search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update copyrights to 2021, using "make update-copyright"
[tor.git] / src / test / test_crypto.c
blob87e309f25a4379b4ae2b79ecce4cb5ee5b0f9fc6
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2021, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5
6 #include "orconfig.h"
7 #define CRYPTO_CURVE25519_PRIVATE
8 #define CRYPTO_RAND_PRIVATE
9 #include "core/or/or.h"
10 #include "test/test.h"
11 #include "lib/crypt_ops/aes.h"
12 #include "siphash.h"
13 #include "lib/crypt_ops/crypto_curve25519.h"
14 #include "lib/crypt_ops/crypto_dh.h"
15 #include "lib/crypt_ops/crypto_ed25519.h"
16 #include "lib/crypt_ops/crypto_format.h"
17 #include "lib/crypt_ops/crypto_hkdf.h"
18 #include "lib/crypt_ops/crypto_rand.h"
19 #include "lib/crypt_ops/crypto_init.h"
20 #include "ed25519_vectors.inc"
21 #include "test/log_test_helpers.h"
22
23 #ifdef HAVE_SYS_STAT_H
24 #include <sys/stat.h>
25 #endif
26 #ifdef HAVE_UNISTD_H
27 #include <unistd.h>
28 #endif
29
30 #if defined(ENABLE_OPENSSL)
31 #include "lib/crypt_ops/compat_openssl.h"
32 DISABLE_GCC_WARNING("-Wredundant-decls")
33 #include <openssl/dh.h>
34 ENABLE_GCC_WARNING("-Wredundant-decls")
35 #endif /* defined(ENABLE_OPENSSL) */
36
37 /** Run unit tests for Diffie-Hellman functionality. */
38 static void
39 test_crypto_dh(void *arg)
40 {
41 crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
42 crypto_dh_t *dh1_dup = NULL;
43 crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
44 char p1[DH1024_KEY_LEN];
45 char p2[DH1024_KEY_LEN];
46 char s1[DH1024_KEY_LEN];
47 char s2[DH1024_KEY_LEN];
48 ssize_t s1len, s2len;
49 #ifdef ENABLE_OPENSSL
50 crypto_dh_t *dh3 = NULL;
51 DH *dh4 = NULL;
52 BIGNUM *pubkey_tmp = NULL;
53 #endif
54
55 (void)arg;
56 tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH1024_KEY_LEN);
57 tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH1024_KEY_LEN);
58
59 memset(p1, 0, DH1024_KEY_LEN);
60 memset(p2, 0, DH1024_KEY_LEN);
61 tt_mem_op(p1,OP_EQ, p2, DH1024_KEY_LEN);
62
63 tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */
64
65 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
66 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
67 tt_assert(! crypto_dh_get_public(dh2, p2, DH1024_KEY_LEN));
68 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
69
70 memset(s1, 0, DH1024_KEY_LEN);
71 memset(s2, 0xFF, DH1024_KEY_LEN);
72 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH1024_KEY_LEN, s1, 50);
73 s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH1024_KEY_LEN, s2, 50);
74 tt_assert(s1len > 0);
75 tt_int_op(s1len,OP_EQ, s2len);
76 tt_mem_op(s1,OP_EQ, s2, s1len);
77
78 /* test dh_dup; make sure it works the same. */
79 dh1_dup = crypto_dh_dup(dh1);
80 s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH1024_KEY_LEN,
81 s1, 50);
82 tt_i64_op(s1len, OP_GE, 0);
83 tt_mem_op(s1,OP_EQ, s2, s1len);
84
85 {
86 /* Now fabricate some bad values and make sure they get caught. */
87
88 /* 1 and 0 should both fail. */
89 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x01", 1, s1, 50);
90 tt_int_op(-1, OP_EQ, s1len);
91
92 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50);
93 tt_int_op(-1, OP_EQ, s1len);
94
95 memset(p1, 0, DH1024_KEY_LEN); /* 0 with padding. */
96 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
97 s1, 50);
98 tt_int_op(-1, OP_EQ, s1len);
99
100 p1[DH1024_KEY_LEN-1] = 1; /* 1 with padding*/
101 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
102 s1, 50);
103 tt_int_op(-1, OP_EQ, s1len);
104
105 /* 2 is okay, though weird. */
106 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
107 tt_int_op(50, OP_EQ, s1len);
108
109 /* 2 a second time is still okay, though weird. */
110 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
111 tt_int_op(50, OP_EQ, s1len);
112
113 const char P[] =
114 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
115 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
116 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
117 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
118 "49286651ECE65381FFFFFFFFFFFFFFFF";
119
120 /* p-1, p, and so on are not okay. */
121 base16_decode(p1, sizeof(p1), P, strlen(P));
122
123 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
124 s1, 50);
125 tt_int_op(-1, OP_EQ, s1len);
126
127 p1[DH1024_KEY_LEN-1] = 0xFE; /* p-1 */
128 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
129 s1, 50);
130 tt_int_op(-1, OP_EQ, s1len);
131
132 p1[DH1024_KEY_LEN-1] = 0xFD; /* p-2 works fine */
133 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
134 s1, 50);
135 tt_int_op(50, OP_EQ, s1len);
136
137 const char P_plus_one[] =
138 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
139 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
140 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
141 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
142 "49286651ECE653820000000000000000";
143
144 base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one));
145
146 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
147 s1, 50);
148 tt_int_op(-1, OP_EQ, s1len);
149
150 p1[DH1024_KEY_LEN-1] = 0x01; /* p+2 */
151 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
152 s1, 50);
153 tt_int_op(-1, OP_EQ, s1len);
154
155 p1[DH1024_KEY_LEN-1] = 0xff; /* p+256 */
156 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
157 s1, 50);
158 tt_int_op(-1, OP_EQ, s1len);
159
160 memset(p1, 0xff, DH1024_KEY_LEN), /* 2^1024-1 */
161 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
162 s1, 50);
163 tt_int_op(-1, OP_EQ, s1len);
164 }
165
166 {
167 /* provoke an error in the openssl DH_compute_key function; make sure we
168 * survive. */
169 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
170
171 crypto_dh_free(dh2);
172 dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */
173 s1len = crypto_dh_compute_secret(LOG_WARN, dh2,
174 p1, DH1024_KEY_LEN,
175 s1, 50);
176 tt_int_op(s1len, OP_EQ, -1);
177 }
178
179 #if defined(ENABLE_OPENSSL)
180 {
181 /* Make sure that our crypto library can handshake with openssl. */
182 dh3 = crypto_dh_new(DH_TYPE_TLS);
183 tt_assert(!crypto_dh_get_public(dh3, p1, DH1024_KEY_LEN));
184
185 dh4 = crypto_dh_new_openssl_tls();
186 tt_assert(DH_generate_key(dh4));
187 const BIGNUM *pk=NULL;
188 #ifdef OPENSSL_1_1_API
189 const BIGNUM *sk=NULL;
190 DH_get0_key(dh4, &pk, &sk);
191 #else
192 pk = dh4->pub_key;
193 #endif /* defined(OPENSSL_1_1_API) */
194 tt_assert(pk);
195 tt_int_op(BN_num_bytes(pk), OP_LE, DH1024_KEY_LEN);
196 tt_int_op(BN_num_bytes(pk), OP_GT, 0);
197 memset(p2, 0, sizeof(p2));
198 /* right-pad. */
199 BN_bn2bin(pk, (unsigned char *)(p2+DH1024_KEY_LEN-BN_num_bytes(pk)));
200
201 s1len = crypto_dh_handshake(LOG_WARN, dh3, p2, DH1024_KEY_LEN,
202 (unsigned char *)s1, sizeof(s1));
203 pubkey_tmp = BN_bin2bn((unsigned char *)p1, DH1024_KEY_LEN, NULL);
204 s2len = DH_compute_key((unsigned char *)s2, pubkey_tmp, dh4);
205
206 tt_int_op(s1len, OP_EQ, s2len);
207 tt_int_op(s1len, OP_GT, 0);
208 tt_mem_op(s1, OP_EQ, s2, s1len);
209 }
210 #endif /* defined(ENABLE_OPENSSL) */
211
212 done:
213 crypto_dh_free(dh1);
214 crypto_dh_free(dh2);
215 crypto_dh_free(dh1_dup);
216 #ifdef ENABLE_OPENSSL
217 crypto_dh_free(dh3);
218 if (dh4)
219 DH_free(dh4);
220 if (pubkey_tmp)
221 BN_free(pubkey_tmp);
222 #endif /* defined(ENABLE_OPENSSL) */
223 }
224
225 static void
226 test_crypto_openssl_version(void *arg)
227 {
228 (void)arg;
229 #ifdef ENABLE_NSS
230 tt_skip();
231 #else
232 const char *version = crypto_openssl_get_version_str();
233 const char *h_version = crypto_openssl_get_header_version_str();
234 tt_assert(version);
235 tt_assert(h_version);
236 if (strcmpstart(version, h_version)) { /* "-fips" suffix, etc */
237 TT_DIE(("OpenSSL library version %s did not begin with header version %s.",
238 version, h_version));
239 }
240 if (strstr(version, "OpenSSL")) {
241 TT_DIE(("assertion failed: !strstr(\"%s\", \"OpenSSL\")", version));
242 }
243 int a=-1,b=-1,c=-1;
244 if (!strcmpstart(version, "LibreSSL") || !strcmpstart(version, "BoringSSL"))
245 return;
246 int r = tor_sscanf(version, "%d.%d.%d", &a,&b,&c);
247 tt_int_op(r, OP_EQ, 3);
248 tt_int_op(a, OP_GE, 0);
249 tt_int_op(b, OP_GE, 0);
250 tt_int_op(c, OP_GE, 0);
251 #endif /* defined(ENABLE_NSS) */
252
253 done:
254 ;
255 }
256
257 /** Run unit tests for our AES128 functionality */
258 static void
259 test_crypto_aes128(void *arg)
260 {
261 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
262 crypto_cipher_t *env1 = NULL, *env2 = NULL;
263 int i, j;
264 char *mem_op_hex_tmp=NULL;
265 char key[CIPHER_KEY_LEN];
266 int use_evp = !strcmp(arg,"evp");
267 evaluate_evp_for_aes(use_evp);
268 evaluate_ctr_for_aes();
269
270 data1 = tor_malloc(1024);
271 data2 = tor_malloc(1024);
272 data3 = tor_malloc(1024);
273
274 /* Now, test encryption and decryption with stream cipher. */
275 data1[0]='\0';
276 for (i = 1023; i>0; i -= 35)
277 strncat(data1, "Now is the time for all good onions", i);
278
279 memset(data2, 0, 1024);
280 memset(data3, 0, 1024);
281 crypto_rand(key, sizeof(key));
282 env1 = crypto_cipher_new(key);
283 tt_ptr_op(env1, OP_NE, NULL);
284 env2 = crypto_cipher_new(key);
285 tt_ptr_op(env2, OP_NE, NULL);
286
287 /* Try encrypting 512 chars. */
288 crypto_cipher_encrypt(env1, data2, data1, 512);
289 crypto_cipher_decrypt(env2, data3, data2, 512);
290 tt_mem_op(data1,OP_EQ, data3, 512);
291 tt_mem_op(data1,OP_NE, data2, 512);
292
293 /* Now encrypt 1 at a time, and get 1 at a time. */
294 for (j = 512; j < 560; ++j) {
295 crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
296 }
297 for (j = 512; j < 560; ++j) {
298 crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
299 }
300 tt_mem_op(data1,OP_EQ, data3, 560);
301 /* Now encrypt 3 at a time, and get 5 at a time. */
302 for (j = 560; j < 1024-5; j += 3) {
303 crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
304 }
305 for (j = 560; j < 1024-5; j += 5) {
306 crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
307 }
308 tt_mem_op(data1,OP_EQ, data3, 1024-5);
309 /* Now make sure that when we encrypt with different chunk sizes, we get
310 the same results. */
311 crypto_cipher_free(env2);
312 env2 = NULL;
313
314 memset(data3, 0, 1024);
315 env2 = crypto_cipher_new(key);
316 tt_ptr_op(env2, OP_NE, NULL);
317 for (j = 0; j < 1024-16; j += 17) {
318 crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
319 }
320 for (j= 0; j < 1024-16; ++j) {
321 if (data2[j] != data3[j]) {
322 printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]);
323 }
324 }
325 tt_mem_op(data2,OP_EQ, data3, 1024-16);
326 crypto_cipher_free(env1);
327 env1 = NULL;
328 crypto_cipher_free(env2);
329 env2 = NULL;
330
331 /* NIST test vector for aes. */
332 /* IV starts at 0 */
333 env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
334 "\x00\x00\x00\x00\x00\x00\x00\x00");
335 crypto_cipher_encrypt(env1, data1,
336 "\x00\x00\x00\x00\x00\x00\x00\x00"
337 "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
338 test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");
339
340 /* Now test rollover. All these values are originally from a python
341 * script. */
342 crypto_cipher_free(env1);
