search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Edit changelog a little for clarity and conciseness
[tor.git] / src / test / test_crypto.c
blobba2fb8624698a8d1e0001fc5c8d430028af8701a
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2016, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5
6 #include "orconfig.h"
7 #define CRYPTO_CURVE25519_PRIVATE
8 #define CRYPTO_PRIVATE
9 #include "or.h"
10 #include "test.h"
11 #include "aes.h"
12 #include "util.h"
13 #include "siphash.h"
14 #include "crypto_curve25519.h"
15 #include "crypto_ed25519.h"
16 #include "ed25519_vectors.inc"
17
18 #include <openssl/evp.h>
19 #include <openssl/rand.h>
20
21 /** Run unit tests for Diffie-Hellman functionality. */
22 static void
23 test_crypto_dh(void *arg)
24 {
25 crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
26 crypto_dh_t *dh1_dup = NULL;
27 crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
28 char p1[DH_BYTES];
29 char p2[DH_BYTES];
30 char s1[DH_BYTES];
31 char s2[DH_BYTES];
32 ssize_t s1len, s2len;
33
34 (void)arg;
35 tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH_BYTES);
36 tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH_BYTES);
37
38 memset(p1, 0, DH_BYTES);
39 memset(p2, 0, DH_BYTES);
40 tt_mem_op(p1,OP_EQ, p2, DH_BYTES);
41
42 tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */
43
44 tt_assert(! crypto_dh_get_public(dh1, p1, DH_BYTES));
45 tt_mem_op(p1,OP_NE, p2, DH_BYTES);
46 tt_assert(! crypto_dh_get_public(dh2, p2, DH_BYTES));
47 tt_mem_op(p1,OP_NE, p2, DH_BYTES);
48
49 memset(s1, 0, DH_BYTES);
50 memset(s2, 0xFF, DH_BYTES);
51 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH_BYTES, s1, 50);
52 s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH_BYTES, s2, 50);
53 tt_assert(s1len > 0);
54 tt_int_op(s1len,OP_EQ, s2len);
55 tt_mem_op(s1,OP_EQ, s2, s1len);
56
57 /* test dh_dup; make sure it works the same. */
58 dh1_dup = crypto_dh_dup(dh1);
59 s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH_BYTES, s1, 50);
60 tt_mem_op(s1,OP_EQ, s2, s1len);
61
62 {
63 /* Now fabricate some bad values and make sure they get caught. */
64
65 /* 1 and 0 should both fail. */
66 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x01", 1, s1, 50);
67 tt_int_op(-1, OP_EQ, s1len);
68
69 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50);
70 tt_int_op(-1, OP_EQ, s1len);
71
72 memset(p1, 0, DH_BYTES); /* 0 with padding. */
73 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
74 tt_int_op(-1, OP_EQ, s1len);
75
76 p1[DH_BYTES-1] = 1; /* 1 with padding*/
77 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
78 tt_int_op(-1, OP_EQ, s1len);
79
80 /* 2 is okay, though weird. */
81 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
82 tt_int_op(50, OP_EQ, s1len);
83
84 const char P[] =
85 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
86 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
87 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
88 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
89 "49286651ECE65381FFFFFFFFFFFFFFFF";
90
91 /* p-1, p, and so on are not okay. */
92 base16_decode(p1, sizeof(p1), P, strlen(P));
93
94 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
95 tt_int_op(-1, OP_EQ, s1len);
96
97 p1[DH_BYTES-1] = 0xFE; /* p-1 */
98 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
99 tt_int_op(-1, OP_EQ, s1len);
100
101 p1[DH_BYTES-1] = 0xFD; /* p-2 works fine */
102 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
103 tt_int_op(50, OP_EQ, s1len);
104
105 const char P_plus_one[] =
106 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
107 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
108 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
109 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
110 "49286651ECE653820000000000000000";
111
112 base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one));
113
114 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
115 tt_int_op(-1, OP_EQ, s1len);
116
117 p1[DH_BYTES-1] = 0x01; /* p+2 */
118 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
119 tt_int_op(-1, OP_EQ, s1len);
120
121 p1[DH_BYTES-1] = 0xff; /* p+256 */
122 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
123 tt_int_op(-1, OP_EQ, s1len);
124
125 memset(p1, 0xff, DH_BYTES), /* 2^1024-1 */
126 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
127 tt_int_op(-1, OP_EQ, s1len);
128 }
129
130 {
131 /* provoke an error in the openssl DH_compute_key function; make sure we
132 * survive. */
133 tt_assert(! crypto_dh_get_public(dh1, p1, DH_BYTES));
134
135 crypto_dh_free(dh2);
136 dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */
137 s1len = crypto_dh_compute_secret(LOG_WARN, dh2,
138 p1, DH_BYTES,
139 s1, 50);
140 tt_int_op(s1len, OP_EQ, -1);
141 }
142
143 done:
144 crypto_dh_free(dh1);
145 crypto_dh_free(dh2);
146 crypto_dh_free(dh1_dup);
147 }
148
149 static void
150 test_crypto_openssl_version(void *arg)
151 {
152 (void)arg;
153 const char *version = crypto_openssl_get_version_str();
154 const char *h_version = crypto_openssl_get_header_version_str();
155 tt_assert(version);
156 tt_assert(h_version);
157 tt_assert(!strcmpstart(version, h_version)); /* "-fips" suffix, etc */
158 tt_assert(!strstr(version, "OpenSSL"));
159 int a=-1,b=-1,c=-1;
160 if (!strcmpstart(version, "LibreSSL") || !strcmpstart(version, "BoringSSL"))
161 return;
162 int r = tor_sscanf(version, "%d.%d.%d", &a,&b,&c);
163 tt_int_op(r, OP_EQ, 3);
164 tt_int_op(a, OP_GE, 0);
165 tt_int_op(b, OP_GE, 0);
166 tt_int_op(c, OP_GE, 0);
167
168 done:
169 ;
170 }
171
172 /** Run unit tests for our random number generation function and its wrappers.
173 */
174 static void
175 test_crypto_rng(void *arg)
176 {
177 int i, j, allok;
178 char data1[100], data2[100];
179 double d;
180 char *h=NULL;
181
182 /* Try out RNG. */
183 (void)arg;
184 tt_assert(! crypto_seed_rng());
185 crypto_rand(data1, 100);
186 crypto_rand(data2, 100);
187 tt_mem_op(data1,OP_NE, data2,100);
188 allok = 1;
189 for (i = 0; i < 100; ++i) {
190 uint64_t big;
191 char *host;
192 j = crypto_rand_int(100);
193 if (j < 0 || j >= 100)
194 allok = 0;
195 big = crypto_rand_uint64(U64_LITERAL(1)<<40);
196 if (big >= (U64_LITERAL(1)<<40))
197 allok = 0;
198 big = crypto_rand_uint64(U64_LITERAL(5));
199 if (big >= 5)
200 allok = 0;
201 d = crypto_rand_double();
202 tt_assert(d >= 0);
203 tt_assert(d < 1.0);
204 host = crypto_random_hostname(3,8,"www.",".onion");
205 if (strcmpstart(host,"www.") ||
206 strcmpend(host,".onion") ||
207 strlen(host) < 13 ||
208 strlen(host) > 18)
209 allok = 0;
210 tor_free(host);
211 }
212
213 /* Make sure crypto_random_hostname clips its inputs properly. */
214 h = crypto_random_hostname(20000, 9000, "www.", ".onion");
215 tt_assert(! strcmpstart(h,"www."));
216 tt_assert(! strcmpend(h,".onion"));
217 tt_int_op(63+4+6, OP_EQ, strlen(h));
218
219 tt_assert(allok);
220 done:
221 tor_free(h);
222 }
223
224 static void
225 test_crypto_rng_range(void *arg)
226 {
227 int got_smallest = 0, got_largest = 0;
228 int i;
229
230 (void)arg;
231 for (i = 0; i < 1000; ++i) {
232 int x = crypto_rand_int_range(5,9);
233 tt_int_op(x, OP_GE, 5);
234 tt_int_op(x, OP_LT, 9);
235 if (x == 5)
236 got_smallest = 1;
237 if (x == 8)
238 got_largest = 1;
239 }
240 /* These fail with probability 1/10^603. */
241 tt_assert(got_smallest);
242 tt_assert(got_largest);
243
244 got_smallest = got_largest = 0;
245 const uint64_t ten_billion = 10 * ((uint64_t)1000000000000);
246 for (i = 0; i < 1000; ++i) {
247 uint64_t x = crypto_rand_uint64_range(ten_billion, ten_billion+10);
248 tt_u64_op(x, OP_GE, ten_billion);
249 tt_u64_op(x, OP_LT, ten_billion+10);
250 if (x == ten_billion)
251 got_smallest = 1;
252 if (x == ten_billion+9)
253 got_largest = 1;
254 }
255
256 tt_assert(got_smallest);
257 tt_assert(got_largest);
258
259 const time_t now = time(NULL);
260 for (i = 0; i < 2000; ++i) {
261 time_t x = crypto_rand_time_range(now, now+60);
262 tt_i64_op(x, OP_GE, now);
263 tt_i64_op(x, OP_LT, now+60);
264 if (x == now)
265 got_smallest = 1;
266 if (x == now+59)
267 got_largest = 1;
268 }
269
270 tt_assert(got_smallest);
271 tt_assert(got_largest);
272 done:
273 ;
274 }
275
276 static void
277 test_crypto_rng_strongest(void *arg)
278 {
279 const char *how = arg;
280 int broken = 0;
281
282 if (how == NULL) {
283 ;
284 } else if (!strcmp(how, "nosyscall")) {
285 break_strongest_rng_syscall = 1;
286 } else if (!strcmp(how, "nofallback")) {
287 break_strongest_rng_fallback = 1;
288 } else if (!strcmp(how, "broken")) {
289 broken = break_strongest_rng_syscall = break_strongest_rng_fallback = 1;
290 }
291
292 #define N 128
293 uint8_t combine_and[N];
294 uint8_t combine_or[N];
295 int i, j;
296
297 memset(combine_and, 0xff, N);
298 memset(combine_or, 0, N);
299
300 for (i = 0; i < 100; ++i) { /* 2^-100 chances just don't happen. */
301 uint8_t output[N];
302 memset(output, 0, N);
303 if (how == NULL) {
304 /* this one can't fail. */
305 crypto_strongest_rand(output, sizeof(output));
306 } else {
307 int r = crypto_strongest_rand_raw(output, sizeof(output));
308 if (r == -1) {
309 if (broken) {
310 goto done; /* we're fine. */
311 }
312 /* This function is allowed to break, but only if it always breaks. */
313 tt_int_op(i, OP_EQ, 0);
314 tt_skip();
315 } else {
316 tt_assert(! broken);
317 }
318 }
319 for (j = 0; j < N; ++j) {
320 combine_and[j] &= output[j];
321 combine_or[j] |= output[j];
322 }
323 }
324
325 for (j = 0; j < N; ++j) {
326 tt_int_op(combine_and[j], OP_EQ, 0);
327 tt_int_op(combine_or[j], OP_EQ, 0xff);
328 }
329 done:
330 ;
331 #undef N
332 }
333
334 /* Test for rectifying openssl RAND engine. */
335 static void
336 test_crypto_rng_engine(void *arg)
337 {
338 (void)arg;
339 RAND_METHOD dummy_method;
340 memset(&dummy_method, 0, sizeof(dummy_method));
341
342 /* We should be a no-op if we're already on RAND_OpenSSL */
343 tt_int_op(0, ==, crypto_force_rand_ssleay());
344 tt_assert(RAND_get_rand_method() == RAND_OpenSSL());
345
346 /* We should correct the method if it's a dummy. */
347 RAND_set_rand_method(&dummy_method);
348 #ifdef LIBRESSL_VERSION_NUMBER
349 /* On libressl, you can't override the RNG. */
350 tt_assert(RAND_get_rand_method() == RAND_OpenSSL());
351 tt_int_op(0, ==, crypto_force_rand_ssleay());
352 #else
353 tt_assert(RAND_get_rand_method() == &dummy_method);
354 tt_int_op(1, ==, crypto_force_rand_ssleay());
355 #endif
356 tt_assert(RAND_get_rand_method() == RAND_OpenSSL());
357
358 /* Make sure we aren't calling dummy_method */
359 crypto_rand((void *) &dummy_method, sizeof(dummy_method));
360 crypto_rand((void *) &dummy_method, sizeof(dummy_method));
361
362 done:
363 ;
364 }
365
366 /** Run unit tests for our AES functionality */
367 static void
368 test_crypto_aes(void *arg)
369 {
370 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
371 crypto_cipher_t *env1 = NULL, *env2 = NULL;
372 int i, j;
373 char *mem_op_hex_tmp=NULL;
374
375 int use_evp = !strcmp(arg,"evp");
376 evaluate_evp_for_aes(use_evp);
377 evaluate_ctr_for_aes();
378
379 data1 = tor_malloc(1024);
380 data2 = tor_malloc(1024);
381 data3 = tor_malloc(1024);
382
383 /* Now, test encryption and decryption with stream cipher. */
384 data1[0]='\0';
385 for (i = 1023; i>0; i -= 35)
386 strncat(data1, "Now is the time for all good onions", i);
387
388 memset(data2, 0, 1024);
389 memset(data3, 0, 1024);
390 env1 = crypto_cipher_new(NULL);
391 tt_ptr_op(env1, OP_NE, NULL);
392 env2 = crypto_cipher_new(crypto_cipher_get_key(env1));
393 tt_ptr_op(env2, OP_NE, NULL);
394
395 /* Try encrypting 512 chars. */
396 crypto_cipher_encrypt(env1, data2, data1, 512);
397 crypto_cipher_decrypt(env2, data3, data2, 512);
398 tt_mem_op(data1,OP_EQ, data3, 512);
399 tt_mem_op(data1,OP_NE, data2, 512);
400
401 /* Now encrypt 1 at a time, and get 1 at a time. */
402 for (j = 512; j < 560; ++j) {
