Merge branch 'maint-0.4.5' into release-0.4.5
[tor.git] / src / test / test_crypto.c
blobffd6a25bd5fe5cbdac492fff488fc97de3d8824a
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2020, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 #include "orconfig.h"
7 #define CRYPTO_CURVE25519_PRIVATE
8 #define CRYPTO_RAND_PRIVATE
9 #include "core/or/or.h"
10 #include "test/test.h"
11 #include "lib/crypt_ops/aes.h"
12 #include "siphash.h"
13 #include "lib/crypt_ops/crypto_curve25519.h"
14 #include "lib/crypt_ops/crypto_dh.h"
15 #include "lib/crypt_ops/crypto_ed25519.h"
16 #include "lib/crypt_ops/crypto_format.h"
17 #include "lib/crypt_ops/crypto_hkdf.h"
18 #include "lib/crypt_ops/crypto_rand.h"
19 #include "lib/crypt_ops/crypto_init.h"
20 #include "ed25519_vectors.inc"
21 #include "test/log_test_helpers.h"
23 #ifdef HAVE_SYS_STAT_H
24 #include <sys/stat.h>
25 #endif
26 #ifdef HAVE_UNISTD_H
27 #include <unistd.h>
28 #endif
30 #if defined(ENABLE_OPENSSL)
31 #include "lib/crypt_ops/compat_openssl.h"
32 DISABLE_GCC_WARNING("-Wredundant-decls")
33 #include <openssl/dh.h>
34 ENABLE_GCC_WARNING("-Wredundant-decls")
35 #endif /* defined(ENABLE_OPENSSL) */
37 /** Run unit tests for Diffie-Hellman functionality. */
38 static void
39 test_crypto_dh(void *arg)
41 crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
42 crypto_dh_t *dh1_dup = NULL;
43 crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
44 char p1[DH1024_KEY_LEN];
45 char p2[DH1024_KEY_LEN];
46 char s1[DH1024_KEY_LEN];
47 char s2[DH1024_KEY_LEN];
48 ssize_t s1len, s2len;
49 #ifdef ENABLE_OPENSSL
50 crypto_dh_t *dh3 = NULL;
51 DH *dh4 = NULL;
52 BIGNUM *pubkey_tmp = NULL;
53 #endif
55 (void)arg;
56 tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH1024_KEY_LEN);
57 tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH1024_KEY_LEN);
59 memset(p1, 0, DH1024_KEY_LEN);
60 memset(p2, 0, DH1024_KEY_LEN);
61 tt_mem_op(p1,OP_EQ, p2, DH1024_KEY_LEN);
63 tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */
65 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
66 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
67 tt_assert(! crypto_dh_get_public(dh2, p2, DH1024_KEY_LEN));
68 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
70 memset(s1, 0, DH1024_KEY_LEN);
71 memset(s2, 0xFF, DH1024_KEY_LEN);
72 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH1024_KEY_LEN, s1, 50);
73 s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH1024_KEY_LEN, s2, 50);
74 tt_assert(s1len > 0);
75 tt_int_op(s1len,OP_EQ, s2len);
76 tt_mem_op(s1,OP_EQ, s2, s1len);
78 /* test dh_dup; make sure it works the same. */
79 dh1_dup = crypto_dh_dup(dh1);
80 s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH1024_KEY_LEN,
81 s1, 50);
82 tt_i64_op(s1len, OP_GE, 0);
83 tt_mem_op(s1,OP_EQ, s2, s1len);
86 /* Now fabricate some bad values and make sure they get caught. */
88 /* 1 and 0 should both fail. */
89 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x01", 1, s1, 50);
90 tt_int_op(-1, OP_EQ, s1len);
92 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50);
93 tt_int_op(-1, OP_EQ, s1len);
95 memset(p1, 0, DH1024_KEY_LEN); /* 0 with padding. */
96 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
97 s1, 50);
98 tt_int_op(-1, OP_EQ, s1len);
100 p1[DH1024_KEY_LEN-1] = 1; /* 1 with padding*/
101 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
102 s1, 50);
103 tt_int_op(-1, OP_EQ, s1len);
105 /* 2 is okay, though weird. */
106 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
107 tt_int_op(50, OP_EQ, s1len);
109 /* 2 a second time is still okay, though weird. */
110 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
111 tt_int_op(50, OP_EQ, s1len);
113 const char P[] =
114 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
115 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
116 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
117 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
118 "49286651ECE65381FFFFFFFFFFFFFFFF";
120 /* p-1, p, and so on are not okay. */
121 base16_decode(p1, sizeof(p1), P, strlen(P));
123 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
124 s1, 50);
125 tt_int_op(-1, OP_EQ, s1len);
127 p1[DH1024_KEY_LEN-1] = 0xFE; /* p-1 */
128 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
129 s1, 50);
130 tt_int_op(-1, OP_EQ, s1len);
132 p1[DH1024_KEY_LEN-1] = 0xFD; /* p-2 works fine */
133 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
134 s1, 50);
135 tt_int_op(50, OP_EQ, s1len);
137 const char P_plus_one[] =
138 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
139 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
140 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
141 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
142 "49286651ECE653820000000000000000";
144 base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one));
146 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
147 s1, 50);
148 tt_int_op(-1, OP_EQ, s1len);
150 p1[DH1024_KEY_LEN-1] = 0x01; /* p+2 */
151 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
152 s1, 50);
153 tt_int_op(-1, OP_EQ, s1len);
155 p1[DH1024_KEY_LEN-1] = 0xff; /* p+256 */
156 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
157 s1, 50);
158 tt_int_op(-1, OP_EQ, s1len);
160 memset(p1, 0xff, DH1024_KEY_LEN), /* 2^1024-1 */
161 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
162 s1, 50);
163 tt_int_op(-1, OP_EQ, s1len);
167 /* provoke an error in the openssl DH_compute_key function; make sure we
168 * survive. */
169 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
171 crypto_dh_free(dh2);
172 dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */
173 s1len = crypto_dh_compute_secret(LOG_WARN, dh2,
174 p1, DH1024_KEY_LEN,
175 s1, 50);
176 tt_int_op(s1len, OP_EQ, -1);
179 #if defined(ENABLE_OPENSSL)
181 /* Make sure that our crypto library can handshake with openssl. */
182 dh3 = crypto_dh_new(DH_TYPE_TLS);
183 tt_assert(!crypto_dh_get_public(dh3, p1, DH1024_KEY_LEN));
185 dh4 = crypto_dh_new_openssl_tls();
186 tt_assert(DH_generate_key(dh4));
187 const BIGNUM *pk=NULL;
188 #ifdef OPENSSL_1_1_API
189 const BIGNUM *sk=NULL;
190 DH_get0_key(dh4, &pk, &sk);
191 #else
192 pk = dh4->pub_key;
193 #endif /* defined(OPENSSL_1_1_API) */
194 tt_assert(pk);
195 tt_int_op(BN_num_bytes(pk), OP_LE, DH1024_KEY_LEN);
196 tt_int_op(BN_num_bytes(pk), OP_GT, 0);
197 memset(p2, 0, sizeof(p2));
198 /* right-pad. */
199 BN_bn2bin(pk, (unsigned char *)(p2+DH1024_KEY_LEN-BN_num_bytes(pk)));
201 s1len = crypto_dh_handshake(LOG_WARN, dh3, p2, DH1024_KEY_LEN,
202 (unsigned char *)s1, sizeof(s1));
203 pubkey_tmp = BN_bin2bn((unsigned char *)p1, DH1024_KEY_LEN, NULL);
204 s2len = DH_compute_key((unsigned char *)s2, pubkey_tmp, dh4);
206 tt_int_op(s1len, OP_EQ, s2len);
207 tt_int_op(s1len, OP_GT, 0);
208 tt_mem_op(s1, OP_EQ, s2, s1len);
210 #endif /* defined(ENABLE_OPENSSL) */
212 done:
213 crypto_dh_free(dh1);
214 crypto_dh_free(dh2);
215 crypto_dh_free(dh1_dup);
216 #ifdef ENABLE_OPENSSL
217 crypto_dh_free(dh3);
218 if (dh4)
219 DH_free(dh4);
220 if (pubkey_tmp)
221 BN_free(pubkey_tmp);
222 #endif /* defined(ENABLE_OPENSSL) */
225 static void
226 test_crypto_openssl_version(void *arg)
228 (void)arg;
229 #ifdef ENABLE_NSS
230 tt_skip();
231 #else
232 const char *version = crypto_openssl_get_version_str();
233 const char *h_version = crypto_openssl_get_header_version_str();
234 tt_assert(version);
235 tt_assert(h_version);
236 if (strcmpstart(version, h_version)) { /* "-fips" suffix, etc */
237 TT_DIE(("OpenSSL library version %s did not begin with header version %s.",
238 version, h_version));
240 if (strstr(version, "OpenSSL")) {
241 TT_DIE(("assertion failed: !strstr(\"%s\", \"OpenSSL\")", version));
243 int a=-1,b=-1,c=-1;
244 if (!strcmpstart(version, "LibreSSL") || !strcmpstart(version, "BoringSSL"))
245 return;
246 int r = tor_sscanf(version, "%d.%d.%d", &a,&b,&c);
247 tt_int_op(r, OP_EQ, 3);
248 tt_int_op(a, OP_GE, 0);
249 tt_int_op(b, OP_GE, 0);
250 tt_int_op(c, OP_GE, 0);
251 #endif /* defined(ENABLE_NSS) */
253 done:
257 /** Run unit tests for our AES128 functionality */
258 static void
259 test_crypto_aes128(void *arg)
261 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
262 crypto_cipher_t *env1 = NULL, *env2 = NULL;
263 int i, j;
264 char *mem_op_hex_tmp=NULL;
265 char key[CIPHER_KEY_LEN];
266 int use_evp = !strcmp(arg,"evp");
267 evaluate_evp_for_aes(use_evp);
268 evaluate_ctr_for_aes();
270 data1 = tor_malloc(1024);
271 data2 = tor_malloc(1024);
272 data3 = tor_malloc(1024);
274 /* Now, test encryption and decryption with stream cipher. */
275 data1[0]='\0';
276 for (i = 1023; i>0; i -= 35)
277 strncat(data1, "Now is the time for all good onions", i);
279 memset(data2, 0, 1024);
280 memset(data3, 0, 1024);
281 crypto_rand(key, sizeof(key));
282 env1 = crypto_cipher_new(key);
283 tt_ptr_op(env1, OP_NE, NULL);
284 env2 = crypto_cipher_new(key);
285 tt_ptr_op(env2, OP_NE, NULL);
287 /* Try encrypting 512 chars. */
288 crypto_cipher_encrypt(env1, data2, data1, 512);
289 crypto_cipher_decrypt(env2, data3, data2, 512);
290 tt_mem_op(data1,OP_EQ, data3, 512);
291 tt_mem_op(data1,OP_NE, data2, 512);
293 /* Now encrypt 1 at a time, and get 1 at a time. */
294 for (j = 512; j < 560; ++j) {
295 crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
297 for (j = 512; j < 560; ++j) {
298 crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
300 tt_mem_op(data1,OP_EQ, data3, 560);
301 /* Now encrypt 3 at a time, and get 5 at a time. */
302 for (j = 560; j < 1024-5; j += 3) {
303 crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
305 for (j = 560; j < 1024-5; j += 5) {
306 crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
308 tt_mem_op(data1,OP_EQ, data3, 1024-5);
309 /* Now make sure that when we encrypt with different chunk sizes, we get
310 the same results. */
311 crypto_cipher_free(env2);
312 env2 = NULL;
314 memset(data3, 0, 1024);
315 env2 = crypto_cipher_new(key);
316 tt_ptr_op(env2, OP_NE, NULL);
317 for (j = 0; j < 1024-16; j += 17) {
318 crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
320 for (j= 0; j < 1024-16; ++j) {
321 if (data2[j] != data3[j]) {
322 printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]);
325 tt_mem_op(data2,OP_EQ, data3, 1024-16);
326 crypto_cipher_free(env1);
327 env1 = NULL;
328 crypto_cipher_free(env2);
329 env2 = NULL;
331 /* NIST test vector for aes. */
332 /* IV starts at 0 */
333 env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
334 "\x00\x00\x00\x00\x00\x00\x00\x00");
335 crypto_cipher_encrypt(env1, data1,
336 "\x00\x00\x00\x00\x00\x00\x00\x00"
337 "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
338 test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");
340 /* Now test rollover. All these values are originally from a python
341 * script. */
342 crypto_cipher_free(env1);
343 env1 = crypto_cipher_new_with_iv(
344 "\x80\x00\x00\x00\x00\x00\x00\x00"
