test_crypto.c 87 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436
  1. /* Copyright (c) 2001-2004, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2016, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. #include "orconfig.h"
  6. #define CRYPTO_CURVE25519_PRIVATE
  7. #define CRYPTO_PRIVATE
  8. #include "or.h"
  9. #include "test.h"
  10. #include "aes.h"
  11. #include "util.h"
  12. #include "siphash.h"
  13. #include "crypto_curve25519.h"
  14. #include "crypto_ed25519.h"
  15. #include "ed25519_vectors.inc"
  16. #include <openssl/evp.h>
  17. #include <openssl/rand.h>
  18. extern const char AUTHORITY_SIGNKEY_3[];
  19. extern const char AUTHORITY_SIGNKEY_A_DIGEST[];
  20. extern const char AUTHORITY_SIGNKEY_A_DIGEST256[];
  21. /** Run unit tests for Diffie-Hellman functionality. */
  22. static void
  23. test_crypto_dh(void *arg)
  24. {
  25. crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
  26. crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
  27. char p1[DH_BYTES];
  28. char p2[DH_BYTES];
  29. char s1[DH_BYTES];
  30. char s2[DH_BYTES];
  31. ssize_t s1len, s2len;
  32. (void)arg;
  33. tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH_BYTES);
  34. tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH_BYTES);
  35. memset(p1, 0, DH_BYTES);
  36. memset(p2, 0, DH_BYTES);
  37. tt_mem_op(p1,OP_EQ, p2, DH_BYTES);
  38. tt_assert(! crypto_dh_get_public(dh1, p1, DH_BYTES));
  39. tt_mem_op(p1,OP_NE, p2, DH_BYTES);
  40. tt_assert(! crypto_dh_get_public(dh2, p2, DH_BYTES));
  41. tt_mem_op(p1,OP_NE, p2, DH_BYTES);
  42. memset(s1, 0, DH_BYTES);
  43. memset(s2, 0xFF, DH_BYTES);
  44. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH_BYTES, s1, 50);
  45. s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH_BYTES, s2, 50);
  46. tt_assert(s1len > 0);
  47. tt_int_op(s1len,OP_EQ, s2len);
  48. tt_mem_op(s1,OP_EQ, s2, s1len);
  49. {
  50. /* XXXX Now fabricate some bad values and make sure they get caught,
  51. * Check 0, 1, N-1, >= N, etc.
  52. */
  53. }
  54. done:
  55. crypto_dh_free(dh1);
  56. crypto_dh_free(dh2);
  57. }
  58. /** Run unit tests for our random number generation function and its wrappers.
  59. */
  60. static void
  61. test_crypto_rng(void *arg)
  62. {
  63. int i, j, allok;
  64. char data1[100], data2[100];
  65. double d;
  66. /* Try out RNG. */
  67. (void)arg;
  68. tt_assert(! crypto_seed_rng());
  69. crypto_rand(data1, 100);
  70. crypto_rand(data2, 100);
  71. tt_mem_op(data1,OP_NE, data2,100);
  72. allok = 1;
  73. for (i = 0; i < 100; ++i) {
  74. uint64_t big;
  75. char *host;
  76. j = crypto_rand_int(100);
  77. if (j < 0 || j >= 100)
  78. allok = 0;
  79. big = crypto_rand_uint64(U64_LITERAL(1)<<40);
  80. if (big >= (U64_LITERAL(1)<<40))
  81. allok = 0;
  82. big = crypto_rand_uint64(U64_LITERAL(5));
  83. if (big >= 5)
  84. allok = 0;
  85. d = crypto_rand_double();
  86. tt_assert(d >= 0);
  87. tt_assert(d < 1.0);
  88. host = crypto_random_hostname(3,8,"www.",".onion");
  89. if (strcmpstart(host,"www.") ||
  90. strcmpend(host,".onion") ||
  91. strlen(host) < 13 ||
  92. strlen(host) > 18)
  93. allok = 0;
  94. tor_free(host);
  95. }
  96. tt_assert(allok);
  97. done:
  98. ;
  99. }
  100. static void
  101. test_crypto_rng_range(void *arg)
  102. {
  103. int got_smallest = 0, got_largest = 0;
  104. int i;
  105. (void)arg;
  106. for (i = 0; i < 1000; ++i) {
  107. int x = crypto_rand_int_range(5,9);
  108. tt_int_op(x, OP_GE, 5);
  109. tt_int_op(x, OP_LT, 9);
  110. if (x == 5)
  111. got_smallest = 1;
  112. if (x == 8)
  113. got_largest = 1;
  114. }
  115. /* These fail with probability 1/10^603. */
  116. tt_assert(got_smallest);
  117. tt_assert(got_largest);
  118. done:
  119. ;
  120. }
  121. /* Test for rectifying openssl RAND engine. */
  122. static void
  123. test_crypto_rng_engine(void *arg)
  124. {
  125. (void)arg;
  126. RAND_METHOD dummy_method;
  127. memset(&dummy_method, 0, sizeof(dummy_method));
  128. /* We should be a no-op if we're already on RAND_OpenSSL */
  129. tt_int_op(0, ==, crypto_force_rand_ssleay());
  130. tt_assert(RAND_get_rand_method() == RAND_OpenSSL());
  131. /* We should correct the method if it's a dummy. */
  132. RAND_set_rand_method(&dummy_method);
  133. #ifdef LIBRESSL_VERSION_NUMBER
  134. /* On libressl, you can't override the RNG. */
  135. tt_assert(RAND_get_rand_method() == RAND_OpenSSL());
  136. tt_int_op(0, ==, crypto_force_rand_ssleay());
  137. #else
  138. tt_assert(RAND_get_rand_method() == &dummy_method);
  139. tt_int_op(1, ==, crypto_force_rand_ssleay());
  140. #endif
  141. tt_assert(RAND_get_rand_method() == RAND_OpenSSL());
  142. /* Make sure we aren't calling dummy_method */
  143. crypto_rand((void *) &dummy_method, sizeof(dummy_method));
  144. crypto_rand((void *) &dummy_method, sizeof(dummy_method));
  145. done:
  146. ;
  147. }
  148. /** Run unit tests for our AES functionality */
  149. static void
  150. test_crypto_aes(void *arg)
  151. {
  152. char *data1 = NULL, *data2 = NULL, *data3 = NULL;
  153. crypto_cipher_t *env1 = NULL, *env2 = NULL;
  154. int i, j;
  155. char *mem_op_hex_tmp=NULL;
  156. int use_evp = !strcmp(arg,"evp");
  157. evaluate_evp_for_aes(use_evp);
  158. evaluate_ctr_for_aes();
  159. data1 = tor_malloc(1024);
  160. data2 = tor_malloc(1024);
  161. data3 = tor_malloc(1024);
  162. /* Now, test encryption and decryption with stream cipher. */
  163. data1[0]='\0';
  164. for (i = 1023; i>0; i -= 35)
  165. strncat(data1, "Now is the time for all good onions", i);
  166. memset(data2, 0, 1024);
  167. memset(data3, 0, 1024);
  168. env1 = crypto_cipher_new(NULL);
  169. tt_ptr_op(env1, OP_NE, NULL);
  170. env2 = crypto_cipher_new(crypto_cipher_get_key(env1));
  171. tt_ptr_op(env2, OP_NE, NULL);
  172. /* Try encrypting 512 chars. */
  173. crypto_cipher_encrypt(env1, data2, data1, 512);
  174. crypto_cipher_decrypt(env2, data3, data2, 512);
  175. tt_mem_op(data1,OP_EQ, data3, 512);
  176. tt_mem_op(data1,OP_NE, data2, 512);
  177. /* Now encrypt 1 at a time, and get 1 at a time. */
  178. for (j = 512; j < 560; ++j) {
  179. crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
  180. }
  181. for (j = 512; j < 560; ++j) {
  182. crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
  183. }
  184. tt_mem_op(data1,OP_EQ, data3, 560);
  185. /* Now encrypt 3 at a time, and get 5 at a time. */
  186. for (j = 560; j < 1024-5; j += 3) {
  187. crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
  188. }
  189. for (j = 560; j < 1024-5; j += 5) {
  190. crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
  191. }
  192. tt_mem_op(data1,OP_EQ, data3, 1024-5);
  193. /* Now make sure that when we encrypt with different chunk sizes, we get
  194. the same results. */
  195. crypto_cipher_free(env2);
  196. env2 = NULL;
  197. memset(data3, 0, 1024);
  198. env2 = crypto_cipher_new(crypto_cipher_get_key(env1));
  199. tt_ptr_op(env2, OP_NE, NULL);
  200. for (j = 0; j < 1024-16; j += 17) {
  201. crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
  202. }
  203. for (j= 0; j < 1024-16; ++j) {
  204. if (data2[j] != data3[j]) {
  205. printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]);
  206. }
  207. }
  208. tt_mem_op(data2,OP_EQ, data3, 1024-16);
  209. crypto_cipher_free(env1);
  210. env1 = NULL;
  211. crypto_cipher_free(env2);
  212. env2 = NULL;
  213. /* NIST test vector for aes. */
  214. /* IV starts at 0 */
  215. env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
  216. "\x00\x00\x00\x00\x00\x00\x00\x00");
  217. crypto_cipher_encrypt(env1, data1,
  218. "\x00\x00\x00\x00\x00\x00\x00\x00"
  219. "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
  220. test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");
  221. /* Now test rollover. All these values are originally from a python
  222. * script. */
  223. crypto_cipher_free(env1);
  224. env1 = crypto_cipher_new_with_iv(
  225. "\x80\x00\x00\x00\x00\x00\x00\x00"
  226. "\x00\x00\x00\x00\x00\x00\x00\x00",
  227. "\x00\x00\x00\x00\x00\x00\x00\x00"
  228. "\xff\xff\xff\xff\xff\xff\xff\xff");
  229. memset(data2, 0, 1024);
  230. crypto_cipher_encrypt(env1, data1, data2, 32);
  231. test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
  232. "cdd0b917dbc7186908a6bfb5ffd574d3");
  233. crypto_cipher_free(env1);
  234. env1 = crypto_cipher_new_with_iv(
  235. "\x80\x00\x00\x00\x00\x00\x00\x00"
  236. "\x00\x00\x00\x00\x00\x00\x00\x00",
  237. "\x00\x00\x00\x00\xff\xff\xff\xff"
  238. "\xff\xff\xff\xff\xff\xff\xff\xff");
  239. memset(data2, 0, 1024);
  240. crypto_cipher_encrypt(env1, data1, data2, 32);
  241. test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