343 env1 = crypto_cipher_new_with_iv(
344 "\x80\x00\x00\x00\x00\x00\x00\x00"
345 "\x00\x00\x00\x00\x00\x00\x00\x00",
346 "\x00\x00\x00\x00\x00\x00\x00\x00"
347 "\xff\xff\xff\xff\xff\xff\xff\xff");
348 memset(data2, 0, 1024);
349 crypto_cipher_encrypt(env1, data1, data2, 32);
350 test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
351 "cdd0b917dbc7186908a6bfb5ffd574d3");
352 crypto_cipher_free(env1);
353 env1 = crypto_cipher_new_with_iv(
354 "\x80\x00\x00\x00\x00\x00\x00\x00"
355 "\x00\x00\x00\x00\x00\x00\x00\x00",
356 "\x00\x00\x00\x00\xff\xff\xff\xff"
357 "\xff\xff\xff\xff\xff\xff\xff\xff");
358 memset(data2, 0, 1024);
359 crypto_cipher_encrypt(env1, data1, data2, 32);
360 test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
361 "3e63c721df790d2c6469cc1953a3ffac");
362 crypto_cipher_free(env1);
363 env1 = crypto_cipher_new_with_iv(
364 "\x80\x00\x00\x00\x00\x00\x00\x00"
365 "\x00\x00\x00\x00\x00\x00\x00\x00",
366 "\xff\xff\xff\xff\xff\xff\xff\xff"
367 "\xff\xff\xff\xff\xff\xff\xff\xff");
368 memset(data2, 0, 1024);
369 crypto_cipher_encrypt(env1, data1, data2, 32);
370 test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
371 "0EDD33D3C621E546455BD8BA1418BEC8");
372
373 /* Now check rollover on inplace cipher. */
374 crypto_cipher_free(env1);
375 env1 = crypto_cipher_new_with_iv(
376 "\x80\x00\x00\x00\x00\x00\x00\x00"
377 "\x00\x00\x00\x00\x00\x00\x00\x00",
378 "\xff\xff\xff\xff\xff\xff\xff\xff"
379 "\xff\xff\xff\xff\xff\xff\xff\xff");
380 crypto_cipher_crypt_inplace(env1, data2, 64);
381 test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
382 "0EDD33D3C621E546455BD8BA1418BEC8"
383 "93e2c5243d6839eac58503919192f7ae"
384 "1908e67cafa08d508816659c2e693191");
385 crypto_cipher_free(env1);
386 env1 = crypto_cipher_new_with_iv(
387 "\x80\x00\x00\x00\x00\x00\x00\x00"
388 "\x00\x00\x00\x00\x00\x00\x00\x00",
389 "\xff\xff\xff\xff\xff\xff\xff\xff"
390 "\xff\xff\xff\xff\xff\xff\xff\xff");
391 crypto_cipher_crypt_inplace(env1, data2, 64);
392 tt_assert(fast_mem_is_zero(data2, 64));
393
394 done:
395 tor_free(mem_op_hex_tmp);
396 if (env1)
397 crypto_cipher_free(env1);
398 if (env2)
399 crypto_cipher_free(env2);
400 tor_free(data1);
401 tor_free(data2);
402 tor_free(data3);
403 }
404
405 static void
406 test_crypto_aes_ctr_testvec(void *arg)
407 {
408 const char *bitstr = arg;
409 char *mem_op_hex_tmp=NULL;
410 crypto_cipher_t *c=NULL;
411
412 /* from NIST SP800-38a, section F.5 */
413 const char ctr16[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
414 const char plaintext16[] =
415 "6bc1bee22e409f96e93d7e117393172a"
416 "ae2d8a571e03ac9c9eb76fac45af8e51"
417 "30c81c46a35ce411e5fbc1191a0a52ef"
418 "f69f2445df4f9b17ad2b417be66c3710";
419 const char *ciphertext16;
420 const char *key16;
421 int bits;
422
423 if (!strcmp(bitstr, "128")) {
424 ciphertext16 = /* section F.5.1 */
425 "874d6191b620e3261bef6864990db6ce"
426 "9806f66b7970fdff8617187bb9fffdff"
427 "5ae4df3edbd5d35e5b4f09020db03eab"
428 "1e031dda2fbe03d1792170a0f3009cee";
429 key16 = "2b7e151628aed2a6abf7158809cf4f3c";
430 bits = 128;
431 } else if (!strcmp(bitstr, "192")) {
432 ciphertext16 = /* section F.5.3 */
433 "1abc932417521ca24f2b0459fe7e6e0b"
434 "090339ec0aa6faefd5ccc2c6f4ce8e94"
435 "1e36b26bd1ebc670d1bd1d665620abf7"
436 "4f78a7f6d29809585a97daec58c6b050";
437 key16 = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b";
438 bits = 192;
439 } else if (!strcmp(bitstr, "256")) {
440 ciphertext16 = /* section F.5.5 */
441 "601ec313775789a5b7a7f504bbf3d228"
442 "f443e3ca4d62b59aca84e990cacaf5c5"
443 "2b0930daa23de94ce87017ba2d84988d"
444 "dfc9c58db67aada613c2dd08457941a6";
445 key16 =
446 "603deb1015ca71be2b73aef0857d7781"
447 "1f352c073b6108d72d9810a30914dff4";
448 bits = 256;
449 } else {
450 tt_abort_msg("AES doesn't support this number of bits.");
451 }
452
453 char key[32];
454 char iv[16];
455 char plaintext[16*4];
456 memset(key, 0xf9, sizeof(key)); /* poison extra bytes */
457 base16_decode(key, sizeof(key), key16, strlen(key16));
458 base16_decode(iv, sizeof(iv), ctr16, strlen(ctr16));
459 base16_decode(plaintext, sizeof(plaintext),
460 plaintext16, strlen(plaintext16));
461
462 c = crypto_cipher_new_with_iv_and_bits((uint8_t*)key, (uint8_t*)iv, bits);
463 crypto_cipher_crypt_inplace(c, plaintext, sizeof(plaintext));
464 test_memeq_hex(plaintext, ciphertext16);
465
466 done:
467 tor_free(mem_op_hex_tmp);
468 crypto_cipher_free(c);
469 }
470
471 /** Run unit tests for our SHA-1 functionality */
472 static void
473 test_crypto_sha(void *arg)
474 {
475 crypto_digest_t *d1 = NULL, *d2 = NULL;
476 int i;
477 #define RFC_4231_MAX_KEY_SIZE 131
478 char key[RFC_4231_MAX_KEY_SIZE];
479 char digest[DIGEST256_LEN];
480 char data[DIGEST512_LEN];
481 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
482 char *mem_op_hex_tmp=NULL;
483
484 /* Test SHA-1 with a test vector from the specification. */
485 (void)arg;
486 i = crypto_digest(data, "abc", 3);
487 test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
488 tt_int_op(i, OP_EQ, 0);
489
490 /* Test SHA-256 with a test vector from the specification. */
491 i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
492 test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
493 "96177A9CB410FF61F20015AD");
494 tt_int_op(i, OP_EQ, 0);
495
496 /* Test SHA-512 with a test vector from the specification. */
497 i = crypto_digest512(data, "abc", 3, DIGEST_SHA512);
498 test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
499 "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
500 "feebbd454d4423643ce80e2a9ac94fa54ca49f");
501 tt_int_op(i, OP_EQ, 0);
502
503 /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
504
505 /* Case empty (wikipedia) */
506 crypto_hmac_sha256(digest, "", 0, "", 0);
507 tt_str_op(hex_str(digest, 32),OP_EQ,
508 "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
509
510 /* Case quick-brown (wikipedia) */
511 crypto_hmac_sha256(digest, "key", 3,
512 "The quick brown fox jumps over the lazy dog", 43);
513 tt_str_op(hex_str(digest, 32),OP_EQ,
514 "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
515
516 /* "Test Case 1" from RFC 4231 */
517 memset(key, 0x0b, 20);
518 crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
519 test_memeq_hex(digest,
520 "b0344c61d8db38535ca8afceaf0bf12b"
521 "881dc200c9833da726e9376c2e32cff7");
522
523 /* "Test Case 2" from RFC 4231 */
524 memset(key, 0x0b, 20);
525 crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
526 test_memeq_hex(digest,
527 "5bdcc146bf60754e6a042426089575c7"
528 "5a003f089d2739839dec58b964ec3843");
529
530 /* "Test case 3" from RFC 4231 */
531 memset(key, 0xaa, 20);
532 memset(data, 0xdd, 50);
533 crypto_hmac_sha256(digest, key, 20, data, 50);
534 test_memeq_hex(digest,
535 "773ea91e36800e46854db8ebd09181a7"
536 "2959098b3ef8c122d9635514ced565fe");
537
538 /* "Test case 4" from RFC 4231 */
539 base16_decode(key, 25,
540 "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
541 memset(data, 0xcd, 50);
542 crypto_hmac_sha256(digest, key, 25, data, 50);
543 test_memeq_hex(digest,
544 "82558a389a443c0ea4cc819899f2083a"
545 "85f0faa3e578f8077a2e3ff46729665b");
546
547 /* "Test case 5" from RFC 4231 */
548 memset(key, 0x0c, 20);
549 crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
550 test_memeq_hex(digest,
551 "a3b6167473100ee06e0c796c2955552b");
552
553 /* "Test case 6" from RFC 4231 */
554 memset(key, 0xaa, 131);
555 crypto_hmac_sha256(digest, key, 131,
556 "Test Using Larger Than Block-Size Key - Hash Key First",
557 54);
558 test_memeq_hex(digest,
559 "60e431591ee0b67f0d8a26aacbf5b77f"
560 "8e0bc6213728c5140546040f0ee37f54");
561
562 /* "Test case 7" from RFC 4231 */
563 memset(key, 0xaa, 131);
564 crypto_hmac_sha256(digest, key, 131,
565 "This is a test using a larger than block-size key and a "
566 "larger than block-size data. The key needs to be hashed "
567 "before being used by the HMAC algorithm.", 152);
568 test_memeq_hex(digest,
569 "9b09ffa71b942fcb27635fbcd5b0e944"
570 "bfdc63644f0713938a7f51535c3a35e2");
571
572 /* Incremental digest code. */
573 d1 = crypto_digest_new();
574 tt_assert(d1);
575 crypto_digest_add_bytes(d1, "abcdef", 6);
576 d2 = crypto_digest_dup(d1);
577 tt_assert(d2);
578 crypto_digest_add_bytes(d2, "ghijkl", 6);
579 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
580 crypto_digest(d_out2, "abcdefghijkl", 12);
581 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
582 crypto_digest_assign(d2, d1);
583 crypto_digest_add_bytes(d2, "mno", 3);
584 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
585 crypto_digest(d_out2, "abcdefmno", 9);
586 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
587 crypto_digest_get_digest(d1, d_out1, DIGEST_LEN);
588 crypto_digest(d_out2, "abcdef", 6);
589 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
590 crypto_digest_free(d1);
591 crypto_digest_free(d2);
592
593 /* Incremental digest code with sha256 */
594 d1 = crypto_digest256_new(DIGEST_SHA256);
595 tt_assert(d1);
596 crypto_digest_add_bytes(d1, "abcdef", 6);
597 d2 = crypto_digest_dup(d1);
598 tt_assert(d2);
599 crypto_digest_add_bytes(d2, "ghijkl", 6);
600 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
601 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
602 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
603 crypto_digest_assign(d2, d1);
604 crypto_digest_add_bytes(d2, "mno", 3);
605 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
606 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
607 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
608 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
609 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
610 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
611 crypto_digest_free(d1);
612 crypto_digest_free(d2);
613
614 /* Incremental digest code with sha512 */
615 d1 = crypto_digest512_new(DIGEST_SHA512);
616 tt_assert(d1);
617 crypto_digest_add_bytes(d1, "abcdef", 6);
618 d2 = crypto_digest_dup(d1);
619 tt_assert(d2);
620 crypto_digest_add_bytes(d2, "ghijkl", 6);
621 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
622 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512);
623 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
624 crypto_digest_assign(d2, d1);
625 crypto_digest_add_bytes(d2, "mno", 3);
626 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
627 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512);
628 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
629 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
630 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512);
631 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
632
633 done:
634 if (d1)
635 crypto_digest_free(d1);
636 if (d2)
637 crypto_digest_free(d2);
638 tor_free(mem_op_hex_tmp);
639 }
640
641 static void
642 test_crypto_sha3(void *arg)
643 {
644 crypto_digest_t *d1 = NULL, *d2 = NULL;
645 int i;
646 char data[DIGEST512_LEN];
647 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
648 char *mem_op_hex_tmp=NULL;
649 char *large = NULL;
650
651 (void)arg;
652
653 /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
654 *
655 * NB: The code package's test vectors have length expressed in bits.
