search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fuzzing module for various string operations, currently focusing on
[tor.git] / src / test / test_crypto.c
blob81d2fa6f33de1c1f1b40d6a14310fdee3a9f6e5e
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2018, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5
6 #include "orconfig.h"
7 #define CRYPTO_CURVE25519_PRIVATE
8 #define CRYPTO_RAND_PRIVATE
9 #include "core/or/or.h"
10 #include "test/test.h"
11 #include "lib/crypt_ops/aes.h"
12 #include "siphash.h"
13 #include "lib/crypt_ops/crypto_curve25519.h"
14 #include "lib/crypt_ops/crypto_dh.h"
15 #include "lib/crypt_ops/crypto_ed25519.h"
16 #include "lib/crypt_ops/crypto_format.h"
17 #include "lib/crypt_ops/crypto_hkdf.h"
18 #include "lib/crypt_ops/crypto_rand.h"
19 #include "lib/crypt_ops/crypto_init.h"
20 #include "ed25519_vectors.inc"
21 #include "test/log_test_helpers.h"
22
23 #ifdef HAVE_SYS_STAT_H
24 #include <sys/stat.h>
25 #endif
26 #ifdef HAVE_UNISTD_H
27 #include <unistd.h>
28 #endif
29
30 #if defined(ENABLE_OPENSSL)
31 #include "lib/crypt_ops/compat_openssl.h"
32 DISABLE_GCC_WARNING(redundant-decls)
33 #include <openssl/dh.h>
34 ENABLE_GCC_WARNING(redundant-decls)
35 #endif
36
37 /** Run unit tests for Diffie-Hellman functionality. */
38 static void
39 test_crypto_dh(void *arg)
40 {
41 crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
42 crypto_dh_t *dh1_dup = NULL;
43 crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
44 char p1[DH1024_KEY_LEN];
45 char p2[DH1024_KEY_LEN];
46 char s1[DH1024_KEY_LEN];
47 char s2[DH1024_KEY_LEN];
48 ssize_t s1len, s2len;
49 #ifdef ENABLE_OPENSSL
50 crypto_dh_t *dh3 = NULL;
51 DH *dh4 = NULL;
52 BIGNUM *pubkey_tmp = NULL;
53 #endif
54
55 (void)arg;
56 tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH1024_KEY_LEN);
57 tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH1024_KEY_LEN);
58
59 memset(p1, 0, DH1024_KEY_LEN);
60 memset(p2, 0, DH1024_KEY_LEN);
61 tt_mem_op(p1,OP_EQ, p2, DH1024_KEY_LEN);
62
63 tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */
64
65 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
66 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
67 tt_assert(! crypto_dh_get_public(dh2, p2, DH1024_KEY_LEN));
68 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
69
70 memset(s1, 0, DH1024_KEY_LEN);
71 memset(s2, 0xFF, DH1024_KEY_LEN);
72 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH1024_KEY_LEN, s1, 50);
73 s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH1024_KEY_LEN, s2, 50);
74 tt_assert(s1len > 0);
75 tt_int_op(s1len,OP_EQ, s2len);
76 tt_mem_op(s1,OP_EQ, s2, s1len);
77
78 /* test dh_dup; make sure it works the same. */
79 dh1_dup = crypto_dh_dup(dh1);
80 s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH1024_KEY_LEN,
81 s1, 50);
82 tt_i64_op(s1len, OP_GE, 0);
83 tt_mem_op(s1,OP_EQ, s2, s1len);
84
85 {
86 /* Now fabricate some bad values and make sure they get caught. */
87
88 /* 1 and 0 should both fail. */
89 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x01", 1, s1, 50);
90 tt_int_op(-1, OP_EQ, s1len);
91
92 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50);
93 tt_int_op(-1, OP_EQ, s1len);
94
95 memset(p1, 0, DH1024_KEY_LEN); /* 0 with padding. */
96 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
97 s1, 50);
98 tt_int_op(-1, OP_EQ, s1len);
99
100 p1[DH1024_KEY_LEN-1] = 1; /* 1 with padding*/
101 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
102 s1, 50);
103 tt_int_op(-1, OP_EQ, s1len);
104
105 /* 2 is okay, though weird. */
106 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
107 tt_int_op(50, OP_EQ, s1len);
108
109 /* 2 a second time is still okay, though weird. */
110 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
111 tt_int_op(50, OP_EQ, s1len);
112
113 const char P[] =
114 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
115 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
116 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
117 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
118 "49286651ECE65381FFFFFFFFFFFFFFFF";
119
120 /* p-1, p, and so on are not okay. */
121 base16_decode(p1, sizeof(p1), P, strlen(P));
122
123 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
124 s1, 50);
125 tt_int_op(-1, OP_EQ, s1len);
126
127 p1[DH1024_KEY_LEN-1] = 0xFE; /* p-1 */
128 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
129 s1, 50);
130 tt_int_op(-1, OP_EQ, s1len);
131
132 p1[DH1024_KEY_LEN-1] = 0xFD; /* p-2 works fine */
133 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
134 s1, 50);
135 tt_int_op(50, OP_EQ, s1len);
136
137 const char P_plus_one[] =
138 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
139 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
140 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
141 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
142 "49286651ECE653820000000000000000";
143
144 base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one));
145
146 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
147 s1, 50);
148 tt_int_op(-1, OP_EQ, s1len);
149
150 p1[DH1024_KEY_LEN-1] = 0x01; /* p+2 */
151 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
152 s1, 50);
153 tt_int_op(-1, OP_EQ, s1len);
154
155 p1[DH1024_KEY_LEN-1] = 0xff; /* p+256 */
156 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
157 s1, 50);
158 tt_int_op(-1, OP_EQ, s1len);
159
160 memset(p1, 0xff, DH1024_KEY_LEN), /* 2^1024-1 */
161 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
162 s1, 50);
163 tt_int_op(-1, OP_EQ, s1len);
164 }
165
166 {
167 /* provoke an error in the openssl DH_compute_key function; make sure we
168 * survive. */
169 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
170
171 crypto_dh_free(dh2);
172 dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */
173 s1len = crypto_dh_compute_secret(LOG_WARN, dh2,
174 p1, DH1024_KEY_LEN,
175 s1, 50);
176 tt_int_op(s1len, OP_EQ, -1);
177 }
178
179 #if defined(ENABLE_OPENSSL)
180 {
181 /* Make sure that our crypto library can handshake with openssl. */
182 dh3 = crypto_dh_new(DH_TYPE_TLS);
183 tt_assert(!crypto_dh_get_public(dh3, p1, DH1024_KEY_LEN));
184
185 dh4 = crypto_dh_new_openssl_tls();
186 tt_assert(DH_generate_key(dh4));
187 const BIGNUM *pk=NULL;
188 #ifdef OPENSSL_1_1_API
189 const BIGNUM *sk=NULL;
190 DH_get0_key(dh4, &pk, &sk);
191 #else
192 pk = dh4->pub_key;
193 #endif
194 tt_assert(pk);
195 tt_int_op(BN_num_bytes(pk), OP_LE, DH1024_KEY_LEN);
196 tt_int_op(BN_num_bytes(pk), OP_GT, 0);
197 memset(p2, 0, sizeof(p2));
198 /* right-pad. */
199 BN_bn2bin(pk, (unsigned char *)(p2+DH1024_KEY_LEN-BN_num_bytes(pk)));
200
201 s1len = crypto_dh_handshake(LOG_WARN, dh3, p2, DH1024_KEY_LEN,
202 (unsigned char *)s1, sizeof(s1));
203 pubkey_tmp = BN_bin2bn((unsigned char *)p1, DH1024_KEY_LEN, NULL);
204 s2len = DH_compute_key((unsigned char *)s2, pubkey_tmp, dh4);
205
206 tt_int_op(s1len, OP_EQ, s2len);
207 tt_int_op(s1len, OP_GT, 0);
208 tt_mem_op(s1, OP_EQ, s2, s1len);
209 }
210 #endif
211
212 done:
213 crypto_dh_free(dh1);
214 crypto_dh_free(dh2);
215 crypto_dh_free(dh1_dup);
216 #ifdef ENABLE_OPENSSL
217 crypto_dh_free(dh3);
218 if (dh4)
219 DH_free(dh4);
220 if (pubkey_tmp)
221 BN_free(pubkey_tmp);
222 #endif
223 }
224
225 static void
226 test_crypto_openssl_version(void *arg)
227 {
228 (void)arg;
229 #ifdef ENABLE_NSS
230 tt_skip();
231 #else
232 const char *version = crypto_openssl_get_version_str();
233 const char *h_version = crypto_openssl_get_header_version_str();
234 tt_assert(version);
235 tt_assert(h_version);
236 if (strcmpstart(version, h_version)) { /* "-fips" suffix, etc */
237 TT_DIE(("OpenSSL library version %s did not begin with header version %s.",
238 version, h_version));
239 }
240 if (strstr(version, "OpenSSL")) {
241 TT_DIE(("assertion failed: !strstr(\"%s\", \"OpenSSL\")", version));
242 }
243 int a=-1,b=-1,c=-1;
244 if (!strcmpstart(version, "LibreSSL") || !strcmpstart(version, "BoringSSL"))
245 return;
246 int r = tor_sscanf(version, "%d.%d.%d", &a,&b,&c);
247 tt_int_op(r, OP_EQ, 3);
248 tt_int_op(a, OP_GE, 0);
249 tt_int_op(b, OP_GE, 0);
250 tt_int_op(c, OP_GE, 0);
251 #endif
252
253 done:
254 ;
255 }
256
257 /** Run unit tests for our random number generation function and its wrappers.
258 */
259 static void
260 test_crypto_rng(void *arg)
261 {
262 int i, j, allok;
263 char data1[100], data2[100];
264 double d;
265 char *h=NULL;
266
267 /* Try out RNG. */
268 (void)arg;
269 tt_assert(! crypto_seed_rng());
270 crypto_rand(data1, 100);
271 crypto_rand(data2, 100);
272 tt_mem_op(data1,OP_NE, data2,100);
273 allok = 1;
274 for (i = 0; i < 100; ++i) {
275 uint64_t big;
276 char *host;
277 j = crypto_rand_int(100);
278 if (j < 0 || j >= 100)
279 allok = 0;
280 big = crypto_rand_uint64(UINT64_C(1)<<40);
281 if (big >= (UINT64_C(1)<<40))
282 allok = 0;
283 big = crypto_rand_uint64(UINT64_C(5));
284 if (big >= 5)
285 allok = 0;
286 d = crypto_rand_double();
287 tt_assert(d >= 0);
288 tt_assert(d < 1.0);
289 host = crypto_random_hostname(3,8,"www.",".onion");
290 if (strcmpstart(host,"www.") ||
291 strcmpend(host,".onion") ||
292 strlen(host) < 13 ||
293 strlen(host) > 18)
294 allok = 0;
295 tor_free(host);
296 }
297
298 /* Make sure crypto_random_hostname clips its inputs properly. */
299 h = crypto_random_hostname(20000, 9000, "www.", ".onion");
300 tt_assert(! strcmpstart(h,"www."));
301 tt_assert(! strcmpend(h,".onion"));
302 tt_int_op(63+4+6, OP_EQ, strlen(h));
303
304 tt_assert(allok);
305 done:
306 tor_free(h);
307 }
308
309 static void
310 test_crypto_rng_range(void *arg)
311 {
312 int got_smallest = 0, got_largest = 0;
313 int i;
314
315 (void)arg;
316 for (i = 0; i < 1000; ++i) {
317 int x = crypto_rand_int_range(5,9);
318 tt_int_op(x, OP_GE, 5);
319 tt_int_op(x, OP_LT, 9);
320 if (x == 5)
321 got_smallest = 1;
322 if (x == 8)
323 got_largest = 1;
324 }
325 /* These fail with probability 1/10^603. */
326 tt_assert(got_smallest);
327 tt_assert(got_largest);
328
329 got_smallest = got_largest = 0;
330 const uint64_t ten_billion = 10 * ((uint64_t)1000000000000);
331 for (i = 0; i < 1000; ++i) {
332 uint64_t x = crypto_rand_uint64_range(ten_billion, ten_billion+10);
333 tt_u64_op(x, OP_GE, ten_billion);
334 tt_u64_op(x, OP_LT, ten_billion+10);
335 if (x == ten_billion)
336 got_smallest = 1;
337 if (x == ten_billion+9)
338 got_largest = 1;
339 }
340
341 tt_assert(got_smallest);
342 tt_assert(got_largest);
343
344 const time_t now = time(NULL);
345 for (i = 0; i < 2000; ++i) {
346 time_t x = crypto_rand_time_range(now, now+60);
347 tt_i64_op(x, OP_GE, now);
348 tt_i64_op(x, OP_LT, now+60);
349 if (x == now)
350 got_smallest = 1;
351 if (x == now+59)
352 got_largest = 1;
353 }
354
355 tt_assert(got_smallest);
356 tt_assert(got_largest);
357 done:
358 ;
359 }
360
361 static void
362 test_crypto_rng_strongest(void *arg)
363 {
364 const char *how = arg;
365 int broken = 0;
366
367 if (how == NULL) {
368 ;
369 } else if (!strcmp(how, "nosyscall")) {
370 break_strongest_rng_syscall = 1;
371 } else if (!strcmp(how, "nofallback")) {
372 break_strongest_rng_fallback = 1;
373 } else if (!strcmp(how, "broken")) {
374 broken = break_strongest_rng_syscall = break_strongest_rng_fallback = 1;
375 }
376
377 #define N 128
378 uint8_t combine_and[N];
379 uint8_t combine_or[N];
380 int i, j;
381
382 memset(combine_and, 0xff, N);
383 memset(combine_or, 0, N);
384
385 for (i = 0; i < 100; ++i) { /* 2^-100 chances just don't happen. */
386 uint8_t output[N];
387 memset(output, 0, N);
388 if (how == NULL) {
389 /* this one can't fail. */
390 crypto_strongest_rand(output, sizeof(output));
391 } else {
392 int r = crypto_strongest_rand_raw(output, sizeof(output));
393 if (r == -1) {
394 if (broken) {
395 goto done; /* we're fine. */
396 }
397 /* This function is allowed to break, but only if it always breaks. */
398 tt_int_op(i, OP_EQ, 0);
399 tt_skip();
400 } else {
401 tt_assert(! broken);
402 }
403 }
404 for (j = 0; j < N; ++j) {
405 combine_and[j] &= output[j];
406 combine_or[j] |= output[j];
407 }
408 }
409
410 for (j = 0; j < N; ++j) {
411 tt_int_op(combine_and[j], OP_EQ, 0);
412 tt_int_op(combine_or[j], OP_EQ, 0xff);
413 }
414 done:
415 ;
416 #undef N
417 }
418
419 /** Run unit tests for our AES128 functionality */
420 static void
421 test_crypto_aes128(void *arg)
422 {
423 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
424 crypto_cipher_t *env1 = NULL, *env2 = NULL;
425 int i, j;
426 char *mem_op_hex_tmp=NULL;
427 char key[CIPHER_KEY_LEN];
428 int use_evp = !strcmp(arg,"evp");
429 evaluate_evp_for_aes(use_evp);
430 evaluate_ctr_for_aes();
431
432 data1 = tor_malloc(1024);
433 data2 = tor_malloc(1024);
434 data3 = tor_malloc(1024);
435
436 /* Now, test encryption and decryption with stream cipher. */
437 data1[0]='\0';
438 for (i = 1023; i>0; i -= 35)
439 strncat(data1, "Now is the time for all good onions", i);
440
441 memset(data2, 0, 1024);
442 memset(data3, 0, 1024);
443 crypto_rand(key, sizeof(key));
444 env1 = crypto_cipher_new(key);
445 tt_ptr_op(env1, OP_NE, NULL);
446 env2 = crypto_cipher_new(key);
447 tt_ptr_op(env2, OP_NE, NULL);
448
449 /* Try encrypting 512 chars. */