345 "\x00\x00\x00\x00\x00\x00\x00\x00",
346 "\x00\x00\x00\x00\x00\x00\x00\x00"
347 "\xff\xff\xff\xff\xff\xff\xff\xff");
348 memset(data2, 0, 1024);
349 crypto_cipher_encrypt(env1, data1, data2, 32);
350 test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
351 "cdd0b917dbc7186908a6bfb5ffd574d3");
352 crypto_cipher_free(env1);
353 env1 = crypto_cipher_new_with_iv(
354 "\x80\x00\x00\x00\x00\x00\x00\x00"
355 "\x00\x00\x00\x00\x00\x00\x00\x00",
356 "\x00\x00\x00\x00\xff\xff\xff\xff"
357 "\xff\xff\xff\xff\xff\xff\xff\xff");
358 memset(data2, 0, 1024);
359 crypto_cipher_encrypt(env1, data1, data2, 32);
360 test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
361 "3e63c721df790d2c6469cc1953a3ffac");
362 crypto_cipher_free(env1);
363 env1 = crypto_cipher_new_with_iv(
364 "\x80\x00\x00\x00\x00\x00\x00\x00"
365 "\x00\x00\x00\x00\x00\x00\x00\x00",
366 "\xff\xff\xff\xff\xff\xff\xff\xff"
367 "\xff\xff\xff\xff\xff\xff\xff\xff");
368 memset(data2, 0, 1024);
369 crypto_cipher_encrypt(env1, data1, data2, 32);
370 test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
371 "0EDD33D3C621E546455BD8BA1418BEC8");
373 /* Now check rollover on inplace cipher. */
374 crypto_cipher_free(env1);
375 env1 = crypto_cipher_new_with_iv(
376 "\x80\x00\x00\x00\x00\x00\x00\x00"
377 "\x00\x00\x00\x00\x00\x00\x00\x00",
378 "\xff\xff\xff\xff\xff\xff\xff\xff"
379 "\xff\xff\xff\xff\xff\xff\xff\xff");
380 crypto_cipher_crypt_inplace(env1, data2, 64);
381 test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
382 "0EDD33D3C621E546455BD8BA1418BEC8"
383 "93e2c5243d6839eac58503919192f7ae"
384 "1908e67cafa08d508816659c2e693191");
385 crypto_cipher_free(env1);
386 env1 = crypto_cipher_new_with_iv(
387 "\x80\x00\x00\x00\x00\x00\x00\x00"
388 "\x00\x00\x00\x00\x00\x00\x00\x00",
389 "\xff\xff\xff\xff\xff\xff\xff\xff"
390 "\xff\xff\xff\xff\xff\xff\xff\xff");
391 crypto_cipher_crypt_inplace(env1, data2, 64);
392 tt_assert(fast_mem_is_zero(data2, 64));
394 done:
395 tor_free(mem_op_hex_tmp);
396 if (env1)
397 crypto_cipher_free(env1);
398 if (env2)
399 crypto_cipher_free(env2);
400 tor_free(data1);
401 tor_free(data2);
402 tor_free(data3);
405 static void
406 test_crypto_aes_ctr_testvec(void *arg)
408 const char *bitstr = arg;
409 char *mem_op_hex_tmp=NULL;
410 crypto_cipher_t *c=NULL;
412 /* from NIST SP800-38a, section F.5 */
413 const char ctr16[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
414 const char plaintext16[] =
415 "6bc1bee22e409f96e93d7e117393172a"
416 "ae2d8a571e03ac9c9eb76fac45af8e51"
417 "30c81c46a35ce411e5fbc1191a0a52ef"
418 "f69f2445df4f9b17ad2b417be66c3710";
419 const char *ciphertext16;
420 const char *key16;
421 int bits;
423 if (!strcmp(bitstr, "128")) {
424 ciphertext16 = /* section F.5.1 */
425 "874d6191b620e3261bef6864990db6ce"
426 "9806f66b7970fdff8617187bb9fffdff"
427 "5ae4df3edbd5d35e5b4f09020db03eab"
428 "1e031dda2fbe03d1792170a0f3009cee";
429 key16 = "2b7e151628aed2a6abf7158809cf4f3c";
430 bits = 128;
431 } else if (!strcmp(bitstr, "192")) {
432 ciphertext16 = /* section F.5.3 */
433 "1abc932417521ca24f2b0459fe7e6e0b"
434 "090339ec0aa6faefd5ccc2c6f4ce8e94"
435 "1e36b26bd1ebc670d1bd1d665620abf7"
436 "4f78a7f6d29809585a97daec58c6b050";
437 key16 = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b";
438 bits = 192;
439 } else if (!strcmp(bitstr, "256")) {
440 ciphertext16 = /* section F.5.5 */
441 "601ec313775789a5b7a7f504bbf3d228"
442 "f443e3ca4d62b59aca84e990cacaf5c5"
443 "2b0930daa23de94ce87017ba2d84988d"
444 "dfc9c58db67aada613c2dd08457941a6";
445 key16 =
446 "603deb1015ca71be2b73aef0857d7781"
447 "1f352c073b6108d72d9810a30914dff4";
448 bits = 256;
449 } else {
450 tt_abort_msg("AES doesn't support this number of bits.");
453 char key[32];
454 char iv[16];
455 char plaintext[16*4];
456 memset(key, 0xf9, sizeof(key)); /* poison extra bytes */
457 base16_decode(key, sizeof(key), key16, strlen(key16));
458 base16_decode(iv, sizeof(iv), ctr16, strlen(ctr16));
459 base16_decode(plaintext, sizeof(plaintext),
460 plaintext16, strlen(plaintext16));
462 c = crypto_cipher_new_with_iv_and_bits((uint8_t*)key, (uint8_t*)iv, bits);
463 crypto_cipher_crypt_inplace(c, plaintext, sizeof(plaintext));
464 test_memeq_hex(plaintext, ciphertext16);
466 done:
467 tor_free(mem_op_hex_tmp);
468 crypto_cipher_free(c);
471 /** Run unit tests for our SHA-1 functionality */
472 static void
473 test_crypto_sha(void *arg)
475 crypto_digest_t *d1 = NULL, *d2 = NULL;
476 int i;
477 #define RFC_4231_MAX_KEY_SIZE 131
478 char key[RFC_4231_MAX_KEY_SIZE];
479 char digest[DIGEST256_LEN];
480 char data[DIGEST512_LEN];
481 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
482 char *mem_op_hex_tmp=NULL;
484 /* Test SHA-1 with a test vector from the specification. */
485 (void)arg;
486 i = crypto_digest(data, "abc", 3);
487 test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
488 tt_int_op(i, OP_EQ, 0);
490 /* Test SHA-256 with a test vector from the specification. */
491 i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
492 test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
493 "96177A9CB410FF61F20015AD");
494 tt_int_op(i, OP_EQ, 0);
496 /* Test SHA-512 with a test vector from the specification. */
497 i = crypto_digest512(data, "abc", 3, DIGEST_SHA512);
498 test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
499 "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
500 "feebbd454d4423643ce80e2a9ac94fa54ca49f");
501 tt_int_op(i, OP_EQ, 0);
503 /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
505 /* Case empty (wikipedia) */
506 crypto_hmac_sha256(digest, "", 0, "", 0);
507 tt_str_op(hex_str(digest, 32),OP_EQ,
508 "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
510 /* Case quick-brown (wikipedia) */
511 crypto_hmac_sha256(digest, "key", 3,
512 "The quick brown fox jumps over the lazy dog", 43);
513 tt_str_op(hex_str(digest, 32),OP_EQ,
514 "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
516 /* "Test Case 1" from RFC 4231 */
517 memset(key, 0x0b, 20);
518 crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
519 test_memeq_hex(digest,
520 "b0344c61d8db38535ca8afceaf0bf12b"
521 "881dc200c9833da726e9376c2e32cff7");
523 /* "Test Case 2" from RFC 4231 */
524 memset(key, 0x0b, 20);
525 crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
526 test_memeq_hex(digest,
527 "5bdcc146bf60754e6a042426089575c7"
528 "5a003f089d2739839dec58b964ec3843");
530 /* "Test case 3" from RFC 4231 */
531 memset(key, 0xaa, 20);
532 memset(data, 0xdd, 50);
533 crypto_hmac_sha256(digest, key, 20, data, 50);
534 test_memeq_hex(digest,
535 "773ea91e36800e46854db8ebd09181a7"
536 "2959098b3ef8c122d9635514ced565fe");
538 /* "Test case 4" from RFC 4231 */
539 base16_decode(key, 25,
540 "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
541 memset(data, 0xcd, 50);
542 crypto_hmac_sha256(digest, key, 25, data, 50);
543 test_memeq_hex(digest,
544 "82558a389a443c0ea4cc819899f2083a"
545 "85f0faa3e578f8077a2e3ff46729665b");
547 /* "Test case 5" from RFC 4231 */
548 memset(key, 0x0c, 20);
549 crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
550 test_memeq_hex(digest,
551 "a3b6167473100ee06e0c796c2955552b");
553 /* "Test case 6" from RFC 4231 */
554 memset(key, 0xaa, 131);
555 crypto_hmac_sha256(digest, key, 131,
556 "Test Using Larger Than Block-Size Key - Hash Key First",
557 54);
558 test_memeq_hex(digest,
559 "60e431591ee0b67f0d8a26aacbf5b77f"
560 "8e0bc6213728c5140546040f0ee37f54");
562 /* "Test case 7" from RFC 4231 */
563 memset(key, 0xaa, 131);
564 crypto_hmac_sha256(digest, key, 131,
565 "This is a test using a larger than block-size key and a "
566 "larger than block-size data. The key needs to be hashed "
567 "before being used by the HMAC algorithm.", 152);
568 test_memeq_hex(digest,
569 "9b09ffa71b942fcb27635fbcd5b0e944"
570 "bfdc63644f0713938a7f51535c3a35e2");
572 /* Incremental digest code. */
573 d1 = crypto_digest_new();
574 tt_assert(d1);
575 crypto_digest_add_bytes(d1, "abcdef", 6);
576 d2 = crypto_digest_dup(d1);
577 tt_assert(d2);
578 crypto_digest_add_bytes(d2, "ghijkl", 6);
579 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
580 crypto_digest(d_out2, "abcdefghijkl", 12);
581 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
582 crypto_digest_assign(d2, d1);
583 crypto_digest_add_bytes(d2, "mno", 3);
584 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
585 crypto_digest(d_out2, "abcdefmno", 9);
586 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
587 crypto_digest_get_digest(d1, d_out1, DIGEST_LEN);
588 crypto_digest(d_out2, "abcdef", 6);
589 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
590 crypto_digest_free(d1);
591 crypto_digest_free(d2);
593 /* Incremental digest code with sha256 */
594 d1 = crypto_digest256_new(DIGEST_SHA256);
595 tt_assert(d1);
596 crypto_digest_add_bytes(d1, "abcdef", 6);
597 d2 = crypto_digest_dup(d1);
598 tt_assert(d2);
599 crypto_digest_add_bytes(d2, "ghijkl", 6);
600 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
601 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
602 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
603 crypto_digest_assign(d2, d1);
604 crypto_digest_add_bytes(d2, "mno", 3);
605 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
606 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
607 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
608 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
609 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
610 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
611 crypto_digest_free(d1);
612 crypto_digest_free(d2);
614 /* Incremental digest code with sha512 */
615 d1 = crypto_digest512_new(DIGEST_SHA512);
616 tt_assert(d1);
617 crypto_digest_add_bytes(d1, "abcdef", 6);
618 d2 = crypto_digest_dup(d1);
619 tt_assert(d2);
620 crypto_digest_add_bytes(d2, "ghijkl", 6);
621 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
622 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512);
623 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
624 crypto_digest_assign(d2, d1);
625 crypto_digest_add_bytes(d2, "mno", 3);
626 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
627 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512);
628 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
629 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
630 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512);
631 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
633 done:
634 if (d1)
635 crypto_digest_free(d1);
636 if (d2)
637 crypto_digest_free(d2);
638 tor_free(mem_op_hex_tmp);
641 static void
642 test_crypto_sha3(void *arg)
644 crypto_digest_t *d1 = NULL, *d2 = NULL;
645 int i;
646 char data[DIGEST512_LEN];
647 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
648 char *mem_op_hex_tmp=NULL;
649 char *large = NULL;
651 (void)arg;
653 /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
655 * NB: The code package's test vectors have length expressed in bits.