656 */
657
658 /* Len = 8, Msg = CC */
659 const uint8_t keccak_kat_msg8[] = { 0xcc };
660 i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
661 test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
662 "6252BB7CE180B00B582DD9B20AAAD7F0");
663 tt_int_op(i, OP_EQ, 0);
664 i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
665 test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
666 "C36E2EE0F652AC72E02624FA2E5ADEEC"
667 "C7DD6BB3580224B4D6138706FC6E8059"
668 "7B528051230B00621CC2B22999EAA205");
669 tt_int_op(i, OP_EQ, 0);
670
671 /* Len = 24, Msg = 1F877C */
672 const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
673 i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3,
674 DIGEST_SHA3_256);
675 test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
676 "C9C966712A501B19D1B6632CCD408EC5");
677 tt_int_op(i, OP_EQ, 0);
678 i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3,
679 DIGEST_SHA3_512);
680 test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
681 "1A2F0D0608C3A575163751F002DB30F4"
682 "0F2F671834B22D208591CFAF1F5ECFE4"
683 "3C49863A53B3225BDFD7C6591BA7658B");
684 tt_int_op(i, OP_EQ, 0);
685
686 /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
687 const uint8_t keccak_kat_msg1080[] = {
688 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
689 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
690 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
691 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
692 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
693 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
694 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
695 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
696 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
697 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
698 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
699 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
700 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
701 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
702 };
703 i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135,
704 DIGEST_SHA3_256);
705 test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
706 "BE9B7C736B8059ABFD6779AC35AC81B5");
707 tt_int_op(i, OP_EQ, 0);
708 i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135,
709 DIGEST_SHA3_512);
710 test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
711 "CB78696773A212A5F62D02D14E3259D1"
712 "92A87EBA4407DD83893527331407B6DA"
713 "DAAD920DBC46489B677493CE5F20B595");
714 tt_int_op(i, OP_EQ, 0);
715
716 /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
717 const uint8_t keccak_kat_msg1088[] = {
718 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
719 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
720 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
721 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
722 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
723 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
724 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
725 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
726 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
727 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
728 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
729 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
730 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
731 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
732 };
733 i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136,
734 DIGEST_SHA3_256);
735 test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
736 "77B5286364FE16C59CC8A907AFF07732");
737 tt_int_op(i, OP_EQ, 0);
738 i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136,
739 DIGEST_SHA3_512);
740 test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
741 "FB94A14C72DE5ACD10D0EB5ECE029CAD"
742 "FA3BA17A40B2FFA2163991B17786E51C"
743 "ABA79E5E0FFD34CF085E2A098BE8BACB");
744 tt_int_op(i, OP_EQ, 0);
745
746 /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
747 const uint8_t keccak_kat_msg1096[] = {
748 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
749 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
750 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
751 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
752 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
753 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
754 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
755 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
756 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
757 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
758 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
759 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
760 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
761 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
762 };
763 i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137,
764 DIGEST_SHA3_256);
765 test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
766 "735E0177279222E7AC0AF8504762FAA0");
767 tt_int_op(i, OP_EQ, 0);
768 i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137,
769 DIGEST_SHA3_512);
770 test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
771 "40474041DE83D4A60645A826D7AF1ABE"
772 "1EEFCB7B74B62CA6A514E5F2697D585B"
773 "FECECE12931BBE1D4ED7EBF7B0BE660E");
774 tt_int_op(i, OP_EQ, 0);
775
776 /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
777 const uint8_t keccak_kat_msg1144[] = {
778 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
779 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
780 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
781 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
782 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
783 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
784 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
785 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
786 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
787 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
788 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
789 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
790 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
791 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
792 0xDF, 0xAF, 0xEC,
793 };
794 i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143,
795 DIGEST_SHA3_512);
796 test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
797 "605516615D96A062C8BE53A0D6C5A648"
798 "7BE35D2A8F3CF6620D0C2DBA2C560D68"
799 "295F284BE7F82F3B92919033C9CE5D80");
800 tt_int_op(i, OP_EQ, 0);
801 i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143,
802 DIGEST_SHA3_256);
803 test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
804 "118C0C2C606BDCDA06E7943D2C95E0E5");
805 tt_int_op(i, OP_EQ, 0);
806
807 /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
808 const uint8_t keccak_kat_msg1152[] = {
809 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
810 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
811 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
812 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
813 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
814 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
815 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
816 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
817 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
818 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
819 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
820 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
821 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
822 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
823 0x9E, 0xE0, 0x0C, 0x63,
824 };
825 i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144,
826 DIGEST_SHA3_512);
827 test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
828 "22775DCB6019DCD22B8885994672A088"
829 "9C69E8115C641DC8B83E39F7311815A1"
830 "64DC46E0BA2FCA344D86D4BC2EF2532C");
831 tt_int_op(i, OP_EQ, 0);
832 i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144,
833 DIGEST_SHA3_256);
834 test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
835 "84DA47678F3C2FFE5A39FDB5F7E63FFB");
836 tt_int_op(i, OP_EQ, 0);
837
838 /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
839 const uint8_t keccak_kat_msg1160[] = {
840 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
841 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
842 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
843 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
844 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
845 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
846 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
847 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
848 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
849 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
850 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
851 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
852 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
853 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
854 0x70, 0x11, 0x04, 0x4C, 0x53,
855 };
856 i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145,
857 DIGEST_SHA3_512);
858 test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
859 "05221AC5EFB1229842E4614F4A029C9B"
860 "D14A0ED7FD99AF3681429F3F309FDB53"
861 "166AA9A3CD9F1F1223D04B4A9015E94A");
862 tt_int_op(i, OP_EQ, 0);
863 i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145,
864 DIGEST_SHA3_256);
865 test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
866 "3CF6235C6B0B7969342C45A35194B67E");
867 tt_int_op(i, OP_EQ, 0);
868
869 /* SHA3-[256,512] Empty case (wikipedia) */
870 i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
871 test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
872 "f580ff4de43b49fa82d80a4b80f8434a");
873 tt_int_op(i, OP_EQ, 0);
874 i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
875 test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
876 "97c982164fe25859e0d1dcc1475c80a6"
877 "15b2123af1f5f94c11e3e9402c3ac558"
878 "f500199d95b6d3e301758586281dcd26");
879 tt_int_op(i, OP_EQ, 0);
880
881 /* Incremental digest code with SHA3-256 */
882 d1 = crypto_digest256_new(DIGEST_SHA3_256);
883 tt_assert(d1);
884 crypto_digest_add_bytes(d1, "abcdef", 6);
885 d2 = crypto_digest_dup(d1);
886 tt_assert(d2);
887 crypto_digest_add_bytes(d2, "ghijkl", 6);
888 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
889 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
890 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
891 crypto_digest_assign(d2, d1);
892 crypto_digest_add_bytes(d2, "mno", 3);
893 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
894 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
895 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
896 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
897 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
898 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
899 crypto_digest_free(d1);
900 crypto_digest_free(d2);
901
902 /* Incremental digest code with SHA3-512 */
903 d1 = crypto_digest512_new(DIGEST_SHA3_512);
904 tt_assert(d1);
905 crypto_digest_add_bytes(d1, "abcdef", 6);
906 d2 = crypto_digest_dup(d1);
907 tt_assert(d2);
908 crypto_digest_add_bytes(d2, "ghijkl", 6);
909 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
910 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512);
911 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
912 crypto_digest_assign(d2, d1);
913 crypto_digest_add_bytes(d2, "mno", 3);
914 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
915 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512);
916 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
917 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
918 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512);
919 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
920 crypto_digest_free(d1);
921
922 /* Attempt to exercise the incremental hashing code by creating a randomized
923 * 30 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512
924 * is used because it has a lowest rate of the family (the code is common,
925 * but the slower rate exercises more of it).
926 */
927 const size_t bufsz = 30 * 1024;
928 size_t j = 0;
929 large = tor_malloc(bufsz);
930 crypto_rand(large, bufsz);
931 d1 = crypto_digest512_new(DIGEST_SHA3_512); /* Running digest. */
932 while (j < bufsz) {
933 /* Pick how much data to add to the running digest. */
934 size_t incr = (size_t)crypto_rand_int_range(1, 72 * 5);
935 incr = MIN(bufsz - j, incr);
936
937 /* Add the data, and calculate the hash. */
938 crypto_digest_add_bytes(d1, large + j, incr);
939 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
940
941 /* One-shot hash the buffer up to the data that was just added,
942 * and ensure that the values match up.
943 *
944 * XXX/yawning: If this actually fails, it'll be rather difficult to
945 * reproduce. Improvements welcome.
946 */
947 i = crypto_digest512(d_out2, large, j + incr, DIGEST_SHA3_512);
948 tt_int_op(i, OP_EQ, 0);
949 tt_mem_op(d_out1, OP_EQ, d_out2, DIGEST512_LEN);
950
951 j += incr;
952 }
953
954 done:
955 if (d1)
956 crypto_digest_free(d1);
957 if (d2)
958 crypto_digest_free(d2);
959 tor_free(large);
960 tor_free(mem_op_hex_tmp);
961 }
962
963 /** Run unit tests for our XOF. */
964 static void
965 test_crypto_sha3_xof(void *arg)
966 {
967 uint8_t msg[255];
968 uint8_t out[512];
969 crypto_xof_t *xof;
970 char *mem_op_hex_tmp=NULL;
971
972 (void)arg;
973
974 /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */
975 base16_decode((char *)msg, 255,
976 "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431"
977 "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1"
978 "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F"
979 "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457"
980 "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186"
981 "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3"
982 "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565"
983 "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7"
984 "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510);
985 const char *squeezed_hex =
986 "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE"
987 "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A"
988 "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84"
989 "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF"
990 "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60"
991 "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9"
992 "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34"
993 "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF"
994 "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90"
995 "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC"
996 "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18"
997 "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775"
998 "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B"
999 "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2"
1000 "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78"
1001 "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9"