450 crypto_cipher_encrypt(env1, data2, data1, 512);
451 crypto_cipher_decrypt(env2, data3, data2, 512);
452 tt_mem_op(data1,OP_EQ, data3, 512);
453 tt_mem_op(data1,OP_NE, data2, 512);
454
455 /* Now encrypt 1 at a time, and get 1 at a time. */
456 for (j = 512; j < 560; ++j) {
457 crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
458 }
459 for (j = 512; j < 560; ++j) {
460 crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
461 }
462 tt_mem_op(data1,OP_EQ, data3, 560);
463 /* Now encrypt 3 at a time, and get 5 at a time. */
464 for (j = 560; j < 1024-5; j += 3) {
465 crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
466 }
467 for (j = 560; j < 1024-5; j += 5) {
468 crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
469 }
470 tt_mem_op(data1,OP_EQ, data3, 1024-5);
471 /* Now make sure that when we encrypt with different chunk sizes, we get
472 the same results. */
473 crypto_cipher_free(env2);
474 env2 = NULL;
475
476 memset(data3, 0, 1024);
477 env2 = crypto_cipher_new(key);
478 tt_ptr_op(env2, OP_NE, NULL);
479 for (j = 0; j < 1024-16; j += 17) {
480 crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
481 }
482 for (j= 0; j < 1024-16; ++j) {
483 if (data2[j] != data3[j]) {
484 printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]);
485 }
486 }
487 tt_mem_op(data2,OP_EQ, data3, 1024-16);
488 crypto_cipher_free(env1);
489 env1 = NULL;
490 crypto_cipher_free(env2);
491 env2 = NULL;
492
493 /* NIST test vector for aes. */
494 /* IV starts at 0 */
495 env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
496 "\x00\x00\x00\x00\x00\x00\x00\x00");
497 crypto_cipher_encrypt(env1, data1,
498 "\x00\x00\x00\x00\x00\x00\x00\x00"
499 "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
500 test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");
501
502 /* Now test rollover. All these values are originally from a python
503 * script. */
504 crypto_cipher_free(env1);
505 env1 = crypto_cipher_new_with_iv(
506 "\x80\x00\x00\x00\x00\x00\x00\x00"
507 "\x00\x00\x00\x00\x00\x00\x00\x00",
508 "\x00\x00\x00\x00\x00\x00\x00\x00"
509 "\xff\xff\xff\xff\xff\xff\xff\xff");
510 memset(data2, 0, 1024);
511 crypto_cipher_encrypt(env1, data1, data2, 32);
512 test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
513 "cdd0b917dbc7186908a6bfb5ffd574d3");
514 crypto_cipher_free(env1);
515 env1 = crypto_cipher_new_with_iv(
516 "\x80\x00\x00\x00\x00\x00\x00\x00"
517 "\x00\x00\x00\x00\x00\x00\x00\x00",
518 "\x00\x00\x00\x00\xff\xff\xff\xff"
519 "\xff\xff\xff\xff\xff\xff\xff\xff");
520 memset(data2, 0, 1024);
521 crypto_cipher_encrypt(env1, data1, data2, 32);
522 test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
523 "3e63c721df790d2c6469cc1953a3ffac");
524 crypto_cipher_free(env1);
525 env1 = crypto_cipher_new_with_iv(
526 "\x80\x00\x00\x00\x00\x00\x00\x00"
527 "\x00\x00\x00\x00\x00\x00\x00\x00",
528 "\xff\xff\xff\xff\xff\xff\xff\xff"
529 "\xff\xff\xff\xff\xff\xff\xff\xff");
530 memset(data2, 0, 1024);
531 crypto_cipher_encrypt(env1, data1, data2, 32);
532 test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
533 "0EDD33D3C621E546455BD8BA1418BEC8");
534
535 /* Now check rollover on inplace cipher. */
536 crypto_cipher_free(env1);
537 env1 = crypto_cipher_new_with_iv(
538 "\x80\x00\x00\x00\x00\x00\x00\x00"
539 "\x00\x00\x00\x00\x00\x00\x00\x00",
540 "\xff\xff\xff\xff\xff\xff\xff\xff"
541 "\xff\xff\xff\xff\xff\xff\xff\xff");
542 crypto_cipher_crypt_inplace(env1, data2, 64);
543 test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
544 "0EDD33D3C621E546455BD8BA1418BEC8"
545 "93e2c5243d6839eac58503919192f7ae"
546 "1908e67cafa08d508816659c2e693191");
547 crypto_cipher_free(env1);
548 env1 = crypto_cipher_new_with_iv(
549 "\x80\x00\x00\x00\x00\x00\x00\x00"
550 "\x00\x00\x00\x00\x00\x00\x00\x00",
551 "\xff\xff\xff\xff\xff\xff\xff\xff"
552 "\xff\xff\xff\xff\xff\xff\xff\xff");
553 crypto_cipher_crypt_inplace(env1, data2, 64);
554 tt_assert(tor_mem_is_zero(data2, 64));
555
556 done:
557 tor_free(mem_op_hex_tmp);
558 if (env1)
559 crypto_cipher_free(env1);
560 if (env2)
561 crypto_cipher_free(env2);
562 tor_free(data1);
563 tor_free(data2);
564 tor_free(data3);
565 }
566
567 static void
568 test_crypto_aes_ctr_testvec(void *arg)
569 {
570 const char *bitstr = arg;
571 char *mem_op_hex_tmp=NULL;
572 crypto_cipher_t *c=NULL;
573
574 /* from NIST SP800-38a, section F.5 */
575 const char ctr16[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
576 const char plaintext16[] =
577 "6bc1bee22e409f96e93d7e117393172a"
578 "ae2d8a571e03ac9c9eb76fac45af8e51"
579 "30c81c46a35ce411e5fbc1191a0a52ef"
580 "f69f2445df4f9b17ad2b417be66c3710";
581 const char *ciphertext16;
582 const char *key16;
583 int bits;
584
585 if (!strcmp(bitstr, "128")) {
586 ciphertext16 = /* section F.5.1 */
587 "874d6191b620e3261bef6864990db6ce"
588 "9806f66b7970fdff8617187bb9fffdff"
589 "5ae4df3edbd5d35e5b4f09020db03eab"
590 "1e031dda2fbe03d1792170a0f3009cee";
591 key16 = "2b7e151628aed2a6abf7158809cf4f3c";
592 bits = 128;
593 } else if (!strcmp(bitstr, "192")) {
594 ciphertext16 = /* section F.5.3 */
595 "1abc932417521ca24f2b0459fe7e6e0b"
596 "090339ec0aa6faefd5ccc2c6f4ce8e94"
597 "1e36b26bd1ebc670d1bd1d665620abf7"
598 "4f78a7f6d29809585a97daec58c6b050";
599 key16 = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b";
600 bits = 192;
601 } else if (!strcmp(bitstr, "256")) {
602 ciphertext16 = /* section F.5.5 */
603 "601ec313775789a5b7a7f504bbf3d228"
604 "f443e3ca4d62b59aca84e990cacaf5c5"
605 "2b0930daa23de94ce87017ba2d84988d"
606 "dfc9c58db67aada613c2dd08457941a6";
607 key16 =
608 "603deb1015ca71be2b73aef0857d7781"
609 "1f352c073b6108d72d9810a30914dff4";
610 bits = 256;
611 } else {
612 tt_abort_msg("AES doesn't support this number of bits.");
613 }
614
615 char key[32];
616 char iv[16];
617 char plaintext[16*4];
618 memset(key, 0xf9, sizeof(key)); /* poison extra bytes */
619 base16_decode(key, sizeof(key), key16, strlen(key16));
620 base16_decode(iv, sizeof(iv), ctr16, strlen(ctr16));
621 base16_decode(plaintext, sizeof(plaintext),
622 plaintext16, strlen(plaintext16));
623
624 c = crypto_cipher_new_with_iv_and_bits((uint8_t*)key, (uint8_t*)iv, bits);
625 crypto_cipher_crypt_inplace(c, plaintext, sizeof(plaintext));
626 test_memeq_hex(plaintext, ciphertext16);
627
628 done:
629 tor_free(mem_op_hex_tmp);
630 crypto_cipher_free(c);
631 }
632
633 /** Run unit tests for our SHA-1 functionality */
634 static void
635 test_crypto_sha(void *arg)
636 {
637 crypto_digest_t *d1 = NULL, *d2 = NULL;
638 int i;
639 #define RFC_4231_MAX_KEY_SIZE 131
640 char key[RFC_4231_MAX_KEY_SIZE];
641 char digest[DIGEST256_LEN];
642 char data[DIGEST512_LEN];
643 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
644 char *mem_op_hex_tmp=NULL;
645
646 /* Test SHA-1 with a test vector from the specification. */
647 (void)arg;
648 i = crypto_digest(data, "abc", 3);
649 test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
650 tt_int_op(i, OP_EQ, 0);
651
652 /* Test SHA-256 with a test vector from the specification. */
653 i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
654 test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
655 "96177A9CB410FF61F20015AD");
656 tt_int_op(i, OP_EQ, 0);
657
658 /* Test SHA-512 with a test vector from the specification. */
659 i = crypto_digest512(data, "abc", 3, DIGEST_SHA512);
660 test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
661 "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
662 "feebbd454d4423643ce80e2a9ac94fa54ca49f");
663 tt_int_op(i, OP_EQ, 0);
664
665 /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
666
667 /* Case empty (wikipedia) */
668 crypto_hmac_sha256(digest, "", 0, "", 0);
669 tt_str_op(hex_str(digest, 32),OP_EQ,
670 "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
671
672 /* Case quick-brown (wikipedia) */
673 crypto_hmac_sha256(digest, "key", 3,
674 "The quick brown fox jumps over the lazy dog", 43);
675 tt_str_op(hex_str(digest, 32),OP_EQ,
676 "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
677
678 /* "Test Case 1" from RFC 4231 */
679 memset(key, 0x0b, 20);
680 crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
681 test_memeq_hex(digest,
682 "b0344c61d8db38535ca8afceaf0bf12b"
683 "881dc200c9833da726e9376c2e32cff7");
684
685 /* "Test Case 2" from RFC 4231 */
686 memset(key, 0x0b, 20);
687 crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
688 test_memeq_hex(digest,
689 "5bdcc146bf60754e6a042426089575c7"
690 "5a003f089d2739839dec58b964ec3843");
691
692 /* "Test case 3" from RFC 4231 */
693 memset(key, 0xaa, 20);
694 memset(data, 0xdd, 50);
695 crypto_hmac_sha256(digest, key, 20, data, 50);
696 test_memeq_hex(digest,
697 "773ea91e36800e46854db8ebd09181a7"
698 "2959098b3ef8c122d9635514ced565fe");
699
700 /* "Test case 4" from RFC 4231 */
701 base16_decode(key, 25,
702 "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
703 memset(data, 0xcd, 50);
704 crypto_hmac_sha256(digest, key, 25, data, 50);
705 test_memeq_hex(digest,
706 "82558a389a443c0ea4cc819899f2083a"
707 "85f0faa3e578f8077a2e3ff46729665b");
708
709 /* "Test case 5" from RFC 4231 */
710 memset(key, 0x0c, 20);
711 crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
712 test_memeq_hex(digest,
713 "a3b6167473100ee06e0c796c2955552b");
714
715 /* "Test case 6" from RFC 4231 */
716 memset(key, 0xaa, 131);
717 crypto_hmac_sha256(digest, key, 131,
718 "Test Using Larger Than Block-Size Key - Hash Key First",
719 54);
720 test_memeq_hex(digest,
721 "60e431591ee0b67f0d8a26aacbf5b77f"
722 "8e0bc6213728c5140546040f0ee37f54");
723
724 /* "Test case 7" from RFC 4231 */
725 memset(key, 0xaa, 131);
726 crypto_hmac_sha256(digest, key, 131,
727 "This is a test using a larger than block-size key and a "
728 "larger than block-size data. The key needs to be hashed "
729 "before being used by the HMAC algorithm.", 152);
730 test_memeq_hex(digest,
731 "9b09ffa71b942fcb27635fbcd5b0e944"
732 "bfdc63644f0713938a7f51535c3a35e2");
733
734 /* Incremental digest code. */
735 d1 = crypto_digest_new();
736 tt_assert(d1);
737 crypto_digest_add_bytes(d1, "abcdef", 6);
738 d2 = crypto_digest_dup(d1);
739 tt_assert(d2);
740 crypto_digest_add_bytes(d2, "ghijkl", 6);
741 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
742 crypto_digest(d_out2, "abcdefghijkl", 12);
743 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
744 crypto_digest_assign(d2, d1);
745 crypto_digest_add_bytes(d2, "mno", 3);
746 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
747 crypto_digest(d_out2, "abcdefmno", 9);
748 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
749 crypto_digest_get_digest(d1, d_out1, DIGEST_LEN);
750 crypto_digest(d_out2, "abcdef", 6);
751 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
752 crypto_digest_free(d1);
753 crypto_digest_free(d2);
754
755 /* Incremental digest code with sha256 */
756 d1 = crypto_digest256_new(DIGEST_SHA256);
757 tt_assert(d1);
758 crypto_digest_add_bytes(d1, "abcdef", 6);
759 d2 = crypto_digest_dup(d1);
760 tt_assert(d2);
761 crypto_digest_add_bytes(d2, "ghijkl", 6);
762 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
763 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
764 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
765 crypto_digest_assign(d2, d1);
766 crypto_digest_add_bytes(d2, "mno", 3);
767 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
768 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
769 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
770 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
771 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
772 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
773 crypto_digest_free(d1);
774 crypto_digest_free(d2);
775
776 /* Incremental digest code with sha512 */
777 d1 = crypto_digest512_new(DIGEST_SHA512);
778 tt_assert(d1);
779 crypto_digest_add_bytes(d1, "abcdef", 6);
780 d2 = crypto_digest_dup(d1);
781 tt_assert(d2);
782 crypto_digest_add_bytes(d2, "ghijkl", 6);
783 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
784 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512);
785 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
786 crypto_digest_assign(d2, d1);
787 crypto_digest_add_bytes(d2, "mno", 3);
788 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
789 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512);
790 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
791 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
792 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512);
793 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
794
795 done:
796 if (d1)
797 crypto_digest_free(d1);
798 if (d2)
799 crypto_digest_free(d2);
800 tor_free(mem_op_hex_tmp);
801 }
802
803 static void
804 test_crypto_sha3(void *arg)
805 {
806 crypto_digest_t *d1 = NULL, *d2 = NULL;
807 int i;
808 char data[DIGEST512_LEN];
809 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
810 char *mem_op_hex_tmp=NULL;
811 char *large = NULL;
812
813 (void)arg;
814
815 /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
816 *
817 * NB: The code package's test vectors have length expressed in bits.