658 /* Len = 8, Msg = CC */
659 const uint8_t keccak_kat_msg8[] = { 0xcc };
660 i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
661 test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
662 "6252BB7CE180B00B582DD9B20AAAD7F0");
663 tt_int_op(i, OP_EQ, 0);
664 i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
665 test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
666 "C36E2EE0F652AC72E02624FA2E5ADEEC"
667 "C7DD6BB3580224B4D6138706FC6E8059"
668 "7B528051230B00621CC2B22999EAA205");
669 tt_int_op(i, OP_EQ, 0);
671 /* Len = 24, Msg = 1F877C */
672 const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
673 i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3,
674 DIGEST_SHA3_256);
675 test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
676 "C9C966712A501B19D1B6632CCD408EC5");
677 tt_int_op(i, OP_EQ, 0);
678 i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3,
679 DIGEST_SHA3_512);
680 test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
681 "1A2F0D0608C3A575163751F002DB30F4"
682 "0F2F671834B22D208591CFAF1F5ECFE4"
683 "3C49863A53B3225BDFD7C6591BA7658B");
684 tt_int_op(i, OP_EQ, 0);
686 /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
687 const uint8_t keccak_kat_msg1080[] = {
688 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
689 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
690 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
691 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
692 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
693 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
694 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
695 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
696 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
697 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
698 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
699 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
700 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
701 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
703 i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135,
704 DIGEST_SHA3_256);
705 test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
706 "BE9B7C736B8059ABFD6779AC35AC81B5");
707 tt_int_op(i, OP_EQ, 0);
708 i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135,
709 DIGEST_SHA3_512);
710 test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
711 "CB78696773A212A5F62D02D14E3259D1"
712 "92A87EBA4407DD83893527331407B6DA"
713 "DAAD920DBC46489B677493CE5F20B595");
714 tt_int_op(i, OP_EQ, 0);
716 /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
717 const uint8_t keccak_kat_msg1088[] = {
718 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
719 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
720 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
721 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
722 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
723 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
724 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
725 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
726 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
727 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
728 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
729 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
730 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
731 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
733 i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136,
734 DIGEST_SHA3_256);
735 test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
736 "77B5286364FE16C59CC8A907AFF07732");
737 tt_int_op(i, OP_EQ, 0);
738 i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136,
739 DIGEST_SHA3_512);
740 test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
741 "FB94A14C72DE5ACD10D0EB5ECE029CAD"
742 "FA3BA17A40B2FFA2163991B17786E51C"
743 "ABA79E5E0FFD34CF085E2A098BE8BACB");
744 tt_int_op(i, OP_EQ, 0);
746 /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
747 const uint8_t keccak_kat_msg1096[] = {
748 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
749 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
750 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
751 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
752 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
753 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
754 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
755 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
756 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
757 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
758 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
759 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
760 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
761 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
763 i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137,
764 DIGEST_SHA3_256);
765 test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
766 "735E0177279222E7AC0AF8504762FAA0");
767 tt_int_op(i, OP_EQ, 0);
768 i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137,
769 DIGEST_SHA3_512);
770 test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
771 "40474041DE83D4A60645A826D7AF1ABE"
772 "1EEFCB7B74B62CA6A514E5F2697D585B"
773 "FECECE12931BBE1D4ED7EBF7B0BE660E");
774 tt_int_op(i, OP_EQ, 0);
776 /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
777 const uint8_t keccak_kat_msg1144[] = {
778 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
779 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
780 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
781 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
782 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
783 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
784 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
785 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
786 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
787 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
788 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
789 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
790 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
791 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
792 0xDF, 0xAF, 0xEC,
794 i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143,
795 DIGEST_SHA3_512);
796 test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
797 "605516615D96A062C8BE53A0D6C5A648"
798 "7BE35D2A8F3CF6620D0C2DBA2C560D68"
799 "295F284BE7F82F3B92919033C9CE5D80");
800 tt_int_op(i, OP_EQ, 0);
801 i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143,
802 DIGEST_SHA3_256);
803 test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
804 "118C0C2C606BDCDA06E7943D2C95E0E5");
805 tt_int_op(i, OP_EQ, 0);
807 /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
808 const uint8_t keccak_kat_msg1152[] = {
809 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
810 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
811 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
812 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
813 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
814 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
815 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
816 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
817 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
818 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
819 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
820 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
821 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
822 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
823 0x9E, 0xE0, 0x0C, 0x63,
825 i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144,
826 DIGEST_SHA3_512);
827 test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
828 "22775DCB6019DCD22B8885994672A088"
829 "9C69E8115C641DC8B83E39F7311815A1"
830 "64DC46E0BA2FCA344D86D4BC2EF2532C");
831 tt_int_op(i, OP_EQ, 0);
832 i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144,
833 DIGEST_SHA3_256);
834 test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
835 "84DA47678F3C2FFE5A39FDB5F7E63FFB");
836 tt_int_op(i, OP_EQ, 0);
838 /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
839 const uint8_t keccak_kat_msg1160[] = {
840 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
841 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
842 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
843 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
844 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
845 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
846 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
847 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
848 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
849 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
850 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
851 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
852 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
853 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
854 0x70, 0x11, 0x04, 0x4C, 0x53,
856 i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145,
857 DIGEST_SHA3_512);
858 test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
859 "05221AC5EFB1229842E4614F4A029C9B"
860 "D14A0ED7FD99AF3681429F3F309FDB53"
861 "166AA9A3CD9F1F1223D04B4A9015E94A");
862 tt_int_op(i, OP_EQ, 0);
863 i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145,
864 DIGEST_SHA3_256);
865 test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
866 "3CF6235C6B0B7969342C45A35194B67E");
867 tt_int_op(i, OP_EQ, 0);
869 /* SHA3-[256,512] Empty case (wikipedia) */
870 i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
871 test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
872 "f580ff4de43b49fa82d80a4b80f8434a");
873 tt_int_op(i, OP_EQ, 0);
874 i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
875 test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
876 "97c982164fe25859e0d1dcc1475c80a6"
877 "15b2123af1f5f94c11e3e9402c3ac558"
878 "f500199d95b6d3e301758586281dcd26");
879 tt_int_op(i, OP_EQ, 0);
881 /* Incremental digest code with SHA3-256 */
882 d1 = crypto_digest256_new(DIGEST_SHA3_256);
883 tt_assert(d1);
884 crypto_digest_add_bytes(d1, "abcdef", 6);
885 d2 = crypto_digest_dup(d1);
886 tt_assert(d2);
887 crypto_digest_add_bytes(d2, "ghijkl", 6);
888 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
889 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
890 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
891 crypto_digest_assign(d2, d1);
892 crypto_digest_add_bytes(d2, "mno", 3);
893 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
894 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
895 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
896 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
897 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
898 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
899 crypto_digest_free(d1);
900 crypto_digest_free(d2);
902 /* Incremental digest code with SHA3-512 */
903 d1 = crypto_digest512_new(DIGEST_SHA3_512);
904 tt_assert(d1);
905 crypto_digest_add_bytes(d1, "abcdef", 6);
906 d2 = crypto_digest_dup(d1);
907 tt_assert(d2);
908 crypto_digest_add_bytes(d2, "ghijkl", 6);
909 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
910 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512);
911 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
912 crypto_digest_assign(d2, d1);
913 crypto_digest_add_bytes(d2, "mno", 3);
914 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
915 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512);
916 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
917 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
918 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512);
919 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
920 crypto_digest_free(d1);
922 /* Attempt to exercise the incremental hashing code by creating a randomized
923 * 30 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512
924 * is used because it has a lowest rate of the family (the code is common,
925 * but the slower rate exercises more of it).
927 const size_t bufsz = 30 * 1024;
928 size_t j = 0;
929 large = tor_malloc(bufsz);
930 crypto_rand(large, bufsz);
931 d1 = crypto_digest512_new(DIGEST_SHA3_512); /* Running digest. */
932 while (j < bufsz) {
933 /* Pick how much data to add to the running digest. */
934 size_t incr = (size_t)crypto_rand_int_range(1, 72 * 5);
935 incr = MIN(bufsz - j, incr);
937 /* Add the data, and calculate the hash. */
938 crypto_digest_add_bytes(d1, large + j, incr);
939 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
941 /* One-shot hash the buffer up to the data that was just added,
942 * and ensure that the values match up.
944 * XXX/yawning: If this actually fails, it'll be rather difficult to
945 * reproduce. Improvements welcome.
947 i = crypto_digest512(d_out2, large, j + incr, DIGEST_SHA3_512);
948 tt_int_op(i, OP_EQ, 0);
949 tt_mem_op(d_out1, OP_EQ, d_out2, DIGEST512_LEN);
951 j += incr;
954 done:
955 if (d1)
956 crypto_digest_free(d1);
957 if (d2)
958 crypto_digest_free(d2);
959 tor_free(large);
960 tor_free(mem_op_hex_tmp);
963 /** Run unit tests for our XOF. */
964 static void
965 test_crypto_sha3_xof(void *arg)
967 uint8_t msg[255];
968 uint8_t out[512];
969 crypto_xof_t *xof;
970 char *mem_op_hex_tmp=NULL;
972 (void)arg;
974 /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */
975 base16_decode((char *)msg, 255,
976 "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431"
977 "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1"
978 "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F"
979 "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457"
980 "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186"
981 "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3"
982 "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565"
983 "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7"
984 "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510);
985 const char *squeezed_hex =
986 "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE"
987 "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A"
988 "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84"
989 "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF"