  242. "3e63c721df790d2c6469cc1953a3ffac");
  243. crypto_cipher_free(env1);
  244. env1 = crypto_cipher_new_with_iv(
  245. "\x80\x00\x00\x00\x00\x00\x00\x00"
  246. "\x00\x00\x00\x00\x00\x00\x00\x00",
  247. "\xff\xff\xff\xff\xff\xff\xff\xff"
  248. "\xff\xff\xff\xff\xff\xff\xff\xff");
  249. memset(data2, 0, 1024);
  250. crypto_cipher_encrypt(env1, data1, data2, 32);
  251. test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
  252. "0EDD33D3C621E546455BD8BA1418BEC8");
  253. /* Now check rollover on inplace cipher. */
  254. crypto_cipher_free(env1);
  255. env1 = crypto_cipher_new_with_iv(
  256. "\x80\x00\x00\x00\x00\x00\x00\x00"
  257. "\x00\x00\x00\x00\x00\x00\x00\x00",
  258. "\xff\xff\xff\xff\xff\xff\xff\xff"
  259. "\xff\xff\xff\xff\xff\xff\xff\xff");
  260. crypto_cipher_crypt_inplace(env1, data2, 64);
  261. test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
  262. "0EDD33D3C621E546455BD8BA1418BEC8"
  263. "93e2c5243d6839eac58503919192f7ae"
  264. "1908e67cafa08d508816659c2e693191");
  265. crypto_cipher_free(env1);
  266. env1 = crypto_cipher_new_with_iv(
  267. "\x80\x00\x00\x00\x00\x00\x00\x00"
  268. "\x00\x00\x00\x00\x00\x00\x00\x00",
  269. "\xff\xff\xff\xff\xff\xff\xff\xff"
  270. "\xff\xff\xff\xff\xff\xff\xff\xff");
  271. crypto_cipher_crypt_inplace(env1, data2, 64);
  272. tt_assert(tor_mem_is_zero(data2, 64));
  273. done:
  274. tor_free(mem_op_hex_tmp);
  275. if (env1)
  276. crypto_cipher_free(env1);
  277. if (env2)
  278. crypto_cipher_free(env2);
  279. tor_free(data1);
  280. tor_free(data2);
  281. tor_free(data3);
  282. }
  283. /** Run unit tests for our SHA-1 functionality */
  284. static void
  285. test_crypto_sha(void *arg)
  286. {
  287. crypto_digest_t *d1 = NULL, *d2 = NULL;
  288. int i;
  289. #define RFC_4231_MAX_KEY_SIZE 131
  290. char key[RFC_4231_MAX_KEY_SIZE];
  291. char digest[DIGEST256_LEN];
  292. char data[DIGEST512_LEN];
  293. char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
  294. char *mem_op_hex_tmp=NULL;
  295. /* Test SHA-1 with a test vector from the specification. */
  296. (void)arg;
  297. i = crypto_digest(data, "abc", 3);
  298. test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
  299. tt_int_op(i, OP_EQ, 0);
  300. /* Test SHA-256 with a test vector from the specification. */
  301. i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
  302. test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
  303. "96177A9CB410FF61F20015AD");
  304. tt_int_op(i, OP_EQ, 0);
  305. /* Test SHA-512 with a test vector from the specification. */
  306. i = crypto_digest512(data, "abc", 3, DIGEST_SHA512);
  307. test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
  308. "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
  309. "feebbd454d4423643ce80e2a9ac94fa54ca49f");
  310. tt_int_op(i, OP_EQ, 0);
  311. /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
  312. /* Case empty (wikipedia) */
  313. crypto_hmac_sha256(digest, "", 0, "", 0);
  314. tt_str_op(hex_str(digest, 32),OP_EQ,
  315. "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
  316. /* Case quick-brown (wikipedia) */
  317. crypto_hmac_sha256(digest, "key", 3,
  318. "The quick brown fox jumps over the lazy dog", 43);
  319. tt_str_op(hex_str(digest, 32),OP_EQ,
  320. "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
  321. /* "Test Case 1" from RFC 4231 */
  322. memset(key, 0x0b, 20);
  323. crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
  324. test_memeq_hex(digest,
  325. "b0344c61d8db38535ca8afceaf0bf12b"
  326. "881dc200c9833da726e9376c2e32cff7");
  327. /* "Test Case 2" from RFC 4231 */
  328. memset(key, 0x0b, 20);
  329. crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
  330. test_memeq_hex(digest,
  331. "5bdcc146bf60754e6a042426089575c7"
  332. "5a003f089d2739839dec58b964ec3843");
  333. /* "Test case 3" from RFC 4231 */
  334. memset(key, 0xaa, 20);
  335. memset(data, 0xdd, 50);
  336. crypto_hmac_sha256(digest, key, 20, data, 50);
  337. test_memeq_hex(digest,
  338. "773ea91e36800e46854db8ebd09181a7"
  339. "2959098b3ef8c122d9635514ced565fe");
  340. /* "Test case 4" from RFC 4231 */
  341. base16_decode(key, 25,
  342. "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
  343. memset(data, 0xcd, 50);
  344. crypto_hmac_sha256(digest, key, 25, data, 50);
  345. test_memeq_hex(digest,
  346. "82558a389a443c0ea4cc819899f2083a"
  347. "85f0faa3e578f8077a2e3ff46729665b");
  348. /* "Test case 5" from RFC 4231 */
  349. memset(key, 0x0c, 20);
  350. crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
  351. test_memeq_hex(digest,
  352. "a3b6167473100ee06e0c796c2955552b");
  353. /* "Test case 6" from RFC 4231 */
  354. memset(key, 0xaa, 131);
  355. crypto_hmac_sha256(digest, key, 131,
  356. "Test Using Larger Than Block-Size Key - Hash Key First",
  357. 54);
  358. test_memeq_hex(digest,
  359. "60e431591ee0b67f0d8a26aacbf5b77f"
  360. "8e0bc6213728c5140546040f0ee37f54");
  361. /* "Test case 7" from RFC 4231 */
  362. memset(key, 0xaa, 131);
  363. crypto_hmac_sha256(digest, key, 131,
  364. "This is a test using a larger than block-size key and a "
  365. "larger than block-size data. The key needs to be hashed "
  366. "before being used by the HMAC algorithm.", 152);
  367. test_memeq_hex(digest,
  368. "9b09ffa71b942fcb27635fbcd5b0e944"
  369. "bfdc63644f0713938a7f51535c3a35e2");
  370. /* Incremental digest code. */
  371. d1 = crypto_digest_new();
  372. tt_assert(d1);
  373. crypto_digest_add_bytes(d1, "abcdef", 6);
  374. d2 = crypto_digest_dup(d1);
  375. tt_assert(d2);
  376. crypto_digest_add_bytes(d2, "ghijkl", 6);
  377. crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
  378. crypto_digest(d_out2, "abcdefghijkl", 12);
  379. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
  380. crypto_digest_assign(d2, d1);
  381. crypto_digest_add_bytes(d2, "mno", 3);
  382. crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
  383. crypto_digest(d_out2, "abcdefmno", 9);
  384. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
  385. crypto_digest_get_digest(d1, d_out1, DIGEST_LEN);
  386. crypto_digest(d_out2, "abcdef", 6);
  387. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
  388. crypto_digest_free(d1);
  389. crypto_digest_free(d2);
  390. /* Incremental digest code with sha256 */
  391. d1 = crypto_digest256_new(DIGEST_SHA256);
  392. tt_assert(d1);
  393. crypto_digest_add_bytes(d1, "abcdef", 6);
  394. d2 = crypto_digest_dup(d1);
  395. tt_assert(d2);
  396. crypto_digest_add_bytes(d2, "ghijkl", 6);
  397. crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
  398. crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
  399. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  400. crypto_digest_assign(d2, d1);
  401. crypto_digest_add_bytes(d2, "mno", 3);
  402. crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
  403. crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
  404. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  405. crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
  406. crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
  407. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  408. crypto_digest_free(d1);
  409. crypto_digest_free(d2);
  410. /* Incremental digest code with sha512 */
  411. d1 = crypto_digest512_new(DIGEST_SHA512);
  412. tt_assert(d1);
  413. crypto_digest_add_bytes(d1, "abcdef", 6);
  414. d2 = crypto_digest_dup(d1);
  415. tt_assert(d2);
  416. crypto_digest_add_bytes(d2, "ghijkl", 6);
  417. crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
  418. crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512);
  419. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  420. crypto_digest_assign(d2, d1);
  421. crypto_digest_add_bytes(d2, "mno", 3);
  422. crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
  423. crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512);
  424. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  425. crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
  426. crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512);
  427. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  428. done:
  429. if (d1)
  430. crypto_digest_free(d1);
  431. if (d2)
  432. crypto_digest_free(d2);
  433. tor_free(mem_op_hex_tmp);
  434. }
  435. static void
  436. test_crypto_sha3(void *arg)
  437. {
  438. crypto_digest_t *d1 = NULL, *d2 = NULL;
  439. int i;
  440. char data[DIGEST512_LEN];
  441. char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
  442. char *mem_op_hex_tmp=NULL;
  443. char *large = NULL;
  444. (void)arg;
  445. /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
  446. *
  447. * NB: The code package's test vectors have length expressed in bits.
