1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2020, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
7 #define CRYPTO_CURVE25519_PRIVATE
8 #define CRYPTO_RAND_PRIVATE
9 #include "core/or/or.h"
10 #include "test/test.h"
11 #include "lib/crypt_ops/aes.h"
13 #include "lib/crypt_ops/crypto_curve25519.h"
14 #include "lib/crypt_ops/crypto_dh.h"
15 #include "lib/crypt_ops/crypto_ed25519.h"
16 #include "lib/crypt_ops/crypto_format.h"
17 #include "lib/crypt_ops/crypto_hkdf.h"
18 #include "lib/crypt_ops/crypto_rand.h"
19 #include "lib/crypt_ops/crypto_init.h"
20 #include "ed25519_vectors.inc"
21 #include "test/log_test_helpers.h"
23 #ifdef HAVE_SYS_STAT_H
30 #if defined(ENABLE_OPENSSL)
31 #include "lib/crypt_ops/compat_openssl.h"
32 DISABLE_GCC_WARNING("-Wredundant-decls")
33 #include <openssl/dh.h>
34 ENABLE_GCC_WARNING("-Wredundant-decls")
35 #endif /* defined(ENABLE_OPENSSL) */
37 /** Run unit tests for Diffie-Hellman functionality. */
39 test_crypto_dh(void *arg
)
41 crypto_dh_t
*dh1
= crypto_dh_new(DH_TYPE_CIRCUIT
);
42 crypto_dh_t
*dh1_dup
= NULL
;
43 crypto_dh_t
*dh2
= crypto_dh_new(DH_TYPE_CIRCUIT
);
44 char p1
[DH1024_KEY_LEN
];
45 char p2
[DH1024_KEY_LEN
];
46 char s1
[DH1024_KEY_LEN
];
47 char s2
[DH1024_KEY_LEN
];
50 crypto_dh_t
*dh3
= NULL
;
52 BIGNUM
*pubkey_tmp
= NULL
;
56 tt_int_op(crypto_dh_get_bytes(dh1
),OP_EQ
, DH1024_KEY_LEN
);
57 tt_int_op(crypto_dh_get_bytes(dh2
),OP_EQ
, DH1024_KEY_LEN
);
59 memset(p1
, 0, DH1024_KEY_LEN
);
60 memset(p2
, 0, DH1024_KEY_LEN
);
61 tt_mem_op(p1
,OP_EQ
, p2
, DH1024_KEY_LEN
);
63 tt_int_op(-1, OP_EQ
, crypto_dh_get_public(dh1
, p1
, 6)); /* too short */
65 tt_assert(! crypto_dh_get_public(dh1
, p1
, DH1024_KEY_LEN
));
66 tt_mem_op(p1
,OP_NE
, p2
, DH1024_KEY_LEN
);
67 tt_assert(! crypto_dh_get_public(dh2
, p2
, DH1024_KEY_LEN
));
68 tt_mem_op(p1
,OP_NE
, p2
, DH1024_KEY_LEN
);
70 memset(s1
, 0, DH1024_KEY_LEN
);
71 memset(s2
, 0xFF, DH1024_KEY_LEN
);
72 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p2
, DH1024_KEY_LEN
, s1
, 50);
73 s2len
= crypto_dh_compute_secret(LOG_WARN
, dh2
, p1
, DH1024_KEY_LEN
, s2
, 50);
75 tt_int_op(s1len
,OP_EQ
, s2len
);
76 tt_mem_op(s1
,OP_EQ
, s2
, s1len
);
78 /* test dh_dup; make sure it works the same. */
79 dh1_dup
= crypto_dh_dup(dh1
);
80 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1_dup
, p2
, DH1024_KEY_LEN
,
82 tt_i64_op(s1len
, OP_GE
, 0);
83 tt_mem_op(s1
,OP_EQ
, s2
, s1len
);
86 /* Now fabricate some bad values and make sure they get caught. */
88 /* 1 and 0 should both fail. */
89 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, "\x01", 1, s1
, 50);
90 tt_int_op(-1, OP_EQ
, s1len
);
92 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, "\x00", 1, s1
, 50);
93 tt_int_op(-1, OP_EQ
, s1len
);
95 memset(p1
, 0, DH1024_KEY_LEN
); /* 0 with padding. */
96 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
98 tt_int_op(-1, OP_EQ
, s1len
);
100 p1
[DH1024_KEY_LEN
-1] = 1; /* 1 with padding*/
101 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
103 tt_int_op(-1, OP_EQ
, s1len
);
105 /* 2 is okay, though weird. */
106 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, "\x02", 1, s1
, 50);
107 tt_int_op(50, OP_EQ
, s1len
);
109 /* 2 a second time is still okay, though weird. */
110 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, "\x02", 1, s1
, 50);
111 tt_int_op(50, OP_EQ
, s1len
);
114 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
115 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
116 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
117 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
118 "49286651ECE65381FFFFFFFFFFFFFFFF";
120 /* p-1, p, and so on are not okay. */
121 base16_decode(p1
, sizeof(p1
), P
, strlen(P
));
123 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
125 tt_int_op(-1, OP_EQ
, s1len
);
127 p1
[DH1024_KEY_LEN
-1] = 0xFE; /* p-1 */
128 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
130 tt_int_op(-1, OP_EQ
, s1len
);
132 p1
[DH1024_KEY_LEN
-1] = 0xFD; /* p-2 works fine */
133 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
135 tt_int_op(50, OP_EQ
, s1len
);
137 const char P_plus_one
[] =
138 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
139 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
140 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
141 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
142 "49286651ECE653820000000000000000";
144 base16_decode(p1
, sizeof(p1
), P_plus_one
, strlen(P_plus_one
));
146 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
148 tt_int_op(-1, OP_EQ
, s1len
);
150 p1
[DH1024_KEY_LEN
-1] = 0x01; /* p+2 */
151 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
153 tt_int_op(-1, OP_EQ
, s1len
);
155 p1
[DH1024_KEY_LEN
-1] = 0xff; /* p+256 */
156 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
158 tt_int_op(-1, OP_EQ
, s1len
);
160 memset(p1
, 0xff, DH1024_KEY_LEN
), /* 2^1024-1 */
161 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
163 tt_int_op(-1, OP_EQ
, s1len
);
167 /* provoke an error in the openssl DH_compute_key function; make sure we
169 tt_assert(! crypto_dh_get_public(dh1
, p1
, DH1024_KEY_LEN
));
172 dh2
= crypto_dh_new(DH_TYPE_CIRCUIT
); /* no private key set */
173 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh2
,
176 tt_int_op(s1len
, OP_EQ
, -1);
179 #if defined(ENABLE_OPENSSL)
181 /* Make sure that our crypto library can handshake with openssl. */
182 dh3
= crypto_dh_new(DH_TYPE_TLS
);
183 tt_assert(!crypto_dh_get_public(dh3
, p1
, DH1024_KEY_LEN
));
185 dh4
= crypto_dh_new_openssl_tls();
186 tt_assert(DH_generate_key(dh4
));
187 const BIGNUM
*pk
=NULL
;
188 #ifdef OPENSSL_1_1_API
189 const BIGNUM
*sk
=NULL
;
190 DH_get0_key(dh4
, &pk
, &sk
);
193 #endif /* defined(OPENSSL_1_1_API) */
195 tt_int_op(BN_num_bytes(pk
), OP_LE
, DH1024_KEY_LEN
);
196 tt_int_op(BN_num_bytes(pk
), OP_GT
, 0);
197 memset(p2
, 0, sizeof(p2
));
199 BN_bn2bin(pk
, (unsigned char *)(p2
+DH1024_KEY_LEN
-BN_num_bytes(pk
)));
201 s1len
= crypto_dh_handshake(LOG_WARN
, dh3
, p2
, DH1024_KEY_LEN
,
202 (unsigned char *)s1
, sizeof(s1
));
203 pubkey_tmp
= BN_bin2bn((unsigned char *)p1
, DH1024_KEY_LEN
, NULL
);
204 s2len
= DH_compute_key((unsigned char *)s2
, pubkey_tmp
, dh4
);
206 tt_int_op(s1len
, OP_EQ
, s2len
);
207 tt_int_op(s1len
, OP_GT
, 0);
208 tt_mem_op(s1
, OP_EQ
, s2
, s1len
);
210 #endif /* defined(ENABLE_OPENSSL) */
215 crypto_dh_free(dh1_dup
);
216 #ifdef ENABLE_OPENSSL
222 #endif /* defined(ENABLE_OPENSSL) */
226 test_crypto_openssl_version(void *arg
)
232 const char *version
= crypto_openssl_get_version_str();
233 const char *h_version
= crypto_openssl_get_header_version_str();
235 tt_assert(h_version
);
236 if (strcmpstart(version
, h_version
)) { /* "-fips" suffix, etc */
237 TT_DIE(("OpenSSL library version %s did not begin with header version %s.",
238 version
, h_version
));
240 if (strstr(version
, "OpenSSL")) {
241 TT_DIE(("assertion failed: !strstr(\"%s\", \"OpenSSL\")", version
));
244 if (!strcmpstart(version
, "LibreSSL") || !strcmpstart(version
, "BoringSSL"))
246 int r
= tor_sscanf(version
, "%d.%d.%d", &a
,&b
,&c
);
247 tt_int_op(r
, OP_EQ
, 3);
248 tt_int_op(a
, OP_GE
, 0);
249 tt_int_op(b
, OP_GE
, 0);
250 tt_int_op(c
, OP_GE
, 0);
251 #endif /* defined(ENABLE_NSS) */
257 /** Run unit tests for our AES128 functionality */
259 test_crypto_aes128(void *arg
)
261 char *data1
= NULL
, *data2
= NULL
, *data3
= NULL
;
262 crypto_cipher_t
*env1
= NULL
, *env2
= NULL
;
264 char *mem_op_hex_tmp
=NULL
;
265 char key
[CIPHER_KEY_LEN
];
266 int use_evp
= !strcmp(arg
,"evp");
267 evaluate_evp_for_aes(use_evp
);
268 evaluate_ctr_for_aes();
270 data1
= tor_malloc(1024);
271 data2
= tor_malloc(1024);
272 data3
= tor_malloc(1024);
274 /* Now, test encryption and decryption with stream cipher. */
276 for (i
= 1023; i
>0; i
-= 35)
277 strncat(data1
, "Now is the time for all good onions", i
);
279 memset(data2
, 0, 1024);
280 memset(data3
, 0, 1024);
281 crypto_rand(key
, sizeof(key
));
282 env1
= crypto_cipher_new(key
);
283 tt_ptr_op(env1
, OP_NE
, NULL
);
284 env2
= crypto_cipher_new(key
);
285 tt_ptr_op(env2
, OP_NE
, NULL
);
287 /* Try encrypting 512 chars. */
288 crypto_cipher_encrypt(env1
, data2
, data1
, 512);
289 crypto_cipher_decrypt(env2
, data3
, data2
, 512);
290 tt_mem_op(data1
,OP_EQ
, data3
, 512);
291 tt_mem_op(data1
,OP_NE
, data2
, 512);
293 /* Now encrypt 1 at a time, and get 1 at a time. */
294 for (j
= 512; j
< 560; ++j
) {
295 crypto_cipher_encrypt(env1
, data2
+j
, data1
+j
, 1);
297 for (j
= 512; j
< 560; ++j
) {
298 crypto_cipher_decrypt(env2
, data3
+j
, data2
+j
, 1);
300 tt_mem_op(data1
,OP_EQ
, data3
, 560);
301 /* Now encrypt 3 at a time, and get 5 at a time. */
302 for (j
= 560; j
< 1024-5; j
+= 3) {
303 crypto_cipher_encrypt(env1
, data2
+j
, data1
+j
, 3);
305 for (j
= 560; j
< 1024-5; j
+= 5) {
306 crypto_cipher_decrypt(env2
, data3
+j
, data2
+j
, 5);
308 tt_mem_op(data1
,OP_EQ
, data3
, 1024-5);
309 /* Now make sure that when we encrypt with different chunk sizes, we get
311 crypto_cipher_free(env2
);
314 memset(data3
, 0, 1024);
315 env2
= crypto_cipher_new(key
);
316 tt_ptr_op(env2
, OP_NE
, NULL
);
317 for (j
= 0; j
< 1024-16; j
+= 17) {
318 crypto_cipher_encrypt(env2
, data3
+j
, data1
+j
, 17);
320 for (j
= 0; j
< 1024-16; ++j
) {
321 if (data2
[j
] != data3
[j
]) {
322 printf("%d: %d\t%d\n", j
, (int) data2
[j
], (int) data3
[j
]);
325 tt_mem_op(data2
,OP_EQ
, data3
, 1024-16);
326 crypto_cipher_free(env1
);
328 crypto_cipher_free(env2
);
331 /* NIST test vector for aes. */
333 env1
= crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
334 "\x00\x00\x00\x00\x00\x00\x00\x00");
335 crypto_cipher_encrypt(env1
, data1
,
336 "\x00\x00\x00\x00\x00\x00\x00\x00"
337 "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
338 test_memeq_hex(data1
, "0EDD33D3C621E546455BD8BA1418BEC8");
340 /* Now test rollover. All these values are originally from a python
342 crypto_cipher_free(env1
);
343 env1
= crypto_cipher_new_with_iv(
344 "\x80\x00\x00\x00\x00\x00\x00\x00"
345 "\x00\x00\x00\x00\x00\x00\x00\x00",
346 "\x00\x00\x00\x00\x00\x00\x00\x00"
347 "\xff\xff\xff\xff\xff\xff\xff\xff");
348 memset(data2
, 0, 1024);
349 crypto_cipher_encrypt(env1
, data1
, data2
, 32);
350 test_memeq_hex(data1
, "335fe6da56f843199066c14a00a40231"
351 "cdd0b917dbc7186908a6bfb5ffd574d3");