1002 "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39"
1003 "73D4";
1004
1005 /* Test oneshot absorb/squeeze. */
1006 xof = crypto_xof_new();
1007 tt_assert(xof);
1008 crypto_xof_add_bytes(xof, msg, sizeof(msg));
1009 crypto_xof_squeeze_bytes(xof, out, sizeof(out));
1010 test_memeq_hex(out, squeezed_hex);
1011 crypto_xof_free(xof);
1012 memset(out, 0, sizeof(out));
1013
1014 /* Test one-function absorb/squeeze. */
1015 crypto_xof(out, sizeof(out), msg, sizeof(msg));
1016 test_memeq_hex(out, squeezed_hex);
1017 memset(out, 0, sizeof(out));
1018
1019 /* Test incremental absorb/squeeze. */
1020 xof = crypto_xof_new();
1021 tt_assert(xof);
1022 for (size_t i = 0; i < sizeof(msg); i++)
1023 crypto_xof_add_bytes(xof, msg + i, 1);
1024 for (size_t i = 0; i < sizeof(out); i++) {
1025 crypto_xof_squeeze_bytes(xof, out + i, 1);
1026 }
1027 test_memeq_hex(out, squeezed_hex);
1028
1029 done:
1030 if (xof)
1031 crypto_xof_free(xof);
1032 tor_free(mem_op_hex_tmp);
1033 }
1034
1035 /* Test our MAC-SHA3 function. There are not actually any MAC-SHA3 test
1036 * vectors out there for our H(len(k) || k || m) construction. Hence what we
1037 * are gonna do is test our crypto_mac_sha3_256() function against manually
1038 * doing H(len(k) || k||m). If in the future the Keccak group decides to
1039 * standarize an MAC construction and make test vectors, we should
1040 * incorporate them here. */
1041 static void
1042 test_crypto_mac_sha3(void *arg)
1043 {
1044 const char msg[] = "i am in a library somewhere using my computer";
1045 const char key[] = "i'm from the past talking to the future.";
1046
1047 uint8_t hmac_test[DIGEST256_LEN];
1048 char hmac_manual[DIGEST256_LEN];
1049
1050 (void) arg;
1051
1052 /* First let's use our nice HMAC-SHA3 function */
1053 crypto_mac_sha3_256(hmac_test, sizeof(hmac_test),
1054 (uint8_t *) key, strlen(key),
1055 (uint8_t *) msg, strlen(msg));
1056
1057 /* Now let's try a manual H(len(k) || k || m) construction */
1058 {
1059 char *key_msg_concat = NULL, *all = NULL;
1060 int result;
1061 const uint64_t key_len_netorder = tor_htonll(strlen(key));
1062 size_t all_len;
1063
1064 tor_asprintf(&key_msg_concat, "%s%s", key, msg);
1065 all_len = sizeof(key_len_netorder) + strlen(key_msg_concat);
1066 all = tor_malloc_zero(all_len);
1067 memcpy(all, &key_len_netorder, sizeof(key_len_netorder));
1068 memcpy(all + sizeof(key_len_netorder), key_msg_concat,
1069 strlen(key_msg_concat));
1070
1071 result = crypto_digest256(hmac_manual, all, all_len, DIGEST_SHA3_256);
1072 tor_free(key_msg_concat);
1073 tor_free(all);
1074 tt_int_op(result, OP_EQ, 0);
1075 }
1076
1077 /* Now compare the two results */
1078 tt_mem_op(hmac_test, OP_EQ, hmac_manual, DIGEST256_LEN);
1079
1080 done: ;
1081 }
1082
1083 /** Run unit tests for our public key crypto functions */
1084 static void
1085 test_crypto_pk(void *arg)
1086 {
1087 crypto_pk_t *pk1 = NULL, *pk2 = NULL;
1088 char *encoded = NULL;
1089 char data1[1024], data2[1024], data3[1024];
1090 size_t size;
1091 int i, len;
1092
1093 /* Public-key ciphers */
1094 (void)arg;
1095 pk1 = pk_generate(0);
1096 pk2 = crypto_pk_new();
1097 tt_assert(pk1 && pk2);
1098 tt_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size));
1099 tt_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size));
1100 tt_int_op(0,OP_EQ, crypto_pk_cmp_keys(pk1, pk2));
1101
1102 /* comparison between keys and NULL */
1103 tt_int_op(crypto_pk_cmp_keys(NULL, pk1), OP_LT, 0);
1104 tt_int_op(crypto_pk_cmp_keys(NULL, NULL), OP_EQ, 0);
1105 tt_int_op(crypto_pk_cmp_keys(pk1, NULL), OP_GT, 0);
1106
1107 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk1));
1108 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk1));
1109 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk2));
1110 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk2));
1111
1112 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk2, data1, sizeof(data1),
1113 "Hello whirled.", 15,
1114 PK_PKCS1_OAEP_PADDING));
1115 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk1, data2, sizeof(data1),
1116 "Hello whirled.", 15,
1117 PK_PKCS1_OAEP_PADDING));
1118 /* oaep padding should make encryption not match */
1119 tt_mem_op(data1,OP_NE, data2, 128);
1120 tt_int_op(15,OP_EQ,
1121 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128,
1122 PK_PKCS1_OAEP_PADDING,1));
1123 tt_str_op(data3,OP_EQ, "Hello whirled.");
1124 memset(data3, 0, 1024);
1125 tt_int_op(15,OP_EQ,
1126 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1127 PK_PKCS1_OAEP_PADDING,1));
1128 tt_str_op(data3,OP_EQ, "Hello whirled.");
1129 /* Can't decrypt with public key. */
1130 tt_int_op(-1,OP_EQ,
1131 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128,
1132 PK_PKCS1_OAEP_PADDING,1));
1133 /* Try again with bad padding */
1134 memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
1135 tt_int_op(-1,OP_EQ,
1136 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1137 PK_PKCS1_OAEP_PADDING,1));
1138
1139 /* File operations: save and load private key */
1140 tt_assert(! crypto_pk_write_private_key_to_filename(pk1,
1141 get_fname("pkey1")));
1142 /* failing case for read: can't read. */
1143 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1144 OP_LT, 0);
1145 write_str_to_file(get_fname("xyzzy"), "foobar", 6);
1146 /* Failing case for read: no key. */
1147 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1148 OP_LT, 0);
1149 tt_assert(! crypto_pk_read_private_key_from_filename(pk2,
1150 get_fname("pkey1")));
1151 tt_int_op(15,OP_EQ,
1152 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128,
1153 PK_PKCS1_OAEP_PADDING,1));
1154
1155 /* Now try signing. */
1156 strlcpy(data1, "Ossifrage", 1024);
1157 tt_int_op(128,OP_EQ,
1158 crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10));
1159 tt_int_op(10,OP_EQ,
1160 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1161 tt_str_op(data3,OP_EQ, "Ossifrage");
1162 /* Try signing digests. */
1163 tt_int_op(128,OP_EQ, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2),
1164 data1, 10));
1165 tt_int_op(20,OP_EQ,
1166 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1167 tt_int_op(0,OP_EQ,
1168 crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128));
1169 tt_int_op(-1,OP_EQ,
1170 crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128));
1171
1172 /*XXXX test failed signing*/
1173
1174 /* Try encoding */
1175 crypto_pk_free(pk2);
1176 pk2 = NULL;
1177 i = crypto_pk_asn1_encode(pk1, data1, 1024);
1178 tt_int_op(i, OP_GT, 0);
1179 pk2 = crypto_pk_asn1_decode(data1, i);
1180 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1181
1182 /* Try with hybrid encryption wrappers. */
1183 crypto_rand(data1, 1024);
1184 for (i = 85; i < 140; ++i) {
1185 memset(data2,0,1024);
1186 memset(data3,0,1024);
1187 len = crypto_pk_obsolete_public_hybrid_encrypt(pk1,data2,sizeof(data2),
1188 data1,i,PK_PKCS1_OAEP_PADDING,0);
1189 tt_int_op(len, OP_GE, 0);
1190 len = crypto_pk_obsolete_private_hybrid_decrypt(pk1,data3,sizeof(data3),
1191 data2,len,PK_PKCS1_OAEP_PADDING,1);
1192 tt_int_op(len,OP_EQ, i);
1193 tt_mem_op(data1,OP_EQ, data3,i);
1194 }
1195
1196 /* Try copy_full */
1197 crypto_pk_free(pk2);
1198 pk2 = crypto_pk_copy_full(pk1);
1199 tt_ptr_op(pk2, OP_NE, NULL);
1200 tt_ptr_op(pk1, OP_NE, pk2);
1201 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1202
1203 done:
1204 if (pk1)
1205 crypto_pk_free(pk1);
1206 if (pk2)
1207 crypto_pk_free(pk2);
1208 tor_free(encoded);
1209 }
1210
1211 static void
1212 test_crypto_pk_fingerprints(void *arg)
1213 {
1214 crypto_pk_t *pk = NULL;
1215 char encoded[512];
1216 char d[DIGEST_LEN], d2[DIGEST_LEN];
1217 char fingerprint[FINGERPRINT_LEN+1];
1218 int n;
1219 unsigned i;
1220 char *mem_op_hex_tmp=NULL;
1221
1222 (void)arg;
1223
1224 pk = pk_generate(1);
1225 tt_assert(pk);
1226 n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded));
1227 tt_int_op(n, OP_GT, 0);
1228 tt_int_op(n, OP_GT, 128);
1229 tt_int_op(n, OP_LT, 256);
1230
1231 /* Is digest as expected? */
1232 crypto_digest(d, encoded, n);
1233 tt_int_op(0, OP_EQ, crypto_pk_get_digest(pk, d2));
1234 tt_mem_op(d,OP_EQ, d2, DIGEST_LEN);
1235
1236 /* Is fingerprint right? */
1237 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 0));
1238 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1239 test_memeq_hex(d, fingerprint);
1240
1241 /* Are spaces right? */
1242 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 1));
1243 for (i = 4; i < strlen(fingerprint); i += 5) {
1244 tt_int_op(fingerprint[i], OP_EQ, ' ');
1245 }
1246 tor_strstrip(fingerprint, " ");
1247 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1248 test_memeq_hex(d, fingerprint);
1249
1250 /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
1251 crypto_digest(d2, d, sizeof(d));
1252 tt_int_op(0, OP_EQ, crypto_pk_get_hashed_fingerprint(pk, fingerprint));
1253 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1254 test_memeq_hex(d2, fingerprint);
1255
1256 done:
1257 crypto_pk_free(pk);
1258 tor_free(mem_op_hex_tmp);
1259 }
1260
1261 static void
1262 test_crypto_pk_base64(void *arg)
1263 {
1264 crypto_pk_t *pk1 = NULL;
1265 crypto_pk_t *pk2 = NULL;
1266 char *encoded = NULL;
1267
1268 (void)arg;
1269
1270 /* Test Base64 encoding a key. */
1271 pk1 = pk_generate(0);
1272 tt_assert(pk1);
1273 tt_int_op(0, OP_EQ, crypto_pk_base64_encode_private(pk1, &encoded));
1274 tt_assert(encoded);
1275
1276 /* Test decoding a valid key. */
1277 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded));
1278 tt_assert(pk2);
1279 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1280 crypto_pk_free(pk2);
1281
1282 /* Test decoding a invalid key (not Base64). */
1283 static const char *invalid_b64 = "The key is in another castle!";
1284 pk2 = crypto_pk_base64_decode_private(invalid_b64, strlen(invalid_b64));
1285 tt_ptr_op(pk2, OP_EQ, NULL);
1286
1287 /* Test decoding a truncated Base64 blob. */
1288 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded)/2);
1289 tt_ptr_op(pk2, OP_EQ, NULL);
1290
1291 done:
1292 crypto_pk_free(pk1);
1293 crypto_pk_free(pk2);
1294 tor_free(encoded);
1295 }
1296
1297 static void
1298 test_crypto_pk_pem_encrypted(void *arg)
1299 {
1300 crypto_pk_t *pk = NULL;
1301 (void)arg;
1302
1303 pk = crypto_pk_new();
1304 /* we need to make sure that we won't stall if somebody gives us a key
1305 that's encrypted with a password. */
1306 {
1307 const char *s =
1308 "-----BEGIN RSA PRIVATE KEY-----\n"
1309 "Proc-Type: 4,ENCRYPTED\n"
1310 "DEK-Info: AES-128-CBC,EFA86BB9D2AB11E80B4E3DCD97782B16\n"
1311 "\n"
1312 "Z2Je4m0cFepc6coQkVbGcvNCHxTf941N2XYEVE6kn0CqWqoUH4tlwV6for5D91np\n"
1313 "5NiEFTkWj31EhrvrYcuiJtQ/iEbABxZULFWFeJ058rb+1izBz5rScqnEacIS/3Go\n"
1314 "YntnROBDwiKmUnue6PJVYg==\n"
1315 "-----END RSA PRIVATE KEY-----\n";
1316 tt_int_op(-1, OP_EQ,
1317 crypto_pk_read_private_key_from_string(pk, s, strlen(s)));
1318 }
1319 /* For fun, make sure we aren't hit by OpenSSL issue
1320 https://github.com/openssl/openssl/issues/6347 , where we get in trouble
1321 if a cipher doesn't use an IV.
1322 */
1323 {
1324 const char *s =
1325 "-----BEGIN RSA PUBLIC KEY-----\n"
1326 "Proc-Type:4,ENCRYPTED\n"
1327 "DEK-Info:des-ede -\n"
1328 "\n"
1329 "iRqK\n"
1330 "-----END RSA PUBLIC KEY-----\n";
1331 tt_int_op(-1, OP_EQ,
1332 crypto_pk_read_public_key_from_string(pk, s, strlen(s)));
1333 }
1334 done:
1335 crypto_pk_free(pk);
1336 }
1337
1338 static void
1339 test_crypto_pk_bad_size(void *arg)
1340 {
1341 (void)arg;
1342 crypto_pk_t *pk1 = pk_generate(0);
1343 crypto_pk_t *pk2 = NULL;
1344 char buf[2048];
1345 int n = crypto_pk_asn1_encode_private(pk1, buf, sizeof(buf));
1346 tt_int_op(n, OP_GT, 0);
1347
1348 /* Set the max bit count smaller: we should refuse to decode the key.*/
1349 pk2 = crypto_pk_asn1_decode_private(buf, n, 1020);
1350 tt_assert(! pk2);
1351
1352 /* Set the max bit count one bit smaller: we should refuse to decode the
1353 key.*/
1354 pk2 = crypto_pk_asn1_decode_private(buf, n, 1023);
1355 tt_assert(! pk2);
1356
1357 /* Correct size: should work. */
1358 pk2 = crypto_pk_asn1_decode_private(buf, n, 1024);
1359 tt_assert(pk2);
1360 crypto_pk_free(pk2);
1361
1362 /* One bit larger: should work. */
1363 pk2 = crypto_pk_asn1_decode_private(buf, n, 1025);
1364 tt_assert(pk2);
1365 crypto_pk_free(pk2);
1366
1367 /* Set the max bit count larger: it should decode fine. */
1368 pk2 = crypto_pk_asn1_decode_private(buf, n, 2048);
1369 tt_assert(pk2);
1370
1371 done:
1372 crypto_pk_free(pk1);
1373 crypto_pk_free(pk2);
1374 }
1375
1376 static void
1377 test_crypto_pk_invalid_private_key(void *arg)
1378 {
1379 (void)arg;
1380 /* Here is a simple invalid private key: it was produced by making
1381 * a regular private key, and then adding 2 to the modulus. */
1382 const char pem[] =
1383 "-----BEGIN RSA PRIVATE KEY-----\n"
1384 "MIIEpQIBAAKCAQEAskRyZrs+YAukvBmZlgo6/rCxyKF2xyUk073ap+2CgRUnSfGG\n"
1385 "mflHlzqVq7tpH50DafpS+fFAbaEaNV/ac20QG0rUZi38HTB4qURWOu6n0Bws6E4l\n"
1386 "UX/AkvDlWnuYH0pHHi2c3DGNFjwoJpjKuUTk+cRffVR8X3Kjr62SUDUaBNW0Kecz\n"
1387 "3SYLbmgmZI16dFZ+g9sNM3znXZbhvb33WwPqpZSSPs37cPgF7eS6mAw/gUMx6zfE\n"
1388 "HRmUnOQSzUdS05rvc/hsiCLhiIZ8hgfkD07XnTT1Ds8DwE55k7BUWY2wvwWCNLsH\n"
1389 "qtqAxTr615XdkMxVkYgImpqPybarpfNYhFqkOwIDAQABAoIBACPC3VxEdbfYvhxJ\n"
1390 "2mih9sG++nswAN7kUaX0cRe86rAwaShJPmJHApiQ1ROVTfpciiHJaLnhLraPWe2Z\n"
1391 "I/6Bw3hmI4O399p3Lc1u+wlpdNqnvE6B1rSptx0DHE9xecvVH70rE0uM2Su7t6Y+\n"
1392 "gnR2IKUGQs2mlCilm7aTUEWs0WJkkl4CG1dyxItuOSdNBjOEzXimJyiB10jEBFsp\n"
1393 "SZeCF2FZ7AJbck5CVC42+oTsiDbZrHTHOn7v26rFGdONeHD1wOI1v7JwHFpCB923\n"
1394 "aEHBzsPbMeq7DWG1rjzCYpcXHhTDBDBWSia4SEhyr2Nl7m7qxWWWwR+x4dqAj3rD\n"
1395 "HeTmos0CgYEA6uf1CLpjPpOs5IaW1DQI8dJA/xFEAC/6GVgq4nFOGHZrm8G3L5o+\n"
1396 "qvtQNMpDs2naWuZpqROFqv24o01DykHygR72GlPIY6uvmmf5tvJLoGnbFUay33L4\n"
1397 "7b9dkNhuEIBNPzVDie0pgS77WgaPbYkVv5fnDwgPuVnkqfakEt7Pz2MCgYEAwkZ5\n"
1398 "R1wLuTQEA2Poo6Gf4L8Bg6yNYI46LHDqDIs818iYLjtcnEEvbPfaoKNpOn7s7s4O\n"
1399 "Pc+4HnT1aIQs0IKVLRTp+5a/9wfOkPZnobWOUHZk9UzBL3Hc1uy/qhp93iE3tSzx\n"
1400 "v0O1pvR+hr3guTCZx8wZnDvaMgG3hlyPnVlHdrMCgYEAzQQxGbMC1ySv6quEjCP2\n"
1401 "AogMbhE1lixJTUFj/EoDbNo9xKznIkauly/Lqqc1OysRhfA/G2+MY9YZBX1zwtyX\n"
1402 "uBW7mPKynDrFgi9pBECnvJNmwET57Ic9ttIj6Tzbos83nAjyrzgr1zGX8dRz7ZeN\n"
1403 "QbBj2vygLJbGOYinXkjUeh0CgYEAhN5aF9n2EqZmkEMGWtMxWy6HRJ0A3Cap1rcq\n"
1404 "+4VHCXWhzwy+XAeg/e/N0MuyLlWcif7XcqLcE8h+BwtO8xQ8HmcNWApUJAls12wO\n"
1405 "mGRpftJaXgIupdpD5aJpu1b++qrRRNIGTH9sf1D8L/8w8LcylZkbcuTkaAsQj45C\n"
1406 "kqT64U0CgYEAq47IKS6xc3CDc17BqExR6t+1yRe+4ml+z1zcVbfUKony4pGvl1yo\n"
1407 "rk0IYDN5Vd8h5xtXrkPdX9h+ywmohnelDKsayEuE+opyqEpSU4/96Bb22RZUoucb\n"
1408 "LWkV5gZx5hFnDFtEd4vadMIiY4jVv/3JqiZDKwMVBJKlHRXJEEmIEBk=\n"
1409 "-----END RSA PRIVATE KEY-----\n";
1410
1411 crypto_pk_t *pk = NULL;
1412
1413 pk = crypto_pk_new();
1414 setup_capture_of_logs(LOG_WARN);
1415 tt_int_op(-1, OP_EQ,
1416 crypto_pk_read_private_key_from_string(pk, pem, strlen(pem)));
1417 #ifdef ENABLE_NSS
1418 expect_single_log_msg_containing("received bad data");
1419 #else
1420 expect_single_log_msg_containing("while checking RSA key");
1421 #endif
1422 done:
1423 teardown_capture_of_logs();
1424 crypto_pk_free(pk);
1425 }
1426
1427 #ifdef HAVE_TRUNCATE
1428 #define do_truncate truncate
1429 #else
1430 static int
1431 do_truncate(const char *fname, size_t len)
1432 {
1433 struct stat st;
1434 char *bytes;
1435
1436 bytes = read_file_to_str(fname, RFTS_BIN, &st);
1437 if (!bytes)
1438 return -1;
1439 /* This cast isn't so great, but it should be safe given the actual files
