "lib/crypt_ops/crypto_rand.h"
19 #include "lib/crypt_ops/crypto_init.h"
20 #include "ed25519_vectors.inc"
21 #include "test/log_test_helpers.h"
22
23 #ifdef HAVE_SYS_STAT_H
24 #include <sys/stat.h>
25 #endif
26 #ifdef HAVE_UNISTD_H
27 #include <unistd.h>
28 #endif
29
30 #if defined(ENABLE_OPENSSL)
31 #include "lib/crypt_ops/compat_openssl.h"
32 DISABLE_GCC_WARNING(redundant-decls)
33 #include <openssl/dh.h>
34 ENABLE_GCC_WARNING(redundant-decls)
35 #endif
36
37 /** Run unit tests for Diffie-Hellman functionality. */
38 static void
39 test_crypto_dh(void *arg)
40 {
41 crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
42 crypto_dh_t *dh1_dup = NULL;
43 crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
44 char p1[DH1024_KEY_LEN];
45 char p2[DH1024_KEY_LEN];
46 char s1[DH1024_KEY_LEN];
47 char s2[DH1024_KEY_LEN];
48 ssize_t s1len, s2len;
49 #ifdef ENABLE_OPENSSL
50 crypto_dh_t *dh3 = NULL;
51 DH *dh4 = NULL;
52 BIGNUM *pubkey_tmp = NULL;
53 #endif
54
55 (void)arg;
56 tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH1024_KEY_LEN);
57 tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH1024_KEY_LEN);
58
59 memset(p1, 0, DH1024_KEY_LEN);
60 memset(p2, 0, DH1024_KEY_LEN);
61 tt_mem_op(p1,OP_EQ, p2, DH1024_KEY_LEN);
62
63 tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */
64
65 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
66 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
67 tt_assert(! crypto_dh_get_public(dh2, p2, DH1024_KEY_LEN));
68 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
69
70 memset(s1, 0, DH1024_KEY_LEN);
71 memset(s2, 0xFF, DH1024_KEY_LEN);
72 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH1024_KEY_LEN, s1, 50);
73 s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH1024_KEY_LEN, s2, 50);
74 tt_assert(s1len > 0);
75 tt_int_op(s1len,OP_EQ, s2len);
76 tt_mem_op(s1,OP_EQ, s2, s1len);
77
78 /* test dh_dup; make sure it works the same. */
79 dh1_dup = crypto_dh_dup(dh1);
80 s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH1024_KEY_LEN,
81 s1, 50);
82 tt_i64_op(s1len, OP_GE, 0);
83 tt_mem_op(s1,OP_EQ, s2, s1len);
84
85 {
86 /* Now fabricate some bad values and make sure they get caught. */
87
88 /* 1 and 0 should both fail. */
89 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x01", 1, s1, 50);
90 tt_int_op(-1, OP_EQ, s1len);
91
92 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50);
93 tt_int_op(-1, OP_EQ, s1len);
94
95 memset(p1, 0, DH1024_KEY_LEN); /* 0 with padding. */
96 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
97 s1, 50);
98 tt_int_op(-1, OP_EQ, s1len);
99
100 p1[DH1024_KEY_LEN-1] = 1; /* 1 with padding*/
101 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
102 s1, 50);
103 tt_int_op(-1, OP_EQ, s1len);
104
105 /* 2 is okay, though weird. */
106 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
107 tt_int_op(50, OP_EQ, s1len);
108
109 /* 2 a second time is still okay, though weird. */
110 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
111 tt_int_op(50, OP_EQ, s1len);
112
113 const char P[] =
114 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
115 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
116 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
117 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
118 "49286651ECE65381FFFFFFFFFFFFFFFF";
119
120 /* p-1, p, and so on are not okay. */
121 base16_decode(p1, sizeof(p1), P, strlen(P));
122
123 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
124 s1, 50);
125 tt_int_op(-1, OP_EQ, s1len);
126
127 p1[DH1024_KEY_LEN-1] = 0xFE; /* p-1 */
128 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
129 s1, 50);
130 tt_int_op(-1, OP_EQ, s1len);
131
132 p1[DH1024_KEY_LEN-1] = 0xFD; /* p-2 works fine */
133 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
134 s1, 50);
135 tt_int_op(50, OP_EQ, s1len);
136
137 const char P_plus_one[] =
138 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
139 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
140 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
141 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
142 "49286651ECE653820000000000000000";
143
144 base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one));
145
146 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
147 s1, 50);
148 tt_int_op(-1, OP_EQ, s1len);
149
150 p1[DH1024_KEY_LEN-1] = 0x01; /* p+2 */
151 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
152 s1, 50);
153 tt_int_op(-1, OP_EQ, s1len);
154
155 p1[DH1024_KEY_LEN-1] = 0xff; /* p+256 */
156 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
157 s1, 50);
158 tt_int_op(-1, OP_EQ, s1len);
159
160 memset(p1, 0xff, DH1024_KEY_LEN), /* 2^1024-1 */
161 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
162 s1, 50);
163 tt_int_op(-1, OP_EQ, s1len);
164 }
165
166 {
167 /* provoke an error in the openssl DH_compute_key function; make sure we
168 * survive. */
169 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
170
171 crypto_dh_free(dh2);
172 dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */
173 s1len = crypto_dh_compute_secret(LOG_WARN, dh2,
174 p1, DH1024_KEY_LEN,
175 s1, 50);
176 tt_int_op(s1len, OP_EQ, -1);
177 }
178
179 #if defined(ENABLE_OPENSSL)
180 {
181 /* Make sure that our crypto library can handshake with openssl. */
182 dh3 = crypto_dh_new(DH_TYPE_TLS);
183 tt_assert(!crypto_dh_get_public(dh3, p1, DH1024_KEY_LEN));
184
185 dh4 = crypto_dh_new_openssl_tls();
186 tt_assert(DH_generate_key(dh4));
187 const BIGNUM *pk=NULL;
188 #ifdef OPENSSL_1_1_API
189 const BIGNUM *sk=NULL;
190 DH_get0_key(dh4, &pk, &sk);
191 #else
192 pk = dh4->pub_key;
193 #endif
194 tt_assert(pk);
195 tt_int_op(BN_num_bytes(pk), OP_LE, DH1024_KEY_LEN);
196 tt_int_op(BN_num_bytes(pk), OP_GT, 0);
197 memset(p2, 0, sizeof(p2));
198 /* right-pad. */
199 BN_bn2bin(pk, (unsigned char *)(p2+DH1024_KEY_LEN-BN_num_bytes(pk)));
200
201 s1len = crypto_dh_handshake(LOG_WARN, dh3, p2, DH1024_KEY_LEN,
202 (unsigned char *)s1, sizeof(s1));
203 pubkey_tmp = BN_bin2bn((unsigned char *)p1, DH1024_KEY_LEN, NULL);
204 s2len = DH_compute_key((unsigned char *)s2, pubkey_tmp, dh4);
205
206 tt_int_op(s1len, OP_EQ, s2len);
207 tt_int_op(s1len, OP_GT, 0);
208 tt_mem_op(s1, OP_EQ, s2, s1len);
209 }
210 #endif
211
212 done:
213 crypto_dh_free(dh1);
214 crypto_dh_free(dh2);
215 crypto_dh_free(dh1_dup);
216 #ifdef ENABLE_OPENSSL
217 crypto_dh_free(dh3);
218 if (dh4)
219 DH_free(dh4);
220 if (pubkey_tmp)
221 BN_free(pubkey_tmp);
222 #endif
223 }
224
225 static void
226 test_crypto_openssl_version(void *arg)
227 {
228 (void)arg;
229 #ifdef ENABLE_NSS
230 tt_skip();
231 #else
232 const char *version = crypto_openssl_get_version_str();
233 const char *h_version = crypto_openssl_get_header_version_str();
234 tt_assert(version);
235 tt_assert(h_version);
236 if (strcmpstart(version, h_version)) { /* "-fips" suffix, etc */
237 TT_DIE(("OpenSSL library version %s did not begin with header version %s.",
238 version, h_version));
239 }
240 if (strstr(version, "OpenSSL")) {
241 TT_DIE(("assertion failed: !strstr(\"%s\", \"OpenSSL\")", version));
242 }
243 int a=-1,b=-1,c=-1;
244 if (!strcmpstart(version, "LibreSSL") || !strcmpstart(version, "BoringSSL"))
245 return;
246 int r = tor_sscanf(version, "%d.%d.%d", &a,&b,&c);
247 tt_int_op(r, OP_EQ, 3);
248 tt_int_op(a, OP_GE, 0);
249 tt_int_op(b, OP_GE, 0);
250 tt_int_op(c, OP_GE, 0);
251 #endif
252
253 done:
254 ;
255 }
256
257 /** Run unit tests for our AES128 functionality */
258 static void
259 test_crypto_aes128(void *arg)
260 {
261 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
262 crypto_cipher_t *env1 = NULL, *env2 = NULL;
263 int i, j;
264 char *mem_op_hex_tmp=NULL;
265 char key[CIPHER_KEY_LEN];
266 int use_evp = !strcmp(arg,"evp");
267 evaluate_evp_for_aes(use_evp);
268 evaluate_ctr_for_aes();
269
270 data1 = tor_malloc(1024);
271 data2 = tor_malloc(1024);
272 data3 = tor_malloc(1024);
273
274 /* Now, test encryption and decryption with stream cipher. */
275 data1[0]='\0';
276 for (i = 1023; i>0; i -= 35)
277 strncat(data1, "Now is the time for all good onions", i);
278
279 memset(data2, 0, 1024);
280 memset(data3, 0, 1024);
281 crypto_rand(key, sizeof(key));
282 env1 = crypto_cipher_new(key);
283 tt_ptr_op(env1, OP_NE, NULL);
284 env2 = crypto_cipher_new(key);
285 tt_ptr_op(env2, OP_NE, NULL);
286
287 /* Try encrypting 512 chars. */
288 crypto_cipher_encrypt(env1, data2, data1, 512);
289 crypto_cipher_decrypt(env2, data3, data2, 512);
290 tt_mem_op(data1,OP_EQ, data3, 512);
291 tt_mem_op(data1,OP_NE, data2, 512);
292
293 /* Now encrypt 1 at a time, and get 1 at a time. */
294 for (j = 512; j < 560; ++j) {
295 crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
296 }
297 for (j = 512; j < 560; ++j) {
298 crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
299 }
300 tt_mem_op(data1,OP_EQ, data3, 560);
301 /* Now encrypt 3 at a time, and get 5 at a time. */
302 for (j = 560; j < 1024-5; j += 3) {
303 crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
304 }
305 for (j = 560; j < 1024-5; j += 5) {
306 crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
307 }
308 tt_mem_op(data1,OP_EQ, data3, 1024-5);
309 /* Now make sure that when we encrypt with different chunk sizes, we get
310 the same results. */
311 crypto_cipher_free(env2);
312 env2 = NULL;
313
314 memset(data3, 0, 1024);
315 env2 = crypto_cipher_new(key);
316 tt_ptr_op(env2, OP_NE, NULL);
317 for (j = 0; j < 1024-16; j += 17) {
318 crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
319 }
320 for (j= 0; j < 1024-16; ++j) {
321 if (data2[j] != data3[j]) {
322 printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]);
323 }
324 }
325 tt_mem_op(data2,OP_EQ, data3, 1024-16);
326 crypto_cipher_free(env1);
327 env1 = NULL;
328 crypto_cipher_free(env2);
329 env2 = NULL;
330
331 /* NIST test vector for aes. */
332 /* IV starts at 0 */
333 env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
334 "\x00\x00\x00\x00\x00\x00\x00\x00");
335 crypto_cipher_encrypt(env1, data1,
336 "\x00\x00\x00\x00\x00\x00\x00\x00"
337 "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
338 test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");
339
340 /* Now test rollover. All these values are originally from a python
341 * script. */
342 crypto_cipher_free(env1);
343 env1 = crypto_cipher_new_with_iv(
344 "\x80\x00\x00\x00\x00\x00\x00\x00"
345 "\x00\x00\x00\x00\x00\x00\x00\x00",
346 "\x00\x00\x00\x00\x00\x00\x00\x00"
347 "\xff\xff\xff\xff\xff\xff\xff\xff");
348 memset(data2, 0, 1024);
349 crypto_cipher_encrypt(env1, data1, data2, 32);
350 test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
351 "cdd0b917dbc7186908a6bfb5ffd574d3");
352 crypto_cipher_free(env1);
353 env1 = crypto_cipher_new_with_iv(
