1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2018, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
7 #define CRYPTO_CURVE25519_PRIVATE
8 #define CRYPTO_RAND_PRIVATE
9 #include "core/or/or.h"
10 #include "test/test.h"
11 #include "lib/crypt_ops/aes.h"
13 #include "lib/crypt_ops/crypto_curve25519.h"
14 #include "lib/crypt_ops/crypto_dh.h"
15 #include "lib/crypt_ops/crypto_ed25519.h"
16 #include "lib/crypt_ops/crypto_format.h"
17 #include "lib/crypt_ops/crypto_hkdf.h"
18 #include "lib/crypt_ops/crypto_rand.h"
19 #include "lib/crypt_ops/crypto_init.h"
20 #include "ed25519_vectors.inc"
21 #include "test/log_test_helpers.h"
23 #ifdef HAVE_SYS_STAT_H
30 #if defined(ENABLE_OPENSSL)
31 #include "lib/crypt_ops/compat_openssl.h"
32 DISABLE_GCC_WARNING(redundant
-decls
)
33 #include <openssl/dh.h>
34 ENABLE_GCC_WARNING(redundant
-decls
)
37 /** Run unit tests for Diffie-Hellman functionality. */
39 test_crypto_dh(void *arg
)
41 crypto_dh_t
*dh1
= crypto_dh_new(DH_TYPE_CIRCUIT
);
42 crypto_dh_t
*dh1_dup
= NULL
;
43 crypto_dh_t
*dh2
= crypto_dh_new(DH_TYPE_CIRCUIT
);
44 char p1
[DH1024_KEY_LEN
];
45 char p2
[DH1024_KEY_LEN
];
46 char s1
[DH1024_KEY_LEN
];
47 char s2
[DH1024_KEY_LEN
];
50 crypto_dh_t
*dh3
= NULL
;
52 BIGNUM
*pubkey_tmp
= NULL
;
56 tt_int_op(crypto_dh_get_bytes(dh1
),OP_EQ
, DH1024_KEY_LEN
);
57 tt_int_op(crypto_dh_get_bytes(dh2
),OP_EQ
, DH1024_KEY_LEN
);
59 memset(p1
, 0, DH1024_KEY_LEN
);
60 memset(p2
, 0, DH1024_KEY_LEN
);
61 tt_mem_op(p1
,OP_EQ
, p2
, DH1024_KEY_LEN
);
63 tt_int_op(-1, OP_EQ
, crypto_dh_get_public(dh1
, p1
, 6)); /* too short */
65 tt_assert(! crypto_dh_get_public(dh1
, p1
, DH1024_KEY_LEN
));
66 tt_mem_op(p1
,OP_NE
, p2
, DH1024_KEY_LEN
);
67 tt_assert(! crypto_dh_get_public(dh2
, p2
, DH1024_KEY_LEN
));
68 tt_mem_op(p1
,OP_NE
, p2
, DH1024_KEY_LEN
);
70 memset(s1
, 0, DH1024_KEY_LEN
);
71 memset(s2
, 0xFF, DH1024_KEY_LEN
);
72 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p2
, DH1024_KEY_LEN
, s1
, 50);
73 s2len
= crypto_dh_compute_secret(LOG_WARN
, dh2
, p1
, DH1024_KEY_LEN
, s2
, 50);
75 tt_int_op(s1len
,OP_EQ
, s2len
);
76 tt_mem_op(s1
,OP_EQ
, s2
, s1len
);
78 /* test dh_dup; make sure it works the same. */
79 dh1_dup
= crypto_dh_dup(dh1
);
80 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1_dup
, p2
, DH1024_KEY_LEN
,
82 tt_i64_op(s1len
, OP_GE
, 0);
83 tt_mem_op(s1
,OP_EQ
, s2
, s1len
);
86 /* Now fabricate some bad values and make sure they get caught. */
88 /* 1 and 0 should both fail. */
89 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, "\x01", 1, s1
, 50);
90 tt_int_op(-1, OP_EQ
, s1len
);
92 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, "\x00", 1, s1
, 50);
93 tt_int_op(-1, OP_EQ
, s1len
);
95 memset(p1
, 0, DH1024_KEY_LEN
); /* 0 with padding. */
96 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
98 tt_int_op(-1, OP_EQ
, s1len
);
100 p1
[DH1024_KEY_LEN
-1] = 1; /* 1 with padding*/
101 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
103 tt_int_op(-1, OP_EQ
, s1len
);
105 /* 2 is okay, though weird. */
106 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, "\x02", 1, s1
, 50);
107 tt_int_op(50, OP_EQ
, s1len
);
109 /* 2 a second time is still okay, though weird. */
110 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, "\x02", 1, s1
, 50);
111 tt_int_op(50, OP_EQ
, s1len
);
114 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
115 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
116 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
117 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
118 "49286651ECE65381FFFFFFFFFFFFFFFF";
120 /* p-1, p, and so on are not okay. */
121 base16_decode(p1
, sizeof(p1
), P
, strlen(P
));
123 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
125 tt_int_op(-1, OP_EQ
, s1len
);
127 p1
[DH1024_KEY_LEN
-1] = 0xFE; /* p-1 */
128 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
130 tt_int_op(-1, OP_EQ
, s1len
);
132 p1
[DH1024_KEY_LEN
-1] = 0xFD; /* p-2 works fine */
133 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
135 tt_int_op(50, OP_EQ
, s1len
);
137 const char P_plus_one
[] =
138 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
139 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
140 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
141 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
142 "49286651ECE653820000000000000000";
144 base16_decode(p1
, sizeof(p1
), P_plus_one
, strlen(P_plus_one
));
146 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
148 tt_int_op(-1, OP_EQ
, s1len
);
150 p1
[DH1024_KEY_LEN
-1] = 0x01; /* p+2 */
151 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
153 tt_int_op(-1, OP_EQ
, s1len
);
155 p1
[DH1024_KEY_LEN
-1] = 0xff; /* p+256 */
156 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
158 tt_int_op(-1, OP_EQ
, s1len
);
160 memset(p1
, 0xff, DH1024_KEY_LEN
), /* 2^1024-1 */
161 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh1
, p1
, DH1024_KEY_LEN
,
163 tt_int_op(-1, OP_EQ
, s1len
);
167 /* provoke an error in the openssl DH_compute_key function; make sure we
169 tt_assert(! crypto_dh_get_public(dh1
, p1
, DH1024_KEY_LEN
));
172 dh2
= crypto_dh_new(DH_TYPE_CIRCUIT
); /* no private key set */
173 s1len
= crypto_dh_compute_secret(LOG_WARN
, dh2
,
176 tt_int_op(s1len
, OP_EQ
, -1);
179 #if defined(ENABLE_OPENSSL)
181 /* Make sure that our crypto library can handshake with openssl. */
182 dh3
= crypto_dh_new(DH_TYPE_TLS
);
183 tt_assert(!crypto_dh_get_public(dh3
, p1
, DH1024_KEY_LEN
));
185 dh4
= crypto_dh_new_openssl_tls();
186 tt_assert(DH_generate_key(dh4
));
187 const BIGNUM
*pk
=NULL
;
188 #ifdef OPENSSL_1_1_API
189 const BIGNUM
*sk
=NULL
;
190 DH_get0_key(dh4
, &pk
, &sk
);
195 tt_int_op(BN_num_bytes(pk
), OP_LE
, DH1024_KEY_LEN
);
196 tt_int_op(BN_num_bytes(pk
), OP_GT
, 0);
197 memset(p2
, 0, sizeof(p2
));
199 BN_bn2bin(pk
, (unsigned char *)(p2
+DH1024_KEY_LEN
-BN_num_bytes(pk
)));
201 s1len
= crypto_dh_handshake(LOG_WARN
, dh3
, p2
, DH1024_KEY_LEN
,
202 (unsigned char *)s1
, sizeof(s1
));
203 pubkey_tmp
= BN_bin2bn((unsigned char *)p1
, DH1024_KEY_LEN
, NULL
);
204 s2len
= DH_compute_key((unsigned char *)s2
, pubkey_tmp
, dh4
);
206 tt_int_op(s1len
, OP_EQ
, s2len
);
207 tt_int_op(s1len
, OP_GT
, 0);
208 tt_mem_op(s1
, OP_EQ
, s2
, s1len
);
215 crypto_dh_free(dh1_dup
);
216 #ifdef ENABLE_OPENSSL
226 test_crypto_openssl_version(void *arg
)
232 const char *version
= crypto_openssl_get_version_str();
233 const char *h_version
= crypto_openssl_get_header_version_str();
235 tt_assert(h_version
);
236 if (strcmpstart(version
, h_version
)) { /* "-fips" suffix, etc */
237 TT_DIE(("OpenSSL library version %s did not begin with header version %s.",
238 version
, h_version
));
240 if (strstr(version
, "OpenSSL")) {
241 TT_DIE(("assertion failed: !strstr(\"%s\", \"OpenSSL\")", version
));
244 if (!strcmpstart(version
, "LibreSSL") || !strcmpstart(version
, "BoringSSL"))
246 int r
= tor_sscanf(version
, "%d.%d.%d", &a
,&b
,&c
);
247 tt_int_op(r
, OP_EQ
, 3);
248 tt_int_op(a
, OP_GE
, 0);
249 tt_int_op(b
, OP_GE
, 0);
250 tt_int_op(c
, OP_GE
, 0);
257 /** Run unit tests for our random number generation function and its wrappers.
260 test_crypto_rng(void *arg
)
263 char data1
[100], data2
[100];
269 tt_assert(! crypto_seed_rng());
270 crypto_rand(data1
, 100);
271 crypto_rand(data2
, 100);
272 tt_mem_op(data1
,OP_NE
, data2
,100);
274 for (i
= 0; i
< 100; ++i
) {
277 j
= crypto_rand_int(100);
278 if (j
< 0 || j
>= 100)
280 big
= crypto_rand_uint64(UINT64_C(1)<<40);
281 if (big
>= (UINT64_C(1)<<40))
283 big
= crypto_rand_uint64(UINT64_C(5));
286 d
= crypto_rand_double();
289 host
= crypto_random_hostname(3,8,"www.",".onion");
290 if (strcmpstart(host
,"www.") ||
291 strcmpend(host
,".onion") ||
298 /* Make sure crypto_random_hostname clips its inputs properly. */
299 h
= crypto_random_hostname(20000, 9000, "www.", ".onion");
300 tt_assert(! strcmpstart(h
,"www."));
301 tt_assert(! strcmpend(h
,".onion"));
302 tt_int_op(63+4+6, OP_EQ
, strlen(h
));
310 test_crypto_rng_range(void *arg
)
312 int got_smallest
= 0, got_largest
= 0;
316 for (i
= 0; i
< 1000; ++i
) {
317 int x
= crypto_rand_int_range(5,9);
318 tt_int_op(x
, OP_GE
, 5);
319 tt_int_op(x
, OP_LT
, 9);
325 /* These fail with probability 1/10^603. */
326 tt_assert(got_smallest
);
327 tt_assert(got_largest
);
329 got_smallest
= got_largest
= 0;
330 const uint64_t ten_billion
= 10 * ((uint64_t)1000000000000);
331 for (i
= 0; i
< 1000; ++i
) {
332 uint64_t x
= crypto_rand_uint64_range(ten_billion
, ten_billion
+10);
333 tt_u64_op(x
, OP_GE
, ten_billion
);
334 tt_u64_op(x
, OP_LT
, ten_billion
+10);
335 if (x
== ten_billion
)
337 if (x
== ten_billion
+9)
341 tt_assert(got_smallest
);
342 tt_assert(got_largest
);
344 const time_t now
= time(NULL
);
345 for (i
= 0; i
< 2000; ++i
) {
346 time_t x
= crypto_rand_time_range(now
, now
+60);
347 tt_i64_op(x
, OP_GE
, now
);
348 tt_i64_op(x
, OP_LT
, now
+60);
355 tt_assert(got_smallest
);
356 tt_assert(got_largest
);
362 test_crypto_rng_strongest(void *arg
)
364 const char *how
= arg
;
369 } else if (!strcmp(how
, "nosyscall")) {
370 break_strongest_rng_syscall
= 1;
371 } else if (!strcmp(how
, "nofallback")) {
372 break_strongest_rng_fallback
= 1;
373 } else if (!strcmp(how
, "broken")) {
374 broken
= break_strongest_rng_syscall
= break_strongest_rng_fallback
= 1;
378 uint8_t combine_and
[N
];
379 uint8_t combine_or
[N
];
382 memset(combine_and
, 0xff, N
);
383 memset(combine_or
, 0, N
);
385 for (i
= 0; i
< 100; ++i
) { /* 2^-100 chances just don't happen. */
387 memset(output
, 0, N
);
389 /* this one can't fail. */
390 crypto_strongest_rand(output
, sizeof(output
));
392 int r
= crypto_strongest_rand_raw(output
, sizeof(output
));
395 goto done
; /* we're fine. */
397 /* This function is allowed to break, but only if it always breaks. */
398 tt_int_op(i
, OP_EQ
, 0);
404 for (j
= 0; j
< N
; ++j
) {
405 combine_and
[j
] &= output
[j
];
406 combine_or
[j
] |= output
[j
];
410 for (j
= 0; j
< N
; ++j
) {
411 tt_int_op(combine_and
[j
], OP_EQ
, 0);
412 tt_int_op(combine_or
[j
], OP_EQ
, 0xff);
419 /** Run unit tests for our AES128 functionality */
421 test_crypto_aes128(void *arg
)
423 char *data1
= NULL
, *data2
= NULL
, *data3
= NULL
;
424 crypto_cipher_t
*env1
= NULL
, *env2
= NULL
;
426 char *mem_op_hex_tmp
=NULL
;
427 char key
[CIPHER_KEY_LEN
];
428 int use_evp
= !strcmp(arg
,"evp");
429 evaluate_evp_for_aes(use_evp
);
430 evaluate_ctr_for_aes();
432 data1
= tor_malloc(1024);
433 data2
= tor_malloc(1024);
434 data3
= tor_malloc(1024);
436 /* Now, test encryption and decryption with stream cipher. */
438 for (i
= 1023; i
>0; i
-= 35)
439 strncat(data1
, "Now is the time for all good onions", i
);
441 memset(data2
, 0, 1024);
442 memset(data3
, 0, 1024);
443 crypto_rand(key
, sizeof(key
));
444 env1
= crypto_cipher_new(key
);
445 tt_ptr_op(env1
, OP_NE
, NULL
);
446 env2
= crypto_cipher_new(key
);
447 tt_ptr_op(env2
, OP_NE
, NULL
);
449 /* Try encrypting 512 chars. */
450 crypto_cipher_encrypt(env1
, data2
, data1
, 512);
451 crypto_cipher_decrypt(env2
, data3
, data2
, 512);
452 tt_mem_op(data1
,OP_EQ
, data3
, 512);
453 tt_mem_op(data1
,OP_NE
, data2
, 512);
455 /* Now encrypt 1 at a time, and get 1 at a time. */
456 for (j
= 512; j
< 560; ++j
) {
457 crypto_cipher_encrypt(env1
, data2
+j
, data1
+j
, 1);
459 for (j
= 512; j
< 560; ++j
) {
460 crypto_cipher_decrypt(env2
, data3
+j
, data2
+j
, 1);
462 tt_mem_op(data1
,OP_EQ
, data3
, 560);
463 /* Now encrypt 3 at a time, and get 5 at a time. */
464 for (j
= 560; j
< 1024-5; j
+= 3) {
465 crypto_cipher_encrypt(env1
, data2
+j
, data1
+j
, 3);
467 for (j
= 560; j
< 1024-5; j
+= 5) {
468 crypto_cipher_decrypt(env2
, data3
+j
, data2
+j
, 5);
470 tt_mem_op(data1
,OP_EQ
, data3