990 "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60"
991 "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9"
992 "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34"
993 "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF"
994 "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90"
995 "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC"
996 "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18"
997 "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775"
998 "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B"
999 "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2"
1000 "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78"
1001 "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9"
1002 "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39"
1003 "73D4";
1005 /* Test oneshot absorb/squeeze. */
1006 xof = crypto_xof_new();
1007 tt_assert(xof);
1008 crypto_xof_add_bytes(xof, msg, sizeof(msg));
1009 crypto_xof_squeeze_bytes(xof, out, sizeof(out));
1010 test_memeq_hex(out, squeezed_hex);
1011 crypto_xof_free(xof);
1012 memset(out, 0, sizeof(out));
1014 /* Test one-function absorb/squeeze. */
1015 crypto_xof(out, sizeof(out), msg, sizeof(msg));
1016 test_memeq_hex(out, squeezed_hex);
1017 memset(out, 0, sizeof(out));
1019 /* Test incremental absorb/squeeze. */
1020 xof = crypto_xof_new();
1021 tt_assert(xof);
1022 for (size_t i = 0; i < sizeof(msg); i++)
1023 crypto_xof_add_bytes(xof, msg + i, 1);
1024 for (size_t i = 0; i < sizeof(out); i++) {
1025 crypto_xof_squeeze_bytes(xof, out + i, 1);
1027 test_memeq_hex(out, squeezed_hex);
1029 done:
1030 if (xof)
1031 crypto_xof_free(xof);
1032 tor_free(mem_op_hex_tmp);
1035 /* Test our MAC-SHA3 function. There are not actually any MAC-SHA3 test
1036 * vectors out there for our H(len(k) || k || m) construction. Hence what we
1037 * are gonna do is test our crypto_mac_sha3_256() function against manually
1038 * doing H(len(k) || k||m). If in the future the Keccak group decides to
1039 * standarize an MAC construction and make test vectors, we should
1040 * incorporate them here. */
1041 static void
1042 test_crypto_mac_sha3(void *arg)
1044 const char msg[] = "i am in a library somewhere using my computer";
1045 const char key[] = "i'm from the past talking to the future.";
1047 uint8_t hmac_test[DIGEST256_LEN];
1048 char hmac_manual[DIGEST256_LEN];
1050 (void) arg;
1052 /* First let's use our nice HMAC-SHA3 function */
1053 crypto_mac_sha3_256(hmac_test, sizeof(hmac_test),
1054 (uint8_t *) key, strlen(key),
1055 (uint8_t *) msg, strlen(msg));
1057 /* Now let's try a manual H(len(k) || k || m) construction */
1059 char *key_msg_concat = NULL, *all = NULL;
1060 int result;
1061 const uint64_t key_len_netorder = tor_htonll(strlen(key));
1062 size_t all_len;
1064 tor_asprintf(&key_msg_concat, "%s%s", key, msg);
1065 all_len = sizeof(key_len_netorder) + strlen(key_msg_concat);
1066 all = tor_malloc_zero(all_len);
1067 memcpy(all, &key_len_netorder, sizeof(key_len_netorder));
1068 memcpy(all + sizeof(key_len_netorder), key_msg_concat,
1069 strlen(key_msg_concat));
1071 result = crypto_digest256(hmac_manual, all, all_len, DIGEST_SHA3_256);
1072 tor_free(key_msg_concat);
1073 tor_free(all);
1074 tt_int_op(result, OP_EQ, 0);
1077 /* Now compare the two results */
1078 tt_mem_op(hmac_test, OP_EQ, hmac_manual, DIGEST256_LEN);
1080 done: ;
1083 /** Run unit tests for our public key crypto functions */
1084 static void
1085 test_crypto_pk(void *arg)
1087 crypto_pk_t *pk1 = NULL, *pk2 = NULL;
1088 char *encoded = NULL;
1089 char data1[1024], data2[1024], data3[1024];
1090 size_t size;
1091 int i, len;
1093 /* Public-key ciphers */
1094 (void)arg;
1095 pk1 = pk_generate(0);
1096 pk2 = crypto_pk_new();
1097 tt_assert(pk1 && pk2);
1098 tt_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size));
1099 tt_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size));
1100 tt_int_op(0,OP_EQ, crypto_pk_cmp_keys(pk1, pk2));
1102 /* comparison between keys and NULL */
1103 tt_int_op(crypto_pk_cmp_keys(NULL, pk1), OP_LT, 0);
1104 tt_int_op(crypto_pk_cmp_keys(NULL, NULL), OP_EQ, 0);
1105 tt_int_op(crypto_pk_cmp_keys(pk1, NULL), OP_GT, 0);
1107 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk1));
1108 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk1));
1109 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk2));
1110 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk2));
1112 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk2, data1, sizeof(data1),
1113 "Hello whirled.", 15,
1114 PK_PKCS1_OAEP_PADDING));
1115 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk1, data2, sizeof(data1),
1116 "Hello whirled.", 15,
1117 PK_PKCS1_OAEP_PADDING));
1118 /* oaep padding should make encryption not match */
1119 tt_mem_op(data1,OP_NE, data2, 128);
1120 tt_int_op(15,OP_EQ,
1121 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128,
1122 PK_PKCS1_OAEP_PADDING,1));
1123 tt_str_op(data3,OP_EQ, "Hello whirled.");
1124 memset(data3, 0, 1024);
1125 tt_int_op(15,OP_EQ,
1126 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1127 PK_PKCS1_OAEP_PADDING,1));
1128 tt_str_op(data3,OP_EQ, "Hello whirled.");
1129 /* Can't decrypt with public key. */
1130 tt_int_op(-1,OP_EQ,
1131 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128,
1132 PK_PKCS1_OAEP_PADDING,1));
1133 /* Try again with bad padding */
1134 memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
1135 tt_int_op(-1,OP_EQ,
1136 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1137 PK_PKCS1_OAEP_PADDING,1));
1139 /* File operations: save and load private key */
1140 tt_assert(! crypto_pk_write_private_key_to_filename(pk1,
1141 get_fname("pkey1")));
1142 /* failing case for read: can't read. */
1143 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1144 OP_LT, 0);
1145 write_str_to_file(get_fname("xyzzy"), "foobar", 6);
1146 /* Failing case for read: no key. */
1147 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1148 OP_LT, 0);
1149 tt_assert(! crypto_pk_read_private_key_from_filename(pk2,
1150 get_fname("pkey1")));
1151 tt_int_op(15,OP_EQ,
1152 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128,
1153 PK_PKCS1_OAEP_PADDING,1));
1155 /* Now try signing. */
1156 strlcpy(data1, "Ossifrage", 1024);
1157 tt_int_op(128,OP_EQ,
1158 crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10));
1159 tt_int_op(10,OP_EQ,
1160 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1161 tt_str_op(data3,OP_EQ, "Ossifrage");
1162 /* Try signing digests. */
1163 tt_int_op(128,OP_EQ, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2),
1164 data1, 10));
1165 tt_int_op(20,OP_EQ,
1166 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1167 tt_int_op(0,OP_EQ,
1168 crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128));
1169 tt_int_op(-1,OP_EQ,
1170 crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128));
1172 /*XXXX test failed signing*/
1174 /* Try encoding */
1175 crypto_pk_free(pk2);
1176 pk2 = NULL;
1177 i = crypto_pk_asn1_encode(pk1, data1, 1024);
1178 tt_int_op(i, OP_GT, 0);
1179 pk2 = crypto_pk_asn1_decode(data1, i);
1180 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1182 /* Try with hybrid encryption wrappers. */
1183 crypto_rand(data1, 1024);
1184 for (i = 85; i < 140; ++i) {
1185 memset(data2,0,1024);
1186 memset(data3,0,1024);
1187 len = crypto_pk_obsolete_public_hybrid_encrypt(pk1,data2,sizeof(data2),
1188 data1,i,PK_PKCS1_OAEP_PADDING,0);
1189 tt_int_op(len, OP_GE, 0);
1190 len = crypto_pk_obsolete_private_hybrid_decrypt(pk1,data3,sizeof(data3),
1191 data2,len,PK_PKCS1_OAEP_PADDING,1);
1192 tt_int_op(len,OP_EQ, i);
1193 tt_mem_op(data1,OP_EQ, data3,i);
1196 /* Try copy_full */
1197 crypto_pk_free(pk2);
1198 pk2 = crypto_pk_copy_full(pk1);
1199 tt_ptr_op(pk2, OP_NE, NULL);
1200 tt_ptr_op(pk1, OP_NE, pk2);
1201 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1203 done:
1204 if (pk1)
1205 crypto_pk_free(pk1);
1206 if (pk2)
1207 crypto_pk_free(pk2);
1208 tor_free(encoded);
1211 static void
1212 test_crypto_pk_fingerprints(void *arg)
1214 crypto_pk_t *pk = NULL;
1215 char encoded[512];
1216 char d[DIGEST_LEN], d2[DIGEST_LEN];
1217 char fingerprint[FINGERPRINT_LEN+1];
1218 int n;
1219 unsigned i;
1220 char *mem_op_hex_tmp=NULL;
1222 (void)arg;
1224 pk = pk_generate(1);
1225 tt_assert(pk);
1226 n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded));
1227 tt_int_op(n, OP_GT, 0);
1228 tt_int_op(n, OP_GT, 128);
1229 tt_int_op(n, OP_LT, 256);
1231 /* Is digest as expected? */
1232 crypto_digest(d, encoded, n);
1233 tt_int_op(0, OP_EQ, crypto_pk_get_digest(pk, d2));
1234 tt_mem_op(d,OP_EQ, d2, DIGEST_LEN);
1236 /* Is fingerprint right? */
1237 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 0));
1238 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1239 test_memeq_hex(d, fingerprint);
1241 /* Are spaces right? */
1242 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 1));
1243 for (i = 4; i < strlen(fingerprint); i += 5) {
1244 tt_int_op(fingerprint[i], OP_EQ, ' ');
1246 tor_strstrip(fingerprint, " ");
1247 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1248 test_memeq_hex(d, fingerprint);
1250 /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
1251 crypto_digest(d2, d, sizeof(d));
1252 tt_int_op(0, OP_EQ, crypto_pk_get_hashed_fingerprint(pk, fingerprint));
1253 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1254 test_memeq_hex(d2, fingerprint);
1256 done:
1257 crypto_pk_free(pk);
1258 tor_free(mem_op_hex_tmp);
1261 static void
1262 test_crypto_pk_base64(void *arg)
1264 crypto_pk_t *pk1 = NULL;
1265 crypto_pk_t *pk2 = NULL;
1266 char *encoded = NULL;
1268 (void)arg;
1270 /* Test Base64 encoding a key. */
1271 pk1 = pk_generate(0);
1272 tt_assert(pk1);
1273 tt_int_op(0, OP_EQ, crypto_pk_base64_encode_private(pk1, &encoded));
1274 tt_assert(encoded);
1276 /* Test decoding a valid key. */
1277 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded));
1278 tt_assert(pk2);
1279 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1280 crypto_pk_free(pk2);
1282 /* Test decoding a invalid key (not Base64). */
1283 static const char *invalid_b64 = "The key is in another castle!";
1284 pk2 = crypto_pk_base64_decode_private(invalid_b64, strlen(invalid_b64));
1285 tt_ptr_op(pk2, OP_EQ, NULL);
1287 /* Test decoding a truncated Base64 blob. */
1288 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded)/2);
1289 tt_ptr_op(pk2, OP_EQ, NULL);
1291 done:
1292 crypto_pk_free(pk1);
1293 crypto_pk_free(pk2);
1294 tor_free(encoded);
1297 static void
1298 test_crypto_pk_pem_encrypted(void *arg)
1300 crypto_pk_t *pk = NULL;
1301 (void)arg;
1303 pk = crypto_pk_new();
1304 /* we need to make sure that we won't stall if somebody gives us a key
1305 that's encrypted with a password. */
1307 const char *s =
1308 "-----BEGIN RSA PRIVATE KEY-----\n"
1309 "Proc-Type: 4,ENCRYPTED\n"
1310 "DEK-Info: AES-128-CBC,EFA86BB9D2AB11E80B4E3DCD97782B16\n"
1311 "\n"
1312 "Z2Je4m0cFepc6coQkVbGcvNCHxTf941N2XYEVE6kn0CqWqoUH4tlwV6for5D91np\n"
1313 "5NiEFTkWj31EhrvrYcuiJtQ/iEbABxZULFWFeJ058rb+1izBz5rScqnEacIS/3Go\n"
1314 "YntnROBDwiKmUnue6PJVYg==\n"
1315 "-----END RSA PRIVATE KEY-----\n";
1316 tt_int_op(-1, OP_EQ,
1317 crypto_pk_read_private_key_from_string(pk, s, strlen(s)));
1319 /* For fun, make sure we aren't hit by OpenSSL issue
1320 https://github.com/openssl/openssl/issues/6347 , where we get in trouble
1321 if a cipher doesn't use an IV.
1324 const char *s =
1325 "-----BEGIN RSA PUBLIC KEY-----\n"
1326 "Proc-Type:4,ENCRYPTED\n"
1327 "DEK-Info:des-ede -\n"
1328 "\n"
1329 "iRqK\n"
1330 "-----END RSA PUBLIC KEY-----\n";
1331 tt_int_op(-1, OP_EQ,
1332 crypto_pk_read_public_key_from_string(pk, s, strlen(s)));
1334 done:
1335 crypto_pk_free(pk);
1338 static void
1339 test_crypto_pk_bad_size(void *arg)
1341 (void)arg;
1342 crypto_pk_t *pk1 = pk_generate(0);
1343 crypto_pk_t *pk2 = NULL;
1344 char buf[2048];
1345 int n = crypto_pk_asn1_encode_private(pk1, buf, sizeof(buf));
1346 tt_int_op(n, OP_GT, 0);
1348 /* Set the max bit count smaller: we should refuse to decode the key.*/
1349 pk2 = crypto_pk_asn1_decode_private(buf, n, 1020);
1350 tt_assert(! pk2);
1352 /* Set the max bit count one bit smaller: we should refuse to decode the
1353 key.*/
1354 pk2 = crypto_pk_asn1_decode_private(buf, n, 1023);
1355 tt_assert(! pk2);
1357 /* Correct size: should work. */
1358 pk2 = crypto_pk_asn1_decode_private(buf, n, 1024);
1359 tt_assert(pk2);
1360 crypto_pk_free(pk2);
1362 /* One bit larger: should work. */
1363 pk2 = crypto_pk_asn1_decode_private(buf, n, 1025);
1364 tt_assert(pk2);
1365 crypto_pk_free(pk2);
1367 /* Set the max bit count larger: it should decode fine. */
1368 pk2 = crypto_pk_asn1_decode_private(buf, n, 2048);
1369 tt_assert(pk2);
1371 done:
1372 crypto_pk_free(pk1);
1373 crypto_pk_free(pk2);
1376 static void
1377 test_crypto_pk_invalid_private_key(void *arg)
1379 (void)arg;
1380 /* Here is a simple invalid private key: it was produced by making
1381 * a regular private key, and then adding 2 to the modulus. */
1382 const char pem[] =
1383 "-----BEGIN RSA PRIVATE KEY-----\n"
1384 "MIIEpQIBAAKCAQEAskRyZrs+YAukvBmZlgo6/rCxyKF2xyUk073ap+2CgRUnSfGG\n"
1385 "mflHlzqVq7tpH50DafpS+fFAbaEaNV/ac20QG0rUZi38HTB4qURWOu6n0Bws6E4l\n"
1386 "UX/AkvDlWnuYH0pHHi2c3DGNFjwoJpjKuUTk+cRffVR8X3Kjr62SUDUaBNW0Kecz\n"
1387 "3SYLbmgmZI16dFZ+g9sNM3znXZbhvb33WwPqpZSSPs37cPgF7eS6mAw/gUMx6zfE\n"
1388 "HRmUnOQSzUdS05rvc/hsiCLhiIZ8hgfkD07XnTT1Ds8DwE55k7BUWY2wvwWCNLsH\n"
1389 "qtqAxTr615XdkMxVkYgImpqPybarpfNYhFqkOwIDAQABAoIBACPC3VxEdbfYvhxJ\n"
1390 "2mih9sG++nswAN7kUaX0cRe86rAwaShJPmJHApiQ1ROVTfpciiHJaLnhLraPWe2Z\n"
1391 "I/6Bw3hmI4O399p3Lc1u+wlpdNqnvE6B1rSptx0DHE9xecvVH70rE0uM2Su7t6Y+\n"
1392 "gnR2IKUGQs2mlCilm7aTUEWs0WJkkl4CG1dyxItuOSdNBjOEzXimJyiB10jEBFsp\n"
1393 "SZeCF2FZ7AJbck5CVC42+oTsiDbZrHTHOn7v26rFGdONeHD1wOI1v7JwHFpCB923\n"
1394 "aEHBzsPbMeq7DWG1rjzCYpcXHhTDBDBWSia4SEhyr2Nl7m7qxWWWwR+x4dqAj3rD\n"
1395 "HeTmos0CgYEA6uf1CLpjPpOs5IaW1DQI8dJA/xFEAC/6GVgq4nFOGHZrm8G3L5o+\n"
1396 "qvtQNMpDs2naWuZpqROFqv24o01DykHygR72GlPIY6uvmmf5tvJLoGnbFUay33L4\n"
1397 "7b9dkNhuEIBNPzVDie0pgS77WgaPbYkVv5fnDwgPuVnkqfakEt7Pz2MCgYEAwkZ5\n"
1398 "R1wLuTQEA2Poo6Gf4L8Bg6yNYI46LHDqDIs818iYLjtcnEEvbPfaoKNpOn7s7s4O\n"
1399 "Pc+4HnT1aIQs0IKVLRTp+5a/9wfOkPZnobWOUHZk9UzBL3Hc1uy/qhp93iE3tSzx\n"
1400 "v0O1pvR+hr3guTCZx8wZnDvaMgG3hlyPnVlHdrMCgYEAzQQxGbMC1ySv6quEjCP2\n"
1401 "AogMbhE1lixJTUFj/EoDbNo9xKznIkauly/Lqqc1OysRhfA/G2+MY9YZBX1zwtyX\n"
1402 "uBW7mPKynDrFgi9pBECnvJNmwET57Ic9ttIj6Tzbos83nAjyrzgr1zGX8dRz7ZeN\n"
1403 "QbBj2vygLJbGOYinXkjUeh0CgYEAhN5aF9n2EqZmkEMGWtMxWy6HRJ0A3Cap1rcq\n"
