search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge remote-tracking branch 'tor-github/pr/392' into maint-0.2.9
[tor.git] / src / test / test_crypto_slow.c
blob0be58c93893acdf22801db3c2a86c6416f8e44a6
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2016, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5
6 #include "orconfig.h"
7 #define CRYPTO_S2K_PRIVATE
8 #include "or.h"
9 #include "test.h"
10 #include "crypto_s2k.h"
11 #include "crypto_pwbox.h"
12
13 #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
14 #define HAVE_LIBSCRYPT
15 #include <libscrypt.h>
16 #endif
17
18 #include <openssl/evp.h>
19
20 /** Run unit tests for our secret-to-key passphrase hashing functionality. */
21 static void
22 test_crypto_s2k_rfc2440(void *arg)
23 {
24 char buf[29];
25 char buf2[29];
26 char *buf3 = NULL;
27 int i;
28
29 (void)arg;
30 memset(buf, 0, sizeof(buf));
31 memset(buf2, 0, sizeof(buf2));
32 buf3 = tor_malloc(65536);
33 memset(buf3, 0, 65536);
34
35 secret_to_key_rfc2440(buf+9, 20, "", 0, buf);
36 crypto_digest(buf2+9, buf3, 1024);
37 tt_mem_op(buf,OP_EQ, buf2, 29);
38
39 memcpy(buf,"vrbacrda",8);
40 memcpy(buf2,"vrbacrda",8);
41 buf[8] = 96;
42 buf2[8] = 96;
43 secret_to_key_rfc2440(buf+9, 20, "12345678", 8, buf);
44 for (i = 0; i < 65536; i += 16) {
45 memcpy(buf3+i, "vrbacrda12345678", 16);
46 }
47 crypto_digest(buf2+9, buf3, 65536);
48 tt_mem_op(buf,OP_EQ, buf2, 29);
49
50 done:
51 tor_free(buf3);
52 }
53
54 static void
55 run_s2k_tests(const unsigned flags, const unsigned type,
56 int speclen, const int keylen, int legacy)
57 {
58 uint8_t buf[S2K_MAXLEN], buf2[S2K_MAXLEN], buf3[S2K_MAXLEN];
59 int r;
60 size_t sz;
61 const char pw1[] = "You can't come in here unless you say swordfish!";
62 const char pw2[] = "Now, I give you one more guess.";
63
64 r = secret_to_key_new(buf, sizeof(buf), &sz,
65 pw1, strlen(pw1), flags);
66 tt_int_op(r, OP_EQ, S2K_OKAY);
67 tt_int_op(buf[0], OP_EQ, type);
68
69 tt_int_op(sz, OP_EQ, keylen + speclen);
70
71 if (legacy) {
72 memmove(buf, buf+1, sz-1);
73 --sz;
74 --speclen;
75 }
76
77 tt_int_op(S2K_OKAY, OP_EQ,
78 secret_to_key_check(buf, sz, pw1, strlen(pw1)));
79
80 tt_int_op(S2K_BAD_SECRET, OP_EQ,
81 secret_to_key_check(buf, sz, pw2, strlen(pw2)));
82
83 /* Move key to buf2, and clear it. */
84 memset(buf3, 0, sizeof(buf3));
85 memcpy(buf2, buf+speclen, keylen);
86 memset(buf+speclen, 0, sz - speclen);
87
88 /* Derivekey should produce the same results. */
89 tt_int_op(S2K_OKAY, OP_EQ,
90 secret_to_key_derivekey(buf3, keylen, buf, speclen, pw1, strlen(pw1)));
91
92 tt_mem_op(buf2, OP_EQ, buf3, keylen);
93
94 /* Derivekey with a longer output should fill the output. */
95 memset(buf2, 0, sizeof(buf2));