, 1024-5);
471 /* Now make sure that when we encrypt with different chunk sizes, we get
473 crypto_cipher_free(env2
);
476 memset(data3
, 0, 1024);
477 env2
= crypto_cipher_new(key
);
478 tt_ptr_op(env2
, OP_NE
, NULL
);
479 for (j
= 0; j
< 1024-16; j
+= 17) {
480 crypto_cipher_encrypt(env2
, data3
+j
, data1
+j
, 17);
482 for (j
= 0; j
< 1024-16; ++j
) {
483 if (data2
[j
] != data3
[j
]) {
484 printf("%d: %d\t%d\n", j
, (int) data2
[j
], (int) data3
[j
]);
487 tt_mem_op(data2
,OP_EQ
, data3
, 1024-16);
488 crypto_cipher_free(env1
);
490 crypto_cipher_free(env2
);
493 /* NIST test vector for aes. */
495 env1
= crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
496 "\x00\x00\x00\x00\x00\x00\x00\x00");
497 crypto_cipher_encrypt(env1
, data1
,
498 "\x00\x00\x00\x00\x00\x00\x00\x00"
499 "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
500 test_memeq_hex(data1
, "0EDD33D3C621E546455BD8BA1418BEC8");
502 /* Now test rollover. All these values are originally from a python
504 crypto_cipher_free(env1
);
505 env1
= crypto_cipher_new_with_iv(
506 "\x80\x00\x00\x00\x00\x00\x00\x00"
507 "\x00\x00\x00\x00\x00\x00\x00\x00",
508 "\x00\x00\x00\x00\x00\x00\x00\x00"
509 "\xff\xff\xff\xff\xff\xff\xff\xff");
510 memset(data2
, 0, 1024);
511 crypto_cipher_encrypt(env1
, data1
, data2
, 32);
512 test_memeq_hex(data1
, "335fe6da56f843199066c14a00a40231"
513 "cdd0b917dbc7186908a6bfb5ffd574d3");
514 crypto_cipher_free(env1
);
515 env1
= crypto_cipher_new_with_iv(
516 "\x80\x00\x00\x00\x00\x00\x00\x00"
517 "\x00\x00\x00\x00\x00\x00\x00\x00",
518 "\x00\x00\x00\x00\xff\xff\xff\xff"
519 "\xff\xff\xff\xff\xff\xff\xff\xff");
520 memset(data2
, 0, 1024);
521 crypto_cipher_encrypt(env1
, data1
, data2
, 32);
522 test_memeq_hex(data1
, "e627c6423fa2d77832a02b2794094b73"
523 "3e63c721df790d2c6469cc1953a3ffac");
524 crypto_cipher_free(env1
);
525 env1
= crypto_cipher_new_with_iv(
526 "\x80\x00\x00\x00\x00\x00\x00\x00"
527 "\x00\x00\x00\x00\x00\x00\x00\x00",
528 "\xff\xff\xff\xff\xff\xff\xff\xff"
529 "\xff\xff\xff\xff\xff\xff\xff\xff");
530 memset(data2
, 0, 1024);
531 crypto_cipher_encrypt(env1
, data1
, data2
, 32);
532 test_memeq_hex(data1
, "2aed2bff0de54f9328efd070bf48f70a"
533 "0EDD33D3C621E546455BD8BA1418BEC8");
535 /* Now check rollover on inplace cipher. */
536 crypto_cipher_free(env1
);
537 env1
= crypto_cipher_new_with_iv(
538 "\x80\x00\x00\x00\x00\x00\x00\x00"
539 "\x00\x00\x00\x00\x00\x00\x00\x00",
540 "\xff\xff\xff\xff\xff\xff\xff\xff"
541 "\xff\xff\xff\xff\xff\xff\xff\xff");
542 crypto_cipher_crypt_inplace(env1
, data2
, 64);
543 test_memeq_hex(data2
, "2aed2bff0de54f9328efd070bf48f70a"
544 "0EDD33D3C621E546455BD8BA1418BEC8"
545 "93e2c5243d6839eac58503919192f7ae"
546 "1908e67cafa08d508816659c2e693191");
547 crypto_cipher_free(env1
);
548 env1
= crypto_cipher_new_with_iv(
549 "\x80\x00\x00\x00\x00\x00\x00\x00"
550 "\x00\x00\x00\x00\x00\x00\x00\x00",
551 "\xff\xff\xff\xff\xff\xff\xff\xff"
552 "\xff\xff\xff\xff\xff\xff\xff\xff");
553 crypto_cipher_crypt_inplace(env1
, data2
, 64);
554 tt_assert(tor_mem_is_zero(data2
, 64));
557 tor_free(mem_op_hex_tmp
);
559 crypto_cipher_free(env1
);
561 crypto_cipher_free(env2
);
568 test_crypto_aes_ctr_testvec(void *arg
)
570 const char *bitstr
= arg
;
571 char *mem_op_hex_tmp
=NULL
;
572 crypto_cipher_t
*c
=NULL
;
574 /* from NIST SP800-38a, section F.5 */
575 const char ctr16
[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
576 const char plaintext16
[] =
577 "6bc1bee22e409f96e93d7e117393172a"
578 "ae2d8a571e03ac9c9eb76fac45af8e51"
579 "30c81c46a35ce411e5fbc1191a0a52ef"
580 "f69f2445df4f9b17ad2b417be66c3710";
581 const char *ciphertext16
;
585 if (!strcmp(bitstr
, "128")) {
586 ciphertext16
= /* section F.5.1 */
587 "874d6191b620e3261bef6864990db6ce"
588 "9806f66b7970fdff8617187bb9fffdff"
589 "5ae4df3edbd5d35e5b4f09020db03eab"
590 "1e031dda2fbe03d1792170a0f3009cee";
591 key16
= "2b7e151628aed2a6abf7158809cf4f3c";
593 } else if (!strcmp(bitstr
, "192")) {
594 ciphertext16
= /* section F.5.3 */
595 "1abc932417521ca24f2b0459fe7e6e0b"
596 "090339ec0aa6faefd5ccc2c6f4ce8e94"
597 "1e36b26bd1ebc670d1bd1d665620abf7"
598 "4f78a7f6d29809585a97daec58c6b050";
599 key16
= "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b";
601 } else if (!strcmp(bitstr
, "256")) {
602 ciphertext16
= /* section F.5.5 */
603 "601ec313775789a5b7a7f504bbf3d228"
604 "f443e3ca4d62b59aca84e990cacaf5c5"
605 "2b0930daa23de94ce87017ba2d84988d"
606 "dfc9c58db67aada613c2dd08457941a6";
608 "603deb1015ca71be2b73aef0857d7781"
609 "1f352c073b6108d72d9810a30914dff4";
612 tt_abort_msg("AES doesn't support this number of bits.");
617 char plaintext
[16*4];
618 memset(key
, 0xf9, sizeof(key
)); /* poison extra bytes */
619 base16_decode(key
, sizeof(key
), key16
, strlen(key16
));
620 base16_decode(iv
, sizeof(iv
), ctr16
, strlen(ctr16
));
621 base16_decode(plaintext
, sizeof(plaintext
),
622 plaintext16
, strlen(plaintext16
));
624 c
= crypto_cipher_new_with_iv_and_bits((uint8_t*)key
, (uint8_t*)iv
, bits
);
625 crypto_cipher_crypt_inplace(c
, plaintext
, sizeof(plaintext
));
626 test_memeq_hex(plaintext
, ciphertext16
);
629 tor_free(mem_op_hex_tmp
);
630 crypto_cipher_free(c
);
633 /** Run unit tests for our SHA-1 functionality */
635 test_crypto_sha(void *arg
)
637 crypto_digest_t
*d1
= NULL
, *d2
= NULL
;
639 #define RFC_4231_MAX_KEY_SIZE 131
640 char key
[RFC_4231_MAX_KEY_SIZE
];
641 char digest
[DIGEST256_LEN
];
642 char data
[DIGEST512_LEN
];
643 char d_out1
[DIGEST512_LEN
], d_out2
[DIGEST512_LEN
];
644 char *mem_op_hex_tmp
=NULL
;
646 /* Test SHA-1 with a test vector from the specification. */
648 i
= crypto_digest(data
, "abc", 3);
649 test_memeq_hex(data
, "A9993E364706816ABA3E25717850C26C9CD0D89D");
650 tt_int_op(i
, OP_EQ
, 0);
652 /* Test SHA-256 with a test vector from the specification. */
653 i
= crypto_digest256(data
, "abc", 3, DIGEST_SHA256
);
654 test_memeq_hex(data
, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
655 "96177A9CB410FF61F20015AD");
656 tt_int_op(i
, OP_EQ
, 0);
658 /* Test SHA-512 with a test vector from the specification. */
659 i
= crypto_digest512(data
, "abc", 3, DIGEST_SHA512
);
660 test_memeq_hex(data
, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
661 "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
662 "feebbd454d4423643ce80e2a9ac94fa54ca49f");
663 tt_int_op(i
, OP_EQ
, 0);
665 /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
667 /* Case empty (wikipedia) */
668 crypto_hmac_sha256(digest
, "", 0, "", 0);
669 tt_str_op(hex_str(digest
, 32),OP_EQ
,
670 "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
672 /* Case quick-brown (wikipedia) */
673 crypto_hmac_sha256(digest
, "key", 3,
674 "The quick brown fox jumps over the lazy dog", 43);
675 tt_str_op(hex_str(digest
, 32),OP_EQ
,
676 "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
678 /* "Test Case 1" from RFC 4231 */
679 memset(key
, 0x0b, 20);
680 crypto_hmac_sha256(digest
, key
, 20, "Hi There", 8);
681 test_memeq_hex(digest
,
682 "b0344c61d8db38535ca8afceaf0bf12b"
683 "881dc200c9833da726e9376c2e32cff7");
685 /* "Test Case 2" from RFC 4231 */
686 memset(key
, 0x0b, 20);
687 crypto_hmac_sha256(digest
, "Jefe", 4, "what do ya want for nothing?", 28);
688 test_memeq_hex(digest
,
689 "5bdcc146bf60754e6a042426089575c7"
690 "5a003f089d2739839dec58b964ec3843");
692 /* "Test case 3" from RFC 4231 */
693 memset(key
, 0xaa, 20);
694 memset(data
, 0xdd, 50);
695 crypto_hmac_sha256(digest
, key
, 20, data
, 50);
696 test_memeq_hex(digest
,
697 "773ea91e36800e46854db8ebd09181a7"
698 "2959098b3ef8c122d9635514ced565fe");
700 /* "Test case 4" from RFC 4231 */
701 base16_decode(key
, 25,
702 "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
703 memset(data
, 0xcd, 50);
704 crypto_hmac_sha256(digest
, key
, 25, data
, 50);
705 test_memeq_hex(digest
,
706 "82558a389a443c0ea4cc819899f2083a"
707 "85f0faa3e578f8077a2e3ff46729665b");
709 /* "Test case 5" from RFC 4231 */
710 memset(key
, 0x0c, 20);
711 crypto_hmac_sha256(digest
, key
, 20, "Test With Truncation", 20);
712 test_memeq_hex(digest
,
713 "a3b6167473100ee06e0c796c2955552b");
715 /* "Test case 6" from RFC 4231 */
716 memset(key
, 0xaa, 131);
717 crypto_hmac_sha256(digest
, key
, 131,
718 "Test Using Larger Than Block-Size Key - Hash Key First",
720 test_memeq_hex(digest
,
721 "60e431591ee0b67f0d8a26aacbf5b77f"
722 "8e0bc6213728c5140546040f0ee37f54");
724 /* "Test case 7" from RFC 4231 */
725 memset(key
, 0xaa, 131);
726 crypto_hmac_sha256(digest
, key
, 131,
727 "This is a test using a larger than block-size key and a "
728 "larger than block-size data. The key needs to be hashed "
729 "before being used by the HMAC algorithm.", 152);
730 test_memeq_hex(digest
,
731 "9b09ffa71b942fcb27635fbcd5b0e944"
732 "bfdc63644f0713938a7f51535c3a35e2");
734 /* Incremental digest code. */
735 d1
= crypto_digest_new();
737 crypto_digest_add_bytes(d1
, "abcdef", 6);
738 d2
= crypto_digest_dup(d1
);
740 crypto_digest_add_bytes(d2
, "ghijkl", 6);
741 crypto_digest_get_digest(d2
, d_out1
, DIGEST_LEN
);
742 crypto_digest(d_out2
, "abcdefghijkl", 12);
743 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST_LEN
);
744 crypto_digest_assign(d2
, d1
);
745 crypto_digest_add_bytes(d2
, "mno", 3);
746 crypto_digest_get_digest(d2
, d_out1
, DIGEST_LEN
);
747 crypto_digest(d_out2
, "abcdefmno", 9);
748 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST_LEN
);
749 crypto_digest_get_digest(d1
, d_out1
, DIGEST_LEN
);
750 crypto_digest(d_out2
, "abcdef", 6);
751 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST_LEN
);
752 crypto_digest_free(d1
);
753 crypto_digest_free(d2
);
755 /* Incremental digest code with sha256 */
756 d1
= crypto_digest256_new(DIGEST_SHA256
);
758 crypto_digest_add_bytes(d1
, "abcdef", 6);
759 d2
= crypto_digest_dup(d1
);
761 crypto_digest_add_bytes(d2
, "ghijkl", 6);
762 crypto_digest_get_digest(d2
, d_out1
, DIGEST256_LEN
);
763 crypto_digest256(d_out2
, "abcdefghijkl", 12, DIGEST_SHA256
);
764 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
765 crypto_digest_assign(d2
, d1
);
766 crypto_digest_add_bytes(d2
, "mno", 3);
767 crypto_digest_get_digest(d2
, d_out1
, DIGEST256_LEN
);
768 crypto_digest256(d_out2
, "abcdefmno", 9, DIGEST_SHA256
);
769 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
770 crypto_digest_get_digest(d1
, d_out1
, DIGEST256_LEN
);
771 crypto_digest256(d_out2
, "abcdef", 6, DIGEST_SHA256
);
772 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
773 crypto_digest_free(d1
);
774 crypto_digest_free(d2
);
776 /* Incremental digest code with sha512 */
777 d1
= crypto_digest512_new(DIGEST_SHA512
);
779 crypto_digest_add_bytes(d1
, "abcdef", 6);
780 d2
= crypto_digest_dup(d1
);
782 crypto_digest_add_bytes(d2
, "ghijkl", 6);
783 crypto_digest_get_digest(d2
, d_out1
, DIGEST512_LEN
);
784 crypto_digest512(d_out2
, "abcdefghijkl", 12, DIGEST_SHA512
);
785 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
786 crypto_digest_assign(d2
, d1
);
787 crypto_digest_add_bytes(d2
, "mno", 3);
788 crypto_digest_get_digest(d2
, d_out1
, DIGEST512_LEN
);
789 crypto_digest512(d_out2
, "abcdefmno", 9, DIGEST_SHA512
);
790 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
791 crypto_digest_get_digest(d1
, d_out1
, DIGEST512_LEN
);
792 crypto_digest512(d_out2
, "abcdef", 6, DIGEST_SHA512
);
793 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
797 crypto_digest_free(d1
);
799 crypto_digest_free(d2
);
800 tor_free(mem_op_hex_tmp
);
804 test_crypto_sha3(void *arg
)
806 crypto_digest_t
*d1
= NULL
, *d2
= NULL
;
808 char data
[DIGEST512_LEN
];
809 char d_out1
[DIGEST512_LEN
], d_out2
[DIGEST512_LEN
];
810 char *mem_op_hex_tmp
=NULL
;
815 /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
817 * NB: The code package's test vectors have length expressed in bits.