818 */
819
820 /* Len = 8, Msg = CC */
821 const uint8_t keccak_kat_msg8[] = { 0xcc };
822 i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
823 test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
824 "6252BB7CE180B00B582DD9B20AAAD7F0");
825 tt_int_op(i, OP_EQ, 0);
826 i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
827 test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
828 "C36E2EE0F652AC72E02624FA2E5ADEEC"
829 "C7DD6BB3580224B4D6138706FC6E8059"
830 "7B528051230B00621CC2B22999EAA205");
831 tt_int_op(i, OP_EQ, 0);
832
833 /* Len = 24, Msg = 1F877C */
834 const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
835 i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3,
836 DIGEST_SHA3_256);
837 test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
838 "C9C966712A501B19D1B6632CCD408EC5");
839 tt_int_op(i, OP_EQ, 0);
840 i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3,
841 DIGEST_SHA3_512);
842 test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
843 "1A2F0D0608C3A575163751F002DB30F4"
844 "0F2F671834B22D208591CFAF1F5ECFE4"
845 "3C49863A53B3225BDFD7C6591BA7658B");
846 tt_int_op(i, OP_EQ, 0);
847
848 /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
849 const uint8_t keccak_kat_msg1080[] = {
850 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
851 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
852 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
853 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
854 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
855 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
856 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
857 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
858 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
859 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
860 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
861 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
862 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
863 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
864 };
865 i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135,
866 DIGEST_SHA3_256);
867 test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
868 "BE9B7C736B8059ABFD6779AC35AC81B5");
869 tt_int_op(i, OP_EQ, 0);
870 i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135,
871 DIGEST_SHA3_512);
872 test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
873 "CB78696773A212A5F62D02D14E3259D1"
874 "92A87EBA4407DD83893527331407B6DA"
875 "DAAD920DBC46489B677493CE5F20B595");
876 tt_int_op(i, OP_EQ, 0);
877
878 /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
879 const uint8_t keccak_kat_msg1088[] = {
880 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
881 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
882 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
883 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
884 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
885 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
886 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
887 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
888 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
889 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
890 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
891 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
892 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
893 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
894 };
895 i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136,
896 DIGEST_SHA3_256);
897 test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
898 "77B5286364FE16C59CC8A907AFF07732");
899 tt_int_op(i, OP_EQ, 0);
900 i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136,
901 DIGEST_SHA3_512);
902 test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
903 "FB94A14C72DE5ACD10D0EB5ECE029CAD"
904 "FA3BA17A40B2FFA2163991B17786E51C"
905 "ABA79E5E0FFD34CF085E2A098BE8BACB");
906 tt_int_op(i, OP_EQ, 0);
907
908 /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
909 const uint8_t keccak_kat_msg1096[] = {
910 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
911 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
912 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
913 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
914 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
915 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
916 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
917 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
918 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
919 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
920 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
921 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
922 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
923 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
924 };
925 i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137,
926 DIGEST_SHA3_256);
927 test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
928 "735E0177279222E7AC0AF8504762FAA0");
929 tt_int_op(i, OP_EQ, 0);
930 i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137,
931 DIGEST_SHA3_512);
932 test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
933 "40474041DE83D4A60645A826D7AF1ABE"
934 "1EEFCB7B74B62CA6A514E5F2697D585B"
935 "FECECE12931BBE1D4ED7EBF7B0BE660E");
936 tt_int_op(i, OP_EQ, 0);
937
938 /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
939 const uint8_t keccak_kat_msg1144[] = {
940 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
941 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
942 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
943 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
944 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
945 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
946 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
947 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
948 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
949 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
950 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
951 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
952 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
953 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
954 0xDF, 0xAF, 0xEC,
955 };
956 i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143,
957 DIGEST_SHA3_512);
958 test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
959 "605516615D96A062C8BE53A0D6C5A648"
960 "7BE35D2A8F3CF6620D0C2DBA2C560D68"
961 "295F284BE7F82F3B92919033C9CE5D80");
962 tt_int_op(i, OP_EQ, 0);
963 i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143,
964 DIGEST_SHA3_256);
965 test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
966 "118C0C2C606BDCDA06E7943D2C95E0E5");
967 tt_int_op(i, OP_EQ, 0);
968
969 /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
970 const uint8_t keccak_kat_msg1152[] = {
971 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
972 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
973 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
974 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
975 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
976 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
977 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
978 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
979 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
980 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
981 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
982 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
983 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
984 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
985 0x9E, 0xE0, 0x0C, 0x63,
986 };
987 i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144,
988 DIGEST_SHA3_512);
989 test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
990 "22775DCB6019DCD22B8885994672A088"
991 "9C69E8115C641DC8B83E39F7311815A1"
992 "64DC46E0BA2FCA344D86D4BC2EF2532C");
993 tt_int_op(i, OP_EQ, 0);
994 i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144,
995 DIGEST_SHA3_256);
996 test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
997 "84DA47678F3C2FFE5A39FDB5F7E63FFB");
998 tt_int_op(i, OP_EQ, 0);
999
1000 /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
1001 const uint8_t keccak_kat_msg1160[] = {
1002 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
1003 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
1004 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
1005 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
1006 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
1007 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
1008 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
1009 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
1010 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
1011 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
1012 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
1013 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
1014 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
1015 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
1016 0x70, 0x11, 0x04, 0x4C, 0x53,
1017 };
1018 i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145,
1019 DIGEST_SHA3_512);
1020 test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
1021 "05221AC5EFB1229842E4614F4A029C9B"
1022 "D14A0ED7FD99AF3681429F3F309FDB53"
1023 "166AA9A3CD9F1F1223D04B4A9015E94A");
1024 tt_int_op(i, OP_EQ, 0);
1025 i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145,
1026 DIGEST_SHA3_256);
1027 test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
1028 "3CF6235C6B0B7969342C45A35194B67E");
1029 tt_int_op(i, OP_EQ, 0);
1030
1031 /* SHA3-[256,512] Empty case (wikipedia) */
1032 i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
1033 test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
1034 "f580ff4de43b49fa82d80a4b80f8434a");
1035 tt_int_op(i, OP_EQ, 0);
1036 i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
1037 test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
1038 "97c982164fe25859e0d1dcc1475c80a6"
1039 "15b2123af1f5f94c11e3e9402c3ac558"
1040 "f500199d95b6d3e301758586281dcd26");
1041 tt_int_op(i, OP_EQ, 0);
1042
1043 /* Incremental digest code with SHA3-256 */
1044 d1 = crypto_digest256_new(DIGEST_SHA3_256);
1045 tt_assert(d1);
1046 crypto_digest_add_bytes(d1, "abcdef", 6);
1047 d2 = crypto_digest_dup(d1);
1048 tt_assert(d2);
1049 crypto_digest_add_bytes(d2, "ghijkl", 6);
1050 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
1051 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
1052 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
1053 crypto_digest_assign(d2, d1);
1054 crypto_digest_add_bytes(d2, "mno", 3);
1055 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
1056 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
1057 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
1058 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
1059 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
1060 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
1061 crypto_digest_free(d1);
1062 crypto_digest_free(d2);
1063
1064 /* Incremental digest code with SHA3-512 */
1065 d1 = crypto_digest512_new(DIGEST_SHA3_512);
1066 tt_assert(d1);
1067 crypto_digest_add_bytes(d1, "abcdef", 6);
1068 d2 = crypto_digest_dup(d1);
1069 tt_assert(d2);
1070 crypto_digest_add_bytes(d2, "ghijkl", 6);
1071 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
1072 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512);
1073 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
1074 crypto_digest_assign(d2, d1);
1075 crypto_digest_add_bytes(d2, "mno", 3);
1076 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
1077 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512);
1078 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
1079 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
1080 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512);
1081 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
1082 crypto_digest_free(d1);
1083
1084 /* Attempt to exercise the incremental hashing code by creating a randomized
1085 * 30 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512
1086 * is used because it has a lowest rate of the family (the code is common,
1087 * but the slower rate exercises more of it).
1088 */
1089 const size_t bufsz = 30 * 1024;
1090 size_t j = 0;
1091 large = tor_malloc(bufsz);
1092 crypto_rand(large, bufsz);
1093 d1 = crypto_digest512_new(DIGEST_SHA3_512); /* Running digest. */
1094 while (j < bufsz) {
1095 /* Pick how much data to add to the running digest. */
1096 size_t incr = (size_t)crypto_rand_int_range(1, 72 * 5);
1097 incr = MIN(bufsz - j, incr);
1098
1099 /* Add the data, and calculate the hash. */
1100 crypto_digest_add_bytes(d1, large + j, incr);
1101 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
1102
1103 /* One-shot hash the buffer up to the data that was just added,
1104 * and ensure that the values match up.
1105 *
1106 * XXX/yawning: If this actually fails, it'll be rather difficult to
1107 * reproduce. Improvements welcome.
1108 */
1109 i = crypto_digest512(d_out2, large, j + incr, DIGEST_SHA3_512);
1110 tt_int_op(i, OP_EQ, 0);
1111 tt_mem_op(d_out1, OP_EQ, d_out2, DIGEST512_LEN);
1112
1113 j += incr;
1114 }
1115
1116 done:
1117 if (d1)
1118 crypto_digest_free(d1);
1119 if (d2)
1120 crypto_digest_free(d2);
1121 tor_free(large);
1122 tor_free(mem_op_hex_tmp);
1123 }
1124
1125 /** Run unit tests for our XOF. */
1126 static void
1127 test_crypto_sha3_xof(void *arg)
1128 {
1129 uint8_t msg[255];
1130 uint8_t out[512];
1131 crypto_xof_t *xof;
1132 char *mem_op_hex_tmp=NULL;
1133
1134 (void)arg;
1135
1136 /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */
1137 base16_decode((char *)msg, 255,
1138 "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431"
1139 "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1"
1140 "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F"
1141 "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457"
1142 "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186"
1143 "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3"
1144 "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565"
1145 "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7"
1146 "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510);
1147 const char *squeezed_hex =
1148 "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE"
1149 "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A"
1150 "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84"
1151 "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF"
1152 "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60"
1153 "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9"
1154 "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34"
1155 "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF"
1156 "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90"
1157 "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC"