403 crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
404 }
405 for (j = 512; j < 560; ++j) {
406 crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
407 }
408 tt_mem_op(data1,OP_EQ, data3, 560);
409 /* Now encrypt 3 at a time, and get 5 at a time. */
410 for (j = 560; j < 1024-5; j += 3) {
411 crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
412 }
413 for (j = 560; j < 1024-5; j += 5) {
414 crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
415 }
416 tt_mem_op(data1,OP_EQ, data3, 1024-5);
417 /* Now make sure that when we encrypt with different chunk sizes, we get
418 the same results. */
419 crypto_cipher_free(env2);
420 env2 = NULL;
421
422 memset(data3, 0, 1024);
423 env2 = crypto_cipher_new(crypto_cipher_get_key(env1));
424 tt_ptr_op(env2, OP_NE, NULL);
425 for (j = 0; j < 1024-16; j += 17) {
426 crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
427 }
428 for (j= 0; j < 1024-16; ++j) {
429 if (data2[j] != data3[j]) {
430 printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]);
431 }
432 }
433 tt_mem_op(data2,OP_EQ, data3, 1024-16);
434 crypto_cipher_free(env1);
435 env1 = NULL;
436 crypto_cipher_free(env2);
437 env2 = NULL;
438
439 /* NIST test vector for aes. */
440 /* IV starts at 0 */
441 env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
442 "\x00\x00\x00\x00\x00\x00\x00\x00");
443 crypto_cipher_encrypt(env1, data1,
444 "\x00\x00\x00\x00\x00\x00\x00\x00"
445 "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
446 test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");
447
448 /* Now test rollover. All these values are originally from a python
449 * script. */
450 crypto_cipher_free(env1);
451 env1 = crypto_cipher_new_with_iv(
452 "\x80\x00\x00\x00\x00\x00\x00\x00"
453 "\x00\x00\x00\x00\x00\x00\x00\x00",
454 "\x00\x00\x00\x00\x00\x00\x00\x00"
455 "\xff\xff\xff\xff\xff\xff\xff\xff");
456 memset(data2, 0, 1024);
457 crypto_cipher_encrypt(env1, data1, data2, 32);
458 test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
459 "cdd0b917dbc7186908a6bfb5ffd574d3");
460 crypto_cipher_free(env1);
461 env1 = crypto_cipher_new_with_iv(
462 "\x80\x00\x00\x00\x00\x00\x00\x00"
463 "\x00\x00\x00\x00\x00\x00\x00\x00",
464 "\x00\x00\x00\x00\xff\xff\xff\xff"
465 "\xff\xff\xff\xff\xff\xff\xff\xff");
466 memset(data2, 0, 1024);
467 crypto_cipher_encrypt(env1, data1, data2, 32);
468 test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
469 "3e63c721df790d2c6469cc1953a3ffac");
470 crypto_cipher_free(env1);
471 env1 = crypto_cipher_new_with_iv(
472 "\x80\x00\x00\x00\x00\x00\x00\x00"
473 "\x00\x00\x00\x00\x00\x00\x00\x00",
474 "\xff\xff\xff\xff\xff\xff\xff\xff"
475 "\xff\xff\xff\xff\xff\xff\xff\xff");
476 memset(data2, 0, 1024);
477 crypto_cipher_encrypt(env1, data1, data2, 32);
478 test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
479 "0EDD33D3C621E546455BD8BA1418BEC8");
480
481 /* Now check rollover on inplace cipher. */
482 crypto_cipher_free(env1);
483 env1 = crypto_cipher_new_with_iv(
484 "\x80\x00\x00\x00\x00\x00\x00\x00"
485 "\x00\x00\x00\x00\x00\x00\x00\x00",
486 "\xff\xff\xff\xff\xff\xff\xff\xff"
487 "\xff\xff\xff\xff\xff\xff\xff\xff");
488 crypto_cipher_crypt_inplace(env1, data2, 64);
489 test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
490 "0EDD33D3C621E546455BD8BA1418BEC8"
491 "93e2c5243d6839eac58503919192f7ae"
492 "1908e67cafa08d508816659c2e693191");
493 crypto_cipher_free(env1);
494 env1 = crypto_cipher_new_with_iv(
495 "\x80\x00\x00\x00\x00\x00\x00\x00"
496 "\x00\x00\x00\x00\x00\x00\x00\x00",
497 "\xff\xff\xff\xff\xff\xff\xff\xff"
498 "\xff\xff\xff\xff\xff\xff\xff\xff");
499 crypto_cipher_crypt_inplace(env1, data2, 64);
500 tt_assert(tor_mem_is_zero(data2, 64));
501
502 done:
503 tor_free(mem_op_hex_tmp);
504 if (env1)
505 crypto_cipher_free(env1);
506 if (env2)
507 crypto_cipher_free(env2);
508 tor_free(data1);
509 tor_free(data2);
510 tor_free(data3);
511 }
512
513 static void
514 test_crypto_aes_ctr_testvec(void *arg)
515 {
516 (void)arg;
517 char *mem_op_hex_tmp=NULL;
518
519 /* from NIST SP800-38a, section F.5 */
520 const char key16[] = "2b7e151628aed2a6abf7158809cf4f3c";
521 const char ctr16[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
522 const char plaintext16[] =
523 "6bc1bee22e409f96e93d7e117393172a"
524 "ae2d8a571e03ac9c9eb76fac45af8e51"
525 "30c81c46a35ce411e5fbc1191a0a52ef"
526 "f69f2445df4f9b17ad2b417be66c3710";
527 const char ciphertext16[] =
528 "874d6191b620e3261bef6864990db6ce"
529 "9806f66b7970fdff8617187bb9fffdff"
530 "5ae4df3edbd5d35e5b4f09020db03eab"
531 "1e031dda2fbe03d1792170a0f3009cee";
532
533 char key[16];
534 char iv[16];
535 char plaintext[16*4];
536 base16_decode(key, sizeof(key), key16, strlen(key16));
537 base16_decode(iv, sizeof(iv), ctr16, strlen(ctr16));
538 base16_decode(plaintext, sizeof(plaintext),
539 plaintext16, strlen(plaintext16));
540
541 crypto_cipher_t *c = crypto_cipher_new_with_iv(key, iv);
542 crypto_cipher_crypt_inplace(c, plaintext, sizeof(plaintext));
543 test_memeq_hex(plaintext, ciphertext16);
544
545 done:
546 tor_free(mem_op_hex_tmp);
547 crypto_cipher_free(c);
548 }
549
550 /** Run unit tests for our SHA-1 functionality */
551 static void
552 test_crypto_sha(void *arg)
553 {
554 crypto_digest_t *d1 = NULL, *d2 = NULL;
555 int i;
556 #define RFC_4231_MAX_KEY_SIZE 131
557 char key[RFC_4231_MAX_KEY_SIZE];
558 char digest[DIGEST256_LEN];
559 char data[DIGEST512_LEN];
560 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
561 char *mem_op_hex_tmp=NULL;
562
563 /* Test SHA-1 with a test vector from the specification. */
564 (void)arg;
565 i = crypto_digest(data, "abc", 3);
566 test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
567 tt_int_op(i, OP_EQ, 0);
568
569 /* Test SHA-256 with a test vector from the specification. */
570 i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
571 test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
572 "96177A9CB410FF61F20015AD");
573 tt_int_op(i, OP_EQ, 0);
574
575 /* Test SHA-512 with a test vector from the specification. */
576 i = crypto_digest512(data, "abc", 3, DIGEST_SHA512);
577 test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
578 "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
579 "feebbd454d4423643ce80e2a9ac94fa54ca49f");
580 tt_int_op(i, OP_EQ, 0);
581
582 /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
583
584 /* Case empty (wikipedia) */
585 crypto_hmac_sha256(digest, "", 0, "", 0);
586 tt_str_op(hex_str(digest, 32),OP_EQ,
587 "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
588
589 /* Case quick-brown (wikipedia) */
590 crypto_hmac_sha256(digest, "key", 3,
591 "The quick brown fox jumps over the lazy dog", 43);
592 tt_str_op(hex_str(digest, 32),OP_EQ,
593 "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
594
595 /* "Test Case 1" from RFC 4231 */
596 memset(key, 0x0b, 20);
597 crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
598 test_memeq_hex(digest,
599 "b0344c61d8db38535ca8afceaf0bf12b"
600 "881dc200c9833da726e9376c2e32cff7");
601
602 /* "Test Case 2" from RFC 4231 */
603 memset(key, 0x0b, 20);
604 crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
605 test_memeq_hex(digest,
606 "5bdcc146bf60754e6a042426089575c7"
607 "5a003f089d2739839dec58b964ec3843");
608
609 /* "Test case 3" from RFC 4231 */
610 memset(key, 0xaa, 20);
611 memset(data, 0xdd, 50);
612 crypto_hmac_sha256(digest, key, 20, data, 50);
613 test_memeq_hex(digest,
614 "773ea91e36800e46854db8ebd09181a7"
615 "2959098b3ef8c122d9635514ced565fe");
616
617 /* "Test case 4" from RFC 4231 */
618 base16_decode(key, 25,
619 "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
620 memset(data, 0xcd, 50);
621 crypto_hmac_sha256(digest, key, 25, data, 50);
622 test_memeq_hex(digest,
623 "82558a389a443c0ea4cc819899f2083a"
624 "85f0faa3e578f8077a2e3ff46729665b");
625
626 /* "Test case 5" from RFC 4231 */
627 memset(key, 0x0c, 20);
628 crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
629 test_memeq_hex(digest,
630 "a3b6167473100ee06e0c796c2955552b");
631
632 /* "Test case 6" from RFC 4231 */
633 memset(key, 0xaa, 131);
634 crypto_hmac_sha256(digest, key, 131,
635 "Test Using Larger Than Block-Size Key - Hash Key First",
636 54);
637 test_memeq_hex(digest,
638 "60e431591ee0b67f0d8a26aacbf5b77f"
639 "8e0bc6213728c5140546040f0ee37f54");
640
641 /* "Test case 7" from RFC 4231 */
642 memset(key, 0xaa, 131);
643 crypto_hmac_sha256(digest, key, 131,
644 "This is a test using a larger than block-size key and a "
645 "larger than block-size data. The key needs to be hashed "
646 "before being used by the HMAC algorithm.", 152);
647 test_memeq_hex(digest,
648 "9b09ffa71b942fcb27635fbcd5b0e944"
649 "bfdc63644f0713938a7f51535c3a35e2");
650
651 /* Incremental digest code. */
652 d1 = crypto_digest_new();
653 tt_assert(d1);
654 crypto_digest_add_bytes(d1, "abcdef", 6);
655 d2 = crypto_digest_dup(d1);
656 tt_assert(d2);
657 crypto_digest_add_bytes(d2, "ghijkl", 6);
658 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
659 crypto_digest(d_out2, "abcdefghijkl", 12);
660 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
661 crypto_digest_assign(d2, d1);
662 crypto_digest_add_bytes(d2, "mno", 3);
663 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
664 crypto_digest(d_out2, "abcdefmno", 9);
665 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
666 crypto_digest_get_digest(d1, d_out1, DIGEST_LEN);
667 crypto_digest(d_out2, "abcdef", 6);
668 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
669 crypto_digest_free(d1);
670 crypto_digest_free(d2);
671
672 /* Incremental digest code with sha256 */
673 d1 = crypto_digest256_new(DIGEST_SHA256);
674 tt_assert(d1);
675 crypto_digest_add_bytes(d1, "abcdef", 6);
676 d2 = crypto_digest_dup(d1);
677 tt_assert(d2);
678 crypto_digest_add_bytes(d2, "ghijkl", 6);
679 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
680 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
681 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
682 crypto_digest_assign(d2, d1);
683 crypto_digest_add_bytes(d2, "mno", 3);
684 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
685 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
686 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
687 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
688 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
689 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
690 crypto_digest_free(d1);
691 crypto_digest_free(d2);
692
693 /* Incremental digest code with sha512 */
694 d1 = crypto_digest512_new(DIGEST_SHA512);
695 tt_assert(d1);
696 crypto_digest_add_bytes(d1, "abcdef", 6);
697 d2 = crypto_digest_dup(d1);
698 tt_assert(d2);
699 crypto_digest_add_bytes(d2, "ghijkl", 6);
700 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
701 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512);
702 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
703 crypto_digest_assign(d2, d1);
704 crypto_digest_add_bytes(d2, "mno", 3);
705 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
706 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512);
707 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
708 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
709 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512);
710 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
711
712 done:
713 if (d1)
714 crypto_digest_free(d1);
715 if (d2)
716 crypto_digest_free(d2);
717 tor_free(mem_op_hex_tmp);
718 }
719
720 static void
721 test_crypto_sha3(void *arg)
722 {
723 crypto_digest_t *d1 = NULL, *d2 = NULL;
724 int i;
725 char data[DIGEST512_LEN];
726 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
727 char *mem_op_hex_tmp=NULL;
728 char *large = NULL;
729
730 (void)arg;
731
732 /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
733 *
734 * NB: The code package's test vectors have length expressed in bits.
