test_crypto.c 107 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004
  1. /* Copyright (c) 2001-2004, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2016, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. #include "orconfig.h"
  6. #define CRYPTO_CURVE25519_PRIVATE
  7. #define CRYPTO_PRIVATE
  8. #include "or.h"
  9. #include "test.h"
  10. #include "aes.h"
  11. #include "util.h"
  12. #include "siphash.h"
  13. #include "crypto_curve25519.h"
  14. #include "crypto_ed25519.h"
  15. #include "ed25519_vectors.inc"
  16. #include <openssl/evp.h>
  17. #include <openssl/rand.h>
  18. /** Run unit tests for Diffie-Hellman functionality. */
  19. static void
  20. test_crypto_dh(void *arg)
  21. {
  22. crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
  23. crypto_dh_t *dh1_dup = NULL;
  24. crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
  25. char p1[DH_BYTES];
  26. char p2[DH_BYTES];
  27. char s1[DH_BYTES];
  28. char s2[DH_BYTES];
  29. ssize_t s1len, s2len;
  30. (void)arg;
  31. tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH_BYTES);
  32. tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH_BYTES);
  33. memset(p1, 0, DH_BYTES);
  34. memset(p2, 0, DH_BYTES);
  35. tt_mem_op(p1,OP_EQ, p2, DH_BYTES);
  36. tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */
  37. tt_assert(! crypto_dh_get_public(dh1, p1, DH_BYTES));
  38. tt_mem_op(p1,OP_NE, p2, DH_BYTES);
  39. tt_assert(! crypto_dh_get_public(dh2, p2, DH_BYTES));
  40. tt_mem_op(p1,OP_NE, p2, DH_BYTES);
  41. memset(s1, 0, DH_BYTES);
  42. memset(s2, 0xFF, DH_BYTES);
  43. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH_BYTES, s1, 50);
  44. s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH_BYTES, s2, 50);
  45. tt_assert(s1len > 0);
  46. tt_int_op(s1len,OP_EQ, s2len);
  47. tt_mem_op(s1,OP_EQ, s2, s1len);
  48. /* test dh_dup; make sure it works the same. */
  49. dh1_dup = crypto_dh_dup(dh1);
  50. s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH_BYTES, s1, 50);
  51. tt_mem_op(s1,OP_EQ, s2, s1len);
  52. {
  53. /* Now fabricate some bad values and make sure they get caught. */
  54. /* 1 and 0 should both fail. */
  55. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x01", 1, s1, 50);
  56. tt_int_op(-1, OP_EQ, s1len);
  57. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50);
  58. tt_int_op(-1, OP_EQ, s1len);
  59. memset(p1, 0, DH_BYTES); /* 0 with padding. */
  60. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
  61. tt_int_op(-1, OP_EQ, s1len);
  62. p1[DH_BYTES-1] = 1; /* 1 with padding*/
  63. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
  64. tt_int_op(-1, OP_EQ, s1len);
  65. /* 2 is okay, though weird. */
  66. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
  67. tt_int_op(50, OP_EQ, s1len);
  68. const char P[] =
  69. "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
  70. "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
  71. "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
  72. "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
  73. "49286651ECE65381FFFFFFFFFFFFFFFF";
  74. /* p-1, p, and so on are not okay. */
  75. base16_decode(p1, sizeof(p1), P, strlen(P));
  76. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
  77. tt_int_op(-1, OP_EQ, s1len);
  78. p1[DH_BYTES-1] = 0xFE; /* p-1 */
  79. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
  80. tt_int_op(-1, OP_EQ, s1len);
  81. p1[DH_BYTES-1] = 0xFD; /* p-2 works fine */
  82. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
  83. tt_int_op(50, OP_EQ, s1len);
  84. const char P_plus_one[] =
  85. "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
  86. "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
  87. "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
  88. "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
  89. "49286651ECE653820000000000000000";
  90. base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one));
  91. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
  92. tt_int_op(-1, OP_EQ, s1len);
  93. p1[DH_BYTES-1] = 0x01; /* p+2 */
  94. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
  95. tt_int_op(-1, OP_EQ, s1len);
  96. p1[DH_BYTES-1] = 0xff; /* p+256 */
  97. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
  98. tt_int_op(-1, OP_EQ, s1len);
  99. memset(p1, 0xff, DH_BYTES), /* 2^1024-1 */
  100. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50);
  101. tt_int_op(-1, OP_EQ, s1len);
  102. }
  103. {
  104. /* provoke an error in the openssl DH_compute_key function; make sure we
  105. * survive. */
  106. tt_assert(! crypto_dh_get_public(dh1, p1, DH_BYTES));
  107. crypto_dh_free(dh2);
  108. dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */
  109. s1len = crypto_dh_compute_secret(LOG_WARN, dh2,
  110. p1, DH_BYTES,
  111. s1, 50);
  112. tt_int_op(s1len, OP_EQ, -1);
  113. }
  114. done:
  115. crypto_dh_free(dh1);
  116. crypto_dh_free(dh2);
  117. crypto_dh_free(dh1_dup);
  118. }
  119. static void
  120. test_crypto_openssl_version(void *arg)
  121. {
  122. (void)arg;
  123. const char *version = crypto_openssl_get_version_str();
  124. const char *h_version = crypto_openssl_get_header_version_str();
  125. tt_assert(version);
  126. tt_assert(h_version);
  127. tt_assert(!strcmpstart(version, h_version)); /* "-fips" suffix, etc */
  128. tt_assert(!strstr(version, "OpenSSL"));
  129. int a=-1,b=-1,c=-1;
  130. if (!strcmpstart(version, "LibreSSL") || !strcmpstart(version, "BoringSSL"))
  131. return;
  132. int r = tor_sscanf(version, "%d.%d.%d", &a,&b,&c);
  133. tt_int_op(r, OP_EQ, 3);
  134. tt_int_op(a, OP_GE, 0);
  135. tt_int_op(b, OP_GE, 0);
  136. tt_int_op(c, OP_GE, 0);
  137. done:
  138. ;
  139. }
  140. /** Run unit tests for our random number generation function and its wrappers.