820 /* Len = 8, Msg = CC */
821 const uint8_t keccak_kat_msg8
[] = { 0xcc };
822 i
= crypto_digest256(data
, (const char*)keccak_kat_msg8
, 1, DIGEST_SHA3_256
);
823 test_memeq_hex(data
, "677035391CD3701293D385F037BA3279"
824 "6252BB7CE180B00B582DD9B20AAAD7F0");
825 tt_int_op(i
, OP_EQ
, 0);
826 i
= crypto_digest512(data
, (const char*)keccak_kat_msg8
, 1, DIGEST_SHA3_512
);
827 test_memeq_hex(data
, "3939FCC8B57B63612542DA31A834E5DC"
828 "C36E2EE0F652AC72E02624FA2E5ADEEC"
829 "C7DD6BB3580224B4D6138706FC6E8059"
830 "7B528051230B00621CC2B22999EAA205");
831 tt_int_op(i
, OP_EQ
, 0);
833 /* Len = 24, Msg = 1F877C */
834 const uint8_t keccak_kat_msg24
[] = { 0x1f, 0x87, 0x7c };
835 i
= crypto_digest256(data
, (const char*)keccak_kat_msg24
, 3,
837 test_memeq_hex(data
, "BC22345E4BD3F792A341CF18AC0789F1"
838 "C9C966712A501B19D1B6632CCD408EC5");
839 tt_int_op(i
, OP_EQ
, 0);
840 i
= crypto_digest512(data
, (const char*)keccak_kat_msg24
, 3,
842 test_memeq_hex(data
, "CB20DCF54955F8091111688BECCEF48C"
843 "1A2F0D0608C3A575163751F002DB30F4"
844 "0F2F671834B22D208591CFAF1F5ECFE4"
845 "3C49863A53B3225BDFD7C6591BA7658B");
846 tt_int_op(i
, OP_EQ
, 0);
848 /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
849 const uint8_t keccak_kat_msg1080
[] = {
850 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
851 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
852 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
853 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
854 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
855 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
856 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
857 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
858 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
859 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
860 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
861 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
862 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
863 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
865 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1080
, 135,
867 test_memeq_hex(data
, "A19EEE92BB2097B64E823D597798AA18"
868 "BE9B7C736B8059ABFD6779AC35AC81B5");
869 tt_int_op(i
, OP_EQ
, 0);
870 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1080
, 135,
872 test_memeq_hex(data
, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
873 "CB78696773A212A5F62D02D14E3259D1"
874 "92A87EBA4407DD83893527331407B6DA"
875 "DAAD920DBC46489B677493CE5F20B595");
876 tt_int_op(i
, OP_EQ
, 0);
878 /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
879 const uint8_t keccak_kat_msg1088
[] = {
880 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
881 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
882 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
883 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
884 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
885 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
886 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
887 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
888 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
889 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
890 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
891 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
892 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
893 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
895 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1088
, 136,
897 test_memeq_hex(data
, "DF673F4105379FF6B755EEAB20CEB0DC"
898 "77B5286364FE16C59CC8A907AFF07732");
899 tt_int_op(i
, OP_EQ
, 0);
900 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1088
, 136,
902 test_memeq_hex(data
, "2E293765022D48996CE8EFF0BE54E87E"
903 "FB94A14C72DE5ACD10D0EB5ECE029CAD"
904 "FA3BA17A40B2FFA2163991B17786E51C"
905 "ABA79E5E0FFD34CF085E2A098BE8BACB");
906 tt_int_op(i
, OP_EQ
, 0);
908 /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
909 const uint8_t keccak_kat_msg1096
[] = {
910 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
911 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
912 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
913 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
914 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
915 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
916 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
917 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
918 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
919 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
920 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
921 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
922 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
923 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
925 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1096
, 137,
927 test_memeq_hex(data
, "D52432CF3B6B4B949AA848E058DCD62D"
928 "735E0177279222E7AC0AF8504762FAA0");
929 tt_int_op(i
, OP_EQ
, 0);
930 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1096
, 137,
932 test_memeq_hex(data
, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
933 "40474041DE83D4A60645A826D7AF1ABE"
934 "1EEFCB7B74B62CA6A514E5F2697D585B"
935 "FECECE12931BBE1D4ED7EBF7B0BE660E");
936 tt_int_op(i
, OP_EQ
, 0);
938 /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
939 const uint8_t keccak_kat_msg1144
[] = {
940 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
941 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
942 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
943 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
944 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
945 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
946 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
947 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
948 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
949 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
950 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
951 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
952 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
953 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
956 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1144
, 143,
958 test_memeq_hex(data
, "3A8E938C45F3F177991296B24565D9A6"
959 "605516615D96A062C8BE53A0D6C5A648"
960 "7BE35D2A8F3CF6620D0C2DBA2C560D68"
961 "295F284BE7F82F3B92919033C9CE5D80");
962 tt_int_op(i
, OP_EQ
, 0);
963 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1144
, 143,
965 test_memeq_hex(data
, "E58A947E98D6DD7E932D2FE02D9992E6"
966 "118C0C2C606BDCDA06E7943D2C95E0E5");
967 tt_int_op(i
, OP_EQ
, 0);
969 /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
970 const uint8_t keccak_kat_msg1152
[] = {
971 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
972 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
973 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
974 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
975 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
976 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
977 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
978 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
979 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
980 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
981 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
982 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
983 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
984 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
985 0x9E, 0xE0, 0x0C, 0x63,
987 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1152
, 144,
989 test_memeq_hex(data
, "FE45289874879720CE2A844AE34BB735"
990 "22775DCB6019DCD22B8885994672A088"
991 "9C69E8115C641DC8B83E39F7311815A1"
992 "64DC46E0BA2FCA344D86D4BC2EF2532C");
993 tt_int_op(i
, OP_EQ
, 0);
994 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1152
, 144,
996 test_memeq_hex(data
, "A936FB9AF87FB67857B3EAD5C76226AD"
997 "84DA47678F3C2FFE5A39FDB5F7E63FFB");
998 tt_int_op(i
, OP_EQ
, 0);
1000 /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
1001 const uint8_t keccak_kat_msg1160
[] = {
1002 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
1003 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
1004 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
1005 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
1006 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
1007 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
1008 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
1009 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
1010 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
1011 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
1012 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
1013 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
1014 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
1015 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
1016 0x70, 0x11, 0x04, 0x4C, 0x53,
1018 i
= crypto_digest512(data
, (const char*)keccak_kat_msg1160
, 145,
1020 test_memeq_hex(data
, "AFF61C6E11B98E55AC213B1A0BC7DE04"
1021 "05221AC5EFB1229842E4614F4A029C9B"
1022 "D14A0ED7FD99AF3681429F3F309FDB53"
1023 "166AA9A3CD9F1F1223D04B4A9015E94A");
1024 tt_int_op(i
, OP_EQ
, 0);
1025 i
= crypto_digest256(data
, (const char*)keccak_kat_msg1160
, 145,
1027 test_memeq_hex(data
, "3A654B88F88086C2751EDAE6D3924814"
1028 "3CF6235C6B0B7969342C45A35194B67E");
1029 tt_int_op(i
, OP_EQ
, 0);
1031 /* SHA3-[256,512] Empty case (wikipedia) */
1032 i
= crypto_digest256(data
, "", 0, DIGEST_SHA3_256
);
1033 test_memeq_hex(data
, "a7ffc6f8bf1ed76651c14756a061d662"
1034 "f580ff4de43b49fa82d80a4b80f8434a");
1035 tt_int_op(i
, OP_EQ
, 0);
1036 i
= crypto_digest512(data
, "", 0, DIGEST_SHA3_512
);
1037 test_memeq_hex(data
, "a69f73cca23a9ac5c8b567dc185a756e"
1038 "97c982164fe25859e0d1dcc1475c80a6"
1039 "15b2123af1f5f94c11e3e9402c3ac558"
1040 "f500199d95b6d3e301758586281dcd26");
1041 tt_int_op(i
, OP_EQ
, 0);
1043 /* Incremental digest code with SHA3-256 */
1044 d1
= crypto_digest256_new(DIGEST_SHA3_256
);
1046 crypto_digest_add_bytes(d1
, "abcdef", 6);
1047 d2
= crypto_digest_dup(d1
);
1049 crypto_digest_add_bytes(d2
, "ghijkl", 6);
1050 crypto_digest_get_digest(d2
, d_out1
, DIGEST256_LEN
);
1051 crypto_digest256(d_out2
, "abcdefghijkl", 12, DIGEST_SHA3_256
);
1052 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
1053 crypto_digest_assign(d2
, d1
);
1054 crypto_digest_add_bytes(d2
, "mno", 3);
1055 crypto_digest_get_digest(d2
, d_out1
, DIGEST256_LEN
);
1056 crypto_digest256(d_out2
, "abcdefmno", 9, DIGEST_SHA3_256
);
1057 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
1058 crypto_digest_get_digest(d1
, d_out1
, DIGEST256_LEN
);
1059 crypto_digest256(d_out2
, "abcdef", 6, DIGEST_SHA3_256
);
1060 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST256_LEN
);
1061 crypto_digest_free(d1
);
1062 crypto_digest_free(d2
);
1064 /* Incremental digest code with SHA3-512 */
1065 d1
= crypto_digest512_new(DIGEST_SHA3_512
);
1067 crypto_digest_add_bytes(d1
, "abcdef", 6);
1068 d2
= crypto_digest_dup(d1
);
1070 crypto_digest_add_bytes(d2
, "ghijkl", 6);
1071 crypto_digest_get_digest(d2
, d_out1
, DIGEST512_LEN
);
1072 crypto_digest512(d_out2
, "abcdefghijkl", 12, DIGEST_SHA3_512
);
1073 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
1074 crypto_digest_assign(d2
, d1
);
1075 crypto_digest_add_bytes(d2
, "mno", 3);
1076 crypto_digest_get_digest(d2
, d_out1
, DIGEST512_LEN
);
1077 crypto_digest512(d_out2
, "abcdefmno", 9, DIGEST_SHA3_512
);
1078 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
1079 crypto_digest_get_digest(d1
, d_out1
, DIGEST512_LEN
);
1080 crypto_digest512(d_out2
, "abcdef", 6, DIGEST_SHA3_512
);
1081 tt_mem_op(d_out1
,OP_EQ
, d_out2
, DIGEST512_LEN
);
1082 crypto_digest_free(d1
);
1084 /* Attempt to exercise the incremental hashing code by creating a randomized
1085 * 30 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512
1086 * is used because it has a lowest rate of the family (the code is common,
1087 * but the slower rate exercises more of it).
1089 const size_t bufsz
= 30 * 1024;
1091 large
= tor_malloc(bufsz
);
1092 crypto_rand(large
, bufsz
);
1093 d1
= crypto_digest512_new(DIGEST_SHA3_512
); /* Running digest. */
1095 /* Pick how much data to add to the running digest. */
1096 size_t incr
= (size_t)crypto_rand_int_range(1, 72 * 5);
1097 incr
= MIN(bufsz
- j
, incr
);
1099 /* Add the data, and calculate the hash. */
1100 crypto_digest_add_bytes(d1
, large
+ j
, incr
);
1101 crypto_digest_get_digest(d1
, d_out1
, DIGEST512_LEN
);
1103 /* One-shot hash the buffer up to the data that was just added,
1104 * and ensure that the values match up.
1106 * XXX/yawning: If this actually fails, it'll be rather difficult to
1107 * reproduce. Improvements welcome.
1109 i
= crypto_digest512(d_out2
, large
, j
+ incr
, DIGEST_SHA3_512
);
1110 tt_int_op(i
, OP_EQ
, 0);
1111 tt_mem_op(d_out1
, OP_EQ
, d_out2
, DIGEST512_LEN
);
1118 crypto_digest_free(d1
);
1120 crypto_digest_free(d2
);
1122 tor_free(mem_op_hex_tmp
);
1125 /** Run unit tests for our XOF. */
1127 test_crypto_sha3_xof(void *arg
)
1132 char *mem_op_hex_tmp
=NULL
;
1136 /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */
1137 base16_decode((char *)msg
, 255,
1138 "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431"
1139 "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1"
1140 "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F"
1141 "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457"
1142 "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186"
1143 "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3"
1144 "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565"
1145 "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7"
1146 "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510);