  448. */
  449. /* Len = 8, Msg = CC */
  450. const uint8_t keccak_kat_msg8[] = { 0xcc };
  451. i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
  452. test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
  453. "6252BB7CE180B00B582DD9B20AAAD7F0");
  454. tt_int_op(i, OP_EQ, 0);
  455. i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
  456. test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
  457. "C36E2EE0F652AC72E02624FA2E5ADEEC"
  458. "C7DD6BB3580224B4D6138706FC6E8059"
  459. "7B528051230B00621CC2B22999EAA205");
  460. tt_int_op(i, OP_EQ, 0);
  461. /* Len = 24, Msg = 1F877C */
  462. const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
  463. i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3,
  464. DIGEST_SHA3_256);
  465. test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
  466. "C9C966712A501B19D1B6632CCD408EC5");
  467. tt_int_op(i, OP_EQ, 0);
  468. i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3,
  469. DIGEST_SHA3_512);
  470. test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
  471. "1A2F0D0608C3A575163751F002DB30F4"
  472. "0F2F671834B22D208591CFAF1F5ECFE4"
  473. "3C49863A53B3225BDFD7C6591BA7658B");
  474. tt_int_op(i, OP_EQ, 0);
  475. /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
  476. const uint8_t keccak_kat_msg1080[] = {
  477. 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
  478. 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
  479. 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
  480. 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
  481. 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
  482. 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
  483. 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
  484. 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
  485. 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
  486. 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
  487. 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
  488. 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
  489. 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
  490. 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
  491. };
  492. i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135,
  493. DIGEST_SHA3_256);
  494. test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
  495. "BE9B7C736B8059ABFD6779AC35AC81B5");
  496. tt_int_op(i, OP_EQ, 0);
  497. i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135,
  498. DIGEST_SHA3_512);
  499. test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
  500. "CB78696773A212A5F62D02D14E3259D1"
  501. "92A87EBA4407DD83893527331407B6DA"
  502. "DAAD920DBC46489B677493CE5F20B595");
  503. tt_int_op(i, OP_EQ, 0);
  504. /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
  505. const uint8_t keccak_kat_msg1088[] = {
  506. 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
  507. 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
  508. 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
  509. 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
  510. 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
  511. 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
  512. 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
  513. 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
  514. 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
  515. 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
  516. 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
  517. 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
  518. 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
  519. 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
  520. };
  521. i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136,
  522. DIGEST_SHA3_256);
  523. test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
  524. "77B5286364FE16C59CC8A907AFF07732");
  525. tt_int_op(i, OP_EQ, 0);
  526. i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136,
  527. DIGEST_SHA3_512);
  528. test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
  529. "FB94A14C72DE5ACD10D0EB5ECE029CAD"
  530. "FA3BA17A40B2FFA2163991B17786E51C"
  531. "ABA79E5E0FFD34CF085E2A098BE8BACB");
  532. tt_int_op(i, OP_EQ, 0);
  533. /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
  534. const uint8_t keccak_kat_msg1096[] = {
  535. 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
  536. 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
  537. 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
  538. 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
  539. 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
  540. 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
  541. 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
  542. 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
  543. 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
  544. 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
  545. 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
  546. 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
  547. 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
  548. 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
  549. };
  550. i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137,
  551. DIGEST_SHA3_256);
  552. test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
  553. "735E0177279222E7AC0AF8504762FAA0");
  554. tt_int_op(i, OP_EQ, 0);
  555. i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137,
  556. DIGEST_SHA3_512);
  557. test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
  558. "40474041DE83D4A60645A826D7AF1ABE"
  559. "1EEFCB7B74B62CA6A514E5F2697D585B"
  560. "FECECE12931BBE1D4ED7EBF7B0BE660E");
  561. tt_int_op(i, OP_EQ, 0);
  562. /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
  563. const uint8_t keccak_kat_msg1144[] = {
  564. 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
  565. 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
  566. 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
  567. 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
  568. 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
  569. 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
  570. 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
  571. 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
  572. 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
  573. 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
  574. 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
  575. 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
  576. 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
  577. 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
  578. 0xDF, 0xAF, 0xEC,
  579. };
  580. i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143,
  581. DIGEST_SHA3_512);
  582. test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
  583. "605516615D96A062C8BE53A0D6C5A648"
  584. "7BE35D2A8F3CF6620D0C2DBA2C560D68"
  585. "295F284BE7F82F3B92919033C9CE5D80");
  586. tt_int_op(i, OP_EQ, 0);
  587. i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143,
  588. DIGEST_SHA3_256);
  589. test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
  590. "118C0C2C606BDCDA06E7943D2C95E0E5");
  591. tt_int_op(i, OP_EQ, 0);
  592. /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
  593. const uint8_t keccak_kat_msg1152[] = {
  594. 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
  595. 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
  596. 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
  597. 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
  598. 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
  599. 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
  600. 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
  601. 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
  602. 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
  603. 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
  604. 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
  605. 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
  606. 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
  607. 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
  608. 0x9E, 0xE0, 0x0C, 0x63,
  609. };
  610. i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144,
  611. DIGEST_SHA3_512);
  612. test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
  613. "22775DCB6019DCD22B8885994672A088"
  614. "9C69E8115C641DC8B83E39F7311815A1"
  615. "64DC46E0BA2FCA344D86D4BC2EF2532C");
  616. tt_int_op(i, OP_EQ, 0);
  617. i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144,
  618. DIGEST_SHA3_256);
  619. test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
  620. "84DA47678F3C2FFE5A39FDB5F7E63FFB");
  621. tt_int_op(i, OP_EQ, 0);
  622. /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
  623. const uint8_t keccak_kat_msg1160[] = {
  624. 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
  625. 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
  626. 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
  627. 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
  628. 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
  629. 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
  630. 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
  631. 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
  632. 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
  633. 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
  634. 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
  635. 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
  636. 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
  637. 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
  638. 0x70, 0x11, 0x04, 0x4C, 0x53,
  639. };
  640. i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145,
  641. DIGEST_SHA3_512);
  642. test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
  643. "05221AC5EFB1229842E4614F4A029C9B"
  644. "D14A0ED7FD99AF3681429F3F309FDB53"
  645. "166AA9A3CD9F1F1223D04B4A9015E94A");
  646. tt_int_op(i, OP_EQ, 0);
  647. i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145,
  648. DIGEST_SHA3_256);
  649. test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
  650. "3CF6235C6B0B7969342C45A35194B67E");
  651. tt_int_op(i, OP_EQ, 0);
  652. /* SHA3-[256,512] Empty case (wikipedia) */
  653. i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
  654. test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
  655. "f580ff4de43b49fa82d80a4b80f8434a");
  656. tt_int_op(i, OP_EQ, 0);
  657. i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
  658. test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
  659. "97c982164fe25859e0d1dcc1475c80a6"
  660. "15b2123af1f5f94c11e3e9402c3ac558"
  661. "f500199d95b6d3e301758586281dcd26");
  662. tt_int_op(i, OP_EQ, 0);
  663. /* Incremental digest code with SHA3-256 */
  664. d1 = crypto_digest256_new(DIGEST_SHA3_256);
  665. tt_assert(d1);
  666. crypto_digest_add_bytes(d1, "abcdef", 6);
  667. d2 = crypto_digest_dup(d1);
  668. tt_assert(d2);
  669. crypto_digest_add_bytes(d2, "ghijkl", 6);
  670. crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
  671. crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
  672. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  673. crypto_digest_assign(d2, d1);
  674. crypto_digest_add_bytes(d2, "mno", 3);
  675. crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
  676. crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
  677. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  678. crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
  679. crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
  680. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  681. crypto_digest_free(d1);
  682. crypto_digest_free(d2);
  683. /* Incremental digest code with SHA3-512 */
  684. d1 = crypto_digest512_new(DIGEST_SHA3_512);
  685. tt_assert(d1);
  686. crypto_digest_add_bytes(d1, "abcdef", 6);
  687. d2 = crypto_digest_dup(d1);
  688. tt_assert(d2);
  689. crypto_digest_add_bytes(d2, "ghijkl", 6);
  690. crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
  691. crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512);
  692. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  693. crypto_digest_assign(d2, d1);
  694. crypto_digest_add_bytes(d2, "mno", 3);
  695. crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
  696. crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512);
  697. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  698. crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
  699. crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512);
  700. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  701. crypto_digest_free(d1);
  702. /* Attempt to exercise the incremental hashing code by creating a randomized
  703. * 100 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512
  704. * is used because it has a lowest rate of the family (the code is common,
  705. * but the slower rate exercises more of it).
  706. */
  707. const size_t bufsz = 100 * 1024;
  708. size_t j = 0;
  709. large = tor_malloc(bufsz);
  710. crypto_rand(large, bufsz);
  711. d1 = crypto_digest512_new(DIGEST_SHA3_512); /* Running digest. */
  712. while (j < bufsz) {
  713. /* Pick how much data to add to the running digest. */
  714. size_t incr = (size_t)crypto_rand_int_range(1, 72 * 5);
  715. incr = MIN(bufsz - j, incr);
  716. /* Add the data, and calculate the hash. */
  717. crypto_digest_add_bytes(d1, large + j, incr);
  718. crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
  719. /* One-shot hash the buffer up to the data that was just added,
  720. * and ensure that the values match up.
  721. *
  722. * XXX/yawning: If this actually fails, it'll be rather difficult to
  723. * reproduce. Improvements welcome.
  724. */
  725. i = crypto_digest512(d_out2, large, j + incr, DIGEST_SHA3_512);
  726. tt_int_op(i, OP_EQ, 0);
  727. tt_mem_op(d_out1, OP_EQ, d_out2, DIGEST512_LEN);
  728. j += incr;
  729. }
  730. done:
  731. if (d1)
  732. crypto_digest_free(d1);
  733. if (d2)
  734. crypto_digest_free(d2);
  735. tor_free(large);