1404 "+4VHCXWhzwy+XAeg/e/N0MuyLlWcif7XcqLcE8h+BwtO8xQ8HmcNWApUJAls12wO\n"
1405 "mGRpftJaXgIupdpD5aJpu1b++qrRRNIGTH9sf1D8L/8w8LcylZkbcuTkaAsQj45C\n"
1406 "kqT64U0CgYEAq47IKS6xc3CDc17BqExR6t+1yRe+4ml+z1zcVbfUKony4pGvl1yo\n"
1407 "rk0IYDN5Vd8h5xtXrkPdX9h+ywmohnelDKsayEuE+opyqEpSU4/96Bb22RZUoucb\n"
1408 "LWkV5gZx5hFnDFtEd4vadMIiY4jVv/3JqiZDKwMVBJKlHRXJEEmIEBk=\n"
1409 "-----END RSA PRIVATE KEY-----\n";
1411 crypto_pk_t *pk = NULL;
1413 pk = crypto_pk_new();
1414 setup_capture_of_logs(LOG_WARN);
1415 tt_int_op(-1, OP_EQ,
1416 crypto_pk_read_private_key_from_string(pk, pem, strlen(pem)));
1417 #ifdef ENABLE_NSS
1418 expect_single_log_msg_containing("received bad data");
1419 #else
1420 expect_single_log_msg_containing("while checking RSA key");
1421 #endif
1422 done:
1423 teardown_capture_of_logs();
1424 crypto_pk_free(pk);
1427 #ifdef HAVE_TRUNCATE
1428 #define do_truncate truncate
1429 #else
1430 static int
1431 do_truncate(const char *fname, size_t len)
1433 struct stat st;
1434 char *bytes;
1436 bytes = read_file_to_str(fname, RFTS_BIN, &st);
1437 if (!bytes)
1438 return -1;
1439 /* This cast isn't so great, but it should be safe given the actual files
1440 * and lengths we're using. */
1441 if (st.st_size < (off_t)len)
1442 len = MIN(len, (size_t)st.st_size);
1444 int r = write_bytes_to_file(fname, bytes, len, 1);
1445 tor_free(bytes);
1446 return r;
1448 #endif /* defined(HAVE_TRUNCATE) */
1450 /** Sanity check for crypto pk digests */
1451 static void
1452 test_crypto_digests(void *arg)
1454 crypto_pk_t *k = NULL;
1455 ssize_t r;
1456 common_digests_t pkey_digests;
1457 char digest[DIGEST_LEN];
1459 (void)arg;
1460 k = crypto_pk_new();
1461 tt_assert(k);
1462 r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3,
1463 strlen(AUTHORITY_SIGNKEY_3));
1464 tt_assert(!r);
1466 r = crypto_pk_get_digest(k, digest);
1467 tt_assert(r == 0);
1468 tt_mem_op(hex_str(digest, DIGEST_LEN),OP_EQ,
1469 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1471 r = crypto_pk_get_common_digests(k, &pkey_digests);
1472 tt_int_op(r, OP_EQ, 0);
1474 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),OP_EQ,
1475 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1476 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),OP_EQ,
1477 AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN);
1478 done:
1479 crypto_pk_free(k);
1482 static void
1483 test_crypto_digest_names(void *arg)
1485 static const struct {
1486 int a; const char *n;
1487 } names[] = {
1488 { DIGEST_SHA1, "sha1" },
1489 { DIGEST_SHA256, "sha256" },
1490 { DIGEST_SHA512, "sha512" },
1491 { DIGEST_SHA3_256, "sha3-256" },
1492 { DIGEST_SHA3_512, "sha3-512" },
1493 { -1, NULL }
1495 (void)arg;
1497 int i;
1498 for (i = 0; names[i].n; ++i) {
1499 tt_str_op(names[i].n, OP_EQ,crypto_digest_algorithm_get_name(names[i].a));
1500 tt_int_op(names[i].a,
1501 OP_EQ,crypto_digest_algorithm_parse_name(names[i].n));
1503 tt_int_op(-1, OP_EQ,
1504 crypto_digest_algorithm_parse_name("TimeCubeHash-4444"));
1505 done:
1509 /** Run unit tests for misc crypto formatting functionality (base64, base32,
1510 * fingerprints, etc) */
1511 static void
1512 test_crypto_formats(void *arg)
1514 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
1515 int i, j, idx;
1517 (void)arg;
1518 data1 = tor_malloc(1024);
1519 data2 = tor_malloc(1024);
1520 data3 = tor_malloc(1024);
1521 tt_assert(data1 && data2 && data3);
1523 /* Base64 tests */
1524 memset(data1, 6, 1024);
1525 for (idx = 0; idx < 10; ++idx) {
1526 i = base64_encode(data2, 1024, data1, idx, 0);
1527 tt_int_op(i, OP_GE, 0);
1528 tt_int_op(i, OP_EQ, strlen(data2));
1529 j = base64_decode(data3, 1024, data2, i);
1530 tt_int_op(j,OP_EQ, idx);
1531 tt_mem_op(data3,OP_EQ, data1, idx);
1533 i = base64_encode_nopad(data2, 1024, (uint8_t*)data1, idx);
1534 tt_int_op(i, OP_GE, 0);
1535 tt_int_op(i, OP_EQ, strlen(data2));
1536 tt_assert(! strchr(data2, '='));
1537 j = base64_decode(data3, 1024, data2, i);
1538 tt_int_op(j, OP_EQ, idx);
1539 tt_mem_op(data3,OP_EQ, data1, idx);
1542 strlcpy(data1, "Test string that contains 35 chars.", 1024);
1543 strlcat(data1, " 2nd string that contains 35 chars.", 1024);
1545 i = base64_encode(data2, 1024, data1, 71, 0);
1546 tt_int_op(i, OP_GE, 0);
1547 j = base64_decode(data3, 1024, data2, i);
1548 tt_int_op(j,OP_EQ, 71);
1549 tt_str_op(data3,OP_EQ, data1);
1550 tt_int_op(data2[i], OP_EQ, '\0');
1552 crypto_rand(data1, DIGEST_LEN);
1553 memset(data2, 100, 1024);
1554 digest_to_base64(data2, data1);
1555 tt_int_op(BASE64_DIGEST_LEN,OP_EQ, strlen(data2));
1556 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST_LEN+2]);
1557 memset(data3, 99, 1024);
1558 tt_int_op(digest_from_base64(data3, data2),OP_EQ, 0);
1559 tt_mem_op(data1,OP_EQ, data3, DIGEST_LEN);
1560 tt_int_op(99,OP_EQ, data3[DIGEST_LEN+1]);
1562 tt_int_op(digest_from_base64(data3, "###"), OP_LT, 0);
1564 /* Encoding SHA256 */
1565 crypto_rand(data2, DIGEST256_LEN);
1566 memset(data2, 100, 1024);
1567 digest256_to_base64(data2, data1);
1568 tt_int_op(BASE64_DIGEST256_LEN,OP_EQ, strlen(data2));
1569 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST256_LEN+2]);
1570 memset(data3, 99, 1024);
1571 tt_int_op(digest256_from_base64(data3, data2),OP_EQ, 0);
1572 tt_mem_op(data1,OP_EQ, data3, DIGEST256_LEN);
1573 tt_int_op(99,OP_EQ, data3[DIGEST256_LEN+1]);
1575 /* Base32 tests */
1576 strlcpy(data1, "5chrs", 1024);
1577 /* bit pattern is: [35 63 68 72 73] ->
1578 * [00110101 01100011 01101000 01110010 01110011]
1579 * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
1581 base32_encode(data2, 9, data1, 5);
1582 tt_str_op(data2,OP_EQ, "gvrwq4tt");
1584 strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
1585 base32_encode(data2, 30, data1, 10);
1586 tt_str_op(data2,OP_EQ, "772w2rfobvomsywe");
1588 /* Base16 tests */
1589 strlcpy(data1, "6chrs\xff", 1024);
1590 base16_encode(data2, 13, data1, 6);
1591 tt_str_op(data2,OP_EQ, "3663687273FF");
1593 strlcpy(data1, "f0d678affc000100", 1024);
1594 i = base16_decode(data2, 8, data1, 16);
1595 tt_int_op(i,OP_EQ, 8);
1596 tt_mem_op(data2,OP_EQ, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
1598 /* now try some failing base16 decodes */
1599 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 15)); /* odd input len */
1600 tt_int_op(-1,OP_EQ, base16_decode(data2, 7, data1, 16)); /* dest too short */
1601 strlcpy(data1, "f0dz!8affc000100", 1024);
1602 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 16));
1604 tor_free(data1);
1605 tor_free(data2);
1606 tor_free(data3);
1608 /* Add spaces to fingerprint */
1610 data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
1611 tt_int_op(strlen(data1),OP_EQ, 40);
1612 data2 = tor_malloc(FINGERPRINT_LEN+1);
1613 crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1);
1614 tt_str_op(data2, OP_EQ,
1615 "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
1616 tor_free(data1);
1617 tor_free(data2);
1620 done:
1621 tor_free(data1);
1622 tor_free(data2);
1623 tor_free(data3);
1626 /** Test AES-CTR encryption and decryption with IV. */
1627 static void
1628 test_crypto_aes_iv(void *arg)
1630 char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2;
1631 char plain_1[1], plain_15[15], plain_16[16], plain_17[17];
1632 char key1[16], key2[16];
1633 ssize_t encrypted_size, decrypted_size;
1635 int use_evp = !strcmp(arg,"evp");
1636 evaluate_evp_for_aes(use_evp);
1638 plain = tor_malloc(4095);
1639 encrypted1 = tor_malloc(4095 + 1 + 16);
1640 encrypted2 = tor_malloc(4095 + 1 + 16);
1641 decrypted1 = tor_malloc(4095 + 1);
1642 decrypted2 = tor_malloc(4095 + 1);
1644 crypto_rand(plain, 4095);
1645 crypto_rand(key1, 16);
1646 crypto_rand(key2, 16);
1647 crypto_rand(plain_1, 1);
1648 crypto_rand(plain_15, 15);
1649 crypto_rand(plain_16, 16);
1650 crypto_rand(plain_17, 17);
1651 key1[0] = key2[0] + 128; /* Make sure that contents are different. */
1652 /* Encrypt and decrypt with the same key. */
1653 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095,
1654 plain, 4095);
1656 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1657 tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is
1658 * greater than 0, but its truth is not
1659 * obvious to all analysis tools. */
1660 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1661 encrypted1, encrypted_size);
1663 tt_int_op(decrypted_size,OP_EQ, 4095);
1664 tt_assert(decrypted_size > 0);
1665 tt_mem_op(plain,OP_EQ, decrypted1, 4095);
1666 /* Encrypt a second time (with a new random initialization vector). */
1667 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095,
1668 plain, 4095);
1670 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1671 tt_assert(encrypted_size > 0);
1672 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095,
1673 encrypted2, encrypted_size);
1674 tt_int_op(decrypted_size,OP_EQ, 4095);
1675 tt_assert(decrypted_size > 0);
1676 tt_mem_op(plain,OP_EQ, decrypted2, 4095);
1677 tt_mem_op(encrypted1,OP_NE, encrypted2, encrypted_size);
1678 /* Decrypt with the wrong key. */
1679 decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095,
1680 encrypted1, encrypted_size);
1681 tt_int_op(decrypted_size,OP_EQ, 4095);
1682 tt_mem_op(plain,OP_NE, decrypted2, decrypted_size);
1683 /* Alter the initialization vector. */
1684 encrypted1[0] += 42;
1685 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1686 encrypted1, encrypted_size);
1687 tt_int_op(decrypted_size,OP_EQ, 4095);
1688 tt_mem_op(plain,OP_NE, decrypted2, 4095);
1689 /* Special length case: 1. */
1690 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1,
1691 plain_1, 1);
1692 tt_int_op(encrypted_size,OP_EQ, 16 + 1);
1693 tt_assert(encrypted_size > 0);
1694 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1,
1695 encrypted1, encrypted_size);
1696 tt_int_op(decrypted_size,OP_EQ, 1);
1697 tt_assert(decrypted_size > 0);
1698 tt_mem_op(plain_1,OP_EQ, decrypted1, 1);
1699 /* Special length case: 15. */
1700 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15,
1701 plain_15, 15);
1702 tt_int_op(encrypted_size,OP_EQ, 16 + 15);
1703 tt_assert(encrypted_size > 0);
1704 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15,
1705 encrypted1, encrypted_size);
1706 tt_int_op(decrypted_size,OP_EQ, 15);
1707 tt_assert(decrypted_size > 0);
1708 tt_mem_op(plain_15,OP_EQ, decrypted1, 15);
1709 /* Special length case: 16. */
1710 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16,
1711 plain_16, 16);
1712 tt_int_op(encrypted_size,OP_EQ, 16 + 16);
1713 tt_assert(encrypted_size > 0);
1714 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16,
1715 encrypted1, encrypted_size);
1716 tt_int_op(decrypted_size,OP_EQ, 16);
1717 tt_assert(decrypted_size > 0);
1718 tt_mem_op(plain_16,OP_EQ, decrypted1, 16);
1719 /* Special length case: 17. */
1720 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17,
1721 plain_17, 17);
1722 tt_int_op(encrypted_size,OP_EQ, 16 + 17);
1723 tt_assert(encrypted_size > 0);
1724 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17,
1725 encrypted1, encrypted_size);
1726 tt_int_op(decrypted_size,OP_EQ, 17);
1727 tt_assert(decrypted_size > 0);
1728 tt_mem_op(plain_17,OP_EQ, decrypted1, 17);
1730 done:
1731 /* Free memory. */
1732 tor_free(plain);
1733 tor_free(encrypted1);
1734 tor_free(encrypted2);
1735 tor_free(decrypted1);
1736 tor_free(decrypted2);
1739 /** Test base32 decoding. */
1740 static void
1741 test_crypto_base32_decode(void *arg)
1743 char plain[60], encoded[96 + 1], decoded[60];
1744 int res;
1745 (void)arg;
1746 crypto_rand(plain, 60);
1747 /* Encode and decode a random string. */
1748 base32_encode(encoded, 96 + 1, plain, 60);
1749 res = base32_decode(decoded, 60, encoded, 96);
1750 tt_int_op(res, OP_EQ, 60);
1751 tt_mem_op(plain,OP_EQ, decoded, 60);
1752 /* Encode, uppercase, and decode a random string. */
1753 base32_encode(encoded, 96 + 1, plain, 60);
1754 tor_strupper(encoded);
1755 res = base32_decode(decoded, 60, encoded, 96);
1756 tt_int_op(res, OP_EQ, 60);
1757 tt_mem_op(plain,OP_EQ, decoded, 60);
1758 /* Change encoded string and decode. */
1759 if (encoded[0] == 'A' || encoded[0] == 'a')
1760 encoded[0] = 'B';
1761 else
1762 encoded[0] = 'A';
1763 res = base32_decode(decoded, 60, encoded, 96);
1764 tt_int_op(res, OP_EQ, 60);
1765 tt_mem_op(plain,OP_NE, decoded, 60);
1766 /* Bad encodings. */
1767 encoded[0] = '!';
1768 res = base32_decode(decoded, 60, encoded, 96);
1769 tt_int_op(res, OP_LT, 0);
1771 done:
1775 static void
1776 test_crypto_kdf_TAP(void *arg)
1778 uint8_t key_material[100];
1779 int r;
1780 char *mem_op_hex_tmp = NULL;
1782 (void)arg;
1783 #define EXPAND(s) \
1784 r = crypto_expand_key_material_TAP( \
1785 (const uint8_t*)(s), strlen(s), \
1786 key_material, 100)
1788 /* Test vectors generated with a little python script; feel free to write
1789 * your own. */
1790 memset(key_material, 0, sizeof(key_material));
1791 EXPAND("");
1792 tt_int_op(r, OP_EQ, 0);
1793 test_memeq_hex(key_material,
1794 "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
1795 "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
1796 "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
1797 "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
1799 EXPAND("Tor");
1800 tt_int_op(r, OP_EQ, 0);
1801 test_memeq_hex(key_material,
1802 "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
1803 "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
1804 "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
1805 "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
1807 EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
1808 tt_int_op(r, OP_EQ, 0);
1809 test_memeq_hex(key_material,
1810 "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
1811 "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
1812 "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
1813 "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
1815 done:
1816 tor_free(mem_op_hex_tmp);
1818 #undef EXPAND
1821 static void
1822 test_crypto_hkdf_sha256(void *arg)
1824 uint8_t key_material[100];
1825 const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract";
1826 const size_t salt_len = strlen((char*)salt);
1827 const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand";
1828 const size_t m_expand_len = strlen((char*)m_expand);
1829 int r;
1830 char *mem_op_hex_tmp = NULL;
1832 (void)arg;
1834 #define EXPAND(s) \
1835 r = crypto_expand_key_material_rfc5869_sha256( \
1836 (const uint8_t*)(s), strlen(s), \
1837 salt, salt_len, \
1838 m_expand, m_expand_len, \
1839 key_material, 100)
1841 /* Test vectors generated with ntor_ref.py */
1842 EXPAND("Tor");
1843 tt_int_op(r, OP_EQ, 0);
1844 test_memeq_hex(key_material,