1147 const char *squeezed_hex
=
1148 "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE"
1149 "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A"
1150 "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84"
1151 "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF"
1152 "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60"
1153 "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9"
1154 "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34"
1155 "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF"
1156 "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90"
1157 "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC"
1158 "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18"
1159 "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775"
1160 "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B"
1161 "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2"
1162 "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78"
1163 "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9"
1164 "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39"
1167 /* Test oneshot absorb/squeeze. */
1168 xof
= crypto_xof_new();
1170 crypto_xof_add_bytes(xof
, msg
, sizeof(msg
));
1171 crypto_xof_squeeze_bytes(xof
, out
, sizeof(out
));
1172 test_memeq_hex(out
, squeezed_hex
);
1173 crypto_xof_free(xof
);
1174 memset(out
, 0, sizeof(out
));
1176 /* Test incremental absorb/squeeze. */
1177 xof
= crypto_xof_new();
1179 for (size_t i
= 0; i
< sizeof(msg
); i
++)
1180 crypto_xof_add_bytes(xof
, msg
+ i
, 1);
1181 for (size_t i
= 0; i
< sizeof(out
); i
++)
1182 crypto_xof_squeeze_bytes(xof
, out
+ i
, 1);
1183 test_memeq_hex(out
, squeezed_hex
);
1187 crypto_xof_free(xof
);
1188 tor_free(mem_op_hex_tmp
);
1191 /* Test our MAC-SHA3 function. There are not actually any MAC-SHA3 test
1192 * vectors out there for our H(len(k) || k || m) construction. Hence what we
1193 * are gonna do is test our crypto_mac_sha3_256() function against manually
1194 * doing H(len(k) || k||m). If in the future the Keccak group decides to
1195 * standarize an MAC construction and make test vectors, we should
1196 * incorporate them here. */
1198 test_crypto_mac_sha3(void *arg
)
1200 const char msg
[] = "i am in a library somewhere using my computer";
1201 const char key
[] = "i'm from the past talking to the future.";
1203 uint8_t hmac_test
[DIGEST256_LEN
];
1204 char hmac_manual
[DIGEST256_LEN
];
1208 /* First let's use our nice HMAC-SHA3 function */
1209 crypto_mac_sha3_256(hmac_test
, sizeof(hmac_test
),
1210 (uint8_t *) key
, strlen(key
),
1211 (uint8_t *) msg
, strlen(msg
));
1213 /* Now let's try a manual H(len(k) || k || m) construction */
1215 char *key_msg_concat
= NULL
, *all
= NULL
;
1217 const uint64_t key_len_netorder
= tor_htonll(strlen(key
));
1220 tor_asprintf(&key_msg_concat
, "%s%s", key
, msg
);
1221 all_len
= sizeof(key_len_netorder
) + strlen(key_msg_concat
);
1222 all
= tor_malloc_zero(all_len
);
1223 memcpy(all
, &key_len_netorder
, sizeof(key_len_netorder
));
1224 memcpy(all
+ sizeof(key_len_netorder
), key_msg_concat
,
1225 strlen(key_msg_concat
));
1227 result
= crypto_digest256(hmac_manual
, all
, all_len
, DIGEST_SHA3_256
);
1228 tor_free(key_msg_concat
);
1230 tt_int_op(result
, OP_EQ
, 0);
1233 /* Now compare the two results */
1234 tt_mem_op(hmac_test
, OP_EQ
, hmac_manual
, DIGEST256_LEN
);
1239 /** Run unit tests for our public key crypto functions */
1241 test_crypto_pk(void *arg
)
1243 crypto_pk_t
*pk1
= NULL
, *pk2
= NULL
;
1244 char *encoded
= NULL
;
1245 char data1
[1024], data2
[1024], data3
[1024];
1249 /* Public-key ciphers */
1251 pk1
= pk_generate(0);
1252 pk2
= crypto_pk_new();
1253 tt_assert(pk1
&& pk2
);
1254 tt_assert(! crypto_pk_write_public_key_to_string(pk1
, &encoded
, &size
));
1255 tt_assert(! crypto_pk_read_public_key_from_string(pk2
, encoded
, size
));
1256 tt_int_op(0,OP_EQ
, crypto_pk_cmp_keys(pk1
, pk2
));
1258 /* comparison between keys and NULL */
1259 tt_int_op(crypto_pk_cmp_keys(NULL
, pk1
), OP_LT
, 0);
1260 tt_int_op(crypto_pk_cmp_keys(NULL
, NULL
), OP_EQ
, 0);
1261 tt_int_op(crypto_pk_cmp_keys(pk1
, NULL
), OP_GT
, 0);
1263 tt_int_op(128,OP_EQ
, crypto_pk_keysize(pk1
));
1264 tt_int_op(1024,OP_EQ
, crypto_pk_num_bits(pk1
));
1265 tt_int_op(128,OP_EQ
, crypto_pk_keysize(pk2
));
1266 tt_int_op(1024,OP_EQ
, crypto_pk_num_bits(pk2
));
1268 tt_int_op(128,OP_EQ
, crypto_pk_public_encrypt(pk2
, data1
, sizeof(data1
),
1269 "Hello whirled.", 15,
1270 PK_PKCS1_OAEP_PADDING
));
1271 tt_int_op(128,OP_EQ
, crypto_pk_public_encrypt(pk1
, data2
, sizeof(data1
),
1272 "Hello whirled.", 15,
1273 PK_PKCS1_OAEP_PADDING
));
1274 /* oaep padding should make encryption not match */
1275 tt_mem_op(data1
,OP_NE
, data2
, 128);
1277 crypto_pk_private_decrypt(pk1
, data3
, sizeof(data3
), data1
, 128,
1278 PK_PKCS1_OAEP_PADDING
,1));
1279 tt_str_op(data3
,OP_EQ
, "Hello whirled.");
1280 memset(data3
, 0, 1024);
1282 crypto_pk_private_decrypt(pk1
, data3
, sizeof(data3
), data2
, 128,
1283 PK_PKCS1_OAEP_PADDING
,1));
1284 tt_str_op(data3
,OP_EQ
, "Hello whirled.");
1285 /* Can't decrypt with public key. */
1287 crypto_pk_private_decrypt(pk2
, data3
, sizeof(data3
), data2
, 128,
1288 PK_PKCS1_OAEP_PADDING
,1));
1289 /* Try again with bad padding */
1290 memcpy(data2
+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
1292 crypto_pk_private_decrypt(pk1
, data3
, sizeof(data3
), data2
, 128,
1293 PK_PKCS1_OAEP_PADDING
,1));
1295 /* File operations: save and load private key */
1296 tt_assert(! crypto_pk_write_private_key_to_filename(pk1
,
1297 get_fname("pkey1")));
1298 /* failing case for read: can't read. */
1299 tt_int_op(crypto_pk_read_private_key_from_filename(pk2
, get_fname("xyzzy")),
1301 write_str_to_file(get_fname("xyzzy"), "foobar", 6);
1302 /* Failing case for read: no key. */
1303 tt_int_op(crypto_pk_read_private_key_from_filename(pk2
, get_fname("xyzzy")),
1305 tt_assert(! crypto_pk_read_private_key_from_filename(pk2
,
1306 get_fname("pkey1")));
1308 crypto_pk_private_decrypt(pk2
, data3
, sizeof(data3
), data1
, 128,
1309 PK_PKCS1_OAEP_PADDING
,1));
1311 /* Now try signing. */
1312 strlcpy(data1
, "Ossifrage", 1024);
1313 tt_int_op(128,OP_EQ
,
1314 crypto_pk_private_sign(pk1
, data2
, sizeof(data2
), data1
, 10));
1316 crypto_pk_public_checksig(pk1
, data3
, sizeof(data3
), data2
, 128));
1317 tt_str_op(data3
,OP_EQ
, "Ossifrage");
1318 /* Try signing digests. */
1319 tt_int_op(128,OP_EQ
, crypto_pk_private_sign_digest(pk1
, data2
, sizeof(data2
),
1322 crypto_pk_public_checksig(pk1
, data3
, sizeof(data3
), data2
, 128));
1324 crypto_pk_public_checksig_digest(pk1
, data1
, 10, data2
, 128));
1326 crypto_pk_public_checksig_digest(pk1
, data1
, 11, data2
, 128));
1328 /*XXXX test failed signing*/
1331 crypto_pk_free(pk2
);
1333 i
= crypto_pk_asn1_encode(pk1
, data1
, 1024);
1334 tt_int_op(i
, OP_GT
, 0);
1335 pk2
= crypto_pk_asn1_decode(data1
, i
);
1336 tt_int_op(crypto_pk_cmp_keys(pk1
, pk2
), OP_EQ
, 0);
1338 /* Try with hybrid encryption wrappers. */
1339 crypto_rand(data1
, 1024);
1340 for (i
= 85; i
< 140; ++i
) {
1341 memset(data2
,0,1024);
1342 memset(data3
,0,1024);
1343 len
= crypto_pk_obsolete_public_hybrid_encrypt(pk1
,data2
,sizeof(data2
),
1344 data1
,i
,PK_PKCS1_OAEP_PADDING
,0);
1345 tt_int_op(len
, OP_GE
, 0);
1346 len
= crypto_pk_obsolete_private_hybrid_decrypt(pk1
,data3
,sizeof(data3
),
1347 data2
,len
,PK_PKCS1_OAEP_PADDING
,1);
1348 tt_int_op(len
,OP_EQ
, i
);
1349 tt_mem_op(data1
,OP_EQ
, data3
,i
);
1353 crypto_pk_free(pk2
);
1354 pk2
= crypto_pk_copy_full(pk1
);
1355 tt_ptr_op(pk2
, OP_NE
, NULL
);
1356 tt_ptr_op(pk1
, OP_NE
, pk2
);
1357 tt_int_op(crypto_pk_cmp_keys(pk1
, pk2
), OP_EQ
, 0);
1361 crypto_pk_free(pk1
);
1363 crypto_pk_free(pk2
);
1368 test_crypto_pk_fingerprints(void *arg
)
1370 crypto_pk_t
*pk
= NULL
;
1372 char d
[DIGEST_LEN
], d2
[DIGEST_LEN
];
1373 char fingerprint
[FINGERPRINT_LEN
+1];
1376 char *mem_op_hex_tmp
=NULL
;
1380 pk
= pk_generate(1);
1382 n
= crypto_pk_asn1_encode(pk
, encoded
, sizeof(encoded
));
1383 tt_int_op(n
, OP_GT
, 0);
1384 tt_int_op(n
, OP_GT
, 128);
1385 tt_int_op(n
, OP_LT
, 256);
1387 /* Is digest as expected? */
1388 crypto_digest(d
, encoded
, n
);
1389 tt_int_op(0, OP_EQ
, crypto_pk_get_digest(pk
, d2
));
1390 tt_mem_op(d
,OP_EQ
, d2
, DIGEST_LEN
);
1392 /* Is fingerprint right? */
1393 tt_int_op(0, OP_EQ
, crypto_pk_get_fingerprint(pk
, fingerprint
, 0));
1394 tt_int_op(strlen(fingerprint
), OP_EQ
, DIGEST_LEN
* 2);
1395 test_memeq_hex(d
, fingerprint
);
1397 /* Are spaces right? */
1398 tt_int_op(0, OP_EQ
, crypto_pk_get_fingerprint(pk
, fingerprint
, 1));
1399 for (i
= 4; i
< strlen(fingerprint
); i
+= 5) {
1400 tt_int_op(fingerprint
[i
], OP_EQ
, ' ');
1402 tor_strstrip(fingerprint
, " ");
1403 tt_int_op(strlen(fingerprint
), OP_EQ
, DIGEST_LEN
* 2);
1404 test_memeq_hex(d
, fingerprint
);
1406 /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
1407 crypto_digest(d2
, d
, sizeof(d
));
1408 tt_int_op(0, OP_EQ
, crypto_pk_get_hashed_fingerprint(pk
, fingerprint
));
1409 tt_int_op(strlen(fingerprint
), OP_EQ
, DIGEST_LEN
* 2);
1410 test_memeq_hex(d2
, fingerprint
);
1414 tor_free(mem_op_hex_tmp
);
1418 test_crypto_pk_base64(void *arg
)
1420 crypto_pk_t
*pk1
= NULL
;
1421 crypto_pk_t
*pk2
= NULL
;
1422 char *encoded
= NULL
;
1426 /* Test Base64 encoding a key. */
1427 pk1
= pk_generate(0);
1429 tt_int_op(0, OP_EQ
, crypto_pk_base64_encode_private(pk1
, &encoded
));
1432 /* Test decoding a valid key. */
1433 pk2
= crypto_pk_base64_decode_private(encoded
, strlen(encoded
));
1435 tt_int_op(crypto_pk_cmp_keys(pk1
, pk2
), OP_EQ
, 0);
1436 crypto_pk_free(pk2
);
1438 /* Test decoding a invalid key (not Base64). */
1439 static const char *invalid_b64
= "The key is in another castle!";
1440 pk2
= crypto_pk_base64_decode_private(invalid_b64
, strlen(invalid_b64
));
1441 tt_ptr_op(pk2
, OP_EQ
, NULL
);
1443 /* Test decoding a truncated Base64 blob. */
1444 pk2
= crypto_pk_base64_decode_private(encoded
, strlen(encoded
)/2);
1445 tt_ptr_op(pk2
, OP_EQ
, NULL
);
1448 crypto_pk_free(pk1
);
1449 crypto_pk_free(pk2
);
1454 test_crypto_pk_pem_encrypted(void *arg
)
1456 crypto_pk_t
*pk
= NULL
;
1459 pk
= crypto_pk_new();
1460 /* we need to make sure that we won't stall if somebody gives us a key
1461 that's encrypted with a password. */
1464 "-----BEGIN RSA PRIVATE KEY-----\n"
1465 "Proc-Type: 4,ENCRYPTED\n"
1466 "DEK-Info: AES-128-CBC,EFA86BB9D2AB11E80B4E3DCD97782B16\n"
1468 "Z2Je4m0cFepc6coQkVbGcvNCHxTf941N2XYEVE6kn0CqWqoUH4tlwV6for5D91np\n"
1469 "5NiEFTkWj31EhrvrYcuiJtQ/iEbABxZULFWFeJ058rb+1izBz5rScqnEacIS/3Go\n"
1470 "YntnROBDwiKmUnue6PJVYg==\n"
1471 "-----END RSA PRIVATE KEY-----\n";
1472 tt_int_op(-1, OP_EQ
,
1473 crypto_pk_read_private_key_from_string(pk
, s
, strlen(s
)));
1475 /* For fun, make sure we aren't hit by OpenSSL issue
1476 https://github.com/openssl/openssl/issues/6347 , where we get in trouble
1477 if a cipher doesn't use an IV.
1481 "-----BEGIN RSA PUBLIC KEY-----\n"
1482 "Proc-Type:4,ENCRYPTED\n"
1483 "DEK-Info:des-ede -\n"
1486 "-----END RSA PUBLIC KEY-----\n";
1487 tt_int_op(-1, OP_EQ
,
1488 crypto_pk_read_public_key_from_string(pk
, s
, strlen(s
)));
1495 test_crypto_pk_invalid_private_key(void *arg
)
1498 /* Here is a simple invalid private key: it was produced by making
1499 * a regular private key, and then adding 2 to the modulus. */
1501 "-----BEGIN RSA PRIVATE KEY-----\n"
1502 "MIIEpQIBAAKCAQEAskRyZrs+YAukvBmZlgo6/rCxyKF2xyUk073ap+2CgRUnSfGG\n"
1503 "mflHlzqVq7tpH50DafpS+fFAbaEaNV/ac20QG0rUZi38HTB4qURWOu6n0Bws6E4l\n"
1504 "UX/AkvDlWnuYH0pHHi2c3DGNFjwoJpjKuUTk+cRffVR8X3Kjr62SUDUaBNW0Kecz\n"
1505 "3SYLbmgmZI16dFZ+g9sNM3znXZbhvb33WwPqpZSSPs37cPgF7eS6mAw/gUMx6zfE\n"
1506 "HRmUnOQSzUdS05rvc/hsiCLhiIZ8hgfkD07XnTT1Ds8DwE55k7BUWY2wvwWCNLsH\n"
1507 "qtqAxTr615XdkMxVkYgImpqPybarpfNYhFqkOwIDAQABAoIBACPC3VxEdbfYvhxJ\n"
1508 "2mih9sG++nswAN7kUaX0cRe86rAwaShJPmJHApiQ1ROVTfpciiHJaLnhLraPWe2Z\n"
1509 "I/6Bw3hmI4O399p3Lc1u+wlpdNqnvE6B1rSptx0DHE9xecvVH70rE0uM2Su7t6Y+\n"
1510 "gnR2IKUGQs2mlCilm7aTUEWs0WJkkl4CG1dyxItuOSdNBjOEzXimJyiB10jEBFsp\n"
1511 "SZeCF2FZ7AJbck5CVC42+oTsiDbZrHTHOn7v26rFGdONeHD1wOI1v7JwHFpCB923\n"
1512 "aEHBzsPbMeq7DWG1rjzCYpcXHhTDBDBWSia4SEhyr2Nl7m7qxWWWwR+x4dqAj3rD\n"
1513 "HeTmos0CgYEA6uf1CLpjPpOs5IaW1DQI8dJA/xFEAC/6GVgq4nFOGHZrm8G3L5o+\n"
1514 "qvtQNMpDs2naWuZpqROFqv24o01DykHygR72GlPIY6uvmmf5tvJLoGnbFUay33L4\n"
1515 "7b9dkNhuEIBNPzVDie0pgS77WgaPbYkVv5fnDwgPuVnkqfakEt7Pz2MCgYEAwkZ5\n"
1516 "R1wLuTQEA2Poo6Gf4L8Bg6yNYI46LHDqDIs818iYLjtcnEEvbPfaoKNpOn7s7s4O\n"
1517 "Pc+4HnT1aIQs0IKVLRTp+5a/9wfOkPZnobWOUHZk9UzBL3Hc1uy/qhp93iE3tSzx\n"
1518 "v0O1pvR+hr3guTCZx8wZnDvaMgG3hlyPnVlHdrMCgYEAzQQxGbMC1ySv6quEjCP2\n"
1519 "AogMbhE1lixJTUFj/EoDbNo9xKznIkauly/Lqqc1OysRhfA/G2+MY9YZBX1zwtyX\n"
1520 "uBW7mPKynDrFgi9pBECnvJNmwET57Ic9ttIj6Tzbos83nAjyrzgr1zGX8dRz7ZeN\n"
1521 "QbBj2vygLJbGOYinXkjUeh0CgYEAhN5aF9n2EqZmkEMGWtMxWy6HRJ0A3Cap1rcq\n"
1522 "+4VHCXWhzwy+XAeg/e/N0MuyLlWcif7XcqLcE8h+BwtO8xQ8HmcNWApUJAls12wO\n"
1523 "mGRpftJaXgIupdpD5aJpu1b++qrRRNIGTH9sf1D8L/8w8LcylZkbcuTkaAsQj45C\n"
1524 "kqT64U0CgYEAq47IKS6xc3CDc17BqExR6t+1yRe+4ml+z1zcVbfUKony4pGvl1yo\n"
1525 "rk0IYDN5Vd8h5xtXrkPdX9h+ywmohnelDKsayEuE+opyqEpSU4/96Bb22RZUoucb\n"
1526 "LWkV5gZx5hFnDFtEd4vadMIiY4jVv/3JqiZDKwMVBJKlHRXJEEmIEBk=\n"
1527 "-----END RSA PRIVATE KEY-----\n";
1529 crypto_pk_t
*pk
= NULL
;
1531 pk
= crypto_pk_new();
1532 setup_capture_of_logs(LOG_WARN
);
1533 tt_int_op(-1, OP_EQ
,
1534 crypto_pk_read_private_key_from_string(pk
, pem
, strlen(pem
)));
1536 expect_single_log_msg_containing("received bad data");
1538 expect_single_log_msg_containing("while checking RSA key");
1541 teardown_capture_of_logs();
1545 #ifdef HAVE_TRUNCATE
1546 #define do_truncate truncate
1549 do_truncate(const char *fname
, size_t len
)
1554 bytes
= read_file_to_str(fname
, RFTS_BIN
, &st
);
1557 /* This cast isn't so great, but it should be safe given the actual files
1558 * and lengths we're using. */
1559 if (st
.st_size
< (off_t
)len
)
1560 len
= MIN(len
, (size_t)st
.st_size
);
1562 int r
= write_bytes_to_file(fname
, bytes
, len