  736. tor_free(mem_op_hex_tmp);
  737. }
  738. /** Run unit tests for our XOF. */
  739. static void
  740. test_crypto_sha3_xof(void *arg)
  741. {
  742. uint8_t msg[255];
  743. uint8_t out[512];
  744. crypto_xof_t *xof;
  745. char *mem_op_hex_tmp=NULL;
  746. (void)arg;
  747. /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */
  748. base16_decode((char *)msg, 255,
  749. "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431"
  750. "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1"
  751. "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F"
  752. "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457"
  753. "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186"
  754. "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3"
  755. "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565"
  756. "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7"
  757. "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510);
  758. const char *squeezed_hex =
  759. "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE"
  760. "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A"
  761. "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84"
  762. "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF"
  763. "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60"
  764. "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9"
  765. "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34"
  766. "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF"
  767. "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90"
  768. "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC"
  769. "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18"
  770. "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775"
  771. "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B"
  772. "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2"
  773. "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78"
  774. "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9"
  775. "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39"
  776. "73D4";
  777. /* Test oneshot absorb/squeeze. */
  778. xof = crypto_xof_new();
  779. tt_assert(xof);
  780. crypto_xof_add_bytes(xof, msg, sizeof(msg));
  781. crypto_xof_squeeze_bytes(xof, out, sizeof(out));
  782. test_memeq_hex(out, squeezed_hex);
  783. crypto_xof_free(xof);
  784. memset(out, 0, sizeof(out));
  785. /* Test incremental absorb/squeeze. */
  786. xof = crypto_xof_new();
  787. tt_assert(xof);
  788. for (size_t i = 0; i < sizeof(msg); i++)
  789. crypto_xof_add_bytes(xof, msg + i, 1);
  790. for (size_t i = 0; i < sizeof(out); i++)
  791. crypto_xof_squeeze_bytes(xof, out + i, 1);
  792. test_memeq_hex(out, squeezed_hex);
  793. done:
  794. if (xof)
  795. crypto_xof_free(xof);
  796. tor_free(mem_op_hex_tmp);
  797. }
  798. /** Run unit tests for our public key crypto functions */
  799. static void
  800. test_crypto_pk(void *arg)
  801. {
  802. crypto_pk_t *pk1 = NULL, *pk2 = NULL;
  803. char *encoded = NULL;
  804. char data1[1024], data2[1024], data3[1024];
  805. size_t size;
  806. int i, len;
  807. /* Public-key ciphers */
  808. (void)arg;
  809. pk1 = pk_generate(0);
  810. pk2 = crypto_pk_new();
  811. tt_assert(pk1 && pk2);
  812. tt_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size));
  813. tt_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size));
  814. tt_int_op(0,OP_EQ, crypto_pk_cmp_keys(pk1, pk2));
  815. /* comparison between keys and NULL */
  816. tt_int_op(crypto_pk_cmp_keys(NULL, pk1), OP_LT, 0);
  817. tt_int_op(crypto_pk_cmp_keys(NULL, NULL), OP_EQ, 0);
  818. tt_int_op(crypto_pk_cmp_keys(pk1, NULL), OP_GT, 0);
  819. tt_int_op(128,OP_EQ, crypto_pk_keysize(pk1));
  820. tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk1));
  821. tt_int_op(128,OP_EQ, crypto_pk_keysize(pk2));
  822. tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk2));
  823. tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk2, data1, sizeof(data1),
  824. "Hello whirled.", 15,
  825. PK_PKCS1_OAEP_PADDING));
  826. tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk1, data2, sizeof(data1),
  827. "Hello whirled.", 15,
  828. PK_PKCS1_OAEP_PADDING));
  829. /* oaep padding should make encryption not match */
  830. tt_mem_op(data1,OP_NE, data2, 128);
  831. tt_int_op(15,OP_EQ,
  832. crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128,
  833. PK_PKCS1_OAEP_PADDING,1));
  834. tt_str_op(data3,OP_EQ, "Hello whirled.");
  835. memset(data3, 0, 1024);
  836. tt_int_op(15,OP_EQ,
  837. crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
  838. PK_PKCS1_OAEP_PADDING,1));
  839. tt_str_op(data3,OP_EQ, "Hello whirled.");
  840. /* Can't decrypt with public key. */
  841. tt_int_op(-1,OP_EQ,
  842. crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128,
  843. PK_PKCS1_OAEP_PADDING,1));
  844. /* Try again with bad padding */
  845. memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
  846. tt_int_op(-1,OP_EQ,
  847. crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
  848. PK_PKCS1_OAEP_PADDING,1));
  849. /* File operations: save and load private key */
  850. tt_assert(! crypto_pk_write_private_key_to_filename(pk1,
  851. get_fname("pkey1")));
  852. /* failing case for read: can't read. */
  853. tt_assert(crypto_pk_read_private_key_from_filename(pk2,
  854. get_fname("xyzzy")) < 0);
  855. write_str_to_file(get_fname("xyzzy"), "foobar", 6);
  856. /* Failing case for read: no key. */
  857. tt_assert(crypto_pk_read_private_key_from_filename(pk2,
  858. get_fname("xyzzy")) < 0);
  859. tt_assert(! crypto_pk_read_private_key_from_filename(pk2,
  860. get_fname("pkey1")));
  861. tt_int_op(15,OP_EQ,
  862. crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128,
  863. PK_PKCS1_OAEP_PADDING,1));
  864. /* Now try signing. */
  865. strlcpy(data1, "Ossifrage", 1024);
  866. tt_int_op(128,OP_EQ,
  867. crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10));
  868. tt_int_op(10,OP_EQ,
  869. crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
  870. tt_str_op(data3,OP_EQ, "Ossifrage");
  871. /* Try signing digests. */
  872. tt_int_op(128,OP_EQ, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2),
  873. data1, 10));
  874. tt_int_op(20,OP_EQ,
  875. crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
  876. tt_int_op(0,OP_EQ,
  877. crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128));
  878. tt_int_op(-1,OP_EQ,
  879. crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128));
  880. /*XXXX test failed signing*/
  881. /* Try encoding */
  882. crypto_pk_free(pk2);
  883. pk2 = NULL;
  884. i = crypto_pk_asn1_encode(pk1, data1, 1024);
  885. tt_int_op(i, OP_GT, 0);
  886. pk2 = crypto_pk_asn1_decode(data1, i);
  887. tt_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
  888. /* Try with hybrid encryption wrappers. */
  889. crypto_rand(data1, 1024);
  890. for (i = 85; i < 140; ++i) {
  891. memset(data2,0,1024);
  892. memset(data3,0,1024);
  893. len = crypto_pk_public_hybrid_encrypt(pk1,data2,sizeof(data2),
  894. data1,i,PK_PKCS1_OAEP_PADDING,0);
  895. tt_int_op(len, OP_GE, 0);
  896. len = crypto_pk_private_hybrid_decrypt(pk1,data3,sizeof(data3),
  897. data2,len,PK_PKCS1_OAEP_PADDING,1);
  898. tt_int_op(len,OP_EQ, i);
  899. tt_mem_op(data1,OP_EQ, data3,i);
  900. }
  901. /* Try copy_full */
  902. crypto_pk_free(pk2);
  903. pk2 = crypto_pk_copy_full(pk1);
  904. tt_assert(pk2 != NULL);
  905. tt_ptr_op(pk1, OP_NE, pk2);
  906. tt_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
  907. done:
  908. if (pk1)
  909. crypto_pk_free(pk1);
  910. if (pk2)
  911. crypto_pk_free(pk2);
  912. tor_free(encoded);
  913. }
  914. static void
  915. test_crypto_pk_fingerprints(void *arg)
  916. {
  917. crypto_pk_t *pk = NULL;
  918. char encoded[512];
  919. char d[DIGEST_LEN], d2[DIGEST_LEN];
  920. char fingerprint[FINGERPRINT_LEN+1];
  921. int n;
  922. unsigned i;
  923. char *mem_op_hex_tmp=NULL;
  924. (void)arg;
  925. pk = pk_generate(1);
  926. tt_assert(pk);
  927. n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded));
  928. tt_int_op(n, OP_GT, 0);
  929. tt_int_op(n, OP_GT, 128);
  930. tt_int_op(n, OP_LT, 256);
  931. /* Is digest as expected? */
  932. crypto_digest(d, encoded, n);
  933. tt_int_op(0, OP_EQ, crypto_pk_get_digest(pk, d2));
  934. tt_mem_op(d,OP_EQ, d2, DIGEST_LEN);
  935. /* Is fingerprint right? */
  936. tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 0));
  937. tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
  938. test_memeq_hex(d, fingerprint);
  939. /* Are spaces right? */
  940. tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 1));
  941. for (i = 4; i < strlen(fingerprint); i += 5) {
  942. tt_int_op(fingerprint[i], OP_EQ, ' ');
  943. }
  944. tor_strstrip(fingerprint, " ");
  945. tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
  946. test_memeq_hex(d, fingerprint);
  947. /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
  948. crypto_digest(d2, d, sizeof(d));
  949. tt_int_op(0, OP_EQ, crypto_pk_get_hashed_fingerprint(pk, fingerprint));
  950. tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
  951. test_memeq_hex(d2, fingerprint);
  952. done:
  953. crypto_pk_free(pk);
  954. tor_free(mem_op_hex_tmp);
  955. }
  956. static void
  957. test_crypto_pk_base64(void *arg)
  958. {
  959. crypto_pk_t *pk1 = NULL;
  960. crypto_pk_t *pk2 = NULL;
  961. char *encoded = NULL;
  962. (void)arg;
  963. /* Test Base64 encoding a key. */
  964. pk1 = pk_generate(0);
  965. tt_assert(pk1);
  966. tt_int_op(0, OP_EQ, crypto_pk_base64_encode(pk1, &encoded));
  967. tt_assert(encoded);
  968. /* Test decoding a valid key. */
  969. pk2 = crypto_pk_base64_decode(encoded, strlen(encoded));
  970. tt_assert(pk2);
  971. tt_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
  972. crypto_pk_free(pk2);
  973. /* Test decoding a invalid key (not Base64). */
  974. static const char *invalid_b64 = "The key is in another castle!";
  975. pk2 = crypto_pk_base64_decode(invalid_b64, strlen(invalid_b64));
  976. tt_assert(!pk2);
  977. /* Test decoding a truncated Base64 blob. */
  978. pk2 = crypto_pk_base64_decode(encoded, strlen(encoded)/2);
  979. tt_assert(!pk2);
  980. done:
  981. crypto_pk_free(pk1);
  982. crypto_pk_free(pk2);
  983. tor_free(encoded);
  984. }
  985. /** Sanity check for crypto pk digests */
  986. static void
  987. test_crypto_digests(void *arg)
  988. {
  989. crypto_pk_t *k = NULL;
  990. ssize_t r;
  991. common_digests_t pkey_digests;
  992. char digest[DIGEST_LEN];
  993. (void)arg;
  994. k = crypto_pk_new();
  995. tt_assert(k);
  996. r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3, -1);
  997. tt_assert(!r);
  998. r = crypto_pk_get_digest(k, digest);
  999. tt_assert(r == 0);
  1000. tt_mem_op(hex_str(digest, DIGEST_LEN),OP_EQ,
  1001. AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
  1002. r = crypto_pk_get_common_digests(k, &pkey_digests);
  1003. tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),OP_EQ,
  1004. AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
  1005. tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),OP_EQ,
  1006. AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN);
  1007. done:
  1008. crypto_pk_free(k);
  1009. }
  1010. #ifndef OPENSSL_1_1_API
  1011. #define EVP_ENCODE_CTX_new() tor_malloc_zero(sizeof(EVP_ENCODE_CTX))
  1012. #define EVP_ENCODE_CTX_free(ctx) tor_free(ctx)
  1013. #endif
  1014. /** Encode src into dest with OpenSSL's EVP Encode interface, returning the
  1015. * length of the encoded data in bytes.
  1016. */
  1017. static int
  1018. base64_encode_evp(char *dest, char *src, size_t srclen)
  1019. {
  1020. const unsigned char *s = (unsigned char*)src;
  1021. EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
  1022. int len, ret;
  1023. EVP_EncodeInit(ctx);
  1024. EVP_EncodeUpdate(ctx, (unsigned char *)dest, &len, s, (int)srclen);
  1025. EVP_EncodeFinal(ctx, (unsigned char *)(dest + len), &ret);
  1026. EVP_ENCODE_CTX_free(ctx);
  1027. return ret+ len;
  1028. }
  1029. /** Run unit tests for misc crypto formatting functionality (base64, base32,
  1030. * fingerprints, etc) */
  1031. static void
  1032. test_crypto_formats(void *arg)
  1033. {
  1034. char *data1 = NULL, *data2 = NULL, *data3 = NULL;
  1035. int i, j, idx;
  1036. (void)arg;
  1037. data1 = tor_malloc(1024);
  1038. data2 = tor_malloc(1024);
  1039. data3 = tor_malloc(1024);
  1040. tt_assert(data1 && data2 && data3);
  1041. /* Base64 tests */
  1042. memset(data1, 6, 1024);
  1043. for (idx = 0; idx < 10; ++idx) {
  1044. i = base64_encode(data2, 1024, data1, idx, 0);
  1045. tt_int_op(i, OP_GE, 0);
  1046. tt_int_op(i, OP_EQ, strlen(data2));
  1047. j = base64_decode(data3, 1024, data2, i);
  1048. tt_int_op(j,OP_EQ, idx);
  1049. tt_mem_op(data3,OP_EQ, data1, idx);
  1050. i = base64_encode_nopad(data2, 1024, (uint8_t*)data1, idx);
  1051. tt_int_op(i, OP_GE, 0);
  1052. tt_int_op(i, OP_EQ, strlen(data2));
  1053. tt_assert(! strchr(data2, '='));
  1054. j = base64_decode_nopad((uint8_t*)data3, 1024, data2, i);
  1055. tt_int_op(j, OP_EQ, idx);
  1056. tt_mem_op(data3,OP_EQ, data1, idx);
  1057. }
  1058. strlcpy(data1, "Test string that contains 35 chars.", 1024);
  1059. strlcat(data1, " 2nd string that contains 35 chars.", 1024);
  1060. i = base64_encode(data2, 1024, data1, 71, 0);
  1061. tt_int_op(i, OP_GE, 0);
  1062. j = base64_decode(data3, 1024, data2, i);
  1063. tt_int_op(j,OP_EQ, 71);
  1064. tt_str_op(data3,OP_EQ, data1);
  1065. tt_int_op(data2[i], OP_EQ, '\0');
  1066. crypto_rand(data1, DIGEST_LEN);
  1067. memset(data2, 100, 1024);
  1068. digest_to_base64(data2, data1);
  1069. tt_int_op(BASE64_DIGEST_LEN,OP_EQ, strlen(data2));
  1070. tt_int_op(100,OP_EQ, data2[BASE64_DIGEST_LEN+2]);
  1071. memset(data3, 99, 1024);
  1072. tt_int_op(digest_from_base64(data3, data2),OP_EQ, 0);
  1073. tt_mem_op(data1,OP_EQ, data3, DIGEST_LEN);
  1074. tt_int_op(99,OP_EQ, data3[DIGEST_LEN+1]);
  1075. tt_assert(digest_from_base64(data3, "###") < 0);
  1076. for (i = 0; i < 256; i++) {
  1077. /* Test the multiline format Base64 encoder with 0 .. 256 bytes of
  1078. * output against OpenSSL.