96 tt_int_op(S2K_OKAY, OP_EQ,
97 secret_to_key_derivekey(buf2, sizeof(buf2), buf, speclen,
98 pw1, strlen(pw1)));
99
100 tt_mem_op(buf2, OP_NE, buf3, sizeof(buf2));
101
102 memset(buf3, 0, sizeof(buf3));
103 tt_int_op(S2K_OKAY, OP_EQ,
104 secret_to_key_derivekey(buf3, sizeof(buf3), buf, speclen,
105 pw1, strlen(pw1)));
106 tt_mem_op(buf2, OP_EQ, buf3, sizeof(buf3));
107 tt_assert(!tor_mem_is_zero((char*)buf2+keylen, sizeof(buf2)-keylen));
108
109 done:
110 ;
111 }
112
113 static void
114 test_crypto_s2k_general(void *arg)
115 {
116 const char *which = arg;
117
118 if (!strcmp(which, "scrypt")) {
119 run_s2k_tests(0, 2, 19, 32, 0);
120 } else if (!strcmp(which, "scrypt-low")) {
121 run_s2k_tests(S2K_FLAG_LOW_MEM, 2, 19, 32, 0);
122 } else if (!strcmp(which, "pbkdf2")) {
123 run_s2k_tests(S2K_FLAG_USE_PBKDF2, 1, 18, 20, 0);
124 } else if (!strcmp(which, "rfc2440")) {
125 run_s2k_tests(S2K_FLAG_NO_SCRYPT, 0, 10, 20, 0);
126 } else if (!strcmp(which, "rfc2440-legacy")) {
127 run_s2k_tests(S2K_FLAG_NO_SCRYPT, 0, 10, 20, 1);
128 } else {
129 tt_fail();
130 }
131 }
132
133 #if defined(HAVE_LIBSCRYPT) && defined(HAVE_EVP_PBE_SCRYPT)
134 static void
135 test_libscrypt_eq_openssl(void *arg)
136 {
137 uint8_t buf1[64];
138 uint8_t buf2[64];
139
140 uint64_t N;
141 uint32_t r, p;
142 uint64_t maxmem = 0; // --> SCRYPT_MAX_MEM in OpenSSL.
143
144 int libscrypt_retval, openssl_retval;
145
146 size_t dk_len = 64;
147
148 (void)arg;
149
150 memset(buf1,0,64);
151 memset(buf2,0,64);
152
153 /* NOTE: we're using N,r the way OpenSSL and libscrypt define them,
154 * not the way draft-josefsson-scrypt-kdf-00.txt define them.
155 */
156 N = 16;
157 r = 1;
158 p = 1;
159
160 libscrypt_retval =
161 libscrypt_scrypt((const uint8_t *)"", 0, (const uint8_t *)"", 0,
162 N, r, p, buf1, dk_len);
163 openssl_retval =
164 EVP_PBE_scrypt((const char *)"", 0, (const unsigned char *)"", 0,
165 N, r, p, maxmem, buf2, dk_len);
166
167 tt_int_op(libscrypt_retval, ==, 0);
168 tt_int_op(openssl_retval, ==, 1);
169
170 tt_mem_op(buf1, ==, buf2, 64);
171
172 memset(buf1,0,64);
173 memset(buf2,0,64);
174
175 N = 1024;
176 r = 8;
177 p = 16;
178
179 libscrypt_retval =
180 libscrypt_scrypt((const uint8_t *)"password", strlen("password"),
181 (const uint8_t *)"NaCl", strlen("NaCl"),
182 N, r, p, buf1, dk_len);
183 openssl_retval =
184 EVP_PBE_scrypt((const char *)"password", strlen("password"),
185 (const unsigned char *)"NaCl", strlen("NaCl"),
186 N, r, p, maxmem, buf2, dk_len);
187
188 tt_int_op(libscrypt_retval, ==, 0);
189 tt_int_op(openssl_retval, ==, 1);
190
191 tt_mem_op(buf1, ==, buf2, 64);
192
193 memset(buf1,0,64);
194 memset(buf2,0,64);
195
196 N = 16384;
197 r = 8;