, 1);
1566 #endif /* defined(HAVE_TRUNCATE) */
1568 /** Sanity check for crypto pk digests */
1570 test_crypto_digests(void *arg
)
1572 crypto_pk_t
*k
= NULL
;
1574 common_digests_t pkey_digests
;
1575 char digest
[DIGEST_LEN
];
1578 k
= crypto_pk_new();
1580 r
= crypto_pk_read_private_key_from_string(k
, AUTHORITY_SIGNKEY_3
,
1581 strlen(AUTHORITY_SIGNKEY_3
));
1584 r
= crypto_pk_get_digest(k
, digest
);
1586 tt_mem_op(hex_str(digest
, DIGEST_LEN
),OP_EQ
,
1587 AUTHORITY_SIGNKEY_A_DIGEST
, HEX_DIGEST_LEN
);
1589 r
= crypto_pk_get_common_digests(k
, &pkey_digests
);
1590 tt_int_op(r
, OP_EQ
, 0);
1592 tt_mem_op(hex_str(pkey_digests
.d
[DIGEST_SHA1
], DIGEST_LEN
),OP_EQ
,
1593 AUTHORITY_SIGNKEY_A_DIGEST
, HEX_DIGEST_LEN
);
1594 tt_mem_op(hex_str(pkey_digests
.d
[DIGEST_SHA256
], DIGEST256_LEN
),OP_EQ
,
1595 AUTHORITY_SIGNKEY_A_DIGEST256
, HEX_DIGEST256_LEN
);
1601 test_crypto_digest_names(void *arg
)
1603 static const struct {
1604 int a
; const char *n
;
1606 { DIGEST_SHA1
, "sha1" },
1607 { DIGEST_SHA256
, "sha256" },
1608 { DIGEST_SHA512
, "sha512" },
1609 { DIGEST_SHA3_256
, "sha3-256" },
1610 { DIGEST_SHA3_512
, "sha3-512" },
1616 for (i
= 0; names
[i
].n
; ++i
) {
1617 tt_str_op(names
[i
].n
, OP_EQ
,crypto_digest_algorithm_get_name(names
[i
].a
));
1618 tt_int_op(names
[i
].a
,
1619 OP_EQ
,crypto_digest_algorithm_parse_name(names
[i
].n
));
1621 tt_int_op(-1, OP_EQ
,
1622 crypto_digest_algorithm_parse_name("TimeCubeHash-4444"));
1627 /** Run unit tests for misc crypto formatting functionality (base64, base32,
1628 * fingerprints, etc) */
1630 test_crypto_formats(void *arg
)
1632 char *data1
= NULL
, *data2
= NULL
, *data3
= NULL
;
1636 data1
= tor_malloc(1024);
1637 data2
= tor_malloc(1024);
1638 data3
= tor_malloc(1024);
1639 tt_assert(data1
&& data2
&& data3
);
1642 memset(data1
, 6, 1024);
1643 for (idx
= 0; idx
< 10; ++idx
) {
1644 i
= base64_encode(data2
, 1024, data1
, idx
, 0);
1645 tt_int_op(i
, OP_GE
, 0);
1646 tt_int_op(i
, OP_EQ
, strlen(data2
));
1647 j
= base64_decode(data3
, 1024, data2
, i
);
1648 tt_int_op(j
,OP_EQ
, idx
);
1649 tt_mem_op(data3
,OP_EQ
, data1
, idx
);
1651 i
= base64_encode_nopad(data2
, 1024, (uint8_t*)data1
, idx
);
1652 tt_int_op(i
, OP_GE
, 0);
1653 tt_int_op(i
, OP_EQ
, strlen(data2
));
1654 tt_assert(! strchr(data2
, '='));
1655 j
= base64_decode(data3
, 1024, data2
, i
);
1656 tt_int_op(j
, OP_EQ
, idx
);
1657 tt_mem_op(data3
,OP_EQ
, data1
, idx
);
1660 strlcpy(data1
, "Test string that contains 35 chars.", 1024);
1661 strlcat(data1
, " 2nd string that contains 35 chars.", 1024);
1663 i
= base64_encode(data2
, 1024, data1
, 71, 0);
1664 tt_int_op(i
, OP_GE
, 0);
1665 j
= base64_decode(data3
, 1024, data2
, i
);
1666 tt_int_op(j
,OP_EQ
, 71);
1667 tt_str_op(data3
,OP_EQ
, data1
);
1668 tt_int_op(data2
[i
], OP_EQ
, '\0');
1670 crypto_rand(data1
, DIGEST_LEN
);
1671 memset(data2
, 100, 1024);
1672 digest_to_base64(data2
, data1
);
1673 tt_int_op(BASE64_DIGEST_LEN
,OP_EQ
, strlen(data2
));
1674 tt_int_op(100,OP_EQ
, data2
[BASE64_DIGEST_LEN
+2]);
1675 memset(data3
, 99, 1024);
1676 tt_int_op(digest_from_base64(data3
, data2
),OP_EQ
, 0);
1677 tt_mem_op(data1
,OP_EQ
, data3
, DIGEST_LEN
);
1678 tt_int_op(99,OP_EQ
, data3
[DIGEST_LEN
+1]);
1680 tt_int_op(digest_from_base64(data3
, "###"), OP_LT
, 0);
1682 /* Encoding SHA256 */
1683 crypto_rand(data2
, DIGEST256_LEN
);
1684 memset(data2
, 100, 1024);
1685 digest256_to_base64(data2
, data1
);
1686 tt_int_op(BASE64_DIGEST256_LEN
,OP_EQ
, strlen(data2
));
1687 tt_int_op(100,OP_EQ
, data2
[BASE64_DIGEST256_LEN
+2]);
1688 memset(data3
, 99, 1024);
1689 tt_int_op(digest256_from_base64(data3
, data2
),OP_EQ
, 0);
1690 tt_mem_op(data1
,OP_EQ
, data3
, DIGEST256_LEN
);
1691 tt_int_op(99,OP_EQ
, data3
[DIGEST256_LEN
+1]);
1694 strlcpy(data1
, "5chrs", 1024);
1695 /* bit pattern is: [35 63 68 72 73] ->
1696 * [00110101 01100011 01101000 01110010 01110011]
1697 * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
1699 base32_encode(data2
, 9, data1
, 5);
1700 tt_str_op(data2
,OP_EQ
, "gvrwq4tt");
1702 strlcpy(data1
, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
1703 base32_encode(data2
, 30, data1
, 10);
1704 tt_str_op(data2
,OP_EQ
, "772w2rfobvomsywe");
1707 strlcpy(data1
, "6chrs\xff", 1024);
1708 base16_encode(data2
, 13, data1
, 6);
1709 tt_str_op(data2
,OP_EQ
, "3663687273FF");
1711 strlcpy(data1
, "f0d678affc000100", 1024);
1712 i
= base16_decode(data2
, 8, data1
, 16);
1713 tt_int_op(i
,OP_EQ
, 8);
1714 tt_mem_op(data2
,OP_EQ
, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
1716 /* now try some failing base16 decodes */
1717 tt_int_op(-1,OP_EQ
, base16_decode(data2
, 8, data1
, 15)); /* odd input len */
1718 tt_int_op(-1,OP_EQ
, base16_decode(data2
, 7, data1
, 16)); /* dest too short */
1719 strlcpy(data1
, "f0dz!8affc000100", 1024);
1720 tt_int_op(-1,OP_EQ
, base16_decode(data2
, 8, data1
, 16));
1726 /* Add spaces to fingerprint */
1728 data1
= tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
1729 tt_int_op(strlen(data1
),OP_EQ
, 40);
1730 data2
= tor_malloc(FINGERPRINT_LEN
+1);
1731 crypto_add_spaces_to_fp(data2
, FINGERPRINT_LEN
+1, data1
);
1732 tt_str_op(data2
, OP_EQ
,
1733 "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
1744 /** Test AES-CTR encryption and decryption with IV. */
1746 test_crypto_aes_iv(void *arg
)
1748 char *plain
, *encrypted1
, *encrypted2
, *decrypted1
, *decrypted2
;
1749 char plain_1
[1], plain_15
[15], plain_16
[16], plain_17
[17];
1750 char key1
[16], key2
[16];
1751 ssize_t encrypted_size
, decrypted_size
;
1753 int use_evp
= !strcmp(arg
,"evp");
1754 evaluate_evp_for_aes(use_evp
);
1756 plain
= tor_malloc(4095);
1757 encrypted1
= tor_malloc(4095 + 1 + 16);
1758 encrypted2
= tor_malloc(4095 + 1 + 16);
1759 decrypted1
= tor_malloc(4095 + 1);
1760 decrypted2
= tor_malloc(4095 + 1);
1762 crypto_rand(plain
, 4095);
1763 crypto_rand(key1
, 16);
1764 crypto_rand(key2
, 16);
1765 crypto_rand(plain_1
, 1);
1766 crypto_rand(plain_15
, 15);
1767 crypto_rand(plain_16
, 16);
1768 crypto_rand(plain_17
, 17);
1769 key1
[0] = key2
[0] + 128; /* Make sure that contents are different. */
1770 /* Encrypt and decrypt with the same key. */
1771 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted1
, 16 + 4095,
1774 tt_int_op(encrypted_size
,OP_EQ
, 16 + 4095);
1775 tt_assert(encrypted_size
> 0); /* This is obviously true, since 4111 is
1776 * greater than 0, but its truth is not
1777 * obvious to all analysis tools. */
1778 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 4095,
1779 encrypted1
, encrypted_size
);
1781 tt_int_op(decrypted_size
,OP_EQ
, 4095);
1782 tt_assert(decrypted_size
> 0);
1783 tt_mem_op(plain
,OP_EQ
, decrypted1
, 4095);
1784 /* Encrypt a second time (with a new random initialization vector). */
1785 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted2
, 16 + 4095,
1788 tt_int_op(encrypted_size
,OP_EQ
, 16 + 4095);
1789 tt_assert(encrypted_size
> 0);
1790 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted2
, 4095,
1791 encrypted2
, encrypted_size
);
1792 tt_int_op(decrypted_size
,OP_EQ
, 4095);
1793 tt_assert(decrypted_size
> 0);
1794 tt_mem_op(plain
,OP_EQ
, decrypted2
, 4095);
1795 tt_mem_op(encrypted1
,OP_NE
, encrypted2
, encrypted_size
);
1796 /* Decrypt with the wrong key. */
1797 decrypted_size
= crypto_cipher_decrypt_with_iv(key2
, decrypted2
, 4095,
1798 encrypted1
, encrypted_size
);
1799 tt_int_op(decrypted_size
,OP_EQ
, 4095);
1800 tt_mem_op(plain
,OP_NE
, decrypted2
, decrypted_size
);
1801 /* Alter the initialization vector. */
1802 encrypted1
[0] += 42;
1803 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 4095,
1804 encrypted1
, encrypted_size
);
1805 tt_int_op(decrypted_size
,OP_EQ
, 4095);
1806 tt_mem_op(plain
,OP_NE
, decrypted2
, 4095);
1807 /* Special length case: 1. */
1808 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted1
, 16 + 1,
1810 tt_int_op(encrypted_size
,OP_EQ
, 16 + 1);
1811 tt_assert(encrypted_size
> 0);
1812 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 1,
1813 encrypted1
, encrypted_size
);
1814 tt_int_op(decrypted_size
,OP_EQ
, 1);
1815 tt_assert(decrypted_size
> 0);
1816 tt_mem_op(plain_1
,OP_EQ
, decrypted1
, 1);
1817 /* Special length case: 15. */
1818 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted1
, 16 + 15,
1820 tt_int_op(encrypted_size
,OP_EQ
, 16 + 15);
1821 tt_assert(encrypted_size
> 0);
1822 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 15,
1823 encrypted1
, encrypted_size
);
1824 tt_int_op(decrypted_size
,OP_EQ
, 15);
1825 tt_assert(decrypted_size
> 0);
1826 tt_mem_op(plain_15
,OP_EQ
, decrypted1
, 15);
1827 /* Special length case: 16. */
1828 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted1
, 16 + 16,
1830 tt_int_op(encrypted_size
,OP_EQ
, 16 + 16);
1831 tt_assert(encrypted_size
> 0);
1832 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 16,
1833 encrypted1
, encrypted_size
);
1834 tt_int_op(decrypted_size
,OP_EQ
, 16);
1835 tt_assert(decrypted_size
> 0);
1836 tt_mem_op(plain_16
,OP_EQ
, decrypted1
, 16);
1837 /* Special length case: 17. */
1838 encrypted_size
= crypto_cipher_encrypt_with_iv(key1
, encrypted1
, 16 + 17,
1840 tt_int_op(encrypted_size
,OP_EQ
, 16 + 17);
1841 tt_assert(encrypted_size
> 0);
1842 decrypted_size
= crypto_cipher_decrypt_with_iv(key1
, decrypted1
, 17,
1843 encrypted1
, encrypted_size
);
1844 tt_int_op(decrypted_size
,OP_EQ
, 17);
1845 tt_assert(decrypted_size
> 0);
1846 tt_mem_op(plain_17
,OP_EQ
, decrypted1
, 17);
1851 tor_free(encrypted1
);
1852 tor_free(encrypted2
);
1853 tor_free(decrypted1
);
1854 tor_free(decrypted2
);
1857 /** Test base32 decoding. */
1859 test_crypto_base32_decode(void *arg
)
1861 char plain
[60], encoded
[96 + 1], decoded
[60];
1864 crypto_rand(plain
, 60);
1865 /* Encode and decode a random string. */
1866 base32_encode(encoded
, 96 + 1, plain
, 60);
1867 res
= base32_decode(decoded
, 60, encoded
, 96);
1868 tt_int_op(res
,OP_EQ
, 0);
1869 tt_mem_op(plain
,OP_EQ
, decoded
, 60);
1870 /* Encode, uppercase, and decode a random string. */
1871 base32_encode(encoded
, 96 + 1, plain
, 60);
1872 tor_strupper(encoded
);
1873 res
= base32_decode(decoded
, 60, encoded
, 96);
1874 tt_int_op(res
,OP_EQ
, 0);
1875 tt_mem_op(plain
,OP_EQ
, decoded
, 60);
1876 /* Change encoded string and decode. */
1877 if (encoded
[0] == 'A' || encoded
[0] == 'a')
1881 res
= base32_decode(decoded
, 60, encoded
, 96);
1882 tt_int_op(res
,OP_EQ
, 0);
1883 tt_mem_op(plain
,OP_NE
, decoded
, 60);
1884 /* Bad encodings. */
1886 res
= base32_decode(decoded
, 60, encoded
, 96);
1887 tt_int_op(0, OP_GT
, res
);
1894 test_crypto_kdf_TAP(void *arg
)
1896 uint8_t key_material
[100];
1898 char *mem_op_hex_tmp
= NULL
;
1902 r = crypto_expand_key_material_TAP( \
1903 (const uint8_t*)(s), strlen(s), \
1906 /* Test vectors generated with a little python script; feel free to write
1908 memset(key_material
, 0, sizeof(key_material
));
1910 tt_int_op(r
, OP_EQ
, 0);
1911 test_memeq_hex(key_material
,
1912 "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
1913 "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
1914 "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
1915 "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
1918 tt_int_op(r
, OP_EQ
, 0);
1919 test_memeq_hex(key_material
,
1920 "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
1921 "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
1922 "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
1923 "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
1925 EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
1926 tt_int_op(r
, OP_EQ
, 0);
1927 test_memeq_hex(key_material
,
1928 "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
1929 "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
1930 "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
1931 "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
1934 tor_free(mem_op_hex_tmp
);
1940 test_crypto_hkdf_sha256(void *arg
)
1942 uint8_t key_material
[100];
1943 const uint8_t salt
[] = "ntor-curve25519-sha256-1:key_extract";
1944 const size_t salt_len
= strlen((char*)salt
);
1945 const uint8_t m_expand
[] = "ntor-curve25519-sha256-1:key_expand";
1946 const size_t m_expand_len
= strlen((char*)m_expand
);
1948 char *mem_op_hex_tmp
= NULL
;
1953 r = crypto_expand_key_material_rfc5869_sha256( \
1954 (const uint8_t*)(s), strlen(s), \
1956 m_expand, m_expand_len, \
1959 /* Test vectors generated with ntor_ref.py */
1961 tt_int_op(r
, OP_EQ
, 0);
1962 test_memeq_hex(key_material
,
1963 "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
1964 "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
1965 "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
1966 "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
1968 EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
1969 tt_int_op(r
, OP_EQ
, 0);
1970 test_memeq_hex(key_material
,
1971 "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
1972 "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
1973 "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
1974 "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
1976 tor_free(mem_op_hex_tmp
);
1981 test_crypto_hkdf_sha256_testvecs(void *arg
)
1984 /* Test vectors from RFC5869, sections A.1 through A.3 */
1986 const char *ikm16
, *salt16
, *info16
;
1991 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1992 "000102030405060708090a0b0c",
1993 "f0f1f2f3f4f5f6f7f8f9",
1995 "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
1996 "34007208d5b887185865"
1999 "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
2000 "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
2001 "404142434445464748494a4b4c4d4e4f",
2002 "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
2003 "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
2004 "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
2005 "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
2006 "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef"
2007 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2009 "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c"