735 */
736
737 /* Len = 8, Msg = CC */
738 const uint8_t keccak_kat_msg8[] = { 0xcc };
739 i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
740 test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
741 "6252BB7CE180B00B582DD9B20AAAD7F0");
742 tt_int_op(i, OP_EQ, 0);
743 i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
744 test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
745 "C36E2EE0F652AC72E02624FA2E5ADEEC"
746 "C7DD6BB3580224B4D6138706FC6E8059"
747 "7B528051230B00621CC2B22999EAA205");
748 tt_int_op(i, OP_EQ, 0);
749
750 /* Len = 24, Msg = 1F877C */
751 const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
752 i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3,
753 DIGEST_SHA3_256);
754 test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
755 "C9C966712A501B19D1B6632CCD408EC5");
756 tt_int_op(i, OP_EQ, 0);
757 i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3,
758 DIGEST_SHA3_512);
759 test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
760 "1A2F0D0608C3A575163751F002DB30F4"
761 "0F2F671834B22D208591CFAF1F5ECFE4"
762 "3C49863A53B3225BDFD7C6591BA7658B");
763 tt_int_op(i, OP_EQ, 0);
764
765 /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
766 const uint8_t keccak_kat_msg1080[] = {
767 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
768 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
769 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
770 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
771 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
772 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
773 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
774 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
775 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
776 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
777 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
778 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
779 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
780 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
781 };
782 i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135,
783 DIGEST_SHA3_256);
784 test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
785 "BE9B7C736B8059ABFD6779AC35AC81B5");
786 tt_int_op(i, OP_EQ, 0);
787 i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135,
788 DIGEST_SHA3_512);
789 test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
790 "CB78696773A212A5F62D02D14E3259D1"
791 "92A87EBA4407DD83893527331407B6DA"
792 "DAAD920DBC46489B677493CE5F20B595");
793 tt_int_op(i, OP_EQ, 0);
794
795 /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
796 const uint8_t keccak_kat_msg1088[] = {
797 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
798 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
799 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
800 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
801 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
802 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
803 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
804 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
805 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
806 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
807 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
808 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
809 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
810 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
811 };
812 i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136,
813 DIGEST_SHA3_256);
814 test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
815 "77B5286364FE16C59CC8A907AFF07732");
816 tt_int_op(i, OP_EQ, 0);
817 i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136,
818 DIGEST_SHA3_512);
819 test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
820 "FB94A14C72DE5ACD10D0EB5ECE029CAD"
821 "FA3BA17A40B2FFA2163991B17786E51C"
822 "ABA79E5E0FFD34CF085E2A098BE8BACB");
823 tt_int_op(i, OP_EQ, 0);
824
825 /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
826 const uint8_t keccak_kat_msg1096[] = {
827 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
828 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
829 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
830 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
831 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
832 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
833 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
834 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
835 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
836 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
837 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
838 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
839 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
840 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
841 };
842 i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137,
843 DIGEST_SHA3_256);
844 test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
845 "735E0177279222E7AC0AF8504762FAA0");
846 tt_int_op(i, OP_EQ, 0);
847 i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137,
848 DIGEST_SHA3_512);
849 test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
850 "40474041DE83D4A60645A826D7AF1ABE"
851 "1EEFCB7B74B62CA6A514E5F2697D585B"
852 "FECECE12931BBE1D4ED7EBF7B0BE660E");
853 tt_int_op(i, OP_EQ, 0);
854
855 /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
856 const uint8_t keccak_kat_msg1144[] = {
857 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
858 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
859 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
860 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
861 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
862 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
863 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
864 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
865 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
866 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
867 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
868 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
869 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
870 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
871 0xDF, 0xAF, 0xEC,
872 };
873 i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143,
874 DIGEST_SHA3_512);
875 test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
876 "605516615D96A062C8BE53A0D6C5A648"
877 "7BE35D2A8F3CF6620D0C2DBA2C560D68"
878 "295F284BE7F82F3B92919033C9CE5D80");
879 tt_int_op(i, OP_EQ, 0);
880 i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143,
881 DIGEST_SHA3_256);
882 test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
883 "118C0C2C606BDCDA06E7943D2C95E0E5");
884 tt_int_op(i, OP_EQ, 0);
885
886 /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
887 const uint8_t keccak_kat_msg1152[] = {
888 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
889 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
890 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
891 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
892 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
893 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
894 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
895 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
896 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
897 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
898 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
899 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
900 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
901 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
902 0x9E, 0xE0, 0x0C, 0x63,
903 };
904 i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144,
905 DIGEST_SHA3_512);
906 test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
907 "22775DCB6019DCD22B8885994672A088"
908 "9C69E8115C641DC8B83E39F7311815A1"
909 "64DC46E0BA2FCA344D86D4BC2EF2532C");
910 tt_int_op(i, OP_EQ, 0);
911 i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144,
912 DIGEST_SHA3_256);
913 test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
914 "84DA47678F3C2FFE5A39FDB5F7E63FFB");
915 tt_int_op(i, OP_EQ, 0);
916
917 /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
918 const uint8_t keccak_kat_msg1160[] = {
919 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
920 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
921 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
922 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
923 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
924 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
925 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
926 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
927 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
928 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
929 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
930 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
931 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
932 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
933 0x70, 0x11, 0x04, 0x4C, 0x53,
934 };
935 i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145,
936 DIGEST_SHA3_512);
937 test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
938 "05221AC5EFB1229842E4614F4A029C9B"
939 "D14A0ED7FD99AF3681429F3F309FDB53"
940 "166AA9A3CD9F1F1223D04B4A9015E94A");
941 tt_int_op(i, OP_EQ, 0);
942 i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145,
943 DIGEST_SHA3_256);
944 test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
945 "3CF6235C6B0B7969342C45A35194B67E");
946 tt_int_op(i, OP_EQ, 0);
947
948 /* SHA3-[256,512] Empty case (wikipedia) */
949 i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
950 test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
951 "f580ff4de43b49fa82d80a4b80f8434a");
952 tt_int_op(i, OP_EQ, 0);
953 i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
954 test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
955 "97c982164fe25859e0d1dcc1475c80a6"
956 "15b2123af1f5f94c11e3e9402c3ac558"
957 "f500199d95b6d3e301758586281dcd26");
958 tt_int_op(i, OP_EQ, 0);
959
960 /* Incremental digest code with SHA3-256 */
961 d1 = crypto_digest256_new(DIGEST_SHA3_256);
962 tt_assert(d1);
963 crypto_digest_add_bytes(d1, "abcdef", 6);
964 d2 = crypto_digest_dup(d1);
965 tt_assert(d2);
966 crypto_digest_add_bytes(d2, "ghijkl", 6);
967 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
968 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
969 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
970 crypto_digest_assign(d2, d1);
971 crypto_digest_add_bytes(d2, "mno", 3);
972 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
973 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
974 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
975 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
976 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
977 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
978 crypto_digest_free(d1);
979 crypto_digest_free(d2);
980
981 /* Incremental digest code with SHA3-512 */
982 d1 = crypto_digest512_new(DIGEST_SHA3_512);
983 tt_assert(d1);
984 crypto_digest_add_bytes(d1, "abcdef", 6);
985 d2 = crypto_digest_dup(d1);
986 tt_assert(d2);
987 crypto_digest_add_bytes(d2, "ghijkl", 6);
988 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
989 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512);
990 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
991 crypto_digest_assign(d2, d1);
992 crypto_digest_add_bytes(d2, "mno", 3);
993 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
994 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512);
995 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
996 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
997 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512);
998 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
999 crypto_digest_free(d1);
1000
1001 /* Attempt to exercise the incremental hashing code by creating a randomized
1002 * 100 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512
1003 * is used because it has a lowest rate of the family (the code is common,
1004 * but the slower rate exercises more of it).
1005 */
1006 const size_t bufsz = 100 * 1024;
1007 size_t j = 0;
1008 large = tor_malloc(bufsz);
1009 crypto_rand(large, bufsz);
1010 d1 = crypto_digest512_new(DIGEST_SHA3_512); /* Running digest. */
1011 while (j < bufsz) {
1012 /* Pick how much data to add to the running digest. */
1013 size_t incr = (size_t)crypto_rand_int_range(1, 72 * 5);
1014 incr = MIN(bufsz - j, incr);
1015
1016 /* Add the data, and calculate the hash. */
1017 crypto_digest_add_bytes(d1, large + j, incr);
1018 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
1019
1020 /* One-shot hash the buffer up to the data that was just added,
1021 * and ensure that the values match up.
1022 *
1023 * XXX/yawning: If this actually fails, it'll be rather difficult to
1024 * reproduce. Improvements welcome.
1025 */
1026 i = crypto_digest512(d_out2, large, j + incr, DIGEST_SHA3_512);
1027 tt_int_op(i, OP_EQ, 0);
1028 tt_mem_op(d_out1, OP_EQ, d_out2, DIGEST512_LEN);
1029
1030 j += incr;
1031 }
1032
1033 done:
1034 if (d1)
1035 crypto_digest_free(d1);
1036 if (d2)
1037 crypto_digest_free(d2);
1038 tor_free(large);
1039 tor_free(mem_op_hex_tmp);
1040 }
1041
1042 /** Run unit tests for our XOF. */
1043 static void
1044 test_crypto_sha3_xof(void *arg)
1045 {
1046 uint8_t msg[255];
1047 uint8_t out[512];
1048 crypto_xof_t *xof;
1049 char *mem_op_hex_tmp=NULL;
1050
1051 (void)arg;
1052
1053 /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */
1054 base16_decode((char *)msg, 255,
1055 "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431"
1056 "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1"
1057 "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F"
1058 "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457"
1059 "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186"
1060 "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3"