  141. */
  142. static void
  143. test_crypto_rng(void *arg)
  144. {
  145. int i, j, allok;
  146. char data1[100], data2[100];
  147. double d;
  148. char *h=NULL;
  149. /* Try out RNG. */
  150. (void)arg;
  151. tt_assert(! crypto_seed_rng());
  152. crypto_rand(data1, 100);
  153. crypto_rand(data2, 100);
  154. tt_mem_op(data1,OP_NE, data2,100);
  155. allok = 1;
  156. for (i = 0; i < 100; ++i) {
  157. uint64_t big;
  158. char *host;
  159. j = crypto_rand_int(100);
  160. if (j < 0 || j >= 100)
  161. allok = 0;
  162. big = crypto_rand_uint64(U64_LITERAL(1)<<40);
  163. if (big >= (U64_LITERAL(1)<<40))
  164. allok = 0;
  165. big = crypto_rand_uint64(U64_LITERAL(5));
  166. if (big >= 5)
  167. allok = 0;
  168. d = crypto_rand_double();
  169. tt_assert(d >= 0);
  170. tt_assert(d < 1.0);
  171. host = crypto_random_hostname(3,8,"www.",".onion");
  172. if (strcmpstart(host,"www.") ||
  173. strcmpend(host,".onion") ||
  174. strlen(host) < 13 ||
  175. strlen(host) > 18)
  176. allok = 0;
  177. tor_free(host);
  178. }
  179. /* Make sure crypto_random_hostname clips its inputs properly. */
  180. h = crypto_random_hostname(20000, 9000, "www.", ".onion");
  181. tt_assert(! strcmpstart(h,"www."));
  182. tt_assert(! strcmpend(h,".onion"));
  183. tt_int_op(63+4+6, OP_EQ, strlen(h));
  184. tt_assert(allok);
  185. done:
  186. tor_free(h);
  187. }
  188. static void
  189. test_crypto_rng_range(void *arg)
  190. {
  191. int got_smallest = 0, got_largest = 0;
  192. int i;
  193. (void)arg;
  194. for (i = 0; i < 1000; ++i) {
  195. int x = crypto_rand_int_range(5,9);
  196. tt_int_op(x, OP_GE, 5);
  197. tt_int_op(x, OP_LT, 9);
  198. if (x == 5)
  199. got_smallest = 1;
  200. if (x == 8)
  201. got_largest = 1;
  202. }
  203. /* These fail with probability 1/10^603. */
  204. tt_assert(got_smallest);
  205. tt_assert(got_largest);
  206. got_smallest = got_largest = 0;
  207. const uint64_t ten_billion = 10 * ((uint64_t)1000000000000);
  208. for (i = 0; i < 1000; ++i) {
  209. uint64_t x = crypto_rand_uint64_range(ten_billion, ten_billion+10);
  210. tt_u64_op(x, OP_GE, ten_billion);
  211. tt_u64_op(x, OP_LT, ten_billion+10);
  212. if (x == ten_billion)
  213. got_smallest = 1;
  214. if (x == ten_billion+9)
  215. got_largest = 1;
  216. }
  217. tt_assert(got_smallest);
  218. tt_assert(got_largest);
  219. const time_t now = time(NULL);
  220. for (i = 0; i < 2000; ++i) {
  221. time_t x = crypto_rand_time_range(now, now+60);
  222. tt_i64_op(x, OP_GE, now);
  223. tt_i64_op(x, OP_LT, now+60);
  224. if (x == now)
  225. got_smallest = 1;
  226. if (x == now+59)
  227. got_largest = 1;
  228. }
  229. tt_assert(got_smallest);
  230. tt_assert(got_largest);
  231. done:
  232. ;
  233. }
  234. static void
  235. test_crypto_rng_strongest(void *arg)
  236. {
  237. const char *how = arg;
  238. int broken = 0;
  239. if (how == NULL) {
  240. ;
  241. } else if (!strcmp(how, "nosyscall")) {
  242. break_strongest_rng_syscall = 1;
  243. } else if (!strcmp(how, "nofallback")) {
  244. break_strongest_rng_fallback = 1;
  245. } else if (!strcmp(how, "broken")) {
  246. broken = break_strongest_rng_syscall = break_strongest_rng_fallback = 1;
  247. }
  248. #define N 128
  249. uint8_t combine_and[N];
  250. uint8_t combine_or[N];
  251. int i, j;
  252. memset(combine_and, 0xff, N);
  253. memset(combine_or, 0, N);
  254. for (i = 0; i < 100; ++i) { /* 2^-100 chances just don't happen. */
  255. uint8_t output[N];
  256. memset(output, 0, N);
  257. if (how == NULL) {
  258. /* this one can't fail. */
  259. crypto_strongest_rand(output, sizeof(output));
  260. } else {
  261. int r = crypto_strongest_rand_raw(output, sizeof(output));
  262. if (r == -1) {
  263. if (broken) {
  264. goto done; /* we're fine. */
  265. }
  266. /* This function is allowed to break, but only if it always breaks. */
  267. tt_int_op(i, OP_EQ, 0);
  268. tt_skip();
  269. } else {
  270. tt_assert(! broken);
  271. }
  272. }
  273. for (j = 0; j < N; ++j) {
  274. combine_and[j] &= output[j];
  275. combine_or[j] |= output[j];
  276. }
  277. }
  278. for (j = 0; j < N; ++j) {
  279. tt_int_op(combine_and[j], OP_EQ, 0);
  280. tt_int_op(combine_or[j], OP_EQ, 0xff);
  281. }
  282. done:
  283. ;
  284. #undef N
  285. }
  286. /* Test for rectifying openssl RAND engine. */
  287. static void
  288. test_crypto_rng_engine(void *arg)
  289. {
  290. (void)arg;
  291. RAND_METHOD dummy_method;
  292. memset(&dummy_method, 0, sizeof(dummy_method));
  293. /* We should be a no-op if we're already on RAND_OpenSSL */
  294. tt_int_op(0, ==, crypto_force_rand_ssleay());
  295. tt_assert(RAND_get_rand_method() == RAND_OpenSSL());
  296. /* We should correct the method if it's a dummy. */
  297. RAND_set_rand_method(&dummy_method);