352 crypto_cipher_free(env1
);
353 env1
= crypto_cipher_new_with_iv(
354 "\x80\x00\x00\x00\x00\x00\x00\x00"
355 "\x00\x00\x00\x00\x00\x00\x00\x00",
356 "\x00\x00\x00\x00\xff\xff\xff\xff"
357 "\xff\xff\xff\xff\xff\xff\xff\xff");
358 memset(data2
, 0, 1024);
359 crypto_cipher_encrypt(env1
, data1
, data2
, 32);
360 test_memeq_hex(data1
, "e627c6423fa2d77832a02b2794094b73"
361 "3e63c721df790d2c6469cc1953a3ffac");
362 crypto_cipher_free(env1
);
363 env1
= crypto_cipher_new_with_iv(
364 "\x80\x00\x00\x00\x00\x00\x00\x00"
365 "\x00\x00\x00\x00\x00\x00\x00\x00",
366 "\xff\xff\xff\xff\xff\xff\xff\xff"
367 "\xff\xff\xff\xff\xff\xff\xff\xff");
368 memset(data2
, 0, 1024);
369 crypto_cipher_encrypt(env1
, data1
, data2
, 32);
370 test_memeq_hex(data1
, "2aed2bff0de54f9328efd070bf48f70a"
371 "0EDD33D3C621E546455BD8BA1418BEC8");
373 /* Now check rollover on inplace cipher. */
374 crypto_cipher_free(env1
);
375 env1
= crypto_cipher_new_with_iv(
376 "\x80\x00\x00\x00\x00\x00\x00\x00"
377 "\x00\x00\x00\x00\x00\x00\x00\x00",
378 "\xff\xff\xff\xff\xff\xff\xff\xff"
379 "\xff\xff\xff\xff\xff\xff\xff\xff");
380 crypto_cipher_crypt_inplace(env1
, data2
, 64);
381 test_memeq_hex(data2
, "2aed2bff0de54f9328efd070bf48f70a"
382 "0EDD33D3C621E546455BD8BA1418BEC8"
383 "93e2c5243d6839eac58503919192f7ae"
384 "1908e67cafa08d508816659c2e693191");
385 crypto_cipher_free(env1
);
386 env1
= crypto_cipher_new_with_iv(
387 "\x80\x00\x00\x00\x00\x00\x00\x00"
388 "\x00\x00\x00\x00\x00\x00\x00\x00",
389 "\xff\xff\xff\xff\xff\xff\xff\xff"
390 "\xff\xff\xff\xff\xff\xff\xff\xff");
391 crypto_cipher_crypt_inplace(env1
, data2
, 64);
392 tt_assert(fast_mem_is_zero(data2
, 64));
395 tor_free(mem_op_hex_tmp
);
397 crypto_cipher_free(env1
);
399 crypto_cipher_free(env2
);
406 test_crypto_aes_ctr_testvec(void *arg
)
408 const char *bitstr
= arg
;
409 char *mem_op_hex_tmp
=NULL
;
410 crypto_cipher_t
*c
=NULL
;
412 /* from NIST SP800-38a, section F.5 */
413 const char ctr16
[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
414 const char plaintext16
[] =
415 "6bc1bee22e409f96e93d7e117393172a"
416 "ae2d8a571e03ac9c9eb76fac45af8e51"
417 "30c81c46a35ce411e5fbc1191a0a52ef"
418 "f69f2445df4f9b17ad2b417be66c3710";
419 const char *ciphertext16
;
423 if (!strcmp(bitstr
, "128")) {
424 ciphertext16
= /* section F.5.1 */
425 "874d6191b620e3261bef6864990db6ce"
426 "9806f66b7970fdff8617187bb9fffdff"
427 "5ae4df3edbd5d35e5b4f09020db03eab"
428 "1e031dda2fbe03d1792170a0f3009cee";
429 key16
= "2b7e151628aed2a6abf7158809cf4f3c";
431 } else if (!strcmp(bitstr
, "192")) {
432 ciphertext16
= /* section F.5.3 */
433 "1abc932417521ca24f2b0459fe7e6e0b"
434 "090339ec0aa6faefd5ccc2c6f4ce8e94"
435 "1e36b26bd1ebc670d1bd1d665620abf7"
436 "4f78a7f6d29809585a97daec58c6b050";
437 key16
= "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b";
439 } else if (!strcmp(bitstr
, "256")) {
440 ciphertext16
= /* section F.5.5 */
441 "601ec313775789a5b7a7f504bbf3d228"
442 "f443e3ca4d62b59aca84e990cacaf5c5"
443 "2b0930daa23de94ce87017ba2d84988d"
444 "dfc9c58db67aada613c2dd08457941a6";
446 "603deb1015ca71be2b73aef0857d7781"
447 "1f352c073b6108d72d9810a30914dff4";
450 tt_abort_msg("AES doesn't support this number of bits.");
455 char plaintext
[16*4];
456 memset(key
, 0xf9, sizeof(key
)); /* poison extra bytes */
457 base16_decode(key
, sizeof(key
), key16
, strlen(key16
));
458 base16_decode(iv
, sizeof(iv
), ctr16
, strlen(ctr16
));
459 base16_decode(plaintext
, sizeof(plaintext
),
460 plaintext16
, strlen(plaintext16
));
462 c
= crypto_cipher_new_with_iv_and_bits((uint8_t*)key
, (uint8_t*)iv
, bits
);
463 crypto_cipher_crypt_inplace(c
, plaintext
, sizeof(plaintext
));
464 test_memeq_hex(plaintext
, ciphertext16
);
467 tor_free(mem_op_hex_tmp
);
468 crypto_cipher_free(c
);
471 /** Run unit tests for our SHA-1 functionality */
473 test_crypto_sha(void *arg
)
475 crypto_digest_t
*d1
= NULL
, *d2
= NULL
;
477 #define RFC_4231_MAX_KEY_SIZE 131
478 char key
[RFC_4231_MAX_KEY_SIZE
];
479 char digest
[DIGEST256_LEN
];
480 char data
[DIGEST512_LEN
];
481 char d_out1
[DIGEST512_LEN
], d_out2
[DIGEST512_LEN
];
482 char *mem_op_hex_tmp
=NULL
;
484 /* Test SHA-1 with a test vector from the specification. */
486 i
= crypto_digest(data
, "abc", 3);
487 test_memeq_hex(data
, "A9993E364706816ABA3E25717850C26C9CD0D89D");
488 tt_int_op(i
, OP_EQ
, 0);
490 /* Test SHA-256 with a test vector from the specification. */
491 i
= crypto_digest256(data
, "abc", 3, DIGEST_SHA256
);
492 test_memeq_hex(data
, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
493 "96177A9CB410FF61F20015AD");
494 tt_int_op(i
, OP_EQ
, 0);
496 /* Test SHA-512 with a test vector from the specification. */
497 i
= crypto_digest512(data
, "abc", 3, DIGEST_SHA512
);
498 test_memeq_hex(data
, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
499 "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
500 "feebbd454d4423643ce80e2a9ac94fa54ca49f");
501 tt_int_op(i
, OP_EQ
, 0);
503 /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
505 /* Case empty (wikipedia) */
506 crypto_hmac_sha256(digest
, "", 0, "", 0);
507 tt_str_op(hex_str(digest
, 32),OP_EQ
,
508 "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
510 /* Case quick-brown (wikipedia) */
511 crypto_hmac_sha256(digest
, "key", 3,
512 "The quick brown fox jumps over the lazy dog", 43);
513 tt_str_op(hex_str(digest
, 32),OP_EQ
,
514 "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
516 /* "Test Case 1" from RFC 4231 */
517 memset(key
, 0x0b, 20);
518 crypto_hmac_sha256(digest
, key
, 20, "Hi There", 8);
519 test_memeq_hex(digest
,
520 "b0344c61d8db38535ca8afceaf0bf12b"
521 "881dc200c9833da726e9376c2e32cff7");
523 /* "Test Case 2" from RFC 4231 */
524 memset(key
, 0x0b, 20);
525 crypto_hmac_sha256(digest
, "Jefe", 4, "what do ya want for nothing?", 28);
526 test_memeq_hex(digest
,
527 "5bdcc146bf60754e6a042426089575c7"
528 "5a003f089d2739839dec58b964ec3843");
530 /* "Test case 3" from RFC 4231 */
531 memset(key
, 0xaa, 20);
532 memset(data
, 0xdd, 50);
533 crypto_hmac_sha256(digest
, key
, 20, data
, 50);
534 test_memeq_hex(digest
,
535 "773ea91e36800e46854db8ebd09181a7"
536 "2959098b3ef8c122d9635514ced565fe");
538 /* "Test case 4" from RFC 4231 */
539 base16_decode(key
, 25,
540 "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
541 memset(data
, 0xcd, 50);
542 crypto_hmac_sha256(digest
, key
, 25, data
, 50);
543 test_memeq_hex(digest
,
544 "82558a389a443c0ea4cc819899f2083a"
545 "85f0faa3e578f8077a2e3ff46729665b");
547 /* "Test case 5" from RFC 4231 */
548 memset(key
, 0x0c, 20);
549 crypto_hmac_sha256(digest
, key
, 20, "Test With Truncation", 20);
550 test_memeq_hex(digest
,
551 "a3b6167473100ee06e0c796c2955552b");
553 /* "Test case 6" from RFC 4231 */
554 memset(key
, 0xaa, 131);
555 crypto_hmac_sha256(digest
, key
, 131,
556 "Test Using Larger Than Block-Size Key - Hash Key First",
558 test_memeq_hex(digest
,
559 "60e431591ee0b67f0d8a26aacbf5b77f"
560 "8e0bc6213728c5140546040f0ee37f54");
562 /* "Test case 7" from RFC 4231 */
563 memset(key
, 0xaa, 131);
564 crypto_hmac_sha256(digest
, key
, 131,
565 "This is a test using a larger than block-size key and a "
566 "larger than block-size data. The key needs to be hashed "
567 "before being used by the HMAC algorithm.", 152);
568 test_memeq_hex(digest
,
569 "9b09ffa71b942fcb27635fbcd5b0e944"
570 "bfdc63644f0713938a7f51535c3a35e2");
572 /* Incremental digest code. */
573 d1
= crypto_digest_new();
575 crypto_digest_add_bytes(d1
, "abcdef", 6);
576 d2
= crypto_digest_dup(d1
);
578 crypto_digest_add_bytes(d2
, "ghijkl", 6);
579 crypto_digest_get_digest(d2
, d_out1
, DIGEST_LEN
);
580 crypto_digest(d_out2
, "abcdefghijkl", 12);
581 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST_LEN
);
582 crypto_digest_assign(d2
, d1
);
583 crypto_digest_add_bytes(d2
, "mno", 3);
584 crypto_digest_get_digest(d2
, d_out1
, DIGEST_LEN
);
585 crypto_digest(d_out2
, "abcdefmno", 9);
586 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST_LEN
);
587 crypto_digest_get_digest(d1
, d_out1
, DIGEST_LEN
);
588 crypto_digest(d_out2
, "abcdef", 6);
589 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST_LEN
);
590 crypto_digest_free(d1
);
591 crypto_digest_free(d2
);
593 /* Incremental digest code with sha256 */
594 d1
= crypto_digest256_new(DIGEST_SHA256
);
596 crypto_digest_add_bytes(d1
, "abcdef", 6);
597 d2
= crypto_digest_dup(d1
);
599 crypto_digest_add_bytes(d2
, "ghijkl", 6);
600 crypto_digest_get_digest(d2
, d_out1
, DIGEST256_LEN
);
601 crypto_digest256(d_out2
, "abcdefghijkl", 12, DIGEST_SHA256
);
602 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
603 crypto_digest_assign(d2
, d1
);
604 crypto_digest_add_bytes(d2
, "mno", 3);
605 crypto_digest_get_digest(d2
, d_out1
, DIGEST256_LEN
);
606 crypto_digest256(d_out2
, "abcdefmno", 9, DIGEST_SHA256
);
607 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
608 crypto_digest_get_digest(d1
, d_out1
, DIGEST256_LEN
);
609 crypto_digest256(d_out2
, "abcdef", 6, DIGEST_SHA256
);
610 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
611 crypto_digest_free(d1
);
612 crypto_digest_free(d2
);
614 /* Incremental digest code with sha512 */
615 d1
= crypto_digest512_new(DIGEST_SHA512
);
617 crypto_digest_add_bytes(d1
, "abcdef", 6);
618 d2
= crypto_digest_dup(d1
);
620 crypto_digest_add_bytes(d2
, "ghijkl", 6);
621 crypto_digest_get_digest(d2
, d_out1
, DIGEST512_LEN
);
622 crypto_digest512(d_out2
, "abcdefghijkl", 12, DIGEST_SHA512
);
623 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
624 crypto_digest_assign(d2
, d1
);
625 crypto_digest_add_bytes(d2
, "mno", 3);
626 crypto_digest_get_digest(d2
, d_out1
, DIGEST512_LEN
);
627 crypto_digest512(d_out2
, "abcdefmno", 9, DIGEST_SHA512
);
628 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
629 crypto_digest_get_digest(d1
, d_out1
, DIGEST512_LEN
);
630 crypto_digest512(d_out2
, "abcdef", 6, DIGEST_SHA512
);
631 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
635 crypto_digest_free(d1
);
637 crypto_digest_free(d2
);
638 tor_free(mem_op_hex_tmp
);
642 test_crypto_sha3(void *arg
)
644 crypto_digest_t
*d1
= NULL
, *d2
= NULL
;
646 char data
[DIGEST512_LEN
];
647 char d_out1
[DIGEST512_LEN
], d_out2
[DIGEST512_LEN
];
648 char *mem_op_hex_tmp
=NULL
;
653 /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
655 * NB: The code package's test vectors have length expressed in bits.