1061 "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565"
1062 "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7"
1063 "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510);
1064 const char *squeezed_hex =
1065 "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE"
1066 "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A"
1067 "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84"
1068 "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF"
1069 "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60"
1070 "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9"
1071 "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34"
1072 "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF"
1073 "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90"
1074 "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC"
1075 "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18"
1076 "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775"
1077 "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B"
1078 "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2"
1079 "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78"
1080 "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9"
1081 "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39"
1082 "73D4";
1083
1084 /* Test oneshot absorb/squeeze. */
1085 xof = crypto_xof_new();
1086 tt_assert(xof);
1087 crypto_xof_add_bytes(xof, msg, sizeof(msg));
1088 crypto_xof_squeeze_bytes(xof, out, sizeof(out));
1089 test_memeq_hex(out, squeezed_hex);
1090 crypto_xof_free(xof);
1091 memset(out, 0, sizeof(out));
1092
1093 /* Test incremental absorb/squeeze. */
1094 xof = crypto_xof_new();
1095 tt_assert(xof);
1096 for (size_t i = 0; i < sizeof(msg); i++)
1097 crypto_xof_add_bytes(xof, msg + i, 1);
1098 for (size_t i = 0; i < sizeof(out); i++)
1099 crypto_xof_squeeze_bytes(xof, out + i, 1);
1100 test_memeq_hex(out, squeezed_hex);
1101
1102 done:
1103 if (xof)
1104 crypto_xof_free(xof);
1105 tor_free(mem_op_hex_tmp);
1106 }
1107
1108 /** Run unit tests for our public key crypto functions */
1109 static void
1110 test_crypto_pk(void *arg)
1111 {
1112 crypto_pk_t *pk1 = NULL, *pk2 = NULL;
1113 char *encoded = NULL;
1114 char data1[1024], data2[1024], data3[1024];
1115 size_t size;
1116 int i, len;
1117
1118 /* Public-key ciphers */
1119 (void)arg;
1120 pk1 = pk_generate(0);
1121 pk2 = crypto_pk_new();
1122 tt_assert(pk1 && pk2);
1123 tt_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size));
1124 tt_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size));
1125 tt_int_op(0,OP_EQ, crypto_pk_cmp_keys(pk1, pk2));
1126
1127 /* comparison between keys and NULL */
1128 tt_int_op(crypto_pk_cmp_keys(NULL, pk1), OP_LT, 0);
1129 tt_int_op(crypto_pk_cmp_keys(NULL, NULL), OP_EQ, 0);
1130 tt_int_op(crypto_pk_cmp_keys(pk1, NULL), OP_GT, 0);
1131
1132 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk1));
1133 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk1));
1134 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk2));
1135 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk2));
1136
1137 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk2, data1, sizeof(data1),
1138 "Hello whirled.", 15,
1139 PK_PKCS1_OAEP_PADDING));
1140 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk1, data2, sizeof(data1),
1141 "Hello whirled.", 15,
1142 PK_PKCS1_OAEP_PADDING));
1143 /* oaep padding should make encryption not match */
1144 tt_mem_op(data1,OP_NE, data2, 128);
1145 tt_int_op(15,OP_EQ,
1146 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128,
1147 PK_PKCS1_OAEP_PADDING,1));
1148 tt_str_op(data3,OP_EQ, "Hello whirled.");
1149 memset(data3, 0, 1024);
1150 tt_int_op(15,OP_EQ,
1151 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1152 PK_PKCS1_OAEP_PADDING,1));
1153 tt_str_op(data3,OP_EQ, "Hello whirled.");
1154 /* Can't decrypt with public key. */
1155 tt_int_op(-1,OP_EQ,
1156 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128,
1157 PK_PKCS1_OAEP_PADDING,1));
1158 /* Try again with bad padding */
1159 memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
1160 tt_int_op(-1,OP_EQ,
1161 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1162 PK_PKCS1_OAEP_PADDING,1));
1163
1164 /* File operations: save and load private key */
1165 tt_assert(! crypto_pk_write_private_key_to_filename(pk1,
1166 get_fname("pkey1")));
1167 /* failing case for read: can't read. */
1168 tt_assert(crypto_pk_read_private_key_from_filename(pk2,
1169 get_fname("xyzzy")) < 0);
1170 write_str_to_file(get_fname("xyzzy"), "foobar", 6);
1171 /* Failing case for read: no key. */
1172 tt_assert(crypto_pk_read_private_key_from_filename(pk2,
1173 get_fname("xyzzy")) < 0);
1174 tt_assert(! crypto_pk_read_private_key_from_filename(pk2,
1175 get_fname("pkey1")));
1176 tt_int_op(15,OP_EQ,
1177 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128,
1178 PK_PKCS1_OAEP_PADDING,1));
1179
1180 /* Now try signing. */
1181 strlcpy(data1, "Ossifrage", 1024);
1182 tt_int_op(128,OP_EQ,
1183 crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10));
1184 tt_int_op(10,OP_EQ,
1185 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1186 tt_str_op(data3,OP_EQ, "Ossifrage");
1187 /* Try signing digests. */
1188 tt_int_op(128,OP_EQ, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2),
1189 data1, 10));
1190 tt_int_op(20,OP_EQ,
1191 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1192 tt_int_op(0,OP_EQ,
1193 crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128));
1194 tt_int_op(-1,OP_EQ,
1195 crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128));
1196
1197 /*XXXX test failed signing*/
1198
1199 /* Try encoding */
1200 crypto_pk_free(pk2);
1201 pk2 = NULL;
1202 i = crypto_pk_asn1_encode(pk1, data1, 1024);
1203 tt_int_op(i, OP_GT, 0);
1204 pk2 = crypto_pk_asn1_decode(data1, i);
1205 tt_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
1206
1207 /* Try with hybrid encryption wrappers. */
1208 crypto_rand(data1, 1024);
1209 for (i = 85; i < 140; ++i) {
1210 memset(data2,0,1024);
1211 memset(data3,0,1024);
1212 len = crypto_pk_public_hybrid_encrypt(pk1,data2,sizeof(data2),
1213 data1,i,PK_PKCS1_OAEP_PADDING,0);
1214 tt_int_op(len, OP_GE, 0);
1215 len = crypto_pk_private_hybrid_decrypt(pk1,data3,sizeof(data3),
1216 data2,len,PK_PKCS1_OAEP_PADDING,1);
1217 tt_int_op(len,OP_EQ, i);
1218 tt_mem_op(data1,OP_EQ, data3,i);
1219 }
1220
1221 /* Try copy_full */
1222 crypto_pk_free(pk2);
1223 pk2 = crypto_pk_copy_full(pk1);
1224 tt_assert(pk2 != NULL);
1225 tt_ptr_op(pk1, OP_NE, pk2);
1226 tt_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
1227
1228 done:
1229 if (pk1)
1230 crypto_pk_free(pk1);
1231 if (pk2)
1232 crypto_pk_free(pk2);
1233 tor_free(encoded);
1234 }
1235
1236 static void
1237 test_crypto_pk_fingerprints(void *arg)
1238 {
1239 crypto_pk_t *pk = NULL;
1240 char encoded[512];
1241 char d[DIGEST_LEN], d2[DIGEST_LEN];
1242 char fingerprint[FINGERPRINT_LEN+1];
1243 int n;
1244 unsigned i;
1245 char *mem_op_hex_tmp=NULL;
1246
1247 (void)arg;
1248
1249 pk = pk_generate(1);
1250 tt_assert(pk);
1251 n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded));
1252 tt_int_op(n, OP_GT, 0);
1253 tt_int_op(n, OP_GT, 128);
1254 tt_int_op(n, OP_LT, 256);
1255
1256 /* Is digest as expected? */
1257 crypto_digest(d, encoded, n);
1258 tt_int_op(0, OP_EQ, crypto_pk_get_digest(pk, d2));
1259 tt_mem_op(d,OP_EQ, d2, DIGEST_LEN);
1260
1261 /* Is fingerprint right? */
1262 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 0));
1263 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1264 test_memeq_hex(d, fingerprint);
1265
1266 /* Are spaces right? */
1267 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 1));
1268 for (i = 4; i < strlen(fingerprint); i += 5) {
1269 tt_int_op(fingerprint[i], OP_EQ, ' ');
1270 }
1271 tor_strstrip(fingerprint, " ");
1272 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1273 test_memeq_hex(d, fingerprint);
1274
1275 /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
1276 crypto_digest(d2, d, sizeof(d));
1277 tt_int_op(0, OP_EQ, crypto_pk_get_hashed_fingerprint(pk, fingerprint));
1278 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1279 test_memeq_hex(d2, fingerprint);
1280
1281 done:
1282 crypto_pk_free(pk);
1283 tor_free(mem_op_hex_tmp);
1284 }
1285
1286 static void
1287 test_crypto_pk_base64(void *arg)
1288 {
1289 crypto_pk_t *pk1 = NULL;
1290 crypto_pk_t *pk2 = NULL;
1291 char *encoded = NULL;
1292
1293 (void)arg;
1294
1295 /* Test Base64 encoding a key. */
1296 pk1 = pk_generate(0);
1297 tt_assert(pk1);
1298 tt_int_op(0, OP_EQ, crypto_pk_base64_encode(pk1, &encoded));
1299 tt_assert(encoded);
1300
1301 /* Test decoding a valid key. */
1302 pk2 = crypto_pk_base64_decode(encoded, strlen(encoded));
1303 tt_assert(pk2);
1304 tt_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
1305 crypto_pk_free(pk2);
1306
1307 /* Test decoding a invalid key (not Base64). */
1308 static const char *invalid_b64 = "The key is in another castle!";
1309 pk2 = crypto_pk_base64_decode(invalid_b64, strlen(invalid_b64));
1310 tt_assert(!pk2);
1311
1312 /* Test decoding a truncated Base64 blob. */
1313 pk2 = crypto_pk_base64_decode(encoded, strlen(encoded)/2);
1314 tt_assert(!pk2);
1315
1316 done:
1317 crypto_pk_free(pk1);
1318 crypto_pk_free(pk2);
1319 tor_free(encoded);
1320 }
1321
1322 #ifdef HAVE_TRUNCATE
1323 #define do_truncate truncate
1324 #else
1325 static int
1326 do_truncate(const char *fname, size_t len)
1327 {
1328 struct stat st;
1329 char *bytes;
1330
1331 bytes = read_file_to_str(fname, RFTS_BIN, &st);
1332 if (!bytes)
1333 return -1;
1334 /* This cast isn't so great, but it should be safe given the actual files
1335 * and lengths we're using. */
1336 if (st.st_size < (off_t)len)
1337 len = MIN(len, (size_t)st.st_size);
1338
1339 int r = write_bytes_to_file(fname, bytes, len, 1);
1340 tor_free(bytes);
1341 return r;
1342 }
1343 #endif
1344
1345 /** Sanity check for crypto pk digests */
1346 static void
1347 test_crypto_digests(void *arg)
1348 {
1349 crypto_pk_t *k = NULL;
1350 ssize_t r;
1351 common_digests_t pkey_digests;
1352 char digest[DIGEST_LEN];
1353
1354 (void)arg;
1355 k = crypto_pk_new();
1356 tt_assert(k);
1357 r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3, -1);
1358 tt_assert(!r);
1359
1360 r = crypto_pk_get_digest(k, digest);
1361 tt_assert(r == 0);
1362 tt_mem_op(hex_str(digest, DIGEST_LEN),OP_EQ,
1363 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1364
1365 r = crypto_pk_get_common_digests(k, &pkey_digests);
1366
1367 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),OP_EQ,
1368 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1369 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),OP_EQ,
1370 AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN);
1371 done:
1372 crypto_pk_free(k);
1373 }
1374
1375 static void
1376 test_crypto_digest_names(void *arg)
1377 {
1378 static const struct {
1379 int a; const char *n;
1380 } names[] = {
1381 { DIGEST_SHA1, "sha1" },
1382 { DIGEST_SHA256, "sha256" },
1383 { DIGEST_SHA512, "sha512" },
1384 { DIGEST_SHA3_256, "sha3-256" },
1385 { DIGEST_SHA3_512, "sha3-512" },
1386 { -1, NULL }
1387 };
1388 (void)arg;
1389
1390 int i;
1391 for (i = 0; names[i].n; ++i) {
1392 tt_str_op(names[i].n, OP_EQ,crypto_digest_algorithm_get_name(names[i].a));
1393 tt_int_op(names[i].a,
1394 OP_EQ,crypto_digest_algorithm_parse_name(names[i].n));
1395 }
1396 tt_int_op(-1, OP_EQ,
1397 crypto_digest_algorithm_parse_name("TimeCubeHash-4444"));
1398 done:
1399 ;
1400 }
1401
1402 #ifndef OPENSSL_1_1_API
1403 #define EVP_ENCODE_CTX_new() tor_malloc_zero(sizeof(EVP_ENCODE_CTX))
1404 #define EVP_ENCODE_CTX_free(ctx) tor_free(ctx)
1405 #endif
1406
1407 /** Encode src into dest with OpenSSL's EVP Encode interface, returning the
1408 * length of the encoded data in bytes.
1409 */
1410 static int
1411 base64_encode_evp(char *dest, char *src, size_t srclen)
1412 {
1413 const unsigned char *s = (unsigned char*)src;
1414 EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
1415 int len, ret;
1416
1417 EVP_EncodeInit(ctx);
1418 EVP_EncodeUpdate(ctx, (unsigned char *)dest, &len, s, (int)srclen);
1419 EVP_EncodeFinal(ctx, (unsigned char *)(dest + len), &ret);
1420 EVP_ENCODE_CTX_free(ctx);
1421 return ret+ len;
1422 }
1423
1424 /** Run unit tests for misc crypto formatting functionality (base64, base32,
1425 * fingerprints, etc) */
1426 static void
1427 test_crypto_formats(void *arg)
1428 {
1429 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
1430 int i, j, idx;
1431
1432 (void)arg;
1433 data1 = tor_malloc(1024);
1434 data2 = tor_malloc(1024);
1435 data3 = tor_malloc(1024);
1436 tt_assert(data1 && data2 && data3);
1437
1438 /* Base64 tests */
1439 memset(data1, 6, 1024);
1440 for (idx = 0; idx < 10; ++idx) {
1441 i = base64_encode(data2, 1024, data1, idx, 0);
1442 tt_int_op(i, OP_GE, 0);
1443 tt_int_op(i, OP_EQ, strlen(data2));
1444 j = base64_decode(data3, 1024, data2, i);
1445 tt_int_op(j,OP_EQ, idx);
1446 tt_mem_op(data3,OP_EQ, data1, idx);
1447
1448 i = base64_encode_nopad(data2, 1024, (uint8_t*)data1, idx);
1449 tt_int_op(i, OP_GE, 0);
1450 tt_int_op(i, OP_EQ, strlen(data2));
1451 tt_assert(! strchr(data2, '='));
1452 j = base64_decode_nopad((uint8_t*)data3, 1024, data2, i);
1453 tt_int_op(j, OP_EQ, idx);
1454 tt_mem_op(data3,OP_EQ, data1, idx);
1455 }
1456
1457 strlcpy(data1, "Test string that contains 35 chars.", 1024);
1458 strlcat(data1, " 2nd string that contains 35 chars.", 1024);
1459
1460 i = base64_encode(data2, 1024, data1, 71, 0);
1461 tt_int_op(i, OP_GE, 0);
1462 j = base64_decode(data3, 1024, data2, i);
1463 tt_int_op(j,OP_EQ, 71);
1464 tt_str_op(data3,OP_EQ, data1);
1465 tt_int_op(data2[i], OP_EQ, '\0');
1466
1467 crypto_rand(data1, DIGEST_LEN);
1468 memset(data2, 100, 1024);
1469 digest_to_base64(data2, data1);
1470 tt_int_op(BASE64_DIGEST_LEN,OP_EQ, strlen(data2));
1471 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST_LEN+2]);
1472 memset(data3, 99, 1024);
1473 tt_int_op(digest_from_base64(data3, data2),OP_EQ, 0);
1474 tt_mem_op(data1,OP_EQ, data3, DIGEST_LEN);
1475 tt_int_op(99,OP_EQ, data3[DIGEST_LEN+1]);
1476
1477 tt_assert(digest_from_base64(data3, "###") < 0);
1478
1479 for (i = 0; i < 256; i++) {
1480 /* Test the multiline format Base64 encoder with 0 .. 256 bytes of
1481 * output against OpenSSL.