  298. #ifdef LIBRESSL_VERSION_NUMBER
  299. /* On libressl, you can't override the RNG. */
  300. tt_assert(RAND_get_rand_method() == RAND_OpenSSL());
  301. tt_int_op(0, ==, crypto_force_rand_ssleay());
  302. #else
  303. tt_assert(RAND_get_rand_method() == &dummy_method);
  304. tt_int_op(1, ==, crypto_force_rand_ssleay());
  305. #endif
  306. tt_assert(RAND_get_rand_method() == RAND_OpenSSL());
  307. /* Make sure we aren't calling dummy_method */
  308. crypto_rand((void *) &dummy_method, sizeof(dummy_method));
  309. crypto_rand((void *) &dummy_method, sizeof(dummy_method));
  310. done:
  311. ;
  312. }
  313. /** Run unit tests for our AES functionality */
  314. static void
  315. test_crypto_aes(void *arg)
  316. {
  317. char *data1 = NULL, *data2 = NULL, *data3 = NULL;
  318. crypto_cipher_t *env1 = NULL, *env2 = NULL;
  319. int i, j;
  320. char *mem_op_hex_tmp=NULL;
  321. int use_evp = !strcmp(arg,"evp");
  322. evaluate_evp_for_aes(use_evp);
  323. evaluate_ctr_for_aes();
  324. data1 = tor_malloc(1024);
  325. data2 = tor_malloc(1024);
  326. data3 = tor_malloc(1024);
  327. /* Now, test encryption and decryption with stream cipher. */
  328. data1[0]='\0';
  329. for (i = 1023; i>0; i -= 35)
  330. strncat(data1, "Now is the time for all good onions", i);
  331. memset(data2, 0, 1024);
  332. memset(data3, 0, 1024);
  333. env1 = crypto_cipher_new(NULL);
  334. tt_ptr_op(env1, OP_NE, NULL);
  335. env2 = crypto_cipher_new(crypto_cipher_get_key(env1));
  336. tt_ptr_op(env2, OP_NE, NULL);
  337. /* Try encrypting 512 chars. */
  338. crypto_cipher_encrypt(env1, data2, data1, 512);
  339. crypto_cipher_decrypt(env2, data3, data2, 512);
  340. tt_mem_op(data1,OP_EQ, data3, 512);
  341. tt_mem_op(data1,OP_NE, data2, 512);
  342. /* Now encrypt 1 at a time, and get 1 at a time. */
  343. for (j = 512; j < 560; ++j) {
  344. crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
  345. }
  346. for (j = 512; j < 560; ++j) {
  347. crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
  348. }
  349. tt_mem_op(data1,OP_EQ, data3, 560);
  350. /* Now encrypt 3 at a time, and get 5 at a time. */
  351. for (j = 560; j < 1024-5; j += 3) {
  352. crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
  353. }
  354. for (j = 560; j < 1024-5; j += 5) {
  355. crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
  356. }
  357. tt_mem_op(data1,OP_EQ, data3, 1024-5);
  358. /* Now make sure that when we encrypt with different chunk sizes, we get
  359. the same results. */
  360. crypto_cipher_free(env2);
  361. env2 = NULL;
  362. memset(data3, 0, 1024);
  363. env2 = crypto_cipher_new(crypto_cipher_get_key(env1));
  364. tt_ptr_op(env2, OP_NE, NULL);
  365. for (j = 0; j < 1024-16; j += 17) {
  366. crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
  367. }
  368. for (j= 0; j < 1024-16; ++j) {
  369. if (data2[j] != data3[j]) {
  370. printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]);
  371. }
  372. }
  373. tt_mem_op(data2,OP_EQ, data3, 1024-16);
  374. crypto_cipher_free(env1);
  375. env1 = NULL;
  376. crypto_cipher_free(env2);
  377. env2 = NULL;
  378. /* NIST test vector for aes. */
  379. /* IV starts at 0 */
  380. env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
  381. "\x00\x00\x00\x00\x00\x00\x00\x00");
  382. crypto_cipher_encrypt(env1, data1,
  383. "\x00\x00\x00\x00\x00\x00\x00\x00"
  384. "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
  385. test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");
  386. /* Now test rollover. All these values are originally from a python
  387. * script. */
  388. crypto_cipher_free(env1);
  389. env1 = crypto_cipher_new_with_iv(
  390. "\x80\x00\x00\x00\x00\x00\x00\x00"
  391. "\x00\x00\x00\x00\x00\x00\x00\x00",
  392. "\x00\x00\x00\x00\x00\x00\x00\x00"
  393. "\xff\xff\xff\xff\xff\xff\xff\xff");
  394. memset(data2, 0, 1024);
  395. crypto_cipher_encrypt(env1, data1, data2, 32);
  396. test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
  397. "cdd0b917dbc7186908a6bfb5ffd574d3");
  398. crypto_cipher_free(env1);
  399. env1 = crypto_cipher_new_with_iv(
  400. "\x80\x00\x00\x00\x00\x00\x00\x00"
  401. "\x00\x00\x00\x00\x00\x00\x00\x00",
  402. "\x00\x00\x00\x00\xff\xff\xff\xff"
  403. "\xff\xff\xff\xff\xff\xff\xff\xff");
  404. memset(data2, 0, 1024);
  405. crypto_cipher_encrypt(env1, data1, data2, 32);
  406. test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
  407. "3e63c721df790d2c6469cc1953a3ffac");
  408. crypto_cipher_free(env1);
  409. env1 = crypto_cipher_new_with_iv(
  410. "\x80\x00\x00\x00\x00\x00\x00\x00"
  411. "\x00\x00\x00\x00\x00\x00\x00\x00",
  412. "\xff\xff\xff\xff\xff\xff\xff\xff"
  413. "\xff\xff\xff\xff\xff\xff\xff\xff");
  414. memset(data2, 0, 1024);
  415. crypto_cipher_encrypt(env1, data1, data2, 32);