1158 "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18"
1159 "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775"
1160 "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B"
1161 "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2"
1162 "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78"
1163 "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9"
1164 "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39"
1165 "73D4";
1166
1167 /* Test oneshot absorb/squeeze. */
1168 xof = crypto_xof_new();
1169 tt_assert(xof);
1170 crypto_xof_add_bytes(xof, msg, sizeof(msg));
1171 crypto_xof_squeeze_bytes(xof, out, sizeof(out));
1172 test_memeq_hex(out, squeezed_hex);
1173 crypto_xof_free(xof);
1174 memset(out, 0, sizeof(out));
1175
1176 /* Test incremental absorb/squeeze. */
1177 xof = crypto_xof_new();
1178 tt_assert(xof);
1179 for (size_t i = 0; i < sizeof(msg); i++)
1180 crypto_xof_add_bytes(xof, msg + i, 1);
1181 for (size_t i = 0; i < sizeof(out); i++)
1182 crypto_xof_squeeze_bytes(xof, out + i, 1);
1183 test_memeq_hex(out, squeezed_hex);
1184
1185 done:
1186 if (xof)
1187 crypto_xof_free(xof);
1188 tor_free(mem_op_hex_tmp);
1189 }
1190
1191 /* Test our MAC-SHA3 function. There are not actually any MAC-SHA3 test
1192 * vectors out there for our H(len(k) || k || m) construction. Hence what we
1193 * are gonna do is test our crypto_mac_sha3_256() function against manually
1194 * doing H(len(k) || k||m). If in the future the Keccak group decides to
1195 * standarize an MAC construction and make test vectors, we should
1196 * incorporate them here. */
1197 static void
1198 test_crypto_mac_sha3(void *arg)
1199 {
1200 const char msg[] = "i am in a library somewhere using my computer";
1201 const char key[] = "i'm from the past talking to the future.";
1202
1203 uint8_t hmac_test[DIGEST256_LEN];
1204 char hmac_manual[DIGEST256_LEN];
1205
1206 (void) arg;
1207
1208 /* First let's use our nice HMAC-SHA3 function */
1209 crypto_mac_sha3_256(hmac_test, sizeof(hmac_test),
1210 (uint8_t *) key, strlen(key),
1211 (uint8_t *) msg, strlen(msg));
1212
1213 /* Now let's try a manual H(len(k) || k || m) construction */
1214 {
1215 char *key_msg_concat = NULL, *all = NULL;
1216 int result;
1217 const uint64_t key_len_netorder = tor_htonll(strlen(key));
1218 size_t all_len;
1219
1220 tor_asprintf(&key_msg_concat, "%s%s", key, msg);
1221 all_len = sizeof(key_len_netorder) + strlen(key_msg_concat);
1222 all = tor_malloc_zero(all_len);
1223 memcpy(all, &key_len_netorder, sizeof(key_len_netorder));
1224 memcpy(all + sizeof(key_len_netorder), key_msg_concat,
1225 strlen(key_msg_concat));
1226
1227 result = crypto_digest256(hmac_manual, all, all_len, DIGEST_SHA3_256);
1228 tor_free(key_msg_concat);
1229 tor_free(all);
1230 tt_int_op(result, OP_EQ, 0);
1231 }
1232
1233 /* Now compare the two results */
1234 tt_mem_op(hmac_test, OP_EQ, hmac_manual, DIGEST256_LEN);
1235
1236 done: ;
1237 }
1238
1239 /** Run unit tests for our public key crypto functions */
1240 static void
1241 test_crypto_pk(void *arg)
1242 {
1243 crypto_pk_t *pk1 = NULL, *pk2 = NULL;
1244 char *encoded = NULL;
1245 char data1[1024], data2[1024], data3[1024];
1246 size_t size;
1247 int i, len;
1248
1249 /* Public-key ciphers */
1250 (void)arg;
1251 pk1 = pk_generate(0);
1252 pk2 = crypto_pk_new();
1253 tt_assert(pk1 && pk2);
1254 tt_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size));
1255 tt_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size));
1256 tt_int_op(0,OP_EQ, crypto_pk_cmp_keys(pk1, pk2));
1257
1258 /* comparison between keys and NULL */
1259 tt_int_op(crypto_pk_cmp_keys(NULL, pk1), OP_LT, 0);
1260 tt_int_op(crypto_pk_cmp_keys(NULL, NULL), OP_EQ, 0);
1261 tt_int_op(crypto_pk_cmp_keys(pk1, NULL), OP_GT, 0);
1262
1263 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk1));
1264 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk1));
1265 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk2));
1266 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk2));
1267
1268 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk2, data1, sizeof(data1),
1269 "Hello whirled.", 15,
1270 PK_PKCS1_OAEP_PADDING));
1271 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk1, data2, sizeof(data1),
1272 "Hello whirled.", 15,
1273 PK_PKCS1_OAEP_PADDING));
1274 /* oaep padding should make encryption not match */
1275 tt_mem_op(data1,OP_NE, data2, 128);
1276 tt_int_op(15,OP_EQ,
1277 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128,
1278 PK_PKCS1_OAEP_PADDING,1));
1279 tt_str_op(data3,OP_EQ, "Hello whirled.");
1280 memset(data3, 0, 1024);
1281 tt_int_op(15,OP_EQ,
1282 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1283 PK_PKCS1_OAEP_PADDING,1));
1284 tt_str_op(data3,OP_EQ, "Hello whirled.");
1285 /* Can't decrypt with public key. */
1286 tt_int_op(-1,OP_EQ,
1287 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128,
1288 PK_PKCS1_OAEP_PADDING,1));
1289 /* Try again with bad padding */
1290 memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
1291 tt_int_op(-1,OP_EQ,
1292 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1293 PK_PKCS1_OAEP_PADDING,1));
1294
1295 /* File operations: save and load private key */
1296 tt_assert(! crypto_pk_write_private_key_to_filename(pk1,
1297 get_fname("pkey1")));
1298 /* failing case for read: can't read. */
1299 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1300 OP_LT, 0);
1301 write_str_to_file(get_fname("xyzzy"), "foobar", 6);
1302 /* Failing case for read: no key. */
1303 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1304 OP_LT, 0);
1305 tt_assert(! crypto_pk_read_private_key_from_filename(pk2,
1306 get_fname("pkey1")));
1307 tt_int_op(15,OP_EQ,
1308 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128,
1309 PK_PKCS1_OAEP_PADDING,1));
1310
1311 /* Now try signing. */
1312 strlcpy(data1, "Ossifrage", 1024);
1313 tt_int_op(128,OP_EQ,
1314 crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10));
1315 tt_int_op(10,OP_EQ,
1316 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1317 tt_str_op(data3,OP_EQ, "Ossifrage");
1318 /* Try signing digests. */
1319 tt_int_op(128,OP_EQ, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2),
1320 data1, 10));
1321 tt_int_op(20,OP_EQ,
1322 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1323 tt_int_op(0,OP_EQ,
1324 crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128));
1325 tt_int_op(-1,OP_EQ,
1326 crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128));
1327
1328 /*XXXX test failed signing*/
1329
1330 /* Try encoding */
1331 crypto_pk_free(pk2);
1332 pk2 = NULL;
1333 i = crypto_pk_asn1_encode(pk1, data1, 1024);
1334 tt_int_op(i, OP_GT, 0);
1335 pk2 = crypto_pk_asn1_decode(data1, i);
1336 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1337
1338 /* Try with hybrid encryption wrappers. */
1339 crypto_rand(data1, 1024);
1340 for (i = 85; i < 140; ++i) {
1341 memset(data2,0,1024);
1342 memset(data3,0,1024);
1343 len = crypto_pk_obsolete_public_hybrid_encrypt(pk1,data2,sizeof(data2),
1344 data1,i,PK_PKCS1_OAEP_PADDING,0);
1345 tt_int_op(len, OP_GE, 0);
1346 len = crypto_pk_obsolete_private_hybrid_decrypt(pk1,data3,sizeof(data3),
1347 data2,len,PK_PKCS1_OAEP_PADDING,1);
1348 tt_int_op(len,OP_EQ, i);
1349 tt_mem_op(data1,OP_EQ, data3,i);
1350 }
1351
1352 /* Try copy_full */
1353 crypto_pk_free(pk2);
1354 pk2 = crypto_pk_copy_full(pk1);
1355 tt_ptr_op(pk2, OP_NE, NULL);
1356 tt_ptr_op(pk1, OP_NE, pk2);
1357 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1358
1359 done:
1360 if (pk1)
1361 crypto_pk_free(pk1);
1362 if (pk2)
1363 crypto_pk_free(pk2);
1364 tor_free(encoded);
1365 }
1366
1367 static void
1368 test_crypto_pk_fingerprints(void *arg)
1369 {
1370 crypto_pk_t *pk = NULL;
1371 char encoded[512];
1372 char d[DIGEST_LEN], d2[DIGEST_LEN];
1373 char fingerprint[FINGERPRINT_LEN+1];
1374 int n;
1375 unsigned i;
1376 char *mem_op_hex_tmp=NULL;
1377
1378 (void)arg;
1379
1380 pk = pk_generate(1);
1381 tt_assert(pk);
1382 n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded));
1383 tt_int_op(n, OP_GT, 0);
1384 tt_int_op(n, OP_GT, 128);
1385 tt_int_op(n, OP_LT, 256);
1386
1387 /* Is digest as expected? */
1388 crypto_digest(d, encoded, n);
1389 tt_int_op(0, OP_EQ, crypto_pk_get_digest(pk, d2));
1390 tt_mem_op(d,OP_EQ, d2, DIGEST_LEN);
1391
1392 /* Is fingerprint right? */
1393 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 0));
1394 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1395 test_memeq_hex(d, fingerprint);
1396
1397 /* Are spaces right? */
1398 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 1));
1399 for (i = 4; i < strlen(fingerprint); i += 5) {
1400 tt_int_op(fingerprint[i], OP_EQ, ' ');
1401 }
1402 tor_strstrip(fingerprint, " ");
1403 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1404 test_memeq_hex(d, fingerprint);
1405
1406 /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
1407 crypto_digest(d2, d, sizeof(d));
1408 tt_int_op(0, OP_EQ, crypto_pk_get_hashed_fingerprint(pk, fingerprint));
1409 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1410 test_memeq_hex(d2, fingerprint);
1411
1412 done:
1413 crypto_pk_free(pk);
1414 tor_free(mem_op_hex_tmp);
1415 }
1416
1417 static void
1418 test_crypto_pk_base64(void *arg)
1419 {
1420 crypto_pk_t *pk1 = NULL;
1421 crypto_pk_t *pk2 = NULL;
1422 char *encoded = NULL;
1423
1424 (void)arg;
1425
1426 /* Test Base64 encoding a key. */
1427 pk1 = pk_generate(0);
1428 tt_assert(pk1);
1429 tt_int_op(0, OP_EQ, crypto_pk_base64_encode_private(pk1, &encoded));
1430 tt_assert(encoded);
1431
1432 /* Test decoding a valid key. */
1433 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded));
1434 tt_assert(pk2);
1435 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1436 crypto_pk_free(pk2);
1437
1438 /* Test decoding a invalid key (not Base64). */
1439 static const char *invalid_b64 = "The key is in another castle!";
1440 pk2 = crypto_pk_base64_decode_private(invalid_b64, strlen(invalid_b64));
1441 tt_ptr_op(pk2, OP_EQ, NULL);
1442
1443 /* Test decoding a truncated Base64 blob. */
1444 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded)/2);
1445 tt_ptr_op(pk2, OP_EQ, NULL);
1446
1447 done:
1448 crypto_pk_free(pk1);
1449 crypto_pk_free(pk2);
1450 tor_free(encoded);
1451 }
1452
1453 static void
1454 test_crypto_pk_pem_encrypted(void *arg)
1455 {
1456 crypto_pk_t *pk = NULL;
1457 (void)arg;
1458
1459 pk = crypto_pk_new();
1460 /* we need to make sure that we won't stall if somebody gives us a key
1461 that's encrypted with a password. */
1462 {
1463 const char *s =
1464 "-----BEGIN RSA PRIVATE KEY-----\n"
1465 "Proc-Type: 4,ENCRYPTED\n"
1466 "DEK-Info: AES-128-CBC,EFA86BB9D2AB11E80B4E3DCD97782B16\n"
1467 "\n"
1468 "Z2Je4m0cFepc6coQkVbGcvNCHxTf941N2XYEVE6kn0CqWqoUH4tlwV6for5D91np\n"
1469 "5NiEFTkWj31EhrvrYcuiJtQ/iEbABxZULFWFeJ058rb+1izBz5rScqnEacIS/3Go\n"
1470 "YntnROBDwiKmUnue6PJVYg==\n"
1471 "-----END RSA PRIVATE KEY-----\n";
1472 tt_int_op(-1, OP_EQ,
1473 crypto_pk_read_private_key_from_string(pk, s, strlen(s)));
1474 }
1475 /* For fun, make sure we aren't hit by OpenSSL issue
1476 https://github.com/openssl/openssl/issues/6347 , where we get in trouble
1477 if a cipher doesn't use an IV.
1478 */
1479 {
1480 const char *s =
1481 "-----BEGIN RSA PUBLIC KEY-----\n"
1482 "Proc-Type:4,ENCRYPTED\n"
1483 "DEK-Info:des-ede -\n"
1484 "\n"
1485 "iRqK\n"
1486 "-----END RSA PUBLIC KEY-----\n";
1487 tt_int_op(-1, OP_EQ,
1488 crypto_pk_read_public_key_from_string(pk, s, strlen(s)));
1489 }
1490 done:
1491 crypto_pk_free(pk);
1492 }
1493
1494 static void
1495 test_crypto_pk_invalid_private_key(void *arg)
1496 {
1497 (void)arg;
1498 /* Here is a simple invalid private key: it was produced by making
1499 * a regular private key, and then adding 2 to the modulus. */
1500 const char pem[] =
1501 "-----BEGIN RSA PRIVATE KEY-----\n"
1502 "MIIEpQIBAAKCAQEAskRyZrs+YAukvBmZlgo6/rCxyKF2xyUk073ap+2CgRUnSfGG\n"
1503 "mflHlzqVq7tpH50DafpS+fFAbaEaNV/ac20QG0rUZi38HTB4qURWOu6n0Bws6E4l\n"
1504 "UX/AkvDlWnuYH0pHHi2c3DGNFjwoJpjKuUTk+cRffVR8X3Kjr62SUDUaBNW0Kecz\n"
1505 "3SYLbmgmZI16dFZ+g9sNM3znXZbhvb33WwPqpZSSPs37cPgF7eS6mAw/gUMx6zfE\n"
1506 "HRmUnOQSzUdS05rvc/hsiCLhiIZ8hgfkD07XnTT1Ds8DwE55k7BUWY2wvwWCNLsH\n"
1507 "qtqAxTr615XdkMxVkYgImpqPybarpfNYhFqkOwIDAQABAoIBACPC3VxEdbfYvhxJ\n"
1508 "2mih9sG++nswAN7kUaX0cRe86rAwaShJPmJHApiQ1ROVTfpciiHJaLnhLraPWe2Z\n"
1509 "I/6Bw3hmI4O399p3Lc1u+wlpdNqnvE6B1rSptx0DHE9xecvVH70rE0uM2Su7t6Y+\n"
1510 "gnR2IKUGQs2mlCilm7aTUEWs0WJkkl4CG1dyxItuOSdNBjOEzXimJyiB10jEBFsp\n"
1511 "SZeCF2FZ7AJbck5CVC42+oTsiDbZrHTHOn7v26rFGdONeHD1wOI1v7JwHFpCB923\n"
1512 "aEHBzsPbMeq7DWG1rjzCYpcXHhTDBDBWSia4SEhyr2Nl7m7qxWWWwR+x4dqAj3rD\n"
1513 "HeTmos0CgYEA6uf1CLpjPpOs5IaW1DQI8dJA/xFEAC/6GVgq4nFOGHZrm8G3L5o+\n"
1514 "qvtQNMpDs2naWuZpqROFqv24o01DykHygR72GlPIY6uvmmf5tvJLoGnbFUay33L4\n"
1515 "7b9dkNhuEIBNPzVDie0pgS77WgaPbYkVv5fnDwgPuVnkqfakEt7Pz2MCgYEAwkZ5\n"
1516 "R1wLuTQEA2Poo6Gf4L8Bg6yNYI46LHDqDIs818iYLjtcnEEvbPfaoKNpOn7s7s4O\n"
1517 "Pc+4HnT1aIQs0IKVLRTp+5a/9wfOkPZnobWOUHZk9UzBL3Hc1uy/qhp93iE3tSzx\n"
1518 "v0O1pvR+hr3guTCZx8wZnDvaMgG3hlyPnVlHdrMCgYEAzQQxGbMC1ySv6quEjCP2\n"
1519 "AogMbhE1lixJTUFj/EoDbNo9xKznIkauly/Lqqc1OysRhfA/G2+MY9YZBX1zwtyX\n"
1520 "uBW7mPKynDrFgi9pBECnvJNmwET57Ic9ttIj6Tzbos83nAjyrzgr1zGX8dRz7ZeN\n"
1521 "QbBj2vygLJbGOYinXkjUeh0CgYEAhN5aF9n2EqZmkEMGWtMxWy6HRJ0A3Cap1rcq\n"
1522 "+4VHCXWhzwy+XAeg/e/N0MuyLlWcif7XcqLcE8h+BwtO8xQ8HmcNWApUJAls12wO\n"
1523 "mGRpftJaXgIupdpD5aJpu1b++qrRRNIGTH9sf1D8L/8w8LcylZkbcuTkaAsQj45C\n"
1524 "kqT64U0CgYEAq47IKS6xc3CDc17BqExR6t+1yRe+4ml+z1zcVbfUKony4pGvl1yo\n"
1525 "rk0IYDN5Vd8h5xtXrkPdX9h+ywmohnelDKsayEuE+opyqEpSU4/96Bb22RZUoucb\n"
1526 "LWkV5gZx5hFnDFtEd4vadMIiY4jVv/3JqiZDKwMVBJKlHRXJEEmIEBk=\n"
1527 "-----END RSA PRIVATE KEY-----\n";
1528
1529 crypto_pk_t *pk = NULL;
1530
1531 pk = crypto_pk_new();
1532 setup_capture_of_logs(LOG_WARN);
1533 tt_int_op(-1, OP_EQ,
1534 crypto_pk_read_private_key_from_string(pk, pem, strlen(pem)));
1535 #ifdef ENABLE_NSS
1536 expect_single_log_msg_containing("received bad data");
1537 #else
1538 expect_single_log_msg_containing("while checking RSA key");
1539 #endif
1540 done:
1541 teardown_capture_of_logs();
1542 crypto_pk_free(pk);
1543 }
1544
1545 #ifdef HAVE_TRUNCATE
1546 #define do_truncate truncate
1547 #else
1548 static int
1549 do_truncate(const char *fname, size_t len)
1550 {
1551 struct stat st;
1552 char *bytes;
1553
1554 bytes = read_file_to_str(fname, RFTS_BIN, &st);
1555 if (!bytes)
1556 return -1;
1557 /* This cast isn't so great, but it should be safe given the actual files
1558 * and lengths we're using. */
1559 if (st.st_size < (off_t)len)
1560 len = MIN(len, (size_t)st.st_size);
1561
1562 int r = write_bytes_to_file(fname, bytes, len, 1);
1563 tor_free(bytes);
1564 return r;
1565 }
1566 #endif /* defined(HAVE_TRUNCATE) */
1567
1568 /** Sanity check for crypto pk digests */
1569 static void
1570 test_crypto_digests(void *arg)
1571 {
1572 crypto_pk_t *k = NULL;
1573 ssize_t r;
1574 common_digests_t pkey_digests;
1575 char digest[DIGEST_LEN];
1576
1577 (void)arg;
1578 k = crypto_pk_new();
1579 tt_assert(k);
1580 r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3,
1581 strlen(AUTHORITY_SIGNKEY_3));
1582 tt_assert(!r);
1583