1482 */
1483 const size_t enclen = base64_encode_size(i, BASE64_ENCODE_MULTILINE);
1484 data1[i] = i;
1485 j = base64_encode(data2, 1024, data1, i, BASE64_ENCODE_MULTILINE);
1486 tt_int_op(j, OP_EQ, enclen);
1487 j = base64_encode_evp(data3, data1, i);
1488 tt_int_op(j, OP_EQ, enclen);
1489 tt_mem_op(data2, OP_EQ, data3, enclen);
1490 tt_int_op(j, OP_EQ, strlen(data2));
1491 }
1492
1493 /* Encoding SHA256 */
1494 crypto_rand(data2, DIGEST256_LEN);
1495 memset(data2, 100, 1024);
1496 digest256_to_base64(data2, data1);
1497 tt_int_op(BASE64_DIGEST256_LEN,OP_EQ, strlen(data2));
1498 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST256_LEN+2]);
1499 memset(data3, 99, 1024);
1500 tt_int_op(digest256_from_base64(data3, data2),OP_EQ, 0);
1501 tt_mem_op(data1,OP_EQ, data3, DIGEST256_LEN);
1502 tt_int_op(99,OP_EQ, data3[DIGEST256_LEN+1]);
1503
1504 /* Base32 tests */
1505 strlcpy(data1, "5chrs", 1024);
1506 /* bit pattern is: [35 63 68 72 73] ->
1507 * [00110101 01100011 01101000 01110010 01110011]
1508 * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
1509 */
1510 base32_encode(data2, 9, data1, 5);
1511 tt_str_op(data2,OP_EQ, "gvrwq4tt");
1512
1513 strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
1514 base32_encode(data2, 30, data1, 10);
1515 tt_str_op(data2,OP_EQ, "772w2rfobvomsywe");
1516
1517 /* Base16 tests */
1518 strlcpy(data1, "6chrs\xff", 1024);
1519 base16_encode(data2, 13, data1, 6);
1520 tt_str_op(data2,OP_EQ, "3663687273FF");
1521
1522 strlcpy(data1, "f0d678affc000100", 1024);
1523 i = base16_decode(data2, 8, data1, 16);
1524 tt_int_op(i,OP_EQ, 8);
1525 tt_mem_op(data2,OP_EQ, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
1526
1527 /* now try some failing base16 decodes */
1528 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 15)); /* odd input len */
1529 tt_int_op(-1,OP_EQ, base16_decode(data2, 7, data1, 16)); /* dest too short */
1530 strlcpy(data1, "f0dz!8affc000100", 1024);
1531 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 16));
1532
1533 tor_free(data1);
1534 tor_free(data2);
1535 tor_free(data3);
1536
1537 /* Add spaces to fingerprint */
1538 {
1539 data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
1540 tt_int_op(strlen(data1),OP_EQ, 40);
1541 data2 = tor_malloc(FINGERPRINT_LEN+1);
1542 crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1);
1543 tt_str_op(data2, OP_EQ,
1544 "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
1545 tor_free(data1);
1546 tor_free(data2);
1547 }
1548
1549 done:
1550 tor_free(data1);
1551 tor_free(data2);
1552 tor_free(data3);
1553 }
1554
1555 /** Test AES-CTR encryption and decryption with IV. */
1556 static void
1557 test_crypto_aes_iv(void *arg)
1558 {
1559 char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2;
1560 char plain_1[1], plain_15[15], plain_16[16], plain_17[17];
1561 char key1[16], key2[16];
1562 ssize_t encrypted_size, decrypted_size;
1563
1564 int use_evp = !strcmp(arg,"evp");
1565 evaluate_evp_for_aes(use_evp);
1566
1567 plain = tor_malloc(4095);
1568 encrypted1 = tor_malloc(4095 + 1 + 16);
1569 encrypted2 = tor_malloc(4095 + 1 + 16);
1570 decrypted1 = tor_malloc(4095 + 1);
1571 decrypted2 = tor_malloc(4095 + 1);
1572
1573 crypto_rand(plain, 4095);
1574 crypto_rand(key1, 16);
1575 crypto_rand(key2, 16);
1576 crypto_rand(plain_1, 1);
1577 crypto_rand(plain_15, 15);
1578 crypto_rand(plain_16, 16);
1579 crypto_rand(plain_17, 17);
1580 key1[0] = key2[0] + 128; /* Make sure that contents are different. */
1581 /* Encrypt and decrypt with the same key. */
1582 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095,
1583 plain, 4095);
1584
1585 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1586 tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is
1587 * greater than 0, but its truth is not
1588 * obvious to all analysis tools. */
1589 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1590 encrypted1, encrypted_size);
1591
1592 tt_int_op(decrypted_size,OP_EQ, 4095);
1593 tt_assert(decrypted_size > 0);
1594 tt_mem_op(plain,OP_EQ, decrypted1, 4095);
1595 /* Encrypt a second time (with a new random initialization vector). */
1596 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095,
1597 plain, 4095);
1598
1599 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1600 tt_assert(encrypted_size > 0);
1601 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095,
1602 encrypted2, encrypted_size);
1603 tt_int_op(decrypted_size,OP_EQ, 4095);
1604 tt_assert(decrypted_size > 0);
1605 tt_mem_op(plain,OP_EQ, decrypted2, 4095);
1606 tt_mem_op(encrypted1,OP_NE, encrypted2, encrypted_size);
1607 /* Decrypt with the wrong key. */
1608 decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095,
1609 encrypted1, encrypted_size);
1610 tt_int_op(decrypted_size,OP_EQ, 4095);
1611 tt_mem_op(plain,OP_NE, decrypted2, decrypted_size);
1612 /* Alter the initialization vector. */
1613 encrypted1[0] += 42;
1614 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1615 encrypted1, encrypted_size);
1616 tt_int_op(decrypted_size,OP_EQ, 4095);
1617 tt_mem_op(plain,OP_NE, decrypted2, 4095);
1618 /* Special length case: 1. */
1619 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1,
1620 plain_1, 1);
1621 tt_int_op(encrypted_size,OP_EQ, 16 + 1);
1622 tt_assert(encrypted_size > 0);
1623 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1,
1624 encrypted1, encrypted_size);
1625 tt_int_op(decrypted_size,OP_EQ, 1);
1626 tt_assert(decrypted_size > 0);
1627 tt_mem_op(plain_1,OP_EQ, decrypted1, 1);
1628 /* Special length case: 15. */
1629 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15,
1630 plain_15, 15);
1631 tt_int_op(encrypted_size,OP_EQ, 16 + 15);
1632 tt_assert(encrypted_size > 0);
1633 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15,
1634 encrypted1, encrypted_size);
1635 tt_int_op(decrypted_size,OP_EQ, 15);
1636 tt_assert(decrypted_size > 0);
1637 tt_mem_op(plain_15,OP_EQ, decrypted1, 15);
1638 /* Special length case: 16. */
1639 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16,
1640 plain_16, 16);
1641 tt_int_op(encrypted_size,OP_EQ, 16 + 16);
1642 tt_assert(encrypted_size > 0);
1643 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16,
1644 encrypted1, encrypted_size);
1645 tt_int_op(decrypted_size,OP_EQ, 16);
1646 tt_assert(decrypted_size > 0);
1647 tt_mem_op(plain_16,OP_EQ, decrypted1, 16);
1648 /* Special length case: 17. */
1649 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17,
1650 plain_17, 17);
1651 tt_int_op(encrypted_size,OP_EQ, 16 + 17);
1652 tt_assert(encrypted_size > 0);
1653 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17,
1654 encrypted1, encrypted_size);
1655 tt_int_op(decrypted_size,OP_EQ, 17);
1656 tt_assert(decrypted_size > 0);
1657 tt_mem_op(plain_17,OP_EQ, decrypted1, 17);
1658
1659 done:
1660 /* Free memory. */
1661 tor_free(plain);
1662 tor_free(encrypted1);
1663 tor_free(encrypted2);
1664 tor_free(decrypted1);
1665 tor_free(decrypted2);
1666 }
1667
1668 /** Test base32 decoding. */
1669 static void
1670 test_crypto_base32_decode(void *arg)
1671 {
1672 char plain[60], encoded[96 + 1], decoded[60];
1673 int res;
1674 (void)arg;
1675 crypto_rand(plain, 60);
1676 /* Encode and decode a random string. */
1677 base32_encode(encoded, 96 + 1, plain, 60);
1678 res = base32_decode(decoded, 60, encoded, 96);
1679 tt_int_op(res,OP_EQ, 0);
1680 tt_mem_op(plain,OP_EQ, decoded, 60);
1681 /* Encode, uppercase, and decode a random string. */
1682 base32_encode(encoded, 96 + 1, plain, 60);
1683 tor_strupper(encoded);
1684 res = base32_decode(decoded, 60, encoded, 96);
1685 tt_int_op(res,OP_EQ, 0);
1686 tt_mem_op(plain,OP_EQ, decoded, 60);
1687 /* Change encoded string and decode. */
1688 if (encoded[0] == 'A' || encoded[0] == 'a')
1689 encoded[0] = 'B';
1690 else
1691 encoded[0] = 'A';
1692 res = base32_decode(decoded, 60, encoded, 96);
1693 tt_int_op(res,OP_EQ, 0);
1694 tt_mem_op(plain,OP_NE, decoded, 60);
1695 /* Bad encodings. */
1696 encoded[0] = '!';
1697 res = base32_decode(decoded, 60, encoded, 96);
1698 tt_int_op(0, OP_GT, res);
1699
1700 done:
1701 ;
1702 }
1703
1704 static void
1705 test_crypto_kdf_TAP(void *arg)
1706 {
1707 uint8_t key_material[100];
1708 int r;
1709 char *mem_op_hex_tmp = NULL;
1710
1711 (void)arg;
1712 #define EXPAND(s) \
1713 r = crypto_expand_key_material_TAP( \
1714 (const uint8_t*)(s), strlen(s), \
1715 key_material, 100)
1716
1717 /* Test vectors generated with a little python script; feel free to write
1718 * your own. */
1719 memset(key_material, 0, sizeof(key_material));
1720 EXPAND("");
1721 tt_int_op(r, OP_EQ, 0);
1722 test_memeq_hex(key_material,
1723 "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
1724 "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
1725 "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
1726 "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
1727
1728 EXPAND("Tor");
1729 tt_int_op(r, OP_EQ, 0);
1730 test_memeq_hex(key_material,
1731 "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
1732 "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
1733 "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
1734 "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
1735
1736 EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
1737 tt_int_op(r, OP_EQ, 0);
1738 test_memeq_hex(key_material,
1739 "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
1740 "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
1741 "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
1742 "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
1743
1744 done:
1745 tor_free(mem_op_hex_tmp);
1746
1747 #undef EXPAND
1748 }
1749
1750 static void
1751 test_crypto_hkdf_sha256(void *arg)
1752 {
1753 uint8_t key_material[100];
1754 const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract";
1755 const size_t salt_len = strlen((char*)salt);
1756 const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand";
1757 const size_t m_expand_len = strlen((char*)m_expand);
1758 int r;
1759 char *mem_op_hex_tmp = NULL;
1760
1761 (void)arg;
1762
1763 #define EXPAND(s) \
1764 r = crypto_expand_key_material_rfc5869_sha256( \
1765 (const uint8_t*)(s), strlen(s), \
1766 salt, salt_len, \
1767 m_expand, m_expand_len, \
1768 key_material, 100)
1769
1770 /* Test vectors generated with ntor_ref.py */
1771 memset(key_material, 0, sizeof(key_material));
1772 EXPAND("");
1773 tt_int_op(r, OP_EQ, 0);
1774 test_memeq_hex(key_material,
1775 "d3490ed48b12a48f9547861583573fe3f19aafe3f81dc7fc75"
1776 "eeed96d741b3290f941576c1f9f0b2d463d1ec7ab2c6bf71cd"
1777 "d7f826c6298c00dbfe6711635d7005f0269493edf6046cc7e7"
1778 "dcf6abe0d20c77cf363e8ffe358927817a3d3e73712cee28d8");
1779
1780 EXPAND("Tor");
1781 tt_int_op(r, OP_EQ, 0);
1782 test_memeq_hex(key_material,
1783 "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
1784 "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
1785 "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
1786 "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
1787
1788 EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
1789 tt_int_op(r, OP_EQ, 0);
1790 test_memeq_hex(key_material,
1791 "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
1792 "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
1793 "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
1794 "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
1795 done:
1796 tor_free(mem_op_hex_tmp);
1797 #undef EXPAND
1798 }
1799
1800 static void
1801 test_crypto_hkdf_sha256_testvecs(void *arg)
1802 {
1803 (void) arg;
1804 /* Test vectors from RFC5869, sections A.1 through A.3 */
1805 const struct {
1806 const char *ikm16, *salt16, *info16;
1807 int L;
1808 const char *okm16;
1809 } vecs[] = {
1810 { /* from A.1 */
1811 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1812 "000102030405060708090a0b0c",
1813 "f0f1f2f3f4f5f6f7f8f9",
1814 42,
1815 "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
1816 "34007208d5b887185865"
1817 },
1818 { /* from A.2 */
1819 "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
1820 "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
1821 "404142434445464748494a4b4c4d4e4f",
1822 "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
1823 "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
1824 "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
1825 "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
1826 "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef"
1827 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
1828 82,
1829 "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c"
1830 "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71"
1831 "cc30c58179ec3e87c14c01d5c1f3434f1d87"
1832 },
1833 { /* from A.3 */
1834 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1835 "",
1836 "",
1837 42,
1838 "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
1839 "9d201395faa4b61a96c8",
1840 },
1841 { NULL, NULL, NULL, -1, NULL }
1842 };
1843
1844 int i;
1845 char *ikm = NULL;
1846 char *salt = NULL;
1847 char *info = NULL;
1848 char *okm = NULL;
1849 char *mem_op_hex_tmp = NULL;
1850
1851 for (i = 0; vecs[i].ikm16; ++i) {
1852 size_t ikm_len = strlen(vecs[i].ikm16)/2;
1853 size_t salt_len = strlen(vecs[i].salt16)/2;
1854 size_t info_len = strlen(vecs[i].info16)/2;
1855 size_t okm_len = vecs[i].L;
1856
1857 ikm = tor_malloc(ikm_len);
1858 salt = tor_malloc(salt_len);