  416. test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
  417. "0EDD33D3C621E546455BD8BA1418BEC8");
  418. /* Now check rollover on inplace cipher. */
  419. crypto_cipher_free(env1);
  420. env1 = crypto_cipher_new_with_iv(
  421. "\x80\x00\x00\x00\x00\x00\x00\x00"
  422. "\x00\x00\x00\x00\x00\x00\x00\x00",
  423. "\xff\xff\xff\xff\xff\xff\xff\xff"
  424. "\xff\xff\xff\xff\xff\xff\xff\xff");
  425. crypto_cipher_crypt_inplace(env1, data2, 64);
  426. test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
  427. "0EDD33D3C621E546455BD8BA1418BEC8"
  428. "93e2c5243d6839eac58503919192f7ae"
  429. "1908e67cafa08d508816659c2e693191");
  430. crypto_cipher_free(env1);
  431. env1 = crypto_cipher_new_with_iv(
  432. "\x80\x00\x00\x00\x00\x00\x00\x00"
  433. "\x00\x00\x00\x00\x00\x00\x00\x00",
  434. "\xff\xff\xff\xff\xff\xff\xff\xff"
  435. "\xff\xff\xff\xff\xff\xff\xff\xff");
  436. crypto_cipher_crypt_inplace(env1, data2, 64);
  437. tt_assert(tor_mem_is_zero(data2, 64));
  438. done:
  439. tor_free(mem_op_hex_tmp);
  440. if (env1)
  441. crypto_cipher_free(env1);
  442. if (env2)
  443. crypto_cipher_free(env2);
  444. tor_free(data1);
  445. tor_free(data2);
  446. tor_free(data3);
  447. }
  448. static void
  449. test_crypto_aes_ctr_testvec(void *arg)
  450. {
  451. (void)arg;
  452. char *mem_op_hex_tmp=NULL;
  453. /* from NIST SP800-38a, section F.5 */
  454. const char key16[] = "2b7e151628aed2a6abf7158809cf4f3c";
  455. const char ctr16[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
  456. const char plaintext16[] =
  457. "6bc1bee22e409f96e93d7e117393172a"
  458. "ae2d8a571e03ac9c9eb76fac45af8e51"
  459. "30c81c46a35ce411e5fbc1191a0a52ef"
  460. "f69f2445df4f9b17ad2b417be66c3710";
  461. const char ciphertext16[] =
  462. "874d6191b620e3261bef6864990db6ce"
  463. "9806f66b7970fdff8617187bb9fffdff"
  464. "5ae4df3edbd5d35e5b4f09020db03eab"
  465. "1e031dda2fbe03d1792170a0f3009cee";
  466. char key[16];
  467. char iv[16];
  468. char plaintext[16*4];
  469. base16_decode(key, sizeof(key), key16, strlen(key16));
  470. base16_decode(iv, sizeof(iv), ctr16, strlen(ctr16));
  471. base16_decode(plaintext, sizeof(plaintext),
  472. plaintext16, strlen(plaintext16));
  473. crypto_cipher_t *c = crypto_cipher_new_with_iv(key, iv);
  474. crypto_cipher_crypt_inplace(c, plaintext, sizeof(plaintext));
  475. test_memeq_hex(plaintext, ciphertext16);
  476. done:
  477. tor_free(mem_op_hex_tmp);
  478. crypto_cipher_free(c);
  479. }
  480. /** Run unit tests for our SHA-1 functionality */
  481. static void
  482. test_crypto_sha(void *arg)
  483. {
  484. crypto_digest_t *d1 = NULL, *d2 = NULL;
  485. int i;
  486. #define RFC_4231_MAX_KEY_SIZE 131
  487. char key[RFC_4231_MAX_KEY_SIZE];
  488. char digest[DIGEST256_LEN];
  489. char data[DIGEST512_LEN];
  490. char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
  491. char *mem_op_hex_tmp=NULL;
  492. /* Test SHA-1 with a test vector from the specification. */
  493. (void)arg;
  494. i = crypto_digest(data, "abc", 3);
  495. test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
  496. tt_int_op(i, OP_EQ, 0);
  497. /* Test SHA-256 with a test vector from the specification. */
  498. i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
  499. test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
  500. "96177A9CB410FF61F20015AD");
  501. tt_int_op(i, OP_EQ, 0);
  502. /* Test SHA-512 with a test vector from the specification. */
  503. i = crypto_digest512(data, "abc", 3, DIGEST_SHA512);
  504. test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
  505. "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
  506. "feebbd454d4423643ce80e2a9ac94fa54ca49f");
  507. tt_int_op(i, OP_EQ, 0);
  508. /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
  509. /* Case empty (wikipedia) */
  510. crypto_hmac_sha256(digest, "", 0, "", 0);
  511. tt_str_op(hex_str(digest, 32),OP_EQ,
  512. "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
  513. /* Case quick-brown (wikipedia) */
  514. crypto_hmac_sha256(digest, "key", 3,
  515. "The quick brown fox jumps over the lazy dog", 43);
  516. tt_str_op(hex_str(digest, 32),OP_EQ,
  517. "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
  518. /* "Test Case 1" from RFC 4231 */
  519. memset(key, 0x0b, 20);
  520. crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
  521. test_memeq_hex(digest,
  522. "b0344c61d8db38535ca8afceaf0bf12b"
  523. "881dc200c9833da726e9376c2e32cff7");
  524. /* "Test Case 2" from RFC 4231 */
  525. memset(key, 0x0b, 20);
  526. crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
  527. test_memeq_hex(digest,
  528. "5bdcc146bf60754e6a042426089575c7"
  529. "5a003f089d2739839dec58b964ec3843");
  530. /* "Test case 3" from RFC 4231 */
  531. memset(key, 0xaa, 20);
  532. memset(data, 0xdd, 50);