  1079. */
  1080. const size_t enclen = base64_encode_size(i, BASE64_ENCODE_MULTILINE);
  1081. data1[i] = i;
  1082. j = base64_encode(data2, 1024, data1, i, BASE64_ENCODE_MULTILINE);
  1083. tt_int_op(j, OP_EQ, enclen);
  1084. j = base64_encode_evp(data3, data1, i);
  1085. tt_int_op(j, OP_EQ, enclen);
  1086. tt_mem_op(data2, OP_EQ, data3, enclen);
  1087. tt_int_op(j, OP_EQ, strlen(data2));
  1088. }
  1089. /* Encoding SHA256 */
  1090. crypto_rand(data2, DIGEST256_LEN);
  1091. memset(data2, 100, 1024);
  1092. digest256_to_base64(data2, data1);
  1093. tt_int_op(BASE64_DIGEST256_LEN,OP_EQ, strlen(data2));
  1094. tt_int_op(100,OP_EQ, data2[BASE64_DIGEST256_LEN+2]);
  1095. memset(data3, 99, 1024);
  1096. tt_int_op(digest256_from_base64(data3, data2),OP_EQ, 0);
  1097. tt_mem_op(data1,OP_EQ, data3, DIGEST256_LEN);
  1098. tt_int_op(99,OP_EQ, data3[DIGEST256_LEN+1]);
  1099. /* Base32 tests */
  1100. strlcpy(data1, "5chrs", 1024);
  1101. /* bit pattern is: [35 63 68 72 73] ->
  1102. * [00110101 01100011 01101000 01110010 01110011]
  1103. * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
  1104. */
  1105. base32_encode(data2, 9, data1, 5);
  1106. tt_str_op(data2,OP_EQ, "gvrwq4tt");
  1107. strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
  1108. base32_encode(data2, 30, data1, 10);
  1109. tt_str_op(data2,OP_EQ, "772w2rfobvomsywe");
  1110. /* Base16 tests */
  1111. strlcpy(data1, "6chrs\xff", 1024);
  1112. base16_encode(data2, 13, data1, 6);
  1113. tt_str_op(data2,OP_EQ, "3663687273FF");
  1114. strlcpy(data1, "f0d678affc000100", 1024);
  1115. i = base16_decode(data2, 8, data1, 16);
  1116. tt_int_op(i,OP_EQ, 0);
  1117. tt_mem_op(data2,OP_EQ, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
  1118. /* now try some failing base16 decodes */
  1119. tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 15)); /* odd input len */
  1120. tt_int_op(-1,OP_EQ, base16_decode(data2, 7, data1, 16)); /* dest too short */
  1121. strlcpy(data1, "f0dz!8affc000100", 1024);
  1122. tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 16));
  1123. tor_free(data1);
  1124. tor_free(data2);
  1125. tor_free(data3);
  1126. /* Add spaces to fingerprint */
  1127. {
  1128. data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
  1129. tt_int_op(strlen(data1),OP_EQ, 40);
  1130. data2 = tor_malloc(FINGERPRINT_LEN+1);
  1131. crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1);
  1132. tt_str_op(data2, OP_EQ,
  1133. "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
  1134. tor_free(data1);
  1135. tor_free(data2);
  1136. }
  1137. done:
  1138. tor_free(data1);
  1139. tor_free(data2);
  1140. tor_free(data3);
  1141. }
  1142. /** Test AES-CTR encryption and decryption with IV. */
  1143. static void
  1144. test_crypto_aes_iv(void *arg)
  1145. {
  1146. char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2;
  1147. char plain_1[1], plain_15[15], plain_16[16], plain_17[17];
  1148. char key1[16], key2[16];
  1149. ssize_t encrypted_size, decrypted_size;
  1150. int use_evp = !strcmp(arg,"evp");
  1151. evaluate_evp_for_aes(use_evp);
  1152. plain = tor_malloc(4095);
  1153. encrypted1 = tor_malloc(4095 + 1 + 16);
  1154. encrypted2 = tor_malloc(4095 + 1 + 16);
  1155. decrypted1 = tor_malloc(4095 + 1);
  1156. decrypted2 = tor_malloc(4095 + 1);
  1157. crypto_rand(plain, 4095);
  1158. crypto_rand(key1, 16);
  1159. crypto_rand(key2, 16);
  1160. crypto_rand(plain_1, 1);
  1161. crypto_rand(plain_15, 15);
  1162. crypto_rand(plain_16, 16);
  1163. crypto_rand(plain_17, 17);
  1164. key1[0] = key2[0] + 128; /* Make sure that contents are different. */
  1165. /* Encrypt and decrypt with the same key. */
  1166. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095,
  1167. plain, 4095);
  1168. tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
  1169. tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is
  1170. * greater than 0, but its truth is not
  1171. * obvious to all analysis tools. */
  1172. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
  1173. encrypted1, encrypted_size);
  1174. tt_int_op(decrypted_size,OP_EQ, 4095);
  1175. tt_assert(decrypted_size > 0);
  1176. tt_mem_op(plain,OP_EQ, decrypted1, 4095);
  1177. /* Encrypt a second time (with a new random initialization vector). */
  1178. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095,
  1179. plain, 4095);
  1180. tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
  1181. tt_assert(encrypted_size > 0);
  1182. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095,
  1183. encrypted2, encrypted_size);
  1184. tt_int_op(decrypted_size,OP_EQ, 4095);
  1185. tt_assert(decrypted_size > 0);
  1186. tt_mem_op(plain,OP_EQ, decrypted2, 4095);
  1187. tt_mem_op(encrypted1,OP_NE, encrypted2, encrypted_size);
  1188. /* Decrypt with the wrong key. */
  1189. decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095,
  1190. encrypted1, encrypted_size);
  1191. tt_int_op(decrypted_size,OP_EQ, 4095);
  1192. tt_mem_op(plain,OP_NE, decrypted2, decrypted_size);
  1193. /* Alter the initialization vector. */
  1194. encrypted1[0] += 42;
  1195. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
  1196. encrypted1, encrypted_size);
  1197. tt_int_op(decrypted_size,OP_EQ, 4095);
  1198. tt_mem_op(plain,OP_NE, decrypted2, 4095);
  1199. /* Special length case: 1. */
  1200. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1,
  1201. plain_1, 1);
  1202. tt_int_op(encrypted_size,OP_EQ, 16 + 1);
  1203. tt_assert(encrypted_size > 0);
  1204. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1,
  1205. encrypted1, encrypted_size);
  1206. tt_int_op(decrypted_size,OP_EQ, 1);
  1207. tt_assert(decrypted_size > 0);
  1208. tt_mem_op(plain_1,OP_EQ, decrypted1, 1);
  1209. /* Special length case: 15. */
  1210. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15,
  1211. plain_15, 15);
  1212. tt_int_op(encrypted_size,OP_EQ, 16 + 15);
  1213. tt_assert(encrypted_size > 0);
  1214. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15,
  1215. encrypted1, encrypted_size);
  1216. tt_int_op(decrypted_size,OP_EQ, 15);
  1217. tt_assert(decrypted_size > 0);
  1218. tt_mem_op(plain_15,OP_EQ, decrypted1, 15);
  1219. /* Special length case: 16. */
  1220. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16,
  1221. plain_16, 16);
  1222. tt_int_op(encrypted_size,OP_EQ, 16 + 16);
  1223. tt_assert(encrypted_size > 0);
  1224. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16,
  1225. encrypted1, encrypted_size);
  1226. tt_int_op(decrypted_size,OP_EQ, 16);
  1227. tt_assert(decrypted_size > 0);
  1228. tt_mem_op(plain_16,OP_EQ, decrypted1, 16);
  1229. /* Special length case: 17. */
  1230. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17,
  1231. plain_17, 17);
  1232. tt_int_op(encrypted_size,OP_EQ, 16 + 17);
  1233. tt_assert(encrypted_size > 0);
  1234. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17,
  1235. encrypted1, encrypted_size);
  1236. tt_int_op(decrypted_size,OP_EQ, 17);
  1237. tt_assert(decrypted_size > 0);
  1238. tt_mem_op(plain_17,OP_EQ, decrypted1, 17);
  1239. done:
  1240. /* Free memory. */
  1241. tor_free(plain);
  1242. tor_free(encrypted1);
  1243. tor_free(encrypted2);
  1244. tor_free(decrypted1);
  1245. tor_free(decrypted2);
  1246. }
  1247. /** Test base32 decoding. */
  1248. static void
  1249. test_crypto_base32_decode(void *arg)
  1250. {
  1251. char plain[60], encoded[96 + 1], decoded[60];
  1252. int res;
  1253. (void)arg;
  1254. crypto_rand(plain, 60);
  1255. /* Encode and decode a random string. */
  1256. base32_encode(encoded, 96 + 1, plain, 60);
  1257. res = base32_decode(decoded, 60, encoded, 96);
  1258. tt_int_op(res,OP_EQ, 0);
  1259. tt_mem_op(plain,OP_EQ, decoded, 60);
  1260. /* Encode, uppercase, and decode a random string. */
  1261. base32_encode(encoded, 96 + 1, plain, 60);
  1262. tor_strupper(encoded);
  1263. res = base32_decode(decoded, 60, encoded, 96);
  1264. tt_int_op(res,OP_EQ, 0);
  1265. tt_mem_op(plain,OP_EQ, decoded, 60);
  1266. /* Change encoded string and decode. */
  1267. if (encoded[0] == 'A' || encoded[0] == 'a')
  1268. encoded[0] = 'B';
  1269. else
  1270. encoded[0] = 'A';
  1271. res = base32_decode(decoded, 60, encoded, 96);
  1272. tt_int_op(res,OP_EQ, 0);
  1273. tt_mem_op(plain,OP_NE, decoded, 60);
  1274. /* Bad encodings. */
  1275. encoded[0] = '!';
  1276. res = base32_decode(decoded, 60, encoded, 96);
  1277. tt_int_op(0, OP_GT, res);
  1278. done:
  1279. ;
  1280. }
  1281. static void
  1282. test_crypto_kdf_TAP(void *arg)
  1283. {
  1284. uint8_t key_material[100];
  1285. int r;
  1286. char *mem_op_hex_tmp = NULL;
  1287. (void)arg;
  1288. #define EXPAND(s) \
  1289. r = crypto_expand_key_material_TAP( \
  1290. (const uint8_t*)(s), strlen(s), \
  1291. key_material, 100)
  1292. /* Test vectors generated with a little python script; feel free to write
  1293. * your own. */
  1294. memset(key_material, 0, sizeof(key_material));
  1295. EXPAND("");
  1296. tt_int_op(r, OP_EQ, 0);
  1297. test_memeq_hex(key_material,
  1298. "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
  1299. "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
  1300. "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
  1301. "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
  1302. EXPAND("Tor");
  1303. tt_int_op(r, OP_EQ, 0);
  1304. test_memeq_hex(key_material,
  1305. "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
  1306. "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
  1307. "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
  1308. "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
  1309. EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
  1310. tt_int_op(r, OP_EQ, 0);
  1311. test_memeq_hex(key_material,
  1312. "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
  1313. "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
  1314. "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
  1315. "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
  1316. done:
  1317. tor_free(mem_op_hex_tmp);
  1318. #undef EXPAND
  1319. }
  1320. static void
  1321. test_crypto_hkdf_sha256(void *arg)
  1322. {
  1323. uint8_t key_material[100];
  1324. const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract";
  1325. const size_t salt_len = strlen((char*)salt);
  1326. const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand";
  1327. const size_t m_expand_len = strlen((char*)m_expand);
  1328. int r;
  1329. char *mem_op_hex_tmp = NULL;
  1330. (void)arg;
  1331. #define EXPAND(s) \
  1332. r = crypto_expand_key_material_rfc5869_sha256( \
  1333. (const uint8_t*)(s), strlen(s), \
  1334. salt, salt_len, \
  1335. m_expand, m_expand_len, \
  1336. key_material, 100)
  1337. /* Test vectors generated with ntor_ref.py */
  1338. memset(key_material, 0, sizeof(key_material));
  1339. EXPAND("");
  1340. tt_int_op(r, OP_EQ, 0);
  1341. test_memeq_hex(key_material,
  1342. "d3490ed48b12a48f9547861583573fe3f19aafe3f81dc7fc75"
  1343. "eeed96d741b3290f941576c1f9f0b2d463d1ec7ab2c6bf71cd"
  1344. "d7f826c6298c00dbfe6711635d7005f0269493edf6046cc7e7"
  1345. "dcf6abe0d20c77cf363e8ffe358927817a3d3e73712cee28d8");
  1346. EXPAND("Tor");