198 p = 1;
199
200 libscrypt_retval =
201 libscrypt_scrypt((const uint8_t *)"pleaseletmein",
202 strlen("pleaseletmein"),
203 (const uint8_t *)"SodiumChloride",
204 strlen("SodiumChloride"),
205 N, r, p, buf1, dk_len);
206 openssl_retval =
207 EVP_PBE_scrypt((const char *)"pleaseletmein",
208 strlen("pleaseletmein"),
209 (const unsigned char *)"SodiumChloride",
210 strlen("SodiumChloride"),
211 N, r, p, maxmem, buf2, dk_len);
212
213 tt_int_op(libscrypt_retval, ==, 0);
214 tt_int_op(openssl_retval, ==, 1);
215
216 tt_mem_op(buf1, ==, buf2, 64);
217
218 memset(buf1,0,64);
219 memset(buf2,0,64);
220
221 N = 1048576;
222 maxmem = 2 * 1024 * 1024 * (uint64_t)1024; // 2 GB
223
224 libscrypt_retval =
225 libscrypt_scrypt((const uint8_t *)"pleaseletmein",
226 strlen("pleaseletmein"),
227 (const uint8_t *)"SodiumChloride",
228 strlen("SodiumChloride"),
229 N, r, p, buf1, dk_len);
230 openssl_retval =
231 EVP_PBE_scrypt((const char *)"pleaseletmein",
232 strlen("pleaseletmein"),
233 (const unsigned char *)"SodiumChloride",
234 strlen("SodiumChloride"),
235 N, r, p, maxmem, buf2, dk_len);
236
237 tt_int_op(libscrypt_retval, ==, 0);
238 tt_int_op(openssl_retval, ==, 1);
239
240 tt_mem_op(buf1, ==, buf2, 64);
241
242 done:
243 return;
244 }
245 #endif
246
247 static void
248 test_crypto_s2k_errors(void *arg)
249 {
250 uint8_t buf[S2K_MAXLEN], buf2[S2K_MAXLEN];
251 size_t sz;
252
253 (void)arg;
254
255 /* Bogus specifiers: simple */
256 tt_int_op(S2K_BAD_LEN, OP_EQ,
257 secret_to_key_derivekey(buf, sizeof(buf),
258 (const uint8_t*)"", 0, "ABC", 3));
259 tt_int_op(S2K_BAD_ALGORITHM, OP_EQ,
260 secret_to_key_derivekey(buf, sizeof(buf),
261 (const uint8_t*)"\x10", 1, "ABC", 3));
262 tt_int_op(S2K_BAD_LEN, OP_EQ,
263 secret_to_key_derivekey(buf, sizeof(buf),
264 (const uint8_t*)"\x01\x02", 2, "ABC", 3));
265
266 tt_int_op(S2K_BAD_LEN, OP_EQ,
267 secret_to_key_check((const uint8_t*)"", 0, "ABC", 3));
268 tt_int_op(S2K_BAD_ALGORITHM, OP_EQ,
269 secret_to_key_check((const uint8_t*)"\x10", 1, "ABC", 3));
270 tt_int_op(S2K_BAD_LEN, OP_EQ,
271 secret_to_key_check((const uint8_t*)"\x01\x02", 2, "ABC", 3));
272
273 /* too long gets "BAD_LEN" too */
274 memset(buf, 0, sizeof(buf));
275 buf[0] = 2;
276 tt_int_op(S2K_BAD_LEN, OP_EQ,
277 secret_to_key_derivekey(buf2, sizeof(buf2),
278 buf, sizeof(buf), "ABC", 3));
279
280 /* Truncated output */
281 #ifdef HAVE_LIBSCRYPT
282 tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_new(buf, 50, &sz,
283 "ABC", 3, 0));
284 tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_new(buf, 50, &sz,
285 "ABC", 3, S2K_FLAG_LOW_MEM));
286 #endif
287 tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_new(buf, 37, &sz,