354 "\x80\x00\x00\x00\x00\x00\x00\x00"
355 "\x00\x00\x00\x00\x00\x00\x00\x00",
356 "\x00\x00\x00\x00\xff\xff\xff\xff"
357 "\xff\xff\xff\xff\xff\xff\xff\xff");
358 memset(data2, 0, 1024);
359 crypto_cipher_encrypt(env1, data1, data2, 32);
360 test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
361 "3e63c721df790d2c6469cc1953a3ffac");
362 crypto_cipher_free(env1);
363 env1 = crypto_cipher_new_with_iv(
364 "\x80\x00\x00\x00\x00\x00\x00\x00"
365 "\x00\x00\x00\x00\x00\x00\x00\x00",
366 "\xff\xff\xff\xff\xff\xff\xff\xff"
367 "\xff\xff\xff\xff\xff\xff\xff\xff");
368 memset(data2, 0, 1024);
369 crypto_cipher_encrypt(env1, data1, data2, 32);
370 test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
371 "0EDD33D3C621E546455BD8BA1418BEC8");
372
373 /* Now check rollover on inplace cipher. */
374 crypto_cipher_free(env1);
375 env1 = crypto_cipher_new_with_iv(
376 "\x80\x00\x00\x00\x00\x00\x00\x00"
377 "\x00\x00\x00\x00\x00\x00\x00\x00",
378 "\xff\xff\xff\xff\xff\xff\xff\xff"
379 "\xff\xff\xff\xff\xff\xff\xff\xff");
380 crypto_cipher_crypt_inplace(env1, data2, 64);
381 test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
382 "0EDD33D3C621E546455BD8BA1418BEC8"
383 "93e2c5243d6839eac58503919192f7ae"
384 "1908e67cafa08d508816659c2e693191");
385 crypto_cipher_free(env1);
386 env1 = crypto_cipher_new_with_iv(
387 "\x80\x00\x00\x00\x00\x00\x00\x00"
388 "\x00\x00\x00\x00\x00\x00\x00\x00",
389 "\xff\xff\xff\xff\xff\xff\xff\xff"
390 "\xff\xff\xff\xff\xff\xff\xff\xff");
391 crypto_cipher_crypt_inplace(env1, data2, 64);
392 tt_assert(tor_mem_is_zero(data2, 64));
393
394 done:
395 tor_free(mem_op_hex_tmp);
396 if (env1)
397 crypto_cipher_free(env1);
398 if (env2)
399 crypto_cipher_free(env2);
400 tor_free(data1);
401 tor_free(data2);
402 tor_free(data3);
403 }
404
405 static void
406 test_crypto_aes_ctr_testvec(void *arg)
407 {
408 const char *bitstr = arg;
409 char *mem_op_hex_tmp=NULL;
410 crypto_cipher_t *c=NULL;
411
412 /* from NIST SP800-38a, section F.5 */
413 const char ctr16[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
414 const char plaintext16[] =
415 "6bc1bee22e409f96e93d7e117393172a"
416 "ae2d8a571e03ac9c9eb76fac45af8e51"
417 "30c81c46a35ce411e5fbc1191a0a52ef"
418 "f69f2445df4f9b17ad2b417be66c3710";
419 const char *ciphertext16;
420 const char *key16;
421 int bits;
422
423 if (!strcmp(bitstr, "128")) {
424 ciphertext16 = /* section F.5.1 */
425 "874d6191b620e3261bef6864990db6ce"
426 "9806f66b7970fdff8617187bb9fffdff"
427 "5ae4df3edbd5d35e5b4f09020db03eab"
428 "1e031dda2fbe03d1792170a0f3009cee";
429 key16 = "2b7e151628aed2a6abf7158809cf4f3c";
430 bits = 128;
431 } else if (!strcmp(bitstr, "192")) {
432 ciphertext16 = /* section F.5.3 */
433 "1abc932417521ca24f2b0459fe7e6e0b"
434 "090339ec0aa6faefd5ccc2c6f4ce8e94"
435 "1e36b26bd1ebc670d1bd1d665620abf7"
436 "4f78a7f6d29809585a97daec58c6b050";
437 key16 = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b";
438 bits = 192;
439 } else if (!strcmp(bitstr, "256")) {
440 ciphertext16 = /* section F.5.5 */
441 "601ec313775789a5b7a7f504bbf3d228"
442 "f443e3ca4d62b59aca84e990cacaf5c5"
443 "2b0930daa23de94ce87017ba2d84988d"
444 "dfc9c58db67aada613c2dd08457941a6";
445 key16 =
446 "603deb1015ca71be2b73aef0857d7781"
447 "1f352c073b6108d72d9810a30914dff4";
448 bits = 256;
449 } else {
450 tt_abort_msg("AES doesn't support this number of bits.");
451 }
452
453 char key[32];
454 char iv[16];
455 char plaintext[16*4];
456 memset(key, 0xf9, sizeof(key)); /* poison extra bytes */
457 base16_decode(key, sizeof(key), key16, strlen(key16));
458 base16_decode(iv, sizeof(iv), ctr16, strlen(ctr16));
459 base16_decode(plaintext, sizeof(plaintext),
460 plaintext16, strlen(plaintext16));
461
462 c = crypto_cipher_new_with_iv_and_bits((uint8_t*)key, (uint8_t*)iv, bits);
463 crypto_cipher_crypt_inplace(c, plaintext, sizeof(plaintext));
464 test_memeq_hex(plaintext, ciphertext16);
465
466 done:
467 tor_free(mem_op_hex_tmp);
468 crypto_cipher_free(c);
469 }
470
471 /** Run unit tests for our SHA-1 functionality */
472 static void
473 test_crypto_sha(void *arg)
474 {
475 crypto_digest_t *d1 = NULL, *d2 = NULL;
476 int i;
477 #define RFC_4231_MAX_KEY_SIZE 131
478 char key[RFC_4231_MAX_KEY_SIZE];
479 char digest[DIGEST256_LEN];
480 char data[DIGEST512_LEN];
481 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
482 char *mem_op_hex_tmp=NULL;
483
484 /* Test SHA-1 with a test vector from the specification. */
485 (void)arg;
486 i = crypto_digest(data, "abc", 3);
487 test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
488 tt_int_op(i, OP_EQ, 0);
489
490 /* Test SHA-256 with a test vector from the specification. */
491 i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
492 test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
493 "96177A9CB410FF61F20015AD");
494 tt_int_op(i, OP_EQ, 0);
495
496 /* Test SHA-512 with a test vector from the specification. */
497 i = crypto_digest512(data, "abc", 3, DIGEST_SHA512);
498 test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
499 "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
500 "feebbd454d4423643ce80e2a9ac94fa54ca49f");
501 tt_int_op(i, OP_EQ, 0);
502
503 /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
504
505 /* Case empty (wikipedia) */
506 crypto_hmac_sha256(digest, "", 0, "", 0);
507 tt_str_op(hex_str(digest, 32),OP_EQ,
508 "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
509
510 /* Case quick-brown (wikipedia) */
511 crypto_hmac_sha256(digest, "key", 3,
512 "The quick brown fox jumps over the lazy dog", 43);
513 tt_str_op(hex_str(digest, 32),OP_EQ,
514 "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
515
516 /* "Test Case 1" from RFC 4231 */
517 memset(key, 0x0b, 20);
518 crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
519 test_memeq_hex(digest,
520 "b0344c61d8db38535ca8afceaf0bf12b"
521 "881dc200c9833da726e9376c2e32cff7");
522
523 /* "Test Case 2" from RFC 4231 */
524 memset(key, 0x0b, 20);
525 crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
526 test_memeq_hex(digest,
527 "5bdcc146bf60754e6a042426089575c7"
528 "5a003f089d2739839dec58b964ec3843");
529
530 /* "Test case 3" from RFC 4231 */
531 memset(key, 0xaa, 20);
532 memset(data, 0xdd, 50);
533 crypto_hmac_sha256(digest, key, 20, data, 50);
534 test_memeq_hex(digest,
535 "773ea91e36800e46854db8ebd09181a7"
536 "2959098b3ef8c122d9635514ced565fe");
537
538 /* "Test case 4" from RFC 4231 */
539 base16_decode(key, 25,
540 "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
541 memset(data, 0xcd, 50);
542 crypto_hmac_sha256(digest, key, 25, data, 50);
543 test_memeq_hex(digest,
544 "82558a389a443c0ea4cc819899f2083a"
545 "85f0faa3e578f8077a2e3ff46729665b");
546
547 /* "Test case 5" from RFC 4231 */
548 memset(key, 0x0c, 20);
549 crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
550 test_memeq_hex(digest,
551 "a3b6167473100ee06e0c796c2955552b");
552
553 /* "Test case 6" from RFC 4231 */
554 memset(key, 0xaa, 131);
555 crypto_hmac_sha256(digest, key, 131,
556 "Test Using Larger Than Block-Size Key - Hash Key First",
557 54);
558 test_memeq_hex(digest,
559 "60e431591ee0b67f0d8a26aacbf5b77f"
560 "8e0bc6213728c5140546040f0ee37f54");
561
562 /* "Test case 7" from RFC 4231 */
563 memset(key, 0xaa, 131);
564 crypto_hmac_sha256(digest, key, 131,
565 "This is a test using a larger than block-size key and a "
566 "larger than block-size data. The key needs to be hashed "
567 "before being used by the HMAC algorithm.", 152);
568 test_memeq_hex(digest,
569 "9b09ffa71b942fcb27635fbcd5b0e944"
570 "bfdc63644f0713938a7f51535c3a35e2");
571
572 /* Incremental digest code. */
573 d1 = crypto_digest_new();
574 tt_assert(d1);
575 crypto_digest_add_bytes(d1, "abcdef", 6);
576 d2 = crypto_digest_dup(d1);
577 tt_assert(d2);
578 crypto_digest_add_bytes(d2, "ghijkl", 6);
579 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
580 crypto_digest(d_out2, "abcdefghijkl", 12);
581 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
582 crypto_digest_assign(d2, d1);
583 crypto_digest_add_bytes(d2, "mno", 3);
584 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
585 crypto_digest(d_out2, "abcdefmno", 9);
586 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
587 crypto_digest_get_digest(d1, d_out1, DIGEST_LEN);
588 crypto_digest(d_out2, "abcdef", 6);
589 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
590 crypto_digest_free(d1);
591 crypto_digest_free(d2);
592
593 /* Incremental digest code with sha256 */
594 d1 = crypto_digest256_new(DIGEST_SHA256);
595 tt_assert(d1);
596 crypto_digest_add_bytes(d1, "abcdef", 6);
597 d2 = crypto_digest_dup(d1);
598 tt_assert(d2);
599 crypto_digest_add_bytes(d2, "ghijkl", 6);
600 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
601 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
602 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
603 crypto_digest_assign(d2, d1);
604 crypto_digest_add_bytes(d2, "mno", 3);
605 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
606 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
607 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
608 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
609 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
610 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
611 crypto_digest_free(d1);
612 crypto_digest_free(d2);
613
614 /* Incremental digest code with sha512 */
615 d1 = crypto_digest512_new(DIGEST_SHA512);
616 tt_assert(d1);
617 crypto_digest_add_bytes(d1, "abcdef", 6);
618 d2 = crypto_digest_dup(d1);
619 tt_assert(d2);
620 crypto_digest_add_bytes(d2, "ghijkl", 6);
621 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
622 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512);
623 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
624 crypto_digest_assign(d2, d1);
625 crypto_digest_add_bytes(d2, "mno", 3);
626 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
627 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512);
628 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
629 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
630 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512);
631 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
632
633 done:
634 if (d1)
635 crypto_digest_free(d1);
636 if (d2)
637 crypto_digest_free(d2);
638 tor_free(mem_op_hex_tmp);
639 }
640
641 static void
642 test_crypto_sha3(void *arg)
643 {
644 crypto_digest_t *d1 = NULL, *d2 = NULL;
645 int i;
646 char data[DIGEST512_LEN];
647 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
648 char *mem_op_hex_tmp=NULL;
649 char *large = NULL;
650
651 (void)arg;
652
653 /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
654 *
655 * NB: The code package's test vectors have length expressed in bits.