  1347. tt_int_op(r, OP_EQ, 0);
  1348. test_memeq_hex(key_material,
  1349. "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
  1350. "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
  1351. "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
  1352. "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
  1353. EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
  1354. tt_int_op(r, OP_EQ, 0);
  1355. test_memeq_hex(key_material,
  1356. "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
  1357. "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
  1358. "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
  1359. "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
  1360. done:
  1361. tor_free(mem_op_hex_tmp);
  1362. #undef EXPAND
  1363. }
  1364. static void
  1365. test_crypto_curve25519_impl(void *arg)
  1366. {
  1367. /* adapted from curve25519_donna, which adapted it from test-curve25519
  1368. version 20050915, by D. J. Bernstein, Public domain. */
  1369. const int randomize_high_bit = (arg != NULL);
  1370. #ifdef SLOW_CURVE25519_TEST
  1371. const int loop_max=10000;
  1372. const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5"
  1373. "7e0329f4dd2819f5f32d130f1296b500";
  1374. const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9"
  1375. "e0544770bc7de853b38f9100489e3e79";
  1376. const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88"
  1377. "bd13861475516bc2cd2b6e005e805064";
  1378. #else
  1379. const int loop_max=200;
  1380. const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3"
  1381. "c6a1037d74cceb3712e9206871dcf654";
  1382. const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
  1383. "8e3ee1a63c7d14274ea5d4c67f065467";
  1384. const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e"
  1385. "c0ee98cb2257a4545c0cfb2ca3e1812b";
  1386. #endif
  1387. unsigned char e1k[32];
  1388. unsigned char e2k[32];
  1389. unsigned char e1e2k[32];
  1390. unsigned char e2e1k[32];
  1391. unsigned char e1[32] = {3};
  1392. unsigned char e2[32] = {5};
  1393. unsigned char k[32] = {9};
  1394. int loop, i;
  1395. char *mem_op_hex_tmp = NULL;
  1396. for (loop = 0; loop < loop_max; ++loop) {
  1397. curve25519_impl(e1k,e1,k);
  1398. curve25519_impl(e2e1k,e2,e1k);
  1399. curve25519_impl(e2k,e2,k);
  1400. if (randomize_high_bit) {
  1401. /* We require that the high bit of the public key be ignored. So if
  1402. * we're doing this variant test, we randomize the high bit of e2k, and
  1403. * make sure that the handshake still works out the same as it would
  1404. * otherwise. */
  1405. uint8_t byte;
  1406. crypto_rand((char*)&byte, 1);
  1407. e2k[31] |= (byte & 0x80);
  1408. }
  1409. curve25519_impl(e1e2k,e1,e2k);
  1410. tt_mem_op(e1e2k,OP_EQ, e2e1k, 32);
  1411. if (loop == loop_max-1) {
  1412. break;
  1413. }
  1414. for (i = 0;i < 32;++i) e1[i] ^= e2k[i];
  1415. for (i = 0;i < 32;++i) e2[i] ^= e1k[i];
  1416. for (i = 0;i < 32;++i) k[i] ^= e1e2k[i];
  1417. }
  1418. test_memeq_hex(e1, e1_expected);
  1419. test_memeq_hex(e2k, e2k_expected);
  1420. test_memeq_hex(e1e2k, e1e2k_expected);
  1421. done:
  1422. tor_free(mem_op_hex_tmp);
  1423. }
  1424. static void
  1425. test_crypto_curve25519_basepoint(void *arg)
  1426. {
  1427. uint8_t secret[32];
  1428. uint8_t public1[32];
  1429. uint8_t public2[32];
  1430. const int iters = 2048;
  1431. int i;
  1432. (void) arg;
  1433. for (i = 0; i < iters; ++i) {
  1434. crypto_rand((char*)secret, 32);
  1435. curve25519_set_impl_params(1); /* Use optimization */
  1436. curve25519_basepoint_impl(public1, secret);
  1437. curve25519_set_impl_params(0); /* Disable optimization */
  1438. curve25519_basepoint_impl(public2, secret);
  1439. tt_mem_op(public1, OP_EQ, public2, 32);
  1440. }
  1441. done:
  1442. ;
  1443. }
  1444. static void
  1445. test_crypto_curve25519_wrappers(void *arg)
  1446. {
  1447. curve25519_public_key_t pubkey1, pubkey2;
  1448. curve25519_secret_key_t seckey1, seckey2;
  1449. uint8_t output1[CURVE25519_OUTPUT_LEN];
  1450. uint8_t output2[CURVE25519_OUTPUT_LEN];
  1451. (void)arg;
  1452. /* Test a simple handshake, serializing and deserializing some stuff. */
  1453. curve25519_secret_key_generate(&seckey1, 0);
  1454. curve25519_secret_key_generate(&seckey2, 1);
  1455. curve25519_public_key_generate(&pubkey1, &seckey1);
  1456. curve25519_public_key_generate(&pubkey2, &seckey2);
  1457. tt_assert(curve25519_public_key_is_ok(&pubkey1));
  1458. tt_assert(curve25519_public_key_is_ok(&pubkey2));
  1459. curve25519_handshake(output1, &seckey1, &pubkey2);
  1460. curve25519_handshake(output2, &seckey2, &pubkey1);
  1461. tt_mem_op(output1,OP_EQ, output2, sizeof(output1));
  1462. done:
  1463. ;
  1464. }
  1465. static void
  1466. test_crypto_curve25519_encode(void *arg)
  1467. {
  1468. curve25519_secret_key_t seckey;
  1469. curve25519_public_key_t key1, key2, key3;
  1470. char buf[64];
  1471. (void)arg;
  1472. curve25519_secret_key_generate(&seckey, 0);
  1473. curve25519_public_key_generate(&key1, &seckey);
  1474. tt_int_op(0, OP_EQ, curve25519_public_to_base64(buf, &key1));
  1475. tt_int_op(CURVE25519_BASE64_PADDED_LEN, OP_EQ, strlen(buf));
  1476. tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key2, buf));
  1477. tt_mem_op(key1.public_key,OP_EQ, key2.public_key, CURVE25519_PUBKEY_LEN);
  1478. buf[CURVE25519_BASE64_PADDED_LEN - 1] = '\0';
  1479. tt_int_op(CURVE25519_BASE64_PADDED_LEN-1, OP_EQ, strlen(buf));
  1480. tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key3, buf));
  1481. tt_mem_op(key1.public_key,OP_EQ, key3.public_key, CURVE25519_PUBKEY_LEN);
  1482. /* Now try bogus parses. */
  1483. strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf));
  1484. tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
  1485. strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf));
  1486. tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
  1487. strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf));
  1488. tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
  1489. done:
  1490. ;
  1491. }
  1492. static void
  1493. test_crypto_curve25519_persist(void *arg)
  1494. {
  1495. curve25519_keypair_t keypair, keypair2;
  1496. char *fname = tor_strdup(get_fname("curve25519_keypair"));
  1497. char *tag = NULL;
  1498. char *content = NULL;
  1499. const char *cp;
  1500. struct stat st;
  1501. size_t taglen;
  1502. (void)arg;
  1503. tt_int_op(0,OP_EQ,curve25519_keypair_generate(&keypair, 0));
  1504. tt_int_op(0,OP_EQ,
  1505. curve25519_keypair_write_to_file(&keypair, fname, "testing"));
  1506. tt_int_op(0,OP_EQ,curve25519_keypair_read_from_file(&keypair2, &tag, fname));
  1507. tt_str_op(tag,OP_EQ,"testing");
  1508. tor_free(tag);
  1509. tt_mem_op(keypair.pubkey.public_key,OP_EQ,
  1510. keypair2.pubkey.public_key,
  1511. CURVE25519_PUBKEY_LEN);
  1512. tt_mem_op(keypair.seckey.secret_key,OP_EQ,
  1513. keypair2.seckey.secret_key,
  1514. CURVE25519_SECKEY_LEN);
  1515. content = read_file_to_str(fname, RFTS_BIN, &st);
  1516. tt_assert(content);
  1517. taglen = strlen("== c25519v1: testing ==");
  1518. tt_u64_op((uint64_t)st.st_size, OP_EQ,
  1519. 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN);
  1520. tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen));
  1521. tt_assert(tor_mem_is_zero(content+taglen, 32-taglen));
  1522. cp = content + 32;
  1523. tt_mem_op(keypair.seckey.secret_key,OP_EQ,
  1524. cp,
  1525. CURVE25519_SECKEY_LEN);
  1526. cp += CURVE25519_SECKEY_LEN;
  1527. tt_mem_op(keypair.pubkey.public_key,OP_EQ,
  1528. cp,
  1529. CURVE25519_SECKEY_LEN);
  1530. tor_free(fname);
  1531. fname = tor_strdup(get_fname("bogus_keypair"));
  1532. tt_int_op(-1, OP_EQ,
  1533. curve25519_keypair_read_from_file(&keypair2, &tag, fname));
  1534. tor_free(tag);
  1535. content[69] ^= 0xff;
  1536. tt_int_op(0, OP_EQ,
  1537. write_bytes_to_file(fname, content, (size_t)st.st_size, 1));
  1538. tt_int_op(-1, OP_EQ,
  1539. curve25519_keypair_read_from_file(&keypair2, &tag, fname));
  1540. done:
  1541. tor_free(fname);
  1542. tor_free(content);
  1543. tor_free(tag);
  1544. }
  1545. static void *
  1546. ed25519_testcase_setup(const struct testcase_t *testcase)
  1547. {
  1548. crypto_ed25519_testing_force_impl(testcase->setup_data);
  1549. return testcase->setup_data;
  1550. }
  1551. static int
  1552. ed25519_testcase_cleanup(const struct testcase_t *testcase, void *ptr)
  1553. {
  1554. (void)testcase;
  1555. (void)ptr;
  1556. crypto_ed25519_testing_restore_impl();
  1557. return 1;
  1558. }
  1559. static const struct testcase_setup_t ed25519_test_setup = {
  1560. ed25519_testcase_setup, ed25519_testcase_cleanup
  1561. };
  1562. static void
  1563. test_crypto_ed25519_simple(void *arg)
  1564. {
  1565. ed25519_keypair_t kp1, kp2;
  1566. ed25519_public_key_t pub1, pub2;
  1567. ed25519_secret_key_t sec1, sec2;
  1568. ed25519_signature_t sig1, sig2;
  1569. const uint8_t msg[] =
  1570. "GNU will be able to run Unix programs, "
  1571. "but will not be identical to Unix.";
  1572. const uint8_t msg2[] =
  1573. "Microsoft Windows extends the features of the DOS operating system, "
  1574. "yet is compatible with most existing applications that run under DOS.";
  1575. size_t msg_len = strlen((const char*)msg);
  1576. size_t msg2_len = strlen((const char*)msg2);
  1577. (void)arg;
  1578. tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec1, 0));
  1579. tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec2, 1));
  1580. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub1, &sec1));
  1581. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec1));
  1582. tt_mem_op(pub1.pubkey, OP_EQ, pub2.pubkey, sizeof(pub1.pubkey));
  1583. tt_assert(ed25519_pubkey_eq(&pub1, &pub2));
  1584. tt_assert(ed25519_pubkey_eq(&pub1, &pub1));
  1585. memcpy(&kp1.pubkey, &pub1, sizeof(pub1));
  1586. memcpy(&kp1.seckey, &sec1, sizeof(sec1));
  1587. tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp1));
  1588. tt_int_op(0, OP_EQ, ed25519_sign(&sig2, msg, msg_len, &kp1));
  1589. /* Ed25519 signatures are deterministic */
  1590. tt_mem_op(sig1.sig, OP_EQ, sig2.sig, sizeof(sig1.sig));
  1591. /* Basic signature is valid. */
  1592. tt_int_op(0, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
  1593. /* Altered signature doesn't work. */
  1594. sig1.sig[0] ^= 3;
  1595. tt_int_op(-1, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
  1596. /* Wrong public key doesn't work. */
  1597. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec2));
  1598. tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub2));
  1599. tt_assert(! ed25519_pubkey_eq(&pub1, &pub2));
  1600. /* Wrong message doesn't work. */
  1601. tt_int_op(0, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub1));
  1602. tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len-1, &pub1));
  1603. tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg2, msg2_len, &pub1));
  1604. /* Batch signature checking works with some bad. */
  1605. tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp2, 0));
  1606. tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp2));
  1607. {
  1608. ed25519_checkable_t ch[] = {
  1609. { &pub1, sig2, msg, msg_len }, /*ok*/