658 /* Len = 8, Msg = CC */
659 const uint8_t keccak_kat_msg8
[] = { 0xcc };
660 i
= crypto_digest256(data
, (const char*)keccak_kat_msg8
, 1, DIGEST_SHA3_256
);
661 test_memeq_hex(data
, "677035391CD3701293D385F037BA3279"
662 "6252BB7CE180B00B582DD9B20AAAD7F0");
663 tt_int_op(i
, OP_EQ
, 0);
664 i
= crypto_digest512(data
, (const char*)keccak_kat_msg8
, 1, DIGEST_SHA3_512
);
665 test_memeq_hex(data
, "3939FCC8B57B63612542DA31A834E5DC"
666 "C36E2EE0F652AC72E02624FA2E5ADEEC"
667 "C7DD6BB3580224B4D6138706FC6E8059"
668 "7B528051230B00621CC2B22999EAA205");
669 tt_int_op(i
, OP_EQ
, 0);
671 /* Len = 24, Msg = 1F877C */
672 const uint8_t keccak_kat_msg24
[] = { 0x1f, 0x87, 0x7c };
673 i
= crypto_digest256(data
, (const char*)keccak_kat_msg24
, 3,
675 test_memeq_hex(data
, "BC22345E4BD3F792A341CF18AC0789F1"
676 "C9C966712A501B19D1B6632CCD408EC5");
677 tt_int_op(i
, OP_EQ
, 0);
678 i
= crypto_digest512(data
, (const char*)keccak_kat_msg24
, 3,
680 test_memeq_hex(data
, "CB20DCF54955F8091111688BECCEF48C"
681 "1A2F0D0608C3A575163751F002DB30F4"
682 "0F2F671834B22D208591CFAF1F5ECFE4"
683 "3C49863A53B3225BDFD7C6591BA7658B");
684 tt_int_op(i
, OP_EQ
, 0);
686 /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
687 const uint8_t keccak_kat_msg1080
[] = {
688 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
689 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
690 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
691 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
692 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
693 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
694 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
695 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
696 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
697 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
698 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
699 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
700 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
701 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
703 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1080
, 135,
705 test_memeq_hex(data
, "A19EEE92BB2097B64E823D597798AA18"
706 "BE9B7C736B8059ABFD6779AC35AC81B5");
707 tt_int_op(i
, OP_EQ
, 0);
708 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1080
, 135,
710 test_memeq_hex(data
, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
711 "CB78696773A212A5F62D02D14E3259D1"
712 "92A87EBA4407DD83893527331407B6DA"
713 "DAAD920DBC46489B677493CE5F20B595");
714 tt_int_op(i
, OP_EQ
, 0);
716 /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
717 const uint8_t keccak_kat_msg1088
[] = {
718 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
719 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
720 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
721 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
722 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
723 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
724 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
725 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
726 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
727 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
728 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
729 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
730 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
731 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
733 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1088
, 136,
735 test_memeq_hex(data
, "DF673F4105379FF6B755EEAB20CEB0DC"
736 "77B5286364FE16C59CC8A907AFF07732");
737 tt_int_op(i
, OP_EQ
, 0);
738 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1088
, 136,
740 test_memeq_hex(data
, "2E293765022D48996CE8EFF0BE54E87E"
741 "FB94A14C72DE5ACD10D0EB5ECE029CAD"
742 "FA3BA17A40B2FFA2163991B17786E51C"
743 "ABA79E5E0FFD34CF085E2A098BE8BACB");
744 tt_int_op(i
, OP_EQ
, 0);
746 /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
747 const uint8_t keccak_kat_msg1096
[] = {
748 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
749 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
750 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
751 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
752 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
753 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
754 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
755 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
756 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
757 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
758 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
759 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
760 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
761 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
763 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1096
, 137,
765 test_memeq_hex(data
, "D52432CF3B6B4B949AA848E058DCD62D"
766 "735E0177279222E7AC0AF8504762FAA0");
767 tt_int_op(i
, OP_EQ
, 0);
768 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1096
, 137,
770 test_memeq_hex(data
, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
771 "40474041DE83D4A60645A826D7AF1ABE"
772 "1EEFCB7B74B62CA6A514E5F2697D585B"
773 "FECECE12931BBE1D4ED7EBF7B0BE660E");
774 tt_int_op(i
, OP_EQ
, 0);
776 /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
777 const uint8_t keccak_kat_msg1144
[] = {
778 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
779 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
780 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
781 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
782 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
783 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
784 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
785 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
786 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
787 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
788 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
789 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
790 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
791 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
794 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1144
, 143,
796 test_memeq_hex(data
, "3A8E938C45F3F177991296B24565D9A6"
797 "605516615D96A062C8BE53A0D6C5A648"
798 "7BE35D2A8F3CF6620D0C2DBA2C560D68"
799 "295F284BE7F82F3B92919033C9CE5D80");
800 tt_int_op(i
, OP_EQ
, 0);
801 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1144
, 143,
803 test_memeq_hex(data
, "E58A947E98D6DD7E932D2FE02D9992E6"
804 "118C0C2C606BDCDA06E7943D2C95E0E5");
805 tt_int_op(i
, OP_EQ
, 0);
807 /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
808 const uint8_t keccak_kat_msg1152
[] = {
809 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
810 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
811 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
812 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
813 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
814 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
815 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
816 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
817 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
818 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
819 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
820 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
821 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
822 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
823 0x9E, 0xE0, 0x0C, 0x63,
825 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1152
, 144,
827 test_memeq_hex(data
, "FE45289874879720CE2A844AE34BB735"
828 "22775DCB6019DCD22B8885994672A088"
829 "9C69E8115C641DC8B83E39F7311815A1"
830 "64DC46E0BA2FCA344D86D4BC2EF2532C");
831 tt_int_op(i
, OP_EQ
, 0);
832 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1152
, 144,
834 test_memeq_hex(data
, "A936FB9AF87FB67857B3EAD5C76226AD"
835 "84DA47678F3C2FFE5A39FDB5F7E63FFB");
836 tt_int_op(i
, OP_EQ
, 0);
838 /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
839 const uint8_t keccak_kat_msg1160
[] = {
840 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
841 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
842 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
843 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
844 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
845 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
846 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
847 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
848 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
849 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
850 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
851 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
852 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
853 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
854 0x70, 0x11, 0x04, 0x4C, 0x53,
856 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1160
, 145,
858 test_memeq_hex(data
, "AFF61C6E11B98E55AC213B1A0BC7DE04"
859 "05221AC5EFB1229842E4614F4A029C9B"
860 "D14A0ED7FD99AF3681429F3F309FDB53"
861 "166AA9A3CD9F1F1223D04B4A9015E94A");
862 tt_int_op(i
, OP_EQ
, 0);
863 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1160
, 145,
865 test_memeq_hex(data
, "3A654B88F88086C2751EDAE6D3924814"
866 "3CF6235C6B0B7969342C45A35194B67E");
867 tt_int_op(i
, OP_EQ
, 0);
869 /* SHA3-[256,512] Empty case (wikipedia) */
870 i
= crypto_digest256(data
, "", 0, DIGEST_SHA3_256
);
871 test_memeq_hex(data
, "a7ffc6f8bf1ed76651c14756a061d662"
872 "f580ff4de43b49fa82d80a4b80f8434a");
873 tt_int_op(i
, OP_EQ
, 0);
874 i
= crypto_digest512(data
, "", 0, DIGEST_SHA3_512
);
875 test_memeq_hex(data
, "a69f73cca23a9ac5c8b567dc185a756e"
876 "97c982164fe25859e0d1dcc1475c80a6"
877 "15b2123af1f5f94c11e3e9402c3ac558"
878 "f500199d95b6d3e301758586281dcd26");
879 tt_int_op(i
, OP_EQ
, 0);
881 /* Incremental digest code with SHA3-256 */
882 d1
= crypto_digest256_new(DIGEST_SHA3_256
);
884 crypto_digest_add_bytes(d1
, "abcdef", 6);
885 d2
= crypto_digest_dup(d1
);
887 crypto_digest_add_bytes(d2
, "ghijkl", 6);
888 crypto_digest_get_digest(d2
, d_out1
, DIGEST256_LEN
);
889 crypto_digest256(d_out2
, "abcdefghijkl", 12, DIGEST_SHA3_256
);
890 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
891 crypto_digest_assign(d2
, d1
);
892 crypto_digest_add_bytes(d2
, "mno", 3);
893 crypto_digest_get_digest(d2
, d_out1
, DIGEST256_LEN
);
894 crypto_digest256(d_out2
, "abcdefmno", 9, DIGEST_SHA3_256
);
895 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
896 crypto_digest_get_digest(d1
, d_out1
, DIGEST256_LEN
);
897 crypto_digest256(d_out2
, "abcdef", 6, DIGEST_SHA3_256
);
898 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
899 crypto_digest_free(d1
);
900 crypto_digest_free(d2
);
902 /* Incremental digest code with SHA3-512 */
903 d1
= crypto_digest512_new(DIGEST_SHA3_512
);
905 crypto_digest_add_bytes(d1
, "abcdef", 6);
906 d2
= crypto_digest_dup(d1
);
908 crypto_digest_add_bytes(d2
, "ghijkl", 6);
909 crypto_digest_get_digest(d2
, d_out1
, DIGEST512_LEN
);
910 crypto_digest512(d_out2
, "abcdefghijkl", 12, DIGEST_SHA3_512
);
911 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
912 crypto_digest_assign(d2
, d1
);
913 crypto_digest_add_bytes(d2
, "mno", 3);
914 crypto_digest_get_digest(d2
, d_out1
, DIGEST512_LEN
);
915 crypto_digest512(d_out2
, "abcdefmno", 9, DIGEST_SHA3_512
);
916 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
917 crypto_digest_get_digest(d1
, d_out1
, DIGEST512_LEN
);
918 crypto_digest512(d_out2
, "abcdef", 6, DIGEST_SHA3_512
);
919 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
920 crypto_digest_free(d1
);
922 /* Attempt to exercise the incremental hashing code by creating a randomized
923 * 30 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512
924 * is used because it has a lowest rate of the family (the code is common,
925 * but the slower rate exercises more of it).
927 const size_t bufsz
= 30 * 1024;
929 large
= tor_malloc(bufsz
);
930 crypto_rand(large
, bufsz
);
931 d1
= crypto_digest512_new(DIGEST_SHA3_512
); /* Running digest. */
933 /* Pick how much data to add to the running digest. */
934 size_t incr
= (size_t)crypto_rand_int_range(1, 72 * 5);
935 incr
= MIN(bufsz
- j
, incr
);
937 /* Add the data, and calculate the hash. */
938 crypto_digest_add_bytes(d1
, large
+ j
, incr
);
939 crypto_digest_get_digest(d1
, d_out1
, DIGEST512_LEN
);
941 /* One-shot hash the buffer up to the data that was just added,
942 * and ensure that the values match up.
944 * XXX/yawning: If this actually fails, it'll be rather difficult to
945 * reproduce. Improvements welcome.
947 i
= crypto_digest512(d_out2
, large
, j
+ incr
, DIGEST_SHA3_512
);
948 tt_int_op(i
, OP_EQ
, 0);
949 tt_mem_op(d_out1
, OP_EQ
, d_out2
, DIGEST512_LEN
);
956 crypto_digest_free(d1
);
958 crypto_digest_free(d2
);
960 tor_free(mem_op_hex_tmp
);
963 /** Run unit tests for our XOF. */
965 test_crypto_sha3_xof(void *arg
)
970 char *mem_op_hex_tmp
=NULL
;
974 /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */
975 base16_decode((char *)msg
, 255,
976 "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431"
977 "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1"
978 "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F"
979 "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457"
980 "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186"
981 "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3"
982 "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565"
983 "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7"
984 "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510);
985 const char *squeezed_hex
=
986 "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE"
987 "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A"
988 "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84"
989 "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF"
990 "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60"