656 */
657
658 /* Len = 8, Msg = CC */
659 const uint8_t keccak_kat_msg8[] = { 0xcc };
660 i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
661 test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
662 "6252BB7CE180B00B582DD9B20AAAD7F0");
663 tt_int_op(i, OP_EQ, 0);
664 i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
665 test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
666 "C36E2EE0F652AC72E02624FA2E5ADEEC"
667 "C7DD6BB3580224B4D6138706FC6E8059"
668 "7B528051230B00621CC2B22999EAA205");
669 tt_int_op(i, OP_EQ, 0);
670
671 /* Len = 24, Msg = 1F877C */
672 const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
673 i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3,
674 DIGEST_SHA3_256);
675 test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
676 "C9C966712A501B19D1B6632CCD408EC5");
677 tt_int_op(i, OP_EQ, 0);
678 i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3,
679 DIGEST_SHA3_512);
680 test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
681 "1A2F0D0608C3A575163751F002DB30F4"
682 "0F2F671834B22D208591CFAF1F5ECFE4"
683 "3C49863A53B3225BDFD7C6591BA7658B");
684 tt_int_op(i, OP_EQ, 0);
685
686 /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
687 const uint8_t keccak_kat_msg1080[] = {
688 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
689 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
690 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
691 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
692 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
693 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
694 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
695 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
696 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
697 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
698 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
699 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
700 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
701 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
702 };
703 i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135,
704 DIGEST_SHA3_256);
705 test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
706 "BE9B7C736B8059ABFD6779AC35AC81B5");
707 tt_int_op(i, OP_EQ, 0);
708 i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135,
709 DIGEST_SHA3_512);
710 test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
711 "CB78696773A212A5F62D02D14E3259D1"
712 "92A87EBA4407DD83893527331407B6DA"
713 "DAAD920DBC46489B677493CE5F20B595");
714 tt_int_op(i, OP_EQ, 0);
715
716 /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
717 const uint8_t keccak_kat_msg1088[] = {
718 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
719 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
720 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
721 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
722 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
723 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
724 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
725 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
726 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
727 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
728 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
729 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
730 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
731 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
732 };
733 i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136,
734 DIGEST_SHA3_256);
735 test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
736 "77B5286364FE16C59CC8A907AFF07732");
737 tt_int_op(i, OP_EQ, 0);
738 i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136,
739 DIGEST_SHA3_512);
740 test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
741 "FB94A14C72DE5ACD10D0EB5ECE029CAD"
742 "FA3BA17A40B2FFA2163991B17786E51C"
743 "ABA79E5E0FFD34CF085E2A098BE8BACB");
744 tt_int_op(i, OP_EQ, 0);
745
746 /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
747 const uint8_t keccak_kat_msg1096[] = {
748 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
749 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
750 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
751 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
752 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
753 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
754 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
755 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
756 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
757 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
758 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
759 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
760 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
761 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
762 };
763 i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137,
764 DIGEST_SHA3_256);
765 test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
766 "735E0177279222E7AC0AF8504762FAA0");
767 tt_int_op(i, OP_EQ, 0);
768 i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137,
769 DIGEST_SHA3_512);
770 test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
771 "40474041DE83D4A60645A826D7AF1ABE"
772 "1EEFCB7B74B62CA6A514E5F2697D585B"
773 "FECECE12931BBE1D4ED7EBF7B0BE660E");
774 tt_int_op(i, OP_EQ, 0);
775
776 /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
777 const uint8_t keccak_kat_msg1144[] = {
778 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
779 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
780 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
781 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
782 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
783 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
784 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
785 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
786 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
787 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
788 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
789 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
790 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
791 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
792 0xDF, 0xAF, 0xEC,
793 };
794 i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143,
795 DIGEST_SHA3_512);
796 test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
797 "605516615D96A062C8BE53A0D6C5A648"
798 "7BE35D2A8F3CF6620D0C2DBA2C560D68"
799 "295F284BE7F82F3B92919033C9CE5D80");
800 tt_int_op(i, OP_EQ, 0);
801 i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143,
802 DIGEST_SHA3_256);
803 test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
804 "118C0C2C606BDCDA06E7943D2C95E0E5");
805 tt_int_op(i, OP_EQ, 0);
806
807 /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
808 const uint8_t keccak_kat_msg1152[] = {
809 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
810 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
811 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
812 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
813 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
814 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
815 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
816 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
817 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
818 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
819 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
820 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
821 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
822 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
823 0x9E, 0xE0, 0x0C, 0x63,
824 };
825 i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144,
826 DIGEST_SHA3_512);
827 test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
828 "22775DCB6019DCD22B8885994672A088"
829 "9C69E8115C641DC8B83E39F7311815A1"
830 "64DC46E0BA2FCA344D86D4BC2EF2532C");
831 tt_int_op(i, OP_EQ, 0);
832 i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144,
833 DIGEST_SHA3_256);
834 test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
835 "84DA47678F3C2FFE5A39FDB5F7E63FFB");
836 tt_int_op(i, OP_EQ, 0);
837
838 /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
839 const uint8_t keccak_kat_msg1160[] = {
840 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
841 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
842 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
843 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
844 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
845 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
846 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
847 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
848 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
849 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
850 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
851 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
852 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
853 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
854 0x70, 0x11, 0x04, 0x4C, 0x53,
855 };
856 i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145,
857 DIGEST_SHA3_512);
858 test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
859 "05221AC5EFB1229842E4614F4A029C9B"
860 "D14A0ED7FD99AF3681429F3F309FDB53"
861 "166AA9A3CD9F1F1223D04B4A9015E94A");
862 tt_int_op(i, OP_EQ, 0);
863 i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145,
864 DIGEST_SHA3_256);
865 test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
866 "3CF6235C6B0B7969342C45A35194B67E");
867 tt_int_op(i, OP_EQ, 0);
868
869 /* SHA3-[256,512] Empty case (wikipedia) */
870 i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
871 test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
872 "f580ff4de43b49fa82d80a4b80f8434a");
873 tt_int_op(i, OP_EQ, 0);
874 i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
875 test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
876 "97c982164fe25859e0d1dcc1475c80a6"
877 "15b2123af1f5f94c11e3e9402c3ac558"
878 "f500199d95b6d3e301758586281dcd26");
879 tt_int_op(i, OP_EQ, 0);
880
881 /* Incremental digest code with SHA3-256 */
882 d1 = crypto_digest256_new(DIGEST_SHA3_256);
883 tt_assert(d1);
884 crypto_digest_add_bytes(d1, "abcdef", 6);
885 d2 = crypto_digest_dup(d1);
886 tt_assert(d2);
887 crypto_digest_add_bytes(d2, "ghijkl", 6);
888 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
889 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
890 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
891 crypto_digest_assign(d2, d1);
892 crypto_digest_add_bytes(d2, "mno", 3);
893 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
894 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
895 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
896 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
897 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
898 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
899 crypto_digest_free(d1);
900 crypto_digest_free(d2);
901
902 /* Incremental digest code with SHA3-512 */
903 d1 = crypto_digest512_new(DIGEST_SHA3_512);
904 tt_assert(d1);
905 crypto_digest_add_bytes(d1, "abcdef", 6);
906 d2 = crypto_digest_dup(d1);
907 tt_assert(d2);
908 crypto_digest_add_bytes(d2, "ghijkl", 6);
909 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
910 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512);
911 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
912 crypto_digest_assign(d2, d1);
913 crypto_digest_add_bytes(d2, "mno", 3);
914 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
915 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512);
916 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
917 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
918 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512);
919 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
920 crypto_digest_free(d1);
921
922 /* Attempt to exercise the incremental hashing code by creating a randomized
923 * 30 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512
924 * is used because it has a lowest rate of the family (the code is common,
925 * but the slower rate exercises more of it).
926 */
927 const size_t bufsz = 30 * 1024;
928 size_t j = 0;
929 large = tor_malloc(bufsz);
930 crypto_rand(large, bufsz);
931 d1 = crypto_digest512_new(DIGEST_SHA3_512); /* Running digest. */
932 while (j < bufsz) {
933 /* Pick how much data to add to the running digest. */
934 size_t incr = (size_t)crypto_rand_int_range(1, 72 * 5);
935 incr = MIN(bufsz - j, incr);
936
937 /* Add the data, and calculate the hash. */
938 crypto_digest_add_bytes(d1, large + j, incr);
939 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
940
941 /* One-shot hash the buffer up to the data that was just added,
942 * and ensure that the values match up.
943 *
944 * XXX/yawning: If this actually fails, it'll be rather difficult to
945 * reproduce. Improvements welcome.
946 */
947 i = crypto_digest512(d_out2, large, j + incr, DIGEST_SHA3_512);
948 tt_int_op(i, OP_EQ, 0);
949 tt_mem_op(d_out1, OP_EQ, d_out2, DIGEST512_LEN);
950
951 j += incr;
952 }
953
954 done:
955 if (d1)
956 crypto_digest_free(d1);
957 if (d2)
958 crypto_digest_free(d2);
959 tor_free(large);
960 tor_free(mem_op_hex_tmp);
961 }
962
963 /** Run unit tests for our XOF. */
964 static void
965 test_crypto_sha3_xof(void *arg)
966 {
967 uint8_t msg[255];
968 uint8_t out[512];
969 crypto_xof_t *xof;
970 char *mem_op_hex_tmp=NULL;
971
972 (void)arg;
973
974 /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */
975 base16_decode((char *)msg, 255,
976 "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431"
977 "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1"
978 "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F"
979 "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457"
980 "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186"
981 "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3"
982 "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565"
983 "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7"
984 "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510);
985 const char *squeezed_hex =
986 "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE"
987 "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A"
988 "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84"
989 "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF"
990 "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60"
991 "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9"
992 "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34"
993 "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF"
994 "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90"
995 "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC"
996 "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18"
997 "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775"