1584 r = crypto_pk_get_digest(k, digest);
1585 tt_assert(r == 0);
1586 tt_mem_op(hex_str(digest, DIGEST_LEN),OP_EQ,
1587 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1588
1589 r = crypto_pk_get_common_digests(k, &pkey_digests);
1590 tt_int_op(r, OP_EQ, 0);
1591
1592 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),OP_EQ,
1593 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1594 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),OP_EQ,
1595 AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN);
1596 done:
1597 crypto_pk_free(k);
1598 }
1599
1600 static void
1601 test_crypto_digest_names(void *arg)
1602 {
1603 static const struct {
1604 int a; const char *n;
1605 } names[] = {
1606 { DIGEST_SHA1, "sha1" },
1607 { DIGEST_SHA256, "sha256" },
1608 { DIGEST_SHA512, "sha512" },
1609 { DIGEST_SHA3_256, "sha3-256" },
1610 { DIGEST_SHA3_512, "sha3-512" },
1611 { -1, NULL }
1612 };
1613 (void)arg;
1614
1615 int i;
1616 for (i = 0; names[i].n; ++i) {
1617 tt_str_op(names[i].n, OP_EQ,crypto_digest_algorithm_get_name(names[i].a));
1618 tt_int_op(names[i].a,
1619 OP_EQ,crypto_digest_algorithm_parse_name(names[i].n));
1620 }
1621 tt_int_op(-1, OP_EQ,
1622 crypto_digest_algorithm_parse_name("TimeCubeHash-4444"));
1623 done:
1624 ;
1625 }
1626
1627 /** Run unit tests for misc crypto formatting functionality (base64, base32,
1628 * fingerprints, etc) */
1629 static void
1630 test_crypto_formats(void *arg)
1631 {
1632 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
1633 int i, j, idx;
1634
1635 (void)arg;
1636 data1 = tor_malloc(1024);
1637 data2 = tor_malloc(1024);
1638 data3 = tor_malloc(1024);
1639 tt_assert(data1 && data2 && data3);
1640
1641 /* Base64 tests */
1642 memset(data1, 6, 1024);
1643 for (idx = 0; idx < 10; ++idx) {
1644 i = base64_encode(data2, 1024, data1, idx, 0);
1645 tt_int_op(i, OP_GE, 0);
1646 tt_int_op(i, OP_EQ, strlen(data2));
1647 j = base64_decode(data3, 1024, data2, i);
1648 tt_int_op(j,OP_EQ, idx);
1649 tt_mem_op(data3,OP_EQ, data1, idx);
1650
1651 i = base64_encode_nopad(data2, 1024, (uint8_t*)data1, idx);
1652 tt_int_op(i, OP_GE, 0);
1653 tt_int_op(i, OP_EQ, strlen(data2));
1654 tt_assert(! strchr(data2, '='));
1655 j = base64_decode(data3, 1024, data2, i);
1656 tt_int_op(j, OP_EQ, idx);
1657 tt_mem_op(data3,OP_EQ, data1, idx);
1658 }
1659
1660 strlcpy(data1, "Test string that contains 35 chars.", 1024);
1661 strlcat(data1, " 2nd string that contains 35 chars.", 1024);
1662
1663 i = base64_encode(data2, 1024, data1, 71, 0);
1664 tt_int_op(i, OP_GE, 0);
1665 j = base64_decode(data3, 1024, data2, i);
1666 tt_int_op(j,OP_EQ, 71);
1667 tt_str_op(data3,OP_EQ, data1);
1668 tt_int_op(data2[i], OP_EQ, '\0');
1669
1670 crypto_rand(data1, DIGEST_LEN);
1671 memset(data2, 100, 1024);
1672 digest_to_base64(data2, data1);
1673 tt_int_op(BASE64_DIGEST_LEN,OP_EQ, strlen(data2));
1674 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST_LEN+2]);
1675 memset(data3, 99, 1024);
1676 tt_int_op(digest_from_base64(data3, data2),OP_EQ, 0);
1677 tt_mem_op(data1,OP_EQ, data3, DIGEST_LEN);
1678 tt_int_op(99,OP_EQ, data3[DIGEST_LEN+1]);
1679
1680 tt_int_op(digest_from_base64(data3, "###"), OP_LT, 0);
1681
1682 /* Encoding SHA256 */
1683 crypto_rand(data2, DIGEST256_LEN);
1684 memset(data2, 100, 1024);
1685 digest256_to_base64(data2, data1);
1686 tt_int_op(BASE64_DIGEST256_LEN,OP_EQ, strlen(data2));
1687 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST256_LEN+2]);
1688 memset(data3, 99, 1024);
1689 tt_int_op(digest256_from_base64(data3, data2),OP_EQ, 0);
1690 tt_mem_op(data1,OP_EQ, data3, DIGEST256_LEN);
1691 tt_int_op(99,OP_EQ, data3[DIGEST256_LEN+1]);
1692
1693 /* Base32 tests */
1694 strlcpy(data1, "5chrs", 1024);
1695 /* bit pattern is: [35 63 68 72 73] ->
1696 * [00110101 01100011 01101000 01110010 01110011]
1697 * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
1698 */
1699 base32_encode(data2, 9, data1, 5);
1700 tt_str_op(data2,OP_EQ, "gvrwq4tt");
1701
1702 strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
1703 base32_encode(data2, 30, data1, 10);
1704 tt_str_op(data2,OP_EQ, "772w2rfobvomsywe");
1705
1706 /* Base16 tests */
1707 strlcpy(data1, "6chrs\xff", 1024);
1708 base16_encode(data2, 13, data1, 6);
1709 tt_str_op(data2,OP_EQ, "3663687273FF");
1710
1711 strlcpy(data1, "f0d678affc000100", 1024);
1712 i = base16_decode(data2, 8, data1, 16);
1713 tt_int_op(i,OP_EQ, 8);
1714 tt_mem_op(data2,OP_EQ, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
1715
1716 /* now try some failing base16 decodes */
1717 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 15)); /* odd input len */
1718 tt_int_op(-1,OP_EQ, base16_decode(data2, 7, data1, 16)); /* dest too short */
1719 strlcpy(data1, "f0dz!8affc000100", 1024);
1720 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 16));
1721
1722 tor_free(data1);
1723 tor_free(data2);
1724 tor_free(data3);
1725
1726 /* Add spaces to fingerprint */
1727 {
1728 data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
1729 tt_int_op(strlen(data1),OP_EQ, 40);
1730 data2 = tor_malloc(FINGERPRINT_LEN+1);
1731 crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1);
1732 tt_str_op(data2, OP_EQ,
1733 "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
1734 tor_free(data1);
1735 tor_free(data2);
1736 }
1737
1738 done:
1739 tor_free(data1);
1740 tor_free(data2);
1741 tor_free(data3);
1742 }
1743
1744 /** Test AES-CTR encryption and decryption with IV. */
1745 static void
1746 test_crypto_aes_iv(void *arg)
1747 {
1748 char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2;
1749 char plain_1[1], plain_15[15], plain_16[16], plain_17[17];
1750 char key1[16], key2[16];
1751 ssize_t encrypted_size, decrypted_size;
1752
1753 int use_evp = !strcmp(arg,"evp");
1754 evaluate_evp_for_aes(use_evp);
1755
1756 plain = tor_malloc(4095);
1757 encrypted1 = tor_malloc(4095 + 1 + 16);
1758 encrypted2 = tor_malloc(4095 + 1 + 16);
1759 decrypted1 = tor_malloc(4095 + 1);
1760 decrypted2 = tor_malloc(4095 + 1);
1761
1762 crypto_rand(plain, 4095);
1763 crypto_rand(key1, 16);
1764 crypto_rand(key2, 16);
1765 crypto_rand(plain_1, 1);
1766 crypto_rand(plain_15, 15);
1767 crypto_rand(plain_16, 16);
1768 crypto_rand(plain_17, 17);
1769 key1[0] = key2[0] + 128; /* Make sure that contents are different. */
1770 /* Encrypt and decrypt with the same key. */
1771 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095,
1772 plain, 4095);
1773
1774 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1775 tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is
1776 * greater than 0, but its truth is not
1777 * obvious to all analysis tools. */
1778 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1779 encrypted1, encrypted_size);
1780
1781 tt_int_op(decrypted_size,OP_EQ, 4095);
1782 tt_assert(decrypted_size > 0);
1783 tt_mem_op(plain,OP_EQ, decrypted1, 4095);
1784 /* Encrypt a second time (with a new random initialization vector). */
1785 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095,
1786 plain, 4095);
1787
1788 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1789 tt_assert(encrypted_size > 0);
1790 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095,
1791 encrypted2, encrypted_size);
1792 tt_int_op(decrypted_size,OP_EQ, 4095);
1793 tt_assert(decrypted_size > 0);
1794 tt_mem_op(plain,OP_EQ, decrypted2, 4095);
1795 tt_mem_op(encrypted1,OP_NE, encrypted2, encrypted_size);
1796 /* Decrypt with the wrong key. */
1797 decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095,
1798 encrypted1, encrypted_size);
1799 tt_int_op(decrypted_size,OP_EQ, 4095);
1800 tt_mem_op(plain,OP_NE, decrypted2, decrypted_size);
1801 /* Alter the initialization vector. */
1802 encrypted1[0] += 42;
1803 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1804 encrypted1, encrypted_size);
1805 tt_int_op(decrypted_size,OP_EQ, 4095);
1806 tt_mem_op(plain,OP_NE, decrypted2, 4095);
1807 /* Special length case: 1. */
1808 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1,
1809 plain_1, 1);
1810 tt_int_op(encrypted_size,OP_EQ, 16 + 1);
1811 tt_assert(encrypted_size > 0);
1812 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1,
1813 encrypted1, encrypted_size);
1814 tt_int_op(decrypted_size,OP_EQ, 1);
1815 tt_assert(decrypted_size > 0);
1816 tt_mem_op(plain_1,OP_EQ, decrypted1, 1);
1817 /* Special length case: 15. */
1818 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15,
1819 plain_15, 15);
1820 tt_int_op(encrypted_size,OP_EQ, 16 + 15);
1821 tt_assert(encrypted_size > 0);
1822 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15,
1823 encrypted1, encrypted_size);
1824 tt_int_op(decrypted_size,OP_EQ, 15);
1825 tt_assert(decrypted_size > 0);
1826 tt_mem_op(plain_15,OP_EQ, decrypted1, 15);
1827 /* Special length case: 16. */
1828 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16,
1829 plain_16, 16);
1830 tt_int_op(encrypted_size,OP_EQ, 16 + 16);
1831 tt_assert(encrypted_size > 0);
1832 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16,
1833 encrypted1, encrypted_size);
1834 tt_int_op(decrypted_size,OP_EQ, 16);
1835 tt_assert(decrypted_size > 0);
1836 tt_mem_op(plain_16,OP_EQ, decrypted1, 16);
1837 /* Special length case: 17. */
1838 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17,
1839 plain_17, 17);
1840 tt_int_op(encrypted_size,OP_EQ, 16 + 17);
1841 tt_assert(encrypted_size > 0);
1842 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17,
1843 encrypted1, encrypted_size);
1844 tt_int_op(decrypted_size,OP_EQ, 17);
1845 tt_assert(decrypted_size > 0);
1846 tt_mem_op(plain_17,OP_EQ, decrypted1, 17);
1847
1848 done:
1849 /* Free memory. */
1850 tor_free(plain);
1851 tor_free(encrypted1);
1852 tor_free(encrypted2);
1853 tor_free(decrypted1);
1854 tor_free(decrypted2);
1855 }
1856
1857 /** Test base32 decoding. */
1858 static void
1859 test_crypto_base32_decode(void *arg)
1860 {
1861 char plain[60], encoded[96 + 1], decoded[60];
1862 int res;
1863 (void)arg;
1864 crypto_rand(plain, 60);
1865 /* Encode and decode a random string. */
1866 base32_encode(encoded, 96 + 1, plain, 60);
1867 res = base32_decode(decoded, 60, encoded, 96);
1868 tt_int_op(res,OP_EQ, 0);
1869 tt_mem_op(plain,OP_EQ, decoded, 60);
1870 /* Encode, uppercase, and decode a random string. */
1871 base32_encode(encoded, 96 + 1, plain, 60);
1872 tor_strupper(encoded);
1873 res = base32_decode(decoded, 60, encoded, 96);
1874 tt_int_op(res,OP_EQ, 0);
1875 tt_mem_op(plain,OP_EQ, decoded, 60);
1876 /* Change encoded string and decode. */
1877 if (encoded[0] == 'A' || encoded[0] == 'a')
1878 encoded[0] = 'B';
1879 else
1880 encoded[0] = 'A';
1881 res = base32_decode(decoded, 60, encoded, 96);
1882 tt_int_op(res,OP_EQ, 0);
1883 tt_mem_op(plain,OP_NE, decoded, 60);
1884 /* Bad encodings. */
1885 encoded[0] = '!';
1886 res = base32_decode(decoded, 60, encoded, 96);
1887 tt_int_op(0, OP_GT, res);
1888
1889 done:
1890 ;
1891 }
1892
1893 static void
1894 test_crypto_kdf_TAP(void *arg)
1895 {
1896 uint8_t key_material[100];
1897 int r;
1898 char *mem_op_hex_tmp = NULL;
1899
1900 (void)arg;
1901 #define EXPAND(s) \
1902 r = crypto_expand_key_material_TAP( \
1903 (const uint8_t*)(s), strlen(s), \
1904 key_material, 100)
1905
1906 /* Test vectors generated with a little python script; feel free to write
1907 * your own. */
1908 memset(key_material, 0, sizeof(key_material));
1909 EXPAND("");
1910 tt_int_op(r, OP_EQ, 0);
1911 test_memeq_hex(key_material,
1912 "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
1913 "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
1914 "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
1915 "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
1916
1917 EXPAND("Tor");
1918 tt_int_op(r, OP_EQ, 0);
1919 test_memeq_hex(key_material,
1920 "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
1921 "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
1922 "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
1923 "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
1924
1925 EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
1926 tt_int_op(r, OP_EQ, 0);
1927 test_memeq_hex(key_material,
1928 "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
1929 "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
1930 "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
1931 "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
1932
1933 done:
1934 tor_free(mem_op_hex_tmp);
1935
1936 #undef EXPAND
1937 }
1938
1939 static void
1940 test_crypto_hkdf_sha256(void *arg)
1941 {
1942 uint8_t key_material[100];
1943 const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract";
1944 const size_t salt_len = strlen((char*)salt);
1945 const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand";
1946 const size_t m_expand_len = strlen((char*)m_expand);
1947 int r;
1948 char *mem_op_hex_tmp = NULL;
1949
1950 (void)arg;
1951
1952 #define EXPAND(s) \
1953 r = crypto_expand_key_material_rfc5869_sha256( \
1954 (const uint8_t*)(s), strlen(s), \
1955 salt, salt_len, \
1956 m_expand, m_expand_len, \
1957 key_material, 100)
1958
1959 /* Test vectors generated with ntor_ref.py */
1960 EXPAND("Tor");
1961 tt_int_op(r, OP_EQ, 0);
1962 test_memeq_hex(key_material,
1963 "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
1964 "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
1965 "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
1966 "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
1967
1968 EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
1969 tt_int_op(r, OP_EQ, 0);
1970 test_memeq_hex(key_material,
1971 "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
1972 "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
1973 "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
1974 "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
1975 done:
1976 tor_free(mem_op_hex_tmp);
1977 #undef EXPAND
1978 }
1979
1980 static void
1981 test_crypto_hkdf_sha256_testvecs(void *arg)
1982 {
1983 (void) arg;
1984 /* Test vectors from RFC5869, sections A.1 through A.3 */
1985 const struct {
1986 const char *ikm16, *salt16, *info16;
1987 int L;
1988 const char *okm16;
1989 } vecs[] = {
1990 { /* from A.1 */
1991 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1992 "000102030405060708090a0b0c",
1993 "f0f1f2f3f4f5f6f7f8f9",
1994 42,
1995 "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
1996 "34007208d5b887185865"
1997 },
1998 { /* from A.2 */
1999 "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
2000 "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
2001 "404142434445464748494a4b4c4d4e4f",
2002 "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
2003 "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
2004 "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
2005 "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
2006 "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef"
2007 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2008 82,
2009 "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c"
2010 "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71"
2011 "cc30c58179ec3e87c14c01d5c1f3434f1d87"
2012 },
2013 { /* from A.3 */
2014 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
2015 "",
2016 "",
2017 42,
