test_crypto.c (127743B)
1 /* Copyright (c) 2001-2004, Roger Dingledine. 2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. 3 * Copyright (c) 2007-2021, The Tor Project, Inc. */ 4 /* See LICENSE for licensing information */ 5 6 #include "orconfig.h" 7 #define CRYPTO_CURVE25519_PRIVATE 8 #define CRYPTO_RAND_PRIVATE 9 #define USE_AES_RAW 10 #define TOR_AES_PRIVATE 11 #include "core/or/or.h" 12 #include "test/test.h" 13 #include "lib/crypt_ops/aes.h" 14 #include "siphash.h" 15 #include "ext/compat_blake2.h" 16 #include "ext/equix/hashx/include/hashx.h" 17 #include "lib/crypt_ops/crypto_curve25519.h" 18 #include "lib/crypt_ops/crypto_dh.h" 19 #include "lib/crypt_ops/crypto_ed25519.h" 20 #include "lib/crypt_ops/crypto_format.h" 21 #include "lib/crypt_ops/crypto_hkdf.h" 22 #include "lib/crypt_ops/crypto_rand.h" 23 #include "lib/crypt_ops/crypto_init.h" 24 #include "ed25519_vectors.inc" 25 #include "test/log_test_helpers.h" 26 #include "ext/polyval/polyval.h" 27 28 #ifdef HAVE_SYS_STAT_H 29 #include <sys/stat.h> 30 #endif 31 #ifdef HAVE_UNISTD_H 32 #include <unistd.h> 33 #endif 34 35 #if defined(ENABLE_OPENSSL) 36 #include "lib/crypt_ops/compat_openssl.h" 37 DISABLE_GCC_WARNING("-Wredundant-decls") 38 #include <openssl/dh.h> 39 ENABLE_GCC_WARNING("-Wredundant-decls") 40 #endif /* defined(ENABLE_OPENSSL) */ 41 42 /** Run unit tests for Diffie-Hellman functionality. */ 43 static void 44 test_crypto_dh(void *arg) 45 { 46 crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT); 47 crypto_dh_t *dh1_dup = NULL; 48 crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT); 49 char p1[DH2048_KEY_LEN]; 50 char p2[DH2048_KEY_LEN]; 51 char s1[DH2048_KEY_LEN]; 52 char s2[DH2048_KEY_LEN]; 53 ssize_t s1len, s2len; 54 #ifdef ENABLE_OPENSSL 55 crypto_dh_t *dh3 = NULL; 56 DH *dh4 = NULL; 57 BIGNUM *pubkey_tmp = NULL; 58 #endif 59 60 (void)arg; 61 tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH1024_KEY_LEN); 62 tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH1024_KEY_LEN); 63 64 memset(p1, 0, DH1024_KEY_LEN); 65 memset(p2, 0, DH1024_KEY_LEN); 66 tt_mem_op(p1,OP_EQ, p2, DH1024_KEY_LEN); 67 68 tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */ 69 70 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN)); 71 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN); 72 tt_assert(! crypto_dh_get_public(dh2, p2, DH1024_KEY_LEN)); 73 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN); 74 75 memset(s1, 0, DH1024_KEY_LEN); 76 memset(s2, 0xFF, DH1024_KEY_LEN); 77 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH1024_KEY_LEN, s1, 50); 78 s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH1024_KEY_LEN, s2, 50); 79 tt_assert(s1len > 0); 80 tt_int_op(s1len,OP_EQ, s2len); 81 tt_mem_op(s1,OP_EQ, s2, s1len); 82 83 /* test dh_dup; make sure it works the same. */ 84 dh1_dup = crypto_dh_dup(dh1); 85 s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH1024_KEY_LEN, 86 s1, 50); 87 tt_i64_op(s1len, OP_GE, 0); 88 tt_mem_op(s1,OP_EQ, s2, s1len); 89 90 { 91 /* Now fabricate some bad values and make sure they get caught. */ 92 93 /* 1 and 0 should both fail. */ 94 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x01", 1, s1, 50); 95 tt_int_op(-1, OP_EQ, s1len); 96 97 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50); 98 tt_int_op(-1, OP_EQ, s1len); 99 100 memset(p1, 0, DH1024_KEY_LEN); /* 0 with padding. */ 101 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, 102 s1, 50); 103 tt_int_op(-1, OP_EQ, s1len); 104 105 p1[DH1024_KEY_LEN-1] = 1; /* 1 with padding*/ 106 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, 107 s1, 50); 108 tt_int_op(-1, OP_EQ, s1len); 109 110 /* 2 is okay, though weird. */ 111 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50); 112 tt_int_op(50, OP_EQ, s1len); 113 114 /* 2 a second time is still okay, though weird. */ 115 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50); 116 tt_int_op(50, OP_EQ, s1len); 117 118 const char P[] = 119 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" 120 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B" 121 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9" 122 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6" 123 "49286651ECE65381FFFFFFFFFFFFFFFF"; 124 125 /* p-1, p, and so on are not okay. */ 126 base16_decode(p1, sizeof(p1), P, strlen(P)); 127 128 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, 129 s1, 50); 130 tt_int_op(-1, OP_EQ, s1len); 131 132 p1[DH1024_KEY_LEN-1] = 0xFE; /* p-1 */ 133 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, 134 s1, 50); 135 tt_int_op(-1, OP_EQ, s1len); 136 137 p1[DH1024_KEY_LEN-1] = 0xFD; /* p-2 works fine */ 138 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, 139 s1, 50); 140 tt_int_op(50, OP_EQ, s1len); 141 142 const char P_plus_one[] = 143 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" 144 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B" 145 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9" 146 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6" 147 "49286651ECE653820000000000000000"; 148 149 base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one)); 150 151 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, 152 s1, 50); 153 tt_int_op(-1, OP_EQ, s1len); 154 155 p1[DH1024_KEY_LEN-1] = 0x01; /* p+2 */ 156 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, 157 s1, 50); 158 tt_int_op(-1, OP_EQ, s1len); 159 160 p1[DH1024_KEY_LEN-1] = 0xff; /* p+256 */ 161 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, 162 s1, 50); 163 tt_int_op(-1, OP_EQ, s1len); 164 165 memset(p1, 0xff, DH1024_KEY_LEN), /* 2^1024-1 */ 166 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, 167 s1, 50); 168 tt_int_op(-1, OP_EQ, s1len); 169 } 170 171 { 172 /* provoke an error in the openssl DH_compute_key function; make sure we 173 * survive. */ 174 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN)); 175 176 crypto_dh_free(dh2); 177 dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */ 178 s1len = crypto_dh_compute_secret(LOG_WARN, dh2, 179 p1, DH1024_KEY_LEN, 180 s1, 50); 181 tt_int_op(s1len, OP_EQ, -1); 182 } 183 184 #if defined(ENABLE_OPENSSL) 185 { 186 /* Make sure that our crypto library can handshake with openssl. */ 187 dh3 = crypto_dh_new(DH_TYPE_TLS); 188 tt_assert(!crypto_dh_get_public(dh3, p1, sizeof(p1))); 189 190 dh4 = crypto_dh_new_openssl_tls(); 191 tt_assert(DH_generate_key(dh4)); 192 const BIGNUM *pk=NULL; 193 const BIGNUM *sk=NULL; 194 DH_get0_key(dh4, &pk, &sk); 195 tt_assert(pk); 196 tt_int_op(BN_num_bytes(pk), OP_LE, DH_TLS_KEY_BITS / 8); 197 tt_int_op(BN_num_bytes(pk), OP_GT, 0); 198 memset(p2, 0, sizeof(p2)); 199 /* right-pad. */ 200 BN_bn2bin(pk, (unsigned char *)(p2+sizeof(p2)-BN_num_bytes(pk))); 201 202 s1len = crypto_dh_handshake(LOG_WARN, dh3, p2, DH_TLS_KEY_BITS / 8, 203 (unsigned char *)s1, sizeof(s1)); 204 pubkey_tmp = BN_bin2bn((unsigned char *)p1, DH_TLS_KEY_BITS / 8, NULL); 205 s2len = DH_compute_key((unsigned char *)s2, pubkey_tmp, dh4); 206 207 tt_int_op(s1len, OP_EQ, s2len); 208 tt_int_op(s1len, OP_GT, 0); 209 tt_mem_op(s1, OP_EQ, s2, s1len); 210 } 211 #endif /* defined(ENABLE_OPENSSL) */ 212 213 done: 214 crypto_dh_free(dh1); 215 crypto_dh_free(dh2); 216 crypto_dh_free(dh1_dup); 217 #ifdef ENABLE_OPENSSL 218 crypto_dh_free(dh3); 219 if (dh4) 220 DH_free(dh4); 221 if (pubkey_tmp) 222 BN_free(pubkey_tmp); 223 #endif /* defined(ENABLE_OPENSSL) */ 224 } 225 226 static void 227 test_crypto_openssl_version(void *arg) 228 { 229 (void)arg; 230 #ifdef ENABLE_NSS 231 tt_skip(); 232 #else 233 const char *version = crypto_openssl_get_version_str(); 234 const char *h_version = crypto_openssl_get_header_version_str(); 235 tt_assert(version); 236 tt_assert(h_version); 237 if (strcmpstart(version, h_version)) { /* "-fips" suffix, etc */ 238 TT_DIE(("OpenSSL library version %s did not begin with header version %s.", 239 version, h_version)); 240 } 241 if (strstr(version, "OpenSSL")) { 242 TT_DIE(("assertion failed: !strstr(\"%s\", \"OpenSSL\")", version)); 243 } 244 int a=-1,b=-1,c=-1; 245 if (!strcmpstart(version, "LibreSSL") || !strcmpstart(version, "BoringSSL")) 246 return; 247 int r = tor_sscanf(version, "%d.%d.%d", &a,&b,&c); 248 tt_int_op(r, OP_EQ, 3); 249 tt_int_op(a, OP_GE, 0); 250 tt_int_op(b, OP_GE, 0); 251 tt_int_op(c, OP_GE, 0); 252 #endif /* defined(ENABLE_NSS) */ 253 254 done: 255 ; 256 } 257 258 /** Run unit tests for our AES128 functionality */ 259 static void 260 test_crypto_aes128(void *arg) 261 { 262 (void)arg; 263 char *data1 = NULL, *data2 = NULL, *data3 = NULL; 264 crypto_cipher_t *env1 = NULL, *env2 = NULL; 265 int i, j; 266 char *mem_op_hex_tmp=NULL; 267 char key[CIPHER_KEY_LEN]; 268 269 data1 = tor_malloc(1024); 270 data2 = tor_malloc(1024); 271 data3 = tor_malloc(1024); 272 273 /* Now, test encryption and decryption with stream cipher. */ 274 data1[0]='\0'; 275 for (i = 1023; i>0; i -= 35) 276 strncat(data1, "Now is the time for all good onions", i); 277 278 memset(data2, 0, 1024); 279 memset(data3, 0, 1024); 280 crypto_rand(key, sizeof(key)); 281 env1 = crypto_cipher_new(key); 282 tt_ptr_op(env1, OP_NE, NULL); 283 env2 = crypto_cipher_new(key); 284 tt_ptr_op(env2, OP_NE, NULL); 285 286 /* Try encrypting 512 chars. */ 287 crypto_cipher_encrypt(env1, data2, data1, 512); 288 crypto_cipher_decrypt(env2, data3, data2, 512); 289 tt_mem_op(data1,OP_EQ, data3, 512); 290 tt_mem_op(data1,OP_NE, data2, 512); 291 292 /* Now encrypt 1 at a time, and get 1 at a time. */ 293 for (j = 512; j < 560; ++j) { 294 crypto_cipher_encrypt(env1, data2+j, data1+j, 1); 295 } 296 for (j = 512; j < 560; ++j) { 297 crypto_cipher_decrypt(env2, data3+j, data2+j, 1); 298 } 299 tt_mem_op(data1,OP_EQ, data3, 560); 300 /* Now encrypt 3 at a time, and get 5 at a time. */ 301 for (j = 560; j < 1024-5; j += 3) { 302 crypto_cipher_encrypt(env1, data2+j, data1+j, 3); 303 } 304 for (j = 560; j < 1024-5; j += 5) { 305 crypto_cipher_decrypt(env2, data3+j, data2+j, 5); 306 } 307 tt_mem_op(data1,OP_EQ, data3, 1024-5); 308 /* Now make sure that when we encrypt with different chunk sizes, we get 309 the same results. */ 310 crypto_cipher_free(env2); 311 env2 = NULL; 312 313 memset(data3, 0, 1024); 314 env2 = crypto_cipher_new(key); 315 tt_ptr_op(env2, OP_NE, NULL); 316 for (j = 0; j < 1024-16; j += 17) { 317 crypto_cipher_encrypt(env2, data3+j, data1+j, 17); 318 } 319 for (j= 0; j < 1024-16; ++j) { 320 if (data2[j] != data3[j]) { 321 printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]); 322 } 323 } 324 tt_mem_op(data2,OP_EQ, data3, 1024-16); 325 crypto_cipher_free(env1); 326 env1 = NULL; 327 crypto_cipher_free(env2); 328 env2 = NULL; 329 330 /* NIST test vector for aes. */ 331 /* IV starts at 0 */ 332 env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00" 333 "\x00\x00\x00\x00\x00\x00\x00\x00"); 334 crypto_cipher_encrypt(env1, data1, 335 "\x00\x00\x00\x00\x00\x00\x00\x00" 336 "\x00\x00\x00\x00\x00\x00\x00\x00", 16); 337 test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8"); 338 339 /* Now test rollover. All these values are originally from a python 340 * script. */ 341 crypto_cipher_free(env1); 342 env1 = crypto_cipher_new_with_iv( 343 "\x80\x00\x00\x00\x00\x00\x00\x00" 344 "\x00\x00\x00\x00\x00\x00\x00\x00", 345 "\x00\x00\x00\x00\x00\x00\x00\x00" 346 "\xff\xff\xff\xff\xff\xff\xff\xff"); 347 memset(data2, 0, 1024); 348 crypto_cipher_encrypt(env1, data1, data2, 32); 349 test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231" 350 "cdd0b917dbc7186908a6bfb5ffd574d3"); 351 crypto_cipher_free(env1); 352 env1 = crypto_cipher_new_with_iv( 353 "\x80\x00\x00\x00\x00\x00\x00\x00" 354 "\x00\x00\x00\x00\x00\x00\x00\x00", 355 "\x00\x00\x00\x00\xff\xff\xff\xff" 356 "\xff\xff\xff\xff\xff\xff\xff\xff"); 357 memset(data2, 0, 1024); 358 crypto_cipher_encrypt(env1, data1, data2, 32); 359 test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73" 360 "3e63c721df790d2c6469cc1953a3ffac"); 361 crypto_cipher_free(env1); 362 env1 = crypto_cipher_new_with_iv( 363 "\x80\x00\x00\x00\x00\x00\x00\x00" 364 "\x00\x00\x00\x00\x00\x00\x00\x00", 365 "\xff\xff\xff\xff\xff\xff\xff\xff" 366 "\xff\xff\xff\xff\xff\xff\xff\xff"); 367 memset(data2, 0, 1024); 368 crypto_cipher_encrypt(env1, data1, data2, 32); 369 test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a" 370 "0EDD33D3C621E546455BD8BA1418BEC8"); 371 372 /* Now check rollover on inplace cipher. */ 373 crypto_cipher_free(env1); 374 env1 = crypto_cipher_new_with_iv( 375 "\x80\x00\x00\x00\x00\x00\x00\x00" 376 "\x00\x00\x00\x00\x00\x00\x00\x00", 377 "\xff\xff\xff\xff\xff\xff\xff\xff" 378 "\xff\xff\xff\xff\xff\xff\xff\xff"); 379 crypto_cipher_crypt_inplace(env1, data2, 64); 380 test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a" 381 "0EDD33D3C621E546455BD8BA1418BEC8" 382 "93e2c5243d6839eac58503919192f7ae" 383 "1908e67cafa08d508816659c2e693191"); 384 crypto_cipher_free(env1); 385 env1 = crypto_cipher_new_with_iv( 386 "\x80\x00\x00\x00\x00\x00\x00\x00" 387 "\x00\x00\x00\x00\x00\x00\x00\x00", 388 "\xff\xff\xff\xff\xff\xff\xff\xff" 389 "\xff\xff\xff\xff\xff\xff\xff\xff"); 390 crypto_cipher_crypt_inplace(env1, data2, 64); 391 tt_assert(fast_mem_is_zero(data2, 64)); 392 393 done: 394 tor_free(mem_op_hex_tmp); 395 if (env1) 396 crypto_cipher_free(env1); 397 if (env2) 398 crypto_cipher_free(env2); 399 tor_free(data1); 400 tor_free(data2); 401 tor_free(data3); 402 } 403 404 static void 405 test_crypto_aes_ctr_testvec(void *arg) 406 { 407 const char *bitstr = arg; 408 char *mem_op_hex_tmp=NULL; 409 crypto_cipher_t *c=NULL; 410 411 /* from NIST SP800-38a, section F.5 */ 412 const char ctr16[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"; 413 const char plaintext16[] = 414 "6bc1bee22e409f96e93d7e117393172a" 415 "ae2d8a571e03ac9c9eb76fac45af8e51" 416 "30c81c46a35ce411e5fbc1191a0a52ef" 417 "f69f2445df4f9b17ad2b417be66c3710"; 418 const char *ciphertext16; 419 const char *key16; 420 int bits; 421 422 if (!strcmp(bitstr, "128")) { 423 ciphertext16 = /* section F.5.1 */ 424 "874d6191b620e3261bef6864990db6ce" 425 "9806f66b7970fdff8617187bb9fffdff" 426 "5ae4df3edbd5d35e5b4f09020db03eab" 427 "1e031dda2fbe03d1792170a0f3009cee"; 428 key16 = "2b7e151628aed2a6abf7158809cf4f3c"; 429 bits = 128; 430 } else if (!strcmp(bitstr, "192")) { 431 ciphertext16 = /* section F.5.3 */ 432 "1abc932417521ca24f2b0459fe7e6e0b" 433 "090339ec0aa6faefd5ccc2c6f4ce8e94" 434 "1e36b26bd1ebc670d1bd1d665620abf7" 435 "4f78a7f6d29809585a97daec58c6b050"; 436 key16 = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; 437 bits = 192; 438 } else if (!strcmp(bitstr, "256")) { 439 ciphertext16 = /* section F.5.5 */ 440 "601ec313775789a5b7a7f504bbf3d228" 441 "f443e3ca4d62b59aca84e990cacaf5c5" 442 "2b0930daa23de94ce87017ba2d84988d" 443 "dfc9c58db67aada613c2dd08457941a6"; 444 key16 = 445 "603deb1015ca71be2b73aef0857d7781" 446 "1f352c073b6108d72d9810a30914dff4"; 447 bits = 256; 448 } else { 449 tt_abort_msg("AES doesn't support this number of bits."); 450 } 451 452 char key[32]; 453 char iv[16]; 454 char plaintext[16*4]; 455 memset(key, 0xf9, sizeof(key)); /* poison extra bytes */ 456 base16_decode(key, sizeof(key), key16, strlen(key16)); 457 base16_decode(iv, sizeof(iv), ctr16, strlen(ctr16)); 458 base16_decode(plaintext, sizeof(plaintext), 459 plaintext16, strlen(plaintext16)); 460 461 c = crypto_cipher_new_with_iv_and_bits((uint8_t*)key, (uint8_t*)iv, bits); 462 crypto_cipher_crypt_inplace(c, plaintext, sizeof(plaintext)); 463 test_memeq_hex(plaintext, ciphertext16); 464 465 done: 466 tor_free(mem_op_hex_tmp); 467 crypto_cipher_free(c); 468 } 469 470 /** Run unit tests for our SHA-1 functionality */ 471 static void 472 test_crypto_sha(void *arg) 473 { 474 crypto_digest_t *d1 = NULL, *d2 = NULL; 475 int i; 476 #define RFC_4231_MAX_KEY_SIZE 131 477 char key[RFC_4231_MAX_KEY_SIZE]; 478 char digest[DIGEST256_LEN]; 479 char data[DIGEST512_LEN]; 480 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN]; 481 char *mem_op_hex_tmp=NULL; 482 483 /* Test SHA-1 