1845 "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
1846 "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
1847 "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
1848 "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
1850 EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
1851 tt_int_op(r, OP_EQ, 0);
1852 test_memeq_hex(key_material,
1853 "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
1854 "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
1855 "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
1856 "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
1857 done:
1858 tor_free(mem_op_hex_tmp);
1859 #undef EXPAND
1862 static void
1863 test_crypto_hkdf_sha256_testvecs(void *arg)
1865 (void) arg;
1866 /* Test vectors from RFC5869, sections A.1 through A.3 */
1867 const struct {
1868 const char *ikm16, *salt16, *info16;
1869 int L;
1870 const char *okm16;
1871 } vecs[] = {
1872 { /* from A.1 */
1873 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1874 "000102030405060708090a0b0c",
1875 "f0f1f2f3f4f5f6f7f8f9",
1877 "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
1878 "34007208d5b887185865"
1880 { /* from A.2 */
1881 "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
1882 "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
1883 "404142434445464748494a4b4c4d4e4f",
1884 "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
1885 "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
1886 "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
1887 "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
1888 "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef"
1889 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
1891 "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c"
1892 "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71"
1893 "cc30c58179ec3e87c14c01d5c1f3434f1d87"
1895 { /* from A.3 */
1896 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1900 "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
1901 "9d201395faa4b61a96c8",
1903 { NULL, NULL, NULL, -1, NULL }
1906 int i;
1907 char *ikm = NULL;
1908 char *salt = NULL;
1909 char *info = NULL;
1910 char *okm = NULL;
1911 char *mem_op_hex_tmp = NULL;
1913 for (i = 0; vecs[i].ikm16; ++i) {
1914 size_t ikm_len = strlen(vecs[i].ikm16)/2;
1915 size_t salt_len = strlen(vecs[i].salt16)/2;
1916 size_t info_len = strlen(vecs[i].info16)/2;
1917 size_t okm_len = vecs[i].L;
1919 ikm = tor_malloc(ikm_len);
1920 salt = tor_malloc(salt_len);
1921 info = tor_malloc(info_len);
1922 okm = tor_malloc(okm_len);
1924 base16_decode(ikm, ikm_len, vecs[i].ikm16, strlen(vecs[i].ikm16));
1925 base16_decode(salt, salt_len, vecs[i].salt16, strlen(vecs[i].salt16));
1926 base16_decode(info, info_len, vecs[i].info16, strlen(vecs[i].info16));
1928 int r = crypto_expand_key_material_rfc5869_sha256(
1929 (const uint8_t*)ikm, ikm_len,
1930 (const uint8_t*)salt, salt_len,
1931 (const uint8_t*)info, info_len,
1932 (uint8_t*)okm, okm_len);
1933 tt_int_op(r, OP_EQ, 0);
1934 test_memeq_hex(okm, vecs[i].okm16);
1935 tor_free(ikm);
1936 tor_free(salt);
1937 tor_free(info);
1938 tor_free(okm);
1940 done:
1941 tor_free(ikm);
1942 tor_free(salt);
1943 tor_free(info);
1944 tor_free(okm);
1945 tor_free(mem_op_hex_tmp);
1948 static void
1949 test_crypto_curve25519_impl(void *arg)
1951 /* adapted from curve25519_donna, which adapted it from test-curve25519
1952 version 20050915, by D. J. Bernstein, Public domain. */
1954 const int randomize_high_bit = (arg != NULL);
1956 #ifdef SLOW_CURVE25519_TEST
1957 const int loop_max=10000;
1958 const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5"
1959 "7e0329f4dd2819f5f32d130f1296b500";
1960 const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9"
1961 "e0544770bc7de853b38f9100489e3e79";
1962 const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88"
1963 "bd13861475516bc2cd2b6e005e805064";
1964 #else /* !defined(SLOW_CURVE25519_TEST) */
1965 const int loop_max=200;
1966 const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3"
1967 "c6a1037d74cceb3712e9206871dcf654";
1968 const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
1969 "8e3ee1a63c7d14274ea5d4c67f065467";
1970 const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e"
1971 "c0ee98cb2257a4545c0cfb2ca3e1812b";
1972 #endif /* defined(SLOW_CURVE25519_TEST) */
1974 unsigned char e1k[32];
1975 unsigned char e2k[32];
1976 unsigned char e1e2k[32];
1977 unsigned char e2e1k[32];
1978 unsigned char e1[32] = {3};
1979 unsigned char e2[32] = {5};
1980 unsigned char k[32] = {9};
1981 int loop, i;
1983 char *mem_op_hex_tmp = NULL;
1985 for (loop = 0; loop < loop_max; ++loop) {
1986 curve25519_impl(e1k,e1,k);
1987 curve25519_impl(e2e1k,e2,e1k);
1988 curve25519_impl(e2k,e2,k);
1989 if (randomize_high_bit) {
1990 /* We require that the high bit of the public key be ignored. So if
1991 * we're doing this variant test, we randomize the high bit of e2k, and
1992 * make sure that the handshake still works out the same as it would
1993 * otherwise. */
1994 uint8_t byte;
1995 crypto_rand((char*)&byte, 1);
1996 e2k[31] |= (byte & 0x80);
1998 curve25519_impl(e1e2k,e1,e2k);
1999 tt_mem_op(e1e2k,OP_EQ, e2e1k, 32);
2000 if (loop == loop_max-1) {
2001 break;
2003 for (i = 0;i < 32;++i) e1[i] ^= e2k[i];
2004 for (i = 0;i < 32;++i) e2[i] ^= e1k[i];
2005 for (i = 0;i < 32;++i) k[i] ^= e1e2k[i];
2008 test_memeq_hex(e1, e1_expected);
2009 test_memeq_hex(e2k, e2k_expected);
2010 test_memeq_hex(e1e2k, e1e2k_expected);
2012 done:
2013 tor_free(mem_op_hex_tmp);
2016 static void
2017 test_crypto_curve25519_basepoint(void *arg)
2019 uint8_t secret[32];
2020 uint8_t public1[32];
2021 uint8_t public2[32];
2022 const int iters = 2048;
2023 int i;
2024 (void) arg;
2026 for (i = 0; i < iters; ++i) {
2027 crypto_rand((char*)secret, 32);
2028 curve25519_set_impl_params(1); /* Use optimization */
2029 curve25519_basepoint_impl(public1, secret);
2030 curve25519_set_impl_params(0); /* Disable optimization */
2031 curve25519_basepoint_impl(public2, secret);
2032 tt_mem_op(public1, OP_EQ, public2, 32);
2035 done:
2039 static void
2040 test_crypto_curve25519_testvec(void *arg)
2042 (void)arg;
2043 char *mem_op_hex_tmp = NULL;
2045 /* From RFC 7748, section 6.1 */
2046 /* Alice's private key, a: */
2047 const char a16[] =
2048 "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
2049 /* Alice's public key, X25519(a, 9): */
2050 const char a_pub16[] =
2051 "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
2052 /* Bob's private key, b: */
2053 const char b16[] =
2054 "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
2055 /* Bob's public key, X25519(b, 9): */
2056 const char b_pub16[] =
2057 "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
2058 /* Their shared secret, K: */
2059 const char k16[] =
2060 "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
2062 uint8_t a[32], b[32], a_pub[32], b_pub[32], k1[32], k2[32];
2063 base16_decode((char*)a, sizeof(a), a16, strlen(a16));
2064 base16_decode((char*)b, sizeof(b), b16, strlen(b16));
2065 curve25519_basepoint_impl(a_pub, a);
2066 curve25519_basepoint_impl(b_pub, b);
2067 curve25519_impl(k1, a, b_pub);
2068 curve25519_impl(k2, b, a_pub);
2070 test_memeq_hex(a, a16);
2071 test_memeq_hex(b, b16);
2072 test_memeq_hex(a_pub, a_pub16);
2073 test_memeq_hex(b_pub, b_pub16);
2074 test_memeq_hex(k1, k16);
2075 test_memeq_hex(k2, k16);
2076 done:
2077 tor_free(mem_op_hex_tmp);
2080 static void
2081 test_crypto_curve25519_wrappers(void *arg)
2083 curve25519_public_key_t pubkey1, pubkey2;
2084 curve25519_secret_key_t seckey1, seckey2;
2086 uint8_t output1[CURVE25519_OUTPUT_LEN];
2087 uint8_t output2[CURVE25519_OUTPUT_LEN];
2088 (void)arg;
2090 /* Test a simple handshake, serializing and deserializing some stuff. */
2091 curve25519_secret_key_generate(&seckey1, 0);
2092 curve25519_secret_key_generate(&seckey2, 1);
2093 curve25519_public_key_generate(&pubkey1, &seckey1);
2094 curve25519_public_key_generate(&pubkey2, &seckey2);
2095 tt_assert(curve25519_public_key_is_ok(&pubkey1));
2096 tt_assert(curve25519_public_key_is_ok(&pubkey2));
2097 curve25519_handshake(output1, &seckey1, &pubkey2);
2098 curve25519_handshake(output2, &seckey2, &pubkey1);
2099 tt_mem_op(output1,OP_EQ, output2, sizeof(output1));
2101 done:
2105 static void
2106 test_crypto_curve25519_encode(void *arg)
2108 curve25519_secret_key_t seckey;
2109 curve25519_public_key_t key1, key2, key3;
2110 char buf[64], buf_nopad[64];
2112 (void)arg;
2114 curve25519_secret_key_generate(&seckey, 0);
2115 curve25519_public_key_generate(&key1, &seckey);
2116 curve25519_public_to_base64(buf, &key1, true);
2117 tt_int_op(CURVE25519_BASE64_PADDED_LEN, OP_EQ, strlen(buf));
2119 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key2, buf));
2120 tt_mem_op(key1.public_key,OP_EQ, key2.public_key, CURVE25519_PUBKEY_LEN);
2122 curve25519_public_to_base64(buf_nopad, &key1, false);
2123 tt_int_op(CURVE25519_BASE64_LEN, OP_EQ, strlen(buf_nopad));
2124 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key3, buf_nopad));
2125 tt_mem_op(key1.public_key,OP_EQ, key3.public_key, CURVE25519_PUBKEY_LEN);
2127 /* Now try bogus parses. */
2128 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf));
2129 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2131 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf));
2132 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2134 strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf));
2135 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2137 done:
2141 static void
2142 test_crypto_curve25519_persist(void *arg)
2144 curve25519_keypair_t keypair, keypair2;
2145 char *fname = tor_strdup(get_fname("curve25519_keypair"));
2146 char *tag = NULL;
2147 char *content = NULL;
2148 const char *cp;
2149 struct stat st;
2150 size_t taglen;
2152 (void)arg;
2154 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&keypair, 0));
2156 tt_int_op(0,OP_EQ,
2157 curve25519_keypair_write_to_file(&keypair, fname, "testing"));
2158 tt_int_op(0,OP_EQ,curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2159 tt_str_op(tag,OP_EQ,"testing");
2160 tor_free(tag);
2162 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2163 keypair2.pubkey.public_key,
2164 CURVE25519_PUBKEY_LEN);
2165 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2166 keypair2.seckey.secret_key,
2167 CURVE25519_SECKEY_LEN);
2169 content = read_file_to_str(fname, RFTS_BIN, &st);
2170 tt_assert(content);
2171 taglen = strlen("== c25519v1: testing ==");
2172 tt_u64_op((uint64_t)st.st_size, OP_EQ,
2173 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN);
2174 tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen));
2175 tt_assert(fast_mem_is_zero(content+taglen, 32-taglen));
2176 cp = content + 32;
2177 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2179 CURVE25519_SECKEY_LEN);
2180 cp += CURVE25519_SECKEY_LEN;
2181 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2183 CURVE25519_SECKEY_LEN);
2185 tor_free(fname);
2186 fname = tor_strdup(get_fname("bogus_keypair"));
2188 tt_int_op(-1, OP_EQ,
2189 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2190 tor_free(tag);
2192 content[69] ^= 0xff;
2193 tt_int_op(0, OP_EQ,
2194 write_bytes_to_file(fname, content, (size_t)st.st_size, 1));
2195 tt_int_op(-1, OP_EQ,
2196 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2198 done:
2199 tor_free(fname);
2200 tor_free(content);
2201 tor_free(tag);
2204 static void
2205 test_crypto_ed25519_simple(void *arg)
2207 ed25519_keypair_t kp1, kp2;
2208 ed25519_public_key_t pub1, pub2;
2209 ed25519_secret_key_t sec1, sec2;
2210 ed25519_signature_t sig1, sig2;
2211 const uint8_t msg[] =
2212 "GNU will be able to run Unix programs, "
2213 "but will not be identical to Unix.";
2214 const uint8_t msg2[] =
2215 "Microsoft Windows extends the features of the DOS operating system, "
2216 "yet is compatible with most existing applications that run under DOS.";
2217 size_t msg_len = strlen((const char*)msg);
2218 size_t msg2_len = strlen((const char*)msg2);
2220 (void)arg;
2222 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec1, 0));
2223 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec2, 1));
2225 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub1, &sec1));
2226 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec1));
2228 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
2229 tt_int_op(ed25519_validate_pubkey(&pub2), OP_EQ, 0);
2231 tt_mem_op(pub1.pubkey, OP_EQ, pub2.pubkey, sizeof(pub1.pubkey));
2232 tt_assert(ed25519_pubkey_eq(&pub1, &pub2));
2233 tt_assert(ed25519_pubkey_eq(&pub1, &pub1));
2235 memcpy(&kp1.pubkey, &pub1, sizeof(pub1));
2236 memcpy(&kp1.seckey, &sec1, sizeof(sec1));
2237 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp1));
2238 tt_int_op(0, OP_EQ, ed25519_sign(&sig2, msg, msg_len, &kp1));
2240 /* Ed25519 signatures are deterministic */
2241 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, sizeof(sig1.sig));
2243 /* Basic signature is valid. */
2244 tt_int_op(0, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2246 /* Altered signature doesn't work. */
2247 sig1.sig[0] ^= 3;
2248 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2250 /* Wrong public key doesn't work. */
2251 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec2));
2252 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub2));
2253 tt_assert(! ed25519_pubkey_eq(&pub1, &pub2));
2255 /* Wrong message doesn't work. */
2256 tt_int_op(0, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub1));
2257 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len-1, &pub1));
2258 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg2, msg2_len, &pub1));
2260 /* Batch signature checking works with some bad. */
2261 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp2, 0));
2262 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp2));
2264 ed25519_checkable_t ch[] = {
2265 { &pub1, sig2, msg, msg_len }, /*ok*/
2266 { &pub1, sig2, msg, msg_len-1 }, /*bad*/
2267 { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/
2268 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2270 int okay[4];
2271 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(okay, ch, 4));
2272 tt_int_op(okay[0], OP_EQ, 1);
2273 tt_int_op(okay[1], OP_EQ, 0);
2274 tt_int_op(okay[2], OP_EQ, 0);
2275 tt_int_op(okay[3], OP_EQ, 1);
2276 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(NULL, ch, 4));
2279 /* Batch signature checking works with all good. */
2281 ed25519_checkable_t ch[] = {
2282 { &pub1, sig2, msg, msg_len }, /*ok*/