1859 info = tor_malloc(info_len);
1860 okm = tor_malloc(okm_len);
1861
1862 base16_decode(ikm, ikm_len, vecs[i].ikm16, strlen(vecs[i].ikm16));
1863 base16_decode(salt, salt_len, vecs[i].salt16, strlen(vecs[i].salt16));
1864 base16_decode(info, info_len, vecs[i].info16, strlen(vecs[i].info16));
1865
1866 int r = crypto_expand_key_material_rfc5869_sha256(
1867 (const uint8_t*)ikm, ikm_len,
1868 (const uint8_t*)salt, salt_len,
1869 (const uint8_t*)info, info_len,
1870 (uint8_t*)okm, okm_len);
1871 tt_int_op(r, OP_EQ, 0);
1872 test_memeq_hex(okm, vecs[i].okm16);
1873 tor_free(ikm);
1874 tor_free(salt);
1875 tor_free(info);
1876 tor_free(okm);
1877 }
1878 done:
1879 tor_free(ikm);
1880 tor_free(salt);
1881 tor_free(info);
1882 tor_free(okm);
1883 tor_free(mem_op_hex_tmp);
1884 }
1885
1886 static void
1887 test_crypto_curve25519_impl(void *arg)
1888 {
1889 /* adapted from curve25519_donna, which adapted it from test-curve25519
1890 version 20050915, by D. J. Bernstein, Public domain. */
1891
1892 const int randomize_high_bit = (arg != NULL);
1893
1894 #ifdef SLOW_CURVE25519_TEST
1895 const int loop_max=10000;
1896 const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5"
1897 "7e0329f4dd2819f5f32d130f1296b500";
1898 const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9"
1899 "e0544770bc7de853b38f9100489e3e79";
1900 const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88"
1901 "bd13861475516bc2cd2b6e005e805064";
1902 #else
1903 const int loop_max=200;
1904 const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3"
1905 "c6a1037d74cceb3712e9206871dcf654";
1906 const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
1907 "8e3ee1a63c7d14274ea5d4c67f065467";
1908 const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e"
1909 "c0ee98cb2257a4545c0cfb2ca3e1812b";
1910 #endif
1911
1912 unsigned char e1k[32];
1913 unsigned char e2k[32];
1914 unsigned char e1e2k[32];
1915 unsigned char e2e1k[32];
1916 unsigned char e1[32] = {3};
1917 unsigned char e2[32] = {5};
1918 unsigned char k[32] = {9};
1919 int loop, i;
1920
1921 char *mem_op_hex_tmp = NULL;
1922
1923 for (loop = 0; loop < loop_max; ++loop) {
1924 curve25519_impl(e1k,e1,k);
1925 curve25519_impl(e2e1k,e2,e1k);
1926 curve25519_impl(e2k,e2,k);
1927 if (randomize_high_bit) {
1928 /* We require that the high bit of the public key be ignored. So if
1929 * we're doing this variant test, we randomize the high bit of e2k, and
1930 * make sure that the handshake still works out the same as it would
1931 * otherwise. */
1932 uint8_t byte;
1933 crypto_rand((char*)&byte, 1);
1934 e2k[31] |= (byte & 0x80);
1935 }
1936 curve25519_impl(e1e2k,e1,e2k);
1937 tt_mem_op(e1e2k,OP_EQ, e2e1k, 32);
1938 if (loop == loop_max-1) {
1939 break;
1940 }
1941 for (i = 0;i < 32;++i) e1[i] ^= e2k[i];
1942 for (i = 0;i < 32;++i) e2[i] ^= e1k[i];
1943 for (i = 0;i < 32;++i) k[i] ^= e1e2k[i];
1944 }
1945
1946 test_memeq_hex(e1, e1_expected);
1947 test_memeq_hex(e2k, e2k_expected);
1948 test_memeq_hex(e1e2k, e1e2k_expected);
1949
1950 done:
1951 tor_free(mem_op_hex_tmp);
1952 }
1953
1954 static void
1955 test_crypto_curve25519_basepoint(void *arg)
1956 {
1957 uint8_t secret[32];
1958 uint8_t public1[32];
1959 uint8_t public2[32];
1960 const int iters = 2048;
1961 int i;
1962 (void) arg;
1963
1964 for (i = 0; i < iters; ++i) {
1965 crypto_rand((char*)secret, 32);
1966 curve25519_set_impl_params(1); /* Use optimization */
1967 curve25519_basepoint_impl(public1, secret);
1968 curve25519_set_impl_params(0); /* Disable optimization */
1969 curve25519_basepoint_impl(public2, secret);
1970 tt_mem_op(public1, OP_EQ, public2, 32);
1971 }
1972
1973 done:
1974 ;
1975 }
1976
1977 static void
1978 test_crypto_curve25519_testvec(void *arg)
1979 {
1980 (void)arg;
1981 char *mem_op_hex_tmp = NULL;
1982
1983 /* From RFC 7748, section 6.1 */
1984 /* Alice's private key, a: */
1985 const char a16[] =
1986 "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
1987 /* Alice's public key, X25519(a, 9): */
1988 const char a_pub16[] =
1989 "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
1990 /* Bob's private key, b: */
1991 const char b16[] =
1992 "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
1993 /* Bob's public key, X25519(b, 9): */
1994 const char b_pub16[] =
1995 "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
1996 /* Their shared secret, K: */
1997 const char k16[] =
1998 "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
1999
2000 uint8_t a[32], b[32], a_pub[32], b_pub[32], k1[32], k2[32];
2001 base16_decode((char*)a, sizeof(a), a16, strlen(a16));
2002 base16_decode((char*)b, sizeof(b), b16, strlen(b16));
2003 curve25519_basepoint_impl(a_pub, a);
2004 curve25519_basepoint_impl(b_pub, b);
2005 curve25519_impl(k1, a, b_pub);
2006 curve25519_impl(k2, b, a_pub);
2007
2008 test_memeq_hex(a, a16);
2009 test_memeq_hex(b, b16);
2010 test_memeq_hex(a_pub, a_pub16);
2011 test_memeq_hex(b_pub, b_pub16);
2012 test_memeq_hex(k1, k16);
2013 test_memeq_hex(k2, k16);
2014 done:
2015 tor_free(mem_op_hex_tmp);
2016 }
2017
2018 static void
2019 test_crypto_curve25519_wrappers(void *arg)
2020 {
2021 curve25519_public_key_t pubkey1, pubkey2;
2022 curve25519_secret_key_t seckey1, seckey2;
2023
2024 uint8_t output1[CURVE25519_OUTPUT_LEN];
2025 uint8_t output2[CURVE25519_OUTPUT_LEN];
2026 (void)arg;
2027
2028 /* Test a simple handshake, serializing and deserializing some stuff. */
2029 curve25519_secret_key_generate(&seckey1, 0);
2030 curve25519_secret_key_generate(&seckey2, 1);
2031 curve25519_public_key_generate(&pubkey1, &seckey1);
2032 curve25519_public_key_generate(&pubkey2, &seckey2);
2033 tt_assert(curve25519_public_key_is_ok(&pubkey1));
2034 tt_assert(curve25519_public_key_is_ok(&pubkey2));
2035 curve25519_handshake(output1, &seckey1, &pubkey2);
2036 curve25519_handshake(output2, &seckey2, &pubkey1);
2037 tt_mem_op(output1,OP_EQ, output2, sizeof(output1));
2038
2039 done:
2040 ;
2041 }
2042
2043 static void
2044 test_crypto_curve25519_encode(void *arg)
2045 {
2046 curve25519_secret_key_t seckey;
2047 curve25519_public_key_t key1, key2, key3;
2048 char buf[64];
2049
2050 (void)arg;
2051
2052 curve25519_secret_key_generate(&seckey, 0);
2053 curve25519_public_key_generate(&key1, &seckey);
2054 tt_int_op(0, OP_EQ, curve25519_public_to_base64(buf, &key1));
2055 tt_int_op(CURVE25519_BASE64_PADDED_LEN, OP_EQ, strlen(buf));
2056
2057 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key2, buf));
2058 tt_mem_op(key1.public_key,OP_EQ, key2.public_key, CURVE25519_PUBKEY_LEN);
2059
2060 buf[CURVE25519_BASE64_PADDED_LEN - 1] = '\0';
2061 tt_int_op(CURVE25519_BASE64_PADDED_LEN-1, OP_EQ, strlen(buf));
2062 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key3, buf));
2063 tt_mem_op(key1.public_key,OP_EQ, key3.public_key, CURVE25519_PUBKEY_LEN);
2064
2065 /* Now try bogus parses. */
2066 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf));
2067 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2068
2069 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf));
2070 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2071
2072 strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf));
2073 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2074
2075 done:
2076 ;
2077 }
2078
2079 static void
2080 test_crypto_curve25519_persist(void *arg)
2081 {
2082 curve25519_keypair_t keypair, keypair2;
2083 char *fname = tor_strdup(get_fname("curve25519_keypair"));
2084 char *tag = NULL;
2085 char *content = NULL;
2086 const char *cp;
2087 struct stat st;
2088 size_t taglen;
2089
2090 (void)arg;
2091
2092 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&keypair, 0));
2093
2094 tt_int_op(0,OP_EQ,
2095 curve25519_keypair_write_to_file(&keypair, fname, "testing"));
2096 tt_int_op(0,OP_EQ,curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2097 tt_str_op(tag,OP_EQ,"testing");
2098 tor_free(tag);
2099
2100 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2101 keypair2.pubkey.public_key,
2102 CURVE25519_PUBKEY_LEN);
2103 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2104 keypair2.seckey.secret_key,
2105 CURVE25519_SECKEY_LEN);
2106
2107 content = read_file_to_str(fname, RFTS_BIN, &st);
2108 tt_assert(content);
2109 taglen = strlen("== c25519v1: testing ==");
2110 tt_u64_op((uint64_t)st.st_size, OP_EQ,
2111 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN);
2112 tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen));
2113 tt_assert(tor_mem_is_zero(content+taglen, 32-taglen));
2114 cp = content + 32;
2115 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2116 cp,
2117 CURVE25519_SECKEY_LEN);
2118 cp += CURVE25519_SECKEY_LEN;
2119 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2120 cp,
2121 CURVE25519_SECKEY_LEN);
2122
2123 tor_free(fname);
2124 fname = tor_strdup(get_fname("bogus_keypair"));
2125
2126 tt_int_op(-1, OP_EQ,
2127 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2128 tor_free(tag);
2129
2130 content[69] ^= 0xff;
2131 tt_int_op(0, OP_EQ,
2132 write_bytes_to_file(fname, content, (size_t)st.st_size, 1));
2133 tt_int_op(-1, OP_EQ,
2134 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2135
2136 done:
2137 tor_free(fname);
2138 tor_free(content);
2139 tor_free(tag);
2140 }
2141
2142 static void *
2143 ed25519_testcase_setup(const struct testcase_t *testcase)
2144 {
2145 crypto_ed25519_testing_force_impl(testcase->setup_data);
2146 return testcase->setup_data;
2147 }
2148 static int
2149 ed25519_testcase_cleanup(const struct testcase_t *testcase, void *ptr)
2150 {
2151 (void)testcase;
2152 (void)ptr;
2153 crypto_ed25519_testing_restore_impl();
2154 return 1;
2155 }
2156 static const struct testcase_setup_t ed25519_test_setup = {
2157 ed25519_testcase_setup, ed25519_testcase_cleanup
2158 };
2159
2160 static void
2161 test_crypto_ed25519_simple(void *arg)
2162 {
2163 ed25519_keypair_t kp1, kp2;
2164 ed25519_public_key_t pub1, pub2;
2165 ed25519_secret_key_t sec1, sec2;
2166 ed25519_signature_t sig1, sig2;
2167 const uint8_t msg[] =
2168 "GNU will be able to run Unix programs, "
2169 "but will not be identical to Unix.";
2170 const uint8_t msg2[] =
2171 "Microsoft Windows extends the features of the DOS operating system, "
2172 "yet is compatible with most existing applications that run under DOS.";
2173 size_t msg_len = strlen((const char*)msg);
2174 size_t msg2_len = strlen((const char*)msg2);
2175
2176 (void)arg;
2177
2178 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec1, 0));
2179 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec2, 1));
2180
2181 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub1, &sec1));
2182 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec1));
2183
2184 tt_mem_op(pub1.pubkey, OP_EQ, pub2.pubkey, sizeof(pub1.pubkey));
2185 tt_assert(ed25519_pubkey_eq(&pub1, &pub2));
2186 tt_assert(ed25519_pubkey_eq(&pub1, &pub1));
2187
2188 memcpy(&kp1.pubkey, &pub1, sizeof(pub1));
2189 memcpy(&kp1.seckey, &sec1, sizeof(sec1));
2190 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp1));
2191 tt_int_op(0, OP_EQ, ed25519_sign(&sig2, msg, msg_len, &kp1));
2192
2193 /* Ed25519 signatures are deterministic */
2194 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, sizeof(sig1.sig));
2195
2196 /* Basic signature is valid. */
2197 tt_int_op(0, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2198
2199 /* Altered signature doesn't work. */
2200 sig1.sig[0] ^= 3;
2201 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2202
2203 /* Wrong public key doesn't work. */
2204 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec2));
2205 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub2));
2206 tt_assert(! ed25519_pubkey_eq(&pub1, &pub2));
2207
2208 /* Wrong message doesn't work. */
2209 tt_int_op(0, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub1));
2210 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len-1, &pub1));
2211 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg2, msg2_len, &pub1));
2212
2213 /* Batch signature checking works with some bad. */
2214 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp2, 0));
2215 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp2));
2216 {
2217 ed25519_checkable_t ch[] = {
2218 { &pub1, sig2, msg, msg_len }, /*ok*/
2219 { &pub1, sig2, msg, msg_len-1 }, /*bad*/
2220 { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/
2221 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2222 };
2223 int okay[4];
2224 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(okay, ch, 4));
2225 tt_int_op(okay[0], OP_EQ, 1);
2226 tt_int_op(okay[1], OP_EQ, 0);
2227 tt_int_op(okay[2], OP_EQ, 0);
2228 tt_int_op(okay[3], OP_EQ, 1);
2229 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(NULL, ch, 4));
2230 }
2231
2232 /* Batch signature checking works with all good. */
2233 {
2234 ed25519_checkable_t ch[] = {
2235 { &pub1, sig2, msg, msg_len }, /*ok*/
2236 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2237 };
2238 int okay[2];
2239 tt_int_op(0, OP_EQ, ed25519_checksig_batch(okay, ch, 2));
2240 tt_int_op(okay[0], OP_EQ, 1);
2241 tt_int_op(okay[1], OP_EQ, 1);
2242 tt_int_op(0, OP_EQ, ed25519_checksig_batch(NULL, ch, 2));
2243 }
2244
2245 done:
2246 ;
2247 }
2248
2249 static void
2250 test_crypto_ed25519_test_vectors(void *arg)
2251 {
2252 char *mem_op_hex_tmp=NULL;
2253 int i;
2254 struct {
2255 const char *sk;
2256 const char *pk;
2257 const char *sig;