998 "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B"
999 "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2"
1000 "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78"
1001 "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9"
1002 "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39"
1003 "73D4";
1004
1005 /* Test oneshot absorb/squeeze. */
1006 xof = crypto_xof_new();
1007 tt_assert(xof);
1008 crypto_xof_add_bytes(xof, msg, sizeof(msg));
1009 crypto_xof_squeeze_bytes(xof, out, sizeof(out));
1010 test_memeq_hex(out, squeezed_hex);
1011 crypto_xof_free(xof);
1012 memset(out, 0, sizeof(out));
1013
1014 /* Test incremental absorb/squeeze. */
1015 xof = crypto_xof_new();
1016 tt_assert(xof);
1017 for (size_t i = 0; i < sizeof(msg); i++)
1018 crypto_xof_add_bytes(xof, msg + i, 1);
1019 for (size_t i = 0; i < sizeof(out); i++)
1020 crypto_xof_squeeze_bytes(xof, out + i, 1);
1021 test_memeq_hex(out, squeezed_hex);
1022
1023 done:
1024 if (xof)
1025 crypto_xof_free(xof);
1026 tor_free(mem_op_hex_tmp);
1027 }
1028
1029 /* Test our MAC-SHA3 function. There are not actually any MAC-SHA3 test
1030 * vectors out there for our H(len(k) || k || m) construction. Hence what we
1031 * are gonna do is test our crypto_mac_sha3_256() function against manually
1032 * doing H(len(k) || k||m). If in the future the Keccak group decides to
1033 * standarize an MAC construction and make test vectors, we should
1034 * incorporate them here. */
1035 static void
1036 test_crypto_mac_sha3(void *arg)
1037 {
1038 const char msg[] = "i am in a library somewhere using my computer";
1039 const char key[] = "i'm from the past talking to the future.";
1040
1041 uint8_t hmac_test[DIGEST256_LEN];
1042 char hmac_manual[DIGEST256_LEN];
1043
1044 (void) arg;
1045
1046 /* First let's use our nice HMAC-SHA3 function */
1047 crypto_mac_sha3_256(hmac_test, sizeof(hmac_test),
1048 (uint8_t *) key, strlen(key),
1049 (uint8_t *) msg, strlen(msg));
1050
1051 /* Now let's try a manual H(len(k) || k || m) construction */
1052 {
1053 char *key_msg_concat = NULL, *all = NULL;
1054 int result;
1055 const uint64_t key_len_netorder = tor_htonll(strlen(key));
1056 size_t all_len;
1057
1058 tor_asprintf(&key_msg_concat, "%s%s", key, msg);
1059 all_len = sizeof(key_len_netorder) + strlen(key_msg_concat);
1060 all = tor_malloc_zero(all_len);
1061 memcpy(all, &key_len_netorder, sizeof(key_len_netorder));
1062 memcpy(all + sizeof(key_len_netorder), key_msg_concat,
1063 strlen(key_msg_concat));
1064
1065 result = crypto_digest256(hmac_manual, all, all_len, DIGEST_SHA3_256);
1066 tor_free(key_msg_concat);
1067 tor_free(all);
1068 tt_int_op(result, OP_EQ, 0);
1069 }
1070
1071 /* Now compare the two results */
1072 tt_mem_op(hmac_test, OP_EQ, hmac_manual, DIGEST256_LEN);
1073
1074 done: ;
1075 }
1076
1077 /** Run unit tests for our public key crypto functions */
1078 static void
1079 test_crypto_pk(void *arg)
1080 {
1081 crypto_pk_t *pk1 = NULL, *pk2 = NULL;
1082 char *encoded = NULL;
1083 char data1[1024], data2[1024], data3[1024];
1084 size_t size;
1085 int i, len;
1086
1087 /* Public-key ciphers */
1088 (void)arg;
1089 pk1 = pk_generate(0);
1090 pk2 = crypto_pk_new();
1091 tt_assert(pk1 && pk2);
1092 tt_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size));
1093 tt_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size));
1094 tt_int_op(0,OP_EQ, crypto_pk_cmp_keys(pk1, pk2));
1095
1096 /* comparison between keys and NULL */
1097 tt_int_op(crypto_pk_cmp_keys(NULL, pk1), OP_LT, 0);
1098 tt_int_op(crypto_pk_cmp_keys(NULL, NULL), OP_EQ, 0);
1099 tt_int_op(crypto_pk_cmp_keys(pk1, NULL), OP_GT, 0);
1100
1101 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk1));
1102 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk1));
1103 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk2));
1104 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk2));
1105
1106 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk2, data1, sizeof(data1),
1107 "Hello whirled.", 15,
1108 PK_PKCS1_OAEP_PADDING));
1109 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk1, data2, sizeof(data1),
1110 "Hello whirled.", 15,
1111 PK_PKCS1_OAEP_PADDING));
1112 /* oaep padding should make encryption not match */
1113 tt_mem_op(data1,OP_NE, data2, 128);
1114 tt_int_op(15,OP_EQ,
1115 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128,
1116 PK_PKCS1_OAEP_PADDING,1));
1117 tt_str_op(data3,OP_EQ, "Hello whirled.");
1118 memset(data3, 0, 1024);
1119 tt_int_op(15,OP_EQ,
1120 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1121 PK_PKCS1_OAEP_PADDING,1));
1122 tt_str_op(data3,OP_EQ, "Hello whirled.");
1123 /* Can't decrypt with public key. */
1124 tt_int_op(-1,OP_EQ,
1125 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128,
1126 PK_PKCS1_OAEP_PADDING,1));
1127 /* Try again with bad padding */
1128 memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
1129 tt_int_op(-1,OP_EQ,
1130 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1131 PK_PKCS1_OAEP_PADDING,1));
1132
1133 /* File operations: save and load private key */
1134 tt_assert(! crypto_pk_write_private_key_to_filename(pk1,
1135 get_fname("pkey1")));
1136 /* failing case for read: can't read. */
1137 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1138 OP_LT, 0);
1139 write_str_to_file(get_fname("xyzzy"), "foobar", 6);
1140 /* Failing case for read: no key. */
1141 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1142 OP_LT, 0);
1143 tt_assert(! crypto_pk_read_private_key_from_filename(pk2,
1144 get_fname("pkey1")));
1145 tt_int_op(15,OP_EQ,
1146 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128,
1147 PK_PKCS1_OAEP_PADDING,1));
1148
1149 /* Now try signing. */
1150 strlcpy(data1, "Ossifrage", 1024);
1151 tt_int_op(128,OP_EQ,
1152 crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10));
1153 tt_int_op(10,OP_EQ,
1154 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1155 tt_str_op(data3,OP_EQ, "Ossifrage");
1156 /* Try signing digests. */
1157 tt_int_op(128,OP_EQ, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2),
1158 data1, 10));
1159 tt_int_op(20,OP_EQ,
1160 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1161 tt_int_op(0,OP_EQ,
1162 crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128));
1163 tt_int_op(-1,OP_EQ,
1164 crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128));
1165
1166 /*XXXX test failed signing*/
1167
1168 /* Try encoding */
1169 crypto_pk_free(pk2);
1170 pk2 = NULL;
1171 i = crypto_pk_asn1_encode(pk1, data1, 1024);
1172 tt_int_op(i, OP_GT, 0);
1173 pk2 = crypto_pk_asn1_decode(data1, i);
1174 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1175
1176 /* Try with hybrid encryption wrappers. */
1177 crypto_rand(data1, 1024);
1178 for (i = 85; i < 140; ++i) {
1179 memset(data2,0,1024);
1180 memset(data3,0,1024);
1181 len = crypto_pk_obsolete_public_hybrid_encrypt(pk1,data2,sizeof(data2),
1182 data1,i,PK_PKCS1_OAEP_PADDING,0);
1183 tt_int_op(len, OP_GE, 0);
1184 len = crypto_pk_obsolete_private_hybrid_decrypt(pk1,data3,sizeof(data3),
1185 data2,len,PK_PKCS1_OAEP_PADDING,1);
1186 tt_int_op(len,OP_EQ, i);
1187 tt_mem_op(data1,OP_EQ, data3,i);
1188 }
1189
1190 /* Try copy_full */
1191 crypto_pk_free(pk2);
1192 pk2 = crypto_pk_copy_full(pk1);
1193 tt_ptr_op(pk2, OP_NE, NULL);
1194 tt_ptr_op(pk1, OP_NE, pk2);
1195 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1196
1197 done:
1198 if (pk1)
1199 crypto_pk_free(pk1);
1200 if (pk2)
1201 crypto_pk_free(pk2);
1202 tor_free(encoded);
1203 }
1204
1205 static void
1206 test_crypto_pk_fingerprints(void *arg)
1207 {
1208 crypto_pk_t *pk = NULL;
1209 char encoded[512];
1210 char d[DIGEST_LEN], d2[DIGEST_LEN];
1211 char fingerprint[FINGERPRINT_LEN+1];
1212 int n;
1213 unsigned i;
1214 char *mem_op_hex_tmp=NULL;
1215
1216 (void)arg;
1217
1218 pk = pk_generate(1);
1219 tt_assert(pk);
1220 n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded));
1221 tt_int_op(n, OP_GT, 0);
1222 tt_int_op(n, OP_GT, 128);
1223 tt_int_op(n, OP_LT, 256);
1224
1225 /* Is digest as expected? */
1226 crypto_digest(d, encoded, n);
1227 tt_int_op(0, OP_EQ, crypto_pk_get_digest(pk, d2));
1228 tt_mem_op(d,OP_EQ, d2, DIGEST_LEN);
1229
1230 /* Is fingerprint right? */
1231 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 0));
1232 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1233 test_memeq_hex(d, fingerprint);
1234
1235 /* Are spaces right? */
1236 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 1));
1237 for (i = 4; i < strlen(fingerprint); i += 5) {
1238 tt_int_op(fingerprint[i], OP_EQ, ' ');
1239 }
1240 tor_strstrip(fingerprint, " ");
1241 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1242 test_memeq_hex(d, fingerprint);
1243
1244 /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
1245 crypto_digest(d2, d, sizeof(d));
1246 tt_int_op(0, OP_EQ, crypto_pk_get_hashed_fingerprint(pk, fingerprint));
1247 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1248 test_memeq_hex(d2, fingerprint);
1249
1250 done:
1251 crypto_pk_free(pk);
1252 tor_free(mem_op_hex_tmp);
1253 }
1254
1255 static void
1256 test_crypto_pk_base64(void *arg)
1257 {
1258 crypto_pk_t *pk1 = NULL;
1259 crypto_pk_t *pk2 = NULL;
1260 char *encoded = NULL;
1261
1262 (void)arg;
1263
1264 /* Test Base64 encoding a key. */
1265 pk1 = pk_generate(0);
1266 tt_assert(pk1);
1267 tt_int_op(0, OP_EQ, crypto_pk_base64_encode_private(pk1, &encoded));
1268 tt_assert(encoded);
1269
1270 /* Test decoding a valid key. */
1271 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded));
1272 tt_assert(pk2);
1273 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1274 crypto_pk_free(pk2);
1275
1276 /* Test decoding a invalid key (not Base64). */
1277 static const char *invalid_b64 = "The key is in another castle!";
1278 pk2 = crypto_pk_base64_decode_private(invalid_b64, strlen(invalid_b64));
1279 tt_ptr_op(pk2, OP_EQ, NULL);
1280
1281 /* Test decoding a truncated Base64 blob. */
1282 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded)/2);
1283 tt_ptr_op(pk2, OP_EQ, NULL);
1284
1285 done:
1286 crypto_pk_free(pk1);
1287 crypto_pk_free(pk2);
1288 tor_free(encoded);
1289 }
1290
1291 static void
1292 test_crypto_pk_pem_encrypted(void *arg)
1293 {
1294 crypto_pk_t *pk = NULL;
1295 (void)arg;
1296
1297 pk = crypto_pk_new();
1298 /* we need to make sure that we won't stall if somebody gives us a key
1299 that's encrypted with a password. */
1300 {
1301 const char *s =
1302 "-----BEGIN RSA PRIVATE KEY-----\n"
1303 "Proc-Type: 4,ENCRYPTED\n"
1304 "DEK-Info: AES-128-CBC,EFA86BB9D2AB11E80B4E3DCD97782B16\n"
1305 "\n"
1306 "Z2Je4m0cFepc6coQkVbGcvNCHxTf941N2XYEVE6kn0CqWqoUH4tlwV6for5D91np\n"
1307 "5NiEFTkWj31EhrvrYcuiJtQ/iEbABxZULFWFeJ058rb+1izBz5rScqnEacIS/3Go\n"
1308 "YntnROBDwiKmUnue6PJVYg==\n"
1309 "-----END RSA PRIVATE KEY-----\n";
1310 tt_int_op(-1, OP_EQ,
1311 crypto_pk_read_private_key_from_string(pk, s, strlen(s)));
1312 }
1313 /* For fun, make sure we aren't hit by OpenSSL issue
1314 https://github.com/openssl/openssl/issues/6347 , where we get in trouble
1315 if a cipher doesn't use an IV.
1316 */
1317 {
1318 const char *s =
1319 "-----BEGIN RSA PUBLIC KEY-----\n"
1320 "Proc-Type:4,ENCRYPTED\n"
1321 "DEK-Info:des-ede -\n"
1322 "\n"
1323 "iRqK\n"
1324 "-----END RSA PUBLIC KEY-----\n";
1325 tt_int_op(-1, OP_EQ,
1326 crypto_pk_read_public_key_from_string(pk, s, strlen(s)));
1327 }
1328 done:
1329 crypto_pk_free(pk);
1330 }
1331
1332 static void
1333 test_crypto_pk_invalid_private_key(void *arg)
1334 {
1335 (void)arg;
1336 /* Here is a simple invalid private key: it was produced by making
1337 * a regular private key, and then adding 2 to the modulus. */
1338 const char pem[] =
1339 "-----BEGIN RSA PRIVATE KEY-----\n"
1340 "MIIEpQIBAAKCAQEAskRyZrs+YAukvBmZlgo6/rCxyKF2xyUk073ap+2CgRUnSfGG\n"
1341 "mflHlzqVq7tpH50DafpS+fFAbaEaNV/ac20QG0rUZi38HTB4qURWOu6n0Bws6E4l\n"
1342 "UX/AkvDlWnuYH0pHHi2c3DGNFjwoJpjKuUTk+cRffVR8X3Kjr62SUDUaBNW0Kecz\n"
1343 "3SYLbmgmZI16dFZ+g9sNM3znXZbhvb33WwPqpZSSPs37cPgF7eS6mAw/gUMx6zfE\n"
1344 "HRmUnOQSzUdS05rvc/hsiCLhiIZ8hgfkD07XnTT1Ds8DwE55k7BUWY2wvwWCNLsH\n"
1345 "qtqAxTr615XdkMxVkYgImpqPybarpfNYhFqkOwIDAQABAoIBACPC3VxEdbfYvhxJ\n"
1346 "2mih9sG++nswAN7kUaX0cRe86rAwaShJPmJHApiQ1ROVTfpciiHJaLnhLraPWe2Z\n"
1347 "I/6Bw3hmI4O399p3Lc1u+wlpdNqnvE6B1rSptx0DHE9xecvVH70rE0uM2Su7t6Y+\n"
1348 "gnR2IKUGQs2mlCilm7aTUEWs0WJkkl4CG1dyxItuOSdNBjOEzXimJyiB10jEBFsp\n"
1349 "SZeCF2FZ7AJbck5CVC42+oTsiDbZrHTHOn7v26rFGdONeHD1wOI1v7JwHFpCB923\n"
1350 "aEHBzsPbMeq7DWG1rjzCYpcXHhTDBDBWSia4SEhyr2Nl7m7qxWWWwR+x4dqAj3rD\n"
1351 "HeTmos0CgYEA6uf1CLpjPpOs5IaW1DQI8dJA/xFEAC/6GVgq4nFOGHZrm8G3L5o+\n"
1352 "qvtQNMpDs2naWuZpqROFqv24o01DykHygR72GlPIY6uvmmf5tvJLoGnbFUay33L4\n"
1353 "7b9dkNhuEIBNPzVDie0pgS77WgaPbYkVv5fnDwgPuVnkqfakEt7Pz2MCgYEAwkZ5\n"
1354 "R1wLuTQEA2Poo6Gf4L8Bg6yNYI46LHDqDIs818iYLjtcnEEvbPfaoKNpOn7s7s4O\n"
1355 "Pc+4HnT1aIQs0IKVLRTp+5a/9wfOkPZnobWOUHZk9UzBL3Hc1uy/qhp93iE3tSzx\n"
1356 "v0O1pvR+hr3guTCZx8wZnDvaMgG3hlyPnVlHdrMCgYEAzQQxGbMC1ySv6quEjCP2\n"
1357 "AogMbhE1lixJTUFj/EoDbNo9xKznIkauly/Lqqc1OysRhfA/G2+MY9YZBX1zwtyX\n"
1358 "uBW7mPKynDrFgi9pBECnvJNmwET57Ic9ttIj6Tzbos83nAjyrzgr1zGX8dRz7ZeN\n"
1359 "QbBj2vygLJbGOYinXkjUeh0CgYEAhN5aF9n2EqZmkEMGWtMxWy6HRJ0A3Cap1rcq\n"
1360 "+4VHCXWhzwy+XAeg/e/N0MuyLlWcif7XcqLcE8h+BwtO8xQ8HmcNWApUJAls12wO\n"
1361 "mGRpftJaXgIupdpD5aJpu1b++qrRRNIGTH9sf1D8L/8w8LcylZkbcuTkaAsQj45C\n"
1362 "kqT64U0CgYEAq47IKS6xc3CDc17BqExR6t+1yRe+4ml+z1zcVbfUKony4pGvl1yo\n"
1363 "rk0IYDN5Vd8h5xtXrkPdX9h+ywmohnelDKsayEuE+opyqEpSU4/96Bb22RZUoucb\n"
1364 "LWkV5gZx5hFnDFtEd4vadMIiY4jVv/3JqiZDKwMVBJKlHRXJEEmIEBk=\n"
1365 "-----END RSA PRIVATE KEY-----\n";
1366
1367 crypto_pk_t *pk = NULL;
1368
1369 pk = crypto_pk_new();
1370 setup_capture_of_logs(LOG_WARN);
1371 tt_int_op(-1, OP_EQ,
1372 crypto_pk_read_private_key_from_string(pk, pem, strlen(pem)));
1373 #ifdef ENABLE_NSS
1374 expect_single_log_msg_containing("received bad data");
1375 #else
1376 expect_single_log_msg_containing("while checking RSA key");
1377 #endif
1378 done:
1379 teardown_capture_of_logs();
1380 crypto_pk_free(pk);
1381 }
1382
1383 #ifdef HAVE_TRUNCATE
1384 #define do_truncate truncate
1385 #else
1386 static int
1387 do_truncate(const char *fname, size_t len)
1388 {
1389 struct stat st;
1390 char *bytes;
1391
1392 bytes = read_file_to_str(fname, RFTS_BIN, &st);
1393 if (!bytes)
1394 return -1;
1395 /* This cast isn't so great, but it should be safe given the actual files
1396 * and lengths we're using. */
1397 if (st.st_size < (off_t)len)
1398 len = MIN(len, (size_t)st.st_size);
1399
1400 int r = write_bytes_to_file(fname, bytes, len, 1);
1401 tor_free(bytes);
1402 return r;
1403 }
1404 #endif /* defined(HAVE_TRUNCATE) */
1405
1406 /** Sanity check for crypto pk digests */
1407 static void
1408 test_crypto_digests(void *arg)
1409 {
1410 crypto_pk_t *k = NULL;
1411 ssize_t r;
1412 common_digests_t pkey_digests;
1413 char digest[DIGEST_LEN];
1414
1415 (void)arg;
1416 k = crypto_pk_new();
1417 tt_assert(k);
1418 r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3,
1419 strlen(AUTHORITY_SIGNKEY_3));
1420 tt_assert(!r);
1421
1422 r = crypto_pk_get_digest(k, digest);
1423 tt_assert(r == 0);
1424 tt_mem_op(hex_str(digest, DIGEST_LEN),OP_EQ,