288 "ABC", 3, S2K_FLAG_USE_PBKDF2));
289 tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_new(buf, 29, &sz,
290 "ABC", 3, S2K_FLAG_NO_SCRYPT));
291
292 #ifdef HAVE_LIBSCRYPT
293 tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_make_specifier(buf, 18, 0));
294 tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_make_specifier(buf, 18,
295 S2K_FLAG_LOW_MEM));
296 #endif
297 tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_make_specifier(buf, 17,
298 S2K_FLAG_USE_PBKDF2));
299 tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_make_specifier(buf, 9,
300 S2K_FLAG_NO_SCRYPT));
301
302 /* Now try using type-specific bogus specifiers. */
303
304 /* It's a bad pbkdf2 buffer if it has an iteration count that would overflow
305 * int32_t. */
306 memset(buf, 0, sizeof(buf));
307 buf[0] = 1; /* pbkdf2 */
308 buf[17] = 100; /* 1<<100 is much bigger than INT32_MAX */
309 tt_int_op(S2K_BAD_PARAMS, OP_EQ,
310 secret_to_key_derivekey(buf2, sizeof(buf2),
311 buf, 18, "ABC", 3));
312
313 #ifdef HAVE_LIBSCRYPT
314 /* It's a bad scrypt buffer if N would overflow uint64 */
315 memset(buf, 0, sizeof(buf));
316 buf[0] = 2; /* scrypt */
317 buf[17] = 100; /* 1<<100 is much bigger than UINT64_MAX */
318 tt_int_op(S2K_BAD_PARAMS, OP_EQ,
319 secret_to_key_derivekey(buf2, sizeof(buf2),
320 buf, 19, "ABC", 3));
321 #endif
322
323 done:
324 ;
325 }
326
327 static void
328 test_crypto_scrypt_vectors(void *arg)
329 {
330 char *mem_op_hex_tmp = NULL;
331 uint8_t spec[64], out[64];
332
333 (void)arg;
334 #ifndef HAVE_LIBSCRYPT
335 if (1)
336 tt_skip();
337 #endif
338
339 /* Test vectors from
340 http://tools.ietf.org/html/draft-josefsson-scrypt-kdf-00 section 11.
341
342 Note that the names of 'r' and 'N' are switched in that section. Or
343 possibly in libscrypt.
344 */
345
346 base16_decode((char*)spec, sizeof(spec),
347 "0400", 4);
348 memset(out, 0x00, sizeof(out));
349 tt_int_op(64, OP_EQ,
350 secret_to_key_compute_key(out, 64, spec, 2, "", 0, 2));
351 test_memeq_hex(out,
352 "77d6576238657b203b19ca42c18a0497"
353 "f16b4844e3074ae8dfdffa3fede21442"
354 "fcd0069ded0948f8326a753a0fc81f17"
355 "e8d3e0fb2e0d3628cf35e20c38d18906");
356
357 base16_decode((char*)spec, sizeof(spec),
358 "4e61436c" "0A34", 12);
359 memset(out, 0x00, sizeof(out));
360 tt_int_op(64, OP_EQ,
361 secret_to_key_compute_key(out, 64, spec, 6, "password", 8, 2));
362 test_memeq_hex(out,
363 "fdbabe1c9d3472007856e7190d01e9fe"
364 "7c6ad7cbc8237830e77376634b373162"
365 "2eaf30d92e22a3886ff109279d9830da"
366 "c727afb94a83ee6d8360cbdfa2cc0640");
367
368 base16_decode((char*)spec, sizeof(spec),
369 "536f6469756d43686c6f72696465" "0e30", 32);
370 memset(out, 0x00, sizeof(out));
371 tt_int_op(64, OP_EQ,