2018 "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
2019 "9d201395faa4b61a96c8",
2020 },
2021 { NULL, NULL, NULL, -1, NULL }
2022 };
2023
2024 int i;
2025 char *ikm = NULL;
2026 char *salt = NULL;
2027 char *info = NULL;
2028 char *okm = NULL;
2029 char *mem_op_hex_tmp = NULL;
2030
2031 for (i = 0; vecs[i].ikm16; ++i) {
2032 size_t ikm_len = strlen(vecs[i].ikm16)/2;
2033 size_t salt_len = strlen(vecs[i].salt16)/2;
2034 size_t info_len = strlen(vecs[i].info16)/2;
2035 size_t okm_len = vecs[i].L;
2036
2037 ikm = tor_malloc(ikm_len);
2038 salt = tor_malloc(salt_len);
2039 info = tor_malloc(info_len);
2040 okm = tor_malloc(okm_len);
2041
2042 base16_decode(ikm, ikm_len, vecs[i].ikm16, strlen(vecs[i].ikm16));
2043 base16_decode(salt, salt_len, vecs[i].salt16, strlen(vecs[i].salt16));
2044 base16_decode(info, info_len, vecs[i].info16, strlen(vecs[i].info16));
2045
2046 int r = crypto_expand_key_material_rfc5869_sha256(
2047 (const uint8_t*)ikm, ikm_len,
2048 (const uint8_t*)salt, salt_len,
2049 (const uint8_t*)info, info_len,
2050 (uint8_t*)okm, okm_len);
2051 tt_int_op(r, OP_EQ, 0);
2052 test_memeq_hex(okm, vecs[i].okm16);
2053 tor_free(ikm);
2054 tor_free(salt);
2055 tor_free(info);
2056 tor_free(okm);
2057 }
2058 done:
2059 tor_free(ikm);
2060 tor_free(salt);
2061 tor_free(info);
2062 tor_free(okm);
2063 tor_free(mem_op_hex_tmp);
2064 }
2065
2066 static void
2067 test_crypto_curve25519_impl(void *arg)
2068 {
2069 /* adapted from curve25519_donna, which adapted it from test-curve25519
2070 version 20050915, by D. J. Bernstein, Public domain. */
2071
2072 const int randomize_high_bit = (arg != NULL);
2073
2074 #ifdef SLOW_CURVE25519_TEST
2075 const int loop_max=10000;
2076 const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5"
2077 "7e0329f4dd2819f5f32d130f1296b500";
2078 const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9"
2079 "e0544770bc7de853b38f9100489e3e79";
2080 const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88"
2081 "bd13861475516bc2cd2b6e005e805064";
2082 #else /* !(defined(SLOW_CURVE25519_TEST)) */
2083 const int loop_max=200;
2084 const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3"
2085 "c6a1037d74cceb3712e9206871dcf654";
2086 const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
2087 "8e3ee1a63c7d14274ea5d4c67f065467";
2088 const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e"
2089 "c0ee98cb2257a4545c0cfb2ca3e1812b";
2090 #endif /* defined(SLOW_CURVE25519_TEST) */
2091
2092 unsigned char e1k[32];
2093 unsigned char e2k[32];
2094 unsigned char e1e2k[32];
2095 unsigned char e2e1k[32];
2096 unsigned char e1[32] = {3};
2097 unsigned char e2[32] = {5};
2098 unsigned char k[32] = {9};
2099 int loop, i;
2100
2101 char *mem_op_hex_tmp = NULL;
2102
2103 for (loop = 0; loop < loop_max; ++loop) {
2104 curve25519_impl(e1k,e1,k);
2105 curve25519_impl(e2e1k,e2,e1k);
2106 curve25519_impl(e2k,e2,k);
2107 if (randomize_high_bit) {
2108 /* We require that the high bit of the public key be ignored. So if
2109 * we're doing this variant test, we randomize the high bit of e2k, and
2110 * make sure that the handshake still works out the same as it would
2111 * otherwise. */
2112 uint8_t byte;
2113 crypto_rand((char*)&byte, 1);
2114 e2k[31] |= (byte & 0x80);
2115 }
2116 curve25519_impl(e1e2k,e1,e2k);
2117 tt_mem_op(e1e2k,OP_EQ, e2e1k, 32);
2118 if (loop == loop_max-1) {
2119 break;
2120 }
2121 for (i = 0;i < 32;++i) e1[i] ^= e2k[i];
2122 for (i = 0;i < 32;++i) e2[i] ^= e1k[i];
2123 for (i = 0;i < 32;++i) k[i] ^= e1e2k[i];
2124 }
2125
2126 test_memeq_hex(e1, e1_expected);
2127 test_memeq_hex(e2k, e2k_expected);
2128 test_memeq_hex(e1e2k, e1e2k_expected);
2129
2130 done:
2131 tor_free(mem_op_hex_tmp);
2132 }
2133
2134 static void
2135 test_crypto_curve25519_basepoint(void *arg)
2136 {
2137 uint8_t secret[32];
2138 uint8_t public1[32];
2139 uint8_t public2[32];
2140 const int iters = 2048;
2141 int i;
2142 (void) arg;
2143
2144 for (i = 0; i < iters; ++i) {
2145 crypto_rand((char*)secret, 32);
2146 curve25519_set_impl_params(1); /* Use optimization */
2147 curve25519_basepoint_impl(public1, secret);
2148 curve25519_set_impl_params(0); /* Disable optimization */
2149 curve25519_basepoint_impl(public2, secret);
2150 tt_mem_op(public1, OP_EQ, public2, 32);
2151 }
2152
2153 done:
2154 ;
2155 }
2156
2157 static void
2158 test_crypto_curve25519_testvec(void *arg)
2159 {
2160 (void)arg;
2161 char *mem_op_hex_tmp = NULL;
2162
2163 /* From RFC 7748, section 6.1 */
2164 /* Alice's private key, a: */
2165 const char a16[] =
2166 "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
2167 /* Alice's public key, X25519(a, 9): */
2168 const char a_pub16[] =
2169 "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
2170 /* Bob's private key, b: */
2171 const char b16[] =
2172 "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
2173 /* Bob's public key, X25519(b, 9): */
2174 const char b_pub16[] =
2175 "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
2176 /* Their shared secret, K: */
2177 const char k16[] =
2178 "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
2179
2180 uint8_t a[32], b[32], a_pub[32], b_pub[32], k1[32], k2[32];
2181 base16_decode((char*)a, sizeof(a), a16, strlen(a16));
2182 base16_decode((char*)b, sizeof(b), b16, strlen(b16));
2183 curve25519_basepoint_impl(a_pub, a);
2184 curve25519_basepoint_impl(b_pub, b);
2185 curve25519_impl(k1, a, b_pub);
2186 curve25519_impl(k2, b, a_pub);
2187
2188 test_memeq_hex(a, a16);
2189 test_memeq_hex(b, b16);
2190 test_memeq_hex(a_pub, a_pub16);
2191 test_memeq_hex(b_pub, b_pub16);
2192 test_memeq_hex(k1, k16);
2193 test_memeq_hex(k2, k16);
2194 done:
2195 tor_free(mem_op_hex_tmp);
2196 }
2197
2198 static void
2199 test_crypto_curve25519_wrappers(void *arg)
2200 {
2201 curve25519_public_key_t pubkey1, pubkey2;
2202 curve25519_secret_key_t seckey1, seckey2;
2203
2204 uint8_t output1[CURVE25519_OUTPUT_LEN];
2205 uint8_t output2[CURVE25519_OUTPUT_LEN];
2206 (void)arg;
2207
2208 /* Test a simple handshake, serializing and deserializing some stuff. */
2209 curve25519_secret_key_generate(&seckey1, 0);
2210 curve25519_secret_key_generate(&seckey2, 1);
2211 curve25519_public_key_generate(&pubkey1, &seckey1);
2212 curve25519_public_key_generate(&pubkey2, &seckey2);
2213 tt_assert(curve25519_public_key_is_ok(&pubkey1));
2214 tt_assert(curve25519_public_key_is_ok(&pubkey2));
2215 curve25519_handshake(output1, &seckey1, &pubkey2);
2216 curve25519_handshake(output2, &seckey2, &pubkey1);
2217 tt_mem_op(output1,OP_EQ, output2, sizeof(output1));
2218
2219 done:
2220 ;
2221 }
2222
2223 static void
2224 test_crypto_curve25519_encode(void *arg)
2225 {
2226 curve25519_secret_key_t seckey;
2227 curve25519_public_key_t key1, key2, key3;
2228 char buf[64];
2229
2230 (void)arg;
2231
2232 curve25519_secret_key_generate(&seckey, 0);
2233 curve25519_public_key_generate(&key1, &seckey);
2234 tt_int_op(0, OP_EQ, curve25519_public_to_base64(buf, &key1));
2235 tt_int_op(CURVE25519_BASE64_PADDED_LEN, OP_EQ, strlen(buf));
2236
2237 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key2, buf));
2238 tt_mem_op(key1.public_key,OP_EQ, key2.public_key, CURVE25519_PUBKEY_LEN);
2239
2240 buf[CURVE25519_BASE64_PADDED_LEN - 1] = '\0';
2241 tt_int_op(CURVE25519_BASE64_PADDED_LEN-1, OP_EQ, strlen(buf));
2242 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key3, buf));
2243 tt_mem_op(key1.public_key,OP_EQ, key3.public_key, CURVE25519_PUBKEY_LEN);
2244
2245 /* Now try bogus parses. */
2246 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf));
2247 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2248
2249 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf));
2250 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2251
2252 strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf));
2253 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2254
2255 done:
2256 ;
2257 }
2258
2259 static void
2260 test_crypto_curve25519_persist(void *arg)
2261 {
2262 curve25519_keypair_t keypair, keypair2;
2263 char *fname = tor_strdup(get_fname("curve25519_keypair"));
2264 char *tag = NULL;
2265 char *content = NULL;
2266 const char *cp;
2267 struct stat st;
2268 size_t taglen;
2269
2270 (void)arg;
2271
2272 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&keypair, 0));
2273
2274 tt_int_op(0,OP_EQ,
2275 curve25519_keypair_write_to_file(&keypair, fname, "testing"));
2276 tt_int_op(0,OP_EQ,curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2277 tt_str_op(tag,OP_EQ,"testing");
2278 tor_free(tag);
2279
2280 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2281 keypair2.pubkey.public_key,
2282 CURVE25519_PUBKEY_LEN);
2283 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2284 keypair2.seckey.secret_key,
2285 CURVE25519_SECKEY_LEN);
2286
2287 content = read_file_to_str(fname, RFTS_BIN, &st);
2288 tt_assert(content);
2289 taglen = strlen("== c25519v1: testing ==");
2290 tt_u64_op((uint64_t)st.st_size, OP_EQ,
2291 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN);
2292 tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen));
2293 tt_assert(tor_mem_is_zero(content+taglen, 32-taglen));
2294 cp = content + 32;
2295 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2296 cp,
2297 CURVE25519_SECKEY_LEN);
2298 cp += CURVE25519_SECKEY_LEN;
2299 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2300 cp,
2301 CURVE25519_SECKEY_LEN);
2302
2303 tor_free(fname);
2304 fname = tor_strdup(get_fname("bogus_keypair"));
2305
2306 tt_int_op(-1, OP_EQ,
2307 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2308 tor_free(tag);
2309
2310 content[69] ^= 0xff;
2311 tt_int_op(0, OP_EQ,
2312 write_bytes_to_file(fname, content, (size_t)st.st_size, 1));
2313 tt_int_op(-1, OP_EQ,
2314 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2315
2316 done:
2317 tor_free(fname);
2318 tor_free(content);
2319 tor_free(tag);
2320 }
2321
2322 static void
2323 test_crypto_ed25519_simple(void *arg)
2324 {
2325 ed25519_keypair_t kp1, kp2;
2326 ed25519_public_key_t pub1, pub2;
2327 ed25519_secret_key_t sec1, sec2;
2328 ed25519_signature_t sig1, sig2;
2329 const uint8_t msg[] =
2330 "GNU will be able to run Unix programs, "
2331 "but will not be identical to Unix.";
2332 const uint8_t msg2[] =
2333 "Microsoft Windows extends the features of the DOS operating system, "
2334 "yet is compatible with most existing applications that run under DOS.";
2335 size_t msg_len = strlen((const char*)msg);
2336 size_t msg2_len = strlen((const char*)msg2);
2337
2338 (void)arg;
2339
2340 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec1, 0));
2341 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec2, 1));
2342
2343 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub1, &sec1));
2344 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec1));
2345
2346 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
2347 tt_int_op(ed25519_validate_pubkey(&pub2), OP_EQ, 0);
2348
2349 tt_mem_op(pub1.pubkey, OP_EQ, pub2.pubkey, sizeof(pub1.pubkey));
2350 tt_assert(ed25519_pubkey_eq(&pub1, &pub2));
2351 tt_assert(ed25519_pubkey_eq(&pub1, &pub1));
2352
2353 memcpy(&kp1.pubkey, &pub1, sizeof(pub1));
2354 memcpy(&kp1.seckey, &sec1, sizeof(sec1));
2355 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp1));
2356 tt_int_op(0, OP_EQ, ed25519_sign(&sig2, msg, msg_len, &kp1));
2357
2358 /* Ed25519 signatures are deterministic */
2359 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, sizeof(sig1.sig));
2360
2361 /* Basic signature is valid. */
2362 tt_int_op(0, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2363
2364 /* Altered signature doesn't work. */
2365 sig1.sig[0] ^= 3;
2366 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2367
2368 /* Wrong public key doesn't work. */
2369 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec2));
2370 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub2));
2371 tt_assert(! ed25519_pubkey_eq(&pub1, &pub2));
2372
2373 /* Wrong message doesn't work. */
2374 tt_int_op(0, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub1));
2375 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len-1, &pub1));
2376 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg2, msg2_len, &pub1));
2377
2378 /* Batch signature checking works with some bad. */
2379 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp2, 0));
2380 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp2));
2381 {
2382 ed25519_checkable_t ch[] = {
2383 { &pub1, sig2, msg, msg_len }, /*ok*/
2384 { &pub1, sig2, msg, msg_len-1 }, /*bad*/
2385 { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/
2386 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2387 };
2388 int okay[4];
2389 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(okay, ch, 4));
2390 tt_int_op(okay[0], OP_EQ, 1);
2391 tt_int_op(okay[1], OP_EQ, 0);
2392 tt_int_op(okay[2], OP_EQ, 0);
2393 tt_int_op(okay[3], OP_EQ, 1);
2394 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(NULL, ch, 4));
2395 }
2396
2397 /* Batch signature checking works with all good. */
2398 {
2399 ed25519_checkable_t ch[] = {
2400 { &pub1, sig2, msg, msg_len }, /*ok*/
2401 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2402 };
2403 int okay[2];
2404 tt_int_op(0, OP_EQ, ed25519_checksig_batch(okay, ch, 2));
2405 tt_int_op(okay[0], OP_EQ, 1);
2406 tt_int_op(okay[1], OP_EQ, 1);
2407 tt_int_op(0, OP_EQ, ed25519_checksig_batch(NULL, ch, 2));
2408 }
2409
2410 /* Test the string-prefixed sign/checksig functions */
2411 {
2412 ed25519_signature_t manual_sig;
2413 char *prefixed_msg;
2414
2415 /* Generate a signature with a prefixed msg. */
2416 tt_int_op(0, OP_EQ, ed25519_sign_prefixed(&sig1, msg, msg_len,
2417 "always in the mood",
2418 &kp1));
2419
2420 /* First, check that ed25519_sign_prefixed() returns the exact same sig as
2421 if we had manually prefixed the msg ourselves. */
2422 tor_asprintf(&prefixed_msg, "%s%s", "always in the mood", msg);
2423 tt_int_op(0, OP_EQ, ed25519_sign(&manual_sig, (uint8_t *)prefixed_msg,
2424 strlen(prefixed_msg), &kp1));
2425 tor_free(prefixed_msg);
2426 tt_assert(fast_memeq(sig1.sig, manual_sig.sig, sizeof(sig1.sig)));
2427
2428 /* Test that prefixed checksig verifies it properly. */
2429 tt_int_op(0, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2430 "always in the mood",
2431 &pub1));
2432
2433 /* Test that checksig with wrong prefix fails. */
2434 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2435 "always in the moo",
2436 &pub1));
2437 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2438 "always in the moon",
2439 &pub1));
2440 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2441 "always in the mood!",
2442 &pub1));
2443 }
2444
2445 done:
2446 ;
2447 }
2448
2449 static void
2450 test_crypto_ed25519_test_vectors(void *arg)
2451 {
2452 char *mem_op_hex_tmp=NULL;
2453 int i;
2454 struct {
2455 const char *sk;
2456 const char *pk;
2457 const char *sig;
2458 const char *msg;
2459 } items[] = {
2460 /* These test vectors were generated with the "ref" implementation of
2461 * ed25519 from SUPERCOP-20130419 */
2462 { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
2463 "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
2464 "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