2010 "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71"
2011 "cc30c58179ec3e87c14c01d5c1f3434f1d87"
2014 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
2018 "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
2019 "9d201395faa4b61a96c8",
2021 { NULL
, NULL
, NULL
, -1, NULL
}
2029 char *mem_op_hex_tmp
= NULL
;
2031 for (i
= 0; vecs
[i
].ikm16
; ++i
) {
2032 size_t ikm_len
= strlen(vecs
[i
].ikm16
)/2;
2033 size_t salt_len
= strlen(vecs
[i
].salt16
)/2;
2034 size_t info_len
= strlen(vecs
[i
].info16
)/2;
2035 size_t okm_len
= vecs
[i
].L
;
2037 ikm
= tor_malloc(ikm_len
);
2038 salt
= tor_malloc(salt_len
);
2039 info
= tor_malloc(info_len
);
2040 okm
= tor_malloc(okm_len
);
2042 base16_decode(ikm
, ikm_len
, vecs
[i
].ikm16
, strlen(vecs
[i
].ikm16
));
2043 base16_decode(salt
, salt_len
, vecs
[i
].salt16
, strlen(vecs
[i
].salt16
));
2044 base16_decode(info
, info_len
, vecs
[i
].info16
, strlen(vecs
[i
].info16
));
2046 int r
= crypto_expand_key_material_rfc5869_sha256(
2047 (const uint8_t*)ikm
, ikm_len
,
2048 (const uint8_t*)salt
, salt_len
,
2049 (const uint8_t*)info
, info_len
,
2050 (uint8_t*)okm
, okm_len
);
2051 tt_int_op(r
, OP_EQ
, 0);
2052 test_memeq_hex(okm
, vecs
[i
].okm16
);
2063 tor_free(mem_op_hex_tmp
);
2067 test_crypto_curve25519_impl(void *arg
)
2069 /* adapted from curve25519_donna, which adapted it from test-curve25519
2070 version 20050915, by D. J. Bernstein, Public domain. */
2072 const int randomize_high_bit
= (arg
!= NULL
);
2074 #ifdef SLOW_CURVE25519_TEST
2075 const int loop_max
=10000;
2076 const char e1_expected
[] = "4faf81190869fd742a33691b0e0824d5"
2077 "7e0329f4dd2819f5f32d130f1296b500";
2078 const char e2k_expected
[] = "05aec13f92286f3a781ccae98995a3b9"
2079 "e0544770bc7de853b38f9100489e3e79";
2080 const char e1e2k_expected
[] = "cd6e8269104eb5aaee886bd2071fba88"
2081 "bd13861475516bc2cd2b6e005e805064";
2082 #else /* !(defined(SLOW_CURVE25519_TEST)) */
2083 const int loop_max
=200;
2084 const char e1_expected
[] = "bc7112cde03f97ef7008cad1bdc56be3"
2085 "c6a1037d74cceb3712e9206871dcf654";
2086 const char e2k_expected
[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
2087 "8e3ee1a63c7d14274ea5d4c67f065467";
2088 const char e1e2k_expected
[] = "7ddb98bd89025d2347776b33901b3e7e"
2089 "c0ee98cb2257a4545c0cfb2ca3e1812b";
2090 #endif /* defined(SLOW_CURVE25519_TEST) */
2092 unsigned char e1k
[32];
2093 unsigned char e2k
[32];
2094 unsigned char e1e2k
[32];
2095 unsigned char e2e1k
[32];
2096 unsigned char e1
[32] = {3};
2097 unsigned char e2
[32] = {5};
2098 unsigned char k
[32] = {9};
2101 char *mem_op_hex_tmp
= NULL
;
2103 for (loop
= 0; loop
< loop_max
; ++loop
) {
2104 curve25519_impl(e1k
,e1
,k
);
2105 curve25519_impl(e2e1k
,e2
,e1k
);
2106 curve25519_impl(e2k
,e2
,k
);
2107 if (randomize_high_bit
) {
2108 /* We require that the high bit of the public key be ignored. So if
2109 * we're doing this variant test, we randomize the high bit of e2k, and
2110 * make sure that the handshake still works out the same as it would
2113 crypto_rand((char*)&byte
, 1);
2114 e2k
[31] |= (byte
& 0x80);
2116 curve25519_impl(e1e2k
,e1
,e2k
);
2117 tt_mem_op(e1e2k
,OP_EQ
, e2e1k
, 32);
2118 if (loop
== loop_max
-1) {
2121 for (i
= 0;i
< 32;++i
) e1
[i
] ^= e2k
[i
];
2122 for (i
= 0;i
< 32;++i
) e2
[i
] ^= e1k
[i
];
2123 for (i
= 0;i
< 32;++i
) k
[i
] ^= e1e2k
[i
];
2126 test_memeq_hex(e1
, e1_expected
);
2127 test_memeq_hex(e2k
, e2k_expected
);
2128 test_memeq_hex(e1e2k
, e1e2k_expected
);
2131 tor_free(mem_op_hex_tmp
);
2135 test_crypto_curve25519_basepoint(void *arg
)
2138 uint8_t public1
[32];
2139 uint8_t public2
[32];
2140 const int iters
= 2048;
2144 for (i
= 0; i
< iters
; ++i
) {
2145 crypto_rand((char*)secret
, 32);
2146 curve25519_set_impl_params(1); /* Use optimization */
2147 curve25519_basepoint_impl(public1
, secret
);
2148 curve25519_set_impl_params(0); /* Disable optimization */
2149 curve25519_basepoint_impl(public2
, secret
);
2150 tt_mem_op(public1
, OP_EQ
, public2
, 32);
2158 test_crypto_curve25519_testvec(void *arg
)
2161 char *mem_op_hex_tmp
= NULL
;
2163 /* From RFC 7748, section 6.1 */
2164 /* Alice's private key, a: */
2166 "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
2167 /* Alice's public key, X25519(a, 9): */
2168 const char a_pub16
[] =
2169 "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
2170 /* Bob's private key, b: */
2172 "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
2173 /* Bob's public key, X25519(b, 9): */
2174 const char b_pub16
[] =
2175 "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
2176 /* Their shared secret, K: */
2178 "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
2180 uint8_t a
[32], b
[32], a_pub
[32], b_pub
[32], k1
[32], k2
[32];
2181 base16_decode((char*)a
, sizeof(a
), a16
, strlen(a16
));
2182 base16_decode((char*)b
, sizeof(b
), b16
, strlen(b16
));
2183 curve25519_basepoint_impl(a_pub
, a
);
2184 curve25519_basepoint_impl(b_pub
, b
);
2185 curve25519_impl(k1
, a
, b_pub
);
2186 curve25519_impl(k2
, b
, a_pub
);
2188 test_memeq_hex(a
, a16
);
2189 test_memeq_hex(b
, b16
);
2190 test_memeq_hex(a_pub
, a_pub16
);
2191 test_memeq_hex(b_pub
, b_pub16
);
2192 test_memeq_hex(k1
, k16
);
2193 test_memeq_hex(k2
, k16
);
2195 tor_free(mem_op_hex_tmp
);
2199 test_crypto_curve25519_wrappers(void *arg
)
2201 curve25519_public_key_t pubkey1
, pubkey2
;
2202 curve25519_secret_key_t seckey1
, seckey2
;
2204 uint8_t output1
[CURVE25519_OUTPUT_LEN
];
2205 uint8_t output2
[CURVE25519_OUTPUT_LEN
];
2208 /* Test a simple handshake, serializing and deserializing some stuff. */
2209 curve25519_secret_key_generate(&seckey1
, 0);
2210 curve25519_secret_key_generate(&seckey2
, 1);
2211 curve25519_public_key_generate(&pubkey1
, &seckey1
);
2212 curve25519_public_key_generate(&pubkey2
, &seckey2
);
2213 tt_assert(curve25519_public_key_is_ok(&pubkey1
));
2214 tt_assert(curve25519_public_key_is_ok(&pubkey2
));
2215 curve25519_handshake(output1
, &seckey1
, &pubkey2
);
2216 curve25519_handshake(output2
, &seckey2
, &pubkey1
);
2217 tt_mem_op(output1
,OP_EQ
, output2
, sizeof(output1
));
2224 test_crypto_curve25519_encode(void *arg
)
2226 curve25519_secret_key_t seckey
;
2227 curve25519_public_key_t key1
, key2
, key3
;
2232 curve25519_secret_key_generate(&seckey
, 0);
2233 curve25519_public_key_generate(&key1
, &seckey
);
2234 tt_int_op(0, OP_EQ
, curve25519_public_to_base64(buf
, &key1
));
2235 tt_int_op(CURVE25519_BASE64_PADDED_LEN
, OP_EQ
, strlen(buf
));
2237 tt_int_op(0, OP_EQ
, curve25519_public_from_base64(&key2
, buf
));
2238 tt_mem_op(key1
.public_key
,OP_EQ
, key2
.public_key
, CURVE25519_PUBKEY_LEN
);
2240 buf
[CURVE25519_BASE64_PADDED_LEN
- 1] = '\0';
2241 tt_int_op(CURVE25519_BASE64_PADDED_LEN
-1, OP_EQ
, strlen(buf
));
2242 tt_int_op(0, OP_EQ
, curve25519_public_from_base64(&key3
, buf
));
2243 tt_mem_op(key1
.public_key
,OP_EQ
, key3
.public_key
, CURVE25519_PUBKEY_LEN
);
2245 /* Now try bogus parses. */
2246 strlcpy(buf
, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf
));
2247 tt_int_op(-1, OP_EQ
, curve25519_public_from_base64(&key3
, buf
));
2249 strlcpy(buf
, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf
));
2250 tt_int_op(-1, OP_EQ
, curve25519_public_from_base64(&key3
, buf
));
2252 strlcpy(buf
, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf
));
2253 tt_int_op(-1, OP_EQ
, curve25519_public_from_base64(&key3
, buf
));
2260 test_crypto_curve25519_persist(void *arg
)
2262 curve25519_keypair_t keypair
, keypair2
;
2263 char *fname
= tor_strdup(get_fname("curve25519_keypair"));
2265 char *content
= NULL
;
2272 tt_int_op(0,OP_EQ
,curve25519_keypair_generate(&keypair
, 0));
2275 curve25519_keypair_write_to_file(&keypair
, fname
, "testing"));
2276 tt_int_op(0,OP_EQ
,curve25519_keypair_read_from_file(&keypair2
, &tag
, fname
));
2277 tt_str_op(tag
,OP_EQ
,"testing");
2280 tt_mem_op(keypair
.pubkey
.public_key
,OP_EQ
,
2281 keypair2
.pubkey
.public_key
,
2282 CURVE25519_PUBKEY_LEN
);
2283 tt_mem_op(keypair
.seckey
.secret_key
,OP_EQ
,
2284 keypair2
.seckey
.secret_key
,
2285 CURVE25519_SECKEY_LEN
);
2287 content
= read_file_to_str(fname
, RFTS_BIN
, &st
);
2289 taglen
= strlen("== c25519v1: testing ==");
2290 tt_u64_op((uint64_t)st
.st_size
, OP_EQ
,
2291 32+CURVE25519_PUBKEY_LEN
+CURVE25519_SECKEY_LEN
);
2292 tt_assert(fast_memeq(content
, "== c25519v1: testing ==", taglen
));
2293 tt_assert(tor_mem_is_zero(content
+taglen
, 32-taglen
));
2295 tt_mem_op(keypair
.seckey
.secret_key
,OP_EQ
,
2297 CURVE25519_SECKEY_LEN
);
2298 cp
+= CURVE25519_SECKEY_LEN
;
2299 tt_mem_op(keypair
.pubkey
.public_key
,OP_EQ
,
2301 CURVE25519_SECKEY_LEN
);
2304 fname
= tor_strdup(get_fname("bogus_keypair"));
2306 tt_int_op(-1, OP_EQ
,
2307 curve25519_keypair_read_from_file(&keypair2
, &tag
, fname
));
2310 content
[69] ^= 0xff;
2312 write_bytes_to_file(fname
, content
, (size_t)st
.st_size
, 1));
2313 tt_int_op(-1, OP_EQ
,
2314 curve25519_keypair_read_from_file(&keypair2
, &tag
, fname
));
2323 test_crypto_ed25519_simple(void *arg
)
2325 ed25519_keypair_t kp1
, kp2
;
2326 ed25519_public_key_t pub1
, pub2
;
2327 ed25519_secret_key_t sec1
, sec2
;
2328 ed25519_signature_t sig1
, sig2
;
2329 const uint8_t msg
[] =
2330 "GNU will be able to run Unix programs, "
2331 "but will not be identical to Unix.";
2332 const uint8_t msg2
[] =
2333 "Microsoft Windows extends the features of the DOS operating system, "
2334 "yet is compatible with most existing applications that run under DOS.";
2335 size_t msg_len
= strlen((const char*)msg
);
2336 size_t msg2_len
= strlen((const char*)msg2
);
2340 tt_int_op(0, OP_EQ
, ed25519_secret_key_generate(&sec1
, 0));
2341 tt_int_op(0, OP_EQ
, ed25519_secret_key_generate(&sec2
, 1));
2343 tt_int_op(0, OP_EQ
, ed25519_public_key_generate(&pub1
, &sec1
));
2344 tt_int_op(0, OP_EQ
, ed25519_public_key_generate(&pub2
, &sec1
));
2346 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, 0);
2347 tt_int_op(ed25519_validate_pubkey(&pub2
), OP_EQ
, 0);
2349 tt_mem_op(pub1
.pubkey
, OP_EQ
, pub2
.pubkey
, sizeof(pub1
.pubkey
));
2350 tt_assert(ed25519_pubkey_eq(&pub1
, &pub2
));
2351 tt_assert(ed25519_pubkey_eq(&pub1
, &pub1
));
2353 memcpy(&kp1
.pubkey
, &pub1
, sizeof(pub1
));
2354 memcpy(&kp1
.seckey
, &sec1
, sizeof(sec1
));
2355 tt_int_op(0, OP_EQ
, ed25519_sign(&sig1
, msg
, msg_len
, &kp1
));
2356 tt_int_op(0, OP_EQ
, ed25519_sign(&sig2
, msg
, msg_len
, &kp1
));
2358 /* Ed25519 signatures are deterministic */
2359 tt_mem_op(sig1
.sig
, OP_EQ
, sig2
.sig
, sizeof(sig1
.sig
));
2361 /* Basic signature is valid. */
2362 tt_int_op(0, OP_EQ
, ed25519_checksig(&sig1
, msg
, msg_len
, &pub1
));
2364 /* Altered signature doesn't work. */
2366 tt_int_op(-1, OP_EQ
, ed25519_checksig(&sig1
, msg
, msg_len
, &pub1
));
2368 /* Wrong public key doesn't work. */
2369 tt_int_op(0, OP_EQ
, ed25519_public_key_generate(&pub2
, &sec2
));
2370 tt_int_op(-1, OP_EQ
, ed25519_checksig(&sig2
, msg
, msg_len
, &pub2
));
2371 tt_assert(! ed25519_pubkey_eq(&pub1
, &pub2
));
2373 /* Wrong message doesn't work. */
2374 tt_int_op(0, OP_EQ
, ed25519_checksig(&sig2
, msg
, msg_len
, &pub1
));
2375 tt_int_op(-1, OP_EQ
, ed25519_checksig(&sig2
, msg
, msg_len
-1, &pub1
));
2376 tt_int_op(-1, OP_EQ
, ed25519_checksig(&sig2
, msg2
, msg2_len
, &pub1
));
2378 /* Batch signature checking works with some bad. */
2379 tt_int_op(0, OP_EQ
, ed25519_keypair_generate(&kp2
, 0));
2380 tt_int_op(0, OP_EQ
, ed25519_sign(&sig1
, msg
, msg_len
, &kp2
));
2382 ed25519_checkable_t ch
[] = {
2383 { &pub1
, sig2
, msg
, msg_len
}, /*ok*/
2384 { &pub1
, sig2
, msg
, msg_len
-1 }, /*bad*/
2385 { &kp2
.pubkey
, sig2
, msg2
, msg2_len
}, /*bad*/
2386 { &kp2
.pubkey
, sig1
, msg
, msg_len
}, /*ok*/
2389 tt_int_op(-2, OP_EQ
, ed25519_checksig_batch(okay
, ch
, 4));
2390 tt_int_op(okay
[0], OP_EQ
, 1);
2391 tt_int_op(okay
[1], OP_EQ
, 0);
2392 tt_int_op(okay
[2], OP_EQ
, 0);
2393 tt_int_op(okay
[3], OP_EQ
, 1);
2394 tt_int_op(-2, OP_EQ
, ed25519_checksig_batch(NULL
, ch
, 4));
2397 /* Batch signature checking works with all good. */
2399 ed25519_checkable_t ch
[] = {
2400 { &pub1
, sig2
, msg
, msg_len
}, /*ok*/
2401 { &kp2
.pubkey
, sig1
, msg
, msg_len
}, /*ok*/
2404 tt_int_op(0, OP_EQ
, ed25519_checksig_batch(okay
, ch
, 2));
2405 tt_int_op(okay
[0], OP_EQ
, 1);
2406 tt_int_op(okay
[1], OP_EQ
, 1);
2407 tt_int_op(0, OP_EQ
, ed25519_checksig_batch(NULL
, ch
, 2));
2410 /* Test the string-prefixed sign/checksig functions */
2412 ed25519_signature_t manual_sig
;
2415 /* Generate a signature with a prefixed msg. */
2416 tt_int_op(0, OP_EQ
, ed25519_sign_prefixed(&sig1
, msg
, msg_len
,
2417 "always in the mood",
2420 /* First, check that ed25519_sign_prefixed() returns the exact same sig as
2421 if we had manually prefixed the msg ourselves. */
2422 tor_asprintf(&prefixed_msg
, "%s%s", "always in the mood", msg
);
2423 tt_int_op(0, OP_EQ
, ed25519_sign(&manual_sig
, (uint8_t *)prefixed_msg
,
2424 strlen(prefixed_msg
), &kp1
));
2425 tor_free(prefixed_msg
);
2426 tt_assert(fast_memeq(sig1
.sig
, manual_sig
.sig
, sizeof(sig1
.sig
)));
2428 /* Test that prefixed checksig verifies it properly. */
2429 tt_int_op(0, OP_EQ
, ed25519_checksig_prefixed(&sig1
, msg
, msg_len
,
2430 "always in the mood",
2433 /* Test that checksig with wrong prefix fails. */
2434 tt_int_op(-1, OP_EQ
, ed25519_checksig_prefixed(&sig1
, msg
, msg_len
,
2435 "always in the moo",
2437 tt_int_op(-1, OP_EQ
, ed25519_checksig_prefixed(&sig1
, msg
, msg_len
,
2438 "always in the moon",
2440 tt_int_op(-1, OP_EQ
, ed25519_checksig_prefixed(&sig1
, msg
, msg_len
,
2441 "always in the mood!",
2450 test_crypto_ed25519_test_vectors(void *arg
)
2452 char *mem_op_hex_tmp
=NULL
;
2460 /* These test vectors were generated with the "ref" implementation of
2461 * ed25519 from SUPERCOP-20130419 */
2462 { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
2463 "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
2464 "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
2465 "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