372 secret_to_key_compute_key(out, 64, spec, 16,
373 "pleaseletmein", 13, 2));
374 test_memeq_hex(out,
375 "7023bdcb3afd7348461c06cd81fd38eb"
376 "fda8fbba904f8e3ea9b543f6545da1f2"
377 "d5432955613f0fcf62d49705242a9af9"
378 "e61e85dc0d651e40dfcf017b45575887");
379
380 base16_decode((char*)spec, sizeof(spec),
381 "536f6469756d43686c6f72696465" "1430", 32);
382 memset(out, 0x00, sizeof(out));
383 tt_int_op(64, OP_EQ,
384 secret_to_key_compute_key(out, 64, spec, 16,
385 "pleaseletmein", 13, 2));
386 test_memeq_hex(out,
387 "2101cb9b6a511aaeaddbbe09cf70f881"
388 "ec568d574a2ffd4dabe5ee9820adaa47"
389 "8e56fd8f4ba5d09ffa1c6d927c40f4c3"
390 "37304049e8a952fbcbf45c6fa77a41a4");
391
392 done:
393 tor_free(mem_op_hex_tmp);
394 }
395
396 static void
397 test_crypto_pbkdf2_vectors(void *arg)
398 {
399 char *mem_op_hex_tmp = NULL;
400 uint8_t spec[64], out[64];
401 (void)arg;
402
403 /* Test vectors from RFC6070, section 2 */
404 base16_decode((char*)spec, sizeof(spec),
405 "73616c74" "00" , 10);
406 memset(out, 0x00, sizeof(out));
407 tt_int_op(20, OP_EQ,
408 secret_to_key_compute_key(out, 20, spec, 5, "password", 8, 1));
409 test_memeq_hex(out, "0c60c80f961f0e71f3a9b524af6012062fe037a6");
410
411 base16_decode((char*)spec, sizeof(spec),
412 "73616c74" "01" , 10);
413 memset(out, 0x00, sizeof(out));
414 tt_int_op(20, OP_EQ,
415 secret_to_key_compute_key(out, 20, spec, 5, "password", 8, 1));
416 test_memeq_hex(out, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957");
417
418 base16_decode((char*)spec, sizeof(spec),
419 "73616c74" "0C" , 10);
420 memset(out, 0x00, sizeof(out));
421 tt_int_op(20, OP_EQ,
422 secret_to_key_compute_key(out, 20, spec, 5, "password", 8, 1));
423 test_memeq_hex(out, "4b007901b765489abead49d926f721d065a429c1");
424
425 /* This is the very slow one here. When enabled, it accounts for roughly
426 * half the time spent in test-slow. */
427 /*
428 base16_decode((char*)spec, sizeof(spec),
429 "73616c74" "18" , 10);
430 memset(out, 0x00, sizeof(out));
431 tt_int_op(20, OP_EQ,
432 secret_to_key_compute_key(out, 20, spec, 5, "password", 8, 1));
433 test_memeq_hex(out, "eefe3d61cd4da4e4e9945b3d6ba2158c2634e984");
434 */
435
436 base16_decode((char*)spec, sizeof(spec),
437 "73616c7453414c5473616c7453414c5473616c745"
438 "3414c5473616c7453414c5473616c74" "0C" , 74);
439 memset(out, 0x00, sizeof(out));
440 tt_int_op(25, OP_EQ,
441 secret_to_key_compute_key(out, 25, spec, 37,
442 "passwordPASSWORDpassword", 24, 1));
443 test_memeq_hex(out, "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038");
444
445 base16_decode((char*)spec, sizeof(spec),
446 "7361006c74" "0c" , 12);
447 memset(out, 0x00, sizeof(out));
448 tt_int_op(16, OP_EQ,