2258 const char *msg;
2259 } items[] = {
2260 /* These test vectors were generated with the "ref" implementation of
2261 * ed25519 from SUPERCOP-20130419 */
2262 { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
2263 "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
2264 "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
2265 "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
2266 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2267 "204e554c2d7465726d696e617465642e"
2268 },
2269
2270 { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
2271 "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
2272 "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
2273 "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
2274 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2275 "204e554c2d7465726d696e617465642e"
2276 },
2277 { "6578706f73656420627920456e676c697368207465787420617320696e707574",
2278 "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
2279 "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
2280 "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
2281 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2282 "204e554c2d7465726d696e617465642e"
2283 },
2284
2285 /* These come from "sign.input" in ed25519's page */
2286 { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
2287 "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
2288 "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
2289 "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
2290 "5a8d9d0a22357e6655f9c785"
2291 },
2292 { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
2293 "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
2294 "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
2295 "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
2296 "b87d3813e03f58cf19fd0b6395"
2297 },
2298 { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
2299 "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
2300 "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
2301 "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
2302 "55c7fa434f5ed8cdec2b7aeac173",
2303 },
2304 { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
2305 "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
2306 "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
2307 "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
2308 "0a688e79be24f866286d4646b5d81c"
2309 },
2310 /* These come from draft-irtf-cfrg-eddsa-05 section 7.1 */
2311 {
2312 "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
2313 "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
2314 "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
2315 "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b",
2316 ""
2317 },
2318 {
2319 "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
2320 "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
2321 "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
2322 "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00",
2323 "72"
2324 },
2325 {
2326 "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
2327 "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
2328 "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350"
2329 "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
2330 "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98"
2331 "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8"
2332 "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d"
2333 "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc"
2334 "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe"
2335 "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e"
2336 "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef"
2337 "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7"
2338 "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
2339 "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2"
2340 "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24"
2341 "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270"
2342 "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc"
2343 "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07"
2344 "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba"
2345 "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a"
2346 "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e"
2347 "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
2348 "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c"
2349 "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8"
2350 "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df"
2351 "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08"
2352 "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649"
2353 "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4"
2354 "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3"
2355 "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e"
2356 "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
2357 "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5"
2358 "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1"
2359 "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d"
2360 "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c"
2361 "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0"
2362 },
2363 {
2364 "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
2365 "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
2366 "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
2367 "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704",
2368 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
2369 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
2370 },
2371 { NULL, NULL, NULL, NULL}
2372 };
2373
2374 (void)arg;
2375
2376 for (i = 0; items[i].pk; ++i) {
2377 ed25519_keypair_t kp;
2378 ed25519_signature_t sig;
2379 uint8_t sk_seed[32];
2380 uint8_t *msg;
2381 size_t msg_len;
2382 base16_decode((char*)sk_seed, sizeof(sk_seed),
2383 items[i].sk, 64);
2384 ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
2385 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
2386 test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
2387
2388 msg_len = strlen(items[i].msg) / 2;
2389 msg = tor_malloc(msg_len);
2390 base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg));
2391
2392 tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, msg_len, &kp));
2393 test_memeq_hex(sig.sig, items[i].sig);
2394
2395 tor_free(msg);
2396 }
2397
2398 done:
2399 tor_free(mem_op_hex_tmp);
2400 }
2401
2402 static void
2403 test_crypto_ed25519_encode(void *arg)
2404 {
2405 char buf[ED25519_SIG_BASE64_LEN+1];
2406 ed25519_keypair_t kp;
2407 ed25519_public_key_t pk;
2408 ed25519_signature_t sig1, sig2;
2409 char *mem_op_hex_tmp = NULL;
2410 (void) arg;
2411
2412 /* Test roundtrip. */
2413 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, 0));
2414 tt_int_op(0, OP_EQ, ed25519_public_to_base64(buf, &kp.pubkey));
2415 tt_int_op(ED25519_BASE64_LEN, OP_EQ, strlen(buf));
2416 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk, buf));
2417 tt_mem_op(kp.pubkey.pubkey, OP_EQ, pk.pubkey, ED25519_PUBKEY_LEN);
2418
2419 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, (const uint8_t*)"ABC", 3, &kp));
2420 tt_int_op(0, OP_EQ, ed25519_signature_to_base64(buf, &sig1));
2421 tt_int_op(0, OP_EQ, ed25519_signature_from_base64(&sig2, buf));
2422 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, ED25519_SIG_LEN);
2423
2424 /* Test known value. */
2425 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk,
2426 "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
2427 test_memeq_hex(pk.pubkey,
2428 "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
2429
2430 done:
2431 tor_free(mem_op_hex_tmp);
2432 }
2433
2434 static void
2435 test_crypto_ed25519_convert(void *arg)
2436 {
2437 const uint8_t msg[] =
2438 "The eyes are not here / There are no eyes here.";
2439 const int N = 30;
2440 int i;
2441 (void)arg;
2442
2443 for (i = 0; i < N; ++i) {
2444 curve25519_keypair_t curve25519_keypair;
2445 ed25519_keypair_t ed25519_keypair;
2446 ed25519_public_key_t ed25519_pubkey;
2447
2448 int bit=0;
2449 ed25519_signature_t sig;
2450
2451 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&curve25519_keypair, i&1));
2452 tt_int_op(0,OP_EQ,ed25519_keypair_from_curve25519_keypair(
2453 &ed25519_keypair, &bit, &curve25519_keypair));
2454 tt_int_op(0,OP_EQ,ed25519_public_key_from_curve25519_public_key(
2455 &ed25519_pubkey, &curve25519_keypair.pubkey, bit));
2456 tt_mem_op(ed25519_pubkey.pubkey, OP_EQ, ed25519_keypair.pubkey.pubkey, 32);
2457
2458 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair));
2459 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2460 &ed25519_pubkey));
2461
2462 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2463 &ed25519_pubkey));
2464 sig.sig[0] ^= 15;
2465 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2466 &ed25519_pubkey));
2467 }
2468
2469 done:
2470 ;
2471 }
2472
2473 static void
2474 test_crypto_ed25519_blinding(void *arg)
2475 {
2476 const uint8_t msg[] =
2477 "Eyes I dare not meet in dreams / In death's dream kingdom";
2478
2479 const int N = 30;
2480 int i;
2481 (void)arg;
2482
2483 for (i = 0; i < N; ++i) {
2484 uint8_t blinding[32];
2485 ed25519_keypair_t ed25519_keypair;
2486 ed25519_keypair_t ed25519_keypair_blinded;
2487 ed25519_public_key_t ed25519_pubkey_blinded;
2488
2489 ed25519_signature_t sig;
2490
2491 crypto_rand((char*) blinding, sizeof(blinding));
2492
2493 tt_int_op(0,OP_EQ,ed25519_keypair_generate(&ed25519_keypair, 0));
2494 tt_int_op(0,OP_EQ,ed25519_keypair_blind(&ed25519_keypair_blinded,
2495 &ed25519_keypair, blinding));
2496
2497 tt_int_op(0,OP_EQ,ed25519_public_blind(&ed25519_pubkey_blinded,
2498 &ed25519_keypair.pubkey, blinding));
2499
2500 tt_mem_op(ed25519_pubkey_blinded.pubkey, OP_EQ,
2501 ed25519_keypair_blinded.pubkey.pubkey, 32);
2502
2503 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg),
2504 &ed25519_keypair_blinded));
2505
2506 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2507 &ed25519_pubkey_blinded));
2508
2509 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2510 &ed25519_pubkey_blinded));
2511 sig.sig[0] ^= 15;
2512 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2513 &ed25519_pubkey_blinded));
2514 }
2515
2516 done:
2517 ;
2518 }
2519
2520 static void
2521 test_crypto_ed25519_testvectors(void *arg)
2522 {
2523 unsigned i;
2524 char *mem_op_hex_tmp = NULL;
2525 (void)arg;
2526
2527 for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) {
2528 uint8_t sk[32];
2529 ed25519_secret_key_t esk;
2530 ed25519_public_key_t pk, blind_pk, pkfromcurve;
2531 ed25519_keypair_t keypair, blind_keypair;
2532 curve25519_keypair_t curvekp;
2533 uint8_t blinding_param[32];
2534 ed25519_signature_t sig;
2535 int sign;
2536
2537 #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
2538 #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
2539
2540 tt_int_op(sizeof(sk), OP_EQ, DECODE(sk, ED25519_SECRET_KEYS[i]));
2541 tt_int_op(sizeof(blinding_param), OP_EQ, DECODE(blinding_param,
2542 ED25519_BLINDING_PARAMS[i]));
2543
2544 tt_int_op(0, OP_EQ, ed25519_secret_key_from_seed(&esk, sk));
2545 EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]);
2546
2547 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &esk));
2548 EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]);
2549
2550 memcpy(&curvekp.seckey.secret_key, esk.seckey, 32);
2551 curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey);
2552
2553 tt_int_op(0, OP_EQ,
2554 ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp));
2555 tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
2556 &pkfromcurve, &curvekp.pubkey, sign));
2557 tt_mem_op(keypair.pubkey.pubkey, OP_EQ, pkfromcurve.pubkey, 32);
2558 EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]);
2559
2560 /* Self-signing */
2561 memcpy(&keypair.seckey, &esk, sizeof(esk));
2562 memcpy(&keypair.pubkey, &pk, sizeof(pk));
2563
2564 tt_int_op(0, OP_EQ, ed25519_sign(&sig, pk.pubkey, 32, &keypair));
2565
2566 EQ(sig.sig, ED25519_SELF_SIGNATURES[i]);
2567
2568 /* Blinding */
2569 tt_int_op(0, OP_EQ,
2570 ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param));
2571 tt_int_op(0, OP_EQ,
2572 ed25519_public_blind(&blind_pk, &pk, blinding_param));
2573
2574 EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]);
2575 EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]);
2576
2577 tt_mem_op(blind_pk.pubkey, OP_EQ, blind_keypair.pubkey.pubkey, 32);
2578
2579 #undef DECODE
2580 #undef EQ
2581 }
2582 done:
2583 tor_free(mem_op_hex_tmp);
2584 }
2585
2586 static void
2587 test_crypto_ed25519_fuzz_donna(void *arg)
2588 {
2589 const unsigned iters = 1024;
2590 uint8_t msg[1024];
2591 unsigned i;
2592 (void)arg;
2593
2594 tt_assert(sizeof(msg) == iters);
2595 crypto_rand((char*) msg, sizeof(msg));
2596
2597 /* Fuzz Ed25519-donna vs ref10, alternating the implementation used to
2598 * generate keys/sign per iteration.
2599 */
2600 for (i = 0; i < iters; ++i) {
2601 const int use_donna = i & 1;
2602 uint8_t blinding[32];
2603 curve25519_keypair_t ckp;
2604 ed25519_keypair_t kp, kp_blind, kp_curve25519;
2605 ed25519_public_key_t pk, pk_blind, pk_curve25519;
2606 ed25519_signature_t sig, sig_blind;
2607 int bit = 0;
2608
2609 crypto_rand((char*) blinding, sizeof(blinding));
2610
2611 /* Impl. A:
2612 * 1. Generate a keypair.