  533. crypto_hmac_sha256(digest, key, 20, data, 50);
  534. test_memeq_hex(digest,
  535. "773ea91e36800e46854db8ebd09181a7"
  536. "2959098b3ef8c122d9635514ced565fe");
  537. /* "Test case 4" from RFC 4231 */
  538. base16_decode(key, 25,
  539. "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
  540. memset(data, 0xcd, 50);
  541. crypto_hmac_sha256(digest, key, 25, data, 50);
  542. test_memeq_hex(digest,
  543. "82558a389a443c0ea4cc819899f2083a"
  544. "85f0faa3e578f8077a2e3ff46729665b");
  545. /* "Test case 5" from RFC 4231 */
  546. memset(key, 0x0c, 20);
  547. crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
  548. test_memeq_hex(digest,
  549. "a3b6167473100ee06e0c796c2955552b");
  550. /* "Test case 6" from RFC 4231 */
  551. memset(key, 0xaa, 131);
  552. crypto_hmac_sha256(digest, key, 131,
  553. "Test Using Larger Than Block-Size Key - Hash Key First",
  554. 54);
  555. test_memeq_hex(digest,
  556. "60e431591ee0b67f0d8a26aacbf5b77f"
  557. "8e0bc6213728c5140546040f0ee37f54");
  558. /* "Test case 7" from RFC 4231 */
  559. memset(key, 0xaa, 131);
  560. crypto_hmac_sha256(digest, key, 131,
  561. "This is a test using a larger than block-size key and a "
  562. "larger than block-size data. The key needs to be hashed "
  563. "before being used by the HMAC algorithm.", 152);
  564. test_memeq_hex(digest,
  565. "9b09ffa71b942fcb27635fbcd5b0e944"
  566. "bfdc63644f0713938a7f51535c3a35e2");
  567. /* Incremental digest code. */
  568. d1 = crypto_digest_new();
  569. tt_assert(d1);
  570. crypto_digest_add_bytes(d1, "abcdef", 6);
  571. d2 = crypto_digest_dup(d1);
  572. tt_assert(d2);
  573. crypto_digest_add_bytes(d2, "ghijkl", 6);
  574. crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
  575. crypto_digest(d_out2, "abcdefghijkl", 12);
  576. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
  577. crypto_digest_assign(d2, d1);
  578. crypto_digest_add_bytes(d2, "mno", 3);
  579. crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
  580. crypto_digest(d_out2, "abcdefmno", 9);
  581. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
  582. crypto_digest_get_digest(d1, d_out1, DIGEST_LEN);
  583. crypto_digest(d_out2, "abcdef", 6);
  584. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
  585. crypto_digest_free(d1);
  586. crypto_digest_free(d2);
  587. /* Incremental digest code with sha256 */
  588. d1 = crypto_digest256_new(DIGEST_SHA256);
  589. tt_assert(d1);
  590. crypto_digest_add_bytes(d1, "abcdef", 6);
  591. d2 = crypto_digest_dup(d1);
  592. tt_assert(d2);
  593. crypto_digest_add_bytes(d2, "ghijkl", 6);
  594. crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
  595. crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
  596. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  597. crypto_digest_assign(d2, d1);
  598. crypto_digest_add_bytes(d2, "mno", 3);
  599. crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
  600. crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
  601. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  602. crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
  603. crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
  604. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  605. crypto_digest_free(d1);
  606. crypto_digest_free(d2);
  607. /* Incremental digest code with sha512 */
  608. d1 = crypto_digest512_new(DIGEST_SHA512);
  609. tt_assert(d1);
  610. crypto_digest_add_bytes(d1, "abcdef", 6);
  611. d2 = crypto_digest_dup(d1);
  612. tt_assert(d2);
  613. crypto_digest_add_bytes(d2, "ghijkl", 6);
  614. crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
  615. crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512);
  616. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  617. crypto_digest_assign(d2, d1);
  618. crypto_digest_add_bytes(d2, "mno", 3);
  619. crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
  620. crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512);
  621. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  622. crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
  623. crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512);
  624. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  625. done:
  626. if (d1)
  627. crypto_digest_free(d1);
  628. if (d2)
  629. crypto_digest_free(d2);
  630. tor_free(mem_op_hex_tmp);
  631. }
  632. static void
  633. test_crypto_sha3(void *arg)
  634. {
  635. crypto_digest_t *d1 = NULL, *d2 = NULL;
  636. int i;
  637. char data[DIGEST512_LEN];
  638. char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
  639. char *mem_op_hex_tmp=NULL;
  640. char *large = NULL;
  641. (void)arg;
  642. /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
  643. *
  644. * NB: The code package's test vectors have length expressed in bits.