2465 "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
2466 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2467 "204e554c2d7465726d696e617465642e"
2468 },
2469
2470 { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
2471 "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
2472 "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
2473 "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
2474 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2475 "204e554c2d7465726d696e617465642e"
2476 },
2477 { "6578706f73656420627920456e676c697368207465787420617320696e707574",
2478 "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
2479 "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
2480 "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
2481 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2482 "204e554c2d7465726d696e617465642e"
2483 },
2484
2485 /* These come from "sign.input" in ed25519's page */
2486 { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
2487 "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
2488 "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
2489 "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
2490 "5a8d9d0a22357e6655f9c785"
2491 },
2492 { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
2493 "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
2494 "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
2495 "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
2496 "b87d3813e03f58cf19fd0b6395"
2497 },
2498 { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
2499 "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
2500 "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
2501 "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
2502 "55c7fa434f5ed8cdec2b7aeac173",
2503 },
2504 { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
2505 "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
2506 "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
2507 "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
2508 "0a688e79be24f866286d4646b5d81c"
2509 },
2510 /* These come from draft-irtf-cfrg-eddsa-05 section 7.1 */
2511 {
2512 "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
2513 "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
2514 "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
2515 "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b",
2516 ""
2517 },
2518 {
2519 "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
2520 "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
2521 "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
2522 "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00",
2523 "72"
2524 },
2525 {
2526 "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
2527 "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
2528 "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350"
2529 "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
2530 "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98"
2531 "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8"
2532 "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d"
2533 "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc"
2534 "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe"
2535 "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e"
2536 "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef"
2537 "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7"
2538 "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
2539 "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2"
2540 "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24"
2541 "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270"
2542 "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc"
2543 "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07"
2544 "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba"
2545 "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a"
2546 "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e"
2547 "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
2548 "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c"
2549 "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8"
2550 "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df"
2551 "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08"
2552 "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649"
2553 "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4"
2554 "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3"
2555 "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e"
2556 "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
2557 "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5"
2558 "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1"
2559 "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d"
2560 "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c"
2561 "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0"
2562 },
2563 {
2564 "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
2565 "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
2566 "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
2567 "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704",
2568 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
2569 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
2570 },
2571 { NULL, NULL, NULL, NULL}
2572 };
2573
2574 (void)arg;
2575
2576 for (i = 0; items[i].pk; ++i) {
2577 ed25519_keypair_t kp;
2578 ed25519_signature_t sig;
2579 uint8_t sk_seed[32];
2580 uint8_t *msg;
2581 size_t msg_len;
2582 base16_decode((char*)sk_seed, sizeof(sk_seed),
2583 items[i].sk, 64);
2584 ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
2585 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
2586 test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
2587
2588 msg_len = strlen(items[i].msg) / 2;
2589 msg = tor_malloc(msg_len);
2590 base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg));
2591
2592 tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, msg_len, &kp));
2593 test_memeq_hex(sig.sig, items[i].sig);
2594
2595 tor_free(msg);
2596 }
2597
2598 done:
2599 tor_free(mem_op_hex_tmp);
2600 }
2601
2602 static void
2603 test_crypto_ed25519_encode(void *arg)
2604 {
2605 char buf[ED25519_SIG_BASE64_LEN+1];
2606 ed25519_keypair_t kp;
2607 ed25519_public_key_t pk;
2608 ed25519_signature_t sig1, sig2;
2609 char *mem_op_hex_tmp = NULL;
2610 (void) arg;
2611
2612 /* Test roundtrip. */
2613 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, 0));
2614 tt_int_op(0, OP_EQ, ed25519_public_to_base64(buf, &kp.pubkey));
2615 tt_int_op(ED25519_BASE64_LEN, OP_EQ, strlen(buf));
2616 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk, buf));
2617 tt_mem_op(kp.pubkey.pubkey, OP_EQ, pk.pubkey, ED25519_PUBKEY_LEN);
2618
2619 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, (const uint8_t*)"ABC", 3, &kp));
2620 tt_int_op(0, OP_EQ, ed25519_signature_to_base64(buf, &sig1));
2621 tt_int_op(0, OP_EQ, ed25519_signature_from_base64(&sig2, buf));
2622 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, ED25519_SIG_LEN);
2623
2624 /* Test known value. */
2625 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk,
2626 "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
2627 test_memeq_hex(pk.pubkey,
2628 "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
2629
2630 done:
2631 tor_free(mem_op_hex_tmp);
2632 }
2633
2634 static void
2635 test_crypto_ed25519_convert(void *arg)
2636 {
2637 const uint8_t msg[] =
2638 "The eyes are not here / There are no eyes here.";
2639 const int N = 30;
2640 int i;
2641 (void)arg;
2642
2643 for (i = 0; i < N; ++i) {
2644 curve25519_keypair_t curve25519_keypair;
2645 ed25519_keypair_t ed25519_keypair;
2646 ed25519_public_key_t ed25519_pubkey;
2647
2648 int bit=0;
2649 ed25519_signature_t sig;
2650
2651 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&curve25519_keypair, i&1));
2652 tt_int_op(0,OP_EQ,ed25519_keypair_from_curve25519_keypair(
2653 &ed25519_keypair, &bit, &curve25519_keypair));
2654 tt_int_op(0,OP_EQ,ed25519_public_key_from_curve25519_public_key(
2655 &ed25519_pubkey, &curve25519_keypair.pubkey, bit));
2656 tt_mem_op(ed25519_pubkey.pubkey, OP_EQ, ed25519_keypair.pubkey.pubkey, 32);
2657
2658 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair));
2659 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2660 &ed25519_pubkey));
2661
2662 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2663 &ed25519_pubkey));
2664 sig.sig[0] ^= 15;
2665 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2666 &ed25519_pubkey));
2667 }
2668
2669 done:
2670 ;
2671 }
2672
2673 static void
2674 test_crypto_ed25519_blinding(void *arg)
2675 {
2676 const uint8_t msg[] =
2677 "Eyes I dare not meet in dreams / In death's dream kingdom";
2678
2679 const int N = 30;
2680 int i;
2681 (void)arg;
2682
2683 for (i = 0; i < N; ++i) {
2684 uint8_t blinding[32];
2685 ed25519_keypair_t ed25519_keypair;
2686 ed25519_keypair_t ed25519_keypair_blinded;
2687 ed25519_public_key_t ed25519_pubkey_blinded;
2688
2689 ed25519_signature_t sig;
2690
2691 crypto_rand((char*) blinding, sizeof(blinding));
2692
2693 tt_int_op(0,OP_EQ,ed25519_keypair_generate(&ed25519_keypair, 0));
2694 tt_int_op(0,OP_EQ,ed25519_keypair_blind(&ed25519_keypair_blinded,
2695 &ed25519_keypair, blinding));
2696
2697 tt_int_op(0,OP_EQ,ed25519_public_blind(&ed25519_pubkey_blinded,
2698 &ed25519_keypair.pubkey, blinding));
2699
2700 tt_mem_op(ed25519_pubkey_blinded.pubkey, OP_EQ,
2701 ed25519_keypair_blinded.pubkey.pubkey, 32);
2702
2703 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg),
2704 &ed25519_keypair_blinded));
2705
2706 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2707 &ed25519_pubkey_blinded));
2708
2709 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2710 &ed25519_pubkey_blinded));
2711 sig.sig[0] ^= 15;
2712 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2713 &ed25519_pubkey_blinded));
2714 }
2715
2716 done:
2717 ;
2718 }
2719
2720 /** Test that our blinding functions will fail if we pass them bad pubkeys */
2721 static void
2722 test_crypto_ed25519_blinding_fail(void *arg)
2723 {
2724 int retval;
2725 uint8_t param[32] = {2};
2726 ed25519_public_key_t pub;
2727 ed25519_public_key_t pub_blinded;
2728
2729 (void)arg;
2730
2731 /* This point is not on the curve: the blind routines should fail */
2732 const char badkey[] =
2733 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2734 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2735 badkey, strlen(badkey));
2736 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2737 retval = ed25519_public_blind(&pub_blinded, &pub, param);
2738 tt_int_op(retval, OP_EQ, -1);
2739
2740 /* This point is legit: blind routines should be happy */
2741 const char goodkey[] =
2742 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2743 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2744 goodkey, strlen(goodkey));
2745 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2746 retval = ed25519_public_blind(&pub_blinded, &pub, param);
2747 tt_int_op(retval, OP_EQ, 0);
2748
2749 done:
2750 ;
2751 }
2752
2753 static void
2754 test_crypto_ed25519_testvectors(void *arg)
2755 {
2756 unsigned i;
2757 char *mem_op_hex_tmp = NULL;
2758 (void)arg;
2759
2760 for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) {
2761 uint8_t sk[32];
2762 ed25519_secret_key_t esk;
2763 ed25519_public_key_t pk, blind_pk, pkfromcurve;
2764 ed25519_keypair_t keypair, blind_keypair;
2765 curve25519_keypair_t curvekp;
2766 uint8_t blinding_param[32];
2767 ed25519_signature_t sig;
2768 int sign;
2769
2770 memset(&curvekp, 0xd0, sizeof(curvekp));
2771
2772 #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
2773 #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
2774
2775 tt_int_op(sizeof(sk), OP_EQ, DECODE(sk, ED25519_SECRET_KEYS[i]));
2776 tt_int_op(sizeof(blinding_param), OP_EQ, DECODE(blinding_param,
2777 ED25519_BLINDING_PARAMS[i]));
2778
2779 tt_int_op(0, OP_EQ, ed25519_secret_key_from_seed(&esk, sk));
2780 EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]);
2781
2782 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &esk));
2783 EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]);
2784
2785 memcpy(&curvekp.seckey.secret_key, esk.seckey, 32);
2786 curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey);
2787
2788 tt_int_op(0, OP_EQ,
2789 ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp));
2790 tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
2791 &pkfromcurve, &curvekp.pubkey, sign));
2792 tt_mem_op(keypair.pubkey.pubkey, OP_EQ, pkfromcurve.pubkey, 32);
2793 EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]);
2794
2795 /* Self-signing */
2796 memcpy(&keypair.seckey, &esk, sizeof(esk));
2797 memcpy(&keypair.pubkey, &pk, sizeof(pk));
2798
2799 tt_int_op(0, OP_EQ, ed25519_sign(&sig, pk.pubkey, 32, &keypair));
2800
2801 EQ(sig.sig, ED25519_SELF_SIGNATURES[i]);
2802
2803 /* Blinding */
2804 tt_int_op(0, OP_EQ,
2805 ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param));
2806 tt_int_op(0, OP_EQ,
2807 ed25519_public_blind(&blind_pk, &pk, blinding_param));
2808
2809 EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]);
2810 EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]);
2811
2812 tt_mem_op(blind_pk.pubkey, OP_EQ, blind_keypair.pubkey.pubkey, 32);
2813
2814 #undef DECODE
2815 #undef EQ
2816 }
2817 done:
2818 tor_free(mem_op_hex_tmp);
2819 }
2820
2821 static void
2822 test_crypto_ed25519_storage(void *arg)
2823 {
2824 (void)arg;
2825 ed25519_keypair_t *keypair = NULL;
2826 ed25519_public_key_t pub;
2827 ed25519_secret_key_t sec;
2828 char *fname_1 = tor_strdup(get_fname("ed_seckey_1"));
2829 char *fname_2 = tor_strdup(get_fname("ed_pubkey_2"));
2830 char *contents = NULL;
2831 char *tag = NULL;
2832
2833 keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
2834 tt_int_op(0,OP_EQ,ed25519_keypair_generate(keypair, 0));
2835 tt_int_op(0,OP_EQ,
2836 ed25519_seckey_write_to_file(&keypair->seckey, fname_1, "foo"));
2837 tt_int_op(0,OP_EQ,
2838 ed25519_pubkey_write_to_file(&keypair->pubkey, fname_2, "bar"));
2839
2840 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_1));
2841 tt_ptr_op(tag, OP_EQ, NULL);
2842 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_2));
2843 tt_ptr_op(tag, OP_EQ, NULL);
2844
2845 tt_int_op(0, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2846 tt_str_op(tag, OP_EQ, "bar");
2847 tor_free(tag);
2848 tt_int_op(0, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2849 tt_str_op(tag, OP_EQ, "foo");
2850 tor_free(tag);
2851
2852 /* whitebox test: truncated keys. */
2853 tt_int_op(0, OP_EQ, do_truncate(fname_1, 40));
2854 tt_int_op(0, OP_EQ, do_truncate(fname_2, 40));
2855 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2856 tt_ptr_op(tag, OP_EQ, NULL);
2857 tor_free(tag);
2858 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2859 tt_ptr_op(tag, OP_EQ, NULL);
2860
2861 done:
2862 tor_free(fname_1);
2863 tor_free(fname_2);
2864 tor_free(contents);
2865 tor_free(tag);
2866 ed25519_keypair_free(keypair);
2867 }
2868
2869 static void
2870 test_crypto_siphash(void *arg)
2871 {
2872 /* From the reference implementation, taking
2873 k = 00 01 02 ... 0f
2874 and in = 00; 00 01; 00 01 02; ...