1440 * and lengths we're using. */
1441 if (st.st_size < (off_t)len)
1442 len = MIN(len, (size_t)st.st_size);
1443
1444 int r = write_bytes_to_file(fname, bytes, len, 1);
1445 tor_free(bytes);
1446 return r;
1447 }
1448 #endif /* defined(HAVE_TRUNCATE) */
1449
1450 /** Sanity check for crypto pk digests */
1451 static void
1452 test_crypto_digests(void *arg)
1453 {
1454 crypto_pk_t *k = NULL;
1455 ssize_t r;
1456 common_digests_t pkey_digests;
1457 char digest[DIGEST_LEN];
1458
1459 (void)arg;
1460 k = crypto_pk_new();
1461 tt_assert(k);
1462 r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3,
1463 strlen(AUTHORITY_SIGNKEY_3));
1464 tt_assert(!r);
1465
1466 r = crypto_pk_get_digest(k, digest);
1467 tt_assert(r == 0);
1468 tt_mem_op(hex_str(digest, DIGEST_LEN),OP_EQ,
1469 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1470
1471 r = crypto_pk_get_common_digests(k, &pkey_digests);
1472 tt_int_op(r, OP_EQ, 0);
1473
1474 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),OP_EQ,
1475 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1476 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),OP_EQ,
1477 AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN);
1478 done:
1479 crypto_pk_free(k);
1480 }
1481
1482 static void
1483 test_crypto_digest_names(void *arg)
1484 {
1485 static const struct {
1486 int a; const char *n;
1487 } names[] = {
1488 { DIGEST_SHA1, "sha1" },
1489 { DIGEST_SHA256, "sha256" },
1490 { DIGEST_SHA512, "sha512" },
1491 { DIGEST_SHA3_256, "sha3-256" },
1492 { DIGEST_SHA3_512, "sha3-512" },
1493 { -1, NULL }
1494 };
1495 (void)arg;
1496
1497 int i;
1498 for (i = 0; names[i].n; ++i) {
1499 tt_str_op(names[i].n, OP_EQ,crypto_digest_algorithm_get_name(names[i].a));
1500 tt_int_op(names[i].a,
1501 OP_EQ,crypto_digest_algorithm_parse_name(names[i].n));
1502 }
1503 tt_int_op(-1, OP_EQ,
1504 crypto_digest_algorithm_parse_name("TimeCubeHash-4444"));
1505 done:
1506 ;
1507 }
1508
1509 /** Run unit tests for misc crypto formatting functionality (base64, base32,
1510 * fingerprints, etc) */
1511 static void
1512 test_crypto_formats(void *arg)
1513 {
1514 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
1515 int i, j, idx;
1516
1517 (void)arg;
1518 data1 = tor_malloc(1024);
1519 data2 = tor_malloc(1024);
1520 data3 = tor_malloc(1024);
1521 tt_assert(data1 && data2 && data3);
1522
1523 /* Base64 tests */
1524 memset(data1, 6, 1024);
1525 for (idx = 0; idx < 10; ++idx) {
1526 i = base64_encode(data2, 1024, data1, idx, 0);
1527 tt_int_op(i, OP_GE, 0);
1528 tt_int_op(i, OP_EQ, strlen(data2));
1529 j = base64_decode(data3, 1024, data2, i);
1530 tt_int_op(j,OP_EQ, idx);
1531 tt_mem_op(data3,OP_EQ, data1, idx);
1532
1533 i = base64_encode_nopad(data2, 1024, (uint8_t*)data1, idx);
1534 tt_int_op(i, OP_GE, 0);
1535 tt_int_op(i, OP_EQ, strlen(data2));
1536 tt_assert(! strchr(data2, '='));
1537 j = base64_decode(data3, 1024, data2, i);
1538 tt_int_op(j, OP_EQ, idx);
1539 tt_mem_op(data3,OP_EQ, data1, idx);
1540 }
1541
1542 strlcpy(data1, "Test string that contains 35 chars.", 1024);
1543 strlcat(data1, " 2nd string that contains 35 chars.", 1024);
1544
1545 i = base64_encode(data2, 1024, data1, 71, 0);
1546 tt_int_op(i, OP_GE, 0);
1547 j = base64_decode(data3, 1024, data2, i);
1548 tt_int_op(j,OP_EQ, 71);
1549 tt_str_op(data3,OP_EQ, data1);
1550 tt_int_op(data2[i], OP_EQ, '\0');
1551
1552 crypto_rand(data1, DIGEST_LEN);
1553 memset(data2, 100, 1024);
1554 digest_to_base64(data2, data1);
1555 tt_int_op(BASE64_DIGEST_LEN,OP_EQ, strlen(data2));
1556 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST_LEN+2]);
1557 memset(data3, 99, 1024);
1558 tt_int_op(digest_from_base64(data3, data2),OP_EQ, 0);
1559 tt_mem_op(data1,OP_EQ, data3, DIGEST_LEN);
1560 tt_int_op(99,OP_EQ, data3[DIGEST_LEN+1]);
1561
1562 tt_int_op(digest_from_base64(data3, "###"), OP_LT, 0);
1563
1564 /* Encoding SHA256 */
1565 crypto_rand(data2, DIGEST256_LEN);
1566 memset(data2, 100, 1024);
1567 digest256_to_base64(data2, data1);
1568 tt_int_op(BASE64_DIGEST256_LEN,OP_EQ, strlen(data2));
1569 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST256_LEN+2]);
1570 memset(data3, 99, 1024);
1571 tt_int_op(digest256_from_base64(data3, data2),OP_EQ, 0);
1572 tt_mem_op(data1,OP_EQ, data3, DIGEST256_LEN);
1573 tt_int_op(99,OP_EQ, data3[DIGEST256_LEN+1]);
1574
1575 /* Base32 tests */
1576 strlcpy(data1, "5chrs", 1024);
1577 /* bit pattern is: [35 63 68 72 73] ->
1578 * [00110101 01100011 01101000 01110010 01110011]
1579 * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
1580 */
1581 base32_encode(data2, 9, data1, 5);
1582 tt_str_op(data2,OP_EQ, "gvrwq4tt");
1583
1584 strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
1585 base32_encode(data2, 30, data1, 10);
1586 tt_str_op(data2,OP_EQ, "772w2rfobvomsywe");
1587
1588 /* Base16 tests */
1589 strlcpy(data1, "6chrs\xff", 1024);
1590 base16_encode(data2, 13, data1, 6);
1591 tt_str_op(data2,OP_EQ, "3663687273FF");
1592
1593 strlcpy(data1, "f0d678affc000100", 1024);
1594 i = base16_decode(data2, 8, data1, 16);
1595 tt_int_op(i,OP_EQ, 8);
1596 tt_mem_op(data2,OP_EQ, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
1597
1598 /* now try some failing base16 decodes */
1599 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 15)); /* odd input len */
1600 tt_int_op(-1,OP_EQ, base16_decode(data2, 7, data1, 16)); /* dest too short */
1601 strlcpy(data1, "f0dz!8affc000100", 1024);
1602 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 16));
1603
1604 tor_free(data1);
1605 tor_free(data2);
1606 tor_free(data3);
1607
1608 /* Add spaces to fingerprint */
1609 {
1610 data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
1611 tt_int_op(strlen(data1),OP_EQ, 40);
1612 data2 = tor_malloc(FINGERPRINT_LEN+1);
1613 crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1);
1614 tt_str_op(data2, OP_EQ,
1615 "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
1616 tor_free(data1);
1617 tor_free(data2);
1618 }
1619
1620 done:
1621 tor_free(data1);
1622 tor_free(data2);
1623 tor_free(data3);
1624 }
1625
1626 /** Test AES-CTR encryption and decryption with IV. */
1627 static void
1628 test_crypto_aes_iv(void *arg)
1629 {
1630 char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2;
1631 char plain_1[1], plain_15[15], plain_16[16], plain_17[17];
1632 char key1[16], key2[16];
1633 ssize_t encrypted_size, decrypted_size;
1634
1635 int use_evp = !strcmp(arg,"evp");
1636 evaluate_evp_for_aes(use_evp);
1637
1638 plain = tor_malloc(4095);
1639 encrypted1 = tor_malloc(4095 + 1 + 16);
1640 encrypted2 = tor_malloc(4095 + 1 + 16);
1641 decrypted1 = tor_malloc(4095 + 1);
1642 decrypted2 = tor_malloc(4095 + 1);
1643
1644 crypto_rand(plain, 4095);
1645 crypto_rand(key1, 16);
1646 crypto_rand(key2, 16);
1647 crypto_rand(plain_1, 1);
1648 crypto_rand(plain_15, 15);
1649 crypto_rand(plain_16, 16);
1650 crypto_rand(plain_17, 17);
1651 key1[0] = key2[0] + 128; /* Make sure that contents are different. */
1652 /* Encrypt and decrypt with the same key. */
1653 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095,
1654 plain, 4095);
1655
1656 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1657 tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is
1658 * greater than 0, but its truth is not
1659 * obvious to all analysis tools. */
1660 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1661 encrypted1, encrypted_size);
1662
1663 tt_int_op(decrypted_size,OP_EQ, 4095);
1664 tt_assert(decrypted_size > 0);
1665 tt_mem_op(plain,OP_EQ, decrypted1, 4095);
1666 /* Encrypt a second time (with a new random initialization vector). */
1667 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095,
1668 plain, 4095);
1669
1670 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1671 tt_assert(encrypted_size > 0);
1672 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095,
1673 encrypted2, encrypted_size);
1674 tt_int_op(decrypted_size,OP_EQ, 4095);
1675 tt_assert(decrypted_size > 0);
1676 tt_mem_op(plain,OP_EQ, decrypted2, 4095);
1677 tt_mem_op(encrypted1,OP_NE, encrypted2, encrypted_size);
1678 /* Decrypt with the wrong key. */
1679 decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095,
1680 encrypted1, encrypted_size);
1681 tt_int_op(decrypted_size,OP_EQ, 4095);
1682 tt_mem_op(plain,OP_NE, decrypted2, decrypted_size);
1683 /* Alter the initialization vector. */
1684 encrypted1[0] += 42;
1685 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1686 encrypted1, encrypted_size);
1687 tt_int_op(decrypted_size,OP_EQ, 4095);
1688 tt_mem_op(plain,OP_NE, decrypted2, 4095);
1689 /* Special length case: 1. */
1690 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1,
1691 plain_1, 1);
1692 tt_int_op(encrypted_size,OP_EQ, 16 + 1);
1693 tt_assert(encrypted_size > 0);
1694 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1,
1695 encrypted1, encrypted_size);
1696 tt_int_op(decrypted_size,OP_EQ, 1);
1697 tt_assert(decrypted_size > 0);
1698 tt_mem_op(plain_1,OP_EQ, decrypted1, 1);
1699 /* Special length case: 15. */
1700 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15,
1701 plain_15, 15);
1702 tt_int_op(encrypted_size,OP_EQ, 16 + 15);
1703 tt_assert(encrypted_size > 0);
1704 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15,
1705 encrypted1, encrypted_size);
1706 tt_int_op(decrypted_size,OP_EQ, 15);
1707 tt_assert(decrypted_size > 0);
1708 tt_mem_op(plain_15,OP_EQ, decrypted1, 15);
1709 /* Special length case: 16. */
1710 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16,
1711 plain_16, 16);
1712 tt_int_op(encrypted_size,OP_EQ, 16 + 16);
1713 tt_assert(encrypted_size > 0);
1714 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16,
1715 encrypted1, encrypted_size);
1716 tt_int_op(decrypted_size,OP_EQ, 16);
1717 tt_assert(decrypted_size > 0);
1718 tt_mem_op(plain_16,OP_EQ, decrypted1, 16);
1719 /* Special length case: 17. */
1720 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17,
1721 plain_17, 17);
1722 tt_int_op(encrypted_size,OP_EQ, 16 + 17);
1723 tt_assert(encrypted_size > 0);
1724 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17,
1725 encrypted1, encrypted_size);
1726 tt_int_op(decrypted_size,OP_EQ, 17);
1727 tt_assert(decrypted_size > 0);
1728 tt_mem_op(plain_17,OP_EQ, decrypted1, 17);
1729
1730 done:
1731 /* Free memory. */
1732 tor_free(plain);
1733 tor_free(encrypted1);
1734 tor_free(encrypted2);
1735 tor_free(decrypted1);
1736 tor_free(decrypted2);
1737 }
1738
1739 /** Test base32 decoding. */
1740 static void
1741 test_crypto_base32_decode(void *arg)
1742 {
1743 char plain[60], encoded[96 + 1], decoded[60];
1744 int res;
1745 (void)arg;
1746 crypto_rand(plain, 60);
1747 /* Encode and decode a random string. */
1748 base32_encode(encoded, 96 + 1, plain, 60);
1749 res = base32_decode(decoded, 60, encoded, 96);
1750 tt_int_op(res, OP_EQ, 60);
1751 tt_mem_op(plain,OP_EQ, decoded, 60);
1752 /* Encode, uppercase, and decode a random string. */
1753 base32_encode(encoded, 96 + 1, plain, 60);
1754 tor_strupper(encoded);
1755 res = base32_decode(decoded, 60, encoded, 96);
1756 tt_int_op(res, OP_EQ, 60);
1757 tt_mem_op(plain,OP_EQ, decoded, 60);
1758 /* Change encoded string and decode. */
1759 if (encoded[0] == 'A' || encoded[0] == 'a')
1760 encoded[0] = 'B';
1761 else
1762 encoded[0] = 'A';
1763 res = base32_decode(decoded, 60, encoded, 96);
1764 tt_int_op(res, OP_EQ, 60);
1765 tt_mem_op(plain,OP_NE, decoded, 60);
1766 /* Bad encodings. */
1767 encoded[0] = '!';
1768 res = base32_decode(decoded, 60, encoded, 96);
1769 tt_int_op(res, OP_LT, 0);
1770
1771 done:
1772 ;
1773 }
1774
1775 static void
1776 test_crypto_kdf_TAP(void *arg)
1777 {
1778 uint8_t key_material[100];
1779 int r;
1780 char *mem_op_hex_tmp = NULL;
1781
1782 (void)arg;
1783 #define EXPAND(s) \
1784 r = crypto_expand_key_material_TAP( \
1785 (const uint8_t*)(s), strlen(s), \
1786 key_material, 100)
1787
1788 /* Test vectors generated with a little python script; feel free to write
1789 * your own. */
1790 memset(key_material, 0, sizeof(key_material));
1791 EXPAND("");
1792 tt_int_op(r, OP_EQ, 0);
1793 test_memeq_hex(key_material,
1794 "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
1795 "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
1796 "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
1797 "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
1798
1799 EXPAND("Tor");
1800 tt_int_op(r, OP_EQ, 0);
1801 test_memeq_hex(key_material,
1802 "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
1803 "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
1804 "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
1805 "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
1806
1807 EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
1808 tt_int_op(r, OP_EQ, 0);
1809 test_memeq_hex(key_material,
1810 "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
1811 "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
1812 "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
1813 "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
1814
1815 done:
1816 tor_free(mem_op_hex_tmp);
1817
1818 #undef EXPAND
1819 }
1820
1821 static void
1822 test_crypto_hkdf_sha256(void *arg)
1823 {
1824 uint8_t key_material[100];
1825 const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract";
1826 const size_t salt_len = strlen((char*)salt);
1827 const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand";
1828 const size_t m_expand_len = strlen((char*)m_expand);
1829 int r;
1830 char *mem_op_hex_tmp = NULL;
1831
1832 (void)arg;
1833
1834 #define EXPAND(s) \
1835 r = crypto_expand_key_material_rfc5869_sha256( \
1836 (const uint8_t*)(s), strlen(s), \
1837 salt, salt_len, \
1838 m_expand, m_expand_len, \
1839 key_material, 100)
1840
1841 /* Test vectors generated with ntor_ref.py */
1842 EXPAND("Tor");
1843 tt_int_op(r, OP_EQ, 0);
1844 test_memeq_hex(key_material,
1845 "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
1846 "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
1847 "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
1848 "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
1849
1850 EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
1851 tt_int_op(r, OP_EQ, 0);
1852 test_memeq_hex(key_material,
1853 "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
1854 "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
1855 "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
1856 "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
1857 done:
1858 tor_free(mem_op_hex_tmp);
1859 #undef EXPAND
1860 }
1861
1862 static void
1863 test_crypto_hkdf_sha256_testvecs(void *arg)
1864 {
1865 (void) arg;
1866 /* Test vectors from RFC5869, sections A.1 through A.3 */
1867 const struct {
1868 const char *ikm16, *salt16, *info16;
1869 int L;
1870 const char *okm16;
1871 } vecs[] = {
1872 { /* from A.1 */
1873 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1874 "000102030405060708090a0b0c",
1875 "f0f1f2f3f4f5f6f7f8f9",
1876 42,
1877 "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
1878 "34007208d5b887185865"
1879 },
1880 { /* from A.2 */
1881 "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
1882 "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
1883 "404142434445464748494a4b4c4d4e4f",
1884 "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
1885 "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
1886 "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