991 "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9"
992 "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34"
993 "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF"
994 "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90"
995 "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC"
996 "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18"
997 "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775"
998 "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B"
999 "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2"
1000 "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78"
1001 "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9"
1002 "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39"
1005 /* Test oneshot absorb/squeeze. */
1006 xof
= crypto_xof_new();
1008 crypto_xof_add_bytes(xof
, msg
, sizeof(msg
));
1009 crypto_xof_squeeze_bytes(xof
, out
, sizeof(out
));
1010 test_memeq_hex(out
, squeezed_hex
);
1011 crypto_xof_free(xof
);
1012 memset(out
, 0, sizeof(out
));
1014 /* Test one-function absorb/squeeze. */
1015 crypto_xof(out
, sizeof(out
), msg
, sizeof(msg
));
1016 test_memeq_hex(out
, squeezed_hex
);
1017 memset(out
, 0, sizeof(out
));
1019 /* Test incremental absorb/squeeze. */
1020 xof
= crypto_xof_new();
1022 for (size_t i
= 0; i
< sizeof(msg
); i
++)
1023 crypto_xof_add_bytes(xof
, msg
+ i
, 1);
1024 for (size_t i
= 0; i
< sizeof(out
); i
++) {
1025 crypto_xof_squeeze_bytes(xof
, out
+ i
, 1);
1027 test_memeq_hex(out
, squeezed_hex
);
1031 crypto_xof_free(xof
);
1032 tor_free(mem_op_hex_tmp
);
1035 /* Test our MAC-SHA3 function. There are not actually any MAC-SHA3 test
1036 * vectors out there for our H(len(k) || k || m) construction. Hence what we
1037 * are gonna do is test our crypto_mac_sha3_256() function against manually
1038 * doing H(len(k) || k||m). If in the future the Keccak group decides to
1039 * standarize an MAC construction and make test vectors, we should
1040 * incorporate them here. */
1042 test_crypto_mac_sha3(void *arg
)
1044 const char msg
[] = "i am in a library somewhere using my computer";
1045 const char key
[] = "i'm from the past talking to the future.";
1047 uint8_t hmac_test
[DIGEST256_LEN
];
1048 char hmac_manual
[DIGEST256_LEN
];
1052 /* First let's use our nice HMAC-SHA3 function */
1053 crypto_mac_sha3_256(hmac_test
, sizeof(hmac_test
),
1054 (uint8_t *) key
, strlen(key
),
1055 (uint8_t *) msg
, strlen(msg
));
1057 /* Now let's try a manual H(len(k) || k || m) construction */
1059 char *key_msg_concat
= NULL
, *all
= NULL
;
1061 const uint64_t key_len_netorder
= tor_htonll(strlen(key
));
1064 tor_asprintf(&key_msg_concat
, "%s%s", key
, msg
);
1065 all_len
= sizeof(key_len_netorder
) + strlen(key_msg_concat
);
1066 all
= tor_malloc_zero(all_len
);
1067 memcpy(all
, &key_len_netorder
, sizeof(key_len_netorder
));
1068 memcpy(all
+ sizeof(key_len_netorder
), key_msg_concat
,
1069 strlen(key_msg_concat
));
1071 result
= crypto_digest256(hmac_manual
, all
, all_len
, DIGEST_SHA3_256
);
1072 tor_free(key_msg_concat
);
1074 tt_int_op(result
, OP_EQ
, 0);
1077 /* Now compare the two results */
1078 tt_mem_op(hmac_test
, OP_EQ
, hmac_manual
, DIGEST256_LEN
);
1083 /** Run unit tests for our public key crypto functions */
1085 test_crypto_pk(void *arg
)
1087 crypto_pk_t
*pk1
= NULL
, *pk2
= NULL
;
1088 char *encoded
= NULL
;
1089 char data1
[1024], data2
[1024], data3
[1024];
1093 /* Public-key ciphers */
1095 pk1
= pk_generate(0);
1096 pk2
= crypto_pk_new();
1097 tt_assert(pk1
&& pk2
);
1098 tt_assert(! crypto_pk_write_public_key_to_string(pk1
, &encoded
, &size
));
1099 tt_assert(! crypto_pk_read_public_key_from_string(pk2
, encoded
, size
));
1100 tt_int_op(0,OP_EQ
, crypto_pk_cmp_keys(pk1
, pk2
));
1102 /* comparison between keys and NULL */
1103 tt_int_op(crypto_pk_cmp_keys(NULL
, pk1
), OP_LT
, 0);
1104 tt_int_op(crypto_pk_cmp_keys(NULL
, NULL
), OP_EQ
, 0);
1105 tt_int_op(crypto_pk_cmp_keys(pk1
, NULL
), OP_GT
, 0);
1107 tt_int_op(128,OP_EQ
, crypto_pk_keysize(pk1
));
1108 tt_int_op(1024,OP_EQ
, crypto_pk_num_bits(pk1
));
1109 tt_int_op(128,OP_EQ
, crypto_pk_keysize(pk2
));
1110 tt_int_op(1024,OP_EQ
, crypto_pk_num_bits(pk2
));
1112 tt_int_op(128,OP_EQ
, crypto_pk_public_encrypt(pk2
, data1
, sizeof(data1
),
1113 "Hello whirled.", 15,
1114 PK_PKCS1_OAEP_PADDING
));
1115 tt_int_op(128,OP_EQ
, crypto_pk_public_encrypt(pk1
, data2
, sizeof(data1
),
1116 "Hello whirled.", 15,
1117 PK_PKCS1_OAEP_PADDING
));
1118 /* oaep padding should make encryption not match */
1119 tt_mem_op(data1
,OP_NE
, data2
, 128);
1121 crypto_pk_private_decrypt(pk1
, data3
, sizeof(data3
), data1
, 128,
1122 PK_PKCS1_OAEP_PADDING
,1));
1123 tt_str_op(data3
,OP_EQ
, "Hello whirled.");
1124 memset(data3
, 0, 1024);
1126 crypto_pk_private_decrypt(pk1
, data3
, sizeof(data3
), data2
, 128,
1127 PK_PKCS1_OAEP_PADDING
,1));
1128 tt_str_op(data3
,OP_EQ
, "Hello whirled.");
1129 /* Can't decrypt with public key. */
1131 crypto_pk_private_decrypt(pk2
, data3
, sizeof(data3
), data2
, 128,
1132 PK_PKCS1_OAEP_PADDING
,1));
1133 /* Try again with bad padding */
1134 memcpy(data2
+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
1136 crypto_pk_private_decrypt(pk1
, data3
, sizeof(data3
), data2
, 128,
1137 PK_PKCS1_OAEP_PADDING
,1));
1139 /* File operations: save and load private key */
1140 tt_assert(! crypto_pk_write_private_key_to_filename(pk1
,
1141 get_fname("pkey1")));
1142 /* failing case for read: can't read. */
1143 tt_int_op(crypto_pk_read_private_key_from_filename(pk2
, get_fname("xyzzy")),
1145 write_str_to_file(get_fname("xyzzy"), "foobar", 6);
1146 /* Failing case for read: no key. */
1147 tt_int_op(crypto_pk_read_private_key_from_filename(pk2
, get_fname("xyzzy")),
1149 tt_assert(! crypto_pk_read_private_key_from_filename(pk2
,
1150 get_fname("pkey1")));
1152 crypto_pk_private_decrypt(pk2
, data3
, sizeof(data3
), data1
, 128,
1153 PK_PKCS1_OAEP_PADDING
,1));
1155 /* Now try signing. */
1156 strlcpy(data1
, "Ossifrage", 1024);
1157 tt_int_op(128,OP_EQ
,
1158 crypto_pk_private_sign(pk1
, data2
, sizeof(data2
), data1
, 10));
1160 crypto_pk_public_checksig(pk1
, data3
, sizeof(data3
), data2
, 128));
1161 tt_str_op(data3
,OP_EQ
, "Ossifrage");
1162 /* Try signing digests. */
1163 tt_int_op(128,OP_EQ
, crypto_pk_private_sign_digest(pk1
, data2
, sizeof(data2
),
1166 crypto_pk_public_checksig(pk1
, data3
, sizeof(data3
), data2
, 128));
1168 crypto_pk_public_checksig_digest(pk1
, data1
, 10, data2
, 128));
1170 crypto_pk_public_checksig_digest(pk1
, data1
, 11, data2
, 128));
1172 /*XXXX test failed signing*/
1175 crypto_pk_free(pk2
);
1177 i
= crypto_pk_asn1_encode(pk1
, data1
, 1024);
1178 tt_int_op(i
, OP_GT
, 0);
1179 pk2
= crypto_pk_asn1_decode(data1
, i
);
1180 tt_int_op(crypto_pk_cmp_keys(pk1
, pk2
), OP_EQ
, 0);
1182 /* Try with hybrid encryption wrappers. */
1183 crypto_rand(data1
, 1024);
1184 for (i
= 85; i
< 140; ++i
) {
1185 memset(data2
,0,1024);
1186 memset(data3
,0,1024);
1187 len
= crypto_pk_obsolete_public_hybrid_encrypt(pk1
,data2
,sizeof(data2
),
1188 data1
,i
,PK_PKCS1_OAEP_PADDING
,0);
1189 tt_int_op(len
, OP_GE
, 0);
1190 len
= crypto_pk_obsolete_private_hybrid_decrypt(pk1
,data3
,sizeof(data3
),
1191 data2
,len
,PK_PKCS1_OAEP_PADDING
,1);
1192 tt_int_op(len
,OP_EQ
, i
);
1193 tt_mem_op(data1
,OP_EQ
, data3
,i
);
1197 crypto_pk_free(pk2
);
1198 pk2
= crypto_pk_copy_full(pk1
);
1199 tt_ptr_op(pk2
, OP_NE
, NULL
);
1200 tt_ptr_op(pk1
, OP_NE
, pk2
);
1201 tt_int_op(crypto_pk_cmp_keys(pk1
, pk2
), OP_EQ
, 0);
1205 crypto_pk_free(pk1
);
1207 crypto_pk_free(pk2
);
1212 test_crypto_pk_fingerprints(void *arg
)
1214 crypto_pk_t
*pk
= NULL
;
1216 char d
[DIGEST_LEN
], d2
[DIGEST_LEN
];
1217 char fingerprint
[FINGERPRINT_LEN
+1];
1220 char *mem_op_hex_tmp
=NULL
;
1224 pk
= pk_generate(1);
1226 n
= crypto_pk_asn1_encode(pk
, encoded
, sizeof(encoded
));
1227 tt_int_op(n
, OP_GT
, 0);
1228 tt_int_op(n
, OP_GT
, 128);
1229 tt_int_op(n
, OP_LT
, 256);
1231 /* Is digest as expected? */
1232 crypto_digest(d
, encoded
, n
);
1233 tt_int_op(0, OP_EQ
, crypto_pk_get_digest(pk
, d2
));
1234 tt_mem_op(d
,OP_EQ
, d2
, DIGEST_LEN
);
1236 /* Is fingerprint right? */
1237 tt_int_op(0, OP_EQ
, crypto_pk_get_fingerprint(pk
, fingerprint
, 0));
1238 tt_int_op(strlen(fingerprint
), OP_EQ
, DIGEST_LEN
* 2);
1239 test_memeq_hex(d
, fingerprint
);
1241 /* Are spaces right? */
1242 tt_int_op(0, OP_EQ
, crypto_pk_get_fingerprint(pk
, fingerprint
, 1));
1243 for (i
= 4; i
< strlen(fingerprint
); i
+= 5) {
1244 tt_int_op(fingerprint
[i
], OP_EQ
, ' ');
1246 tor_strstrip(fingerprint
, " ");
1247 tt_int_op(strlen(fingerprint
), OP_EQ
, DIGEST_LEN
* 2);
1248 test_memeq_hex(d
, fingerprint
);
1250 /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
1251 crypto_digest(d2
, d
, sizeof(d
));
1252 tt_int_op(0, OP_EQ
, crypto_pk_get_hashed_fingerprint(pk
, fingerprint
));
1253 tt_int_op(strlen(fingerprint
), OP_EQ
, DIGEST_LEN
* 2);
1254 test_memeq_hex(d2
, fingerprint
);
1258 tor_free(mem_op_hex_tmp
);
1262 test_crypto_pk_base64(void *arg
)
1264 crypto_pk_t
*pk1
= NULL
;
1265 crypto_pk_t
*pk2
= NULL
;
1266 char *encoded
= NULL
;
1270 /* Test Base64 encoding a key. */
1271 pk1
= pk_generate(0);
1273 tt_int_op(0, OP_EQ
, crypto_pk_base64_encode_private(pk1
, &encoded
));
1276 /* Test decoding a valid key. */
1277 pk2
= crypto_pk_base64_decode_private(encoded
, strlen(encoded
));
1279 tt_int_op(crypto_pk_cmp_keys(pk1
, pk2
), OP_EQ
, 0);
1280 crypto_pk_free(pk2
);
1282 /* Test decoding a invalid key (not Base64). */
1283 static const char *invalid_b64
= "The key is in another castle!";
1284 pk2
= crypto_pk_base64_decode_private(invalid_b64
, strlen(invalid_b64
));
1285 tt_ptr_op(pk2
, OP_EQ
, NULL
);
1287 /* Test decoding a truncated Base64 blob. */
1288 pk2
= crypto_pk_base64_decode_private(encoded
, strlen(encoded
)/2);
1289 tt_ptr_op(pk2
, OP_EQ
, NULL
);
1292 crypto_pk_free(pk1
);
1293 crypto_pk_free(pk2
);
1298 test_crypto_pk_pem_encrypted(void *arg
)
1300 crypto_pk_t
*pk
= NULL
;
1303 pk
= crypto_pk_new();
1304 /* we need to make sure that we won't stall if somebody gives us a key
1305 that's encrypted with a password. */
1308 "-----BEGIN RSA PRIVATE KEY-----\n"
1309 "Proc-Type: 4,ENCRYPTED\n"
1310 "DEK-Info: AES-128-CBC,EFA86BB9D2AB11E80B4E3DCD97782B16\n"
1312 "Z2Je4m0cFepc6coQkVbGcvNCHxTf941N2XYEVE6kn0CqWqoUH4tlwV6for5D91np\n"
1313 "5NiEFTkWj31EhrvrYcuiJtQ/iEbABxZULFWFeJ058rb+1izBz5rScqnEacIS/3Go\n"
1314 "YntnROBDwiKmUnue6PJVYg==\n"
1315 "-----END RSA PRIVATE KEY-----\n";
1316 tt_int_op(-1, OP_EQ
,
1317 crypto_pk_read_private_key_from_string(pk
, s
, strlen(s
)));
1319 /* For fun, make sure we aren't hit by OpenSSL issue
1320 https://github.com/openssl/openssl/issues/6347 , where we get in trouble
1321 if a cipher doesn't use an IV.
1325 "-----BEGIN RSA PUBLIC KEY-----\n"
1326 "Proc-Type:4,ENCRYPTED\n"
1327 "DEK-Info:des-ede -\n"
1330 "-----END RSA PUBLIC KEY-----\n";
1331 tt_int_op(-1, OP_EQ
,
1332 crypto_pk_read_public_key_from_string(pk
, s
, strlen(s
)));
1339 test_crypto_pk_bad_size(void *arg
)
1342 crypto_pk_t
*pk1
= pk_generate(0);
1343 crypto_pk_t
*pk2
= NULL
;
1345 int n
= crypto_pk_asn1_encode_private(pk1
, buf
, sizeof(buf
));
1346 tt_int_op(n
, OP_GT
, 0);
1348 /* Set the max bit count smaller: we should refuse to decode the key.*/
1349 pk2
= crypto_pk_asn1_decode_private(buf
, n
, 1020);
1352 /* Set the max bit count one bit smaller: we should refuse to decode the
1354 pk2
= crypto_pk_asn1_decode_private(buf
, n
, 1023);
1357 /* Correct size: should work. */
1358 pk2
= crypto_pk_asn1_decode_private(buf
, n
, 1024);
1360 crypto_pk_free(pk2
);
1362 /* One bit larger: should work. */
1363 pk2
= crypto_pk_asn1_decode_private(buf
, n
, 1025);
1365 crypto_pk_free(pk2
);
1367 /* Set the max bit count larger: it should decode fine. */
1368 pk2
= crypto_pk_asn1_decode_private(buf
, n
, 2048);
1372 crypto_pk_free(pk1
);
1373 crypto_pk_free(pk2
);
1377 test_crypto_pk_invalid_private_key(void *arg
)
1380 /* Here is a simple invalid private key: it was produced by making
1381 * a regular private key, and then adding 2 to the modulus. */
1383 "-----BEGIN RSA PRIVATE KEY-----\n"
1384 "MIIEpQIBAAKCAQEAskRyZrs+YAukvBmZlgo6/rCxyKF2xyUk073ap+2CgRUnSfGG\n"
1385 "mflHlzqVq7tpH50DafpS+fFAbaEaNV/ac20QG0rUZi38HTB4qURWOu6n0Bws6E4l\n"
1386 "UX/AkvDlWnuYH0pHHi2c3DGNFjwoJpjKuUTk+cRffVR8X3Kjr62SUDUaBNW0Kecz\n"
1387 "3SYLbmgmZI16dFZ+g9sNM3znXZbhvb33WwPqpZSSPs37cPgF7eS6mAw/gUMx6zfE\n"
1388 "HRmUnOQSzUdS05rvc/hsiCLhiIZ8hgfkD07XnTT1Ds8DwE55k7BUWY2wvwWCNLsH\n"
1389 "qtqAxTr615XdkMxVkYgImpqPybarpfNYhFqkOwIDAQABAoIBACPC3VxEdbfYvhxJ\n"
1390 "2mih9sG++nswAN7kUaX0cRe86rAwaShJPmJHApiQ1ROVTfpciiHJaLnhLraPWe2Z\n"
1391 "I/6Bw3hmI4O399p3Lc1u+wlpdNqnvE6B1rSptx0DHE9xecvVH70rE0uM2Su7t6Y+\n"
1392 "gnR2IKUGQs2mlCilm7aTUEWs0WJkkl4CG1dyxItuOSdNBjOEzXimJyiB10jEBFsp\n"
1393 "SZeCF2FZ7AJbck5CVC42+oTsiDbZrHTHOn7v26rFGdONeHD1wOI1v7JwHFpCB923\n"
1394 "aEHBzsPbMeq7DWG1rjzCYpcXHhTDBDBWSia4SEhyr2Nl7m7qxWWWwR+x4dqAj3rD\n"
1395 "HeTmos0CgYEA6uf1CLpjPpOs5IaW1DQI8dJA/xFEAC/6GVgq4nFOGHZrm8G3L5o+\n"
1396 "qvtQNMpDs2naWuZpqROFqv24o01DykHygR72GlPIY6uvmmf5tvJLoGnbFUay33L4\n"
1397 "7b9dkNhuEIBNPzVDie0pgS77WgaPbYkVv5fnDwgPuVnkqfakEt7Pz2MCgYEAwkZ5\n"
1398 "R1wLuTQEA2Poo6Gf4L8Bg6yNYI46LHDqDIs818iYLjtcnEEvbPfaoKNpOn7s7s4O\n"
1399 "Pc+4HnT1aIQs0IKVLRTp+5a/9wfOkPZnobWOUHZk9UzBL3Hc1uy/qhp93iE3tSzx\n"
1400 "v0O1pvR+hr3guTCZx8wZnDvaMgG3hlyPnVlHdrMCgYEAzQQxGbMC1ySv6quEjCP2\n"
1401 "AogMbhE1lixJTUFj/EoDbNo9xKznIkauly/Lqqc1OysRhfA/G2+MY9YZBX1zwtyX\n"
1402 "uBW7mPKynDrFgi9pBECnvJNmwET57Ic9ttIj6Tzbos83nAjyrzgr1zGX8dRz7ZeN\n"
1403 "QbBj2vygLJbGOYinXkjUeh0CgYEAhN5aF9n2EqZmkEMGWtMxWy6HRJ0A3Cap1rcq\n"
1404 "+4VHCXWhzwy+XAeg/e/N0MuyLlWcif7XcqLcE8h+BwtO8xQ8HmcNWApUJAls12wO\n"
1405 "mGRpftJaXgIupdpD5aJpu1b++qrRRNIGTH9sf1D8L/8w8LcylZkbcuTkaAsQj45C\n"
1406 "kqT64U0CgYEAq47IKS6xc3CDc17BqExR6t+1yRe+4ml+z1zcVbfUKony4pGvl1yo\n"
1407 "rk0IYDN5Vd8h5xtXrkPdX9h+ywmohnelDKsayEuE+opyqEpSU4/96Bb22RZUoucb\n"
1408 "LWkV5gZx5hFnDFtEd4vadMIiY4jVv/3JqiZDKwMVBJKlHRXJEEmIEBk=\n"
1409 "-----END RSA PRIVATE KEY-----\n";
1411 crypto_pk_t
*pk
= NULL
;
1413 pk
= crypto_pk_new();
1414 setup_capture_of_logs(LOG_WARN
);
1415 tt_int_op(-1, OP_EQ
,
1416 crypto_pk_read_private_key_from_string(pk
, pem
, strlen(pem