2466 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2467 "204e554c2d7465726d696e617465642e"
2470 { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
2471 "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
2472 "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
2473 "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
2474 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2475 "204e554c2d7465726d696e617465642e"
2477 { "6578706f73656420627920456e676c697368207465787420617320696e707574",
2478 "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
2479 "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
2480 "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
2481 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2482 "204e554c2d7465726d696e617465642e"
2485 /* These come from "sign.input" in ed25519's page */
2486 { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
2487 "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
2488 "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
2489 "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
2490 "5a8d9d0a22357e6655f9c785"
2492 { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
2493 "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
2494 "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
2495 "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
2496 "b87d3813e03f58cf19fd0b6395"
2498 { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
2499 "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
2500 "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
2501 "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
2502 "55c7fa434f5ed8cdec2b7aeac173",
2504 { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
2505 "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
2506 "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
2507 "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
2508 "0a688e79be24f866286d4646b5d81c"
2510 /* These come from draft-irtf-cfrg-eddsa-05 section 7.1 */
2512 "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
2513 "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
2514 "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
2515 "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b",
2519 "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
2520 "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
2521 "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
2522 "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00",
2526 "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
2527 "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
2528 "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350"
2529 "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
2530 "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98"
2531 "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8"
2532 "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d"
2533 "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc"
2534 "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe"
2535 "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e"
2536 "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef"
2537 "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7"
2538 "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
2539 "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2"
2540 "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24"
2541 "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270"
2542 "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc"
2543 "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07"
2544 "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba"
2545 "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a"
2546 "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e"
2547 "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
2548 "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c"
2549 "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8"
2550 "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df"
2551 "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08"
2552 "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649"
2553 "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4"
2554 "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3"
2555 "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e"
2556 "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
2557 "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5"
2558 "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1"
2559 "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d"
2560 "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c"
2561 "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0"
2564 "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
2565 "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
2566 "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
2567 "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704",
2568 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
2569 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
2571 { NULL
, NULL
, NULL
, NULL
}
2576 for (i
= 0; items
[i
].pk
; ++i
) {
2577 ed25519_keypair_t kp
;
2578 ed25519_signature_t sig
;
2579 uint8_t sk_seed
[32];
2582 base16_decode((char*)sk_seed
, sizeof(sk_seed
),
2584 ed25519_secret_key_from_seed(&kp
.seckey
, sk_seed
);
2585 tt_int_op(0, OP_EQ
, ed25519_public_key_generate(&kp
.pubkey
, &kp
.seckey
));
2586 test_memeq_hex(kp
.pubkey
.pubkey
, items
[i
].pk
);
2588 msg_len
= strlen(items
[i
].msg
) / 2;
2589 msg
= tor_malloc(msg_len
);
2590 base16_decode((char*)msg
, msg_len
, items
[i
].msg
, strlen(items
[i
].msg
));
2592 tt_int_op(0, OP_EQ
, ed25519_sign(&sig
, msg
, msg_len
, &kp
));
2593 test_memeq_hex(sig
.sig
, items
[i
].sig
);
2599 tor_free(mem_op_hex_tmp
);
2603 test_crypto_ed25519_encode(void *arg
)
2605 char buf
[ED25519_SIG_BASE64_LEN
+1];
2606 ed25519_keypair_t kp
;
2607 ed25519_public_key_t pk
;
2608 ed25519_signature_t sig1
, sig2
;
2609 char *mem_op_hex_tmp
= NULL
;
2612 /* Test roundtrip. */
2613 tt_int_op(0, OP_EQ
, ed25519_keypair_generate(&kp
, 0));
2614 tt_int_op(0, OP_EQ
, ed25519_public_to_base64(buf
, &kp
.pubkey
));
2615 tt_int_op(ED25519_BASE64_LEN
, OP_EQ
, strlen(buf
));
2616 tt_int_op(0, OP_EQ
, ed25519_public_from_base64(&pk
, buf
));
2617 tt_mem_op(kp
.pubkey
.pubkey
, OP_EQ
, pk
.pubkey
, ED25519_PUBKEY_LEN
);
2619 tt_int_op(0, OP_EQ
, ed25519_sign(&sig1
, (const uint8_t*)"ABC", 3, &kp
));
2620 tt_int_op(0, OP_EQ
, ed25519_signature_to_base64(buf
, &sig1
));
2621 tt_int_op(0, OP_EQ
, ed25519_signature_from_base64(&sig2
, buf
));
2622 tt_mem_op(sig1
.sig
, OP_EQ
, sig2
.sig
, ED25519_SIG_LEN
);
2624 /* Test known value. */
2625 tt_int_op(0, OP_EQ
, ed25519_public_from_base64(&pk
,
2626 "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
2627 test_memeq_hex(pk
.pubkey
,
2628 "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
2631 tor_free(mem_op_hex_tmp
);
2635 test_crypto_ed25519_convert(void *arg
)
2637 const uint8_t msg
[] =
2638 "The eyes are not here / There are no eyes here.";
2643 for (i
= 0; i
< N
; ++i
) {
2644 curve25519_keypair_t curve25519_keypair
;
2645 ed25519_keypair_t ed25519_keypair
;
2646 ed25519_public_key_t ed25519_pubkey
;
2649 ed25519_signature_t sig
;
2651 tt_int_op(0,OP_EQ
,curve25519_keypair_generate(&curve25519_keypair
, i
&1));
2652 tt_int_op(0,OP_EQ
,ed25519_keypair_from_curve25519_keypair(
2653 &ed25519_keypair
, &bit
, &curve25519_keypair
));
2654 tt_int_op(0,OP_EQ
,ed25519_public_key_from_curve25519_public_key(
2655 &ed25519_pubkey
, &curve25519_keypair
.pubkey
, bit
));
2656 tt_mem_op(ed25519_pubkey
.pubkey
, OP_EQ
, ed25519_keypair
.pubkey
.pubkey
, 32);
2658 tt_int_op(0,OP_EQ
,ed25519_sign(&sig
, msg
, sizeof(msg
), &ed25519_keypair
));
2659 tt_int_op(0,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
),
2662 tt_int_op(-1,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
)-1,
2665 tt_int_op(-1,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
),
2674 test_crypto_ed25519_blinding(void *arg
)
2676 const uint8_t msg
[] =
2677 "Eyes I dare not meet in dreams / In death's dream kingdom";
2683 for (i
= 0; i
< N
; ++i
) {
2684 uint8_t blinding
[32];
2685 ed25519_keypair_t ed25519_keypair
;
2686 ed25519_keypair_t ed25519_keypair_blinded
;
2687 ed25519_public_key_t ed25519_pubkey_blinded
;
2689 ed25519_signature_t sig
;
2691 crypto_rand((char*) blinding
, sizeof(blinding
));
2693 tt_int_op(0,OP_EQ
,ed25519_keypair_generate(&ed25519_keypair
, 0));
2694 tt_int_op(0,OP_EQ
,ed25519_keypair_blind(&ed25519_keypair_blinded
,
2695 &ed25519_keypair
, blinding
));
2697 tt_int_op(0,OP_EQ
,ed25519_public_blind(&ed25519_pubkey_blinded
,
2698 &ed25519_keypair
.pubkey
, blinding
));
2700 tt_mem_op(ed25519_pubkey_blinded
.pubkey
, OP_EQ
,
2701 ed25519_keypair_blinded
.pubkey
.pubkey
, 32);
2703 tt_int_op(0,OP_EQ
,ed25519_sign(&sig
, msg
, sizeof(msg
),
2704 &ed25519_keypair_blinded
));
2706 tt_int_op(0,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
),
2707 &ed25519_pubkey_blinded
));
2709 tt_int_op(-1,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
)-1,
2710 &ed25519_pubkey_blinded
));
2712 tt_int_op(-1,OP_EQ
,ed25519_checksig(&sig
, msg
, sizeof(msg
),
2713 &ed25519_pubkey_blinded
));
2720 /** Test that our blinding functions will fail if we pass them bad pubkeys */
2722 test_crypto_ed25519_blinding_fail(void *arg
)
2725 uint8_t param
[32] = {2};
2726 ed25519_public_key_t pub
;
2727 ed25519_public_key_t pub_blinded
;
2731 /* This point is not on the curve: the blind routines should fail */
2732 const char badkey
[] =
2733 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2734 retval
= base16_decode((char*)pub
.pubkey
, sizeof(pub
.pubkey
),
2735 badkey
, strlen(badkey
));
2736 tt_int_op(retval
, OP_EQ
, sizeof(pub
.pubkey
));
2737 retval
= ed25519_public_blind(&pub_blinded
, &pub
, param
);
2738 tt_int_op(retval
, OP_EQ
, -1);
2740 /* This point is legit: blind routines should be happy */
2741 const char goodkey
[] =
2742 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2743 retval
= base16_decode((char*)pub
.pubkey
, sizeof(pub
.pubkey
),
2744 goodkey
, strlen(goodkey
));
2745 tt_int_op(retval
, OP_EQ
, sizeof(pub
.pubkey
));
2746 retval
= ed25519_public_blind(&pub_blinded
, &pub
, param
);
2747 tt_int_op(retval
, OP_EQ
, 0);
2754 test_crypto_ed25519_testvectors(void *arg
)
2757 char *mem_op_hex_tmp
= NULL
;
2760 for (i
= 0; i
< ARRAY_LENGTH(ED25519_SECRET_KEYS
); ++i
) {
2762 ed25519_secret_key_t esk
;
2763 ed25519_public_key_t pk
, blind_pk
, pkfromcurve
;
2764 ed25519_keypair_t keypair
, blind_keypair
;
2765 curve25519_keypair_t curvekp
;
2766 uint8_t blinding_param
[32];
2767 ed25519_signature_t sig
;
2770 memset(&curvekp
, 0xd0, sizeof(curvekp
));
2772 #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
2773 #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
2775 tt_int_op(sizeof(sk
), OP_EQ
, DECODE(sk
, ED25519_SECRET_KEYS
[i
]));
2776 tt_int_op(sizeof(blinding_param
), OP_EQ
, DECODE(blinding_param
,
2777 ED25519_BLINDING_PARAMS
[i
]));
2779 tt_int_op(0, OP_EQ
, ed25519_secret_key_from_seed(&esk
, sk
));
2780 EQ(esk
.seckey
, ED25519_EXPANDED_SECRET_KEYS
[i
]);
2782 tt_int_op(0, OP_EQ
, ed25519_public_key_generate(&pk
, &esk
));
2783 EQ(pk
.pubkey
, ED25519_PUBLIC_KEYS
[i
]);
2785 memcpy(&curvekp
.seckey
.secret_key
, esk
.seckey
, 32);
2786 curve25519_public_key_generate(&curvekp
.pubkey
, &curvekp
.seckey
);
2789 ed25519_keypair_from_curve25519_keypair(&keypair
, &sign
, &curvekp
));
2790 tt_int_op(0, OP_EQ
, ed25519_public_key_from_curve25519_public_key(
2791 &pkfromcurve
, &curvekp
.pubkey
, sign
));
2792 tt_mem_op(keypair
.pubkey
.pubkey
, OP_EQ
, pkfromcurve
.pubkey
, 32);
2793 EQ(curvekp
.pubkey
.public_key
, ED25519_CURVE25519_PUBLIC_KEYS
[i
]);
2796 memcpy(&keypair
.seckey
, &esk
, sizeof(esk
));
2797 memcpy(&keypair
.pubkey
, &pk
, sizeof(pk
));
2799 tt_int_op(0, OP_EQ
, ed25519_sign(&sig
, pk
.pubkey
, 32, &keypair
));
2801 EQ(sig
.sig
, ED25519_SELF_SIGNATURES
[i
]);
2805 ed25519_keypair_blind(&blind_keypair
, &keypair
, blinding_param
));
2807 ed25519_public_blind(&blind_pk
, &pk
, blinding_param
));
2809 EQ(blind_keypair
.seckey
.seckey
, ED25519_BLINDED_SECRET_KEYS
[i
]);
2810 EQ(blind_pk
.pubkey
, ED25519_BLINDED_PUBLIC_KEYS
[i
]);
2812 tt_mem_op(blind_pk
.pubkey
, OP_EQ
, blind_keypair
.pubkey
.pubkey
, 32);
2818 tor_free(mem_op_hex_tmp
);
2822 test_crypto_ed25519_storage(void *arg
)
2825 ed25519_keypair_t
*keypair
= NULL
;
2826 ed25519_public_key_t pub
;
2827 ed25519_secret_key_t sec
;
2828 char *fname_1
= tor_strdup(get_fname("ed_seckey_1"));
2829 char *fname_2
= tor_strdup(get_fname("ed_pubkey_2"));
2830 char *contents
= NULL
;
2833 keypair
= tor_malloc_zero(sizeof(ed25519_keypair_t
));
2834 tt_int_op(0,OP_EQ
,ed25519_keypair_generate(keypair
, 0));
2836 ed25519_seckey_write_to_file(&keypair
->seckey
, fname_1
, "foo"));
2838 ed25519_pubkey_write_to_file(&keypair
->pubkey
, fname_2
, "bar"));
2840 tt_int_op(-1, OP_EQ
, ed25519_pubkey_read_from_file(&pub
, &tag
, fname_1
));
2841 tt_ptr_op(tag
, OP_EQ
, NULL
);
2842 tt_int_op(-1, OP_EQ
, ed25519_seckey_read_from_file(&sec
, &tag
, fname_2
));
2843 tt_ptr_op(tag
, OP_EQ
, NULL
);
2845 tt_int_op(0, OP_EQ
, ed25519_pubkey_read_from_file(&pub
, &tag
, fname_2
));
2846 tt_str_op(tag
, OP_EQ
, "bar");
2848 tt_int_op(0, OP_EQ
, ed25519_seckey_read_from_file(&sec
, &tag
, fname_1
));
2849 tt_str_op(tag
, OP_EQ
, "foo");
2852 /* whitebox test: truncated keys. */
2853 tt_int_op(0, OP_EQ
, do_truncate(fname_1
, 40));
2854 tt_int_op(0, OP_EQ
, do_truncate(fname_2
, 40));
2855 tt_int_op(-1, OP_EQ
, ed25519_pubkey_read_from_file(&pub
, &tag
, fname_2
));
2856 tt_ptr_op(tag
, OP_EQ
, NULL
);
2858 tt_int_op(-1, OP_EQ
, ed25519_seckey_read_from_file(&sec
, &tag
, fname_1
));
2859 tt_ptr_op(tag
, OP_EQ
, NULL
);
2866 ed25519_keypair_free(keypair
);
2870 test_crypto_siphash(void *arg
)
2872 /* From the reference implementation, taking
2874 and in = 00; 00 01; 00 01 02; ...