with a test vector from the specification. */ 484 (void)arg; 485 i = crypto_digest(data, "abc", 3); 486 test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D"); 487 tt_int_op(i, OP_EQ, 0); 488 489 /* Test SHA-256 with a test vector from the specification. */ 490 i = crypto_digest256(data, "abc", 3, DIGEST_SHA256); 491 test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3" 492 "96177A9CB410FF61F20015AD"); 493 tt_int_op(i, OP_EQ, 0); 494 495 /* Test SHA-512 with a test vector from the specification. */ 496 i = crypto_digest512(data, "abc", 3, DIGEST_SHA512); 497 test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97" 498 "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3" 499 "feebbd454d4423643ce80e2a9ac94fa54ca49f"); 500 tt_int_op(i, OP_EQ, 0); 501 502 /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */ 503 504 /* Case empty (wikipedia) */ 505 crypto_hmac_sha256(digest, "", 0, "", 0); 506 tt_str_op(hex_str(digest, 32),OP_EQ, 507 "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD"); 508 509 /* Case quick-brown (wikipedia) */ 510 crypto_hmac_sha256(digest, "key", 3, 511 "The quick brown fox jumps over the lazy dog", 43); 512 tt_str_op(hex_str(digest, 32),OP_EQ, 513 "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8"); 514 515 /* "Test Case 1" from RFC 4231 */ 516 memset(key, 0x0b, 20); 517 crypto_hmac_sha256(digest, key, 20, "Hi There", 8); 518 test_memeq_hex(digest, 519 "b0344c61d8db38535ca8afceaf0bf12b" 520 "881dc200c9833da726e9376c2e32cff7"); 521 522 /* "Test Case 2" from RFC 4231 */ 523 memset(key, 0x0b, 20); 524 crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28); 525 test_memeq_hex(digest, 526 "5bdcc146bf60754e6a042426089575c7" 527 "5a003f089d2739839dec58b964ec3843"); 528 529 /* "Test case 3" from RFC 4231 */ 530 memset(key, 0xaa, 20); 531 memset(data, 0xdd, 50); 532 crypto_hmac_sha256(digest, key, 20, data, 50); 533 test_memeq_hex(digest, 534 "773ea91e36800e46854db8ebd09181a7" 535 "2959098b3ef8c122d9635514ced565fe"); 536 537 /* "Test case 4" from RFC 4231 */ 538 base16_decode(key, 25, 539 "0102030405060708090a0b0c0d0e0f10111213141516171819", 50); 540 memset(data, 0xcd, 50); 541 crypto_hmac_sha256(digest, key, 25, data, 50); 542 test_memeq_hex(digest, 543 "82558a389a443c0ea4cc819899f2083a" 544 "85f0faa3e578f8077a2e3ff46729665b"); 545 546 /* "Test case 5" from RFC 4231 */ 547 memset(key, 0x0c, 20); 548 crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20); 549 test_memeq_hex(digest, 550 "a3b6167473100ee06e0c796c2955552b"); 551 552 /* "Test case 6" from RFC 4231 */ 553 memset(key, 0xaa, 131); 554 crypto_hmac_sha256(digest, key, 131, 555 "Test Using Larger Than Block-Size Key - Hash Key First", 556 54); 557 test_memeq_hex(digest, 558 "60e431591ee0b67f0d8a26aacbf5b77f" 559 "8e0bc6213728c5140546040f0ee37f54"); 560 561 /* "Test case 7" from RFC 4231 */ 562 memset(key, 0xaa, 131); 563 crypto_hmac_sha256(digest, key, 131, 564 "This is a test using a larger than block-size key and a " 565 "larger than block-size data. The key needs to be hashed " 566 "before being used by the HMAC algorithm.", 152); 567 test_memeq_hex(digest, 568 "9b09ffa71b942fcb27635fbcd5b0e944" 569 "bfdc63644f0713938a7f51535c3a35e2"); 570 571 /* Incremental digest code. */ 572 d1 = crypto_digest_new(); 573 tt_assert(d1); 574 crypto_digest_add_bytes(d1, "abcdef", 6); 575 d2 = crypto_digest_dup(d1); 576 tt_assert(d2); 577 crypto_digest_add_bytes(d2, "ghijkl", 6); 578 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN); 579 crypto_digest(d_out2, "abcdefghijkl", 12); 580 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN); 581 crypto_digest_assign(d2, d1); 582 crypto_digest_add_bytes(d2, "mno", 3); 583 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN); 584 crypto_digest(d_out2, "abcdefmno", 9); 585 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN); 586 crypto_digest_get_digest(d1, d_out1, DIGEST_LEN); 587 crypto_digest(d_out2, "abcdef", 6); 588 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN); 589 crypto_digest_free(d1); 590 crypto_digest_free(d2); 591 592 /* Incremental digest code with sha256 */ 593 d1 = crypto_digest256_new(DIGEST_SHA256); 594 tt_assert(d1); 595 crypto_digest_add_bytes(d1, "abcdef", 6); 596 d2 = crypto_digest_dup(d1); 597 tt_assert(d2); 598 crypto_digest_add_bytes(d2, "ghijkl", 6); 599 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN); 600 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256); 601 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN); 602 crypto_digest_assign(d2, d1); 603 crypto_digest_add_bytes(d2, "mno", 3); 604 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN); 605 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256); 606 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN); 607 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN); 608 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256); 609 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN); 610 crypto_digest_free(d1); 611 crypto_digest_free(d2); 612 613 /* Incremental digest code with sha512 */ 614 d1 = crypto_digest512_new(DIGEST_SHA512); 615 tt_assert(d1); 616 crypto_digest_add_bytes(d1, "abcdef", 6); 617 d2 = crypto_digest_dup(d1); 618 tt_assert(d2); 619 crypto_digest_add_bytes(d2, "ghijkl", 6); 620 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN); 621 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512); 622 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN); 623 crypto_digest_assign(d2, d1); 624 crypto_digest_add_bytes(d2, "mno", 3); 625 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN); 626 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512); 627 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN); 628 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN); 629 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512); 630 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN); 631 632 done: 633 if (d1) 634 crypto_digest_free(d1); 635 if (d2) 636 crypto_digest_free(d2); 637 tor_free(mem_op_hex_tmp); 638 } 639 640 static void 641 test_crypto_sha3(void *arg) 642 { 643 crypto_digest_t *d1 = NULL, *d2 = NULL; 644 int i; 645 char data[DIGEST512_LEN]; 646 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN]; 647 char *mem_op_hex_tmp=NULL; 648 char *large = NULL; 649 650 (void)arg; 651 652 /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package. 653 * 654 * NB: The code package's test vectors have length expressed in bits. 655 */ 656 657 /* Len = 8, Msg = CC */ 658 const uint8_t keccak_kat_msg8[] = { 0xcc }; 659 i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256); 660 test_memeq_hex(data, "677035391CD3701293D385F037BA3279" 661 "6252BB7CE180B00B582DD9B20AAAD7F0"); 662 tt_int_op(i, OP_EQ, 0); 663 i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512); 664 test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC" 665 "C36E2EE0F652AC72E02624FA2E5ADEEC" 666 "C7DD6BB3580224B4D6138706FC6E8059" 667 "7B528051230B00621CC2B22999EAA205"); 668 tt_int_op(i, OP_EQ, 0); 669 670 /* Len = 24, Msg = 1F877C */ 671 const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c }; 672 i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3, 673 DIGEST_SHA3_256); 674 test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1" 675 "C9C966712A501B19D1B6632CCD408EC5"); 676 tt_int_op(i, OP_EQ, 0); 677 i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3, 678 DIGEST_SHA3_512); 679 test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C" 680 "1A2F0D0608C3A575163751F002DB30F4" 681 "0F2F671834B22D208591CFAF1F5ECFE4" 682 "3C49863A53B3225BDFD7C6591BA7658B"); 683 tt_int_op(i, OP_EQ, 0); 684 685 /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */ 686 const uint8_t keccak_kat_msg1080[] = { 687 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1, 688 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8, 689 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE, 690 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73, 691 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC, 692 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60, 693 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34, 694 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55, 695 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49, 696 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71, 697 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C, 698 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D, 699 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE, 700 0xD6, 0xA8, 0x05, 0x2F, 0xBB, 701 }; 702 i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135, 703 DIGEST_SHA3_256); 704 test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18" 705 "BE9B7C736B8059ABFD6779AC35AC81B5"); 706 tt_int_op(i, OP_EQ, 0); 707 i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135, 708 DIGEST_SHA3_512); 709 test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1" 710 "CB78696773A212A5F62D02D14E3259D1" 711 "92A87EBA4407DD83893527331407B6DA" 712 "DAAD920DBC46489B677493CE5F20B595"); 713 tt_int_op(i, OP_EQ, 0); 714 715 /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */ 716 const uint8_t keccak_kat_msg1088[] = { 717 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D, 718 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C, 719 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE, 720 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70, 721 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD, 722 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B, 723 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95, 724 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68, 725 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4, 726 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3, 727 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE, 728 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B, 729 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67, 730 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04, 731 }; 732 i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136, 733 DIGEST_SHA3_256); 734 test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC" 735 "77B5286364FE16C59CC8A907AFF07732"); 736 tt_int_op(i, OP_EQ, 0); 737 i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136, 738 DIGEST_SHA3_512); 739 test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E" 740 "FB94A14C72DE5ACD10D0EB5ECE029CAD" 741 "FA3BA17A40B2FFA2163991B17786E51C" 742 "ABA79E5E0FFD34CF085E2A098BE8BACB"); 743 tt_int_op(i, OP_EQ, 0); 744 745 /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */ 746 const uint8_t keccak_kat_msg1096[] = { 747 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40, 748 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5, 749 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2, 750 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD, 751 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13, 752 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE, 753 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78, 754 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B, 755 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4, 756 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37, 757 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E, 758 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96, 759 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D, 760 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D, 761 }; 762 i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137, 763 DIGEST_SHA3_256); 764 test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D" 765 "735E0177279222E7AC0AF8504762FAA0"); 766 tt_int_op(i, OP_EQ, 0); 767 i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137, 768 DIGEST_SHA3_512); 769 test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C" 770 "40474041DE83D4A60645A826D7AF1ABE" 771 "1EEFCB7B74B62CA6A514E5F2697D585B" 772 "FECECE12931BBE1D4ED7EBF7B0BE660E"); 773 tt_int_op(i, OP_EQ, 0); 774 775 /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */ 776 const uint8_t keccak_kat_msg1144[] = { 777 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E, 778 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2, 779 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90, 780 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B, 781 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A, 782 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2, 783 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B, 784 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6, 785 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69, 786 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE, 787 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63, 788 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA, 789 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95, 790 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66, 791 0xDF, 0xAF, 0xEC, 792 }; 793 i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143, 794 DIGEST_SHA3_512); 795 test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6" 796 "605516615D96A062C8BE53A0D6C5A648" 797 "7BE35D2A8F3CF6620D0C2DBA2C560D68" 798 "295F284BE7F82F3B92919033C9CE5D80"); 799 tt_int_op(i, OP_EQ, 0); 800 i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143, 801 DIGEST_SHA3_256); 802 test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6" 803 "118C0C2C606BDCDA06E7943D2C95E0E5"); 804 tt_int_op(i, OP_EQ, 0); 805 806 /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */ 807 const uint8_t keccak_kat_msg1152[] = { 808 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26, 809 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D, 810 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63, 811 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B, 812 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F, 813 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1, 814 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5, 815 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3, 816 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA, 817 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32, 818 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5, 819 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29, 820 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F, 821 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47, 822 0x9E, 0xE0, 0x0C, 0x63, 823 }; 824 i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144, 825 DIGEST_SHA3_512); 826 test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735" 827 "22775DCB6019DCD22B8885994672A088" 828 "9C69E8115C641DC8B83E39F7311815A1" 829 "64DC46E0BA2FCA344D86D4BC2EF2532C"); 830 tt_int_op(i, OP_EQ, 0); 831 i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144, 832 DIGEST_SHA3_256); 833 test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD" 834 "84DA47678F3C2FFE5A39FDB5F7E63FFB"); 835 tt_int_op(i, OP_EQ, 0); 836 837 /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */ 838 const uint8_t keccak_kat_msg1160[] = { 839 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4, 840 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC, 841 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2, 842 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21, 843 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58, 844 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8, 845 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79, 846 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82, 847 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48, 848 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57, 849 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D, 850 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9, 851 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94, 852 