  1610. { &pub1, sig2, msg, msg_len-1 }, /*bad*/
  1611. { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/
  1612. { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
  1613. };
  1614. int okay[4];
  1615. tt_int_op(-2, OP_EQ, ed25519_checksig_batch(okay, ch, 4));
  1616. tt_int_op(okay[0], OP_EQ, 1);
  1617. tt_int_op(okay[1], OP_EQ, 0);
  1618. tt_int_op(okay[2], OP_EQ, 0);
  1619. tt_int_op(okay[3], OP_EQ, 1);
  1620. tt_int_op(-2, OP_EQ, ed25519_checksig_batch(NULL, ch, 4));
  1621. }
  1622. /* Batch signature checking works with all good. */
  1623. {
  1624. ed25519_checkable_t ch[] = {
  1625. { &pub1, sig2, msg, msg_len }, /*ok*/
  1626. { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
  1627. };
  1628. int okay[2];
  1629. tt_int_op(0, OP_EQ, ed25519_checksig_batch(okay, ch, 2));
  1630. tt_int_op(okay[0], OP_EQ, 1);
  1631. tt_int_op(okay[1], OP_EQ, 1);
  1632. tt_int_op(0, OP_EQ, ed25519_checksig_batch(NULL, ch, 2));
  1633. }
  1634. done:
  1635. ;
  1636. }
  1637. static void
  1638. test_crypto_ed25519_test_vectors(void *arg)
  1639. {
  1640. char *mem_op_hex_tmp=NULL;
  1641. int i;
  1642. struct {
  1643. const char *sk;
  1644. const char *pk;
  1645. const char *sig;
  1646. const char *msg;
  1647. } items[] = {
  1648. /* These test vectors were generated with the "ref" implementation of
  1649. * ed25519 from SUPERCOP-20130419 */
  1650. { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
  1651. "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
  1652. "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
  1653. "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
  1654. "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
  1655. "204e554c2d7465726d696e617465642e"
  1656. },
  1657. { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
  1658. "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
  1659. "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
  1660. "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
  1661. "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
  1662. "204e554c2d7465726d696e617465642e"
  1663. },
  1664. { "6578706f73656420627920456e676c697368207465787420617320696e707574",
  1665. "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
  1666. "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
  1667. "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
  1668. "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
  1669. "204e554c2d7465726d696e617465642e"
  1670. },
  1671. /* These come from "sign.input" in ed25519's page */
  1672. { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
  1673. "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
  1674. "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
  1675. "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
  1676. "5a8d9d0a22357e6655f9c785"
  1677. },
  1678. { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
  1679. "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
  1680. "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
  1681. "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
  1682. "b87d3813e03f58cf19fd0b6395"
  1683. },
  1684. { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
  1685. "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
  1686. "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
  1687. "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
  1688. "55c7fa434f5ed8cdec2b7aeac173",
  1689. },
  1690. { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
  1691. "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
  1692. "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
  1693. "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
  1694. "0a688e79be24f866286d4646b5d81c"
  1695. },
  1696. { NULL, NULL, NULL, NULL}
  1697. };
  1698. (void)arg;
  1699. for (i = 0; items[i].pk; ++i) {
  1700. ed25519_keypair_t kp;
  1701. ed25519_signature_t sig;
  1702. uint8_t sk_seed[32];
  1703. uint8_t *msg;
  1704. size_t msg_len;
  1705. base16_decode((char*)sk_seed, sizeof(sk_seed),
  1706. items[i].sk, 64);
  1707. ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
  1708. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
  1709. test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
  1710. msg_len = strlen(items[i].msg) / 2;
  1711. msg = tor_malloc(msg_len);
  1712. base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg));
  1713. tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, msg_len, &kp));
  1714. test_memeq_hex(sig.sig, items[i].sig);
  1715. tor_free(msg);
  1716. }
  1717. done:
  1718. tor_free(mem_op_hex_tmp);
  1719. }
  1720. static void
  1721. test_crypto_ed25519_encode(void *arg)
  1722. {
  1723. char buf[ED25519_SIG_BASE64_LEN+1];
  1724. ed25519_keypair_t kp;
  1725. ed25519_public_key_t pk;
  1726. ed25519_signature_t sig1, sig2;
  1727. char *mem_op_hex_tmp = NULL;
  1728. (void) arg;
  1729. /* Test roundtrip. */
  1730. tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, 0));
  1731. tt_int_op(0, OP_EQ, ed25519_public_to_base64(buf, &kp.pubkey));
  1732. tt_int_op(ED25519_BASE64_LEN, OP_EQ, strlen(buf));
  1733. tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk, buf));
  1734. tt_mem_op(kp.pubkey.pubkey, OP_EQ, pk.pubkey, ED25519_PUBKEY_LEN);
  1735. tt_int_op(0, OP_EQ, ed25519_sign(&sig1, (const uint8_t*)"ABC", 3, &kp));
  1736. tt_int_op(0, OP_EQ, ed25519_signature_to_base64(buf, &sig1));
  1737. tt_int_op(0, OP_EQ, ed25519_signature_from_base64(&sig2, buf));
  1738. tt_mem_op(sig1.sig, OP_EQ, sig2.sig, ED25519_SIG_LEN);
  1739. /* Test known value. */
  1740. tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk,
  1741. "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
  1742. test_memeq_hex(pk.pubkey,
  1743. "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
  1744. done:
  1745. tor_free(mem_op_hex_tmp);
  1746. }
  1747. static void
  1748. test_crypto_ed25519_convert(void *arg)
  1749. {
  1750. const uint8_t msg[] =
  1751. "The eyes are not here / There are no eyes here.";
  1752. const int N = 30;
  1753. int i;
  1754. (void)arg;
  1755. for (i = 0; i < N; ++i) {
  1756. curve25519_keypair_t curve25519_keypair;
  1757. ed25519_keypair_t ed25519_keypair;
  1758. ed25519_public_key_t ed25519_pubkey;
  1759. int bit=0;
  1760. ed25519_signature_t sig;
  1761. tt_int_op(0,OP_EQ,curve25519_keypair_generate(&curve25519_keypair, i&1));
  1762. tt_int_op(0,OP_EQ,ed25519_keypair_from_curve25519_keypair(
  1763. &ed25519_keypair, &bit, &curve25519_keypair));
  1764. tt_int_op(0,OP_EQ,ed25519_public_key_from_curve25519_public_key(
  1765. &ed25519_pubkey, &curve25519_keypair.pubkey, bit));
  1766. tt_mem_op(ed25519_pubkey.pubkey, OP_EQ, ed25519_keypair.pubkey.pubkey, 32);
  1767. tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair));
  1768. tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
  1769. &ed25519_pubkey));
  1770. tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
  1771. &ed25519_pubkey));
  1772. sig.sig[0] ^= 15;
  1773. tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
  1774. &ed25519_pubkey));
  1775. }
  1776. done:
  1777. ;
  1778. }
  1779. static void
  1780. test_crypto_ed25519_blinding(void *arg)
  1781. {
  1782. const uint8_t msg[] =
  1783. "Eyes I dare not meet in dreams / In death's dream kingdom";
  1784. const int N = 30;
  1785. int i;
  1786. (void)arg;
  1787. for (i = 0; i < N; ++i) {
  1788. uint8_t blinding[32];
  1789. ed25519_keypair_t ed25519_keypair;
  1790. ed25519_keypair_t ed25519_keypair_blinded;
  1791. ed25519_public_key_t ed25519_pubkey_blinded;
  1792. ed25519_signature_t sig;
  1793. crypto_rand((char*) blinding, sizeof(blinding));
  1794. tt_int_op(0,OP_EQ,ed25519_keypair_generate(&ed25519_keypair, 0));
  1795. tt_int_op(0,OP_EQ,ed25519_keypair_blind(&ed25519_keypair_blinded,
  1796. &ed25519_keypair, blinding));
  1797. tt_int_op(0,OP_EQ,ed25519_public_blind(&ed25519_pubkey_blinded,
  1798. &ed25519_keypair.pubkey, blinding));
  1799. tt_mem_op(ed25519_pubkey_blinded.pubkey, OP_EQ,
  1800. ed25519_keypair_blinded.pubkey.pubkey, 32);
  1801. tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg),
  1802. &ed25519_keypair_blinded));
  1803. tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
  1804. &ed25519_pubkey_blinded));
  1805. tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
  1806. &ed25519_pubkey_blinded));
  1807. sig.sig[0] ^= 15;
  1808. tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
  1809. &ed25519_pubkey_blinded));
  1810. }
  1811. done:
  1812. ;
  1813. }
  1814. static void
  1815. test_crypto_ed25519_testvectors(void *arg)
  1816. {
  1817. unsigned i;
  1818. char *mem_op_hex_tmp = NULL;
  1819. (void)arg;
  1820. for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) {
  1821. uint8_t sk[32];
  1822. ed25519_secret_key_t esk;
  1823. ed25519_public_key_t pk, blind_pk, pkfromcurve;
  1824. ed25519_keypair_t keypair, blind_keypair;
  1825. curve25519_keypair_t curvekp;
  1826. uint8_t blinding_param[32];
  1827. ed25519_signature_t sig;
  1828. int sign;
  1829. #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
  1830. #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
  1831. tt_int_op(0, OP_EQ, DECODE(sk, ED25519_SECRET_KEYS[i]));
  1832. tt_int_op(0, OP_EQ, DECODE(blinding_param, ED25519_BLINDING_PARAMS[i]));
  1833. tt_int_op(0, OP_EQ, ed25519_secret_key_from_seed(&esk, sk));
  1834. EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]);
  1835. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &esk));
  1836. EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]);
  1837. memcpy(&curvekp.seckey.secret_key, esk.seckey, 32);
  1838. curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey);
  1839. tt_int_op(0, OP_EQ,
  1840. ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp));
  1841. tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
  1842. &pkfromcurve, &curvekp.pubkey, sign));
  1843. tt_mem_op(keypair.pubkey.pubkey, OP_EQ, pkfromcurve.pubkey, 32);
  1844. EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]);
  1845. /* Self-signing */
  1846. memcpy(&keypair.seckey, &esk, sizeof(esk));
  1847. memcpy(&keypair.pubkey, &pk, sizeof(pk));
  1848. tt_int_op(0, OP_EQ, ed25519_sign(&sig, pk.pubkey, 32, &keypair));
  1849. EQ(sig.sig, ED25519_SELF_SIGNATURES[i]);
  1850. /* Blinding */
  1851. tt_int_op(0, OP_EQ,
  1852. ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param));
  1853. tt_int_op(0, OP_EQ,
  1854. ed25519_public_blind(&blind_pk, &pk, blinding_param));
  1855. EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]);
  1856. EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]);
  1857. tt_mem_op(blind_pk.pubkey, OP_EQ, blind_keypair.pubkey.pubkey, 32);
  1858. #undef DECODE
  1859. #undef EQ
  1860. }
  1861. done:
  1862. tor_free(mem_op_hex_tmp);
  1863. }
  1864. static void
  1865. test_crypto_ed25519_fuzz_donna(void *arg)
  1866. {
  1867. const unsigned iters = 1024;
  1868. uint8_t msg[1024];
  1869. unsigned i;
  1870. (void)arg;
  1871. tt_assert(sizeof(msg) == iters);
  1872. crypto_rand((char*) msg, sizeof(msg));
  1873. /* Fuzz Ed25519-donna vs ref10, alternating the implementation used to
  1874. * generate keys/sign per iteration.