)));
1418 expect_single_log_msg_containing("received bad data");
1420 expect_single_log_msg_containing("while checking RSA key");
1423 teardown_capture_of_logs();
1427 #ifdef HAVE_TRUNCATE
1428 #define do_truncate truncate
1431 do_truncate(const char *fname
, size_t len
)
1436 bytes
= read_file_to_str(fname
, RFTS_BIN
, &st
);
1439 /* This cast isn't so great, but it should be safe given the actual files
1440 * and lengths we're using. */
1441 if (st
.st_size
< (off_t
)len
)
1442 len
= MIN(len
, (size_t)st
.st_size
);
1444 int r
= write_bytes_to_file(fname
, bytes
, len
, 1);
1448 #endif /* defined(HAVE_TRUNCATE) */
1450 /** Sanity check for crypto pk digests */
1452 test_crypto_digests(void *arg
)
1454 crypto_pk_t
*k
= NULL
;
1456 common_digests_t pkey_digests
;
1457 char digest
[DIGEST_LEN
];
1460 k
= crypto_pk_new();
1462 r
= crypto_pk_read_private_key_from_string(k
, AUTHORITY_SIGNKEY_3
,
1463 strlen(AUTHORITY_SIGNKEY_3
));
1466 r
= crypto_pk_get_digest(k
, digest
);
1468 tt_mem_op(hex_str(digest
, DIGEST_LEN
),OP_EQ
,
1469 AUTHORITY_SIGNKEY_A_DIGEST
, HEX_DIGEST_LEN
);
1471 r
= crypto_pk_get_common_digests(k
, &pkey_digests
);
1472 tt_int_op(r
, OP_EQ
, 0);
1474 tt_mem_op(hex_str(pkey_digests
.d
[DIGEST_SHA1
], DIGEST_LEN
),OP_EQ
,
1475 AUTHORITY_SIGNKEY_A_DIGEST
, HEX_DIGEST_LEN
);
1476 tt_mem_op(hex_str(pkey_digests
.d
[DIGEST_SHA256
], DIGEST256_LEN
),OP_EQ
,
1477 AUTHORITY_SIGNKEY_A_DIGEST256
, HEX_DIGEST256_LEN
);
1483 test_crypto_digest_names(void *arg
)
1485 static const struct {
1486 int a
; const char *n
;
1488 { DIGEST_SHA1
, "sha1" },
1489 { DIGEST_SHA256
, "sha256" },
1490 { DIGEST_SHA512
, "sha512" },
1491 { DIGEST_SHA3_256
, "sha3-256" },
1492 { DIGEST_SHA3_512
, "sha3-512" },
1498 for (i
= 0; names
[i
].n
; ++i
) {
1499 tt_str_op(names
[i
].n
, OP_EQ
,crypto_digest_algorithm_get_name(names
[i
].a
));
1500 tt_int_op(names
[i
].a
,
1501 OP_EQ
,crypto_digest_algorithm_parse_name(names
[i
].n
));
1503 tt_int_op(-1, OP_EQ
,
1504 crypto_digest_algorithm_parse_name("TimeCubeHash-4444"));
1509 /** Run unit tests for misc crypto formatting functionality (base64, base32,
1510 * fingerprints, etc) */
1512 test_crypto_formats(void *arg
)
1514 char *data1
= NULL
, *data2
= NULL
, *data3
= NULL
;
1518 data1
= tor_malloc(1024);
1519 data2
= tor_malloc(1024);
1520 data3
= tor_malloc(1024);
1521 tt_assert(data1
&& data2
&& data3
);
1524 memset(data1
, 6, 1024);
1525 for (idx
= 0; idx
< 10; ++idx
) {
1526 i
= base64_encode(data2
, 1024, data1
, idx
, 0);
1527 tt_int_op(i
, OP_GE
, 0);
1528 tt_int_op(i
, OP_EQ
, strlen(data2
));
1529 j
= base64_decode(data3
, 1024, data2
, i
);
1530 tt_int_op(j
,OP_EQ
, idx
);
1531 tt_mem_op(data3
,OP_EQ
, data1
, idx
);
1533 i
= base64_encode_nopad(data2
, 1024, (uint8_t*)data1
, idx
);
1534 tt_int_op(i
, OP_GE
, 0);
1535 tt_int_op(i
, OP_EQ
, strlen(data2
));
1536 tt_assert(! strchr(data2
, '='));
1537 j
= base64_decode(data3
, 1024, data2
, i
);
1538 tt_int_op(j
, OP_EQ
, idx
);
1539 tt_mem_op(data3
,OP_EQ
, data1
, idx
);
1542 strlcpy(data1
, "Test string that contains 35 chars.", 1024);
1543 strlcat(data1
, " 2nd string that contains 35 chars.", 1024);
1545 i
= base64_encode(data2
, 1024, data1
, 71, 0);
1546 tt_int_op(i
, OP_GE
, 0);
1547 j
= base64_decode(data3
, 1024, data2
, i
);
1548 tt_int_op(j
,OP_EQ
, 71);
1549 tt_str_op(data3
,OP_EQ
, data1
);
1550 tt_int_op(data2
[i
], OP_EQ
, '\0');
1552 crypto_rand(data1
, DIGEST_LEN
);
1553 memset(data2
, 100, 1024);
1554 digest_to_base64(data2
, data1
);
1555 tt_int_op(BASE64_DIGEST_LEN
,OP_EQ
, strlen(data2
));
1556 tt_int_op(100,OP_EQ
, data2
[BASE64_DIGEST_LEN
+2]);
1557 memset(data3
, 99, 1024);
1558 tt_int_op(digest_from_base64(data3
, data2
),OP_EQ
, 0);
1559 tt_mem_op(data1
,OP_EQ
, data3
, DIGEST_LEN
);
1560 tt_int_op(99,OP_EQ
, data3
[DIGEST_LEN
+1]);
1562 tt_int_op(digest_from_base64(data3
, "###"), OP_LT
, 0);
1564 /* Encoding SHA256 */
1565 crypto_rand(data2
, DIGEST256_LEN
);
1566 memset(data2
, 100, 1024);
1567 digest256_to_base64(data2
, data1
);
1568 tt_int_op(BASE64_DIGEST256_LEN
,OP_EQ
, strlen(data2
));
1569 tt_int_op(100,OP_EQ
, data2
[BASE64_DIGEST256_LEN
+2]);
1570 memset(data3
, 99, 1024);
1571 tt_int_op(digest256_from_base64(data3
, data2
),OP_EQ
, 0);
1572 tt_mem_op(data1
,OP_EQ
, data3
, DIGEST256_LEN
);
1573 tt_int_op(99,OP_EQ
, data3
[DIGEST256_LEN
+1]);
1576 strlcpy(data1
, "5chrs", 1024);
1577 /* bit pattern is: [35 63 68 72 73] ->
1578 * [00110101 01100011 01101000 01110010 01110011]
1579 * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
1581 base32_encode(data2
, 9, data1
, 5);
1582 tt_str_op(data2
,OP_EQ
, "gvrwq4tt");
1584 strlcpy(data1
, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
1585 base32_encode(data2
, 30, data1
, 10);
1586 tt_str_op(data2
,OP_EQ
, "772w2rfobvomsywe");
1589 strlcpy(data1
, "6chrs\xff", 1024);
1590 base16_encode(data2
, 13, data1
, 6);
1591 tt_str_op(data2
,OP_EQ
, "3663687273FF");
1593 strlcpy(data1
, "f0d678affc000100", 1024);
1594 i
= base16_decode(data2
, 8, data1
, 16);
1595 tt_int_op(i
,OP_EQ
, 8);
1596 tt_mem_op(data2
,OP_EQ
, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
1598 /* now try some failing base16 decodes */
1599 tt_int_op(-1,OP_EQ
, base16_decode(data2
, 8, data1
, 15)); /* odd input len */
1600 tt_int_op(-1,OP_EQ
, base16_decode(data2
, 7, data1
, 16)); /* dest too short */
1601 strlcpy(data1
, "f0dz!8affc000100", 1024);
1602 tt_int_op(-1,OP_EQ
, base16_decode(data2
, 8, data1
, 16));
1608 /* Add spaces to fingerprint */
1610 data1
= tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
1611 tt_int_op(strlen(data1
),OP_EQ
, 40);
1612 data2
= tor_malloc(FINGERPRINT_LEN
+1);
1613 crypto_add_spaces_to_fp(data2
, FINGERPRINT_LEN
+1, data1
);
1614 tt_str_op(data2
, OP_EQ
,
1615 "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
1626 /** Test AES-CTR encryption and decryption with IV. */
1628 test_crypto_aes_iv(void *arg
)
1630 char *plain
, *encrypted1
, *encrypted2
, *decrypted1
, *decrypted2
;
1631 char plain_1
[1], plain_15
[15], plain_16
[16], plain_17
[17];
1632 char key1
[16], key2
[16];
1633 ssize_t encrypted_size
, decrypted_size
;
1635 int use_evp
= !strcmp(arg
,"evp");
1636 evaluate_evp_for_aes(use_evp
);
1638 plain
= tor_malloc(4095);
1639 encrypted1
= tor_malloc(4095 + 1 + 16);
1640 encrypted2
= tor_malloc(4095 + 1 + 16);
1641 decrypted1
= tor_malloc(4095 + 1);
1642 decrypted2
= tor_malloc(4095 + 1);
1644 crypto_rand(plain
, 4095);
1645 crypto_rand(key1
, 16);
1646 crypto_rand(key2
, 16);
1647 crypto_rand(plain_1
, 1);
1648 crypto_rand(plain_15
, 15);
1649 crypto_rand(plain_16
, 16);
1650 crypto_rand(plain_17
, 17);
1651 key1
[0] = key2
[0] + 128; /* Make sure that contents are different. */
1652 /* Encrypt and decrypt with the same key. */
1653 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted1
, 16 + 4095,
1656 tt_int_op(encrypted_size
,OP_EQ
, 16 + 4095);
1657 tt_assert(encrypted_size
> 0); /* This is obviously true, since 4111 is
1658 * greater than 0, but its truth is not
1659 * obvious to all analysis tools. */
1660 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 4095,
1661 encrypted1
, encrypted_size
);
1663 tt_int_op(decrypted_size
,OP_EQ
, 4095);
1664 tt_assert(decrypted_size
> 0);
1665 tt_mem_op(plain
,OP_EQ
, decrypted1
, 4095);
1666 /* Encrypt a second time (with a new random initialization vector). */
1667 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted2
, 16 + 4095,
1670 tt_int_op(encrypted_size
,OP_EQ
, 16 + 4095);
1671 tt_assert(encrypted_size
> 0);
1672 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted2
, 4095,
1673 encrypted2
, encrypted_size
);
1674 tt_int_op(decrypted_size
,OP_EQ
, 4095);
1675 tt_assert(decrypted_size
> 0);
1676 tt_mem_op(plain
,OP_EQ
, decrypted2
, 4095);
1677 tt_mem_op(encrypted1
,OP_NE
, encrypted2
, encrypted_size
);
1678 /* Decrypt with the wrong key. */
1679 decrypted_size
= crypto_cipher_decrypt_with_iv(key2
, decrypted2
, 4095,
1680 encrypted1
, encrypted_size
);
1681 tt_int_op(decrypted_size
,OP_EQ
, 4095);
1682 tt_mem_op(plain
,OP_NE
, decrypted2
, decrypted_size
);
1683 /* Alter the initialization vector. */
1684 encrypted1
[0] += 42;
1685 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 4095,
1686 encrypted1
, encrypted_size
);
1687 tt_int_op(decrypted_size
,OP_EQ
, 4095);
1688 tt_mem_op(plain
,OP_NE
, decrypted2
, 4095);
1689 /* Special length case: 1. */
1690 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted1
, 16 + 1,
1692 tt_int_op(encrypted_size
,OP_EQ
, 16 + 1);
1693 tt_assert(encrypted_size
> 0);
1694 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 1,
1695 encrypted1
, encrypted_size
);
1696 tt_int_op(decrypted_size
,OP_EQ
, 1);
1697 tt_assert(decrypted_size
> 0);
1698 tt_mem_op(plain_1
,OP_EQ
, decrypted1
, 1);
1699 /* Special length case: 15. */
1700 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted1
, 16 + 15,
1702 tt_int_op(encrypted_size
,OP_EQ
, 16 + 15);
1703 tt_assert(encrypted_size
> 0);
1704 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 15,
1705 encrypted1
, encrypted_size
);
1706 tt_int_op(decrypted_size
,OP_EQ
, 15);
1707 tt_assert(decrypted_size
> 0);
1708 tt_mem_op(plain_15
,OP_EQ
, decrypted1
, 15);
1709 /* Special length case: 16. */
1710 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted1
, 16 + 16,
1712 tt_int_op(encrypted_size
,OP_EQ
, 16 + 16);
1713 tt_assert(encrypted_size
> 0);
1714 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 16,
1715 encrypted1
, encrypted_size
);
1716 tt_int_op(decrypted_size
,OP_EQ
, 16);
1717 tt_assert(decrypted_size
> 0);
1718 tt_mem_op(plain_16
,OP_EQ
, decrypted1
, 16);
1719 /* Special length case: 17. */
1720 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted1
, 16 + 17,
1722 tt_int_op(encrypted_size
,OP_EQ
, 16 + 17);
1723 tt_assert(encrypted_size
> 0);
1724 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 17,
1725 encrypted1
, encrypted_size
);
1726 tt_int_op(decrypted_size
,OP_EQ
, 17);
1727 tt_assert(decrypted_size
> 0);
1728 tt_mem_op(plain_17
,OP_EQ
, decrypted1
, 17);
1733 tor_free(encrypted1
);
1734 tor_free(encrypted2
);
1735 tor_free(decrypted1
);
1736 tor_free(decrypted2
);
1739 /** Test base32 decoding. */
1741 test_crypto_base32_decode(void *arg
)
1743 char plain
[60], encoded
[96 + 1], decoded
[60];
1746 crypto_rand(plain
, 60);
1747 /* Encode and decode a random string. */
1748 base32_encode(encoded
, 96 + 1, plain
, 60);
1749 res
= base32_decode(decoded
, 60, encoded
, 96);
1750 tt_int_op(res
, OP_EQ
, 60);
1751 tt_mem_op(plain
,OP_EQ
, decoded
, 60);
1752 /* Encode, uppercase, and decode a random string. */
1753 base32_encode(encoded
, 96 + 1, plain
, 60);
1754 tor_strupper(encoded
);
1755 res
= base32_decode(decoded
, 60, encoded
, 96);
1756 tt_int_op(res
, OP_EQ
, 60);
1757 tt_mem_op(plain
,OP_EQ
, decoded
, 60);
1758 /* Change encoded string and decode. */
1759 if (encoded
[0] == 'A' || encoded
[0] == 'a')
1763 res
= base32_decode(decoded
, 60, encoded
, 96);
1764 tt_int_op(res
, OP_EQ
, 60);
1765 tt_mem_op(plain
,OP_NE
, decoded
, 60);
1766 /* Bad encodings. */
1768 res
= base32_decode(decoded
, 60, encoded
, 96);
1769 tt_int_op(res
, OP_LT
, 0);
1776 test_crypto_kdf_TAP(void *arg
)
1778 uint8_t key_material
[100];
1780 char *mem_op_hex_tmp
= NULL
;
1784 r = crypto_expand_key_material_TAP( \
1785 (const uint8_t*)(s), strlen(s), \
1788 /* Test vectors generated with a little python script; feel free to write
1790 memset(key_material
, 0, sizeof(key_material
));
1792 tt_int_op(r
, OP_EQ
, 0);
1793 test_memeq_hex(key_material
,
1794 "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
1795 "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
1796 "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
1797 "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
1800 tt_int_op(r
, OP_EQ
, 0);
1801 test_memeq_hex(key_material
,
1802 "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
1803 "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
1804 "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
1805 "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
1807 EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
1808 tt_int_op(r
, OP_EQ
, 0);
1809 test_memeq_hex(key_material
,
1810 "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
1811 "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
1812 "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
1813 "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
1816 tor_free(mem_op_hex_tmp
);
1822 test_crypto_hkdf_sha256(void *arg
)
1824 uint8_t key_material
[100];
1825 const uint8_t salt
[] = "ntor-curve25519-sha256-1:key_extract";
1826 const size_t salt_len
= strlen((char*)salt
);
1827 const uint8_t m_expand
[] = "ntor-curve25519-sha256-1:key_expand";
1828 const size_t m_expand_len
= strlen((char*)m_expand
);
1830 char *mem_op_hex_tmp
= NULL
;
1835 r = crypto_expand_key_material_rfc5869_sha256( \
1836 (const uint8_t*)(s), strlen(s), \
1838 m_expand, m_expand_len, \
1841 /* Test vectors generated with ntor_ref.py */
1843 tt_int_op(r
, OP_EQ
, 0);
1844 test_memeq_hex(key_material
,
1845 "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
1846 "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
1847 "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
1848 "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
1850 EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
1851 tt_int_op(r
, OP_EQ
, 0);
1852 test_memeq_hex(key_material
,
1853 "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
1854 "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
1855 "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
1856 "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
1858 tor_free(mem_op_hex_tmp
);
1863 test_crypto_hkdf_sha256_testvecs(void *arg
)
1866 /* Test vectors from RFC5869, sections A.1 through A.3 */
1868 const char *ikm16
, *salt16
, *info16
;
1873 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1874 "000102030405060708090a0b0c",
1875 "f0f1f2f3f4f5f6f7f8f9",
1877 "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
1878 "34007208d5b887185865"
1881 "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
1882 "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
1883 "404142434445464748494a4b4c4d4e4f",