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53, 853 0x70, 0x11, 0x04, 0x4C, 0x53, 854 }; 855 i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145, 856 DIGEST_SHA3_512); 857 test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04" 858 "05221AC5EFB1229842E4614F4A029C9B" 859 "D14A0ED7FD99AF3681429F3F309FDB53" 860 "166AA9A3CD9F1F1223D04B4A9015E94A"); 861 tt_int_op(i, OP_EQ, 0); 862 i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145, 863 DIGEST_SHA3_256); 864 test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814" 865 "3CF6235C6B0B7969342C45A35194B67E"); 866 tt_int_op(i, OP_EQ, 0); 867 868 /* SHA3-[256,512] Empty case (wikipedia) */ 869 i = crypto_digest256(data, "", 0, DIGEST_SHA3_256); 870 test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662" 871 "f580ff4de43b49fa82d80a4b80f8434a"); 872 tt_int_op(i, OP_EQ, 0); 873 i = crypto_digest512(data, "", 0, DIGEST_SHA3_512); 874 test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e" 875 "97c982164fe25859e0d1dcc1475c80a6" 876 "15b2123af1f5f94c11e3e9402c3ac558" 877 "f500199d95b6d3e301758586281dcd26"); 878 tt_int_op(i, OP_EQ, 0); 879 880 /* Incremental digest code with SHA3-256 */ 881 d1 = crypto_digest256_new(DIGEST_SHA3_256); 882 tt_assert(d1); 883 crypto_digest_add_bytes(d1, "abcdef", 6); 884 d2 = crypto_digest_dup(d1); 885 tt_assert(d2); 886 crypto_digest_add_bytes(d2, "ghijkl", 6); 887 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN); 888 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256); 889 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN); 890 crypto_digest_assign(d2, d1); 891 crypto_digest_add_bytes(d2, "mno", 3); 892 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN); 893 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256); 894 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN); 895 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN); 896 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256); 897 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN); 898 crypto_digest_free(d1); 899 crypto_digest_free(d2); 900 901 /* Incremental digest code with SHA3-512 */ 902 d1 = crypto_digest512_new(DIGEST_SHA3_512); 903 tt_assert(d1); 904 crypto_digest_add_bytes(d1, "abcdef", 6); 905 d2 = crypto_digest_dup(d1); 906 tt_assert(d2); 907 crypto_digest_add_bytes(d2, "ghijkl", 6); 908 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN); 909 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512); 910 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN); 911 crypto_digest_assign(d2, d1); 912 crypto_digest_add_bytes(d2, "mno", 3); 913 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN); 914 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512); 915 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN); 916 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN); 917 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512); 918 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN); 919 crypto_digest_free(d1); 920 921 /* Attempt to exercise the incremental hashing code by creating a randomized 922 * 30 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512 923 * is used because it has a lowest rate of the family (the code is common, 924 * but the slower rate exercises more of it). 925 */ 926 const size_t bufsz = 30 * 1024; 927 size_t j = 0; 928 large = tor_malloc(bufsz); 929 crypto_rand(large, bufsz); 930 d1 = crypto_digest512_new(DIGEST_SHA3_512); /* Running digest. */ 931 while (j < bufsz) { 932 /* Pick how much data to add to the running digest. */ 933 size_t incr = (size_t)crypto_rand_int_range(1, 72 * 5); 934 incr = MIN(bufsz - j, incr); 935 936 /* Add the data, and calculate the hash. */ 937 crypto_digest_add_bytes(d1, large + j, incr); 938 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN); 939 940 /* One-shot hash the buffer up to the data that was just added, 941 * and ensure that the values match up. 942 * 943 * XXX/yawning: If this actually fails, it'll be rather difficult to 944 * reproduce. Improvements welcome. 945 */ 946 i = crypto_digest512(d_out2, large, j + incr, DIGEST_SHA3_512); 947 tt_int_op(i, OP_EQ, 0); 948 tt_mem_op(d_out1, OP_EQ, d_out2, DIGEST512_LEN); 949 950 j += incr; 951 } 952 953 done: 954 if (d1) 955 crypto_digest_free(d1); 956 if (d2) 957 crypto_digest_free(d2); 958 tor_free(large); 959 tor_free(mem_op_hex_tmp); 960 } 961 962 /** Run unit tests for our XOF. */ 963 static void 964 test_crypto_sha3_xof(void *arg) 965 { 966 uint8_t msg[255]; 967 uint8_t out[512]; 968 crypto_xof_t *xof; 969 char *mem_op_hex_tmp=NULL; 970 971 (void)arg; 972 973 /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */ 974 base16_decode((char *)msg, 255, 975 "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431" 976 "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1" 977 "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F" 978 "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457" 979 "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186" 980 "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3" 981 "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565" 982 "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7" 983 "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510); 984 const char *squeezed_hex = 985 "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE" 986 "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A" 987 "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84" 988 "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF" 989 "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60" 990 "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9" 991 "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34" 992 "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF" 993 "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90" 994 "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC" 995 "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18" 996 "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775" 997 "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B" 998 "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2" 999 "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78" 1000 "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9" 1001 "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39" 1002 "73D4"; 1003 1004 /* Test oneshot absorb/squeeze. */ 1005 xof = crypto_xof_new(); 1006 tt_assert(xof); 1007 crypto_xof_add_bytes(xof, msg, sizeof(msg)); 1008 crypto_xof_squeeze_bytes(xof, out, sizeof(out)); 1009 test_memeq_hex(out, squeezed_hex); 1010 crypto_xof_free(xof); 1011 memset(out, 0, sizeof(out)); 1012 1013 /* Test one-function absorb/squeeze. */ 1014 crypto_xof(out, sizeof(out), msg, sizeof(msg)); 1015 test_memeq_hex(out, squeezed_hex); 1016 memset(out, 0, sizeof(out)); 1017 1018 /* Test incremental absorb/squeeze. */ 1019 xof = crypto_xof_new(); 1020 tt_assert(xof); 1021 for (size_t i = 0; i < sizeof(msg); i++) 1022 crypto_xof_add_bytes(xof, msg + i, 1); 1023 for (size_t i = 0; i < sizeof(out); i++) { 1024 crypto_xof_squeeze_bytes(xof, out + i, 1); 1025 } 1026 test_memeq_hex(out, squeezed_hex); 1027 1028 done: 1029 if (xof) 1030 crypto_xof_free(xof); 1031 tor_free(mem_op_hex_tmp); 1032 } 1033 1034 /* Test our MAC-SHA3 function. There are not actually any MAC-SHA3 test 1035 * vectors out there for our H(len(k) || k || m) construction. Hence what we 1036 * are gonna do is test our crypto_mac_sha3_256() function against manually 1037 * doing H(len(k) || k||m). If in the future the Keccak group decides to 1038 * standarize an MAC construction and make test vectors, we should 1039 * incorporate them here. */ 1040 static void 1041 test_crypto_mac_sha3(void *arg) 1042 { 1043 const char msg[] = "i am in a library somewhere using my computer"; 1044 const char key[] = "i'm from the past talking to the future."; 1045 char *mem_op_hex_tmp = NULL; 1046 1047 uint8_t hmac_test[DIGEST256_LEN]; 1048 char hmac_manual[DIGEST256_LEN]; 1049 1050 (void) arg; 1051 1052 /* First let's use our nice HMAC-SHA3 function */ 1053 crypto_mac_sha3_256(hmac_test, sizeof(hmac_test), 1054 (uint8_t *) key, strlen(key), 1055 (uint8_t *) msg, strlen(msg)); 1056 1057 /* Now let's try a manual H(len(k) || k || m) construction */ 1058 { 1059 char *key_msg_concat = NULL, *all = NULL; 1060 int result; 1061 const uint64_t key_len_netorder = tor_htonll(strlen(key)); 1062 size_t all_len; 1063 1064 tor_asprintf(&key_msg_concat, "%s%s", key, msg); 1065 all_len = sizeof(key_len_netorder) + strlen(key_msg_concat); 1066 all = tor_malloc_zero(all_len); 1067 memcpy(all, &key_len_netorder, sizeof(key_len_netorder)); 1068 memcpy(all + sizeof(key_len_netorder), key_msg_concat, 1069 strlen(key_msg_concat)); 1070 1071 result = crypto_digest256(hmac_manual, all, all_len, DIGEST_SHA3_256); 1072 tor_free(key_msg_concat); 1073 tor_free(all); 1074 tt_int_op(result, OP_EQ, 0); 1075 } 1076 1077 /* Now compare the two results */ 1078 tt_mem_op(hmac_test, OP_EQ, hmac_manual, DIGEST256_LEN); 1079 1080 /* Check against a known correct value (computed from python) */ 1081 test_memeq_hex(hmac_test, 1082 "753fba6d87d49497238a512a3772dd29" 1083 "1e55f7d1cd332c9fb5c967c7a10a13ca"); 1084 done: 1085 tor_free(mem_op_hex_tmp); 1086 } 1087 1088 /** Run unit tests for our public key crypto functions */ 1089 static void 1090 test_crypto_pk(void *arg) 1091 { 1092 crypto_pk_t *pk1 = NULL, *pk2 = NULL; 1093 char *encoded = NULL; 1094 char data1[1024], data2[1024], data3[1024]; 1095 size_t size; 1096 int i, len; 1097 1098 /* Public-key ciphers */ 1099 (void)arg; 1100 pk1 = pk_generate(0); 1101 pk2 = crypto_pk_new(); 1102 tt_assert(pk1 && pk2); 1103 tt_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size)); 1104 tt_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size)); 1105 tt_int_op(0,OP_EQ, crypto_pk_cmp_keys(pk1, pk2)); 1106 1107 /* comparison between keys and NULL */ 1108 tt_int_op(crypto_pk_cmp_keys(NULL, pk1), OP_LT, 0); 1109 tt_int_op(crypto_pk_cmp_keys(NULL, NULL), OP_EQ, 0); 1110 tt_int_op(crypto_pk_cmp_keys(pk1, NULL), OP_GT, 0); 1111 1112 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk1)); 1113 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk1)); 1114 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk2)); 1115 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk2)); 1116 1117 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk2, data1, sizeof(data1), 1118 "Hello whirled.", 15, 1119 PK_PKCS1_OAEP_PADDING)); 1120 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk1, data2, sizeof(data1), 1121 "Hello whirled.", 15, 1122 PK_PKCS1_OAEP_PADDING)); 1123 /* oaep padding should make encryption not match */ 1124 tt_mem_op(data1,OP_NE, data2, 128); 1125 tt_int_op(15,OP_EQ, 1126 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128, 1127 PK_PKCS1_OAEP_PADDING,1)); 1128 tt_str_op(data3,OP_EQ, "Hello whirled."); 1129 memset(data3, 0, 1024); 1130 tt_int_op(15,OP_EQ, 1131 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128, 1132 PK_PKCS1_OAEP_PADDING,1)); 1133 tt_str_op(data3,OP_EQ, "Hello whirled."); 1134 /* Can't decrypt with public key. */ 1135 tt_int_op(-1,OP_EQ, 1136 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128, 1137 PK_PKCS1_OAEP_PADDING,1)); 1138 /* Try again with bad padding */ 1139 memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */ 1140 tt_int_op(-1,OP_EQ, 1141 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128, 1142 PK_PKCS1_OAEP_PADDING,1)); 1143 1144 /* File operations: save and load private key */ 1145 tt_assert(! crypto_pk_write_private_key_to_filename(pk1, 1146 get_fname("pkey1"))); 1147 /* failing case for read: can't read. */ 1148 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")), 1149 OP_LT, 0); 1150 write_str_to_file(get_fname("xyzzy"), "foobar", 6); 1151 /* Failing case for read: no key. */ 1152 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")), 1153 OP_LT, 0); 1154 tt_assert(! crypto_pk_read_private_key_from_filename(pk2, 1155 get_fname("pkey1"))); 1156 tt_int_op(15,OP_EQ, 1157 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128, 1158 PK_PKCS1_OAEP_PADDING,1)); 1159 1160 /* Now try signing. */ 1161 strlcpy(data1, "Ossifrage", 1024); 1162 tt_int_op(128,OP_EQ, 1163 crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10)); 1164 tt_int_op(10,OP_EQ, 1165 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128)); 1166 tt_str_op(data3,OP_EQ, "Ossifrage"); 1167 /* Try signing digests. */ 1168 tt_int_op(128,OP_EQ, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2), 1169 data1, 10)); 1170 tt_int_op(20,OP_EQ, 1171 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128)); 1172 tt_int_op(0,OP_EQ, 1173 crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128)); 1174 tt_int_op(-1,OP_EQ, 1175 crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128)); 1176 1177 /*XXXX test failed signing*/ 1178 1179 /* Try encoding */ 1180 crypto_pk_free(pk2); 1181 pk2 = NULL; 1182 i = crypto_pk_asn1_encode(pk1, data1, 1024); 1183 tt_int_op(i, OP_GT, 0); 1184 pk2 = crypto_pk_asn1_decode(data1, i); 1185 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0); 1186 1187 /* Try with hybrid encryption wrappers. */ 1188 crypto_rand(data1, 1024); 1189 for (i = 85; i < 140; ++i) { 1190 memset(data2,0,1024); 1191 memset(data3,0,1024); 1192 len = crypto_pk_obsolete_public_hybrid_encrypt(pk1,data2,sizeof(data2), 1193 data1,i,PK_PKCS1_OAEP_PADDING,0); 1194 tt_int_op(len, OP_GE, 0); 1195 len = crypto_pk_obsolete_private_hybrid_decrypt(pk1,data3,sizeof(data3), 1196 data2,len,PK_PKCS1_OAEP_PADDING,1); 1197 tt_int_op(len,OP_EQ, i); 1198 tt_mem_op(data1,OP_EQ, data3,i); 1199 } 1200 1201 /* Try copy_full */ 1202 crypto_pk_free(pk2); 1203 pk2 = crypto_pk_copy_full(pk1); 1204 tt_ptr_op(pk2, OP_NE, NULL); 1205 tt_ptr_op(pk1, OP_NE, pk2); 1206 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0); 1207 1208 done: 1209 if (pk1) 1210 crypto_pk_free(pk1); 1211 if (pk2) 1212 crypto_pk_free(pk2); 1213 tor_free(encoded); 1214 } 1215 1216 static void 1217 test_crypto_pk_fingerprints(void *arg) 1218 { 1219 crypto_pk_t *pk = NULL; 1220 char encoded[512]; 1221 char d[DIGEST_LEN], d2[DIGEST_LEN]; 1222 char fingerprint[FINGERPRINT_LEN+1]; 1223 int n; 1224 unsigned i; 1225 char *mem_op_hex_tmp=NULL; 1226 1227 (void)arg; 1228 1229 pk = pk_generate(1); 1230 tt_assert(pk); 1231 n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded)); 1232 tt_int_op(n, OP_GT, 0); 1233 tt_int_op(n, OP_GT, 128); 1234 tt_int_op(n, OP_LT, 256); 1235 1236 /* Is digest as expected? */ 1237 crypto_digest(d, encoded, n); 1238 tt_int_op(0, OP_EQ, crypto_pk_get_digest(pk, d2)); 1239 tt_mem_op(d,OP_EQ, d2, DIGEST_LEN); 1240 1241 /* Is fingerprint right? */ 1242 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 0)); 1243 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2); 1244 test_memeq_hex(d, fingerprint); 1245 1246 /* Are spaces right? */ 1247 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 1)); 1248 for (i = 4; i < strlen(fingerprint); i += 5) { 1249 tt_int_op(fingerprint[i], OP_EQ, ' '); 1250 } 1251 tor_strstrip(fingerprint, " "); 1252 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2); 1253 test_memeq_hex(d, fingerprint); 1254 1255 /* Now hash again and check crypto_pk_get_hashed_fingerprint. */ 1256 crypto_digest(d2, d, sizeof(d)); 1257 tt_int_op(0, OP_EQ, crypto_pk_get_hashed_fingerprint(pk, fingerprint)); 1258 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2); 1259 test_memeq_hex(d2, fingerprint); 1260 1261 done: 1262 crypto_pk_free(pk); 1263 tor_free(mem_op_hex_tmp); 1264 } 1265 1266 static void 1267 test_crypto_pk_base64(void *arg) 1268 { 1269 crypto_pk_t *pk1 = NULL; 1270 crypto_pk_t *pk2 = NULL; 1271 char *encoded = NULL; 1272 1273 (void)arg; 1274 1275 /* Test Base64 encoding a key. */ 1276 pk1 = pk_generate(0); 1277 tt_assert(pk1); 1278 tt_int_op(0, OP_EQ, crypto_pk_base64_encode_private(pk1, &encoded)); 1279 tt_assert(encoded); 1280 1281 /* Test decoding a valid key. */ 1282 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded)); 1283 tt_assert(pk2); 1284 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0); 1285 crypto_pk_free(pk2); 1286 1287 /* Test decoding a invalid key (not Base64). */ 1288 static const char *invalid_b64 = "The key is in another castle!"; 1289 pk2 = crypto_pk_base64_decode_private(invalid_b64, strlen(invalid_b64)); 1290 tt_ptr_op(pk2, OP_EQ, NULL); 1291 1292 /* Test decoding a truncated Base64 blob. */ 1293 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded)/2); 1294 tt_ptr_op(pk2, OP_EQ, NULL); 1295 1296 done: 1297 crypto_pk_free(pk1); 1298 crypto_pk_free(pk2); 1299 tor_free(encoded); 1300 } 1301 1302 static void 1303 test_crypto_pk_pem_encrypted(void *arg) 1304 { 1305 crypto_pk_t *pk = NULL; 1306 (void)arg; 1307 1308 pk = crypto_pk_new(); 1309 /* we need to make sure that we won't stall if somebody gives us a key 1310 that's encrypted with a password. */ 1311 { 1312 const char *s = 1313 "-----BEGIN RSA PRIVATE KEY-----\n" 1314 "Proc-Type: 4,ENCRYPTED\n" 1315 "DEK-Info: AES-128-CBC,EFA86BB9D2AB11E80B4E3DCD97782B16\n" 1316 "\n" 1317 "Z2Je4m0cFepc6coQkVbGcvNCHxTf941N2XYEVE6kn0CqWqoUH4tlwV6for5D91np\n" 1318 "5NiEFTkWj31EhrvrYcuiJtQ/iEbABxZULFWFeJ058rb+1izBz5rScqnEacIS/3Go\n" 1319 "YntnROBDwiKmUnue6PJVYg==\n" 1320 "-----END RSA PRIVATE KEY-----\n"; 1321 tt_int_op(-1, OP_EQ, 1322 crypto_pk_read_private_key_from_string(pk, s, strlen(s))); 1323 } 1324 /* For fun, make sure we aren't hit by OpenSSL issue 1325 https://github.com/openssl/openssl/issues/6347 , where we get in trouble 1326 if a cipher doesn't use an IV. 1327 */ 1328 { 1329 const char *s = 1330 "-----BEGIN RSA PUBLIC KEY-----\n" 1331 "Proc-Type:4,ENCRYPTED\n" 1332 "DEK-Info:des-ede -\n" 1333 "\n" 1334 "iRqK\n" 1335 "-----END RSA PUBLIC KEY-----\n"; 1336 tt_int_op(-1, OP_EQ, 1337 crypto_pk_read_public_key_from_string(pk, s, strlen(s))); 1338 } 1339 done: 1340 crypto_pk_free(pk); 1341 } 1342 1343 static void 1344 test_crypto_pk_bad_size(void *arg) 1345 { 1346 (void)arg; 1347 crypto_pk_t *pk1 = pk_generate(0); 1348 crypto_pk_t *pk2 = NULL; 1349 char buf[2048]; 1350 int n = crypto_pk_asn1_encode_private(pk1, buf, sizeof(buf)); 1351 tt_int_op(n, OP_GT, 0); 1352 1353 /* Set the max bit count smaller: we should refuse to decode the key.