  1875. */
  1876. for (i = 0; i < iters; ++i) {
  1877. const int use_donna = i & 1;
  1878. uint8_t blinding[32];
  1879. curve25519_keypair_t ckp;
  1880. ed25519_keypair_t kp, kp_blind, kp_curve25519;
  1881. ed25519_public_key_t pk, pk_blind, pk_curve25519;
  1882. ed25519_signature_t sig, sig_blind;
  1883. int bit = 0;
  1884. crypto_rand((char*) blinding, sizeof(blinding));
  1885. /* Impl. A:
  1886. * 1. Generate a keypair.
  1887. * 2. Blinded the keypair.
  1888. * 3. Sign a message (unblinded).
  1889. * 4. Sign a message (blinded).
  1890. * 5. Generate a curve25519 keypair, and convert it to Ed25519.
  1891. */
  1892. ed25519_set_impl_params(use_donna);
  1893. tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, i&1));
  1894. tt_int_op(0, OP_EQ, ed25519_keypair_blind(&kp_blind, &kp, blinding));
  1895. tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, i, &kp));
  1896. tt_int_op(0, OP_EQ, ed25519_sign(&sig_blind, msg, i, &kp_blind));
  1897. tt_int_op(0, OP_EQ, curve25519_keypair_generate(&ckp, i&1));
  1898. tt_int_op(0, OP_EQ, ed25519_keypair_from_curve25519_keypair(
  1899. &kp_curve25519, &bit, &ckp));
  1900. /* Impl. B:
  1901. * 1. Validate the public key by rederiving it.
  1902. * 2. Validate the blinded public key by rederiving it.
  1903. * 3. Validate the unblinded signature (and test a invalid signature).
  1904. * 4. Validate the blinded signature.
  1905. * 5. Validate the public key (from Curve25519) by rederiving it.
  1906. */
  1907. ed25519_set_impl_params(!use_donna);
  1908. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &kp.seckey));
  1909. tt_mem_op(pk.pubkey, OP_EQ, kp.pubkey.pubkey, 32);
  1910. tt_int_op(0, OP_EQ, ed25519_public_blind(&pk_blind, &kp.pubkey, blinding));
  1911. tt_mem_op(pk_blind.pubkey, OP_EQ, kp_blind.pubkey.pubkey, 32);
  1912. tt_int_op(0, OP_EQ, ed25519_checksig(&sig, msg, i, &pk));
  1913. sig.sig[0] ^= 15;
  1914. tt_int_op(-1, OP_EQ, ed25519_checksig(&sig, msg, sizeof(msg), &pk));
  1915. tt_int_op(0, OP_EQ, ed25519_checksig(&sig_blind, msg, i, &pk_blind));
  1916. tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
  1917. &pk_curve25519, &ckp.pubkey, bit));
  1918. tt_mem_op(pk_curve25519.pubkey, OP_EQ, kp_curve25519.pubkey.pubkey, 32);
  1919. }
  1920. done:
  1921. ;
  1922. }
  1923. static void
  1924. test_crypto_siphash(void *arg)
  1925. {
  1926. /* From the reference implementation, taking
  1927. k = 00 01 02 ... 0f
  1928. and in = 00; 00 01; 00 01 02; ...
  1929. */
  1930. const uint8_t VECTORS[64][8] =
  1931. {
  1932. { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
  1933. { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
  1934. { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
  1935. { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
  1936. { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
  1937. { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
  1938. { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
  1939. { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
  1940. { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
  1941. { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
  1942. { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
  1943. { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
  1944. { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
  1945. { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
  1946. { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
  1947. { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
  1948. { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
  1949. { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
  1950. { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
  1951. { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
  1952. { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
  1953. { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
  1954. { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
  1955. { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
  1956. { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
  1957. { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
  1958. { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
  1959. { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
  1960. { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
  1961. { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
  1962. { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
  1963. { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
  1964. { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
  1965. { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
  1966. { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
  1967. { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
  1968. { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
  1969. { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
  1970. { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
  1971. { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
  1972. { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
  1973. { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
  1974. { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
  1975. { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
  1976. { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
  1977. { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
  1978. { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
  1979. { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
  1980. { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
  1981. { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
  1982. { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
  1983. { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
  1984. { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
  1985. { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
  1986. { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
  1987. { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
  1988. { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
  1989. { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
  1990. { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
  1991. { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
  1992. { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
  1993. { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
  1994. { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
  1995. { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
  1996. };
  1997. const struct sipkey K = { U64_LITERAL(0x0706050403020100),
  1998. U64_LITERAL(0x0f0e0d0c0b0a0908) };
  1999. uint8_t input[64];
  2000. int i, j;
  2001. (void)arg;
  2002. for (i = 0; i < 64; ++i)
  2003. input[i] = i;
  2004. for (i = 0; i < 64; ++i) {
  2005. uint64_t r = siphash24(input, i, &K);
  2006. for (j = 0; j < 8; ++j) {
  2007. tt_int_op( (r >> (j*8)) & 0xff, OP_EQ, VECTORS[i][j]);
  2008. }
  2009. }
  2010. done:
  2011. ;
  2012. }
  2013. /* We want the likelihood that the random buffer exhibits any regular pattern
  2014. * to be far less than the memory bit error rate in the int return value.
  2015. * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call
  2016. * 3 functions, leading to an overall error rate of 1/10^616.
  2017. * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range.
  2018. */
  2019. #define FAILURE_MODE_BUFFER_SIZE (2048/8)
  2020. /** Check crypto_rand for a failure mode where it does nothing to the buffer,
  2021. * or it sets the buffer to all zeroes. Return 0 when the check passes,
  2022. * or -1 when it fails. */
  2023. static int
  2024. crypto_rand_check_failure_mode_zero(void)
  2025. {
  2026. char buf[FAILURE_MODE_BUFFER_SIZE];
  2027. memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
  2028. crypto_rand(buf, FAILURE_MODE_BUFFER_SIZE);
  2029. for (size_t i = 0; i < FAILURE_MODE_BUFFER_SIZE; i++) {
  2030. if (buf[i] != 0) {
  2031. return 0;
  2032. }
  2033. }
  2034. return -1;
  2035. }
  2036. /** Check crypto_rand for a failure mode where every int64_t in the buffer is
  2037. * the same. Return 0 when the check passes, or -1 when it fails. */
  2038. static int
  2039. crypto_rand_check_failure_mode_identical(void)
  2040. {
  2041. /* just in case the buffer size isn't a multiple of sizeof(int64_t) */
  2042. #define FAILURE_MODE_BUFFER_SIZE_I64 \
  2043. (FAILURE_MODE_BUFFER_SIZE/SIZEOF_INT64_T)
  2044. #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \
  2045. (FAILURE_MODE_BUFFER_SIZE_I64*SIZEOF_INT64_T)
  2046. #if FAILURE_MODE_BUFFER_SIZE_I64 < 2
  2047. #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*SIZEOF_INT64_T
  2048. #endif
  2049. int64_t buf[FAILURE_MODE_BUFFER_SIZE_I64];
  2050. memset(buf, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
  2051. crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
  2052. for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE_I64; i++) {
  2053. if (buf[i] != buf[i-1]) {
  2054. return 0;
  2055. }
  2056. }
  2057. return -1;
  2058. }
  2059. /** Check crypto_rand for a failure mode where it increments the "random"
  2060. * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.)
  2061. * Return 0 when the check passes, or -1 when it fails. */
  2062. static int
  2063. crypto_rand_check_failure_mode_predict(void)
  2064. {
  2065. unsigned char buf[FAILURE_MODE_BUFFER_SIZE];
  2066. memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
  2067. crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE);
  2068. for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE; i++) {
  2069. /* check if the last byte was incremented by 1, including integer
  2070. * wrapping */
  2071. if (buf[i] - buf[i-1] != 1 && buf[i-1] - buf[i] != 255) {
  2072. return 0;
  2073. }
  2074. }
  2075. return -1;
  2076. }
  2077. #undef FAILURE_MODE_BUFFER_SIZE
  2078. static void
  2079. test_crypto_failure_modes(void *arg)
  2080. {
  2081. int rv = 0;
  2082. (void)arg;
  2083. rv = crypto_early_init();
  2084. tt_assert(rv == 0);
  2085. /* Check random works */
  2086. rv = crypto_rand_check_failure_mode_zero();
  2087. tt_assert(rv == 0);
  2088. rv = crypto_rand_check_failure_mode_identical();
  2089. tt_assert(rv == 0);
  2090. rv = crypto_rand_check_failure_mode_predict();
  2091. tt_assert(rv == 0);
  2092. done:
  2093. ;
  2094. }
  2095. #define CRYPTO_LEGACY(name) \
  2096. { #name, test_crypto_ ## name , 0, NULL, NULL }
  2097. #define ED25519_TEST_ONE(name, fl, which) \
  2098. { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
  2099. &ed25519_test_setup, (void*)which }
  2100. #define ED25519_TEST(name, fl) \
  2101. ED25519_TEST_ONE(name, (fl), "donna"), \
  2102. ED25519_TEST_ONE(name, (fl), "ref10")
  2103. struct testcase_t crypto_tests[] = {
  2104. CRYPTO_LEGACY(formats),
  2105. CRYPTO_LEGACY(rng),
  2106. { "rng_range", test_crypto_rng_range, 0, NULL, NULL },
  2107. { "rng_engine", test_crypto_rng_engine, TT_FORK, NULL, NULL },
  2108. { "aes_AES", test_crypto_aes, TT_FORK, &passthrough_setup, (void*)"aes" },
  2109. { "aes_EVP", test_crypto_aes, TT_FORK, &passthrough_setup, (void*)"evp" },
  2110. CRYPTO_LEGACY(sha),
  2111. CRYPTO_LEGACY(pk),
  2112. { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
  2113. { "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL },
  2114. CRYPTO_LEGACY(digests),
  2115. { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL},
  2116. { "sha3_xof", test_crypto_sha3_xof, TT_FORK, NULL, NULL},
  2117. CRYPTO_LEGACY(dh),
  2118. { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
  2119. (void*)"aes" },
  2120. { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
  2121. (void*)"evp" },
  2122. CRYPTO_LEGACY(base32_decode),
  2123. { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL },
  2124. { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
  2125. { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
  2126. { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"},
  2127. { "curve25519_basepoint",
  2128. test_crypto_curve25519_basepoint, TT_FORK, NULL, NULL },
  2129. { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
  2130. { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
  2131. { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
  2132. ED25519_TEST(simple, 0),
  2133. ED25519_TEST(test_vectors, 0),
  2134. ED25519_TEST(encode, 0),
  2135. ED25519_TEST(convert, 0),
  2136. ED25519_TEST(blinding, 0),
  2137. ED25519_TEST(testvectors, 0),
  2138. ED25519_TEST(fuzz_donna, TT_FORK),
  2139. { "siphash", test_crypto_siphash, 0, NULL, NULL },
  2140. { "failure_modes", test_crypto_failure_modes, TT_FORK, NULL, NULL },
  2141. END_OF_TESTCASES
  2142. };