1887 "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
1888 "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef"
1889 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
1890 82,
1891 "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c"
1892 "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71"
1893 "cc30c58179ec3e87c14c01d5c1f3434f1d87"
1894 },
1895 { /* from A.3 */
1896 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1897 "",
1898 "",
1899 42,
1900 "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
1901 "9d201395faa4b61a96c8",
1902 },
1903 { NULL, NULL, NULL, -1, NULL }
1904 };
1905
1906 int i;
1907 char *ikm = NULL;
1908 char *salt = NULL;
1909 char *info = NULL;
1910 char *okm = NULL;
1911 char *mem_op_hex_tmp = NULL;
1912
1913 for (i = 0; vecs[i].ikm16; ++i) {
1914 size_t ikm_len = strlen(vecs[i].ikm16)/2;
1915 size_t salt_len = strlen(vecs[i].salt16)/2;
1916 size_t info_len = strlen(vecs[i].info16)/2;
1917 size_t okm_len = vecs[i].L;
1918
1919 ikm = tor_malloc(ikm_len);
1920 salt = tor_malloc(salt_len);
1921 info = tor_malloc(info_len);
1922 okm = tor_malloc(okm_len);
1923
1924 base16_decode(ikm, ikm_len, vecs[i].ikm16, strlen(vecs[i].ikm16));
1925 base16_decode(salt, salt_len, vecs[i].salt16, strlen(vecs[i].salt16));
1926 base16_decode(info, info_len, vecs[i].info16, strlen(vecs[i].info16));
1927
1928 int r = crypto_expand_key_material_rfc5869_sha256(
1929 (const uint8_t*)ikm, ikm_len,
1930 (const uint8_t*)salt, salt_len,
1931 (const uint8_t*)info, info_len,
1932 (uint8_t*)okm, okm_len);
1933 tt_int_op(r, OP_EQ, 0);
1934 test_memeq_hex(okm, vecs[i].okm16);
1935 tor_free(ikm);
1936 tor_free(salt);
1937 tor_free(info);
1938 tor_free(okm);
1939 }
1940 done:
1941 tor_free(ikm);
1942 tor_free(salt);
1943 tor_free(info);
1944 tor_free(okm);
1945 tor_free(mem_op_hex_tmp);
1946 }
1947
1948 static void
1949 test_crypto_curve25519_impl(void *arg)
1950 {
1951 /* adapted from curve25519_donna, which adapted it from test-curve25519
1952 version 20050915, by D. J. Bernstein, Public domain. */
1953
1954 const int randomize_high_bit = (arg != NULL);
1955
1956 #ifdef SLOW_CURVE25519_TEST
1957 const int loop_max=10000;
1958 const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5"
1959 "7e0329f4dd2819f5f32d130f1296b500";
1960 const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9"
1961 "e0544770bc7de853b38f9100489e3e79";
1962 const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88"
1963 "bd13861475516bc2cd2b6e005e805064";
1964 #else /* !defined(SLOW_CURVE25519_TEST) */
1965 const int loop_max=200;
1966 const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3"
1967 "c6a1037d74cceb3712e9206871dcf654";
1968 const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
1969 "8e3ee1a63c7d14274ea5d4c67f065467";
1970 const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e"
1971 "c0ee98cb2257a4545c0cfb2ca3e1812b";
1972 #endif /* defined(SLOW_CURVE25519_TEST) */
1973
1974 unsigned char e1k[32];
1975 unsigned char e2k[32];
1976 unsigned char e1e2k[32];
1977 unsigned char e2e1k[32];
1978 unsigned char e1[32] = {3};
1979 unsigned char e2[32] = {5};
1980 unsigned char k[32] = {9};
1981 int loop, i;
1982
1983 char *mem_op_hex_tmp = NULL;
1984
1985 for (loop = 0; loop < loop_max; ++loop) {
1986 curve25519_impl(e1k,e1,k);
1987 curve25519_impl(e2e1k,e2,e1k);
1988 curve25519_impl(e2k,e2,k);
1989 if (randomize_high_bit) {
1990 /* We require that the high bit of the public key be ignored. So if
1991 * we're doing this variant test, we randomize the high bit of e2k, and
1992 * make sure that the handshake still works out the same as it would
1993 * otherwise. */
1994 uint8_t byte;
1995 crypto_rand((char*)&byte, 1);
1996 e2k[31] |= (byte & 0x80);
1997 }
1998 curve25519_impl(e1e2k,e1,e2k);
1999 tt_mem_op(e1e2k,OP_EQ, e2e1k, 32);
2000 if (loop == loop_max-1) {
2001 break;
2002 }
2003 for (i = 0;i < 32;++i) e1[i] ^= e2k[i];
2004 for (i = 0;i < 32;++i) e2[i] ^= e1k[i];
2005 for (i = 0;i < 32;++i) k[i] ^= e1e2k[i];
2006 }
2007
2008 test_memeq_hex(e1, e1_expected);
2009 test_memeq_hex(e2k, e2k_expected);
2010 test_memeq_hex(e1e2k, e1e2k_expected);
2011
2012 done:
2013 tor_free(mem_op_hex_tmp);
2014 }
2015
2016 static void
2017 test_crypto_curve25519_basepoint(void *arg)
2018 {
2019 uint8_t secret[32];
2020 uint8_t public1[32];
2021 uint8_t public2[32];
2022 const int iters = 2048;
2023 int i;
2024 (void) arg;
2025
2026 for (i = 0; i < iters; ++i) {
2027 crypto_rand((char*)secret, 32);
2028 curve25519_set_impl_params(1); /* Use optimization */
2029 curve25519_basepoint_impl(public1, secret);
2030 curve25519_set_impl_params(0); /* Disable optimization */
2031 curve25519_basepoint_impl(public2, secret);
2032 tt_mem_op(public1, OP_EQ, public2, 32);
2033 }
2034
2035 done:
2036 ;
2037 }
2038
2039 static void
2040 test_crypto_curve25519_testvec(void *arg)
2041 {
2042 (void)arg;
2043 char *mem_op_hex_tmp = NULL;
2044
2045 /* From RFC 7748, section 6.1 */
2046 /* Alice's private key, a: */
2047 const char a16[] =
2048 "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
2049 /* Alice's public key, X25519(a, 9): */
2050 const char a_pub16[] =
2051 "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
2052 /* Bob's private key, b: */
2053 const char b16[] =
2054 "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
2055 /* Bob's public key, X25519(b, 9): */
2056 const char b_pub16[] =
2057 "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
2058 /* Their shared secret, K: */
2059 const char k16[] =
2060 "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
2061
2062 uint8_t a[32], b[32], a_pub[32], b_pub[32], k1[32], k2[32];
2063 base16_decode((char*)a, sizeof(a), a16, strlen(a16));
2064 base16_decode((char*)b, sizeof(b), b16, strlen(b16));
2065 curve25519_basepoint_impl(a_pub, a);
2066 curve25519_basepoint_impl(b_pub, b);
2067 curve25519_impl(k1, a, b_pub);
2068 curve25519_impl(k2, b, a_pub);
2069
2070 test_memeq_hex(a, a16);
2071 test_memeq_hex(b, b16);
2072 test_memeq_hex(a_pub, a_pub16);
2073 test_memeq_hex(b_pub, b_pub16);
2074 test_memeq_hex(k1, k16);
2075 test_memeq_hex(k2, k16);
2076 done:
2077 tor_free(mem_op_hex_tmp);
2078 }
2079
2080 static void
2081 test_crypto_curve25519_wrappers(void *arg)
2082 {
2083 curve25519_public_key_t pubkey1, pubkey2;
2084 curve25519_secret_key_t seckey1, seckey2;
2085
2086 uint8_t output1[CURVE25519_OUTPUT_LEN];
2087 uint8_t output2[CURVE25519_OUTPUT_LEN];
2088 (void)arg;
2089
2090 /* Test a simple handshake, serializing and deserializing some stuff. */
2091 curve25519_secret_key_generate(&seckey1, 0);
2092 curve25519_secret_key_generate(&seckey2, 1);
2093 curve25519_public_key_generate(&pubkey1, &seckey1);
2094 curve25519_public_key_generate(&pubkey2, &seckey2);
2095 tt_assert(curve25519_public_key_is_ok(&pubkey1));
2096 tt_assert(curve25519_public_key_is_ok(&pubkey2));
2097 curve25519_handshake(output1, &seckey1, &pubkey2);
2098 curve25519_handshake(output2, &seckey2, &pubkey1);
2099 tt_mem_op(output1,OP_EQ, output2, sizeof(output1));
2100
2101 done:
2102 ;
2103 }
2104
2105 static void
2106 test_crypto_curve25519_encode(void *arg)
2107 {
2108 curve25519_secret_key_t seckey;
2109 curve25519_public_key_t key1, key2, key3;
2110 char buf[64], buf_nopad[64];
2111
2112 (void)arg;
2113
2114 curve25519_secret_key_generate(&seckey, 0);
2115 curve25519_public_key_generate(&key1, &seckey);
2116 curve25519_public_to_base64(buf, &key1, true);
2117 tt_int_op(CURVE25519_BASE64_PADDED_LEN, OP_EQ, strlen(buf));
2118
2119 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key2, buf));
2120 tt_mem_op(key1.public_key,OP_EQ, key2.public_key, CURVE25519_PUBKEY_LEN);
2121
2122 curve25519_public_to_base64(buf_nopad, &key1, false);
2123 tt_int_op(CURVE25519_BASE64_LEN, OP_EQ, strlen(buf_nopad));
2124 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key3, buf_nopad));
2125 tt_mem_op(key1.public_key,OP_EQ, key3.public_key, CURVE25519_PUBKEY_LEN);
2126
2127 /* Now try bogus parses. */
2128 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf));
2129 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2130
2131 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf));
2132 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2133
2134 strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf));
2135 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2136
2137 done:
2138 ;
2139 }
2140
2141 static void
2142 test_crypto_curve25519_persist(void *arg)
2143 {
2144 curve25519_keypair_t keypair, keypair2;
2145 char *fname = tor_strdup(get_fname("curve25519_keypair"));
2146 char *tag = NULL;
2147 char *content = NULL;
2148 const char *cp;
2149 struct stat st;
2150 size_t taglen;
2151
2152 (void)arg;
2153
2154 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&keypair, 0));
2155
2156 tt_int_op(0,OP_EQ,
2157 curve25519_keypair_write_to_file(&keypair, fname, "testing"));
2158 tt_int_op(0,OP_EQ,curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2159 tt_str_op(tag,OP_EQ,"testing");
2160 tor_free(tag);
2161
2162 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2163 keypair2.pubkey.public_key,
2164 CURVE25519_PUBKEY_LEN);
2165 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2166 keypair2.seckey.secret_key,
2167 CURVE25519_SECKEY_LEN);
2168
2169 content = read_file_to_str(fname, RFTS_BIN, &st);
2170 tt_assert(content);
2171 taglen = strlen("== c25519v1: testing ==");
2172 tt_u64_op((uint64_t)st.st_size, OP_EQ,
2173 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN);
2174 tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen));
2175 tt_assert(fast_mem_is_zero(content+taglen, 32-taglen));
2176 cp = content + 32;
2177 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2178 cp,
2179 CURVE25519_SECKEY_LEN);
2180 cp += CURVE25519_SECKEY_LEN;
2181 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2182 cp,
2183 CURVE25519_SECKEY_LEN);
2184
2185 tor_free(fname);
2186 fname = tor_strdup(get_fname("bogus_keypair"));
2187
2188 tt_int_op(-1, OP_EQ,
2189 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2190 tor_free(tag);
2191
2192 content[69] ^= 0xff;
2193 tt_int_op(0, OP_EQ,
2194 write_bytes_to_file(fname, content, (size_t)st.st_size, 1));
2195 tt_int_op(-1, OP_EQ,
2196 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2197
2198 done:
2199 tor_free(fname);
2200 tor_free(content);
2201 tor_free(tag);
2202 }
2203
2204 static void
2205 test_crypto_ed25519_simple(void *arg)
2206 {
2207 ed25519_keypair_t kp1, kp2;
2208 ed25519_public_key_t pub1, pub2;
2209 ed25519_secret_key_t sec1, sec2;
2210 ed25519_signature_t sig1, sig2;
2211 const uint8_t msg[] =
2212 "GNU will be able to run Unix programs, "
2213 "but will not be identical to Unix.";
2214 const uint8_t msg2[] =
2215 "Microsoft Windows extends the features of the DOS operating system, "
2216 "yet is compatible with most existing applications that run under DOS.";
2217 size_t msg_len = strlen((const char*)msg);
2218 size_t msg2_len = strlen((const char*)msg2);
2219
2220 (void)arg;
2221
2222 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec1, 0));
2223 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec2, 1));
2224
2225 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub1, &sec1));
2226 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec1));
2227
2228 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
2229 tt_int_op(ed25519_validate_pubkey(&pub2), OP_EQ, 0);
2230
2231 tt_mem_op(pub1.pubkey, OP_EQ, pub2.pubkey, sizeof(pub1.pubkey));
2232 tt_assert(ed25519_pubkey_eq(&pub1, &pub2));
2233 tt_assert(ed25519_pubkey_eq(&pub1, &pub1));
2234
2235 memcpy(&kp1.pubkey, &pub1, sizeof(pub1));
2236 memcpy(&kp1.seckey, &sec1, sizeof(sec1));
2237 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp1));
2238 tt_int_op(0, OP_EQ, ed25519_sign(&sig2, msg, msg_len, &kp1));
2239
2240 /* Ed25519 signatures are deterministic */
2241 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, sizeof(sig1.sig));
2242
2243 /* Basic signature is valid. */
2244 tt_int_op(0, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2245
2246 /* Altered signature doesn't work. */
2247 sig1.sig[0] ^= 3;
2248 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2249
2250 /* Wrong public key doesn't work. */
2251 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec2));
2252 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub2));
2253 tt_assert(! ed25519_pubkey_eq(&pub1, &pub2));
2254
2255 /* Wrong message doesn't work. */
2256 tt_int_op(0, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub1));
2257 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len-1, &pub1));
2258 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg2, msg2_len, &pub1));
2259
2260 /* Batch signature checking works with some bad. */
2261 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp2, 0));
2262 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp2));
2263 {
2264 ed25519_checkable_t ch[] = {
2265 { &pub1, sig2, msg, msg_len }, /*ok*/
2266 { &pub1, sig2, msg, msg_len-1 }, /*bad*/
2267 { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/
2268 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2269 };
2270 int okay[4];
2271 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(okay, ch, 4));
2272 tt_int_op(okay[0], OP_EQ, 1);
2273 tt_int_op(okay[1], OP_EQ, 0);
2274 tt_int_op(okay[2], OP_EQ, 0);
2275 tt_int_op(okay[3], OP_EQ, 1);
2276 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(NULL, ch, 4));
2277 }
2278
2279 /* Batch signature checking works with all good. */
2280 {
2281 ed25519_checkable_t ch[] = {
2282 { &pub1, sig2, msg, msg_len }, /*ok*/
2283 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2284 };
2285 int okay[2];
2286 tt_int_op(0, OP_EQ, ed25519_checksig_batch(okay, ch, 2));
2287 tt_int_op(okay[0], OP_EQ, 1);
2288 tt_int_op(okay[1], OP_EQ, 1);
2289 tt_int_op(0, OP_EQ, ed25519_checksig_batch(NULL, ch, 2));
2290 }
2291
2292 /* Test the string-prefixed sign/checksig functions */
2293 {
2294 ed25519_signature_t manual_sig;
2295 char *prefixed_msg;
2296
2297 /* Generate a signature with a prefixed msg. */
2298 tt_int_op(0, OP_EQ, ed25519_sign_prefixed(&sig1, msg, msg_len,
2299 "always in the mood",
2300 &kp1));
2301
2302 /* First, check that ed25519_sign_prefixed() returns the exact same sig as
2303 if we had manually prefixed the msg ourselves. */
2304 tor_asprintf(&prefixed_msg, "%s%s", "always in the mood", msg);
2305 tt_int_op(0, OP_EQ, ed25519_sign(&manual_sig, (uint8_t *)prefixed_msg,
2306 strlen(prefixed_msg), &kp1));
2307 tor_free(prefixed_msg);
2308 tt_assert(fast_memeq(sig1.sig, manual_sig.sig, sizeof(sig1.sig)));
2309
2310 /* Test that prefixed checksig verifies it properly. */
2311 tt_int_op(0, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2312 "always in the mood",
2313 &pub1));
2314
2315 /* Test that checksig with wrong prefix fails. */
2316 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2317 "always in the moo",
2318 &pub1));
2319 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2320 "always in the moon",
2321 &pub1));
2322 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2323 "always in the mood!",
2324 &pub1));
2325 }
2326
2327 done:
2328 ;
2329 }
2330
2331 static void
2332 test_crypto_ed25519_test_vectors(void *arg)
2333 {
2334 char *mem_op_hex_tmp=NULL;
2335 int i;
2336 struct {
2337 const char *sk;
2338 const char *pk;
2339 const char *sig;
2340 const char *msg;
2341 } items[] = {
2342 /* These test vectors were generated with the "ref" implementation of