*/ 1354 pk2 = crypto_pk_asn1_decode_private(buf, n, 1020); 1355 tt_assert(! pk2); 1356 1357 /* Set the max bit count one bit smaller: we should refuse to decode the 1358 key.*/ 1359 pk2 = crypto_pk_asn1_decode_private(buf, n, 1023); 1360 tt_assert(! pk2); 1361 1362 /* Correct size: should work. */ 1363 pk2 = crypto_pk_asn1_decode_private(buf, n, 1024); 1364 tt_assert(pk2); 1365 crypto_pk_free(pk2); 1366 1367 /* One bit larger: should work. */ 1368 pk2 = crypto_pk_asn1_decode_private(buf, n, 1025); 1369 tt_assert(pk2); 1370 crypto_pk_free(pk2); 1371 1372 /* Set the max bit count larger: it should decode fine. */ 1373 pk2 = crypto_pk_asn1_decode_private(buf, n, 2048); 1374 tt_assert(pk2); 1375 1376 done: 1377 crypto_pk_free(pk1); 1378 crypto_pk_free(pk2); 1379 } 1380 1381 static void 1382 test_crypto_pk_invalid_private_key(void *arg) 1383 { 1384 (void)arg; 1385 /* Here is a simple invalid private key: it was produced by making 1386 * a regular private key, and then adding 2 to the modulus. */ 1387 const char pem[] = 1388 "-----BEGIN RSA PRIVATE KEY-----\n" 1389 "MIIEpQIBAAKCAQEAskRyZrs+YAukvBmZlgo6/rCxyKF2xyUk073ap+2CgRUnSfGG\n" 1390 "mflHlzqVq7tpH50DafpS+fFAbaEaNV/ac20QG0rUZi38HTB4qURWOu6n0Bws6E4l\n" 1391 "UX/AkvDlWnuYH0pHHi2c3DGNFjwoJpjKuUTk+cRffVR8X3Kjr62SUDUaBNW0Kecz\n" 1392 "3SYLbmgmZI16dFZ+g9sNM3znXZbhvb33WwPqpZSSPs37cPgF7eS6mAw/gUMx6zfE\n" 1393 "HRmUnOQSzUdS05rvc/hsiCLhiIZ8hgfkD07XnTT1Ds8DwE55k7BUWY2wvwWCNLsH\n" 1394 "qtqAxTr615XdkMxVkYgImpqPybarpfNYhFqkOwIDAQABAoIBACPC3VxEdbfYvhxJ\n" 1395 "2mih9sG++nswAN7kUaX0cRe86rAwaShJPmJHApiQ1ROVTfpciiHJaLnhLraPWe2Z\n" 1396 "I/6Bw3hmI4O399p3Lc1u+wlpdNqnvE6B1rSptx0DHE9xecvVH70rE0uM2Su7t6Y+\n" 1397 "gnR2IKUGQs2mlCilm7aTUEWs0WJkkl4CG1dyxItuOSdNBjOEzXimJyiB10jEBFsp\n" 1398 "SZeCF2FZ7AJbck5CVC42+oTsiDbZrHTHOn7v26rFGdONeHD1wOI1v7JwHFpCB923\n" 1399 "aEHBzsPbMeq7DWG1rjzCYpcXHhTDBDBWSia4SEhyr2Nl7m7qxWWWwR+x4dqAj3rD\n" 1400 "HeTmos0CgYEA6uf1CLpjPpOs5IaW1DQI8dJA/xFEAC/6GVgq4nFOGHZrm8G3L5o+\n" 1401 "qvtQNMpDs2naWuZpqROFqv24o01DykHygR72GlPIY6uvmmf5tvJLoGnbFUay33L4\n" 1402 "7b9dkNhuEIBNPzVDie0pgS77WgaPbYkVv5fnDwgPuVnkqfakEt7Pz2MCgYEAwkZ5\n" 1403 "R1wLuTQEA2Poo6Gf4L8Bg6yNYI46LHDqDIs818iYLjtcnEEvbPfaoKNpOn7s7s4O\n" 1404 "Pc+4HnT1aIQs0IKVLRTp+5a/9wfOkPZnobWOUHZk9UzBL3Hc1uy/qhp93iE3tSzx\n" 1405 "v0O1pvR+hr3guTCZx8wZnDvaMgG3hlyPnVlHdrMCgYEAzQQxGbMC1ySv6quEjCP2\n" 1406 "AogMbhE1lixJTUFj/EoDbNo9xKznIkauly/Lqqc1OysRhfA/G2+MY9YZBX1zwtyX\n" 1407 "uBW7mPKynDrFgi9pBECnvJNmwET57Ic9ttIj6Tzbos83nAjyrzgr1zGX8dRz7ZeN\n" 1408 "QbBj2vygLJbGOYinXkjUeh0CgYEAhN5aF9n2EqZmkEMGWtMxWy6HRJ0A3Cap1rcq\n" 1409 "+4VHCXWhzwy+XAeg/e/N0MuyLlWcif7XcqLcE8h+BwtO8xQ8HmcNWApUJAls12wO\n" 1410 "mGRpftJaXgIupdpD5aJpu1b++qrRRNIGTH9sf1D8L/8w8LcylZkbcuTkaAsQj45C\n" 1411 "kqT64U0CgYEAq47IKS6xc3CDc17BqExR6t+1yRe+4ml+z1zcVbfUKony4pGvl1yo\n" 1412 "rk0IYDN5Vd8h5xtXrkPdX9h+ywmohnelDKsayEuE+opyqEpSU4/96Bb22RZUoucb\n" 1413 "LWkV5gZx5hFnDFtEd4vadMIiY4jVv/3JqiZDKwMVBJKlHRXJEEmIEBk=\n" 1414 "-----END RSA PRIVATE KEY-----\n"; 1415 1416 crypto_pk_t *pk = NULL; 1417 1418 pk = crypto_pk_new(); 1419 setup_capture_of_logs(LOG_WARN); 1420 tt_int_op(-1, OP_EQ, 1421 crypto_pk_read_private_key_from_string(pk, pem, strlen(pem))); 1422 #ifdef ENABLE_NSS 1423 expect_single_log_msg_containing("received bad data"); 1424 #else 1425 expect_single_log_msg_containing("while checking RSA key"); 1426 #endif 1427 done: 1428 teardown_capture_of_logs(); 1429 crypto_pk_free(pk); 1430 } 1431 1432 #ifdef HAVE_TRUNCATE 1433 #define do_truncate truncate 1434 #else 1435 static int 1436 do_truncate(const char *fname, size_t len) 1437 { 1438 struct stat st; 1439 char *bytes; 1440 1441 bytes = read_file_to_str(fname, RFTS_BIN, &st); 1442 if (!bytes) 1443 return -1; 1444 /* This cast isn't so great, but it should be safe given the actual files 1445 * and lengths we're using. */ 1446 if (st.st_size < (off_t)len) 1447 len = MIN(len, (size_t)st.st_size); 1448 1449 int r = write_bytes_to_file(fname, bytes, len, 1); 1450 tor_free(bytes); 1451 return r; 1452 } 1453 #endif /* defined(HAVE_TRUNCATE) */ 1454 1455 /** Sanity check for crypto pk digests */ 1456 static void 1457 test_crypto_digests(void *arg) 1458 { 1459 crypto_pk_t *k = NULL; 1460 ssize_t r; 1461 common_digests_t pkey_digests; 1462 char digest[DIGEST_LEN]; 1463 1464 (void)arg; 1465 k = crypto_pk_new(); 1466 tt_assert(k); 1467 r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3, 1468 strlen(AUTHORITY_SIGNKEY_3)); 1469 tt_assert(!r); 1470 1471 r = crypto_pk_get_digest(k, digest); 1472 tt_assert(r == 0); 1473 tt_mem_op(hex_str(digest, DIGEST_LEN),OP_EQ, 1474 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN); 1475 1476 r = crypto_pk_get_common_digests(k, &pkey_digests); 1477 tt_int_op(r, OP_EQ, 0); 1478 1479 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),OP_EQ, 1480 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN); 1481 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),OP_EQ, 1482 AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN); 1483 done: 1484 crypto_pk_free(k); 1485 } 1486 1487 static void 1488 test_crypto_digest_names(void *arg) 1489 { 1490 static const struct { 1491 int a; const char *n; 1492 } names[] = { 1493 { DIGEST_SHA1, "sha1" }, 1494 { DIGEST_SHA256, "sha256" }, 1495 { DIGEST_SHA512, "sha512" }, 1496 { DIGEST_SHA3_256, "sha3-256" }, 1497 { DIGEST_SHA3_512, "sha3-512" }, 1498 { -1, NULL } 1499 }; 1500 (void)arg; 1501 1502 int i; 1503 for (i = 0; names[i].n; ++i) { 1504 tt_str_op(names[i].n, OP_EQ,crypto_digest_algorithm_get_name(names[i].a)); 1505 tt_int_op(names[i].a, 1506 OP_EQ,crypto_digest_algorithm_parse_name(names[i].n)); 1507 } 1508 tt_int_op(-1, OP_EQ, 1509 crypto_digest_algorithm_parse_name("TimeCubeHash-4444")); 1510 done: 1511 ; 1512 } 1513 1514 /** Run unit tests for misc crypto formatting functionality (base64, base32, 1515 * fingerprints, etc) */ 1516 static void 1517 test_crypto_formats(void *arg) 1518 { 1519 char *data1 = NULL, *data2 = NULL, *data3 = NULL; 1520 int i, j, idx; 1521 1522 (void)arg; 1523 data1 = tor_malloc(1024); 1524 data2 = tor_malloc(1024); 1525 data3 = tor_malloc(1024); 1526 tt_assert(data1 && data2 && data3); 1527 1528 /* Base64 tests */ 1529 memset(data1, 6, 1024); 1530 for (idx = 0; idx < 10; ++idx) { 1531 i = base64_encode(data2, 1024, data1, idx, 0); 1532 tt_int_op(i, OP_GE, 0); 1533 tt_int_op(i, OP_EQ, strlen(data2)); 1534 j = base64_decode(data3, 1024, data2, i); 1535 tt_int_op(j,OP_EQ, idx); 1536 tt_mem_op(data3,OP_EQ, data1, idx); 1537 1538 i = base64_encode_nopad(data2, 1024, (uint8_t*)data1, idx); 1539 tt_int_op(i, OP_GE, 0); 1540 tt_int_op(i, OP_EQ, strlen(data2)); 1541 tt_assert(! strchr(data2, '=')); 1542 j = base64_decode(data3, 1024, data2, i); 1543 tt_int_op(j, OP_EQ, idx); 1544 tt_mem_op(data3,OP_EQ, data1, idx); 1545 } 1546 1547 strlcpy(data1, "Test string that contains 35 chars.", 1024); 1548 strlcat(data1, " 2nd string that contains 35 chars.", 1024); 1549 1550 i = base64_encode(data2, 1024, data1, 71, 0); 1551 tt_int_op(i, OP_GE, 0); 1552 j = base64_decode(data3, 1024, data2, i); 1553 tt_int_op(j,OP_EQ, 71); 1554 tt_str_op(data3,OP_EQ, data1); 1555 tt_int_op(data2[i], OP_EQ, '\0'); 1556 1557 crypto_rand(data1, DIGEST_LEN); 1558 memset(data2, 100, 1024); 1559 digest_to_base64(data2, data1); 1560 tt_int_op(BASE64_DIGEST_LEN,OP_EQ, strlen(data2)); 1561 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST_LEN+2]); 1562 memset(data3, 99, 1024); 1563 tt_int_op(digest_from_base64(data3, data2),OP_EQ, 0); 1564 tt_mem_op(data1,OP_EQ, data3, DIGEST_LEN); 1565 tt_int_op(99,OP_EQ, data3[DIGEST_LEN+1]); 1566 1567 tt_int_op(digest_from_base64(data3, "###"), OP_LT, 0); 1568 1569 /* Encoding SHA256 */ 1570 crypto_rand(data2, DIGEST256_LEN); 1571 memset(data2, 100, 1024); 1572 digest256_to_base64(data2, data1); 1573 tt_int_op(BASE64_DIGEST256_LEN,OP_EQ, strlen(data2)); 1574 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST256_LEN+2]); 1575 memset(data3, 99, 1024); 1576 tt_int_op(digest256_from_base64(data3, data2),OP_EQ, 0); 1577 tt_mem_op(data1,OP_EQ, data3, DIGEST256_LEN); 1578 tt_int_op(99,OP_EQ, data3[DIGEST256_LEN+1]); 1579 1580 /* Base32 tests */ 1581 strlcpy(data1, "5chrs", 1024); 1582 /* bit pattern is: [35 63 68 72 73] -> 1583 * [00110101 01100011 01101000 01110010 01110011] 1584 * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011] 1585 */ 1586 base32_encode(data2, 9, data1, 5); 1587 tt_str_op(data2,OP_EQ, "gvrwq4tt"); 1588 1589 strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024); 1590 base32_encode(data2, 30, data1, 10); 1591 tt_str_op(data2,OP_EQ, "772w2rfobvomsywe"); 1592 1593 /* Base16 tests */ 1594 strlcpy(data1, "6chrs\xff", 1024); 1595 base16_encode(data2, 13, data1, 6); 1596 tt_str_op(data2,OP_EQ, "3663687273FF"); 1597 1598 strlcpy(data1, "f0d678affc000100", 1024); 1599 i = base16_decode(data2, 8, data1, 16); 1600 tt_int_op(i,OP_EQ, 8); 1601 tt_mem_op(data2,OP_EQ, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8); 1602 1603 /* now try some failing base16 decodes */ 1604 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 15)); /* odd input len */ 1605 tt_int_op(-1,OP_EQ, base16_decode(data2, 7, data1, 16)); /* dest too short */ 1606 strlcpy(data1, "f0dz!8affc000100", 1024); 1607 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 16)); 1608 1609 tor_free(data1); 1610 tor_free(data2); 1611 tor_free(data3); 1612 1613 /* Add spaces to fingerprint */ 1614 { 1615 data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000"); 1616 tt_int_op(strlen(data1),OP_EQ, 40); 1617 data2 = tor_malloc(FINGERPRINT_LEN+1); 1618 crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1); 1619 tt_str_op(data2, OP_EQ, 1620 "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000"); 1621 tor_free(data1); 1622 tor_free(data2); 1623 } 1624 1625 done: 1626 tor_free(data1); 1627 tor_free(data2); 1628 tor_free(data3); 1629 } 1630 1631 /** Test AES-CTR encryption and decryption with IV. */ 1632 static void 1633 test_crypto_aes_iv(void *arg) 1634 { 1635 (void)arg; 1636 char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2; 1637 char plain_1[1], plain_15[15], plain_16[16], plain_17[17]; 1638 char key1[16], key2[16]; 1639 ssize_t encrypted_size, decrypted_size; 1640 1641 plain = tor_malloc(4095); 1642 encrypted1 = tor_malloc(4095 + 1 + 16); 1643 encrypted2 = tor_malloc(4095 + 1 + 16); 1644 decrypted1 = tor_malloc(4095 + 1); 1645 decrypted2 = tor_malloc(4095 + 1); 1646 1647 crypto_rand(plain, 4095); 1648 crypto_rand(key1, 16); 1649 crypto_rand(key2, 16); 1650 crypto_rand(plain_1, 1); 1651 crypto_rand(plain_15, 15); 1652 crypto_rand(plain_16, 16); 1653 crypto_rand(plain_17, 17); 1654 key1[0] = key2[0] + 128; /* Make sure that contents are different. */ 1655 /* Encrypt and decrypt with the same key. */ 1656 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095, 1657 plain, 4095); 1658 1659 tt_int_op(encrypted_size,OP_EQ, 16 + 4095); 1660 tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is 1661 * greater than 0, but its truth is not 1662 * obvious to all analysis tools. */ 1663 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095, 1664 encrypted1, encrypted_size); 1665 1666 tt_int_op(decrypted_size,OP_EQ, 4095); 1667 tt_assert(decrypted_size > 0); 1668 tt_mem_op(plain,OP_EQ, decrypted1, 4095); 1669 /* Encrypt a second time (with a new random initialization vector). */ 1670 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095, 1671 plain, 4095); 1672 1673 tt_int_op(encrypted_size,OP_EQ, 16 + 4095); 1674 tt_assert(encrypted_size > 0); 1675 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095, 1676 encrypted2, encrypted_size); 1677 tt_int_op(decrypted_size,OP_EQ, 4095); 1678 tt_assert(decrypted_size > 0); 1679 tt_mem_op(plain,OP_EQ, decrypted2, 4095); 1680 tt_mem_op(encrypted1,OP_NE, encrypted2, encrypted_size); 1681 /* Decrypt with the wrong key. */ 1682 decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095, 1683 encrypted1, encrypted_size); 1684 tt_int_op(decrypted_size,OP_EQ, 4095); 1685 tt_mem_op(plain,OP_NE, decrypted2, decrypted_size); 1686 /* Alter the initialization vector. */ 1687 encrypted1[0] += 42; 1688 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095, 1689 encrypted1, encrypted_size); 1690 tt_int_op(decrypted_size,OP_EQ, 4095); 1691 tt_mem_op(plain,OP_NE, decrypted2, 4095); 1692 /* Special length case: 1. */ 1693 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1, 1694 plain_1, 1); 1695 tt_int_op(encrypted_size,OP_EQ, 16 + 1); 1696 tt_assert(encrypted_size > 0); 1697 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1, 1698 encrypted1, encrypted_size); 1699 tt_int_op(decrypted_size,OP_EQ, 1); 1700 tt_assert(decrypted_size > 0); 1701 tt_mem_op(plain_1,OP_EQ, decrypted1, 1); 1702 /* Special length case: 15. */ 1703 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15, 1704 plain_15, 15); 1705 tt_int_op(encrypted_size,OP_EQ, 16 + 15); 1706 tt_assert(encrypted_size > 0); 1707 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15, 1708 encrypted1, encrypted_size); 1709 tt_int_op(decrypted_size,OP_EQ, 15); 1710 tt_assert(decrypted_size > 0); 1711 tt_mem_op(plain_15,OP_EQ, decrypted1, 15); 1712 /* Special length case: 16. */ 1713 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16, 1714 plain_16, 16); 1715 tt_int_op(encrypted_size,OP_EQ, 16 + 16); 1716 tt_assert(encrypted_size > 0); 1717 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16, 1718 encrypted1, encrypted_size); 1719 tt_int_op(decrypted_size,OP_EQ, 16); 1720 tt_assert(decrypted_size > 0); 1721 tt_mem_op(plain_16,OP_EQ, decrypted1, 16); 1722 /* Special length case: 17. */ 1723 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17, 1724 plain_17, 17); 1725 