  645. */
  646. /* Len = 8, Msg = CC */
  647. const uint8_t keccak_kat_msg8[] = { 0xcc };
  648. i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
  649. test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
  650. "6252BB7CE180B00B582DD9B20AAAD7F0");
  651. tt_int_op(i, OP_EQ, 0);
  652. i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
  653. test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
  654. "C36E2EE0F652AC72E02624FA2E5ADEEC"
  655. "C7DD6BB3580224B4D6138706FC6E8059"
  656. "7B528051230B00621CC2B22999EAA205");
  657. tt_int_op(i, OP_EQ, 0);
  658. /* Len = 24, Msg = 1F877C */
  659. const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
  660. i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3,
  661. DIGEST_SHA3_256);
  662. test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
  663. "C9C966712A501B19D1B6632CCD408EC5");
  664. tt_int_op(i, OP_EQ, 0);
  665. i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3,
  666. DIGEST_SHA3_512);
  667. test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
  668. "1A2F0D0608C3A575163751F002DB30F4"
  669. "0F2F671834B22D208591CFAF1F5ECFE4"
  670. "3C49863A53B3225BDFD7C6591BA7658B");
  671. tt_int_op(i, OP_EQ, 0);
  672. /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
  673. const uint8_t keccak_kat_msg1080[] = {
  674. 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
  675. 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
  676. 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
  677. 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
  678. 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
  679. 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
  680. 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
  681. 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
  682. 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
  683. 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
  684. 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
  685. 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
  686. 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
  687. 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
  688. };
  689. i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135,
  690. DIGEST_SHA3_256);
  691. test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
  692. "BE9B7C736B8059ABFD6779AC35AC81B5");
  693. tt_int_op(i, OP_EQ, 0);
  694. i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135,
  695. DIGEST_SHA3_512);
  696. test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
  697. "CB78696773A212A5F62D02D14E3259D1"
  698. "92A87EBA4407DD83893527331407B6DA"
  699. "DAAD920DBC46489B677493CE5F20B595");
  700. tt_int_op(i, OP_EQ, 0);
  701. /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
  702. const uint8_t keccak_kat_msg1088[] = {
  703. 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
  704. 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
  705. 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
  706. 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
  707. 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
  708. 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
  709. 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
  710. 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
  711. 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
  712. 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
  713. 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
  714. 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
  715. 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
  716. 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
  717. };
  718. i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136,
  719. DIGEST_SHA3_256);
  720. test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
  721. "77B5286364FE16C59CC8A907AFF07732");
  722. tt_int_op(i, OP_EQ, 0);
  723. i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136,
  724. DIGEST_SHA3_512);
  725. test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
  726. "FB94A14C72DE5ACD10D0EB5ECE029CAD"
  727. "FA3BA17A40B2FFA2163991B17786E51C"
  728. "ABA79E5E0FFD34CF085E2A098BE8BACB");
  729. tt_int_op(i, OP_EQ, 0);
  730. /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
  731. const uint8_t keccak_kat_msg1096[] = {
  732. 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
  733. 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
  734. 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
  735. 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
  736. 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
  737. 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
  738. 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
  739. 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
  740. 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
  741. 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
  742. 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
  743. 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
  744. 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
  745. 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
  746. };
  747. i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137,
  748. DIGEST_SHA3_256);
  749. test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
  750. "735E0177279222E7AC0AF8504762FAA0");
  751. tt_int_op(i, OP_EQ, 0);
  752. i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137,
  753. DIGEST_SHA3_512);
  754. test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
  755. "40474041DE83D4A60645A826D7AF1ABE"
  756. "1EEFCB7B74B62CA6A514E5F2697D585B"
  757. "FECECE12931BBE1D4ED7EBF7B0BE660E");
  758. tt_int_op(i, OP_EQ, 0);
  759. /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
  760. const uint8_t keccak_kat_msg1144[] = {
  761. 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
  762. 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
  763. 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
  764. 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
  765. 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
  766. 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
  767. 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
  768. 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
  769. 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
  770. 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
  771. 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
  772. 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
  773. 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
  774. 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
  775. 0xDF, 0xAF, 0xEC,
  776. };
  777. i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143,
  778. DIGEST_SHA3_512);
  779. test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