2343 * ed25519 from SUPERCOP-20130419 */
2344 { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
2345 "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
2346 "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
2347 "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
2348 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2349 "204e554c2d7465726d696e617465642e"
2350 },
2351
2352 { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
2353 "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
2354 "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
2355 "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
2356 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2357 "204e554c2d7465726d696e617465642e"
2358 },
2359 { "6578706f73656420627920456e676c697368207465787420617320696e707574",
2360 "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
2361 "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
2362 "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
2363 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2364 "204e554c2d7465726d696e617465642e"
2365 },
2366
2367 /* These come from "sign.input" in ed25519's page */
2368 { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
2369 "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
2370 "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
2371 "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
2372 "5a8d9d0a22357e6655f9c785"
2373 },
2374 { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
2375 "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
2376 "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
2377 "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
2378 "b87d3813e03f58cf19fd0b6395"
2379 },
2380 { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
2381 "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
2382 "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
2383 "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
2384 "55c7fa434f5ed8cdec2b7aeac173",
2385 },
2386 { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
2387 "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
2388 "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
2389 "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
2390 "0a688e79be24f866286d4646b5d81c"
2391 },
2392 /* These come from draft-irtf-cfrg-eddsa-05 section 7.1 */
2393 {
2394 "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
2395 "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
2396 "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
2397 "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b",
2398 ""
2399 },
2400 {
2401 "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
2402 "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
2403 "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
2404 "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00",
2405 "72"
2406 },
2407 {
2408 "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
2409 "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
2410 "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350"
2411 "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
2412 "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98"
2413 "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8"
2414 "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d"
2415 "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc"
2416 "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe"
2417 "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e"
2418 "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef"
2419 "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7"
2420 "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
2421 "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2"
2422 "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24"
2423 "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270"
2424 "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc"
2425 "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07"
2426 "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba"
2427 "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a"
2428 "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e"
2429 "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
2430 "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c"
2431 "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8"
2432 "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df"
2433 "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08"
2434 "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649"
2435 "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4"
2436 "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3"
2437 "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e"
2438 "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
2439 "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5"
2440 "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1"
2441 "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d"
2442 "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c"
2443 "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0"
2444 },
2445 {
2446 "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
2447 "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
2448 "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
2449 "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704",
2450 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
2451 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
2452 },
2453 { NULL, NULL, NULL, NULL}
2454 };
2455
2456 (void)arg;
2457
2458 for (i = 0; items[i].pk; ++i) {
2459 ed25519_keypair_t kp;
2460 ed25519_signature_t sig;
2461 uint8_t sk_seed[32];
2462 uint8_t *msg;
2463 size_t msg_len;
2464 base16_decode((char*)sk_seed, sizeof(sk_seed),
2465 items[i].sk, 64);
2466 ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
2467 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
2468 test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
2469
2470 msg_len = strlen(items[i].msg) / 2;
2471 msg = tor_malloc(msg_len);
2472 base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg));
2473
2474 tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, msg_len, &kp));
2475 test_memeq_hex(sig.sig, items[i].sig);
2476
2477 tor_free(msg);
2478 }
2479
2480 done:
2481 tor_free(mem_op_hex_tmp);
2482 }
2483
2484 static void
2485 test_crypto_ed25519_encode(void *arg)
2486 {
2487 char buf[ED25519_SIG_BASE64_LEN+1];
2488 ed25519_keypair_t kp;
2489 ed25519_public_key_t pk;
2490 ed25519_signature_t sig1, sig2;
2491 char *mem_op_hex_tmp = NULL;
2492 (void) arg;
2493
2494 /* Test roundtrip. */
2495 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, 0));
2496 ed25519_public_to_base64(buf, &kp.pubkey);
2497 tt_int_op(ED25519_BASE64_LEN, OP_EQ, strlen(buf));
2498 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk, buf));
2499 tt_mem_op(kp.pubkey.pubkey, OP_EQ, pk.pubkey, ED25519_PUBKEY_LEN);
2500
2501 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, (const uint8_t*)"ABC", 3, &kp));
2502 ed25519_signature_to_base64(buf, &sig1);
2503 tt_int_op(0, OP_EQ, ed25519_signature_from_base64(&sig2, buf));
2504 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, ED25519_SIG_LEN);
2505
2506 /* Test known value. */
2507 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk,
2508 "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
2509 test_memeq_hex(pk.pubkey,
2510 "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
2511
2512 done:
2513 tor_free(mem_op_hex_tmp);
2514 }
2515
2516 static void
2517 test_crypto_ed25519_convert(void *arg)
2518 {
2519 const uint8_t msg[] =
2520 "The eyes are not here / There are no eyes here.";
2521 const int N = 30;
2522 int i;
2523 (void)arg;
2524
2525 for (i = 0; i < N; ++i) {
2526 curve25519_keypair_t curve25519_keypair;
2527 ed25519_keypair_t ed25519_keypair;
2528 ed25519_public_key_t ed25519_pubkey;
2529
2530 int bit=0;
2531 ed25519_signature_t sig;
2532
2533 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&curve25519_keypair, i&1));
2534 tt_int_op(0,OP_EQ,ed25519_keypair_from_curve25519_keypair(
2535 &ed25519_keypair, &bit, &curve25519_keypair));
2536 tt_int_op(0,OP_EQ,ed25519_public_key_from_curve25519_public_key(
2537 &ed25519_pubkey, &curve25519_keypair.pubkey, bit));
2538 tt_mem_op(ed25519_pubkey.pubkey, OP_EQ, ed25519_keypair.pubkey.pubkey, 32);
2539
2540 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair));
2541 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2542 &ed25519_pubkey));
2543
2544 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2545 &ed25519_pubkey));
2546 sig.sig[0] ^= 15;
2547 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2548 &ed25519_pubkey));
2549 }
2550
2551 done:
2552 ;
2553 }
2554
2555 static void
2556 test_crypto_ed25519_blinding(void *arg)
2557 {
2558 const uint8_t msg[] =
2559 "Eyes I dare not meet in dreams / In death's dream kingdom";
2560
2561 const int N = 30;
2562 int i;
2563 (void)arg;
2564
2565 for (i = 0; i < N; ++i) {
2566 uint8_t blinding[32];
2567 ed25519_keypair_t ed25519_keypair;
2568 ed25519_keypair_t ed25519_keypair_blinded;
2569 ed25519_public_key_t ed25519_pubkey_blinded;
2570
2571 ed25519_signature_t sig;
2572
2573 crypto_rand((char*) blinding, sizeof(blinding));
2574
2575 tt_int_op(0,OP_EQ,ed25519_keypair_generate(&ed25519_keypair, 0));
2576 tt_int_op(0,OP_EQ,ed25519_keypair_blind(&ed25519_keypair_blinded,
2577 &ed25519_keypair, blinding));
2578
2579 tt_int_op(0,OP_EQ,ed25519_public_blind(&ed25519_pubkey_blinded,
2580 &ed25519_keypair.pubkey, blinding));
2581
2582 tt_mem_op(ed25519_pubkey_blinded.pubkey, OP_EQ,
2583 ed25519_keypair_blinded.pubkey.pubkey, 32);
2584
2585 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg),
2586 &ed25519_keypair_blinded));
2587
2588 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2589 &ed25519_pubkey_blinded));
2590
2591 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2592 &ed25519_pubkey_blinded));
2593 sig.sig[0] ^= 15;
2594 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2595 &ed25519_pubkey_blinded));
2596 }
2597
2598 done:
2599 ;
2600 }
2601
2602 /** Test that our blinding functions will fail if we pass them bad pubkeys */
2603 static void
2604 test_crypto_ed25519_blinding_fail(void *arg)
2605 {
2606 int retval;
2607 uint8_t param[32] = {2};
2608 ed25519_public_key_t pub;
2609 ed25519_public_key_t pub_blinded;
2610
2611 (void)arg;
2612
2613 /* This point is not on the curve: the blind routines should fail */
2614 const char badkey[] =
2615 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2616 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2617 badkey, strlen(badkey));
2618 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2619 retval = ed25519_public_blind(&pub_blinded, &pub, param);
2620 tt_int_op(retval, OP_EQ, -1);
2621
2622 /* This point is legit: blind routines should be happy */
2623 const char goodkey[] =
2624 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2625 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2626 goodkey, strlen(goodkey));
2627 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2628 retval = ed25519_public_blind(&pub_blinded, &pub, param);
2629 tt_int_op(retval, OP_EQ, 0);
2630
2631 done:
2632 ;
2633 }
2634
2635 static void
2636 test_crypto_ed25519_testvectors(void *arg)
2637 {
2638 unsigned i;
2639 char *mem_op_hex_tmp = NULL;
2640 (void)arg;
2641
2642 for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) {
2643 uint8_t sk[32];
2644 ed25519_secret_key_t esk;
2645 ed25519_public_key_t pk, blind_pk, pkfromcurve;
2646 ed25519_keypair_t keypair, blind_keypair;
2647 curve25519_keypair_t curvekp;
2648 uint8_t blinding_param[32];
2649 ed25519_signature_t sig;
2650 int sign;
2651
2652 memset(&curvekp, 0xd0, sizeof(curvekp));
2653
2654 #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
2655 #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
2656
2657 tt_int_op(sizeof(sk), OP_EQ, DECODE(sk, ED25519_SECRET_KEYS[i]));
2658 tt_int_op(sizeof(blinding_param), OP_EQ, DECODE(blinding_param,
2659 ED25519_BLINDING_PARAMS[i]));
2660
2661 tt_int_op(0, OP_EQ, ed25519_secret_key_from_seed(&esk, sk));
2662 EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]);
2663
2664 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &esk));
2665 EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]);
2666
2667 memcpy(&curvekp.seckey.secret_key, esk.seckey, 32);
2668 curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey);
2669
2670 tt_int_op(0, OP_EQ,
2671 ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp));
2672 tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
2673 &pkfromcurve, &curvekp.pubkey, sign));
2674 tt_mem_op(keypair.pubkey.pubkey, OP_EQ, pkfromcurve.pubkey, 32);
2675 EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]);
2676
2677 /* Self-signing */
2678 memcpy(&keypair.seckey, &esk, sizeof(esk));
2679 memcpy(&keypair.pubkey, &pk, sizeof(pk));
2680
2681 tt_int_op(0, OP_EQ, ed25519_sign(&sig, pk.pubkey, 32, &keypair));
2682
2683 EQ(sig.sig, ED25519_SELF_SIGNATURES[i]);
2684
2685 /* Blinding */
2686 tt_int_op(0, OP_EQ,
2687 ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param));
2688 tt_int_op(0, OP_EQ,
2689 ed25519_public_blind(&blind_pk, &pk, blinding_param));
2690
2691 EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]);
2692 EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]);
2693
2694 tt_mem_op(blind_pk.pubkey, OP_EQ, blind_keypair.pubkey.pubkey, 32);
2695
2696 #undef DECODE
2697 #undef EQ
2698 }
2699 done:
2700 tor_free(mem_op_hex_tmp);
2701 }
2702
2703 static void
2704 test_crypto_ed25519_storage(void *arg)
2705 {
2706 (void)arg;
2707 ed25519_keypair_t *keypair = NULL;
2708 ed25519_public_key_t pub;
2709 ed25519_secret_key_t sec;
2710 char *fname_1 = tor_strdup(get_fname("ed_seckey_1"));
2711 char *fname_2 = tor_strdup(get_fname("ed_pubkey_2"));
2712 char *contents = NULL;
2713 char *tag = NULL;
2714
2715 keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
2716 tt_int_op(0,OP_EQ,ed25519_keypair_generate(keypair, 0));
2717 tt_int_op(0,OP_EQ,
2718 ed25519_seckey_write_to_file(&keypair->seckey, fname_1, "foo"));
2719 tt_int_op(0,OP_EQ,
2720 ed25519_pubkey_write_to_file(&keypair->pubkey, fname_2, "bar"));
2721
2722 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_1));
2723 tt_ptr_op(tag, OP_EQ, NULL);
2724 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_2));
2725 tt_ptr_op(tag, OP_EQ, NULL);
2726
2727 tt_int_op(0, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2728 tt_str_op(tag, OP_EQ, "bar");
2729 tor_free(tag);
2730 tt_int_op(0, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2731 tt_str_op(tag, OP_EQ, "foo");
2732 tor_free(tag);
2733
2734 /* whitebox test: truncated keys. */
2735 tt_int_op(0, OP_EQ, do_truncate(fname_1, 40));
2736 tt_int_op(0, OP_EQ, do_truncate(fname_2, 40));
2737 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2738 tt_ptr_op(tag, OP_EQ, NULL);
2739 tor_free(tag);
2740 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2741 tt_ptr_op(tag, OP_EQ, NULL);
2742
2743 done:
2744 tor_free(fname_1);
2745 tor_free(fname_2);
2746 tor_free(contents);
2747 tor_free(tag);
2748 ed25519_keypair_free(keypair);
2749 }
2750
2751 static void
2752 test_crypto_siphash(void *arg)
2753 {
2754 /* From the reference implementation, taking
2755 k = 00 01 02 ... 0f
2756 and in = 00; 00 01; 00 01 02; ...