tt_int_op(encrypted_size,OP_EQ, 16 + 17); 1726 tt_assert(encrypted_size > 0); 1727 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17, 1728 encrypted1, encrypted_size); 1729 tt_int_op(decrypted_size,OP_EQ, 17); 1730 tt_assert(decrypted_size > 0); 1731 tt_mem_op(plain_17,OP_EQ, decrypted1, 17); 1732 1733 done: 1734 /* Free memory. */ 1735 tor_free(plain); 1736 tor_free(encrypted1); 1737 tor_free(encrypted2); 1738 tor_free(decrypted1); 1739 tor_free(decrypted2); 1740 } 1741 1742 /** Test base32 decoding. */ 1743 static void 1744 test_crypto_base32_decode(void *arg) 1745 { 1746 char plain[60], encoded[96 + 1], decoded[60]; 1747 int res; 1748 (void)arg; 1749 crypto_rand(plain, 60); 1750 /* Encode and decode a random string. */ 1751 base32_encode(encoded, 96 + 1, plain, 60); 1752 res = base32_decode(decoded, 60, encoded, 96); 1753 tt_int_op(res, OP_EQ, 60); 1754 tt_mem_op(plain,OP_EQ, decoded, 60); 1755 /* Encode, uppercase, and decode a random string. */ 1756 base32_encode(encoded, 96 + 1, plain, 60); 1757 tor_strupper(encoded); 1758 res = base32_decode(decoded, 60, encoded, 96); 1759 tt_int_op(res, OP_EQ, 60); 1760 tt_mem_op(plain,OP_EQ, decoded, 60); 1761 /* Change encoded string and decode. */ 1762 if (encoded[0] == 'A' || encoded[0] == 'a') 1763 encoded[0] = 'B'; 1764 else 1765 encoded[0] = 'A'; 1766 res = base32_decode(decoded, 60, encoded, 96); 1767 tt_int_op(res, OP_EQ, 60); 1768 tt_mem_op(plain,OP_NE, decoded, 60); 1769 /* Bad encodings. */ 1770 encoded[0] = '!'; 1771 res = base32_decode(decoded, 60, encoded, 96); 1772 tt_int_op(res, OP_LT, 0); 1773 1774 done: 1775 ; 1776 } 1777 1778 static void 1779 test_crypto_kdf_TAP(void *arg) 1780 { 1781 uint8_t key_material[100]; 1782 int r; 1783 char *mem_op_hex_tmp = NULL; 1784 1785 (void)arg; 1786 #define EXPAND(s) \ 1787 r = crypto_expand_key_material_TAP( \ 1788 (const uint8_t*)(s), strlen(s), \ 1789 key_material, 100) 1790 1791 /* Test vectors generated with a little python script; feel free to write 1792 * your own. */ 1793 memset(key_material, 0, sizeof(key_material)); 1794 EXPAND(""); 1795 tt_int_op(r, OP_EQ, 0); 1796 test_memeq_hex(key_material, 1797 "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8" 1798 "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2" 1799 "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414" 1800 "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383"); 1801 1802 EXPAND("Tor"); 1803 tt_int_op(r, OP_EQ, 0); 1804 test_memeq_hex(key_material, 1805 "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922" 1806 "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034" 1807 "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8" 1808 "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28"); 1809 1810 EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE"); 1811 tt_int_op(r, OP_EQ, 0); 1812 test_memeq_hex(key_material, 1813 "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331" 1814 "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7" 1815 "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854" 1816 "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10"); 1817 1818 done: 1819 tor_free(mem_op_hex_tmp); 1820 1821 #undef EXPAND 1822 } 1823 1824 static void 1825 test_crypto_hkdf_sha256(void *arg) 1826 { 1827 uint8_t key_material[100]; 1828 const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract"; 1829 const size_t salt_len = strlen((char*)salt); 1830 const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand"; 1831 const size_t m_expand_len = strlen((char*)m_expand); 1832 int r; 1833 char *mem_op_hex_tmp = NULL; 1834 1835 (void)arg; 1836 1837 #define EXPAND(s) \ 1838 r = crypto_expand_key_material_rfc5869_sha256( \ 1839 (const uint8_t*)(s), strlen(s), \ 1840 salt, salt_len, \ 1841 m_expand, m_expand_len, \ 1842 key_material, 100) 1843 1844 /* Test vectors generated with ntor_ref.py */ 1845 EXPAND("Tor"); 1846 tt_int_op(r, OP_EQ, 0); 1847 test_memeq_hex(key_material, 1848 "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6" 1849 "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d" 1850 "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3" 1851 "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac"); 1852 1853 EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT"); 1854 tt_int_op(r, OP_EQ, 0); 1855 test_memeq_hex(key_material, 1856 "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f" 1857 "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c" 1858 "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d" 1859 "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf"); 1860 done: 1861 tor_free(mem_op_hex_tmp); 1862 #undef EXPAND 1863 } 1864 1865 static void 1866 test_crypto_hkdf_sha256_testvecs(void *arg) 1867 { 1868 (void) arg; 1869 /* Test vectors from RFC5869, sections A.1 through A.3 */ 1870 const struct { 1871 const char *ikm16, *salt16, *info16; 1872 int L; 1873 const char *okm16; 1874 } vecs[] = { 1875 { /* from A.1 */ 1876 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", 1877 "000102030405060708090a0b0c", 1878 "f0f1f2f3f4f5f6f7f8f9", 1879 42, 1880 "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf" 1881 "34007208d5b887185865" 1882 }, 1883 { /* from A.2 */ 1884 "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" 1885 "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" 1886 "404142434445464748494a4b4c4d4e4f", 1887 "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" 1888 "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" 1889 "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf", 1890 "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf" 1891 "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef" 1892 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 1893 82, 1894 "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c" 1895 "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71" 1896 "cc30c58179ec3e87c14c01d5c1f3434f1d87" 1897 }, 1898 { /* from A.3 */ 1899 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", 1900 "", 1901 "", 1902 42, 1903 "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d" 1904 "9d201395faa4b61a96c8", 1905 }, 1906 { NULL, NULL, NULL, -1, NULL } 1907 }; 1908 1909 int i; 1910 char *ikm = NULL; 1911 char *salt = NULL; 1912 char *info = NULL; 1913 char *okm = NULL; 1914 char *mem_op_hex_tmp = NULL; 1915 1916 for (i = 0; vecs[i].ikm16; ++i) { 1917 size_t ikm_len = strlen(vecs[i].ikm16)/2; 1918 size_t salt_len = strlen(vecs[i].salt16)/2; 1919 size_t info_len = strlen(vecs[i].info16)/2; 1920 size_t okm_len = vecs[i].L; 1921 1922 ikm = tor_malloc(ikm_len); 1923 salt = tor_malloc(salt_len); 1924 info = tor_malloc(info_len); 1925 okm = tor_malloc(okm_len); 1926 1927 base16_decode(ikm, ikm_len, vecs[i].ikm16, strlen(vecs[i].ikm16)); 1928 base16_decode(salt, salt_len, vecs[i].salt16, strlen(vecs[i].salt16)); 1929 base16_decode(info, info_len, vecs[i].info16, strlen(vecs[i].info16)); 1930 1931 int r = crypto_expand_key_material_rfc5869_sha256( 1932 (const uint8_t*)ikm, ikm_len, 1933 (const uint8_t*)salt, salt_len, 1934 (const uint8_t*)info, info_len, 1935 (uint8_t*)okm, okm_len); 1936 tt_int_op(r, OP_EQ, 0); 1937 test_memeq_hex(okm, vecs[i].okm16); 1938 tor_free(ikm); 1939 tor_free(salt); 1940 tor_free(info); 1941 tor_free(okm); 1942 } 1943 done: 1944 tor_free(ikm); 1945 tor_free(salt); 1946 tor_free(info); 1947 tor_free(okm); 1948 tor_free(mem_op_hex_tmp); 1949 } 1950 1951 static void 1952 test_crypto_curve25519_impl(void *arg) 1953 { 1954 /* adapted from curve25519_donna, which adapted it from test-curve25519 1955 version 20050915, by D. J. Bernstein, Public domain. */ 1956 1957 const int randomize_high_bit = (arg != NULL); 1958 1959 #ifdef SLOW_CURVE25519_TEST 1960 const int loop_max=10000; 1961 const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5" 1962 "7e0329f4dd2819f5f32d130f1296b500"; 1963 const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9" 1964 "e0544770bc7de853b38f9100489e3e79"; 1965 const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88" 1966 "bd13861475516bc2cd2b6e005e805064"; 1967 #else /* !defined(SLOW_CURVE25519_TEST) */ 1968 const int loop_max=200; 1969 const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3" 1970 "c6a1037d74cceb3712e9206871dcf654"; 1971 const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d" 1972 "8e3ee1a63c7d14274ea5d4c67f065467"; 1973 const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e" 1974 "c0ee98cb2257a4545c0cfb2ca3e1812b"; 1975 #endif /* defined(SLOW_CURVE25519_TEST) */ 1976 1977 unsigned char e1k[32]; 1978 unsigned char e2k[32]; 1979 unsigned char e1e2k[32]; 1980 unsigned char e2e1k[32]; 1981 unsigned char e1[32] = {3}; 1982 unsigned char e2[32] = {5}; 1983 unsigned char k[32] = {9}; 1984 int loop, i; 1985 1986 char *mem_op_hex_tmp = NULL; 1987 1988 for (loop = 0; loop < loop_max; ++loop) { 1989 curve25519_impl(e1k,e1,k); 1990 curve25519_impl(e2e1k,e2,e1k); 1991 curve25519_impl(e2k,e2,k); 1992 if (randomize_high_bit) { 1993 /* We require that the high bit of the public key be ignored. So if 1994 * we're doing this variant test, we randomize the high bit of e2k, and 1995 * make sure that the handshake still works out the same as it would 1996 * otherwise. */ 1997 uint8_t byte; 1998 crypto_rand((char*)&byte, 1); 1999 e2k[31] |= (byte & 0x80); 2000 } 2001 curve25519_impl(e1e2k,e1,e2k); 2002 tt_mem_op(e1e2k,OP_EQ, e2e1k, 32); 2003 if (loop == loop_max-1) { 2004 break; 2005 } 2006 for (i = 0;i < 32;++i) e1[i] ^= e2k[i]; 2007 for (i = 0;i < 32;++i) e2[i] ^= e1k[i]; 2008 for (i = 0;i < 32;++i) k[i] ^= e1e2k[i]; 2009 } 2010 2011 test_memeq_hex(e1, e1_expected); 2012 test_memeq_hex(e2k, e2k_expected); 2013 test_memeq_hex(e1e2k, e1e2k_expected); 2014 2015 done: 2016 tor_free(mem_op_hex_tmp); 2017 } 2018 2019 static void 2020 test_crypto_curve25519_basepoint(void *arg) 2021 { 2022 uint8_t secret[32]; 2023 uint8_t public1[32]; 2024 uint8_t public2[32]; 2025 const int iters = 2048; 2026 int i; 2027 (void) arg; 2028 2029 for (i = 0; i < iters; ++i) { 2030 crypto_rand((char*)secret, 32); 2031 curve25519_set_impl_params(1); /* Use optimization */ 2032 curve25519_basepoint_impl(public1, secret); 2033 curve25519_set_impl_params(0); /* Disable optimization */ 2034 curve25519_basepoint_impl(public2, secret); 2035 tt_mem_op(public1, OP_EQ, public2, 32); 2036 } 2037 2038 done: 2039 ; 2040 } 2041 2042 static void 2043 test_crypto_curve25519_testvec(void *arg) 2044 { 2045 (void)arg; 2046 char *mem_op_hex_tmp = NULL; 2047 2048 /* From RFC 7748, section 6.1 */ 2049 /* Alice's private key, a: */ 2050 const char a16[] = 2051 "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"; 2052 /* Alice's public key, X25519(a, 9): */ 2053 const char a_pub16[] = 2054 "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"; 2055 /* Bob's private key, b: */ 2056 const char b16[] = 2057 "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"; 2058 /* Bob's public key, X25519(b, 9): */ 2059 const char b_pub16[] = 2060 "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"; 2061 /* Their shared secret, K: */ 2062 const char k16[] = 2063 "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"; 2064 2065 uint8_t a[32], b[32], a_pub[32], b_pub[32], k1[32], k2[32]; 2066 base16_decode((char*)a, sizeof(a), a16, strlen(a16)); 2067 base16_decode((char*)b, sizeof(b), b16, strlen(b16)); 2068 curve25519_basepoint_impl(a_pub, a); 2069 curve25519_basepoint_impl(b_pub, b); 2070 curve25519_impl(k1, a, b_pub); 2071 curve25519_impl(k2, b, a_pub); 2072 2073 test_memeq_hex(a, a16); 2074 test_memeq_hex(b, b16); 2075 test_memeq_hex(a_pub, a_pub16); 2076 test_memeq_hex(b_pub, b_pub16); 2077 test_memeq_hex(k1, k16); 2078 test_memeq_hex(k2, k16); 2079 done: 2080 tor_free(mem_op_hex_tmp); 2081 } 2082 2083 static void 2084 test_crypto_curve25519_wrappers(void *arg) 2085 { 2086 curve25519_public_key_t pubkey1, pubkey2; 2087 curve25519_secret_key_t seckey1, seckey2; 2088 2089 uint8_t output1[CURVE25519_OUTPUT_LEN]; 2090 uint8_t output2[CURVE25519_OUTPUT_LEN]; 2091 (void)arg; 2092 2093 /* Test a simple handshake, serializing and deserializing some stuff. */ 2094 curve25519_secret_key_generate(&seckey1, 0); 2095 curve25519_secret_key_generate(&seckey2, 1); 2096 curve25519_public_key_generate(&pubkey1, &seckey1); 2097 curve25519_public_key_generate(&pubkey2, &seckey2); 2098 tt_assert(curve25519_public_key_is_ok(&pubkey1)); 2099 tt_assert(curve25519_public_key_is_ok(&pubkey2)); 2100 curve25519_handshake(output1, &seckey1, &pubkey2); 2101 curve25519_handshake(output2, &seckey2, &pubkey1); 2102 tt_mem_op(output1,OP_EQ, output2, sizeof(output1)); 2103 2104 done: 2105 ; 2106 } 2107 2108 static void 2109 test_crypto_curve25519_encode(void *arg) 2110 { 2111 curve25519_secret_key_t seckey; 2112 curve25519_public_key_t key1, key2, key3; 2113 char buf[64], buf_nopad[64]; 2114 2115 (void)arg; 2116 2117 curve25519_secret_key_generate(&seckey, 0); 2118 curve25519_public_key_generate(&key1, &seckey); 2119 curve25519_public_to_base64(buf, &key1, true); 2120 tt_int_op(CURVE25519_BASE64_PADDED_LEN, OP_EQ, strlen(buf)); 2121 2122 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key2, buf)); 2123 tt_mem_op(key1.public_key,OP_EQ, key2.public_key, CURVE25519_PUBKEY_LEN); 2124 2125 curve25519_public_to_base64(buf_nopad, &key1, false); 2126 tt_int_op(CURVE25519_BASE64_LEN, OP_EQ, strlen(buf_nopad)); 2127 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key3, buf_nopad)); 2128 tt_mem_op(key1.public_key,OP_EQ, key3.public_key, CURVE25519_PUBKEY_LEN); 2129 2130 /* Now try bogus parses. */ 2131 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf)); 2132 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf)); 2133 2134 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf)); 2135 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf)); 2136 2137 strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf)); 2138 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf)); 2139 2140 done: 2141 ; 2142 } 2143 2144 static void 2145 test_crypto_curve25519_persist(void *arg) 2146 { 2147 curve25519_keypair_t keypair, keypair2; 2148 char *fname = tor_strdup(get_fname("curve25519_keypair")); 2149 char *tag = NULL; 2150 char *content = NULL; 2151 const char *cp; 2152 struct stat st; 2153 size_t taglen; 2154 2155 (void)arg; 2156 2157 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&keypair, 0)); 2158 2159 tt_int_op(0,OP_EQ, 2160 curve25519_keypair_write_to_file(&keypair, fname, "testing")); 2161 tt_int_op(0,OP_EQ,curve25519_keypair_read_from_file(&keypair2, &tag, fname)); 2162 tt_str_op(tag,OP_EQ,"testing"); 2163 tor_free(tag); 2164 2165 tt_mem_op(keypair.pubkey.public_key,OP_EQ, 2166 keypair2.pubkey.public_key, 2167 CURVE25519_PUBKEY_LEN); 2168 tt_mem_op(keypair.seckey.secret_key,OP_EQ, 2169 keypair2.seckey.secret_key, 2170 CURVE25519_SECKEY_LEN); 2171 2172 content = read_file_to_str(fname, RFTS_BIN, &st); 2173 tt_assert(content); 2174 taglen = strlen("== c25519v1: testing =="); 2175 tt_u64_op((uint64_t)st.st_size, OP_EQ, 2176 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN); 2177 tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen)); 2178 tt_assert(fast_mem_is_zero(content+taglen, 32-taglen)); 2179 cp = content + 32; 2180 tt_mem_op(keypair.seckey.secret_key,OP_EQ, 2181 cp, 2182 CURVE25519_SECKEY_LEN); 2183 cp += CURVE25519_SECKEY_LEN; 2184 tt_mem_op(keypair.pubkey.public_key,OP_EQ, 2185 cp, 2186 CURVE25519_SECKEY_LEN); 2187 2188 tor_free(fname); 2189 fname = tor_strdup(get_fname("bogus_keypair")); 2190 2191 tt_int_op(-1, OP_EQ, 2192 curve25519_keypair_read_from_file(&keypair2, &tag, fname)); 2193 tor_free(tag); 2194 2195 content[69] ^= 0xff; 2196 tt_int_op(0, OP_EQ, 2197 write_bytes_to_file(fname, content, (size_t)st.st_size, 1)); 2198 tt_int_op(-1, OP_EQ, 2199 curve25519_keypair_read_from_file(&keypair2, &tag, fname)); 2200 2201 done: 2202 tor_free(fname); 2203 tor_free(content); 2204 tor_free(tag); 2205 } 2206 2207 static void 2208 