1425 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1426
1427 r = crypto_pk_get_common_digests(k, &pkey_digests);
1428 tt_int_op(r, OP_EQ, 0);
1429
1430 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),OP_EQ,
1431 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1432 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),OP_EQ,
1433 AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN);
1434 done:
1435 crypto_pk_free(k);
1436 }
1437
1438 static void
1439 test_crypto_digest_names(void *arg)
1440 {
1441 static const struct {
1442 int a; const char *n;
1443 } names[] = {
1444 { DIGEST_SHA1, "sha1" },
1445 { DIGEST_SHA256, "sha256" },
1446 { DIGEST_SHA512, "sha512" },
1447 { DIGEST_SHA3_256, "sha3-256" },
1448 { DIGEST_SHA3_512, "sha3-512" },
1449 { -1, NULL }
1450 };
1451 (void)arg;
1452
1453 int i;
1454 for (i = 0; names[i].n; ++i) {
1455 tt_str_op(names[i].n, OP_EQ,crypto_digest_algorithm_get_name(names[i].a));
1456 tt_int_op(names[i].a,
1457 OP_EQ,crypto_digest_algorithm_parse_name(names[i].n));
1458 }
1459 tt_int_op(-1, OP_EQ,
1460 crypto_digest_algorithm_parse_name("TimeCubeHash-4444"));
1461 done:
1462 ;
1463 }
1464
1465 /** Run unit tests for misc crypto formatting functionality (base64, base32,
1466 * fingerprints, etc) */
1467 static void
1468 test_crypto_formats(void *arg)
1469 {
1470 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
1471 int i, j, idx;
1472
1473 (void)arg;
1474 data1 = tor_malloc(1024);
1475 data2 = tor_malloc(1024);
1476 data3 = tor_malloc(1024);
1477 tt_assert(data1 && data2 && data3);
1478
1479 /* Base64 tests */
1480 memset(data1, 6, 1024);
1481 for (idx = 0; idx < 10; ++idx) {
1482 i = base64_encode(data2, 1024, data1, idx, 0);
1483 tt_int_op(i, OP_GE, 0);
1484 tt_int_op(i, OP_EQ, strlen(data2));
1485 j = base64_decode(data3, 1024, data2, i);
1486 tt_int_op(j,OP_EQ, idx);
1487 tt_mem_op(data3,OP_EQ, data1, idx);
1488
1489 i = base64_encode_nopad(data2, 1024, (uint8_t*)data1, idx);
1490 tt_int_op(i, OP_GE, 0);
1491 tt_int_op(i, OP_EQ, strlen(data2));
1492 tt_assert(! strchr(data2, '='));
1493 j = base64_decode(data3, 1024, data2, i);
1494 tt_int_op(j, OP_EQ, idx);
1495 tt_mem_op(data3,OP_EQ, data1, idx);
1496 }
1497
1498 strlcpy(data1, "Test string that contains 35 chars.", 1024);
1499 strlcat(data1, " 2nd string that contains 35 chars.", 1024);
1500
1501 i = base64_encode(data2, 1024, data1, 71, 0);
1502 tt_int_op(i, OP_GE, 0);
1503 j = base64_decode(data3, 1024, data2, i);
1504 tt_int_op(j,OP_EQ, 71);
1505 tt_str_op(data3,OP_EQ, data1);
1506 tt_int_op(data2[i], OP_EQ, '\0');
1507
1508 crypto_rand(data1, DIGEST_LEN);
1509 memset(data2, 100, 1024);
1510 digest_to_base64(data2, data1);
1511 tt_int_op(BASE64_DIGEST_LEN,OP_EQ, strlen(data2));
1512 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST_LEN+2]);
1513 memset(data3, 99, 1024);
1514 tt_int_op(digest_from_base64(data3, data2),OP_EQ, 0);
1515 tt_mem_op(data1,OP_EQ, data3, DIGEST_LEN);
1516 tt_int_op(99,OP_EQ, data3[DIGEST_LEN+1]);
1517
1518 tt_int_op(digest_from_base64(data3, "###"), OP_LT, 0);
1519
1520 /* Encoding SHA256 */
1521 crypto_rand(data2, DIGEST256_LEN);
1522 memset(data2, 100, 1024);
1523 digest256_to_base64(data2, data1);
1524 tt_int_op(BASE64_DIGEST256_LEN,OP_EQ, strlen(data2));
1525 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST256_LEN+2]);
1526 memset(data3, 99, 1024);
1527 tt_int_op(digest256_from_base64(data3, data2),OP_EQ, 0);
1528 tt_mem_op(data1,OP_EQ, data3, DIGEST256_LEN);
1529 tt_int_op(99,OP_EQ, data3[DIGEST256_LEN+1]);
1530
1531 /* Base32 tests */
1532 strlcpy(data1, "5chrs", 1024);
1533 /* bit pattern is: [35 63 68 72 73] ->
1534 * [00110101 01100011 01101000 01110010 01110011]
1535 * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
1536 */
1537 base32_encode(data2, 9, data1, 5);
1538 tt_str_op(data2,OP_EQ, "gvrwq4tt");
1539
1540 strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
1541 base32_encode(data2, 30, data1, 10);
1542 tt_str_op(data2,OP_EQ, "772w2rfobvomsywe");
1543
1544 /* Base16 tests */
1545 strlcpy(data1, "6chrs\xff", 1024);
1546 base16_encode(data2, 13, data1, 6);
1547 tt_str_op(data2,OP_EQ, "3663687273FF");
1548
1549 strlcpy(data1, "f0d678affc000100", 1024);
1550 i = base16_decode(data2, 8, data1, 16);
1551 tt_int_op(i,OP_EQ, 8);
1552 tt_mem_op(data2,OP_EQ, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
1553
1554 /* now try some failing base16 decodes */
1555 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 15)); /* odd input len */
1556 tt_int_op(-1,OP_EQ, base16_decode(data2, 7, data1, 16)); /* dest too short */
1557 strlcpy(data1, "f0dz!8affc000100", 1024);
1558 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 16));
1559
1560 tor_free(data1);
1561 tor_free(data2);
1562 tor_free(data3);
1563
1564 /* Add spaces to fingerprint */
1565 {
1566 data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
1567 tt_int_op(strlen(data1),OP_EQ, 40);
1568 data2 = tor_malloc(FINGERPRINT_LEN+1);
1569 crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1);
1570 tt_str_op(data2, OP_EQ,
1571 "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
1572 tor_free(data1);
1573 tor_free(data2);
1574 }
1575
1576 done:
1577 tor_free(data1);
1578 tor_free(data2);
1579 tor_free(data3);
1580 }
1581
1582 /** Test AES-CTR encryption and decryption with IV. */
1583 static void
1584 test_crypto_aes_iv(void *arg)
1585 {
1586 char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2;
1587 char plain_1[1], plain_15[15], plain_16[16], plain_17[17];
1588 char key1[16], key2[16];
1589 ssize_t encrypted_size, decrypted_size;
1590
1591 int use_evp = !strcmp(arg,"evp");
1592 evaluate_evp_for_aes(use_evp);
1593
1594 plain = tor_malloc(4095);
1595 encrypted1 = tor_malloc(4095 + 1 + 16);
1596 encrypted2 = tor_malloc(4095 + 1 + 16);
1597 decrypted1 = tor_malloc(4095 + 1);
1598 decrypted2 = tor_malloc(4095 + 1);
1599
1600 crypto_rand(plain, 4095);
1601 crypto_rand(key1, 16);
1602 crypto_rand(key2, 16);
1603 crypto_rand(plain_1, 1);
1604 crypto_rand(plain_15, 15);
1605 crypto_rand(plain_16, 16);
1606 crypto_rand(plain_17, 17);
1607 key1[0] = key2[0] + 128; /* Make sure that contents are different. */
1608 /* Encrypt and decrypt with the same key. */
1609 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095,
1610 plain, 4095);
1611
1612 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1613 tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is
1614 * greater than 0, but its truth is not
1615 * obvious to all analysis tools. */
1616 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1617 encrypted1, encrypted_size);
1618
1619 tt_int_op(decrypted_size,OP_EQ, 4095);
1620 tt_assert(decrypted_size > 0);
1621 tt_mem_op(plain,OP_EQ, decrypted1, 4095);
1622 /* Encrypt a second time (with a new random initialization vector). */
1623 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095,
1624 plain, 4095);
1625
1626 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1627 tt_assert(encrypted_size > 0);
1628 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095,
1629 encrypted2, encrypted_size);
1630 tt_int_op(decrypted_size,OP_EQ, 4095);
1631 tt_assert(decrypted_size > 0);
1632 tt_mem_op(plain,OP_EQ, decrypted2, 4095);
1633 tt_mem_op(encrypted1,OP_NE, encrypted2, encrypted_size);
1634 /* Decrypt with the wrong key. */
1635 decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095,
1636 encrypted1, encrypted_size);
1637 tt_int_op(decrypted_size,OP_EQ, 4095);
1638 tt_mem_op(plain,OP_NE, decrypted2, decrypted_size);
1639 /* Alter the initialization vector. */
1640 encrypted1[0] += 42;
1641 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1642 encrypted1, encrypted_size);
1643 tt_int_op(decrypted_size,OP_EQ, 4095);
1644 tt_mem_op(plain,OP_NE, decrypted2, 4095);
1645 /* Special length case: 1. */
1646 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1,
1647 plain_1, 1);
1648 tt_int_op(encrypted_size,OP_EQ, 16 + 1);
1649 tt_assert(encrypted_size > 0);
1650 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1,
1651 encrypted1, encrypted_size);
1652 tt_int_op(decrypted_size,OP_EQ, 1);
1653 tt_assert(decrypted_size > 0);
1654 tt_mem_op(plain_1,OP_EQ, decrypted1, 1);
1655 /* Special length case: 15. */
1656 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15,
1657 plain_15, 15);
1658 tt_int_op(encrypted_size,OP_EQ, 16 + 15);
1659 tt_assert(encrypted_size > 0);
1660 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15,
1661 encrypted1, encrypted_size);
1662 tt_int_op(decrypted_size,OP_EQ, 15);
1663 tt_assert(decrypted_size > 0);
1664 tt_mem_op(plain_15,OP_EQ, decrypted1, 15);
1665 /* Special length case: 16. */
1666 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16,
1667 plain_16, 16);
1668 tt_int_op(encrypted_size,OP_EQ, 16 + 16);
1669 tt_assert(encrypted_size > 0);
1670 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16,
1671 encrypted1, encrypted_size);
1672 tt_int_op(decrypted_size,OP_EQ, 16);
1673 tt_assert(decrypted_size > 0);
1674 tt_mem_op(plain_16,OP_EQ, decrypted1, 16);
1675 /* Special length case: 17. */
1676 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17,
1677 plain_17, 17);
1678 tt_int_op(encrypted_size,OP_EQ, 16 + 17);
1679 tt_assert(encrypted_size > 0);
1680 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17,
1681 encrypted1, encrypted_size);
1682 tt_int_op(decrypted_size,OP_EQ, 17);
1683 tt_assert(decrypted_size > 0);
1684 tt_mem_op(plain_17,OP_EQ, decrypted1, 17);
1685
1686 done:
1687 /* Free memory. */
1688 tor_free(plain);
1689 tor_free(encrypted1);
1690 tor_free(encrypted2);
1691 tor_free(decrypted1);
1692 tor_free(decrypted2);
1693 }
1694
1695 /** Test base32 decoding. */
1696 static void
1697 test_crypto_base32_decode(void *arg)
1698 {
1699 char plain[60], encoded[96 + 1], decoded[60];
1700 int res;
1701 (void)arg;
1702 crypto_rand(plain, 60);
1703 /* Encode and decode a random string. */
1704 base32_encode(encoded, 96 + 1, plain, 60);
1705 res = base32_decode(decoded, 60, encoded, 96);
1706 tt_int_op(res,OP_EQ, 0);
1707 tt_mem_op(plain,OP_EQ, decoded, 60);
1708 /* Encode, uppercase, and decode a random string. */
1709 base32_encode(encoded, 96 + 1, plain, 60);
1710 tor_strupper(encoded);
1711 res = base32_decode(decoded, 60, encoded, 96);
1712 tt_int_op(res,OP_EQ, 0);
1713 tt_mem_op(plain,OP_EQ, decoded, 60);
1714 /* Change encoded string and decode. */
1715 if (encoded[0] == 'A' || encoded[0] == 'a')
1716 encoded[0] = 'B';
1717 else
1718 encoded[0] = 'A';
1719 res = base32_decode(decoded, 60, encoded, 96);
1720 tt_int_op(res,OP_EQ, 0);
1721 tt_mem_op(plain,OP_NE, decoded, 60);
1722 /* Bad encodings. */
1723 encoded[0] = '!';
1724 res = base32_decode(decoded, 60, encoded, 96);
1725 tt_int_op(0, OP_GT, res);
1726
1727 done:
1728 ;
1729 }
1730
1731 static void
1732 test_crypto_kdf_TAP(void *arg)
1733 {
1734 uint8_t key_material[100];
1735 int r;
1736 char *mem_op_hex_tmp = NULL;
1737
1738 (void)arg;
1739 #define EXPAND(s) \
1740 r = crypto_expand_key_material_TAP( \
1741 (const uint8_t*)(s), strlen(s), \
1742 key_material, 100)
1743
1744 /* Test vectors generated with a little python script; feel free to write
1745 * your own. */
1746 memset(key_material, 0, sizeof(key_material));
1747 EXPAND("");
1748 tt_int_op(r, OP_EQ, 0);
1749 test_memeq_hex(key_material,
1750 "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
1751 "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
1752 "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
1753 "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
1754
1755 EXPAND("Tor");
1756 tt_int_op(r, OP_EQ, 0);
1757 test_memeq_hex(key_material,
1758 "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
1759 "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
1760 "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
1761 "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
1762
1763 EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
1764 tt_int_op(r, OP_EQ, 0);
1765 test_memeq_hex(key_material,
1766 "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
1767 "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
1768 "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
1769 "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
1770
1771 done:
1772 tor_free(mem_op_hex_tmp);
1773
1774 #undef EXPAND
1775 }
1776
1777 static void
1778 test_crypto_hkdf_sha256(void *arg)
1779 {
1780 uint8_t key_material[100];
1781 const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract";
1782 const size_t salt_len = strlen((char*)salt);
1783 const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand";
1784 const size_t m_expand_len = strlen((char*)m_expand);
1785 int r;
1786 char *mem_op_hex_tmp = NULL;
1787
1788 (void)arg;
1789
1790 #define EXPAND(s) \
1791 r = crypto_expand_key_material_rfc5869_sha256( \
1792 (const uint8_t*)(s), strlen(s), \
1793 salt, salt_len, \
1794 m_expand, m_expand_len, \
1795 key_material, 100)
1796
1797 /* Test vectors generated with ntor_ref.py */
1798 EXPAND("Tor");
1799 tt_int_op(r, OP_EQ, 0);
1800 test_memeq_hex(key_material,
1801 "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
1802 "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
1803 "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
1804 "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
1805
1806 EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
1807 tt_int_op(r, OP_EQ, 0);
1808 test_memeq_hex(key_material,
1809 "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
1810 "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
1811 "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
1812 "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
1813 done:
1814 tor_free(mem_op_hex_tmp);
1815 #undef EXPAND
1816 }
1817
1818 static void
1819 test_crypto_hkdf_sha256_testvecs(void *arg)
1820 {
1821 (void) arg;
1822 /* Test vectors from RFC5869, sections A.1 through A.3 */
1823 const struct {
1824 const char *ikm16, *salt16, *info16;
1825 int L;
1826 const char *okm16;
1827 } vecs[] = {
1828 { /* from A.1 */
1829 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1830 "000102030405060708090a0b0c",
1831 "f0f1f2f3f4f5f6f7f8f9",
1832 42,
1833 "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
1834 "34007208d5b887185865"
1835 },
1836 { /* from A.2 */
1837 "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
1838 "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
1839 "404142434445464748494a4b4c4d4e4f",
1840 "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
1841 "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
1842 "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
1843 "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
1844 "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef"
1845 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
1846 82,
1847 "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c"
1848 "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71"
1849 "cc30c58179ec3e87c14c01d5c1f3434f1d87"
1850 },
1851 { /* from A.3 */
1852 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1853 "",
1854 "",
1855 42,
1856 "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
1857 "9d201395faa4b61a96c8",