  780. "605516615D96A062C8BE53A0D6C5A648"
  781. "7BE35D2A8F3CF6620D0C2DBA2C560D68"
  782. "295F284BE7F82F3B92919033C9CE5D80");
  783. tt_int_op(i, OP_EQ, 0);
  784. i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143,
  785. DIGEST_SHA3_256);
  786. test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
  787. "118C0C2C606BDCDA06E7943D2C95E0E5");
  788. tt_int_op(i, OP_EQ, 0);
  789. /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
  790. const uint8_t keccak_kat_msg1152[] = {
  791. 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
  792. 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
  793. 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
  794. 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
  795. 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
  796. 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
  797. 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
  798. 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
  799. 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
  800. 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
  801. 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
  802. 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
  803. 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
  804. 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
  805. 0x9E, 0xE0, 0x0C, 0x63,
  806. };
  807. i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144,
  808. DIGEST_SHA3_512);
  809. test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
  810. "22775DCB6019DCD22B8885994672A088"
  811. "9C69E8115C641DC8B83E39F7311815A1"
  812. "64DC46E0BA2FCA344D86D4BC2EF2532C");
  813. tt_int_op(i, OP_EQ, 0);
  814. i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144,
  815. DIGEST_SHA3_256);
  816. test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
  817. "84DA47678F3C2FFE5A39FDB5F7E63FFB");
  818. tt_int_op(i, OP_EQ, 0);
  819. /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
  820. const uint8_t keccak_kat_msg1160[] = {
  821. 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
  822. 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
  823. 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
  824. 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
  825. 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
  826. 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
  827. 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
  828. 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
  829. 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
  830. 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
  831. 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
  832. 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
  833. 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
  834. 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
  835. 0x70, 0x11, 0x04, 0x4C, 0x53,
  836. };
  837. i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145,
  838. DIGEST_SHA3_512);
  839. test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
  840. "05221AC5EFB1229842E4614F4A029C9B"
  841. "D14A0ED7FD99AF3681429F3F309FDB53"
  842. "166AA9A3CD9F1F1223D04B4A9015E94A");
  843. tt_int_op(i, OP_EQ, 0);
  844. i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145,
  845. DIGEST_SHA3_256);
  846. test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
  847. "3CF6235C6B0B7969342C45A35194B67E");
  848. tt_int_op(i, OP_EQ, 0);
  849. /* SHA3-[256,512] Empty case (wikipedia) */
  850. i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
  851. test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
  852. "f580ff4de43b49fa82d80a4b80f8434a");
  853. tt_int_op(i, OP_EQ, 0);
  854. i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
  855. test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
  856. "97c982164fe25859e0d1dcc1475c80a6"
  857. "15b2123af1f5f94c11e3e9402c3ac558"
  858. "f500199d95b6d3e301758586281dcd26");
  859. tt_int_op(i, OP_EQ, 0);
  860. /* Incremental digest code with SHA3-256 */
  861. d1 = crypto_digest256_new(DIGEST_SHA3_256);
  862. tt_assert(d1);
  863. crypto_digest_add_bytes(d1, "abcdef", 6);
  864. d2 = crypto_digest_dup(d1);
  865. tt_assert(d2);
  866. crypto_digest_add_bytes(d2, "ghijkl", 6);
  867. crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
  868. crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
  869. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  870. crypto_digest_assign(d2, d1);
  871. crypto_digest_add_bytes(d2, "mno", 3);
  872. crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
  873. crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
  874. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  875. crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
  876. crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
  877. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  878. crypto_digest_free(d1);
  879. crypto_digest_free(d2);
  880. /* Incremental digest code with SHA3-512 */
  881. d1 = crypto_digest512_new(DIGEST_SHA3_512);
  882. tt_assert(d1);
  883. crypto_digest_add_bytes(d1, "abcdef", 6);
  884. d2 = crypto_digest_dup(d1);
  885. tt_assert(d2);
  886. crypto_digest_add_bytes(d2, "ghijkl", 6);
  887. crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
  888. crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512);
  889. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  890. crypto_digest_assign(d2, d1);
  891. crypto_digest_add_bytes(d2, "mno", 3);
  892. crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
  893. crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512);
  894. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  895. crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
  896. crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512);
  897. tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  898. crypto_digest_free(d1);
  899. /* Attempt to exercise the incremental hashing code by creating a randomized
  900. * 100 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512
  901. * is used because it has a lowest rate of the family (the code is common,
  902. * but the slower rate exercises more of it).
  903. */
  904. const size_t bufsz = 100 * 1024;
  905. size_t j = 0;
  906. large = tor_malloc(bufsz);
  907. crypto_rand(large, bufsz);
  908. d1 = crypto_digest512_new(DIGEST_SHA3_512); /* Running digest. */
  909. while (j < bufsz) {
  910. /* Pick how much data to add to the running digest. */
  911. size_t incr = (size_t)crypto_rand_int_range(1, 72 * 5);
  912. incr = MIN(bufsz - j, incr);
  913. /* Add the data, and calculate the hash. */
  914. crypto_digest_add_bytes(d1, large + j, incr);
  915. crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
  916. /* One-shot hash the buffer up to the data that was just added,
  917. * and ensure that the values match up.