test_crypto_ed25519_simple(void *arg) 2209 { 2210 ed25519_keypair_t kp1, kp2; 2211 ed25519_public_key_t pub1, pub2; 2212 ed25519_secret_key_t sec1, sec2; 2213 ed25519_signature_t sig1, sig2; 2214 const uint8_t msg[] = 2215 "GNU will be able to run Unix programs, " 2216 "but will not be identical to Unix."; 2217 const uint8_t msg2[] = 2218 "Microsoft Windows extends the features of the DOS operating system, " 2219 "yet is compatible with most existing applications that run under DOS."; 2220 size_t msg_len = strlen((const char*)msg); 2221 size_t msg2_len = strlen((const char*)msg2); 2222 2223 (void)arg; 2224 2225 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec1, 0)); 2226 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec2, 1)); 2227 2228 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub1, &sec1)); 2229 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec1)); 2230 2231 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0); 2232 tt_int_op(ed25519_validate_pubkey(&pub2), OP_EQ, 0); 2233 2234 tt_mem_op(pub1.pubkey, OP_EQ, pub2.pubkey, sizeof(pub1.pubkey)); 2235 tt_assert(ed25519_pubkey_eq(&pub1, &pub2)); 2236 tt_assert(ed25519_pubkey_eq(&pub1, &pub1)); 2237 2238 memcpy(&kp1.pubkey, &pub1, sizeof(pub1)); 2239 memcpy(&kp1.seckey, &sec1, sizeof(sec1)); 2240 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp1)); 2241 tt_int_op(0, OP_EQ, ed25519_sign(&sig2, msg, msg_len, &kp1)); 2242 2243 /* Ed25519 signatures are deterministic */ 2244 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, sizeof(sig1.sig)); 2245 2246 /* Basic signature is valid. */ 2247 tt_int_op(0, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1)); 2248 2249 /* Altered signature doesn't work. */ 2250 sig1.sig[0] ^= 3; 2251 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1)); 2252 2253 /* Wrong public key doesn't work. */ 2254 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec2)); 2255 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub2)); 2256 tt_assert(! ed25519_pubkey_eq(&pub1, &pub2)); 2257 2258 /* Wrong message doesn't work. */ 2259 tt_int_op(0, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub1)); 2260 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len-1, &pub1)); 2261 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg2, msg2_len, &pub1)); 2262 2263 /* Batch signature checking works with some bad. */ 2264 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp2, 0)); 2265 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp2)); 2266 { 2267 ed25519_checkable_t ch[] = { 2268 { &pub1, sig2, msg, msg_len }, /*ok*/ 2269 { &pub1, sig2, msg, msg_len-1 }, /*bad*/ 2270 { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/ 2271 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/ 2272 }; 2273 int okay[4]; 2274 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(okay, ch, 4)); 2275 tt_int_op(okay[0], OP_EQ, 1); 2276 tt_int_op(okay[1], OP_EQ, 0); 2277 tt_int_op(okay[2], OP_EQ, 0); 2278 tt_int_op(okay[3], OP_EQ, 1); 2279 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(NULL, ch, 4)); 2280 } 2281 2282 /* Batch signature checking works with all good. */ 2283 { 2284 ed25519_checkable_t ch[] = { 2285 { &pub1, sig2, msg, msg_len }, /*ok*/ 2286 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/ 2287 }; 2288 int okay[2]; 2289 tt_int_op(0, OP_EQ, ed25519_checksig_batch(okay, ch, 2)); 2290 tt_int_op(okay[0], OP_EQ, 1); 2291 tt_int_op(okay[1], OP_EQ, 1); 2292 tt_int_op(0, OP_EQ, ed25519_checksig_batch(NULL, ch, 2)); 2293 } 2294 2295 /* Test the string-prefixed sign/checksig functions */ 2296 { 2297 ed25519_signature_t manual_sig; 2298 char *prefixed_msg; 2299 2300 /* Generate a signature with a prefixed msg. */ 2301 tt_int_op(0, OP_EQ, ed25519_sign_prefixed(&sig1, msg, msg_len, 2302 "always in the mood", 2303 &kp1)); 2304 2305 /* First, check that ed25519_sign_prefixed() returns the exact same sig as 2306 if we had manually prefixed the msg ourselves. */ 2307 tor_asprintf(&prefixed_msg, "%s%s", "always in the mood", msg); 2308 tt_int_op(0, OP_EQ, ed25519_sign(&manual_sig, (uint8_t *)prefixed_msg, 2309 strlen(prefixed_msg), &kp1)); 2310 tor_free(prefixed_msg); 2311 tt_assert(fast_memeq(sig1.sig, manual_sig.sig, sizeof(sig1.sig))); 2312 2313 /* Test that prefixed checksig verifies it properly. */ 2314 tt_int_op(0, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len, 2315 "always in the mood", 2316 &pub1)); 2317 2318 /* Test that checksig with wrong prefix fails. */ 2319 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len, 2320 "always in the moo", 2321 &pub1)); 2322 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len, 2323 "always in the moon", 2324 &pub1)); 2325 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len, 2326 "always in the mood!", 2327 &pub1)); 2328 } 2329 2330 done: 2331 ; 2332 } 2333 2334 static void 2335 test_crypto_ed25519_test_vectors(void *arg) 2336 { 2337 char *mem_op_hex_tmp=NULL; 2338 int i; 2339 struct { 2340 const char *sk; 2341 const char *pk; 2342 const char *sig; 2343 const char *msg; 2344 } items[] = { 2345 /* These test vectors were generated with the "ref" implementation of 2346 * ed25519 from SUPERCOP-20130419 */ 2347 { "4c6574277320686f706520746865726520617265206e6f206275677320696e20", 2348 "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87", 2349 "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51" 2350 "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06", 2351 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774" 2352 "204e554c2d7465726d696e617465642e" 2353 }, 2354 2355 { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74", 2356 "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac", 2357 "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28" 2358 "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601", 2359 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774" 2360 "204e554c2d7465726d696e617465642e" 2361 }, 2362 { "6578706f73656420627920456e676c697368207465787420617320696e707574", 2363 "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706", 2364 "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad" 2365 "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209", 2366 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774" 2367 "204e554c2d7465726d696e617465642e" 2368 }, 2369 2370 /* These come from "sign.input" in ed25519's page */ 2371 { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9", 2372 "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257", 2373 "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258" 2374 "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e", 2375 "5a8d9d0a22357e6655f9c785" 2376 }, 2377 { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800", 2378 "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd", 2379 "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d" 2380 "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c", 2381 "b87d3813e03f58cf19fd0b6395" 2382 }, 2383 { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738", 2384 "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291", 2385 "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0" 2386 "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06", 2387 "55c7fa434f5ed8cdec2b7aeac173", 2388 }, 2389 { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300", 2390 "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5", 2391 "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395" 2392 "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00", 2393 "0a688e79be24f866286d4646b5d81c" 2394 }, 2395 /* These come from draft-irtf-cfrg-eddsa-05 section 7.1 */ 2396 { 2397 "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60", 2398 "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a", 2399 "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155" 2400 "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b", 2401 "" 2402 }, 2403 { 2404 "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb", 2405 "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c", 2406 "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da" 2407 "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00", 2408 "72" 2409 }, 2410 { 2411 "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5", 2412 "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e", 2413 "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350" 2414 "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03", 2415 "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98" 2416 "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8" 2417 "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d" 2418 "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc" 2419 "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe" 2420 "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e" 2421 "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef" 2422 "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7" 2423 "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1" 2424 "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2" 2425 "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24" 2426 "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270" 2427 "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc" 2428 "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07" 2429 "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba" 2430 "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a" 2431 "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e" 2432 "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7" 2433 "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c" 2434 "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8" 2435 "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df" 2436 "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08" 2437 "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649" 2438 "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4" 2439 "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3" 2440 "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e" 2441 "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f" 2442 "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5" 2443 "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1" 2444 "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d" 2445 "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c" 2446 "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0" 2447 }, 2448 { 2449 "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42", 2450 "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf", 2451 "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589" 2452 "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704", 2453 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a" 2454 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f" 2455 }, 2456 { NULL, NULL, NULL, NULL} 2457 }; 2458 2459 (void)arg; 2460 2461 for (i = 0; items[i].pk; ++i) { 2462 ed25519_keypair_t kp; 2463 ed25519_signature_t sig; 2464 uint8_t sk_seed[32]; 2465 uint8_t *msg; 2466 size_t msg_len; 2467 base16_decode((char*)sk_seed, sizeof(sk_seed), 2468 items[i].sk, 64); 2469 ed25519_secret_key_from_seed(&kp.seckey, sk_seed); 2470 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&kp.pubkey, &kp.seckey)); 2471 test_memeq_hex(kp.pubkey.pubkey, items[i].pk); 2472 2473 msg_len = strlen(items[i].msg) / 2; 2474 msg = tor_malloc(msg_len); 2475 base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg)); 2476 2477 tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, msg_len, &kp)); 2478 test_memeq_hex(sig.sig, items[i].sig); 2479 2480 tor_free(msg); 2481 } 2482 2483 done: 2484 tor_free(mem_op_hex_tmp); 2485 } 2486 2487 static void 2488 test_crypto_ed25519_encode(void *arg) 2489 { 2490 char buf[ED25519_SIG_BASE64_LEN+1]; 2491 ed25519_keypair_t kp; 2492 ed25519_public_key_t pk; 2493 ed25519_signature_t sig1, sig2; 2494 char *mem_op_hex_tmp = NULL; 2495 (void) arg; 2496 2497 /* Test roundtrip. */ 2498 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, 0)); 2499 ed25519_public_to_base64(buf, &kp.pubkey); 2500 tt_int_op(ED25519_BASE64_LEN, OP_EQ, strlen(buf)); 2501 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk, buf)); 2502 tt_mem_op(kp.pubkey.pubkey, OP_EQ, pk.pubkey, ED25519_PUBKEY_LEN); 2503 2504 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, (const uint8_t*)"ABC", 3, &kp)); 2505 ed25519_signature_to_base64(buf, &sig1); 2506 tt_int_op(0, OP_EQ, ed25519_signature_from_base64(&sig2, buf)); 2507 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, ED25519_SIG_LEN); 2508 2509 /* Test known value. */ 2510 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk, 2511 "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM")); 2512 test_memeq_hex(pk.pubkey, 2513 "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3"); 2514 2515 done: 2516 tor_free(mem_op_hex_tmp); 2517 } 2518 2519 static void 2520 test_crypto_ed25519_convert(void *arg) 2521 { 2522 const uint8_t msg[] = 2523 "The eyes are not here / There are no eyes here."; 2524 const int N = 30; 2525 int i; 2526 (void)arg; 2527 2528 for (i = 0; i < N; ++i) { 2529 curve25519_keypair_t curve25519_keypair; 2530 ed25519_keypair_t ed25519_keypair; 2531 ed25519_public_key_t ed25519_pubkey; 2532 2533 int bit=0; 2534 ed25519_signature_t sig; 2535 2536 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&curve25519_keypair, i&1)); 2537 tt_int_op(0,OP_EQ,ed25519_keypair_from_curve25519_keypair( 2538 &ed25519_keypair, &bit, &curve25519_keypair)); 2539 tt_int_op(0,OP_EQ,ed25519_public_key_from_curve25519_public_key( 2540 &ed25519_pubkey, &curve25519_keypair.pubkey, bit)); 2541 tt_mem_op(ed25519_pubkey.pubkey, OP_EQ, ed25519_keypair.pubkey.pubkey, 32); 2542 2543 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair)); 2544 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg), 2545 &ed25519_pubkey)); 2546 2547 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1, 2548 &ed25519_pubkey)); 2549 sig.sig[0] ^= 15; 2550 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg), 2551 &ed25519_pubkey)); 2552 } 2553 2554 done: 2555 ; 2556 } 2557 2558 static void 2559 test_crypto_ed25519_blinding(void *arg) 2560 { 2561 const uint8_t msg[] = 2562 "Eyes I dare not meet in dreams / In death's dream kingdom"; 2563 2564 const int N = 30; 2565 int i; 2566 (void)arg; 2567 2568 for (i = 0; i < N; ++i) { 2569 uint8_t blinding[32]; 2570 ed25519_keypair_t ed25519_keypair; 2571 ed25519_keypair_t ed25519_keypair_blinded; 2572 ed25519_public_key_t ed25519_pubkey_blinded; 2573 2574 ed25519_signature_t sig; 2575 2576 crypto_rand((char*) blinding, sizeof(blinding)); 2577 2578 tt_int_op(0,OP_EQ,ed25519_keypair_generate(&ed25519_keypair, 0)); 2579 tt_int_op(0,OP_EQ,ed25519_keypair_blind(&ed25519_keypair_blinded, 2580 &ed25519_keypair, blinding)); 2581 2582 tt_int_op(0,OP_EQ,ed25519_public_blind(&ed25519_pubkey_blinded, 2583 &ed25519_keypair.pubkey, blinding)); 2584 2585 tt_mem_op(ed25519_pubkey_blinded.pubkey, OP_EQ, 2586 ed25519_keypair_blinded.pubkey.pubkey, 32); 2587 2588 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg), 2589 &ed25519_keypair_blinded)); 2590 2591 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg), 2592 &ed25519_pubkey_blinded)); 2593 2594 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1, 2595 &ed25519_pubkey_blinded)); 2596 sig.sig[0] ^= 15; 2597 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg), 2598 &ed25519_pubkey_blinded)); 2599 } 2600 2601 done: 2602 ; 2603 } 2604 2605 /** Test that our blinding functions will fail if we pass them bad pubkeys */ 2606 static void 2607 test_crypto_ed25519_blinding_fail(void *arg) 2608 { 2609 int retval; 2610 uint8_t param[32] = {2}; 2611 ed25519_public_key_t pub; 2612 ed25519_public_key_t pub_blinded; 2613 2614 (void)arg; 2615 2616 /* This point is not on the curve: the blind routines should fail */ 2617 const char badkey[] = 2618 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0"; 