1858 },
1859 { NULL, NULL, NULL, -1, NULL }
1860 };
1861
1862 int i;
1863 char *ikm = NULL;
1864 char *salt = NULL;
1865 char *info = NULL;
1866 char *okm = NULL;
1867 char *mem_op_hex_tmp = NULL;
1868
1869 for (i = 0; vecs[i].ikm16; ++i) {
1870 size_t ikm_len = strlen(vecs[i].ikm16)/2;
1871 size_t salt_len = strlen(vecs[i].salt16)/2;
1872 size_t info_len = strlen(vecs[i].info16)/2;
1873 size_t okm_len = vecs[i].L;
1874
1875 ikm = tor_malloc(ikm_len);
1876 salt = tor_malloc(salt_len);
1877 info = tor_malloc(info_len);
1878 okm = tor_malloc(okm_len);
1879
1880 base16_decode(ikm, ikm_len, vecs[i].ikm16, strlen(vecs[i].ikm16));
1881 base16_decode(salt, salt_len, vecs[i].salt16, strlen(vecs[i].salt16));
1882 base16_decode(info, info_len, vecs[i].info16, strlen(vecs[i].info16));
1883
1884 int r = crypto_expand_key_material_rfc5869_sha256(
1885 (const uint8_t*)ikm, ikm_len,
1886 (const uint8_t*)salt, salt_len,
1887 (const uint8_t*)info, info_len,
1888 (uint8_t*)okm, okm_len);
1889 tt_int_op(r, OP_EQ, 0);
1890 test_memeq_hex(okm, vecs[i].okm16);
1891 tor_free(ikm);
1892 tor_free(salt);
1893 tor_free(info);
1894 tor_free(okm);
1895 }
1896 done:
1897 tor_free(ikm);
1898 tor_free(salt);
1899 tor_free(info);
1900 tor_free(okm);
1901 tor_free(mem_op_hex_tmp);
1902 }
1903
1904 static void
1905 test_crypto_curve25519_impl(void *arg)
1906 {
1907 /* adapted from curve25519_donna, which adapted it from test-curve25519
1908 version 20050915, by D. J. Bernstein, Public domain. */
1909
1910 const int randomize_high_bit = (arg != NULL);
1911
1912 #ifdef SLOW_CURVE25519_TEST
1913 const int loop_max=10000;
1914 const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5"
1915 "7e0329f4dd2819f5f32d130f1296b500";
1916 const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9"
1917 "e0544770bc7de853b38f9100489e3e79";
1918 const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88"
1919 "bd13861475516bc2cd2b6e005e805064";
1920 #else /* !(defined(SLOW_CURVE25519_TEST)) */
1921 const int loop_max=200;
1922 const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3"
1923 "c6a1037d74cceb3712e9206871dcf654";
1924 const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
1925 "8e3ee1a63c7d14274ea5d4c67f065467";
1926 const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e"
1927 "c0ee98cb2257a4545c0cfb2ca3e1812b";
1928 #endif /* defined(SLOW_CURVE25519_TEST) */
1929
1930 unsigned char e1k[32];
1931 unsigned char e2k[32];
1932 unsigned char e1e2k[32];
1933 unsigned char e2e1k[32];
1934 unsigned char e1[32] = {3};
1935 unsigned char e2[32] = {5};
1936 unsigned char k[32] = {9};
1937 int loop, i;
1938
1939 char *mem_op_hex_tmp = NULL;
1940
1941 for (loop = 0; loop < loop_max; ++loop) {
1942 curve25519_impl(e1k,e1,k);
1943 curve25519_impl(e2e1k,e2,e1k);
1944 curve25519_impl(e2k,e2,k);
1945 if (randomize_high_bit) {
1946 /* We require that the high bit of the public key be ignored. So if
1947 * we're doing this variant test, we randomize the high bit of e2k, and
1948 * make sure that the handshake still works out the same as it would
1949 * otherwise. */
1950 uint8_t byte;
1951 crypto_rand((char*)&byte, 1);
1952 e2k[31] |= (byte & 0x80);
1953 }
1954 curve25519_impl(e1e2k,e1,e2k);
1955 tt_mem_op(e1e2k,OP_EQ, e2e1k, 32);
1956 if (loop == loop_max-1) {
1957 break;
1958 }
1959 for (i = 0;i < 32;++i) e1[i] ^= e2k[i];
1960 for (i = 0;i < 32;++i) e2[i] ^= e1k[i];
1961 for (i = 0;i < 32;++i) k[i] ^= e1e2k[i];
1962 }
1963
1964 test_memeq_hex(e1, e1_expected);
1965 test_memeq_hex(e2k, e2k_expected);
1966 test_memeq_hex(e1e2k, e1e2k_expected);
1967
1968 done:
1969 tor_free(mem_op_hex_tmp);
1970 }
1971
1972 static void
1973 test_crypto_curve25519_basepoint(void *arg)
1974 {
1975 uint8_t secret[32];
1976 uint8_t public1[32];
1977 uint8_t public2[32];
1978 const int iters = 2048;
1979 int i;
1980 (void) arg;
1981
1982 for (i = 0; i < iters; ++i) {
1983 crypto_rand((char*)secret, 32);
1984 curve25519_set_impl_params(1); /* Use optimization */
1985 curve25519_basepoint_impl(public1, secret);
1986 curve25519_set_impl_params(0); /* Disable optimization */
1987 curve25519_basepoint_impl(public2, secret);
1988 tt_mem_op(public1, OP_EQ, public2, 32);
1989 }
1990
1991 done:
1992 ;
1993 }
1994
1995 static void
1996 test_crypto_curve25519_testvec(void *arg)
1997 {
1998 (void)arg;
1999 char *mem_op_hex_tmp = NULL;
2000
2001 /* From RFC 7748, section 6.1 */
2002 /* Alice's private key, a: */
2003 const char a16[] =
2004 "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
2005 /* Alice's public key, X25519(a, 9): */
2006 const char a_pub16[] =
2007 "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
2008 /* Bob's private key, b: */
2009 const char b16[] =
2010 "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
2011 /* Bob's public key, X25519(b, 9): */
2012 const char b_pub16[] =
2013 "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
2014 /* Their shared secret, K: */
2015 const char k16[] =
2016 "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
2017
2018 uint8_t a[32], b[32], a_pub[32], b_pub[32], k1[32], k2[32];
2019 base16_decode((char*)a, sizeof(a), a16, strlen(a16));
2020 base16_decode((char*)b, sizeof(b), b16, strlen(b16));
2021 curve25519_basepoint_impl(a_pub, a);
2022 curve25519_basepoint_impl(b_pub, b);
2023 curve25519_impl(k1, a, b_pub);
2024 curve25519_impl(k2, b, a_pub);
2025
2026 test_memeq_hex(a, a16);
2027 test_memeq_hex(b, b16);
2028 test_memeq_hex(a_pub, a_pub16);
2029 test_memeq_hex(b_pub, b_pub16);
2030 test_memeq_hex(k1, k16);
2031 test_memeq_hex(k2, k16);
2032 done:
2033 tor_free(mem_op_hex_tmp);
2034 }
2035
2036 static void
2037 test_crypto_curve25519_wrappers(void *arg)
2038 {
2039 curve25519_public_key_t pubkey1, pubkey2;
2040 curve25519_secret_key_t seckey1, seckey2;
2041
2042 uint8_t output1[CURVE25519_OUTPUT_LEN];
2043 uint8_t output2[CURVE25519_OUTPUT_LEN];
2044 (void)arg;
2045
2046 /* Test a simple handshake, serializing and deserializing some stuff. */
2047 curve25519_secret_key_generate(&seckey1, 0);
2048 curve25519_secret_key_generate(&seckey2, 1);
2049 curve25519_public_key_generate(&pubkey1, &seckey1);
2050 curve25519_public_key_generate(&pubkey2, &seckey2);
2051 tt_assert(curve25519_public_key_is_ok(&pubkey1));
2052 tt_assert(curve25519_public_key_is_ok(&pubkey2));
2053 curve25519_handshake(output1, &seckey1, &pubkey2);
2054 curve25519_handshake(output2, &seckey2, &pubkey1);
2055 tt_mem_op(output1,OP_EQ, output2, sizeof(output1));
2056
2057 done:
2058 ;
2059 }
2060
2061 static void
2062 test_crypto_curve25519_encode(void *arg)
2063 {
2064 curve25519_secret_key_t seckey;
2065 curve25519_public_key_t key1, key2, key3;
2066 char buf[64];
2067
2068 (void)arg;
2069
2070 curve25519_secret_key_generate(&seckey, 0);
2071 curve25519_public_key_generate(&key1, &seckey);
2072 tt_int_op(0, OP_EQ, curve25519_public_to_base64(buf, &key1));
2073 tt_int_op(CURVE25519_BASE64_PADDED_LEN, OP_EQ, strlen(buf));
2074
2075 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key2, buf));
2076 tt_mem_op(key1.public_key,OP_EQ, key2.public_key, CURVE25519_PUBKEY_LEN);
2077
2078 buf[CURVE25519_BASE64_PADDED_LEN - 1] = '\0';
2079 tt_int_op(CURVE25519_BASE64_PADDED_LEN-1, OP_EQ, strlen(buf));
2080 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key3, buf));
2081 tt_mem_op(key1.public_key,OP_EQ, key3.public_key, CURVE25519_PUBKEY_LEN);
2082
2083 /* Now try bogus parses. */
2084 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf));
2085 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2086
2087 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf));
2088 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2089
2090 strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf));
2091 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2092
2093 done:
2094 ;
2095 }
2096
2097 static void
2098 test_crypto_curve25519_persist(void *arg)
2099 {
2100 curve25519_keypair_t keypair, keypair2;
2101 char *fname = tor_strdup(get_fname("curve25519_keypair"));
2102 char *tag = NULL;
2103 char *content = NULL;
2104 const char *cp;
2105 struct stat st;
2106 size_t taglen;
2107
2108 (void)arg;
2109
2110 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&keypair, 0));
2111
2112 tt_int_op(0,OP_EQ,
2113 curve25519_keypair_write_to_file(&keypair, fname, "testing"));
2114 tt_int_op(0,OP_EQ,curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2115 tt_str_op(tag,OP_EQ,"testing");
2116 tor_free(tag);
2117
2118 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2119 keypair2.pubkey.public_key,
2120 CURVE25519_PUBKEY_LEN);
2121 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2122 keypair2.seckey.secret_key,
2123 CURVE25519_SECKEY_LEN);
2124
2125 content = read_file_to_str(fname, RFTS_BIN, &st);
2126 tt_assert(content);
2127 taglen = strlen("== c25519v1: testing ==");
2128 tt_u64_op((uint64_t)st.st_size, OP_EQ,
2129 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN);
2130 tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen));
2131 tt_assert(tor_mem_is_zero(content+taglen, 32-taglen));
2132 cp = content + 32;
2133 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2134 cp,
2135 CURVE25519_SECKEY_LEN);
2136 cp += CURVE25519_SECKEY_LEN;
2137 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2138 cp,
2139 CURVE25519_SECKEY_LEN);
2140
2141 tor_free(fname);
2142 fname = tor_strdup(get_fname("bogus_keypair"));
2143
2144 tt_int_op(-1, OP_EQ,
2145 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2146 tor_free(tag);
2147
2148 content[69] ^= 0xff;
2149 tt_int_op(0, OP_EQ,
2150 write_bytes_to_file(fname, content, (size_t)st.st_size, 1));
2151 tt_int_op(-1, OP_EQ,
2152 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2153
2154 done:
2155 tor_free(fname);
2156 tor_free(content);
2157 tor_free(tag);
2158 }
2159
2160 static void
2161 test_crypto_ed25519_simple(void *arg)
2162 {
2163 ed25519_keypair_t kp1, kp2;
2164 ed25519_public_key_t pub1, pub2;
2165 ed25519_secret_key_t sec1, sec2;
2166 ed25519_signature_t sig1, sig2;
2167 const uint8_t msg[] =
2168 "GNU will be able to run Unix programs, "
2169 "but will not be identical to Unix.";
2170 const uint8_t msg2[] =
2171 "Microsoft Windows extends the features of the DOS operating system, "
2172 "yet is compatible with most existing applications that run under DOS.";
2173 size_t msg_len = strlen((const char*)msg);
2174 size_t msg2_len = strlen((const char*)msg2);
2175
2176 (void)arg;
2177
2178 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec1, 0));
2179 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec2, 1));
2180
2181 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub1, &sec1));
2182 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec1));
2183
2184 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
2185 tt_int_op(ed25519_validate_pubkey(&pub2), OP_EQ, 0);
2186
2187 tt_mem_op(pub1.pubkey, OP_EQ, pub2.pubkey, sizeof(pub1.pubkey));
2188 tt_assert(ed25519_pubkey_eq(&pub1, &pub2));
2189 tt_assert(ed25519_pubkey_eq(&pub1, &pub1));
2190
2191 memcpy(&kp1.pubkey, &pub1, sizeof(pub1));
2192 memcpy(&kp1.seckey, &sec1, sizeof(sec1));
2193 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp1));
2194 tt_int_op(0, OP_EQ, ed25519_sign(&sig2, msg, msg_len, &kp1));
2195
2196 /* Ed25519 signatures are deterministic */
2197 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, sizeof(sig1.sig));
2198
2199 /* Basic signature is valid. */
2200 tt_int_op(0, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2201
2202 /* Altered signature doesn't work. */
2203 sig1.sig[0] ^= 3;
2204 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2205
2206 /* Wrong public key doesn't work. */
2207 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec2));
2208 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub2));
2209 tt_assert(! ed25519_pubkey_eq(&pub1, &pub2));
2210
2211 /* Wrong message doesn't work. */
2212 tt_int_op(0, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub1));
2213 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len-1, &pub1));
2214 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg2, msg2_len, &pub1));
2215
2216 /* Batch signature checking works with some bad. */
2217 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp2, 0));
2218 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp2));
2219 {
2220 ed25519_checkable_t ch[] = {
2221 { &pub1, sig2, msg, msg_len }, /*ok*/
2222 { &pub1, sig2, msg, msg_len-1 }, /*bad*/
2223 { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/
2224 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2225 };
2226 int okay[4];
2227 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(okay, ch, 4));
2228 tt_int_op(okay[0], OP_EQ, 1);
2229 tt_int_op(okay[1], OP_EQ, 0);
2230 tt_int_op(okay[2], OP_EQ, 0);
2231 tt_int_op(okay[3], OP_EQ, 1);
2232 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(NULL, ch, 4));
2233 }
2234
2235 /* Batch signature checking works with all good. */
2236 {
2237 ed25519_checkable_t ch[] = {
2238 { &pub1, sig2, msg, msg_len }, /*ok*/
2239 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2240 };
2241 int okay[2];
2242 tt_int_op(0, OP_EQ, ed25519_checksig_batch(okay, ch, 2));
2243 tt_int_op(okay[0], OP_EQ, 1);
2244 tt_int_op(okay[1], OP_EQ, 1);
2245 tt_int_op(0, OP_EQ, ed25519_checksig_batch(NULL, ch, 2));
2246 }
2247
2248 /* Test the string-prefixed sign/checksig functions */
2249 {
2250 ed25519_signature_t manual_sig;
2251 char *prefixed_msg;
2252
2253 /* Generate a signature with a prefixed msg. */
2254 tt_int_op(0, OP_EQ, ed25519_sign_prefixed(&sig1, msg, msg_len,
2255 "always in the mood",
2256 &kp1));
2257
2258 /* First, check that ed25519_sign_prefixed() returns the exact same sig as
2259 if we had manually prefixed the msg ourselves. */
2260 tor_asprintf(&prefixed_msg, "%s%s", "always in the mood", msg);
2261 tt_int_op(0, OP_EQ, ed25519_sign(&manual_sig, (uint8_t *)prefixed_msg,
2262 strlen(prefixed_msg), &kp1));
2263 tor_free(prefixed_msg);
2264 tt_assert(fast_memeq(sig1.sig, manual_sig.sig, sizeof(sig1.sig)));
2265
2266 /* Test that prefixed checksig verifies it properly. */
2267 tt_int_op(0, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2268 "always in the mood",
2269 &pub1));
2270
2271 /* Test that checksig with wrong prefix fails. */
2272 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2273 "always in the moo",
2274 &pub1));
2275 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2276 "always in the moon",
2277 &pub1));
2278 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2279 "always in the mood!",
2280 &pub1));
2281 }
2282
2283 done:
2284 ;
2285 }
2286
2287 static void
2288 test_crypto_ed25519_test_vectors(void *arg)
2289 {
2290 char *mem_op_hex_tmp=NULL;
2291 int i;
2292 struct {
2293 const char *sk;
2294 const char *pk;
2295 const char *sig;
2296 const char *msg;
2297 } items[] = {
2298 /* These test vectors were generated with the "ref" implementation of
2299 * ed25519 from SUPERCOP-20130419 */
2300 { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
2301 "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
2302 "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
2303 "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