1884 "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
1885 "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
1886 "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
1887 "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
1888 "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef"
1889 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
1891 "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c"
1892 "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71"
1893 "cc30c58179ec3e87c14c01d5c1f3434f1d87"
1896 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1900 "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
1901 "9d201395faa4b61a96c8",
1903 { NULL
, NULL
, NULL
, -1, NULL
}
1911 char *mem_op_hex_tmp
= NULL
;
1913 for (i
= 0; vecs
[i
].ikm16
; ++i
) {
1914 size_t ikm_len
= strlen(vecs
[i
].ikm16
)/2;
1915 size_t salt_len
= strlen(vecs
[i
].salt16
)/2;
1916 size_t info_len
= strlen(vecs
[i
].info16
)/2;
1917 size_t okm_len
= vecs
[i
].L
;
1919 ikm
= tor_malloc(ikm_len
);
1920 salt
= tor_malloc(salt_len
);
1921 info
= tor_malloc(info_len
);
1922 okm
= tor_malloc(okm_len
);
1924 base16_decode(ikm
, ikm_len
, vecs
[i
].ikm16
, strlen(vecs
[i
].ikm16
));
1925 base16_decode(salt
, salt_len
, vecs
[i
].salt16
, strlen(vecs
[i
].salt16
));
1926 base16_decode(info
, info_len
, vecs
[i
].info16
, strlen(vecs
[i
].info16
));
1928 int r
= crypto_expand_key_material_rfc5869_sha256(
1929 (const uint8_t*)ikm
, ikm_len
,
1930 (const uint8_t*)salt
, salt_len
,
1931 (const uint8_t*)info
, info_len
,
1932 (uint8_t*)okm
, okm_len
);
1933 tt_int_op(r
, OP_EQ
, 0);
1934 test_memeq_hex(okm
, vecs
[i
].okm16
);
1945 tor_free(mem_op_hex_tmp
);
1949 test_crypto_curve25519_impl(void *arg
)
1951 /* adapted from curve25519_donna, which adapted it from test-curve25519
1952 version 20050915, by D. J. Bernstein, Public domain. */
1954 const int randomize_high_bit
= (arg
!= NULL
);
1956 #ifdef SLOW_CURVE25519_TEST
1957 const int loop_max
=10000;
1958 const char e1_expected
[] = "4faf81190869fd742a33691b0e0824d5"
1959 "7e0329f4dd2819f5f32d130f1296b500";
1960 const char e2k_expected
[] = "05aec13f92286f3a781ccae98995a3b9"
1961 "e0544770bc7de853b38f9100489e3e79";
1962 const char e1e2k_expected
[] = "cd6e8269104eb5aaee886bd2071fba88"
1963 "bd13861475516bc2cd2b6e005e805064";
1964 #else /* !defined(SLOW_CURVE25519_TEST) */
1965 const int loop_max
=200;
1966 const char e1_expected
[] = "bc7112cde03f97ef7008cad1bdc56be3"
1967 "c6a1037d74cceb3712e9206871dcf654";
1968 const char e2k_expected
[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
1969 "8e3ee1a63c7d14274ea5d4c67f065467";
1970 const char e1e2k_expected
[] = "7ddb98bd89025d2347776b33901b3e7e"
1971 "c0ee98cb2257a4545c0cfb2ca3e1812b";
1972 #endif /* defined(SLOW_CURVE25519_TEST) */
1974 unsigned char e1k
[32];
1975 unsigned char e2k
[32];
1976 unsigned char e1e2k
[32];
1977 unsigned char e2e1k
[32];
1978 unsigned char e1
[32] = {3};
1979 unsigned char e2
[32] = {5};
1980 unsigned char k
[32] = {9};
1983 char *mem_op_hex_tmp
= NULL
;
1985 for (loop
= 0; loop
< loop_max
; ++loop
) {
1986 curve25519_impl(e1k
,e1
,k
);
1987 curve25519_impl(e2e1k
,e2
,e1k
);
1988 curve25519_impl(e2k
,e2
,k
);
1989 if (randomize_high_bit
) {
1990 /* We require that the high bit of the public key be ignored. So if
1991 * we're doing this variant test, we randomize the high bit of e2k, and
1992 * make sure that the handshake still works out the same as it would
1995 crypto_rand((char*)&byte
, 1);
1996 e2k
[31] |= (byte
& 0x80);
1998 curve25519_impl(e1e2k
,e1
,e2k
);
1999 tt_mem_op(e1e2k
,OP_EQ
, e2e1k
, 32);
2000 if (loop
== loop_max
-1) {
2003 for (i
= 0;i
< 32;++i
) e1
[i
] ^= e2k
[i
];
2004 for (i
= 0;i
< 32;++i
) e2
[i
] ^= e1k
[i
];
2005 for (i
= 0;i
< 32;++i
) k
[i
] ^= e1e2k
[i
];
2008 test_memeq_hex(e1
, e1_expected
);
2009 test_memeq_hex(e2k
, e2k_expected
);
2010 test_memeq_hex(e1e2k
, e1e2k_expected
);
2013 tor_free(mem_op_hex_tmp
);
2017 test_crypto_curve25519_basepoint(void *arg
)
2020 uint8_t public1
[32];
2021 uint8_t public2
[32];
2022 const int iters
= 2048;
2026 for (i
= 0; i
< iters
; ++i
) {
2027 crypto_rand((char*)secret
, 32);
2028 curve25519_set_impl_params(1); /* Use optimization */
2029 curve25519_basepoint_impl(public1
, secret
);
2030 curve25519_set_impl_params(0); /* Disable optimization */
2031 curve25519_basepoint_impl(public2
, secret
);
2032 tt_mem_op(public1
, OP_EQ
, public2
, 32);
2040 test_crypto_curve25519_testvec(void *arg
)
2043 char *mem_op_hex_tmp
= NULL
;
2045 /* From RFC 7748, section 6.1 */
2046 /* Alice's private key, a: */
2048 "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
2049 /* Alice's public key, X25519(a, 9): */
2050 const char a_pub16
[] =
2051 "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
2052 /* Bob's private key, b: */
2054 "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
2055 /* Bob's public key, X25519(b, 9): */
2056 const char b_pub16
[] =
2057 "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
2058 /* Their shared secret, K: */
2060 "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
2062 uint8_t a
[32], b
[32], a_pub
[32], b_pub
[32], k1
[32], k2
[32];
2063 base16_decode((char*)a
, sizeof(a
), a16
, strlen(a16
));
2064 base16_decode((char*)b
, sizeof(b
), b16
, strlen(b16
));
2065 curve25519_basepoint_impl(a_pub
, a
);
2066 curve25519_basepoint_impl(b_pub
, b
);
2067 curve25519_impl(k1
, a
, b_pub
);
2068 curve25519_impl(k2
, b
, a_pub
);
2070 test_memeq_hex(a
, a16
);
2071 test_memeq_hex(b
, b16
);
2072 test_memeq_hex(a_pub
, a_pub16
);
2073 test_memeq_hex(b_pub
, b_pub16
);
2074 test_memeq_hex(k1
, k16
);
2075 test_memeq_hex(k2
, k16
);
2077 tor_free(mem_op_hex_tmp
);
2081 test_crypto_curve25519_wrappers(void *arg
)
2083 curve25519_public_key_t pubkey1
, pubkey2
;
2084 curve25519_secret_key_t seckey1
, seckey2
;
2086 uint8_t output1
[CURVE25519_OUTPUT_LEN
];
2087 uint8_t output2
[CURVE25519_OUTPUT_LEN
];
2090 /* Test a simple handshake, serializing and deserializing some stuff. */
2091 curve25519_secret_key_generate(&seckey1
, 0);
2092 curve25519_secret_key_generate(&seckey2
, 1);
2093 curve25519_public_key_generate(&pubkey1
, &seckey1
);
2094 curve25519_public_key_generate(&pubkey2
, &seckey2
);
2095 tt_assert(curve25519_public_key_is_ok(&pubkey1
));
2096 tt_assert(curve25519_public_key_is_ok(&pubkey2
));
2097 curve25519_handshake(output1
, &seckey1
, &pubkey2
);
2098 curve25519_handshake(output2
, &seckey2
, &pubkey1
);
2099 tt_mem_op(output1
,OP_EQ
, output2
, sizeof(output1
));
2106 test_crypto_curve25519_encode(void *arg
)
2108 curve25519_secret_key_t seckey
;
2109 curve25519_public_key_t key1
, key2
, key3
;
2110 char buf
[64], buf_nopad
[64];
2114 curve25519_secret_key_generate(&seckey
, 0);
2115 curve25519_public_key_generate(&key1
, &seckey
);
2116 curve25519_public_to_base64(buf
, &key1
, true);
2117 tt_int_op(CURVE25519_BASE64_PADDED_LEN
, OP_EQ
, strlen(buf
));
2119 tt_int_op(0, OP_EQ
, curve25519_public_from_base64(&key2
, buf
));
2120 tt_mem_op(key1
.public_key
,OP_EQ
, key2
.public_key
, CURVE25519_PUBKEY_LEN
);
2122 curve25519_public_to_base64(buf_nopad
, &key1
, false);
2123 tt_int_op(CURVE25519_BASE64_LEN
, OP_EQ
, strlen(buf_nopad
));
2124 tt_int_op(0, OP_EQ
, curve25519_public_from_base64(&key3
, buf_nopad
));
2125 tt_mem_op(key1
.public_key
,OP_EQ
, key3
.public_key
, CURVE25519_PUBKEY_LEN
);
2127 /* Now try bogus parses. */
2128 strlcpy(buf
, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf
));
2129 tt_int_op(-1, OP_EQ
, curve25519_public_from_base64(&key3
, buf
));
2131 strlcpy(buf
, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf
));
2132 tt_int_op(-1, OP_EQ
, curve25519_public_from_base64(&key3
, buf
));
2134 strlcpy(buf
, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf
));
2135 tt_int_op(-1, OP_EQ
, curve25519_public_from_base64(&key3
, buf
));
2142 test_crypto_curve25519_persist(void *arg
)
2144 curve25519_keypair_t keypair
, keypair2
;
2145 char *fname
= tor_strdup(get_fname("curve25519_keypair"));
2147 char *content
= NULL
;
2154 tt_int_op(0,OP_EQ
,curve25519_keypair_generate(&keypair
, 0));
2157 curve25519_keypair_write_to_file(&keypair
, fname
, "testing"));
2158 tt_int_op(0,OP_EQ
,curve25519_keypair_read_from_file(&keypair2
, &tag
, fname
));
2159 tt_str_op(tag
,OP_EQ
,"testing");
2162 tt_mem_op(keypair
.pubkey
.public_key
,OP_EQ
,
2163 keypair2
.pubkey
.public_key
,
2164 CURVE25519_PUBKEY_LEN
);
2165 tt_mem_op(keypair
.seckey
.secret_key
,OP_EQ
,
2166 keypair2
.seckey
.secret_key
,
2167 CURVE25519_SECKEY_LEN
);
2169 content
= read_file_to_str(fname
, RFTS_BIN
, &st
);
2171 taglen
= strlen("== c25519v1: testing ==");
2172 tt_u64_op((uint64_t)st
.st_size
, OP_EQ
,
2173 32+CURVE25519_PUBKEY_LEN
+CURVE25519_SECKEY_LEN
);
2174 tt_assert(fast_memeq(content
, "== c25519v1: testing ==", taglen
));
2175 tt_assert(fast_mem_is_zero(content
+taglen
, 32-taglen
));
2177 tt_mem_op(keypair
.seckey
.secret_key
,OP_EQ
,
2179 CURVE25519_SECKEY_LEN
);
2180 cp
+= CURVE25519_SECKEY_LEN
;
2181 tt_mem_op(keypair
.pubkey
.public_key
,OP_EQ
,
2183 CURVE25519_SECKEY_LEN
);
2186 fname
= tor_strdup(get_fname("bogus_keypair"));
2188 tt_int_op(-1, OP_EQ
,
2189 curve25519_keypair_read_from_file(&keypair2
, &tag
, fname
));
2192 content
[69] ^= 0xff;
2194 write_bytes_to_file(fname
, content
, (size_t)st
.st_size
, 1));
2195 tt_int_op(-1, OP_EQ
,
2196 curve25519_keypair_read_from_file(&keypair2
, &tag
, fname
));
2205 test_crypto_ed25519_simple(void *arg
)
2207 ed25519_keypair_t kp1
, kp2
;
2208 ed25519_public_key_t pub1
, pub2
;
2209 ed25519_secret_key_t sec1
, sec2
;
2210 ed25519_signature_t sig1
, sig2
;
2211 const uint8_t msg
[] =
2212 "GNU will be able to run Unix programs, "
2213 "but will not be identical to Unix.";
2214 const uint8_t msg2
[] =
2215 "Microsoft Windows extends the features of the DOS operating system, "
2216 "yet is compatible with most existing applications that run under DOS.";
2217 size_t msg_len
= strlen((const char*)msg
);
2218 size_t msg2_len
= strlen((const char*)msg2
);
2222 tt_int_op(0, OP_EQ
, ed25519_secret_key_generate(&sec1
, 0));
2223 tt_int_op(0, OP_EQ
, ed25519_secret_key_generate(&sec2
, 1));
2225 tt_int_op(0, OP_EQ
, ed25519_public_key_generate(&pub1
, &sec1
));
2226 tt_int_op(0, OP_EQ
, ed25519_public_key_generate(&pub2
, &sec1
));
2228 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, 0);
2229 tt_int_op(ed25519_validate_pubkey(&pub2
), OP_EQ
, 0);
2231 tt_mem_op(pub1
.pubkey
, OP_EQ
, pub2
.pubkey
, sizeof(pub1
.pubkey
));
2232 tt_assert(ed25519_pubkey_eq(&pub1
, &pub2
));
2233 tt_assert(ed25519_pubkey_eq(&pub1
, &pub1
));
2235 memcpy(&kp1
.pubkey
, &pub1
, sizeof(pub1
));
2236 memcpy(&kp1
.seckey
, &sec1
, sizeof(sec1
));
2237 tt_int_op(0, OP_EQ
, ed25519_sign(&sig1
, msg
, msg_len
, &kp1
));
2238 tt_int_op(0, OP_EQ
, ed25519_sign(&sig2
, msg
, msg_len
, &kp1
));
2240 /* Ed25519 signatures are deterministic */
2241 tt_mem_op(sig1
.sig
, OP_EQ
, sig2
.sig
, sizeof(sig1
.sig
));
2243 /* Basic signature is valid. */
2244 tt_int_op(0, OP_EQ
, ed25519_checksig(&sig1
, msg
, msg_len
, &pub1
));
2246 /* Altered signature doesn't work. */
2248 tt_int_op(-1, OP_EQ
, ed25519_checksig(&sig1
, msg
, msg_len
, &pub1
));
2250 /* Wrong public key doesn't work. */
2251 tt_int_op(0, OP_EQ
, ed25519_public_key_generate(&pub2
, &sec2
));
2252 tt_int_op(-1, OP_EQ
, ed25519_checksig(&sig2
, msg
, msg_len
, &pub2
));
2253 tt_assert(! ed25519_pubkey_eq(&pub1
, &pub2
));
2255 /* Wrong message doesn't work. */
2256 tt_int_op(0, OP_EQ
, ed25519_checksig(&sig2
, msg
, msg_len
, &pub1
));
2257 tt_int_op(-1, OP_EQ
, ed25519_checksig(&sig2
, msg
, msg_len
-1, &pub1
));
2258 tt_int_op(-1, OP_EQ
, ed25519_checksig(&sig2
, msg2
, msg2_len
, &pub1
));
2260 /* Batch signature checking works with some bad. */
2261 tt_int_op(0, OP_EQ
, ed25519_keypair_generate(&kp2
, 0));
2262 tt_int_op(0, OP_EQ
, ed25519_sign(&sig1
, msg
, msg_len
, &kp2
));
2264 ed25519_checkable_t ch
[] = {
2265 { &pub1
, sig2
, msg
, msg_len
}, /*ok*/
2266 { &pub1
, sig2
, msg
, msg_len
-1 }, /*bad*/
2267 { &kp2
.pubkey
, sig2
, msg2
, msg2_len
}, /*bad*/
2268 { &kp2
.pubkey
, sig1
, msg
, msg_len
}, /*ok*/
2271 tt_int_op(-2, OP_EQ
, ed25519_checksig_batch(okay
, ch
, 4));
2272 tt_int_op(okay
[0], OP_EQ
, 1);
2273 tt_int_op(okay
[1], OP_EQ
, 0);
2274 tt_int_op(okay
[2], OP_EQ
, 0);
2275 tt_int_op(okay
[3], OP_EQ
, 1);
2276 tt_int_op(-2, OP_EQ
, ed25519_checksig_batch(NULL
, ch
, 4));
2279 /* Batch signature checking works with all good. */
2281 ed25519_checkable_t ch
[] = {
2282 { &pub1
, sig2
, msg
, msg_len
}, /*ok*/
2283 { &kp2
.pubkey
, sig1
, msg
, msg_len
}, /*ok*/
2286 tt_int_op(0, OP_EQ
, ed25519_checksig_batch(okay
, ch
, 2));
2287 tt_int_op(okay
[0], OP_EQ
, 1);
2288 tt_int_op(okay
[1], OP_EQ
, 1);
2289 tt_int_op(0, OP_EQ
, ed25519_checksig_batch(NULL
, ch
, 2));
2292 /* Test the string-prefixed sign/checksig functions */
2294 ed25519_signature_t manual_sig
;
2297 /* Generate a signature with a prefixed msg. */
2298 tt_int_op(0, OP_EQ
, ed25519_sign_prefixed(&sig1
, msg
, msg_len
,
2299 "always in the mood",
2302 /* First, check that ed25519_sign_prefixed() returns the exact same sig as
2303 if we had manually prefixed the msg ourselves. */
2304 tor_asprintf(&prefixed_msg
, "%s%s", "always in the mood", msg
);
2305 tt_int_op(0, OP_EQ
, ed25519_sign(&manual_sig
, (uint8_t *)prefixed_msg
,
2306 strlen(prefixed_msg
), &kp1
));
2307 tor_free(prefixed_msg
);
2308 tt_assert(fast_memeq(sig1
.sig
, manual_sig
.sig
, sizeof(sig1
.sig
)));
2310 /* Test that prefixed checksig verifies it properly. */
2311 tt_int_op(0, OP_EQ
, ed25519_checksig_prefixed(&sig1
, msg
, msg_len
,
2312 "always in the mood",
2315 /* Test that checksig with wrong prefix fails. */
2316 tt_int_op(-1, OP_EQ
, ed25519_checksig_prefixed(&sig1
, msg
, msg_len
,
2317 "always in the moo",
2319 tt_int_op(-1, OP_EQ
, ed25519_checksig_prefixed(&sig1
, msg
, msg_len
,
2320 "always in the moon",
2322 tt_int_op(-1, OP_EQ
, ed25519_checksig_prefixed(&sig1
, msg
, msg_len
,
2323 "always in the mood!",
2332 test_crypto_ed25519_test_vectors(void *arg
)
2334 char *mem_op_hex_tmp
=NULL
;
2342 /* These test vectors were generated with the "ref" implementation of
2343 * ed25519 from SUPERCOP-20130419 */