449 secret_to_key_compute_key(out, 16, spec, 6, "pass\0word", 9, 1));
450 test_memeq_hex(out, "56fa6aa75548099dcc37d7f03425e0c3");
451
452 done:
453 tor_free(mem_op_hex_tmp);
454 }
455
456 static void
457 test_crypto_pwbox(void *arg)
458 {
459 uint8_t *boxed=NULL, *decoded=NULL;
460 size_t len, dlen;
461 unsigned i;
462 const char msg[] = "This bunny reminds you that you still have a "
463 "salamander in your sylladex. She is holding the bunny Dave got you. "
464 "It’s sort of uncanny how similar they are, aside from the knitted "
465 "enhancements. Seriously, what are the odds?? So weird.";
466 const char pw[] = "I'm a night owl and a wise bird too";
467
468 const unsigned flags[] = { 0,
469 S2K_FLAG_NO_SCRYPT,
470 S2K_FLAG_LOW_MEM,
471 S2K_FLAG_NO_SCRYPT|S2K_FLAG_LOW_MEM,
472 S2K_FLAG_USE_PBKDF2 };
473 (void)arg;
474
475 for (i = 0; i < ARRAY_LENGTH(flags); ++i) {
476 tt_int_op(0, OP_EQ, crypto_pwbox(&boxed, &len,
477 (const uint8_t*)msg, strlen(msg),
478 pw, strlen(pw), flags[i]));
479 tt_assert(boxed);
480 tt_assert(len > 128+32);
481
482 tt_int_op(0, OP_EQ, crypto_unpwbox(&decoded, &dlen, boxed, len,
483 pw, strlen(pw)));
484
485 tt_assert(decoded);
486 tt_uint_op(dlen, OP_EQ, strlen(msg));
487 tt_mem_op(decoded, OP_EQ, msg, dlen);
488
489 tor_free(decoded);
490
491 tt_int_op(UNPWBOX_BAD_SECRET, OP_EQ, crypto_unpwbox(&decoded, &dlen,
492 boxed, len,
493 pw, strlen(pw)-1));
494 boxed[len-1] ^= 1;
495 tt_int_op(UNPWBOX_BAD_SECRET, OP_EQ, crypto_unpwbox(&decoded, &dlen,
496 boxed, len,
497 pw, strlen(pw)));
498 boxed[0] = 255;
499 tt_int_op(UNPWBOX_CORRUPTED, OP_EQ, crypto_unpwbox(&decoded, &dlen,
500 boxed, len,
501 pw, strlen(pw)));
502
503 tor_free(boxed);
504 }
505
506 done:
507 tor_free(boxed);
508 tor_free(decoded);
509 }
510
511 static void
512 test_crypto_ed25519_fuzz_donna(void *arg)
513 {
514 const unsigned iters = 1024;
515 uint8_t msg[1024];
516 unsigned i;
517 (void)arg;
518
519 tt_assert(sizeof(msg) == iters);
520 crypto_rand((char*) msg, sizeof(msg));
521
522 /* Fuzz Ed25519-donna vs ref10, alternating the implementation used to
523 * generate keys/sign per iteration.
524 */
525 for (i = 0; i < iters; ++i) {
526 const int use_donna = i & 1;
527 uint8_t blinding[32];
528 curve25519_keypair_t ckp;
529 ed25519_keypair_t kp, kp_blind, kp_curve25519;
530 ed25519_public_key_t pk, pk_blind, pk_curve25519;
531 ed25519_signature_t sig, sig_blind;
532 int bit = 0;
533
534 crypto_rand((char*) blinding, sizeof(blinding));
535
536 /* Impl. A:
537 * 1. Generate a keypair.
538 * 2. Blinded the keypair.
539 * 3. Sign a message (unblinded).
540 * 4. Sign a message (blinded).
541 * 5. Generate a curve25519 keypair, and convert it to Ed25519.