2283 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2285 int okay[2];
2286 tt_int_op(0, OP_EQ, ed25519_checksig_batch(okay, ch, 2));
2287 tt_int_op(okay[0], OP_EQ, 1);
2288 tt_int_op(okay[1], OP_EQ, 1);
2289 tt_int_op(0, OP_EQ, ed25519_checksig_batch(NULL, ch, 2));
2292 /* Test the string-prefixed sign/checksig functions */
2294 ed25519_signature_t manual_sig;
2295 char *prefixed_msg;
2297 /* Generate a signature with a prefixed msg. */
2298 tt_int_op(0, OP_EQ, ed25519_sign_prefixed(&sig1, msg, msg_len,
2299 "always in the mood",
2300 &kp1));
2302 /* First, check that ed25519_sign_prefixed() returns the exact same sig as
2303 if we had manually prefixed the msg ourselves. */
2304 tor_asprintf(&prefixed_msg, "%s%s", "always in the mood", msg);
2305 tt_int_op(0, OP_EQ, ed25519_sign(&manual_sig, (uint8_t *)prefixed_msg,
2306 strlen(prefixed_msg), &kp1));
2307 tor_free(prefixed_msg);
2308 tt_assert(fast_memeq(sig1.sig, manual_sig.sig, sizeof(sig1.sig)));
2310 /* Test that prefixed checksig verifies it properly. */
2311 tt_int_op(0, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2312 "always in the mood",
2313 &pub1));
2315 /* Test that checksig with wrong prefix fails. */
2316 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2317 "always in the moo",
2318 &pub1));
2319 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2320 "always in the moon",
2321 &pub1));
2322 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2323 "always in the mood!",
2324 &pub1));
2327 done:
2331 static void
2332 test_crypto_ed25519_test_vectors(void *arg)
2334 char *mem_op_hex_tmp=NULL;
2335 int i;
2336 struct {
2337 const char *sk;
2338 const char *pk;
2339 const char *sig;
2340 const char *msg;
2341 } items[] = {
2342 /* These test vectors were generated with the "ref" implementation of
2343 * ed25519 from SUPERCOP-20130419 */
2344 { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
2345 "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
2346 "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
2347 "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
2348 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2349 "204e554c2d7465726d696e617465642e"
2352 { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
2353 "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
2354 "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
2355 "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
2356 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2357 "204e554c2d7465726d696e617465642e"
2359 { "6578706f73656420627920456e676c697368207465787420617320696e707574",
2360 "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
2361 "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
2362 "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
2363 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2364 "204e554c2d7465726d696e617465642e"
2367 /* These come from "sign.input" in ed25519's page */
2368 { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
2369 "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
2370 "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
2371 "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
2372 "5a8d9d0a22357e6655f9c785"
2374 { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
2375 "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
2376 "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
2377 "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
2378 "b87d3813e03f58cf19fd0b6395"
2380 { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
2381 "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
2382 "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
2383 "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
2384 "55c7fa434f5ed8cdec2b7aeac173",
2386 { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
2387 "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
2388 "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
2389 "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
2390 "0a688e79be24f866286d4646b5d81c"
2392 /* These come from draft-irtf-cfrg-eddsa-05 section 7.1 */
2394 "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
2395 "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
2396 "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
2397 "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b",
2401 "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
2402 "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
2403 "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
2404 "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00",
2405 "72"
2408 "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
2409 "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
2410 "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350"
2411 "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
2412 "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98"
2413 "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8"
2414 "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d"
2415 "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc"
2416 "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe"
2417 "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e"
2418 "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef"
2419 "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7"
2420 "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
2421 "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2"
2422 "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24"
2423 "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270"
2424 "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc"
2425 "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07"
2426 "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba"
2427 "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a"
2428 "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e"
2429 "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
2430 "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c"
2431 "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8"
2432 "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df"
2433 "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08"
2434 "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649"
2435 "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4"
2436 "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3"
2437 "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e"
2438 "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
2439 "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5"
2440 "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1"
2441 "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d"
2442 "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c"
2443 "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0"
2446 "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
2447 "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
2448 "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
2449 "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704",
2450 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
2451 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
2453 { NULL, NULL, NULL, NULL}
2456 (void)arg;
2458 for (i = 0; items[i].pk; ++i) {
2459 ed25519_keypair_t kp;
2460 ed25519_signature_t sig;
2461 uint8_t sk_seed[32];
2462 uint8_t *msg;
2463 size_t msg_len;
2464 base16_decode((char*)sk_seed, sizeof(sk_seed),
2465 items[i].sk, 64);
2466 ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
2467 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
2468 test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
2470 msg_len = strlen(items[i].msg) / 2;
2471 msg = tor_malloc(msg_len);
2472 base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg));
2474 tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, msg_len, &kp));
2475 test_memeq_hex(sig.sig, items[i].sig);
2477 tor_free(msg);
2480 done:
2481 tor_free(mem_op_hex_tmp);
2484 static void
2485 test_crypto_ed25519_encode(void *arg)
2487 char buf[ED25519_SIG_BASE64_LEN+1];
2488 ed25519_keypair_t kp;
2489 ed25519_public_key_t pk;
2490 ed25519_signature_t sig1, sig2;
2491 char *mem_op_hex_tmp = NULL;
2492 (void) arg;
2494 /* Test roundtrip. */
2495 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, 0));
2496 ed25519_public_to_base64(buf, &kp.pubkey);
2497 tt_int_op(ED25519_BASE64_LEN, OP_EQ, strlen(buf));
2498 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk, buf));
2499 tt_mem_op(kp.pubkey.pubkey, OP_EQ, pk.pubkey, ED25519_PUBKEY_LEN);
2501 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, (const uint8_t*)"ABC", 3, &kp));
2502 ed25519_signature_to_base64(buf, &sig1);
2503 tt_int_op(0, OP_EQ, ed25519_signature_from_base64(&sig2, buf));
2504 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, ED25519_SIG_LEN);
2506 /* Test known value. */
2507 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk,
2508 "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
2509 test_memeq_hex(pk.pubkey,
2510 "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
2512 done:
2513 tor_free(mem_op_hex_tmp);
2516 static void
2517 test_crypto_ed25519_convert(void *arg)
2519 const uint8_t msg[] =
2520 "The eyes are not here / There are no eyes here.";
2521 const int N = 30;
2522 int i;
2523 (void)arg;
2525 for (i = 0; i < N; ++i) {
2526 curve25519_keypair_t curve25519_keypair;
2527 ed25519_keypair_t ed25519_keypair;
2528 ed25519_public_key_t ed25519_pubkey;
2530 int bit=0;
2531 ed25519_signature_t sig;
2533 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&curve25519_keypair, i&1));
2534 tt_int_op(0,OP_EQ,ed25519_keypair_from_curve25519_keypair(
2535 &ed25519_keypair, &bit, &curve25519_keypair));
2536 tt_int_op(0,OP_EQ,ed25519_public_key_from_curve25519_public_key(
2537 &ed25519_pubkey, &curve25519_keypair.pubkey, bit));
2538 tt_mem_op(ed25519_pubkey.pubkey, OP_EQ, ed25519_keypair.pubkey.pubkey, 32);
2540 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair));
2541 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2542 &ed25519_pubkey));
2544 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2545 &ed25519_pubkey));
2546 sig.sig[0] ^= 15;
2547 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2548 &ed25519_pubkey));
2551 done:
2555 static void
2556 test_crypto_ed25519_blinding(void *arg)
2558 const uint8_t msg[] =
2559 "Eyes I dare not meet in dreams / In death's dream kingdom";
2561 const int N = 30;
2562 int i;
2563 (void)arg;
2565 for (i = 0; i < N; ++i) {
2566 uint8_t blinding[32];
2567 ed25519_keypair_t ed25519_keypair;
2568 ed25519_keypair_t ed25519_keypair_blinded;
2569 ed25519_public_key_t ed25519_pubkey_blinded;
2571 ed25519_signature_t sig;
2573 crypto_rand((char*) blinding, sizeof(blinding));
2575 tt_int_op(0,OP_EQ,ed25519_keypair_generate(&ed25519_keypair, 0));
2576 tt_int_op(0,OP_EQ,ed25519_keypair_blind(&ed25519_keypair_blinded,
2577 &ed25519_keypair, blinding));
2579 tt_int_op(0,OP_EQ,ed25519_public_blind(&ed25519_pubkey_blinded,
2580 &ed25519_keypair.pubkey, blinding));
2582 tt_mem_op(ed25519_pubkey_blinded.pubkey, OP_EQ,
2583 ed25519_keypair_blinded.pubkey.pubkey, 32);
2585 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg),
2586 &ed25519_keypair_blinded));
2588 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2589 &ed25519_pubkey_blinded));
2591 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2592 &ed25519_pubkey_blinded));
2593 sig.sig[0] ^= 15;
2594 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2595 &ed25519_pubkey_blinded));
2598 done:
2602 /** Test that our blinding functions will fail if we pass them bad pubkeys */
2603 static void
2604 test_crypto_ed25519_blinding_fail(void *arg)
2606 int retval;
2607 uint8_t param[32] = {2};
2608 ed25519_public_key_t pub;
2609 ed25519_public_key_t pub_blinded;
2611 (void)arg;
2613 /* This point is not on the curve: the blind routines should fail */
2614 const char badkey[] =
2615 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2616 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2617 badkey, strlen(badkey));
2618 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2619 retval = ed25519_public_blind(&pub_blinded, &pub, param);
2620 tt_int_op(retval, OP_EQ, -1);
2622 /* This point is legit: blind routines should be happy */
2623 const char goodkey[] =
2624 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2625 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2626 goodkey, strlen(goodkey));
2627 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2628 retval = ed25519_public_blind(&pub_blinded, &pub, param);
2629 tt_int_op(retval, OP_EQ, 0);
2631 done:
2635 static void
2636 test_crypto_ed25519_testvectors(void *arg)
2638 unsigned i;
2639 char *mem_op_hex_tmp = NULL;
2640 (void)arg;
2642 for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) {
2643 uint8_t sk[32];
2644 ed25519_secret_key_t esk;
2645 ed25519_public_key_t pk, blind_pk, pkfromcurve;
2646 ed25519_keypair_t keypair, blind_keypair;
2647 curve25519_keypair_t curvekp;
2648 uint8_t blinding_param[32];
2649 ed25519_signature_t sig;
2650 int sign;
2652 memset(&curvekp, 0xd0, sizeof(curvekp));
2654 #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
2655 #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
2657 tt_int_op(sizeof(sk), OP_EQ, DECODE(sk, ED25519_SECRET_KEYS[i]));
2658 tt_int_op(sizeof(blinding_param), OP_EQ, DECODE(blinding_param,
2659 ED25519_BLINDING_PARAMS[i]));
2661 tt_int_op(0, OP_EQ, ed25519_secret_key_from_seed(&esk, sk));
2662 EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]);
2664 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &esk));
2665 EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]);
2667 memcpy(&curvekp.seckey.secret_key, esk.seckey, 32);
2668 curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey);
2670 tt_int_op(0, OP_EQ,
2671 ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp));
2672 tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
2673 &pkfromcurve, &curvekp.pubkey, sign));
2674 tt_mem_op(keypair.pubkey.pubkey, OP_EQ, pkfromcurve.pubkey, 32);
2675 EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]);
2677 /* Self-signing */
2678 memcpy(&keypair.seckey, &esk, sizeof(esk));
2679 memcpy(&keypair.pubkey, &pk, sizeof(pk));
2681 tt_int_op(0, OP_EQ, ed25519_sign(&sig, pk.pubkey, 32, &keypair));
2683 EQ(sig.sig, ED25519_SELF_SIGNATURES[i]);
2685 /* Blinding */
2686 tt_int_op(0, OP_EQ,
2687 ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param));
2688 tt_int_op(0, OP_EQ,
2689 ed25519_public_blind(&blind_pk, &pk, blinding_param));