2344 { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
2345 "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
2346 "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
2347 "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
2348 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2349 "204e554c2d7465726d696e617465642e"
2352 { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
2353 "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
2354 "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
2355 "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
2356 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2357 "204e554c2d7465726d696e617465642e"
2359 { "6578706f73656420627920456e676c697368207465787420617320696e707574",
2360 "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
2361 "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
2362 "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
2363 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2364 "204e554c2d7465726d696e617465642e"
2367 /* These come from "sign.input" in ed25519's page */
2368 { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
2369 "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
2370 "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
2371 "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
2372 "5a8d9d0a22357e6655f9c785"
2374 { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
2375 "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
2376 "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
2377 "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
2378 "b87d3813e03f58cf19fd0b6395"
2380 { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
2381 "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
2382 "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
2383 "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
2384 "55c7fa434f5ed8cdec2b7aeac173",
2386 { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
2387 "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
2388 "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
2389 "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
2390 "0a688e79be24f866286d4646b5d81c"
2392 /* These come from draft-irtf-cfrg-eddsa-05 section 7.1 */
2394 "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
2395 "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
2396 "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
2397 "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b",
2401 "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
2402 "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
2403 "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
2404 "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00",
2408 "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
2409 "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
2410 "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350"
2411 "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
2412 "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98"
2413 "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8"
2414 "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d"
2415 "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc"
2416 "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe"
2417 "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e"
2418 "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef"
2419 "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7"
2420 "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
2421 "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2"
2422 "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24"
2423 "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270"
2424 "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc"
2425 "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07"
2426 "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba"
2427 "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a"
2428 "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e"
2429 "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
2430 "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c"
2431 "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8"
2432 "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df"
2433 "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08"
2434 "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649"
2435 "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4"
2436 "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3"
2437 "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e"
2438 "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
2439 "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5"
2440 "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1"
2441 "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d"
2442 "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c"
2443 "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0"
2446 "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
2447 "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
2448 "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
2449 "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704",
2450 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
2451 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
2453 { NULL
, NULL
, NULL
, NULL
}
2458 for (i
= 0; items
[i
].pk
; ++i
) {
2459 ed25519_keypair_t kp
;
2460 ed25519_signature_t sig
;
2461 uint8_t sk_seed
[32];
2464 base16_decode((char*)sk_seed
, sizeof(sk_seed
),
2466 ed25519_secret_key_from_seed(&kp
.seckey
, sk_seed
);
2467 tt_int_op(0, OP_EQ
, ed25519_public_key_generate(&kp
.pubkey
, &kp
.seckey
));
2468 test_memeq_hex(kp
.pubkey
.pubkey
, items
[i
].pk
);
2470 msg_len
= strlen(items
[i
].msg
) / 2;
2471 msg
= tor_malloc(msg_len
);
2472 base16_decode((char*)msg
, msg_len
, items
[i
].msg
, strlen(items
[i
].msg
));
2474 tt_int_op(0, OP_EQ
, ed25519_sign(&sig
, msg
, msg_len
, &kp
));
2475 test_memeq_hex(sig
.sig
, items
[i
].sig
);
2481 tor_free(mem_op_hex_tmp
);
2485 test_crypto_ed25519_encode(void *arg
)
2487 char buf
[ED25519_SIG_BASE64_LEN
+1];
2488 ed25519_keypair_t kp
;
2489 ed25519_public_key_t pk
;
2490 ed25519_signature_t sig1
, sig2
;
2491 char *mem_op_hex_tmp
= NULL
;
2494 /* Test roundtrip. */
2495 tt_int_op(0, OP_EQ
, ed25519_keypair_generate(&kp
, 0));
2496 ed25519_public_to_base64(buf
, &kp
.pubkey
);
2497 tt_int_op(ED25519_BASE64_LEN
, OP_EQ
, strlen(buf
));
2498 tt_int_op(0, OP_EQ
, ed25519_public_from_base64(&pk
, buf
));
2499 tt_mem_op(kp
.pubkey
.pubkey
, OP_EQ
, pk
.pubkey
, ED25519_PUBKEY_LEN
);
2501 tt_int_op(0, OP_EQ
, ed25519_sign(&sig1
, (const uint8_t*)"ABC", 3, &kp
));
2502 ed25519_signature_to_base64(buf
, &sig1
);
2503 tt_int_op(0, OP_EQ
, ed25519_signature_from_base64(&sig2
, buf
));
2504 tt_mem_op(sig1
.sig
, OP_EQ
, sig2
.sig
, ED25519_SIG_LEN
);
2506 /* Test known value. */
2507 tt_int_op(0, OP_EQ
, ed25519_public_from_base64(&pk
,
2508 "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
2509 test_memeq_hex(pk
.pubkey
,
2510 "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
2513 tor_free(mem_op_hex_tmp
);
2517 test_crypto_ed25519_convert(void *arg
)
2519 const uint8_t msg
[] =
2520 "The eyes are not here / There are no eyes here.";
2525 for (i
= 0; i
< N
; ++i
) {
2526 curve25519_keypair_t curve25519_keypair
;
2527 ed25519_keypair_t ed25519_keypair
;
2528 ed25519_public_key_t ed25519_pubkey
;
2531 ed25519_signature_t sig
;
2533 tt_int_op(0,OP_EQ
,curve25519_keypair_generate(&curve25519_keypair
, i
&1));
2534 tt_int_op(0,OP_EQ
,ed25519_keypair_from_curve25519_keypair(
2535 &ed25519_keypair
, &bit
, &curve25519_keypair
));
2536 tt_int_op(0,OP_EQ
,ed25519_public_key_from_curve25519_public_key(
2537 &ed25519_pubkey
, &curve25519_keypair
.pubkey
, bit
));
2538 tt_mem_op(ed25519_pubkey
.pubkey
, OP_EQ
, ed25519_keypair
.pubkey
.pubkey
, 32);
2540 tt_int_op(0,OP_EQ
,ed25519_sign(&sig
, msg
, sizeof(msg
), &ed25519_keypair
));
2541 tt_int_op(0,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
),
2544 tt_int_op(-1,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
)-1,
2547 tt_int_op(-1,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
),
2556 test_crypto_ed25519_blinding(void *arg
)
2558 const uint8_t msg
[] =
2559 "Eyes I dare not meet in dreams / In death's dream kingdom";
2565 for (i
= 0; i
< N
; ++i
) {
2566 uint8_t blinding
[32];
2567 ed25519_keypair_t ed25519_keypair
;
2568 ed25519_keypair_t ed25519_keypair_blinded
;
2569 ed25519_public_key_t ed25519_pubkey_blinded
;
2571 ed25519_signature_t sig
;
2573 crypto_rand((char*) blinding
, sizeof(blinding
));
2575 tt_int_op(0,OP_EQ
,ed25519_keypair_generate(&ed25519_keypair
, 0));
2576 tt_int_op(0,OP_EQ
,ed25519_keypair_blind(&ed25519_keypair_blinded
,
2577 &ed25519_keypair
, blinding
));
2579 tt_int_op(0,OP_EQ
,ed25519_public_blind(&ed25519_pubkey_blinded
,
2580 &ed25519_keypair
.pubkey
, blinding
));
2582 tt_mem_op(ed25519_pubkey_blinded
.pubkey
, OP_EQ
,
2583 ed25519_keypair_blinded
.pubkey
.pubkey
, 32);
2585 tt_int_op(0,OP_EQ
,ed25519_sign(&sig
, msg
, sizeof(msg
),
2586 &ed25519_keypair_blinded
));
2588 tt_int_op(0,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
),
2589 &ed25519_pubkey_blinded
));
2591 tt_int_op(-1,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
)-1,
2592 &ed25519_pubkey_blinded
));
2594 tt_int_op(-1,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
),
2595 &ed25519_pubkey_blinded
));
2602 /** Test that our blinding functions will fail if we pass them bad pubkeys */
2604 test_crypto_ed25519_blinding_fail(void *arg
)
2607 uint8_t param
[32] = {2};
2608 ed25519_public_key_t pub
;
2609 ed25519_public_key_t pub_blinded
;
2613 /* This point is not on the curve: the blind routines should fail */
2614 const char badkey
[] =
2615 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2616 retval
= base16_decode((char*)pub
.pubkey
, sizeof(pub
.pubkey
),
2617 badkey
, strlen(badkey
));
2618 tt_int_op(retval
, OP_EQ
, sizeof(pub
.pubkey
));
2619 retval
= ed25519_public_blind(&pub_blinded
, &pub
, param
);
2620 tt_int_op(retval
, OP_EQ
, -1);
2622 /* This point is legit: blind routines should be happy */
2623 const char goodkey
[] =
2624 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2625 retval
= base16_decode((char*)pub
.pubkey
, sizeof(pub
.pubkey
),
2626 goodkey
, strlen(goodkey
));
2627 tt_int_op(retval
, OP_EQ
, sizeof(pub
.pubkey
));
2628 retval
= ed25519_public_blind(&pub_blinded
, &pub
, param
);
2629 tt_int_op(retval
, OP_EQ
, 0);
2636 test_crypto_ed25519_testvectors(void *arg
)
2639 char *mem_op_hex_tmp
= NULL
;
2642 for (i
= 0; i
< ARRAY_LENGTH(ED25519_SECRET_KEYS
); ++i
) {
2644 ed25519_secret_key_t esk
;
2645 ed25519_public_key_t pk
, blind_pk
, pkfromcurve
;
2646 ed25519_keypair_t keypair
, blind_keypair
;
2647 curve25519_keypair_t curvekp
;
2648 uint8_t blinding_param
[32];
2649 ed25519_signature_t sig
;
2652 memset(&curvekp
, 0xd0, sizeof(curvekp
));
2654 #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
2655 #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
2657 tt_int_op(sizeof(sk
), OP_EQ
, DECODE(sk
, ED25519_SECRET_KEYS
[i
]));
2658 tt_int_op(sizeof(blinding_param
), OP_EQ
, DECODE(blinding_param
,
2659 ED25519_BLINDING_PARAMS
[i
]));
2661 tt_int_op(0, OP_EQ
, ed25519_secret_key_from_seed(&esk
, sk
));
2662 EQ(esk
.seckey
, ED25519_EXPANDED_SECRET_KEYS
[i
]);
2664 tt_int_op(0, OP_EQ
, ed25519_public_key_generate(&pk
, &esk
));
2665 EQ(pk
.pubkey
, ED25519_PUBLIC_KEYS
[i
]);
2667 memcpy(&curvekp
.seckey
.secret_key
, esk
.seckey
, 32);
2668 curve25519_public_key_generate(&curvekp
.pubkey
, &curvekp
.seckey
);
2671 ed25519_keypair_from_curve25519_keypair(&keypair
, &sign
, &curvekp
));
2672 tt_int_op(0, OP_EQ
, ed25519_public_key_from_curve25519_public_key(
2673 &pkfromcurve
, &curvekp
.pubkey
, sign
));
2674 tt_mem_op(keypair
.pubkey
.pubkey
, OP_EQ
, pkfromcurve
.pubkey
, 32);
2675 EQ(curvekp
.pubkey
.public_key
, ED25519_CURVE25519_PUBLIC_KEYS
[i
]);
2678 memcpy(&keypair
.seckey
, &esk
, sizeof(esk
));
2679 memcpy(&keypair
.pubkey
, &pk
, sizeof(pk
));
2681 tt_int_op(0, OP_EQ
, ed25519_sign(&sig
, pk
.pubkey
, 32, &keypair
));
2683 EQ(sig
.sig
, ED25519_SELF_SIGNATURES
[i
]);
2687 ed25519_keypair_blind(&blind_keypair
, &keypair
, blinding_param
));
2689 ed25519_public_blind(&blind_pk
, &pk
, blinding_param
));
2691 EQ(blind_keypair
.seckey
.seckey
, ED25519_BLINDED_SECRET_KEYS
[i
]);
2692 EQ(blind_pk
.pubkey
, ED25519_BLINDED_PUBLIC_KEYS
[i
]);
2694 tt_mem_op(blind_pk
.pubkey
, OP_EQ
, blind_keypair
.pubkey
.pubkey
, 32);
2700 tor_free(mem_op_hex_tmp
);
2704 test_crypto_ed25519_storage(void *arg
)
2707 ed25519_keypair_t
*keypair
= NULL
;
2708 ed25519_public_key_t pub
;
2709 ed25519_secret_key_t sec
;
2710 char *fname_1
= tor_strdup(get_fname("ed_seckey_1"));
2711 char *fname_2
= tor_strdup(get_fname("ed_pubkey_2"));
2712 char *contents
= NULL
;
2715 keypair
= tor_malloc_zero(sizeof(ed25519_keypair_t
));
2716 tt_int_op(0,OP_EQ
,ed25519_keypair_generate(keypair
, 0));
2718 ed25519_seckey_write_to_file(&keypair
->seckey
, fname_1
, "foo"));
2720 ed25519_pubkey_write_to_file(&keypair
->pubkey
, fname_2
, "bar"));
2722 tt_int_op(-1, OP_EQ
, ed25519_pubkey_read_from_file(&pub
, &tag
, fname_1
));
2723 tt_ptr_op(tag
, OP_EQ
, NULL
);
2724 tt_int_op(-1, OP_EQ
, ed25519_seckey_read_from_file(&sec
, &tag
, fname_2
));
2725 tt_ptr_op(tag
, OP_EQ
, NULL
);
2727 tt_int_op(0, OP_EQ
, ed25519_pubkey_read_from_file(&pub
, &tag
, fname_2
));
2728 tt_str_op(tag
, OP_EQ
, "bar");
2730 tt_int_op(0, OP_EQ
, ed25519_seckey_read_from_file(&sec
, &tag
, fname_1
));
2731 tt_str_op(tag
, OP_EQ
, "foo");
2734 /* whitebox test: truncated keys. */
2735 tt_int_op(0, OP_EQ
, do_truncate(fname_1
, 40));
2736 tt_int_op(0, OP_EQ
, do_truncate(fname_2
, 40));
2737 tt_int_op(-1, OP_EQ
, ed25519_pubkey_read_from_file(&pub
, &tag
, fname_2
));
2738 tt_ptr_op(tag
, OP_EQ
, NULL
);
2740 tt_int_op(-1, OP_EQ
, ed25519_seckey_read_from_file(&sec
, &tag
, fname_1
));
2741 tt_ptr_op(tag
, OP_EQ
, NULL
);
2748 ed25519_keypair_free(keypair
);
2752 test_crypto_siphash(void *arg
)
2754 /* From the reference implementation, taking
2756 and in = 00; 00 01; 00 01 02; ...