2757 */
2758 const uint8_t VECTORS[64][8] =
2759 {
2760 { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
2761 { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
2762 { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
2763 { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
2764 { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
2765 { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
2766 { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
2767 { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
2768 { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
2769 { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
2770 { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
2771 { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
2772 { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
2773 { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
2774 { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
2775 { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
2776 { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
2777 { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
2778 { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
2779 { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
2780 { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
2781 { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
2782 { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
2783 { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
2784 { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
2785 { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
2786 { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
2787 { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
2788 { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
2789 { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
2790 { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
2791 { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
2792 { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
2793 { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
2794 { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
2795 { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
2796 { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
2797 { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
2798 { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
2799 { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
2800 { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
2801 { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
2802 { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
2803 { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
2804 { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
2805 { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
2806 { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
2807 { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
2808 { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
2809 { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
2810 { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
2811 { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
2812 { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
2813 { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
2814 { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
2815 { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
2816 { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
2817 { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
2818 { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
2819 { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
2820 { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
2821 { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
2822 { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
2823 { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
2824 };
2825
2826 const struct sipkey K = { UINT64_C(0x0706050403020100),
2827 UINT64_C(0x0f0e0d0c0b0a0908) };
2828 uint8_t input[64];
2829 int i, j;
2830
2831 (void)arg;
2832
2833 for (i = 0; i < 64; ++i)
2834 input[i] = i;
2835
2836 for (i = 0; i < 64; ++i) {
2837 uint64_t r = siphash24(input, i, &K);
2838 for (j = 0; j < 8; ++j) {
2839 tt_int_op( (r >> (j*8)) & 0xff, OP_EQ, VECTORS[i][j]);
2840 }
2841 }
2842
2843 done:
2844 ;
2845 }
2846
2847 /* We want the likelihood that the random buffer exhibits any regular pattern
2848 * to be far less than the memory bit error rate in the int return value.
2849 * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call
2850 * 3 functions, leading to an overall error rate of 1/10^616.
2851 * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range.
2852 */
2853 #define FAILURE_MODE_BUFFER_SIZE (2048/8)
2854
2855 /** Check crypto_rand for a failure mode where it does nothing to the buffer,
2856 * or it sets the buffer to all zeroes. Return 0 when the check passes,
2857 * or -1 when it fails. */
2858 static int
2859 crypto_rand_check_failure_mode_zero(void)
2860 {
2861 char buf[FAILURE_MODE_BUFFER_SIZE];
2862
2863 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
2864 crypto_rand(buf, FAILURE_MODE_BUFFER_SIZE);
2865
2866 for (size_t i = 0; i < FAILURE_MODE_BUFFER_SIZE; i++) {
2867 if (buf[i] != 0) {
2868 return 0;
2869 }
2870 }
2871
2872 return -1;
2873 }
2874
2875 /** Check crypto_rand for a failure mode where every int64_t in the buffer is
2876 * the same. Return 0 when the check passes, or -1 when it fails. */
2877 static int
2878 crypto_rand_check_failure_mode_identical(void)
2879 {
2880 /* just in case the buffer size isn't a multiple of sizeof(int64_t) */
2881 #define FAILURE_MODE_BUFFER_SIZE_I64 \
2882 (FAILURE_MODE_BUFFER_SIZE/8)
2883 #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \
2884 (FAILURE_MODE_BUFFER_SIZE_I64*8)
2885
2886 #if FAILURE_MODE_BUFFER_SIZE_I64 < 2
2887 #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*8
2888 #endif
2889
2890 int64_t buf[FAILURE_MODE_BUFFER_SIZE_I64];
2891
2892 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
2893 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
2894
2895 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE_I64; i++) {
2896 if (buf[i] != buf[i-1]) {
2897 return 0;
2898 }
2899 }
2900
2901 return -1;
2902 }
2903
2904 /** Check crypto_rand for a failure mode where it increments the "random"
2905 * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.)
2906 * Return 0 when the check passes, or -1 when it fails. */
2907 static int
2908 crypto_rand_check_failure_mode_predict(void)
2909 {
2910 unsigned char buf[FAILURE_MODE_BUFFER_SIZE];
2911
2912 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
2913 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE);
2914
2915 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE; i++) {
2916 /* check if the last byte was incremented by 1, including integer
2917 * wrapping */
2918 if (buf[i] - buf[i-1] != 1 && buf[i-1] - buf[i] != 255) {
2919 return 0;
2920 }
2921 }
2922
2923 return -1;
2924 }
2925
2926 #undef FAILURE_MODE_BUFFER_SIZE
2927
2928 /** Test that our ed25519 validation function rejects evil public keys and
2929 * accepts good ones. */
2930 static void
2931 test_crypto_ed25519_validation(void *arg)
2932 {
2933 (void) arg;
2934
2935 int retval;
2936 ed25519_public_key_t pub1;
2937
2938 /* See https://lists.torproject.org/pipermail/tor-dev/2017-April/012230.html
2939 for a list of points with torsion components in ed25519. */
2940
2941 { /* Point with torsion component (order 8l) */
2942 const char badkey[] =
2943 "300ef2e64e588e1df55b48e4da0416ffb64cc85d5b00af6463d5cc6c2b1c185e";
2944 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2945 badkey, strlen(badkey));
2946 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2947 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2948 }
2949
2950 { /* Point with torsion component (order 4l) */
2951 const char badkey[] =
2952 "f43e3a046db8749164c6e69b193f1e942c7452e7d888736f40b98093d814d5e7";
2953 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2954 badkey, strlen(badkey));
2955 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2956 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2957 }
2958
2959 { /* Point with torsion component (order 2l) */
2960 const char badkey[] =
2961 "c9fff3af0471c28e33e98c2043e44f779d0427b1e37c521a6bddc011ed1869af";
2962 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2963 badkey, strlen(badkey));
2964 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2965 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2966 }
2967
2968 { /* This point is not even on the curve */
2969 const char badkey[] =
2970 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2971 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2972 badkey, strlen(badkey));
2973 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2974 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2975 }
2976
2977 { /* This one is a good key */
2978 const char goodkey[] =
2979 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2980 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2981 goodkey, strlen(goodkey));
2982 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2983 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
2984 }
2985
2986 done: ;
2987 }
2988
2989 static void
2990 test_crypto_failure_modes(void *arg)
2991 {
2992 int rv = 0;
2993 (void)arg;
2994
2995 rv = crypto_early_init();
2996 tt_int_op(rv, OP_EQ, 0);
2997
2998 /* Check random works */
2999 rv = crypto_rand_check_failure_mode_zero();
3000 tt_int_op(rv, OP_EQ, 0);
3001
3002 rv = crypto_rand_check_failure_mode_identical();
3003 tt_int_op(rv, OP_EQ, 0);
3004
3005 rv = crypto_rand_check_failure_mode_predict();
3006 tt_int_op(rv, OP_EQ, 0);
3007
3008 done:
3009 ;
3010 }
3011
3012 #ifndef COCCI
3013 #define CRYPTO_LEGACY(name) \
3014 { #name, test_crypto_ ## name , 0, NULL, NULL }
3015
3016 #define ED25519_TEST_ONE(name, fl, which) \
3017 { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
3018 &ed25519_test_setup, (void*)which }
3019
3020 #define ED25519_TEST(name, fl) \
3021 ED25519_TEST_ONE(name, (fl), "donna"), \
3022 ED25519_TEST_ONE(name, (fl), "ref10")
3023 #endif /* !defined(COCCI) */
3024
3025 struct testcase_t crypto_tests[] = {
3026 CRYPTO_LEGACY(formats),
3027 { "openssl_version", test_crypto_openssl_version, TT_FORK, NULL, NULL },
3028 { "aes_AES", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"aes" },
3029 { "aes_EVP", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"evp" },
3030 { "aes128_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3031 &passthrough_setup, (void*)"128" },
3032 { "aes192_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3033 &passthrough_setup, (void*)"192" },
3034 { "aes256_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3035 &passthrough_setup, (void*)"256" },
3036 CRYPTO_LEGACY(sha),
3037 CRYPTO_LEGACY(pk),
3038 { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
3039 { "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL },
3040 { "pk_pem_encrypted", test_crypto_pk_pem_encrypted, TT_FORK, NULL, NULL },
3041 { "pk_bad_size", test_crypto_pk_bad_size, 0, NULL, NULL },
3042 { "pk_invalid_private_key", test_crypto_pk_invalid_private_key, 0,
3043 NULL, NULL },
3044 CRYPTO_LEGACY(digests),
3045 { "digest_names", test_crypto_digest_names, 0, NULL, NULL },
3046 { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL},
3047 { "sha3_xof", test_crypto_sha3_xof, TT_FORK, NULL, NULL},
3048 { "mac_sha3", test_crypto_mac_sha3, TT_FORK, NULL, NULL},
3049 CRYPTO_LEGACY(dh),
3050 { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3051 (void*)"aes" },
3052 { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3053 (void*)"evp" },
3054 CRYPTO_LEGACY(base32_decode),
3055 { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL },
3056 { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
3057 { "hkdf_sha256_testvecs", test_crypto_hkdf_sha256_testvecs, 0, NULL, NULL },
3058 { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
3059 { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"},
3060 { "curve25516_testvec", test_crypto_curve25519_testvec, 0, NULL, NULL },
3061 { "curve25519_basepoint",
3062 test_crypto_curve25519_basepoint, TT_FORK, NULL, NULL },
3063 { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
3064 { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
3065 { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
3066 ED25519_TEST(simple, 0),
3067 ED25519_TEST(test_vectors, 0),
3068 ED25519_TEST(encode, 0),
3069 ED25519_TEST(convert, 0),
3070 ED25519_TEST(blinding, 0),
3071 ED25519_TEST(blinding_fail, 0),
3072 ED25519_TEST(testvectors, 0),
3073 ED25519_TEST(validation, 0),
3074 { "ed25519_storage", test_crypto_ed25519_storage, 0, NULL, NULL },
3075 { "siphash", test_crypto_siphash, 0, NULL, NULL },
3076 { "failure_modes", test_crypto_failure_modes, TT_FORK, NULL, NULL },
3077 END_OF_TESTCASES
3078 };
The Onion Router