2619 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey), 2620 badkey, strlen(badkey)); 2621 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey)); 2622 retval = ed25519_public_blind(&pub_blinded, &pub, param); 2623 tt_int_op(retval, OP_EQ, -1); 2624 2625 /* This point is legit: blind routines should be happy */ 2626 const char goodkey[] = 2627 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794"; 2628 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey), 2629 goodkey, strlen(goodkey)); 2630 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey)); 2631 retval = ed25519_public_blind(&pub_blinded, &pub, param); 2632 tt_int_op(retval, OP_EQ, 0); 2633 2634 done: 2635 ; 2636 } 2637 2638 static void 2639 test_crypto_ed25519_testvectors(void *arg) 2640 { 2641 unsigned i; 2642 char *mem_op_hex_tmp = NULL; 2643 (void)arg; 2644 2645 for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) { 2646 uint8_t sk[32]; 2647 ed25519_secret_key_t esk; 2648 ed25519_public_key_t pk, blind_pk, pkfromcurve; 2649 ed25519_keypair_t keypair, blind_keypair; 2650 curve25519_keypair_t curvekp; 2651 uint8_t blinding_param[32]; 2652 ed25519_signature_t sig; 2653 int sign; 2654 2655 memset(&curvekp, 0xd0, sizeof(curvekp)); 2656 2657 #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s)) 2658 #define EQ(a,h) test_memeq_hex((const char*)(a), (h)) 2659 2660 tt_int_op(sizeof(sk), OP_EQ, DECODE(sk, ED25519_SECRET_KEYS[i])); 2661 tt_int_op(sizeof(blinding_param), OP_EQ, DECODE(blinding_param, 2662 ED25519_BLINDING_PARAMS[i])); 2663 2664 tt_int_op(0, OP_EQ, ed25519_secret_key_from_seed(&esk, sk)); 2665 EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]); 2666 2667 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &esk)); 2668 EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]); 2669 2670 memcpy(&curvekp.seckey.secret_key, esk.seckey, 32); 2671 curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey); 2672 2673 tt_int_op(0, OP_EQ, 2674 ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp)); 2675 tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key( 2676 &pkfromcurve, &curvekp.pubkey, sign)); 2677 tt_mem_op(keypair.pubkey.pubkey, OP_EQ, pkfromcurve.pubkey, 32); 2678 EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]); 2679 2680 /* Self-signing */ 2681 memcpy(&keypair.seckey, &esk, sizeof(esk)); 2682 memcpy(&keypair.pubkey, &pk, sizeof(pk)); 2683 2684 tt_int_op(0, OP_EQ, ed25519_sign(&sig, pk.pubkey, 32, &keypair)); 2685 2686 EQ(sig.sig, ED25519_SELF_SIGNATURES[i]); 2687 2688 /* Blinding */ 2689 tt_int_op(0, OP_EQ, 2690 ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param)); 2691 tt_int_op(0, OP_EQ, 2692 ed25519_public_blind(&blind_pk, &pk, blinding_param)); 2693 2694 EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]); 2695 EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]); 2696 2697 tt_mem_op(blind_pk.pubkey, OP_EQ, blind_keypair.pubkey.pubkey, 32); 2698 2699 #undef DECODE 2700 #undef EQ 2701 } 2702 done: 2703 tor_free(mem_op_hex_tmp); 2704 } 2705 2706 static void 2707 test_crypto_ed25519_storage(void *arg) 2708 { 2709 (void)arg; 2710 ed25519_keypair_t *keypair = NULL; 2711 ed25519_public_key_t pub; 2712 ed25519_secret_key_t sec; 2713 char *fname_1 = tor_strdup(get_fname("ed_seckey_1")); 2714 char *fname_2 = tor_strdup(get_fname("ed_pubkey_2")); 2715 char *contents = NULL; 2716 char *tag = NULL; 2717 2718 keypair = tor_malloc_zero(sizeof(ed25519_keypair_t)); 2719 tt_int_op(0,OP_EQ,ed25519_keypair_generate(keypair, 0)); 2720 tt_int_op(0,OP_EQ, 2721 ed25519_seckey_write_to_file(&keypair->seckey, fname_1, "foo")); 2722 tt_int_op(0,OP_EQ, 2723 ed25519_pubkey_write_to_file(&keypair->pubkey, fname_2, "bar")); 2724 2725 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_1)); 2726 tt_ptr_op(tag, OP_EQ, NULL); 2727 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_2)); 2728 tt_ptr_op(tag, OP_EQ, NULL); 2729 2730 tt_int_op(0, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2)); 2731 tt_str_op(tag, OP_EQ, "bar"); 2732 tor_free(tag); 2733 tt_int_op(0, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1)); 2734 tt_str_op(tag, OP_EQ, "foo"); 2735 tor_free(tag); 2736 2737 /* whitebox test: truncated keys. */ 2738 tt_int_op(0, OP_EQ, do_truncate(fname_1, 40)); 2739 tt_int_op(0, OP_EQ, do_truncate(fname_2, 40)); 2740 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2)); 2741 tt_ptr_op(tag, OP_EQ, NULL); 2742 tor_free(tag); 2743 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1)); 2744 tt_ptr_op(tag, OP_EQ, NULL); 2745 2746 done: 2747 tor_free(fname_1); 2748 tor_free(fname_2); 2749 tor_free(contents); 2750 tor_free(tag); 2751 ed25519_keypair_free(keypair); 2752 } 2753 2754 static void 2755 test_crypto_siphash(void *arg) 2756 { 2757 /* From the reference implementation, taking 2758 k = 00 01 02 ... 0f 2759 and in = 00; 00 01; 00 01 02; ... 2760 */ 2761 const uint8_t VECTORS[64][8] = 2762 { 2763 { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, }, 2764 { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, }, 2765 { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, }, 2766 { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, }, 2767 { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, }, 2768 { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, }, 2769 { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, }, 2770 { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, }, 2771 { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, }, 2772 { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, }, 2773 { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, }, 2774 { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, }, 2775 { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, }, 2776 { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, }, 2777 { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, }, 2778 { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, }, 2779 { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, }, 2780 { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, }, 2781 { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, }, 2782 { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, }, 2783 { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, }, 2784 { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, }, 2785 { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, }, 2786 { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, }, 2787 { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, }, 2788 { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, }, 2789 { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, }, 2790 { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, }, 2791 { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, }, 2792 { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, }, 2793 { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, }, 2794 { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, }, 2795 { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, }, 2796 { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, }, 2797 { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, }, 2798 { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, }, 2799 { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, }, 2800 { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, }, 2801 { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, }, 2802 { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, }, 2803 { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, }, 2804 { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, }, 2805 { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, }, 2806 { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, }, 2807 { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, }, 2808 { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, }, 2809 { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, }, 2810 { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, }, 2811 { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, }, 2812 { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, }, 2813 { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, }, 2814 { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, }, 2815 { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, }, 2816 { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, }, 2817 { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, }, 2818 { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, }, 2819 { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, }, 2820 { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, }, 2821 { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, }, 2822 { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, }, 2823 { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, }, 2824 { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, }, 2825 { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, }, 2826 { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, } 2827 }; 2828 2829 const struct sipkey K = { UINT64_C(0x0706050403020100), 2830 UINT64_C(0x0f0e0d0c0b0a0908) }; 2831 uint8_t input[64]; 2832 int i, j; 2833 2834 (void)arg; 2835 2836 for (i = 0; i < 64; ++i) 2837 input[i] = i; 2838 2839 for (i = 0; i < 64; ++i) { 2840 uint64_t r = siphash24(input, i, &K); 2841 for (j = 0; j < 8; ++j) { 2842 tt_int_op( (r >> (j*8)) & 0xff, OP_EQ, VECTORS[i][j]); 2843 } 2844 } 2845 2846 done: 2847 ; 2848 } 2849 2850 static void 2851 test_crypto_blake2b(void *arg) 2852 { 2853 (void)arg; 2854 2855 /* There is no official blake2b test vector set, but these are inspired 2856 * by RFC7693 and OpenSSL. Note that we need to test shorter hash lengths 2857 * separately even though they are implemented by truncating a 512-bit 2858 * hash, because the requested length is included in the hash initial state. 2859 */ 2860 static const struct { 2861 const char *in_literal; 2862 const char *out_hex; 2863 } vectors[] = { 2864 { "", 2865 "786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419" 2866 "d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce" 2867 }, 2868 { "a", 2869 "333fcb4ee1aa7c115355ec66ceac917c8bfd815bf7587d325aec1864edd24e34" 2870 "d5abe2c6b1b5ee3face62fed78dbef802f2a85cb91d455a8f5249d330853cb3c" 2871 }, 2872 { "ab", 2873 "b32c0573d242b3a987d8f66bd43266b7925cefab3a854950641a81ef6a3f4b97" 2874 "928443850545770f64abac2a75f18475653fa3d9a52c66a840da3b8617ae9607" 2875 }, 2876 { "abc", 2877 "ba80a53f981c4d0d6a2797b69f12f6e94c212f14685ac4b74b12bb6fdbffa2d1" 2878 "7d87c5392aab792dc252d5de4533cc9518d38aa8dbf1925ab92386edd4009923" 2879 }, 2880 { "", "2e" }, 2881 { "a", "de" }, 2882 { "ab", "0e" }, 2883 { "abc", "6b" }, 2884 { "", "1271cf25" }, 2885 { "a", "ca234c55" }, 2886 { "ab", "3ae897a7" }, 2887 { "abc", "63906248" }, 2888 { "A somewhat longer test vector for blake2b xxxxxxxxxxxxxxxxxxxxxx" 2889 "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" 2890 "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.", 2891 "1d27b0988061a82ff7563a55f9289ff3d878783e688d9e001b3c4b99b675c7f7" 2892 "1d4ae57805c6a8e670eb8145ba97960a7859451ab7b1558a60e5b7660d2f4639" 2893 }, 2894 { "A somewhat longer test vector for blake2b xxxxxxxxxxxxxxxxxxxxxx" 2895 "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" 2896 "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.", 2897 "48600bb0" 2898 } 2899 }; 2900 2901 static const struct { 2902 int update_size; 2903 } variations[] = { 2904 {BLAKE2B_BLOCKBYTES*2}, 2905 {BLAKE2B_BLOCKBYTES}, 2906 {BLAKE2B_BLOCKBYTES-1}, 2907 {1}, 2908 {2}, 2909 {3} 2910 }; 2911 2912 const size_t num_vectors = sizeof vectors / sizeof vectors[0]; 2913 const size_t num_variations = sizeof variations / sizeof variations[0]; 2914 2915 for (unsigned vec_i = 0; vec_i < num_vectors; vec_i++) { 2916 const char *in_literal = vectors[vec_i].in_literal; 2917 const char *out_hex = vectors[vec_i].out_hex; 2918 const size_t in_len = strlen(in_literal); 2919 const size_t out_hex_len = strlen(out_hex); 2920 const size_t hash_size = out_hex_len / 2; 2921 2922 int retval = -1; 2923 uint8_t out_expected[BLAKE2B_OUTBYTES] = { 0 }; 2924 tt_int_op(out_hex_len, OP_EQ, 2 * hash_size); 2925 tt_int_op(hash_size, OP_LE, sizeof out_expected); 2926 retval = base16_decode((char*)out_expected, hash_size, 2927 out_hex, out_hex_len); 2928 tt_int_op(retval, OP_EQ, hash_size); 2929 2930 for (size_t vari_i = 0; vari_i < num_variations; vari_i++) { 2931 const size_t update_size = variations[vari_i].update_size; 2932 uint8_t out_actual[BLAKE2B_OUTBYTES] = { 0 }; 2933 2934 blake2b_state b2_state; 2935 retval = blake2b_init(&b2_state, hash_size); 2936 tt_int_op(retval, OP_EQ, 0); 2937 2938 for (size_t in_off = 0; in_off < in_len;) { 2939 const size_t this_update = MIN(update_size, in_len - in_off); 2940 blake2b_update(&b2_state, (uint8_t*)in_literal + in_off, this_update); 2941 in_off += this_update; 2942 } 2943 2944 memset(out_actual, 0xa5, sizeof out_actual); 2945 blake2b_final(&b2_state, out_actual, hash_size); 2946 tt_mem_op(out_actual, OP_EQ, out_expected, hash_size); 2947 } 2948 } 2949 2950 done: 2951 ; 2952 } 2953 2954 static void 2955 test_crypto_hashx(void *arg) 2956 { 2957 (void)arg; 2958 2959 /* Specifically test the embedded instance of HashX inside Equi-X. 2960 * It uses a non-default setting of HASHX_SIZE=8 */ 2961 static const struct { 2962 const char *seed_literal; 2963 uint64_t hash_input; 2964 const char *out_hex; 2965 } vectors[] = { 2966 { "", 0, "466cc2021c268560" }, 2967 { "a", 0, "b2a110ee695c475c" }, 2968 { "ab", 0, "57c77f7e0d2c1727" }, 2969 { "abc", 0, "ef560991338086d1" }, 2970 { "", 999, "304068b62bc4874e" }, 2971 { "a", 999, "c8b66a8eb4bba304" }, 2972 { "ab", 999, "26c1f7031f0b3645" }, 2973 { "abc", 999, "de84f9d286b39ab5" }, 2974 { "abc", UINT64_MAX, "f756c266a3cb3b5a" } 2975 }; 2976 2977 static const struct { 2978 hashx_type type; 2979 } variations[] = { 2980 { HASHX_TYPE_INTERPRETED }, 2981 #if defined(_M_X64) || defined(__x86_64__) || defined(__aarch64__) 2982 { HASHX_TYPE_COMPILED }, 2983 #endif 2984 }; 2985 2986 const unsigned num_vectors = sizeof vectors / sizeof vectors[0]; 2987 const unsigned num_variations = sizeof variations / sizeof variations[0]; 2988 hashx_ctx *ctx = NULL; 2989 2990 for (unsigned vec_i = 0; vec_i < num_vectors; vec_i++) { 2991 const char *seed_literal = vectors[vec_i].seed_literal; 2992 const uint64_t hash_input = vectors[vec_i].hash_input; 2993 const char *out_hex = vectors[vec_i].out_hex; 2994 const size_t seed_len = strlen(seed_literal); 2995 const size_t out_hex_len = strlen(out_hex); 2996 2997 int retval = -1; 2998 uint8_t out_expected[HASHX_SIZE] = { 0 }; 2999 tt_int_op(out_hex_len, OP_EQ, 2 * HASHX_SIZE); 3000 retval = base16_decode((char*)out_expected, HASHX_SIZE, 3001 out_hex, out_hex_len); 3002 tt_int_op(retval, OP_EQ, HASHX_SIZE); 3003 3004 for (unsigned vari_i = 0; vari_i < num_variations; vari_i++) { 3005 uint8_t out_actual[HASHX_SIZE] = { 0 }; 3006 3007 hashx_free(ctx); 3008 ctx = hashx_alloc(variations[vari_i].type); 3009 3010 tt_ptr_op(ctx, OP_NE, NULL); 3011 retval = hashx_make(ctx, seed_literal, seed_len); 3012 tt_int_op(retval, OP_EQ, HASHX_OK); 3013 3014 memset(out_actual, 0xa5, sizeof out_actual); 3015 retval = hashx_exec(ctx, hash_input, out_actual); 3016 tt_int_op(retval, OP_EQ, HASHX_OK); 3017 tt_mem_op(out_actual, OP_EQ, out_expected, sizeof out_actual); 3018 } 3019 } 3020 3021 done: 3022 hashx_free(ctx); 3023 } 3024 3025 /* We want the likelihood that the random buffer exhibits any regular pattern 3026 * to be far less than the memory bit error rate in the int return value. 3027 * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call 3028 * 3 functions, leading to an overall error rate of 1/10^616. 3029 * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range. 