2758 const uint8_t VECTORS
[64][8] =
2760 { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
2761 { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
2762 { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
2763 { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
2764 { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
2765 { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
2766 { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
2767 { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
2768 { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
2769 { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
2770 { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
2771 { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
2772 { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
2773 { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
2774 { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
2775 { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
2776 { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
2777 { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
2778 { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
2779 { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
2780 { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
2781 { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
2782 { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
2783 { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
2784 { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
2785 { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
2786 { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
2787 { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
2788 { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
2789 { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
2790 { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
2791 { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
2792 { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
2793 { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
2794 { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
2795 { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
2796 { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
2797 { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
2798 { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
2799 { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
2800 { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
2801 { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
2802 { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
2803 { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
2804 { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
2805 { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
2806 { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
2807 { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
2808 { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
2809 { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
2810 { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
2811 { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
2812 { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
2813 { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
2814 { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
2815 { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
2816 { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
2817 { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
2818 { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
2819 { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
2820 { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
2821 { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
2822 { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
2823 { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
2826 const struct sipkey K
= { UINT64_C(0x0706050403020100),
2827 UINT64_C(0x0f0e0d0c0b0a0908) };
2833 for (i
= 0; i
< 64; ++i
)
2836 for (i
= 0; i
< 64; ++i
) {
2837 uint64_t r
= siphash24(input
, i
, &K
);
2838 for (j
= 0; j
< 8; ++j
) {
2839 tt_int_op( (r
>> (j
*8)) & 0xff, OP_EQ
, VECTORS
[i
][j
]);
2847 /* We want the likelihood that the random buffer exhibits any regular pattern
2848 * to be far less than the memory bit error rate in the int return value.
2849 * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call
2850 * 3 functions, leading to an overall error rate of 1/10^616.
2851 * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range.
2853 #define FAILURE_MODE_BUFFER_SIZE (2048/8)
2855 /** Check crypto_rand for a failure mode where it does nothing to the buffer,
2856 * or it sets the buffer to all zeroes. Return 0 when the check passes,
2857 * or -1 when it fails. */
2859 crypto_rand_check_failure_mode_zero(void)
2861 char buf
[FAILURE_MODE_BUFFER_SIZE
];
2863 memset(buf
, 0, FAILURE_MODE_BUFFER_SIZE
);
2864 crypto_rand(buf
, FAILURE_MODE_BUFFER_SIZE
);
2866 for (size_t i
= 0; i
< FAILURE_MODE_BUFFER_SIZE
; i
++) {
2875 /** Check crypto_rand for a failure mode where every int64_t in the buffer is
2876 * the same. Return 0 when the check passes, or -1 when it fails. */
2878 crypto_rand_check_failure_mode_identical(void)
2880 /* just in case the buffer size isn't a multiple of sizeof(int64_t) */
2881 #define FAILURE_MODE_BUFFER_SIZE_I64 \
2882 (FAILURE_MODE_BUFFER_SIZE/8)
2883 #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \
2884 (FAILURE_MODE_BUFFER_SIZE_I64*8)
2886 #if FAILURE_MODE_BUFFER_SIZE_I64 < 2
2887 #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*8
2890 int64_t buf
[FAILURE_MODE_BUFFER_SIZE_I64
];
2892 memset(buf
, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES
);
2893 crypto_rand((char *)buf
, FAILURE_MODE_BUFFER_SIZE_I64_BYTES
);
2895 for (size_t i
= 1; i
< FAILURE_MODE_BUFFER_SIZE_I64
; i
++) {
2896 if (buf
[i
] != buf
[i
-1]) {
2904 /** Check crypto_rand for a failure mode where it increments the "random"
2905 * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.)
2906 * Return 0 when the check passes, or -1 when it fails. */
2908 crypto_rand_check_failure_mode_predict(void)
2910 unsigned char buf
[FAILURE_MODE_BUFFER_SIZE
];
2912 memset(buf
, 0, FAILURE_MODE_BUFFER_SIZE
);
2913 crypto_rand((char *)buf
, FAILURE_MODE_BUFFER_SIZE
);
2915 for (size_t i
= 1; i
< FAILURE_MODE_BUFFER_SIZE
; i
++) {
2916 /* check if the last byte was incremented by 1, including integer
2918 if (buf
[i
] - buf
[i
-1] != 1 && buf
[i
-1] - buf
[i
] != 255) {
2926 #undef FAILURE_MODE_BUFFER_SIZE
2928 /** Test that our ed25519 validation function rejects evil public keys and
2929 * accepts good ones. */
2931 test_crypto_ed25519_validation(void *arg
)
2936 ed25519_public_key_t pub1
;
2938 /* See https://lists.torproject.org/pipermail/tor-dev/2017-April/012230.html
2939 for a list of points with torsion components in ed25519. */
2941 { /* Point with torsion component (order 8l) */
2942 const char badkey
[] =
2943 "300ef2e64e588e1df55b48e4da0416ffb64cc85d5b00af6463d5cc6c2b1c185e";
2944 retval
= base16_decode((char*)pub1
.pubkey
, sizeof(pub1
.pubkey
),
2945 badkey
, strlen(badkey
));
2946 tt_int_op(retval
, OP_EQ
, sizeof(pub1
.pubkey
));
2947 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, -1);
2950 { /* Point with torsion component (order 4l) */
2951 const char badkey
[] =
2952 "f43e3a046db8749164c6e69b193f1e942c7452e7d888736f40b98093d814d5e7";
2953 retval
= base16_decode((char*)pub1
.pubkey
, sizeof(pub1
.pubkey
),
2954 badkey
, strlen(badkey
));
2955 tt_int_op(retval
, OP_EQ
, sizeof(pub1
.pubkey
));
2956 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, -1);
2959 { /* Point with torsion component (order 2l) */
2960 const char badkey
[] =
2961 "c9fff3af0471c28e33e98c2043e44f779d0427b1e37c521a6bddc011ed1869af";
2962 retval
= base16_decode((char*)pub1
.pubkey
, sizeof(pub1
.pubkey
),
2963 badkey
, strlen(badkey
));
2964 tt_int_op(retval
, OP_EQ
, sizeof(pub1
.pubkey
));
2965 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, -1);
2968 { /* This point is not even on the curve */
2969 const char badkey
[] =
2970 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2971 retval
= base16_decode((char*)pub1
.pubkey
, sizeof(pub1
.pubkey
),
2972 badkey
, strlen(badkey
));
2973 tt_int_op(retval
, OP_EQ
, sizeof(pub1
.pubkey
));
2974 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, -1);
2977 { /* This one is a good key */
2978 const char goodkey
[] =
2979 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2980 retval
= base16_decode((char*)pub1
.pubkey
, sizeof(pub1
.pubkey
),
2981 goodkey
, strlen(goodkey
));
2982 tt_int_op(retval
, OP_EQ
, sizeof(pub1
.pubkey
));
2983 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, 0);
2990 test_crypto_failure_modes(void *arg
)
2995 rv
= crypto_early_init();
2996 tt_int_op(rv
, OP_EQ
, 0);
2998 /* Check random works */
2999 rv
= crypto_rand_check_failure_mode_zero();
3000 tt_int_op(rv
, OP_EQ
, 0);
3002 rv
= crypto_rand_check_failure_mode_identical();
3003 tt_int_op(rv
, OP_EQ
, 0);
3005 rv
= crypto_rand_check_failure_mode_predict();
3006 tt_int_op(rv
, OP_EQ
, 0);
3013 #define CRYPTO_LEGACY(name) \
3014 { #name, test_crypto_ ## name , 0, NULL, NULL }
3016 #define ED25519_TEST_ONE(name, fl, which) \
3017 { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
3018 &ed25519_test_setup, (void*)which }
3020 #define ED25519_TEST(name, fl) \
3021 ED25519_TEST_ONE(name, (fl), "donna"), \
3022 ED25519_TEST_ONE(name, (fl), "ref10")
3023 #endif /* !defined(COCCI) */
3025 struct testcase_t crypto_tests
[] = {
3026 CRYPTO_LEGACY(formats
),
3027 { "openssl_version", test_crypto_openssl_version
, TT_FORK
, NULL
, NULL
},
3028 { "aes_AES", test_crypto_aes128
, TT_FORK
, &passthrough_setup
, (void*)"aes" },
3029 { "aes_EVP", test_crypto_aes128
, TT_FORK
, &passthrough_setup
, (void*)"evp" },
3030 { "aes128_ctr_testvec", test_crypto_aes_ctr_testvec
, 0,
3031 &passthrough_setup
, (void*)"128" },
3032 { "aes192_ctr_testvec", test_crypto_aes_ctr_testvec
, 0,
3033 &passthrough_setup
, (void*)"192" },
3034 { "aes256_ctr_testvec", test_crypto_aes_ctr_testvec
, 0,
3035 &passthrough_setup
, (void*)"256" },
3038 { "pk_fingerprints", test_crypto_pk_fingerprints
, TT_FORK
, NULL
, NULL
},
3039 { "pk_base64", test_crypto_pk_base64
, TT_FORK
, NULL
, NULL
},
3040 { "pk_pem_encrypted", test_crypto_pk_pem_encrypted
, TT_FORK
, NULL
, NULL
},
3041 { "pk_bad_size", test_crypto_pk_bad_size
, 0, NULL
, NULL
},
3042 { "pk_invalid_private_key", test_crypto_pk_invalid_private_key
, 0,
3044 CRYPTO_LEGACY(digests
),
3045 { "digest_names", test_crypto_digest_names
, 0, NULL
, NULL
},
3046 { "sha3", test_crypto_sha3
, TT_FORK
, NULL
, NULL
},
3047 { "sha3_xof", test_crypto_sha3_xof
, TT_FORK
, NULL
, NULL
},
3048 { "mac_sha3", test_crypto_mac_sha3
, TT_FORK
, NULL
, NULL
},
3050 { "aes_iv_AES", test_crypto_aes_iv
, TT_FORK
, &passthrough_setup
,
3052 { "aes_iv_EVP", test_crypto_aes_iv
, TT_FORK
, &passthrough_setup
,
3054 CRYPTO_LEGACY(base32_decode
),
3055 { "kdf_TAP", test_crypto_kdf_TAP
, 0, NULL
, NULL
},
3056 { "hkdf_sha256", test_crypto_hkdf_sha256
, 0, NULL
, NULL
},
3057 { "hkdf_sha256_testvecs", test_crypto_hkdf_sha256_testvecs
, 0, NULL
, NULL
},
3058 { "curve25519_impl", test_crypto_curve25519_impl
, 0, NULL
, NULL
},
3059 { "curve25519_impl_hibit", test_crypto_curve25519_impl
, 0, NULL
, (void*)"y"},
3060 { "curve25516_testvec", test_crypto_curve25519_testvec
, 0, NULL
, NULL
},
3061 { "curve25519_basepoint",
3062 test_crypto_curve25519_basepoint
, TT_FORK
, NULL
, NULL
},
3063 { "curve25519_wrappers", test_crypto_curve25519_wrappers
, 0, NULL
, NULL
},
3064 { "curve25519_encode", test_crypto_curve25519_encode
, 0, NULL
, NULL
},
3065 { "curve25519_persist", test_crypto_curve25519_persist
, 0, NULL
, NULL
},
3066 ED25519_TEST(simple
, 0),
3067 ED25519_TEST(test_vectors
, 0),
3068 ED25519_TEST(encode
, 0),
3069 ED25519_TEST(convert
, 0),
3070 ED25519_TEST(blinding
, 0),
3071 ED25519_TEST(blinding_fail
, 0),
3072 ED25519_TEST(testvectors
, 0),
3073 ED25519_TEST(validation
, 0),
3074 { "ed25519_storage", test_crypto_ed25519_storage
, 0, NULL
, NULL
},
3075 { "siphash", test_crypto_siphash
, 0, NULL
, NULL
},
3076 { "failure_modes", test_crypto_failure_modes
, TT_FORK
, NULL
, NULL
},