2304 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2305 "204e554c2d7465726d696e617465642e"
2306 },
2307
2308 { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
2309 "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
2310 "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
2311 "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
2312 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2313 "204e554c2d7465726d696e617465642e"
2314 },
2315 { "6578706f73656420627920456e676c697368207465787420617320696e707574",
2316 "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
2317 "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
2318 "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
2319 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2320 "204e554c2d7465726d696e617465642e"
2321 },
2322
2323 /* These come from "sign.input" in ed25519's page */
2324 { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
2325 "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
2326 "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
2327 "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
2328 "5a8d9d0a22357e6655f9c785"
2329 },
2330 { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
2331 "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
2332 "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
2333 "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
2334 "b87d3813e03f58cf19fd0b6395"
2335 },
2336 { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
2337 "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
2338 "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
2339 "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
2340 "55c7fa434f5ed8cdec2b7aeac173",
2341 },
2342 { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
2343 "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
2344 "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
2345 "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
2346 "0a688e79be24f866286d4646b5d81c"
2347 },
2348 /* These come from draft-irtf-cfrg-eddsa-05 section 7.1 */
2349 {
2350 "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
2351 "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
2352 "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
2353 "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b",
2354 ""
2355 },
2356 {
2357 "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
2358 "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
2359 "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
2360 "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00",
2361 "72"
2362 },
2363 {
2364 "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
2365 "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
2366 "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350"
2367 "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
2368 "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98"
2369 "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8"
2370 "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d"
2371 "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc"
2372 "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe"
2373 "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e"
2374 "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef"
2375 "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7"
2376 "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
2377 "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2"
2378 "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24"
2379 "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270"
2380 "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc"
2381 "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07"
2382 "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba"
2383 "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a"
2384 "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e"
2385 "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
2386 "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c"
2387 "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8"
2388 "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df"
2389 "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08"
2390 "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649"
2391 "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4"
2392 "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3"
2393 "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e"
2394 "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
2395 "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5"
2396 "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1"
2397 "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d"
2398 "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c"
2399 "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0"
2400 },
2401 {
2402 "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
2403 "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
2404 "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
2405 "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704",
2406 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
2407 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
2408 },
2409 { NULL, NULL, NULL, NULL}
2410 };
2411
2412 (void)arg;
2413
2414 for (i = 0; items[i].pk; ++i) {
2415 ed25519_keypair_t kp;
2416 ed25519_signature_t sig;
2417 uint8_t sk_seed[32];
2418 uint8_t *msg;
2419 size_t msg_len;
2420 base16_decode((char*)sk_seed, sizeof(sk_seed),
2421 items[i].sk, 64);
2422 ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
2423 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
2424 test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
2425
2426 msg_len = strlen(items[i].msg) / 2;
2427 msg = tor_malloc(msg_len);
2428 base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg));
2429
2430 tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, msg_len, &kp));
2431 test_memeq_hex(sig.sig, items[i].sig);
2432
2433 tor_free(msg);
2434 }
2435
2436 done:
2437 tor_free(mem_op_hex_tmp);
2438 }
2439
2440 static void
2441 test_crypto_ed25519_encode(void *arg)
2442 {
2443 char buf[ED25519_SIG_BASE64_LEN+1];
2444 ed25519_keypair_t kp;
2445 ed25519_public_key_t pk;
2446 ed25519_signature_t sig1, sig2;
2447 char *mem_op_hex_tmp = NULL;
2448 (void) arg;
2449
2450 /* Test roundtrip. */
2451 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, 0));
2452 tt_int_op(0, OP_EQ, ed25519_public_to_base64(buf, &kp.pubkey));
2453 tt_int_op(ED25519_BASE64_LEN, OP_EQ, strlen(buf));
2454 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk, buf));
2455 tt_mem_op(kp.pubkey.pubkey, OP_EQ, pk.pubkey, ED25519_PUBKEY_LEN);
2456
2457 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, (const uint8_t*)"ABC", 3, &kp));
2458 tt_int_op(0, OP_EQ, ed25519_signature_to_base64(buf, &sig1));
2459 tt_int_op(0, OP_EQ, ed25519_signature_from_base64(&sig2, buf));
2460 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, ED25519_SIG_LEN);
2461
2462 /* Test known value. */
2463 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk,
2464 "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
2465 test_memeq_hex(pk.pubkey,
2466 "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
2467
2468 done:
2469 tor_free(mem_op_hex_tmp);
2470 }
2471
2472 static void
2473 test_crypto_ed25519_convert(void *arg)
2474 {
2475 const uint8_t msg[] =
2476 "The eyes are not here / There are no eyes here.";
2477 const int N = 30;
2478 int i;
2479 (void)arg;
2480
2481 for (i = 0; i < N; ++i) {
2482 curve25519_keypair_t curve25519_keypair;
2483 ed25519_keypair_t ed25519_keypair;
2484 ed25519_public_key_t ed25519_pubkey;
2485
2486 int bit=0;
2487 ed25519_signature_t sig;
2488
2489 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&curve25519_keypair, i&1));
2490 tt_int_op(0,OP_EQ,ed25519_keypair_from_curve25519_keypair(
2491 &ed25519_keypair, &bit, &curve25519_keypair));
2492 tt_int_op(0,OP_EQ,ed25519_public_key_from_curve25519_public_key(
2493 &ed25519_pubkey, &curve25519_keypair.pubkey, bit));
2494 tt_mem_op(ed25519_pubkey.pubkey, OP_EQ, ed25519_keypair.pubkey.pubkey, 32);
2495
2496 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair));
2497 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2498 &ed25519_pubkey));
2499
2500 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2501 &ed25519_pubkey));
2502 sig.sig[0] ^= 15;
2503 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2504 &ed25519_pubkey));
2505 }
2506
2507 done:
2508 ;
2509 }
2510
2511 static void
2512 test_crypto_ed25519_blinding(void *arg)
2513 {
2514 const uint8_t msg[] =
2515 "Eyes I dare not meet in dreams / In death's dream kingdom";
2516
2517 const int N = 30;
2518 int i;
2519 (void)arg;
2520
2521 for (i = 0; i < N; ++i) {
2522 uint8_t blinding[32];
2523 ed25519_keypair_t ed25519_keypair;
2524 ed25519_keypair_t ed25519_keypair_blinded;
2525 ed25519_public_key_t ed25519_pubkey_blinded;
2526
2527 ed25519_signature_t sig;
2528
2529 crypto_rand((char*) blinding, sizeof(blinding));
2530
2531 tt_int_op(0,OP_EQ,ed25519_keypair_generate(&ed25519_keypair, 0));
2532 tt_int_op(0,OP_EQ,ed25519_keypair_blind(&ed25519_keypair_blinded,
2533 &ed25519_keypair, blinding));
2534
2535 tt_int_op(0,OP_EQ,ed25519_public_blind(&ed25519_pubkey_blinded,
2536 &ed25519_keypair.pubkey, blinding));
2537
2538 tt_mem_op(ed25519_pubkey_blinded.pubkey, OP_EQ,
2539 ed25519_keypair_blinded.pubkey.pubkey, 32);
2540
2541 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg),
2542 &ed25519_keypair_blinded));
2543
2544 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2545 &ed25519_pubkey_blinded));
2546
2547 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2548 &ed25519_pubkey_blinded));
2549 sig.sig[0] ^= 15;
2550 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2551 &ed25519_pubkey_blinded));
2552 }
2553
2554 done:
2555 ;
2556 }
2557
2558 /** Test that our blinding functions will fail if we pass them bad pubkeys */
2559 static void
2560 test_crypto_ed25519_blinding_fail(void *arg)
2561 {
2562 int retval;
2563 uint8_t param[32] = {2};
2564 ed25519_public_key_t pub;
2565 ed25519_public_key_t pub_blinded;
2566
2567 (void)arg;
2568
2569 /* This point is not on the curve: the blind routines should fail */
2570 const char badkey[] =
2571 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2572 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2573 badkey, strlen(badkey));
2574 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2575 retval = ed25519_public_blind(&pub_blinded, &pub, param);
2576 tt_int_op(retval, OP_EQ, -1);
2577
2578 /* This point is legit: blind routines should be happy */
2579 const char goodkey[] =
2580 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2581 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2582 goodkey, strlen(goodkey));
2583 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2584 retval = ed25519_public_blind(&pub_blinded, &pub, param);
2585 tt_int_op(retval, OP_EQ, 0);
2586
2587 done:
2588 ;
2589 }
2590
2591 static void
2592 test_crypto_ed25519_testvectors(void *arg)
2593 {
2594 unsigned i;
2595 char *mem_op_hex_tmp = NULL;
2596 (void)arg;
2597
2598 for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) {
2599 uint8_t sk[32];
2600 ed25519_secret_key_t esk;
2601 ed25519_public_key_t pk, blind_pk, pkfromcurve;
2602 ed25519_keypair_t keypair, blind_keypair;
2603 curve25519_keypair_t curvekp;
2604 uint8_t blinding_param[32];
2605 ed25519_signature_t sig;
2606 int sign;
2607
2608 memset(&curvekp, 0xd0, sizeof(curvekp));
2609
2610 #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
2611 #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
2612
2613 tt_int_op(sizeof(sk), OP_EQ, DECODE(sk, ED25519_SECRET_KEYS[i]));
2614 tt_int_op(sizeof(blinding_param), OP_EQ, DECODE(blinding_param,
2615 ED25519_BLINDING_PARAMS[i]));
2616
2617 tt_int_op(0, OP_EQ, ed25519_secret_key_from_seed(&esk, sk));
2618 EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]);
2619
2620 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &esk));
2621 EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]);
2622
2623 memcpy(&curvekp.seckey.secret_key, esk.seckey, 32);
2624 curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey);
2625
2626 tt_int_op(0, OP_EQ,
2627 ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp));
2628 tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
2629 &pkfromcurve, &curvekp.pubkey, sign));
2630 tt_mem_op(keypair.pubkey.pubkey, OP_EQ, pkfromcurve.pubkey, 32);
2631 EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]);
2632
2633 /* Self-signing */
2634 memcpy(&keypair.seckey, &esk, sizeof(esk));
2635 memcpy(&keypair.pubkey, &pk, sizeof(pk));
2636
2637 tt_int_op(0, OP_EQ, ed25519_sign(&sig, pk.pubkey, 32, &keypair));
2638
2639 EQ(sig.sig, ED25519_SELF_SIGNATURES[i]);
2640
2641 /* Blinding */
2642 tt_int_op(0, OP_EQ,
2643 ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param));
2644 tt_int_op(0, OP_EQ,
2645 ed25519_public_blind(&blind_pk, &pk, blinding_param));
2646
2647 EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]);
2648 EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]);
2649
2650 tt_mem_op(blind_pk.pubkey, OP_EQ, blind_keypair.pubkey.pubkey, 32);
2651
2652 #undef DECODE
2653 #undef EQ
2654 }
2655 done:
2656 tor_free(mem_op_hex_tmp);
2657 }
2658
2659 static void
2660 test_crypto_ed25519_storage(void *arg)
2661 {
2662 (void)arg;
2663 ed25519_keypair_t *keypair = NULL;
2664 ed25519_public_key_t pub;
2665 ed25519_secret_key_t sec;
2666 char *fname_1 = tor_strdup(get_fname("ed_seckey_1"));
2667 char *fname_2 = tor_strdup(get_fname("ed_pubkey_2"));
2668 char *contents = NULL;
2669 char *tag = NULL;
2670
2671 keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
2672 tt_int_op(0,OP_EQ,ed25519_keypair_generate(keypair, 0));
2673 tt_int_op(0,OP_EQ,
2674 ed25519_seckey_write_to_file(&keypair->seckey, fname_1, "foo"));
2675 tt_int_op(0,OP_EQ,
2676 ed25519_pubkey_write_to_file(&keypair->pubkey, fname_2, "bar"));
2677
2678 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_1));
2679 tt_ptr_op(tag, OP_EQ, NULL);
2680 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_2));
2681 tt_ptr_op(tag, OP_EQ, NULL);
2682
2683 tt_int_op(0, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2684 tt_str_op(tag, OP_EQ, "bar");
2685 tor_free(tag);
2686 tt_int_op(0, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2687 tt_str_op(tag, OP_EQ, "foo");
2688 tor_free(tag);
2689
2690 /* whitebox test: truncated keys. */
2691 tt_int_op(0, OP_EQ, do_truncate(fname_1, 40));
2692 tt_int_op(0, OP_EQ, do_truncate(fname_2, 40));
2693 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2694 tt_ptr_op(tag, OP_EQ, NULL);
2695 tor_free(tag);
2696 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2697 tt_ptr_op(tag, OP_EQ, NULL);
2698
2699 done:
2700 tor_free(fname_1);
2701 tor_free(fname_2);
2702 tor_free(contents);
2703 tor_free(tag);
2704 ed25519_keypair_free(keypair);
2705 }
2706
2707 static void
2708 test_crypto_siphash(void *arg)
2709 {
2710 /* From the reference implementation, taking
2711 k = 00 01 02 ... 0f
2712 and in = 00; 00 01; 00 01 02; ...