542 */
543 ed25519_set_impl_params(use_donna);
544 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, i&1));
545 tt_int_op(0, OP_EQ, ed25519_keypair_blind(&kp_blind, &kp, blinding));
546 tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, i, &kp));
547 tt_int_op(0, OP_EQ, ed25519_sign(&sig_blind, msg, i, &kp_blind));
548
549 tt_int_op(0, OP_EQ, curve25519_keypair_generate(&ckp, i&1));
550 tt_int_op(0, OP_EQ, ed25519_keypair_from_curve25519_keypair(
551 &kp_curve25519, &bit, &ckp));
552
553 /* Impl. B:
554 * 1. Validate the public key by rederiving it.
555 * 2. Validate the blinded public key by rederiving it.
556 * 3. Validate the unblinded signature (and test a invalid signature).
557 * 4. Validate the blinded signature.
558 * 5. Validate the public key (from Curve25519) by rederiving it.
559 */
560 ed25519_set_impl_params(!use_donna);
561 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &kp.seckey));
562 tt_mem_op(pk.pubkey, OP_EQ, kp.pubkey.pubkey, 32);
563
564 tt_int_op(0, OP_EQ, ed25519_public_blind(&pk_blind, &kp.pubkey, blinding));
565 tt_mem_op(pk_blind.pubkey, OP_EQ, kp_blind.pubkey.pubkey, 32);
566
567 tt_int_op(0, OP_EQ, ed25519_checksig(&sig, msg, i, &pk));
568 sig.sig[0] ^= 15;
569 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig, msg, sizeof(msg), &pk));
570
571 tt_int_op(0, OP_EQ, ed25519_checksig(&sig_blind, msg, i, &pk_blind));
572
573 tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
574 &pk_curve25519, &ckp.pubkey, bit));
575 tt_mem_op(pk_curve25519.pubkey, OP_EQ, kp_curve25519.pubkey.pubkey, 32);
576 }
577
578 done:
579 ;
580 }
581
582 #define CRYPTO_LEGACY(name) \
583 { #name, test_crypto_ ## name , 0, NULL, NULL }
584
585 #define ED25519_TEST_ONE(name, fl, which) \
586 { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
587 &ed25519_test_setup, (void*)which }
588
589 #define ED25519_TEST(name, fl) \
590 ED25519_TEST_ONE(name, (fl), "donna"), \
591 ED25519_TEST_ONE(name, (fl), "ref10")
592
593 struct testcase_t slow_crypto_tests[] = {
594 CRYPTO_LEGACY(s2k_rfc2440),
595 #ifdef HAVE_LIBSCRYPT
596 { "s2k_scrypt", test_crypto_s2k_general, 0, &passthrough_setup,
597 (void*)"scrypt" },
598 { "s2k_scrypt_low", test_crypto_s2k_general, 0, &passthrough_setup,
599 (void*)"scrypt-low" },
600 #ifdef HAVE_EVP_PBE_SCRYPT
601 { "libscrypt_eq_openssl", test_libscrypt_eq_openssl, 0, NULL, NULL },
602 #endif
603 #endif
604 { "s2k_pbkdf2", test_crypto_s2k_general, 0, &passthrough_setup,
605 (void*)"pbkdf2" },
606 { "s2k_rfc2440_general", test_crypto_s2k_general, 0, &passthrough_setup,
607 (void*)"rfc2440" },
608 { "s2k_rfc2440_legacy", test_crypto_s2k_general, 0, &passthrough_setup,
609 (void*)"rfc2440-legacy" },
610 { "s2k_errors", test_crypto_s2k_errors, 0, NULL, NULL },
611 { "scrypt_vectors", test_crypto_scrypt_vectors, 0, NULL, NULL },
612 { "pbkdf2_vectors", test_crypto_pbkdf2_vectors, 0, NULL, NULL },
613 { "pwbox", test_crypto_pwbox, 0, NULL, NULL },
614 ED25519_TEST(fuzz_donna, TT_FORK),
615 END_OF_TESTCASES
616 };
617
The Onion Router