2613 * 2. Blinded the keypair.
2614 * 3. Sign a message (unblinded).
2615 * 4. Sign a message (blinded).
2616 * 5. Generate a curve25519 keypair, and convert it to Ed25519.
2617 */
2618 ed25519_set_impl_params(use_donna);
2619 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, i&1));
2620 tt_int_op(0, OP_EQ, ed25519_keypair_blind(&kp_blind, &kp, blinding));
2621 tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, i, &kp));
2622 tt_int_op(0, OP_EQ, ed25519_sign(&sig_blind, msg, i, &kp_blind));
2623
2624 tt_int_op(0, OP_EQ, curve25519_keypair_generate(&ckp, i&1));
2625 tt_int_op(0, OP_EQ, ed25519_keypair_from_curve25519_keypair(
2626 &kp_curve25519, &bit, &ckp));
2627
2628 /* Impl. B:
2629 * 1. Validate the public key by rederiving it.
2630 * 2. Validate the blinded public key by rederiving it.
2631 * 3. Validate the unblinded signature (and test a invalid signature).
2632 * 4. Validate the blinded signature.
2633 * 5. Validate the public key (from Curve25519) by rederiving it.
2634 */
2635 ed25519_set_impl_params(!use_donna);
2636 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &kp.seckey));
2637 tt_mem_op(pk.pubkey, OP_EQ, kp.pubkey.pubkey, 32);
2638
2639 tt_int_op(0, OP_EQ, ed25519_public_blind(&pk_blind, &kp.pubkey, blinding));
2640 tt_mem_op(pk_blind.pubkey, OP_EQ, kp_blind.pubkey.pubkey, 32);
2641
2642 tt_int_op(0, OP_EQ, ed25519_checksig(&sig, msg, i, &pk));
2643 sig.sig[0] ^= 15;
2644 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig, msg, sizeof(msg), &pk));
2645
2646 tt_int_op(0, OP_EQ, ed25519_checksig(&sig_blind, msg, i, &pk_blind));
2647
2648 tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
2649 &pk_curve25519, &ckp.pubkey, bit));
2650 tt_mem_op(pk_curve25519.pubkey, OP_EQ, kp_curve25519.pubkey.pubkey, 32);
2651 }
2652
2653 done:
2654 ;
2655 }
2656
2657 static void
2658 test_crypto_ed25519_storage(void *arg)
2659 {
2660 (void)arg;
2661 ed25519_keypair_t *keypair = NULL;
2662 ed25519_public_key_t pub;
2663 ed25519_secret_key_t sec;
2664 char *fname_1 = tor_strdup(get_fname("ed_seckey_1"));
2665 char *fname_2 = tor_strdup(get_fname("ed_pubkey_2"));
2666 char *contents = NULL;
2667 char *tag = NULL;
2668
2669 keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
2670 tt_int_op(0,OP_EQ,ed25519_keypair_generate(keypair, 0));
2671 tt_int_op(0,OP_EQ,
2672 ed25519_seckey_write_to_file(&keypair->seckey, fname_1, "foo"));
2673 tt_int_op(0,OP_EQ,
2674 ed25519_pubkey_write_to_file(&keypair->pubkey, fname_2, "bar"));
2675
2676 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_1));
2677 tt_ptr_op(tag, OP_EQ, NULL);
2678 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_2));
2679 tt_ptr_op(tag, OP_EQ, NULL);
2680
2681 tt_int_op(0, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2682 tt_str_op(tag, OP_EQ, "bar");
2683 tor_free(tag);
2684 tt_int_op(0, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2685 tt_str_op(tag, OP_EQ, "foo");
2686 tor_free(tag);
2687
2688 /* whitebox test: truncated keys. */
2689 tt_int_op(0, ==, do_truncate(fname_1, 40));
2690 tt_int_op(0, ==, do_truncate(fname_2, 40));
2691 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2692 tt_ptr_op(tag, OP_EQ, NULL);
2693 tor_free(tag);
2694 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2695 tt_ptr_op(tag, OP_EQ, NULL);
2696
2697 done:
2698 tor_free(fname_1);
2699 tor_free(fname_2);
2700 tor_free(contents);
2701 tor_free(tag);
2702 ed25519_keypair_free(keypair);
2703 }
2704
2705 static void
2706 test_crypto_siphash(void *arg)
2707 {
2708 /* From the reference implementation, taking
2709 k = 00 01 02 ... 0f
2710 and in = 00; 00 01; 00 01 02; ...
2711 */
2712 const uint8_t VECTORS[64][8] =
2713 {
2714 { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
2715 { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
2716 { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
2717 { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
2718 { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
2719 { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
2720 { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
2721 { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
2722 { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
2723 { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
2724 { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
2725 { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
2726 { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
2727 { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
2728 { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
2729 { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
2730 { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
2731 { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
2732 { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
2733 { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
2734 { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
2735 { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
2736 { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
2737 { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
2738 { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
2739 { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
2740 { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
2741 { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
2742 { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
2743 { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
2744 { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
2745 { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
2746 { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
2747 { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
2748 { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
2749 { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
2750 { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
2751 { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
2752 { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
2753 { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
2754 { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
2755 { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
2756 { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
2757 { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
2758 { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
2759 { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
2760 { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
2761 { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
2762 { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
2763 { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
2764 { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
2765 { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
2766 { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
2767 { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
2768 { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
2769 { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
2770 { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
2771 { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
2772 { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
2773 { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
2774 { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
2775 { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
2776 { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
2777 { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
2778 };
2779
2780 const struct sipkey K = { U64_LITERAL(0x0706050403020100),
2781 U64_LITERAL(0x0f0e0d0c0b0a0908) };
2782 uint8_t input[64];
2783 int i, j;
2784
2785 (void)arg;
2786
2787 for (i = 0; i < 64; ++i)
2788 input[i] = i;
2789
2790 for (i = 0; i < 64; ++i) {
2791 uint64_t r = siphash24(input, i, &K);
2792 for (j = 0; j < 8; ++j) {
2793 tt_int_op( (r >> (j*8)) & 0xff, OP_EQ, VECTORS[i][j]);
2794 }
2795 }
2796
2797 done:
2798 ;
2799 }
2800
2801 /* We want the likelihood that the random buffer exhibits any regular pattern
2802 * to be far less than the memory bit error rate in the int return value.
2803 * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call
2804 * 3 functions, leading to an overall error rate of 1/10^616.
2805 * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range.
2806 */
2807 #define FAILURE_MODE_BUFFER_SIZE (2048/8)
2808
2809 /** Check crypto_rand for a failure mode where it does nothing to the buffer,
2810 * or it sets the buffer to all zeroes. Return 0 when the check passes,
2811 * or -1 when it fails. */
2812 static int
2813 crypto_rand_check_failure_mode_zero(void)
2814 {
2815 char buf[FAILURE_MODE_BUFFER_SIZE];
2816
2817 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
2818 crypto_rand(buf, FAILURE_MODE_BUFFER_SIZE);
2819
2820 for (size_t i = 0; i < FAILURE_MODE_BUFFER_SIZE; i++) {
2821 if (buf[i] != 0) {
2822 return 0;
2823 }
2824 }
2825
2826 return -1;
2827 }
2828
2829 /** Check crypto_rand for a failure mode where every int64_t in the buffer is
2830 * the same. Return 0 when the check passes, or -1 when it fails. */
2831 static int
2832 crypto_rand_check_failure_mode_identical(void)
2833 {
2834 /* just in case the buffer size isn't a multiple of sizeof(int64_t) */
2835 #define FAILURE_MODE_BUFFER_SIZE_I64 \
2836 (FAILURE_MODE_BUFFER_SIZE/SIZEOF_INT64_T)
2837 #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \
2838 (FAILURE_MODE_BUFFER_SIZE_I64*SIZEOF_INT64_T)
2839
2840 #if FAILURE_MODE_BUFFER_SIZE_I64 < 2
2841 #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*SIZEOF_INT64_T
2842 #endif
2843
2844 int64_t buf[FAILURE_MODE_BUFFER_SIZE_I64];
2845
2846 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
2847 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
2848
2849 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE_I64; i++) {
2850 if (buf[i] != buf[i-1]) {
2851 return 0;
2852 }
2853 }
2854
2855 return -1;
2856 }
2857
2858 /** Check crypto_rand for a failure mode where it increments the "random"
2859 * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.)
2860 * Return 0 when the check passes, or -1 when it fails. */
2861 static int
2862 crypto_rand_check_failure_mode_predict(void)
2863 {
2864 unsigned char buf[FAILURE_MODE_BUFFER_SIZE];
2865
2866 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
2867 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE);
2868
2869 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE; i++) {
2870 /* check if the last byte was incremented by 1, including integer
2871 * wrapping */
2872 if (buf[i] - buf[i-1] != 1 && buf[i-1] - buf[i] != 255) {
2873 return 0;
2874 }
2875 }
2876
2877 return -1;
2878 }
2879
2880 #undef FAILURE_MODE_BUFFER_SIZE
2881
2882 static void
2883 test_crypto_failure_modes(void *arg)
2884 {
2885 int rv = 0;
2886 (void)arg;
2887
2888 rv = crypto_early_init();
2889 tt_assert(rv == 0);
2890
2891 /* Check random works */
2892 rv = crypto_rand_check_failure_mode_zero();
2893 tt_assert(rv == 0);
2894
2895 rv = crypto_rand_check_failure_mode_identical();
2896 tt_assert(rv == 0);
2897
2898 rv = crypto_rand_check_failure_mode_predict();
2899 tt_assert(rv == 0);
2900
2901 done:
2902 ;
2903 }
2904
2905 #define CRYPTO_LEGACY(name) \
2906 { #name, test_crypto_ ## name , 0, NULL, NULL }
2907
2908 #define ED25519_TEST_ONE(name, fl, which) \
2909 { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
2910 &ed25519_test_setup, (void*)which }
2911
2912 #define ED25519_TEST(name, fl) \
2913 ED25519_TEST_ONE(name, (fl), "donna"), \
2914 ED25519_TEST_ONE(name, (fl), "ref10")
2915
2916 struct testcase_t crypto_tests[] = {
2917 CRYPTO_LEGACY(formats),
2918 CRYPTO_LEGACY(rng),
2919 { "rng_range", test_crypto_rng_range, 0, NULL, NULL },
2920 { "rng_engine", test_crypto_rng_engine, TT_FORK, NULL, NULL },
2921 { "rng_strongest", test_crypto_rng_strongest, TT_FORK, NULL, NULL },
2922 { "rng_strongest_nosyscall", test_crypto_rng_strongest, TT_FORK,
2923 &passthrough_setup, (void*)"nosyscall" },
2924 { "rng_strongest_nofallback", test_crypto_rng_strongest, TT_FORK,
2925 &passthrough_setup, (void*)"nofallback" },
2926 { "rng_strongest_broken", test_crypto_rng_strongest, TT_FORK,
2927 &passthrough_setup, (void*)"broken" },
2928 { "openssl_version", test_crypto_openssl_version, TT_FORK, NULL, NULL },
2929 { "aes_AES", test_crypto_aes, TT_FORK, &passthrough_setup, (void*)"aes" },
2930 { "aes_EVP", test_crypto_aes, TT_FORK, &passthrough_setup, (void*)"evp" },
2931 { "aes_ctr_testvec", test_crypto_aes_ctr_testvec, 0, NULL, NULL },
2932 CRYPTO_LEGACY(sha),
2933 CRYPTO_LEGACY(pk),
2934 { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
2935 { "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL },
2936 CRYPTO_LEGACY(digests),
2937 { "digest_names", test_crypto_digest_names, 0, NULL, NULL },
2938 { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL},
2939 { "sha3_xof", test_crypto_sha3_xof, TT_FORK, NULL, NULL},
2940 CRYPTO_LEGACY(dh),
2941 { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
2942 (void*)"aes" },
2943 { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
2944 (void*)"evp" },
2945 CRYPTO_LEGACY(base32_decode),
2946 { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL },
2947 { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
2948 { "hkdf_sha256_testvecs", test_crypto_hkdf_sha256_testvecs, 0, NULL, NULL },
2949 { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
2950 { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"},
2951 { "curve25516_testvec", test_crypto_curve25519_testvec, 0, NULL, NULL },
2952 { "curve25519_basepoint",
2953 test_crypto_curve25519_basepoint, TT_FORK, NULL, NULL },
2954 { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
2955 { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
2956 { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
2957 ED25519_TEST(simple, 0),
2958 ED25519_TEST(test_vectors, 0),
2959 ED25519_TEST(encode, 0),
2960 ED25519_TEST(convert, 0),
2961 ED25519_TEST(blinding, 0),
2962 ED25519_TEST(testvectors, 0),
2963 ED25519_TEST(fuzz_donna, TT_FORK),
2964 { "ed25519_storage", test_crypto_ed25519_storage, 0, NULL, NULL },
2965 { "siphash", test_crypto_siphash, 0, NULL, NULL },
2966 { "failure_modes", test_crypto_failure_modes, TT_FORK, NULL, NULL },
2967 END_OF_TESTCASES
2968 };
2969
The Onion Router