2713 */
2714 const uint8_t VECTORS[64][8] =
2715 {
2716 { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
2717 { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
2718 { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
2719 { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
2720 { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
2721 { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
2722 { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
2723 { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
2724 { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
2725 { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
2726 { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
2727 { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
2728 { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
2729 { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
2730 { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
2731 { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
2732 { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
2733 { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
2734 { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
2735 { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
2736 { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
2737 { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
2738 { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
2739 { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
2740 { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
2741 { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
2742 { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
2743 { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
2744 { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
2745 { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
2746 { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
2747 { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
2748 { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
2749 { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
2750 { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
2751 { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
2752 { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
2753 { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
2754 { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
2755 { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
2756 { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
2757 { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
2758 { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
2759 { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
2760 { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
2761 { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
2762 { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
2763 { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
2764 { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
2765 { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
2766 { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
2767 { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
2768 { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
2769 { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
2770 { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
2771 { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
2772 { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
2773 { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
2774 { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
2775 { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
2776 { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
2777 { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
2778 { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
2779 { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
2780 };
2781
2782 const struct sipkey K = { UINT64_C(0x0706050403020100),
2783 UINT64_C(0x0f0e0d0c0b0a0908) };
2784 uint8_t input[64];
2785 int i, j;
2786
2787 (void)arg;
2788
2789 for (i = 0; i < 64; ++i)
2790 input[i] = i;
2791
2792 for (i = 0; i < 64; ++i) {
2793 uint64_t r = siphash24(input, i, &K);
2794 for (j = 0; j < 8; ++j) {
2795 tt_int_op( (r >> (j*8)) & 0xff, OP_EQ, VECTORS[i][j]);
2796 }
2797 }
2798
2799 done:
2800 ;
2801 }
2802
2803 /* We want the likelihood that the random buffer exhibits any regular pattern
2804 * to be far less than the memory bit error rate in the int return value.
2805 * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call
2806 * 3 functions, leading to an overall error rate of 1/10^616.
2807 * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range.
2808 */
2809 #define FAILURE_MODE_BUFFER_SIZE (2048/8)
2810
2811 /** Check crypto_rand for a failure mode where it does nothing to the buffer,
2812 * or it sets the buffer to all zeroes. Return 0 when the check passes,
2813 * or -1 when it fails. */
2814 static int
2815 crypto_rand_check_failure_mode_zero(void)
2816 {
2817 char buf[FAILURE_MODE_BUFFER_SIZE];
2818
2819 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
2820 crypto_rand(buf, FAILURE_MODE_BUFFER_SIZE);
2821
2822 for (size_t i = 0; i < FAILURE_MODE_BUFFER_SIZE; i++) {
2823 if (buf[i] != 0) {
2824 return 0;
2825 }
2826 }
2827
2828 return -1;
2829 }
2830
2831 /** Check crypto_rand for a failure mode where every int64_t in the buffer is
2832 * the same. Return 0 when the check passes, or -1 when it fails. */
2833 static int
2834 crypto_rand_check_failure_mode_identical(void)
2835 {
2836 /* just in case the buffer size isn't a multiple of sizeof(int64_t) */
2837 #define FAILURE_MODE_BUFFER_SIZE_I64 \
2838 (FAILURE_MODE_BUFFER_SIZE/8)
2839 #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \
2840 (FAILURE_MODE_BUFFER_SIZE_I64*8)
2841
2842 #if FAILURE_MODE_BUFFER_SIZE_I64 < 2
2843 #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*8
2844 #endif
2845
2846 int64_t buf[FAILURE_MODE_BUFFER_SIZE_I64];
2847
2848 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
2849 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
2850
2851 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE_I64; i++) {
2852 if (buf[i] != buf[i-1]) {
2853 return 0;
2854 }
2855 }
2856
2857 return -1;
2858 }
2859
2860 /** Check crypto_rand for a failure mode where it increments the "random"
2861 * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.)
2862 * Return 0 when the check passes, or -1 when it fails. */
2863 static int
2864 crypto_rand_check_failure_mode_predict(void)
2865 {
2866 unsigned char buf[FAILURE_MODE_BUFFER_SIZE];
2867
2868 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
2869 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE);
2870
2871 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE; i++) {
2872 /* check if the last byte was incremented by 1, including integer
2873 * wrapping */
2874 if (buf[i] - buf[i-1] != 1 && buf[i-1] - buf[i] != 255) {
2875 return 0;
2876 }
2877 }
2878
2879 return -1;
2880 }
2881
2882 #undef FAILURE_MODE_BUFFER_SIZE
2883
2884 /** Test that our ed25519 validation function rejects evil public keys and
2885 * accepts good ones. */
2886 static void
2887 test_crypto_ed25519_validation(void *arg)
2888 {
2889 (void) arg;
2890
2891 int retval;
2892 ed25519_public_key_t pub1;
2893
2894 /* See https://lists.torproject.org/pipermail/tor-dev/2017-April/012230.html
2895 for a list of points with torsion components in ed25519. */
2896
2897 { /* Point with torsion component (order 8l) */
2898 const char badkey[] =
2899 "300ef2e64e588e1df55b48e4da0416ffb64cc85d5b00af6463d5cc6c2b1c185e";
2900 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2901 badkey, strlen(badkey));
2902 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2903 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2904 }
2905
2906 { /* Point with torsion component (order 4l) */
2907 const char badkey[] =
2908 "f43e3a046db8749164c6e69b193f1e942c7452e7d888736f40b98093d814d5e7";
2909 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2910 badkey, strlen(badkey));
2911 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2912 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2913 }
2914
2915 { /* Point with torsion component (order 2l) */
2916 const char badkey[] =
2917 "c9fff3af0471c28e33e98c2043e44f779d0427b1e37c521a6bddc011ed1869af";
2918 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2919 badkey, strlen(badkey));
2920 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2921 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2922 }
2923
2924 { /* This point is not even on the curve */
2925 const char badkey[] =
2926 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2927 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2928 badkey, strlen(badkey));
2929 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2930 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2931 }
2932
2933 { /* This one is a good key */
2934 const char goodkey[] =
2935 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2936 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2937 goodkey, strlen(goodkey));
2938 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2939 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
2940 }
2941
2942 done: ;
2943 }
2944
2945 static void
2946 test_crypto_failure_modes(void *arg)
2947 {
2948 int rv = 0;
2949 (void)arg;
2950
2951 rv = crypto_early_init();
2952 tt_int_op(rv, OP_EQ, 0);
2953
2954 /* Check random works */
2955 rv = crypto_rand_check_failure_mode_zero();
2956 tt_int_op(rv, OP_EQ, 0);
2957
2958 rv = crypto_rand_check_failure_mode_identical();
2959 tt_int_op(rv, OP_EQ, 0);
2960
2961 rv = crypto_rand_check_failure_mode_predict();
2962 tt_int_op(rv, OP_EQ, 0);
2963
2964 done:
2965 ;
2966 }
2967
2968 #define CRYPTO_LEGACY(name) \
2969 { #name, test_crypto_ ## name , 0, NULL, NULL }
2970
2971 #define ED25519_TEST_ONE(name, fl, which) \
2972 { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
2973 &ed25519_test_setup, (void*)which }
2974
2975 #define ED25519_TEST(name, fl) \
2976 ED25519_TEST_ONE(name, (fl), "donna"), \
2977 ED25519_TEST_ONE(name, (fl), "ref10")
2978
2979 struct testcase_t crypto_tests[] = {
2980 CRYPTO_LEGACY(formats),
2981 { "openssl_version", test_crypto_openssl_version, TT_FORK, NULL, NULL },
2982 { "aes_AES", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"aes" },
2983 { "aes_EVP", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"evp" },
2984 { "aes128_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
2985 &passthrough_setup, (void*)"128" },
2986 { "aes192_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
2987 &passthrough_setup, (void*)"192" },
2988 { "aes256_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
2989 &passthrough_setup, (void*)"256" },
2990 CRYPTO_LEGACY(sha),
2991 CRYPTO_LEGACY(pk),
2992 { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
2993 { "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL },
2994 { "pk_pem_encrypted", test_crypto_pk_pem_encrypted, TT_FORK, NULL, NULL },
2995 { "pk_invalid_private_key", test_crypto_pk_invalid_private_key, 0,
2996 NULL, NULL },
2997 CRYPTO_LEGACY(digests),
2998 { "digest_names", test_crypto_digest_names, 0, NULL, NULL },
2999 { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL},
3000 { "sha3_xof", test_crypto_sha3_xof, TT_FORK, NULL, NULL},
3001 { "mac_sha3", test_crypto_mac_sha3, TT_FORK, NULL, NULL},
3002 CRYPTO_LEGACY(dh),
3003 { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3004 (void*)"aes" },
3005 { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3006 (void*)"evp" },
3007 CRYPTO_LEGACY(base32_decode),
3008 { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL },
3009 { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
3010 { "hkdf_sha256_testvecs", test_crypto_hkdf_sha256_testvecs, 0, NULL, NULL },
3011 { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
3012 { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"},
3013 { "curve25516_testvec", test_crypto_curve25519_testvec, 0, NULL, NULL },
3014 { "curve25519_basepoint",
3015 test_crypto_curve25519_basepoint, TT_FORK, NULL, NULL },
3016 { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
3017 { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
3018 { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
3019 ED25519_TEST(simple, 0),
3020 ED25519_TEST(test_vectors, 0),
3021 ED25519_TEST(encode, 0),
3022 ED25519_TEST(convert, 0),
3023 ED25519_TEST(blinding, 0),
3024 ED25519_TEST(blinding_fail, 0),
3025 ED25519_TEST(testvectors, 0),
3026 ED25519_TEST(validation, 0),
3027 { "ed25519_storage", test_crypto_ed25519_storage, 0, NULL, NULL },
3028 { "siphash", test_crypto_siphash, 0, NULL, NULL },
3029 { "failure_modes", test_crypto_failure_modes, TT_FORK, NULL, NULL },
3030 END_OF_TESTCASES
3031 };
The Onion Router