2875 */
2876 const uint8_t VECTORS[64][8] =
2877 {
2878 { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
2879 { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
2880 { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
2881 { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
2882 { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
2883 { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
2884 { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
2885 { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
2886 { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
2887 { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
2888 { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
2889 { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
2890 { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
2891 { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
2892 { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
2893 { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
2894 { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
2895 { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
2896 { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
2897 { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
2898 { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
2899 { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
2900 { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
2901 { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
2902 { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
2903 { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
2904 { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
2905 { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
2906 { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
2907 { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
2908 { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
2909 { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
2910 { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
2911 { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
2912 { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
2913 { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
2914 { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
2915 { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
2916 { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
2917 { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
2918 { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
2919 { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
2920 { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
2921 { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
2922 { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
2923 { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
2924 { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
2925 { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
2926 { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
2927 { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
2928 { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
2929 { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
2930 { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
2931 { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
2932 { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
2933 { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
2934 { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
2935 { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
2936 { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
2937 { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
2938 { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
2939 { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
2940 { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
2941 { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
2942 };
2943
2944 const struct sipkey K = { UINT64_C(0x0706050403020100),
2945 UINT64_C(0x0f0e0d0c0b0a0908) };
2946 uint8_t input[64];
2947 int i, j;
2948
2949 (void)arg;
2950
2951 for (i = 0; i < 64; ++i)
2952 input[i] = i;
2953
2954 for (i = 0; i < 64; ++i) {
2955 uint64_t r = siphash24(input, i, &K);
2956 for (j = 0; j < 8; ++j) {
2957 tt_int_op( (r >> (j*8)) & 0xff, OP_EQ, VECTORS[i][j]);
2958 }
2959 }
2960
2961 done:
2962 ;
2963 }
2964
2965 /* We want the likelihood that the random buffer exhibits any regular pattern
2966 * to be far less than the memory bit error rate in the int return value.
2967 * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call
2968 * 3 functions, leading to an overall error rate of 1/10^616.
2969 * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range.
2970 */
2971 #define FAILURE_MODE_BUFFER_SIZE (2048/8)
2972
2973 /** Check crypto_rand for a failure mode where it does nothing to the buffer,
2974 * or it sets the buffer to all zeroes. Return 0 when the check passes,
2975 * or -1 when it fails. */
2976 static int
2977 crypto_rand_check_failure_mode_zero(void)
2978 {
2979 char buf[FAILURE_MODE_BUFFER_SIZE];
2980
2981 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
2982 crypto_rand(buf, FAILURE_MODE_BUFFER_SIZE);
2983
2984 for (size_t i = 0; i < FAILURE_MODE_BUFFER_SIZE; i++) {
2985 if (buf[i] != 0) {
2986 return 0;
2987 }
2988 }
2989
2990 return -1;
2991 }
2992
2993 /** Check crypto_rand for a failure mode where every int64_t in the buffer is
2994 * the same. Return 0 when the check passes, or -1 when it fails. */
2995 static int
2996 crypto_rand_check_failure_mode_identical(void)
2997 {
2998 /* just in case the buffer size isn't a multiple of sizeof(int64_t) */
2999 #define FAILURE_MODE_BUFFER_SIZE_I64 \
3000 (FAILURE_MODE_BUFFER_SIZE/8)
3001 #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \
3002 (FAILURE_MODE_BUFFER_SIZE_I64*8)
3003
3004 #if FAILURE_MODE_BUFFER_SIZE_I64 < 2
3005 #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*8
3006 #endif
3007
3008 int64_t buf[FAILURE_MODE_BUFFER_SIZE_I64];
3009
3010 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
3011 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
3012
3013 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE_I64; i++) {
3014 if (buf[i] != buf[i-1]) {
3015 return 0;
3016 }
3017 }
3018
3019 return -1;
3020 }
3021
3022 /** Check crypto_rand for a failure mode where it increments the "random"
3023 * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.)
3024 * Return 0 when the check passes, or -1 when it fails. */
3025 static int
3026 crypto_rand_check_failure_mode_predict(void)
3027 {
3028 unsigned char buf[FAILURE_MODE_BUFFER_SIZE];
3029
3030 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
3031 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE);
3032
3033 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE; i++) {
3034 /* check if the last byte was incremented by 1, including integer
3035 * wrapping */
3036 if (buf[i] - buf[i-1] != 1 && buf[i-1] - buf[i] != 255) {
3037 return 0;
3038 }
3039 }
3040
3041 return -1;
3042 }
3043
3044 #undef FAILURE_MODE_BUFFER_SIZE
3045
3046 /** Test that our ed25519 validation function rejects evil public keys and
3047 * accepts good ones. */
3048 static void
3049 test_crypto_ed25519_validation(void *arg)
3050 {
3051 (void) arg;
3052
3053 int retval;
3054 ed25519_public_key_t pub1;
3055
3056 /* See https://lists.torproject.org/pipermail/tor-dev/2017-April/012230.html
3057 for a list of points with torsion components in ed25519. */
3058
3059 { /* Point with torsion component (order 8l) */
3060 const char badkey[] =
3061 "300ef2e64e588e1df55b48e4da0416ffb64cc85d5b00af6463d5cc6c2b1c185e";
3062 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
3063 badkey, strlen(badkey));
3064 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
3065 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
3066 }
3067
3068 { /* Point with torsion component (order 4l) */
3069 const char badkey[] =
3070 "f43e3a046db8749164c6e69b193f1e942c7452e7d888736f40b98093d814d5e7";
3071 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
3072 badkey, strlen(badkey));
3073 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
3074 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
3075 }
3076
3077 { /* Point with torsion component (order 2l) */
3078 const char badkey[] =
3079 "c9fff3af0471c28e33e98c2043e44f779d0427b1e37c521a6bddc011ed1869af";
3080 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
3081 badkey, strlen(badkey));
3082 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
3083 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
3084 }
3085
3086 { /* This point is not even on the curve */
3087 const char badkey[] =
3088 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
3089 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
3090 badkey, strlen(badkey));
3091 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
3092 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
3093 }
3094
3095 { /* This one is a good key */
3096 const char goodkey[] =
3097 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
3098 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
3099 goodkey, strlen(goodkey));
3100 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
3101 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
3102 }
3103
3104 done: ;
3105 }
3106
3107 static void
3108 test_crypto_failure_modes(void *arg)
3109 {
3110 int rv = 0;
3111 (void)arg;
3112
3113 rv = crypto_early_init();
3114 tt_int_op(rv, OP_EQ, 0);
3115
3116 /* Check random works */
3117 rv = crypto_rand_check_failure_mode_zero();
3118 tt_int_op(rv, OP_EQ, 0);
3119
3120 rv = crypto_rand_check_failure_mode_identical();
3121 tt_int_op(rv, OP_EQ, 0);
3122
3123 rv = crypto_rand_check_failure_mode_predict();
3124 tt_int_op(rv, OP_EQ, 0);
3125
3126 done:
3127 ;
3128 }
3129
3130 #define CRYPTO_LEGACY(name) \
3131 { #name, test_crypto_ ## name , 0, NULL, NULL }
3132
3133 #define ED25519_TEST_ONE(name, fl, which) \
3134 { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
3135 &ed25519_test_setup, (void*)which }
3136
3137 #define ED25519_TEST(name, fl) \
3138 ED25519_TEST_ONE(name, (fl), "donna"), \
3139 ED25519_TEST_ONE(name, (fl), "ref10")
3140
3141 struct testcase_t crypto_tests[] = {
3142 CRYPTO_LEGACY(formats),
3143 CRYPTO_LEGACY(rng),
3144 { "rng_range", test_crypto_rng_range, 0, NULL, NULL },
3145 { "rng_strongest", test_crypto_rng_strongest, TT_FORK, NULL, NULL },
3146 { "rng_strongest_nosyscall", test_crypto_rng_strongest, TT_FORK,
3147 &passthrough_setup, (void*)"nosyscall" },
3148 { "rng_strongest_nofallback", test_crypto_rng_strongest, TT_FORK,
3149 &passthrough_setup, (void*)"nofallback" },
3150 { "rng_strongest_broken", test_crypto_rng_strongest, TT_FORK,
3151 &passthrough_setup, (void*)"broken" },
3152 { "openssl_version", test_crypto_openssl_version, TT_FORK, NULL, NULL },
3153 { "aes_AES", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"aes" },
3154 { "aes_EVP", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"evp" },
3155 { "aes128_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3156 &passthrough_setup, (void*)"128" },
3157 { "aes192_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3158 &passthrough_setup, (void*)"192" },
3159 { "aes256_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3160 &passthrough_setup, (void*)"256" },
3161 CRYPTO_LEGACY(sha),
3162 CRYPTO_LEGACY(pk),
3163 { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
3164 { "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL },
3165 { "pk_pem_encrypted", test_crypto_pk_pem_encrypted, TT_FORK, NULL, NULL },
3166 { "pk_invalid_private_key", test_crypto_pk_invalid_private_key, 0,
3167 NULL, NULL },
3168 CRYPTO_LEGACY(digests),
3169 { "digest_names", test_crypto_digest_names, 0, NULL, NULL },
3170 { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL},
3171 { "sha3_xof", test_crypto_sha3_xof, TT_FORK, NULL, NULL},
3172 { "mac_sha3", test_crypto_mac_sha3, TT_FORK, NULL, NULL},
3173 CRYPTO_LEGACY(dh),
3174 { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3175 (void*)"aes" },
3176 { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3177 (void*)"evp" },
3178 CRYPTO_LEGACY(base32_decode),
3179 { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL },
3180 { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
3181 { "hkdf_sha256_testvecs", test_crypto_hkdf_sha256_testvecs, 0, NULL, NULL },
3182 { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
3183 { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"},
3184 { "curve25516_testvec", test_crypto_curve25519_testvec, 0, NULL, NULL },
3185 { "curve25519_basepoint",
3186 test_crypto_curve25519_basepoint, TT_FORK, NULL, NULL },
3187 { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
3188 { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
3189 { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
3190 ED25519_TEST(simple, 0),
3191 ED25519_TEST(test_vectors, 0),
3192 ED25519_TEST(encode, 0),
3193 ED25519_TEST(convert, 0),
3194 ED25519_TEST(blinding, 0),
3195 ED25519_TEST(blinding_fail, 0),
3196 ED25519_TEST(testvectors, 0),
3197 ED25519_TEST(validation, 0),
3198 { "ed25519_storage", test_crypto_ed25519_storage, 0, NULL, NULL },
3199 { "siphash", test_crypto_siphash, 0, NULL, NULL },
3200 { "failure_modes", test_crypto_failure_modes, TT_FORK, NULL, NULL },
3201 END_OF_TESTCASES
3202 };
The Onion Router