3030 */ 3031 #define FAILURE_MODE_BUFFER_SIZE (2048/8) 3032 3033 /** Check crypto_rand for a failure mode where it does nothing to the buffer, 3034 * or it sets the buffer to all zeroes. Return 0 when the check passes, 3035 * or -1 when it fails. */ 3036 static int 3037 crypto_rand_check_failure_mode_zero(void) 3038 { 3039 char buf[FAILURE_MODE_BUFFER_SIZE]; 3040 3041 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE); 3042 crypto_rand(buf, FAILURE_MODE_BUFFER_SIZE); 3043 3044 for (size_t i = 0; i < FAILURE_MODE_BUFFER_SIZE; i++) { 3045 if (buf[i] != 0) { 3046 return 0; 3047 } 3048 } 3049 3050 return -1; 3051 } 3052 3053 /** Check crypto_rand for a failure mode where every int64_t in the buffer is 3054 * the same. Return 0 when the check passes, or -1 when it fails. */ 3055 static int 3056 crypto_rand_check_failure_mode_identical(void) 3057 { 3058 /* just in case the buffer size isn't a multiple of sizeof(int64_t) */ 3059 #define FAILURE_MODE_BUFFER_SIZE_I64 \ 3060 (FAILURE_MODE_BUFFER_SIZE/8) 3061 #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \ 3062 (FAILURE_MODE_BUFFER_SIZE_I64*8) 3063 3064 #if FAILURE_MODE_BUFFER_SIZE_I64 < 2 3065 #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*8 3066 #endif 3067 3068 int64_t buf[FAILURE_MODE_BUFFER_SIZE_I64]; 3069 3070 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES); 3071 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE_I64_BYTES); 3072 3073 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE_I64; i++) { 3074 if (buf[i] != buf[i-1]) { 3075 return 0; 3076 } 3077 } 3078 3079 return -1; 3080 } 3081 3082 /** Check crypto_rand for a failure mode where it increments the "random" 3083 * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.) 3084 * Return 0 when the check passes, or -1 when it fails. */ 3085 static int 3086 crypto_rand_check_failure_mode_predict(void) 3087 { 3088 unsigned char buf[FAILURE_MODE_BUFFER_SIZE]; 3089 3090 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE); 3091 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE); 3092 3093 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE; i++) { 3094 /* check if the last byte was incremented by 1, including integer 3095 * wrapping */ 3096 if (buf[i] - buf[i-1] != 1 && buf[i-1] - buf[i] != 255) { 3097 return 0; 3098 } 3099 } 3100 3101 return -1; 3102 } 3103 3104 #undef FAILURE_MODE_BUFFER_SIZE 3105 3106 /** Test that our ed25519 validation function rejects evil public keys and 3107 * accepts good ones. */ 3108 static void 3109 test_crypto_ed25519_validation(void *arg) 3110 { 3111 (void) arg; 3112 3113 int retval; 3114 ed25519_public_key_t pub1; 3115 3116 /* See https://lists.torproject.org/pipermail/tor-dev/2017-April/012230.html 3117 for a list of points with torsion components in ed25519. */ 3118 3119 { /* Point with torsion component (order 8l) */ 3120 const char badkey[] = 3121 "300ef2e64e588e1df55b48e4da0416ffb64cc85d5b00af6463d5cc6c2b1c185e"; 3122 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey), 3123 badkey, strlen(badkey)); 3124 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey)); 3125 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1); 3126 } 3127 3128 { /* Point with torsion component (order 4l) */ 3129 const char badkey[] = 3130 "f43e3a046db8749164c6e69b193f1e942c7452e7d888736f40b98093d814d5e7"; 3131 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey), 3132 badkey, strlen(badkey)); 3133 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey)); 3134 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1); 3135 } 3136 3137 { /* Point with torsion component (order 2l) */ 3138 const char badkey[] = 3139 "c9fff3af0471c28e33e98c2043e44f779d0427b1e37c521a6bddc011ed1869af"; 3140 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey), 3141 badkey, strlen(badkey)); 3142 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey)); 3143 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1); 3144 } 3145 3146 { /* This point is not even on the curve */ 3147 const char badkey[] = 3148 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0"; 3149 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey), 3150 badkey, strlen(badkey)); 3151 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey)); 3152 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1); 3153 } 3154 3155 { /* This one is a good key */ 3156 const char goodkey[] = 3157 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794"; 3158 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey), 3159 goodkey, strlen(goodkey)); 3160 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey)); 3161 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0); 3162 } 3163 3164 done: ; 3165 } 3166 3167 static void 3168 test_crypto_failure_modes(void *arg) 3169 { 3170 int rv = 0; 3171 (void)arg; 3172 3173 rv = crypto_early_init(); 3174 tt_int_op(rv, OP_EQ, 0); 3175 3176 /* Check random works */ 3177 rv = crypto_rand_check_failure_mode_zero(); 3178 tt_int_op(rv, OP_EQ, 0); 3179 3180 rv = crypto_rand_check_failure_mode_identical(); 3181 tt_int_op(rv, OP_EQ, 0); 3182 3183 rv = crypto_rand_check_failure_mode_predict(); 3184 tt_int_op(rv, OP_EQ, 0); 3185 3186 done: 3187 ; 3188 } 3189 3190 static void 3191 test_crypto_polyval(void *arg) 3192 { 3193 (void)arg; 3194 polyval_t pv; 3195 uint8_t key[16]; 3196 uint8_t input[48]; 3197 uint8_t output[16]; 3198 uint8_t output2[16]; 3199 char *mem_op_hex_tmp=NULL; 3200 uint8_t *longer = NULL; 3201 3202 // From RFC 8452 3203 const char *key_hex = "25629347589242761d31f826ba4b757b"; 3204 const char *input_hex = 3205 "4f4f95668c83dfb6401762bb2d01a262" 3206 "d1a24ddd2721d006bbe45f20d3c9f362"; 3207 memset(input, 0, sizeof(input)); 3208 base16_decode((char*)key,sizeof(key), key_hex, strlen(key_hex)); 3209 base16_decode((char*)input,sizeof(input), input_hex, strlen(input_hex)); 3210 3211 // Two blocks, directly. 3212 polyval_init(&pv, key); 3213 polyval_add_block(&pv, input); 3214 polyval_add_block(&pv, input+16); 3215 polyval_get_tag(&pv, output); 3216 test_memeq_hex(output, "f7a3b47b846119fae5b7866cf5e5b77e"); 3217 // Two blocks, as a string. 3218 polyval_reset(&pv); 3219 polyval_add_zpad(&pv, input, 32); 3220 polyval_get_tag(&pv, output); 3221 test_memeq_hex(output, "f7a3b47b846119fae5b7866cf5e5b77e"); 3222 3223 // Now make sure that zero-padding works. 3224 input[32] = 77; 3225 polyval_reset(&pv); 3226 polyval_add_block(&pv, input); 3227 polyval_add_block(&pv, input+16); 3228 polyval_add_block(&pv, input+32); 3229 polyval_get_tag(&pv, output); 3230 3231 polyval_reset(&pv); 3232 polyval_add_zpad(&pv, input, 33); 3233 polyval_get_tag(&pv, output2); 3234 tt_mem_op(output, OP_EQ, output2, 16); 3235 3236 // Try a long input both ways, and make sure the answer is the same. 3237 longer = tor_malloc_zero(4096); 3238 crypto_rand((char *)longer, 4090); // leave zeros at the end. 3239 polyval_reset(&pv); 3240 polyval_add_zpad(&pv, longer, 4090); 3241 polyval_get_tag(&pv, output); 3242 3243 polyval_reset(&pv); 3244 const uint8_t *cp; 3245 for (cp = longer; cp < longer + 4096; cp += 16) { 3246 polyval_add_block(&pv, cp); 3247 } 3248 polyval_get_tag(&pv, output2); 3249 tt_mem_op(output, OP_EQ, output2, 16); 3250 3251 // Now the same with polyvalx. 3252 polyvalx_t pvx; 3253 polyvalx_init(&pvx, key); 3254 polyvalx_add_zpad(&pvx, longer, 4090); 3255 polyvalx_get_tag(&pvx, output2); 3256 tt_mem_op(output, OP_EQ, output2, 16); 3257 3258 polyvalx_reset(&pvx); 3259 for (cp = longer; cp < longer + 4096; cp += 16) { 3260 polyvalx_add_block(&pvx, cp); 3261 } 3262 polyvalx_get_tag(&pvx, output2); 3263 tt_mem_op(output, OP_EQ, output2, 16); 3264 3265 done: 3266 tor_free(mem_op_hex_tmp); 3267 tor_free(longer); 3268 } 3269 3270 static void 3271 test_aes_raw_one(int keybits, 3272 const char *key_hex, 3273 const char *plaintext_hex, 3274 const char *ciphertext_hex) 3275 { 3276 aes_raw_t *enc = NULL; 3277 aes_raw_t *dec = NULL; 3278 uint8_t key[32]; // max key size. 3279 uint8_t pt[16], ct[16], block[16]; 3280 tt_int_op(keybits, OP_EQ, strlen(key_hex) * 8 / 2); 3281 base16_decode((char*)key, sizeof(key), key_hex, strlen(key_hex)); 3282 base16_decode((char*)pt, sizeof(pt), plaintext_hex, strlen(plaintext_hex)); 3283 base16_decode((char*)ct, sizeof(ct), ciphertext_hex, strlen(ciphertext_hex)); 3284 3285 enc = aes_raw_new(key, keybits, true); 3286 dec = aes_raw_new(key, keybits, false); 3287 memcpy(block, pt, sizeof(pt)); 3288 aes_raw_encrypt(enc, block); 3289 tt_mem_op(block, OP_EQ, ct, 16); 3290 aes_raw_decrypt(dec, block); 3291 tt_mem_op(block, OP_EQ, pt, 16); 3292 3293 done: 3294 aes_raw_free(enc); 3295 aes_raw_free(dec); 3296 } 3297 3298 static void 3299 test_crypto_aes_raw(void *arg) 3300 { 3301 (void)arg; 3302 3303 #define T test_aes_raw_one 3304 3305 /* From https://csrc.nist.gov/CSRC/media/Projects/ 3306 Cryptographic-Algorithm-Validation-Program/documents/aes/AESAVS.pdf */ 3307 const char *z128 = 3308 "00000000000000000000000000000000"; 3309 const char *z192 = 3310 "00000000000000000000000000000000" 3311 "0000000000000000"; 3312 const char *z256 = 3313 "00000000000000000000000000000000" 3314 "00000000000000000000000000000000"; 3315 3316 T(128, z128, 3317 "f34481ec3cc627bacd5dc3fb08f273e6", 3318 "0336763e966d92595a567cc9ce537f5e"); 3319 T(192, z192, 3320 "1b077a6af4b7f98229de786d7516b639", 3321 "275cfc0413d8ccb70513c3859b1d0f72"); 3322 T(256, z256, 3323 "014730f80ac625fe84f026c60bfd547d", 3324 "5c9d844ed46f9885085e5d6a4f94c7d7"); 3325 T(128, 3326 "10a58869d74be5a374cf867cfb473859", z128, 3327 "6d251e6944b051e04eaa6fb4dbf78465"); 3328 T(192, 3329 "e9f065d7c13573587f7875357dfbb16c53489f6a4bd0f7cd", z128, 3330 "0956259c9cd5cfd0181cca53380cde06"); 3331 T(256, 3332 "c47b0294dbbbee0fec4757f22ffeee35" 3333 "87ca4730c3d33b691df38bab076bc558", z128, 3334 "46f2fb342d6f0ab477476fc501242c5f"); 3335 3336 #undef T 3337 } 3338 3339 /** Make sure that we can set keys on live AES instances correctly. */ 3340 static void 3341 test_crypto_aes_keymanip_cnt(void *arg) 3342 { 3343 (void) arg; 3344 uint8_t k1[16] = "123456780123678"; 3345 uint8_t k2[16] = "abcdefghijklmno"; 3346 int kbits = 128; 3347 uint8_t iv1[16]= "{return 4;}////"; 3348 uint8_t iv2[16] = {0}; 3349 uint8_t buf[128] = {0}; 3350 uint8_t buf2[128] = {0}; 3351 3352 aes_cnt_cipher_t *aes = aes_new_cipher(k1, iv1, kbits); 3353 aes_crypt_inplace(aes, (char*)buf, sizeof(buf)); 3354 3355 aes_cnt_cipher_t *aes2 = aes_new_cipher(k2, iv2, kbits); 3356 // 128-5 to make sure internal buf is cleared when we set key. 3357 aes_crypt_inplace(aes2, (char*)buf2, sizeof(buf2)-5); 3358 aes_cipher_set_key(aes2, k1, kbits); 3359 aes_cipher_set_iv_aligned(aes2, iv1); // should work in this case. 3360 memset(buf2, 0, sizeof(buf2)); 3361 aes_crypt_inplace(aes2, (char*)buf2, sizeof(buf2)); 3362 tt_mem_op(buf, OP_EQ, buf2, sizeof(buf)); 3363 3364 done: 3365 aes_cipher_free(aes); 3366 aes_cipher_free(aes2); 3367 } 3368 3369 static void 3370 test_crypto_aes_keymanip_ecb(void *arg) 3371 { 3372 (void) arg; 3373 uint8_t k1[16] = "123456780123678"; 3374 uint8_t k2[16] = "abcdefghijklmno"; 3375 int kbits = 128; 3376 uint8_t buf_orig[16] = {1,2,3,0}; 3377 uint8_t buf1[16]; 3378 uint8_t buf2[16]; 3379 3380 aes_raw_t *aes1 = aes_raw_new(k1, kbits, true); 3381 aes_raw_t *aes2 = aes_raw_new(k1, kbits, false); 3382 aes_raw_set_key(&aes2, k2, kbits, false); 3383 3384 memcpy(buf1, buf_orig, 16); 3385 memcpy(buf2, buf_orig, 16); 3386 3387 aes_raw_encrypt(aes1, buf1); 3388 aes_raw_encrypt(aes1, buf2); 3389 tt_mem_op(buf1, OP_EQ, buf2, 16); 3390 3391 aes_raw_decrypt(aes2, buf1); 3392 aes_raw_set_key(&aes2, k1, kbits, false); 3393 aes_raw_decrypt(aes2, buf2); 3394 3395 tt_mem_op(buf1, OP_NE, buf2, 16); 3396 tt_mem_op(buf2, OP_EQ, buf_orig, 16); 3397 3398 done: 3399 aes_raw_free(aes1); 3400 aes_raw_free(aes2); 3401 } 3402 3403 static void 3404 test_crypto_aes_cnt_set_iv(void *arg) 3405 { 3406 (void)arg; 3407 uint8_t k1[16] = "123456780123678"; 3408 uint8_t iv_zero[16] = {0}; 3409 int kbits = 128; 3410 const int iters = 100; 3411 uint8_t buf1[128]; 3412 uint8_t buf2[128]; 3413 3414 aes_cnt_cipher_t *aes1, *aes2 = NULL; 3415 aes1 = aes_new_cipher(k1, iv_zero, kbits); 3416 3417 for (int i = 0; i < iters; ++i) { 3418 uint8_t iv[16]; 3419 crypto_rand((char*) iv, sizeof(iv)); 3420 memset(buf1, 0, sizeof(buf1)); 3421 memset(buf2, 0, sizeof(buf2)); 3422 3423 aes_cipher_set_iv_aligned(aes1, iv); 3424 aes2 = aes_new_cipher(k1, iv, kbits); 3425 3426 aes_crypt_inplace(aes1, (char*)buf1, sizeof(buf1)); 3427 aes_crypt_inplace(aes2, (char*)buf1, sizeof(buf2)); 3428 tt_mem_op(buf1, OP_EQ, buf2, sizeof(buf1)); 3429 3430 aes_cipher_free(aes2); 3431 } 3432 done: 3433 aes_cipher_free(aes1); 3434 aes_cipher_free(aes2); 3435 } 3436 3437 #ifndef COCCI 3438 #define CRYPTO_LEGACY(name) \ 3439 { #name, test_crypto_ ## name , 0, NULL, NULL } 3440 3441 #define ED25519_TEST_ONE(name, fl, which) \ 3442 { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \ 3443 &ed25519_test_setup, (void*)which } 3444 3445 #define ED25519_TEST(name, fl) \ 3446 ED25519_TEST_ONE(name, (fl), "donna"), \ 3447 ED25519_TEST_ONE(name, (fl), "ref10") 3448 #endif /* !defined(COCCI) */ 3449 3450 struct testcase_t crypto_tests[] = { 3451 CRYPTO_LEGACY(formats), 3452 { "openssl_version", test_crypto_openssl_version, TT_FORK, NULL, NULL }, 3453 { "aes", test_crypto_aes128, TT_FORK, NULL, NULL }, 3454 { "aes128_ctr_testvec", test_crypto_aes_ctr_testvec, 0, 3455 &passthrough_setup, (void*)"128" }, 3456 { "aes192_ctr_testvec", test_crypto_aes_ctr_testvec, 0, 3457 &passthrough_setup, (void*)"192" }, 3458 { "aes256_ctr_testvec", test_crypto_aes_ctr_testvec, 0, 3459 &passthrough_setup, (void*)"256" }, 3460 CRYPTO_LEGACY(sha), 3461 CRYPTO_LEGACY(pk), 3462 { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL }, 3463 { "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL }, 3464 { "pk_pem_encrypted", test_crypto_pk_pem_encrypted, TT_FORK, NULL, NULL }, 3465 { "pk_bad_size", test_crypto_pk_bad_size, 0, NULL, NULL }, 3466 { "pk_invalid_private_key", test_crypto_pk_invalid_private_key, 0, 3467 NULL, NULL }, 3468 CRYPTO_LEGACY(digests), 3469 { "digest_names", test_crypto_digest_names, 0, NULL, NULL }, 3470 { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL}, 3471 { "sha3_xof", test_crypto_sha3_xof, TT_FORK, NULL, NULL}, 3472 { "mac_sha3", test_crypto_mac_sha3, TT_FORK, NULL, NULL}, 3473 CRYPTO_LEGACY(dh), 3474 { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, NULL, NULL }, 3475 CRYPTO_LEGACY(base32_decode), 3476 { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL }, 3477 { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL }, 3478 { "hkdf_sha256_testvecs", test_crypto_hkdf_sha256_testvecs, 0, NULL, NULL }, 3479 { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL }, 3480 { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"}, 3481 { "curve25516_testvec", test_crypto_curve25519_testvec, 0, NULL, NULL }, 3482 { "curve25519_basepoint", 3483 test_crypto_curve25519_basepoint, TT_FORK, NULL, NULL }, 3484 { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL }, 3485 { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL }, 3486 { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL }, 3487 ED25519_TEST(simple, 0), 3488 ED25519_TEST(test_vectors, 0), 3489 ED25519_TEST(encode, 0), 3490 ED25519_TEST(convert, 0), 3491 ED25519_TEST(blinding, 0), 3492 ED25519_TEST(blinding_fail, 0), 3493 ED25519_TEST(testvectors, 0), 3494 ED25519_TEST(validation, 0), 3495 { "ed25519_storage", test_crypto_ed25519_storage, 0, NULL, NULL }, 3496 { "siphash", test_crypto_siphash, 0, NULL, NULL }, 3497 { "blake2b", test_crypto_blake2b, 0, NULL, NULL }, 3498 { "hashx", test_crypto_hashx, 0, NULL, NULL }, 3499 { "failure_modes", test_crypto_failure_modes, TT_FORK, NULL, NULL }, 3500 { "polyval", test_crypto_polyval, 0, NULL, NULL }, 3501 { "aes_raw", test_crypto_aes_raw, 0, NULL, NULL }, 3502 { "aes_keymanip_cnt", test_crypto_aes_keymanip_cnt, 0, NULL, NULL }, 3503 { "aes_keymanip_ecb", test_crypto_aes_keymanip_ecb, 0, NULL, NULL }, 3504 { "aes_cnt_set_iv", test_crypto_aes_cnt_set_iv, 0, NULL, NULL }, 3505 END_OF_TESTCASES 3506 };