2691 EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]);
2692 EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]);
2694 tt_mem_op(blind_pk.pubkey, OP_EQ, blind_keypair.pubkey.pubkey, 32);
2696 #undef DECODE
2697 #undef EQ
2699 done:
2700 tor_free(mem_op_hex_tmp);
2703 static void
2704 test_crypto_ed25519_storage(void *arg)
2706 (void)arg;
2707 ed25519_keypair_t *keypair = NULL;
2708 ed25519_public_key_t pub;
2709 ed25519_secret_key_t sec;
2710 char *fname_1 = tor_strdup(get_fname("ed_seckey_1"));
2711 char *fname_2 = tor_strdup(get_fname("ed_pubkey_2"));
2712 char *contents = NULL;
2713 char *tag = NULL;
2715 keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
2716 tt_int_op(0,OP_EQ,ed25519_keypair_generate(keypair, 0));
2717 tt_int_op(0,OP_EQ,
2718 ed25519_seckey_write_to_file(&keypair->seckey, fname_1, "foo"));
2719 tt_int_op(0,OP_EQ,
2720 ed25519_pubkey_write_to_file(&keypair->pubkey, fname_2, "bar"));
2722 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_1));
2723 tt_ptr_op(tag, OP_EQ, NULL);
2724 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_2));
2725 tt_ptr_op(tag, OP_EQ, NULL);
2727 tt_int_op(0, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2728 tt_str_op(tag, OP_EQ, "bar");
2729 tor_free(tag);
2730 tt_int_op(0, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2731 tt_str_op(tag, OP_EQ, "foo");
2732 tor_free(tag);
2734 /* whitebox test: truncated keys. */
2735 tt_int_op(0, OP_EQ, do_truncate(fname_1, 40));
2736 tt_int_op(0, OP_EQ, do_truncate(fname_2, 40));
2737 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2738 tt_ptr_op(tag, OP_EQ, NULL);
2739 tor_free(tag);
2740 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2741 tt_ptr_op(tag, OP_EQ, NULL);
2743 done:
2744 tor_free(fname_1);
2745 tor_free(fname_2);
2746 tor_free(contents);
2747 tor_free(tag);
2748 ed25519_keypair_free(keypair);
2751 static void
2752 test_crypto_siphash(void *arg)
2754 /* From the reference implementation, taking
2755 k = 00 01 02 ... 0f
2756 and in = 00; 00 01; 00 01 02; ...
2758 const uint8_t VECTORS[64][8] =
2760 { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
2761 { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
2762 { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
2763 { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
2764 { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
2765 { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
2766 { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
2767 { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
2768 { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
2769 { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
2770 { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
2771 { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
2772 { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
2773 { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
2774 { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
2775 { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
2776 { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
2777 { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
2778 { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
2779 { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
2780 { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
2781 { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
2782 { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
2783 { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
2784 { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
2785 { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
2786 { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
2787 { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
2788 { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
2789 { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
2790 { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
2791 { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
2792 { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
2793 { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
2794 { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
2795 { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
2796 { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
2797 { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
2798 { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
2799 { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
2800 { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
2801 { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
2802 { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
2803 { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
2804 { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
2805 { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
2806 { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
2807 { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
2808 { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
2809 { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
2810 { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
2811 { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
2812 { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
2813 { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
2814 { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
2815 { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
2816 { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
2817 { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
2818 { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
2819 { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
2820 { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
2821 { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
2822 { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
2823 { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
2826 const struct sipkey K = { UINT64_C(0x0706050403020100),
2827 UINT64_C(0x0f0e0d0c0b0a0908) };
2828 uint8_t input[64];
2829 int i, j;
2831 (void)arg;
2833 for (i = 0; i < 64; ++i)
2834 input[i] = i;
2836 for (i = 0; i < 64; ++i) {
2837 uint64_t r = siphash24(input, i, &K);
2838 for (j = 0; j < 8; ++j) {
2839 tt_int_op( (r >> (j*8)) & 0xff, OP_EQ, VECTORS[i][j]);
2843 done:
2847 /* We want the likelihood that the random buffer exhibits any regular pattern
2848 * to be far less than the memory bit error rate in the int return value.
2849 * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call
2850 * 3 functions, leading to an overall error rate of 1/10^616.
2851 * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range.
2853 #define FAILURE_MODE_BUFFER_SIZE (2048/8)
2855 /** Check crypto_rand for a failure mode where it does nothing to the buffer,
2856 * or it sets the buffer to all zeroes. Return 0 when the check passes,
2857 * or -1 when it fails. */
2858 static int
2859 crypto_rand_check_failure_mode_zero(void)
2861 char buf[FAILURE_MODE_BUFFER_SIZE];
2863 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
2864 crypto_rand(buf, FAILURE_MODE_BUFFER_SIZE);
2866 for (size_t i = 0; i < FAILURE_MODE_BUFFER_SIZE; i++) {
2867 if (buf[i] != 0) {
2868 return 0;
2872 return -1;
2875 /** Check crypto_rand for a failure mode where every int64_t in the buffer is
2876 * the same. Return 0 when the check passes, or -1 when it fails. */
2877 static int
2878 crypto_rand_check_failure_mode_identical(void)
2880 /* just in case the buffer size isn't a multiple of sizeof(int64_t) */
2881 #define FAILURE_MODE_BUFFER_SIZE_I64 \
2882 (FAILURE_MODE_BUFFER_SIZE/8)
2883 #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \
2884 (FAILURE_MODE_BUFFER_SIZE_I64*8)
2886 #if FAILURE_MODE_BUFFER_SIZE_I64 < 2
2887 #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*8
2888 #endif
2890 int64_t buf[FAILURE_MODE_BUFFER_SIZE_I64];
2892 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
2893 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
2895 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE_I64; i++) {
2896 if (buf[i] != buf[i-1]) {
2897 return 0;
2901 return -1;
2904 /** Check crypto_rand for a failure mode where it increments the "random"
2905 * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.)
2906 * Return 0 when the check passes, or -1 when it fails. */
2907 static int
2908 crypto_rand_check_failure_mode_predict(void)
2910 unsigned char buf[FAILURE_MODE_BUFFER_SIZE];
2912 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
2913 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE);
2915 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE; i++) {
2916 /* check if the last byte was incremented by 1, including integer
2917 * wrapping */
2918 if (buf[i] - buf[i-1] != 1 && buf[i-1] - buf[i] != 255) {
2919 return 0;
2923 return -1;
2926 #undef FAILURE_MODE_BUFFER_SIZE
2928 /** Test that our ed25519 validation function rejects evil public keys and
2929 * accepts good ones. */
2930 static void
2931 test_crypto_ed25519_validation(void *arg)
2933 (void) arg;
2935 int retval;
2936 ed25519_public_key_t pub1;
2938 /* See https://lists.torproject.org/pipermail/tor-dev/2017-April/012230.html
2939 for a list of points with torsion components in ed25519. */
2941 { /* Point with torsion component (order 8l) */
2942 const char badkey[] =
2943 "300ef2e64e588e1df55b48e4da0416ffb64cc85d5b00af6463d5cc6c2b1c185e";
2944 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2945 badkey, strlen(badkey));
2946 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2947 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2950 { /* Point with torsion component (order 4l) */
2951 const char badkey[] =
2952 "f43e3a046db8749164c6e69b193f1e942c7452e7d888736f40b98093d814d5e7";
2953 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2954 badkey, strlen(badkey));
2955 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2956 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2959 { /* Point with torsion component (order 2l) */
2960 const char badkey[] =
2961 "c9fff3af0471c28e33e98c2043e44f779d0427b1e37c521a6bddc011ed1869af";
2962 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2963 badkey, strlen(badkey));
2964 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2965 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2968 { /* This point is not even on the curve */
2969 const char badkey[] =
2970 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2971 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2972 badkey, strlen(badkey));
2973 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2974 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2977 { /* This one is a good key */
2978 const char goodkey[] =
2979 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2980 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2981 goodkey, strlen(goodkey));
2982 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2983 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
2986 done: ;
2989 static void
2990 test_crypto_failure_modes(void *arg)
2992 int rv = 0;
2993 (void)arg;
2995 rv = crypto_early_init();
2996 tt_int_op(rv, OP_EQ, 0);
2998 /* Check random works */
2999 rv = crypto_rand_check_failure_mode_zero();
3000 tt_int_op(rv, OP_EQ, 0);
3002 rv = crypto_rand_check_failure_mode_identical();
3003 tt_int_op(rv, OP_EQ, 0);
3005 rv = crypto_rand_check_failure_mode_predict();
3006 tt_int_op(rv, OP_EQ, 0);
3008 done:
3012 #ifndef COCCI
3013 #define CRYPTO_LEGACY(name) \
3014 { #name, test_crypto_ ## name , 0, NULL, NULL }
3016 #define ED25519_TEST_ONE(name, fl, which) \
3017 { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
3018 &ed25519_test_setup, (void*)which }
3020 #define ED25519_TEST(name, fl) \
3021 ED25519_TEST_ONE(name, (fl), "donna"), \
3022 ED25519_TEST_ONE(name, (fl), "ref10")
3023 #endif /* !defined(COCCI) */
3025 struct testcase_t crypto_tests[] = {
3026 CRYPTO_LEGACY(formats),
3027 { "openssl_version", test_crypto_openssl_version, TT_FORK, NULL, NULL },
3028 { "aes_AES", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"aes" },
3029 { "aes_EVP", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"evp" },
3030 { "aes128_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3031 &passthrough_setup, (void*)"128" },
3032 { "aes192_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3033 &passthrough_setup, (void*)"192" },
3034 { "aes256_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3035 &passthrough_setup, (void*)"256" },
3036 CRYPTO_LEGACY(sha),
3037 CRYPTO_LEGACY(pk),
3038 { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
3039 { "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL },
3040 { "pk_pem_encrypted", test_crypto_pk_pem_encrypted, TT_FORK, NULL, NULL },
3041 { "pk_bad_size", test_crypto_pk_bad_size, 0, NULL, NULL },
3042 { "pk_invalid_private_key", test_crypto_pk_invalid_private_key, 0,
3043 NULL, NULL },
3044 CRYPTO_LEGACY(digests),
3045 { "digest_names", test_crypto_digest_names, 0, NULL, NULL },
3046 { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL},
3047 { "sha3_xof", test_crypto_sha3_xof, TT_FORK, NULL, NULL},
3048 { "mac_sha3", test_crypto_mac_sha3, TT_FORK, NULL, NULL},
3049 CRYPTO_LEGACY(dh),
3050 { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3051 (void*)"aes" },
3052 { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3053 (void*)"evp" },
3054 CRYPTO_LEGACY(base32_decode),
3055 { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL },
3056 { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
3057 { "hkdf_sha256_testvecs", test_crypto_hkdf_sha256_testvecs, 0, NULL, NULL },
3058 { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
3059 { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"},
3060 { "curve25516_testvec", test_crypto_curve25519_testvec, 0, NULL, NULL },
3061 { "curve25519_basepoint",
3062 test_crypto_curve25519_basepoint, TT_FORK, NULL, NULL },
3063 { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
3064 { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
3065 { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
3066 ED25519_TEST(simple, 0),
3067 ED25519_TEST(test_vectors, 0),
3068 ED25519_TEST(encode, 0),
3069 ED25519_TEST(convert, 0),
3070 ED25519_TEST(blinding, 0),
3071 ED25519_TEST(blinding_fail, 0),
3072 ED25519_TEST(testvectors, 0),
3073 ED25519_TEST(validation, 0),
3074 { "ed25519_storage", test_crypto_ed25519_storage, 0, NULL, NULL },
3075 { "siphash", test_crypto_siphash, 0, NULL, NULL },
3076 { "failure_modes", test_crypto_failure_modes, TT_FORK, NULL, NULL },
3077 END_OF_TESTCASES