2876 const uint8_t VECTORS
[64][8] =
2878 { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
2879 { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
2880 { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
2881 { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
2882 { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
2883 { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
2884 { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
2885 { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
2886 { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
2887 { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
2888 { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
2889 { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
2890 { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
2891 { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
2892 { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
2893 { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
2894 { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
2895 { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
2896 { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
2897 { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
2898 { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
2899 { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
2900 { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
2901 { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
2902 { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
2903 { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
2904 { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
2905 { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
2906 { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
2907 { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
2908 { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
2909 { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
2910 { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
2911 { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
2912 { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
2913 { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
2914 { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
2915 { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
2916 { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
2917 { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
2918 { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
2919 { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
2920 { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
2921 { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
2922 { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
2923 { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
2924 { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
2925 { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
2926 { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
2927 { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
2928 { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
2929 { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
2930 { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
2931 { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
2932 { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
2933 { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
2934 { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
2935 { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
2936 { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
2937 { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
2938 { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
2939 { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
2940 { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
2941 { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
2944 const struct sipkey K
= { UINT64_C(0x0706050403020100),
2945 UINT64_C(0x0f0e0d0c0b0a0908) };
2951 for (i
= 0; i
< 64; ++i
)
2954 for (i
= 0; i
< 64; ++i
) {
2955 uint64_t r
= siphash24(input
, i
, &K
);
2956 for (j
= 0; j
< 8; ++j
) {
2957 tt_int_op( (r
>> (j
*8)) & 0xff, OP_EQ
, VECTORS
[i
][j
]);
2965 /* We want the likelihood that the random buffer exhibits any regular pattern
2966 * to be far less than the memory bit error rate in the int return value.
2967 * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call
2968 * 3 functions, leading to an overall error rate of 1/10^616.
2969 * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range.
2971 #define FAILURE_MODE_BUFFER_SIZE (2048/8)
2973 /** Check crypto_rand for a failure mode where it does nothing to the buffer,
2974 * or it sets the buffer to all zeroes. Return 0 when the check passes,
2975 * or -1 when it fails. */
2977 crypto_rand_check_failure_mode_zero(void)
2979 char buf
[FAILURE_MODE_BUFFER_SIZE
];
2981 memset(buf
, 0, FAILURE_MODE_BUFFER_SIZE
);
2982 crypto_rand(buf
, FAILURE_MODE_BUFFER_SIZE
);
2984 for (size_t i
= 0; i
< FAILURE_MODE_BUFFER_SIZE
; i
++) {
2993 /** Check crypto_rand for a failure mode where every int64_t in the buffer is
2994 * the same. Return 0 when the check passes, or -1 when it fails. */
2996 crypto_rand_check_failure_mode_identical(void)
2998 /* just in case the buffer size isn't a multiple of sizeof(int64_t) */
2999 #define FAILURE_MODE_BUFFER_SIZE_I64 \
3000 (FAILURE_MODE_BUFFER_SIZE/8)
3001 #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \
3002 (FAILURE_MODE_BUFFER_SIZE_I64*8)
3004 #if FAILURE_MODE_BUFFER_SIZE_I64 < 2
3005 #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*8
3008 int64_t buf
[FAILURE_MODE_BUFFER_SIZE_I64
];
3010 memset(buf
, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES
);
3011 crypto_rand((char *)buf
, FAILURE_MODE_BUFFER_SIZE_I64_BYTES
);
3013 for (size_t i
= 1; i
< FAILURE_MODE_BUFFER_SIZE_I64
; i
++) {
3014 if (buf
[i
] != buf
[i
-1]) {
3022 /** Check crypto_rand for a failure mode where it increments the "random"
3023 * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.)
3024 * Return 0 when the check passes, or -1 when it fails. */
3026 crypto_rand_check_failure_mode_predict(void)
3028 unsigned char buf
[FAILURE_MODE_BUFFER_SIZE
];
3030 memset(buf
, 0, FAILURE_MODE_BUFFER_SIZE
);
3031 crypto_rand((char *)buf
, FAILURE_MODE_BUFFER_SIZE
);
3033 for (size_t i
= 1; i
< FAILURE_MODE_BUFFER_SIZE
; i
++) {
3034 /* check if the last byte was incremented by 1, including integer
3036 if (buf
[i
] - buf
[i
-1] != 1 && buf
[i
-1] - buf
[i
] != 255) {
3044 #undef FAILURE_MODE_BUFFER_SIZE
3046 /** Test that our ed25519 validation function rejects evil public keys and
3047 * accepts good ones. */
3049 test_crypto_ed25519_validation(void *arg
)
3054 ed25519_public_key_t pub1
;
3056 /* See https://lists.torproject.org/pipermail/tor-dev/2017-April/012230.html
3057 for a list of points with torsion components in ed25519. */
3059 { /* Point with torsion component (order 8l) */
3060 const char badkey
[] =
3061 "300ef2e64e588e1df55b48e4da0416ffb64cc85d5b00af6463d5cc6c2b1c185e";
3062 retval
= base16_decode((char*)pub1
.pubkey
, sizeof(pub1
.pubkey
),
3063 badkey
, strlen(badkey
));
3064 tt_int_op(retval
, OP_EQ
, sizeof(pub1
.pubkey
));
3065 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, -1);
3068 { /* Point with torsion component (order 4l) */
3069 const char badkey
[] =
3070 "f43e3a046db8749164c6e69b193f1e942c7452e7d888736f40b98093d814d5e7";
3071 retval
= base16_decode((char*)pub1
.pubkey
, sizeof(pub1
.pubkey
),
3072 badkey
, strlen(badkey
));
3073 tt_int_op(retval
, OP_EQ
, sizeof(pub1
.pubkey
));
3074 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, -1);
3077 { /* Point with torsion component (order 2l) */
3078 const char badkey
[] =
3079 "c9fff3af0471c28e33e98c2043e44f779d0427b1e37c521a6bddc011ed1869af";
3080 retval
= base16_decode((char*)pub1
.pubkey
, sizeof(pub1
.pubkey
),
3081 badkey
, strlen(badkey
));
3082 tt_int_op(retval
, OP_EQ
, sizeof(pub1
.pubkey
));
3083 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, -1);
3086 { /* This point is not even on the curve */
3087 const char badkey
[] =
3088 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
3089 retval
= base16_decode((char*)pub1
.pubkey
, sizeof(pub1
.pubkey
),
3090 badkey
, strlen(badkey
));
3091 tt_int_op(retval
, OP_EQ
, sizeof(pub1
.pubkey
));
3092 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, -1);
3095 { /* This one is a good key */
3096 const char goodkey
[] =
3097 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
3098 retval
= base16_decode((char*)pub1
.pubkey
, sizeof(pub1
.pubkey
),
3099 goodkey
, strlen(goodkey
));
3100 tt_int_op(retval
, OP_EQ
, sizeof(pub1
.pubkey
));
3101 tt_int_op(ed25519_validate_pubkey(&pub1
), OP_EQ
, 0);
3108 test_crypto_failure_modes(void *arg
)
3113 rv
= crypto_early_init();
3114 tt_int_op(rv
, OP_EQ
, 0);
3116 /* Check random works */
3117 rv
= crypto_rand_check_failure_mode_zero();
3118 tt_int_op(rv
, OP_EQ
, 0);
3120 rv
= crypto_rand_check_failure_mode_identical();
3121 tt_int_op(rv
, OP_EQ
, 0);
3123 rv
= crypto_rand_check_failure_mode_predict();
3124 tt_int_op(rv
, OP_EQ
, 0);
3130 #define CRYPTO_LEGACY(name) \
3131 { #name, test_crypto_ ## name , 0, NULL, NULL }
3133 #define ED25519_TEST_ONE(name, fl, which) \
3134 { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
3135 &ed25519_test_setup, (void*)which }
3137 #define ED25519_TEST(name, fl) \
3138 ED25519_TEST_ONE(name, (fl), "donna"), \
3139 ED25519_TEST_ONE(name, (fl), "ref10")
3141 struct testcase_t crypto_tests
[] = {
3142 CRYPTO_LEGACY(formats
),
3144 { "rng_range", test_crypto_rng_range
, 0, NULL
, NULL
},
3145 { "rng_strongest", test_crypto_rng_strongest
, TT_FORK
, NULL
, NULL
},
3146 { "rng_strongest_nosyscall", test_crypto_rng_strongest
, TT_FORK
,
3147 &passthrough_setup
, (void*)"nosyscall" },
3148 { "rng_strongest_nofallback", test_crypto_rng_strongest
, TT_FORK
,
3149 &passthrough_setup
, (void*)"nofallback" },
3150 { "rng_strongest_broken", test_crypto_rng_strongest
, TT_FORK
,
3151 &passthrough_setup
, (void*)"broken" },
3152 { "openssl_version", test_crypto_openssl_version
, TT_FORK
, NULL
, NULL
},
3153 { "aes_AES", test_crypto_aes128
, TT_FORK
, &passthrough_setup
, (void*)"aes" },
3154 { "aes_EVP", test_crypto_aes128
, TT_FORK
, &passthrough_setup
, (void*)"evp" },
3155 { "aes128_ctr_testvec", test_crypto_aes_ctr_testvec
, 0,
3156 &passthrough_setup
, (void*)"128" },
3157 { "aes192_ctr_testvec", test_crypto_aes_ctr_testvec
, 0,
3158 &passthrough_setup
, (void*)"192" },
3159 { "aes256_ctr_testvec", test_crypto_aes_ctr_testvec
, 0,
3160 &passthrough_setup
, (void*)"256" },
3163 { "pk_fingerprints", test_crypto_pk_fingerprints
, TT_FORK
, NULL
, NULL
},
3164 { "pk_base64", test_crypto_pk_base64
, TT_FORK
, NULL
, NULL
},
3165 { "pk_pem_encrypted", test_crypto_pk_pem_encrypted
, TT_FORK
, NULL
, NULL
},
3166 { "pk_invalid_private_key", test_crypto_pk_invalid_private_key
, 0,
3168 CRYPTO_LEGACY(digests
),
3169 { "digest_names", test_crypto_digest_names
, 0, NULL
, NULL
},
3170 { "sha3", test_crypto_sha3
, TT_FORK
, NULL
, NULL
},
3171 { "sha3_xof", test_crypto_sha3_xof
, TT_FORK
, NULL
, NULL
},
3172 { "mac_sha3", test_crypto_mac_sha3
, TT_FORK
, NULL
, NULL
},
3174 { "aes_iv_AES", test_crypto_aes_iv
, TT_FORK
, &passthrough_setup
,
3176 { "aes_iv_EVP", test_crypto_aes_iv
, TT_FORK
, &passthrough_setup
,
3178 CRYPTO_LEGACY(base32_decode
),
3179 { "kdf_TAP", test_crypto_kdf_TAP
, 0, NULL
, NULL
},
3180 { "hkdf_sha256", test_crypto_hkdf_sha256
, 0, NULL
, NULL
},
3181 { "hkdf_sha256_testvecs", test_crypto_hkdf_sha256_testvecs
, 0, NULL
, NULL
},
3182 { "curve25519_impl", test_crypto_curve25519_impl
, 0, NULL
, NULL
},
3183 { "curve25519_impl_hibit", test_crypto_curve25519_impl
, 0, NULL
, (void*)"y"},
3184 { "curve25516_testvec", test_crypto_curve25519_testvec
, 0, NULL
, NULL
},
3185 { "curve25519_basepoint",
3186 test_crypto_curve25519_basepoint
, TT_FORK
, NULL
, NULL
},
3187 { "curve25519_wrappers", test_crypto_curve25519_wrappers
, 0, NULL
, NULL
},
3188 { "curve25519_encode", test_crypto_curve25519_encode
, 0, NULL
, NULL
},
3189 { "curve25519_persist", test_crypto_curve25519_persist
, 0, NULL
, NULL
},
3190 ED25519_TEST(simple
, 0),
3191 ED25519_TEST(test_vectors
, 0),
3192 ED25519_TEST(encode
, 0),
3193 ED25519_TEST(convert
, 0),
3194 ED25519_TEST(blinding
, 0),
3195 ED25519_TEST(blinding_fail
, 0),
3196 ED25519_TEST(testvectors
, 0),
3197 ED25519_TEST(validation
, 0),
3198 { "ed25519_storage", test_crypto_ed25519_storage
, 0, NULL
, NULL
},
3199 { "siphash", test_crypto_siphash
, 0, NULL
, NULL
},
3200 { "failure_modes", test_crypto_failure_modes
, TT_FORK
, NULL
, NULL
},