  918. *
  919. * XXX/yawning: If this actually fails, it'll be rather difficult to
  920. * reproduce. Improvements welcome.
  921. */
  922. i = crypto_digest512(d_out2, large, j + incr, DIGEST_SHA3_512);
  923. tt_int_op(i, OP_EQ, 0);
  924. tt_mem_op(d_out1, OP_EQ, d_out2, DIGEST512_LEN);
  925. j += incr;
  926. }
  927. done:
  928. if (d1)
  929. crypto_digest_free(d1);
  930. if (d2)
  931. crypto_digest_free(d2);
  932. tor_free(large);
  933. tor_free(mem_op_hex_tmp);
  934. }
  935. /** Run unit tests for our XOF. */
  936. static void
  937. test_crypto_sha3_xof(void *arg)
  938. {
  939. uint8_t msg[255];
  940. uint8_t out[512];
  941. crypto_xof_t *xof;
  942. char *mem_op_hex_tmp=NULL;
  943. (void)arg;
  944. /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */
  945. base16_decode((char *)msg, 255,
  946. "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431"
  947. "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1"
  948. "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F"
  949. "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457"
  950. "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186"
  951. "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3"
  952. "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565"
  953. "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7"
  954. "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510);
  955. const char *squeezed_hex =
  956. "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE"
  957. "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A"
  958. "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84"
  959. "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF"
  960. "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60"
  961. "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9"
  962. "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34"
  963. "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF"
  964. "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90"
  965. "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC"
  966. "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18"
  967. "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775"
  968. "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B"
  969. "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2"
  970. "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78"
  971. "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9"
  972. "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39"
  973. "73D4";
  974. /* Test oneshot absorb/squeeze. */
  975. xof = crypto_xof_new();
  976. tt_assert(xof);
  977. crypto_xof_add_bytes(xof, msg, sizeof(msg));
  978. crypto_xof_squeeze_bytes(xof, out, sizeof(out));
  979. test_memeq_hex(out, squeezed_hex);
  980. crypto_xof_free(xof);
  981. memset(out, 0, sizeof(out));
  982. /* Test incremental absorb/squeeze. */
  983. xof = crypto_xof_new();
  984. tt_assert(xof);
  985. for (size_t i = 0; i < sizeof(msg); i++)
  986. crypto_xof_add_bytes(xof, msg + i, 1);
  987. for (size_t i = 0; i < sizeof(out); i++)
  988. crypto_xof_squeeze_bytes(xof, out + i, 1);
  989. test_memeq_hex(out, squeezed_hex);
  990. done:
  991. if (xof)
  992. crypto_xof_free(xof);
  993. tor_free(mem_op_hex_tmp);
  994. }
  995. /** Run unit tests for our public key crypto functions */
  996. static void
  997. test_crypto_pk(void *arg)
  998. {
  999. crypto_pk_t *pk1 = NULL, *pk2 = NULL;
  1000. char *encoded = NULL;
  1001. char data1[1024], data2[1024], data3[1024];
  1002. size_t size;
  1003. int i, len;
  1004. /* Public-key ciphers */
  1005. (void)arg;
  1006. pk1 = pk_generate(0);
  1007. pk2 = crypto_pk_new();
  1008. tt_assert(pk1 && pk2);
  1009. tt_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size));
  1010. tt_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size));
  1011. tt_int_op(0,OP_EQ, crypto_pk_cmp_keys(pk1, pk2));
  1012. /* comparison between keys and NULL */
  1013. tt_int_op(crypto_pk_cmp_keys(NULL, pk1), OP_LT, 0);
  1014. tt_int_op(crypto_pk_cmp_keys(NULL, NULL), OP_EQ, 0);
  1015. tt_int_op(crypto_pk_cmp_keys(pk1, NULL), OP_GT, 0);
  1016. tt_int_op(128,OP_EQ, crypto_pk_keysize(pk1));
  1017. tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk1));
  1018. tt_int_op(128,OP_EQ, crypto_pk_keysize(pk2));
  1019. tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk2));
  1020. tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk2, data1, sizeof(data1),
  1021. "Hello whirled.", 15,
  1022. PK_PKCS1_OAEP_PADDING));
  1023. tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk1, data2, sizeof(data1),
  1024. "Hello whirled.", 15,
  1025. PK_PKCS1_OAEP_PADDING));
  1026. /* oaep padding should make encryption not match */
  1027. tt_mem_op(data1,OP_NE, data2, 128);
  1028. tt_int_op(15,OP_EQ,
  1029. crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128,
  1030. PK_PKCS1_OAEP_PADDING,1));
  1031. tt_str_op(data3,OP_EQ, "Hello whirled.");
  1032. memset(data3, 0, 1024);
  1033. tt_int_op(15,OP_EQ,
  1034. crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
  1035. PK_PKCS1_OAEP_PADDING,1));
  1036. tt_str_op(data3,OP_EQ, "Hello whirled.");
  1037. /* Can't decrypt with public key. */
  1038. tt_int_op(-1,OP_EQ,
  1039. crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128,
  1040. PK_PKCS1_OAEP_PADDING,1));
  1041. /* Try again with bad padding */
  1042. memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
  1043. tt_int_op(-1,OP_EQ,
  1044. crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
  1045. PK_PKCS1_OAEP_PADDING,1));
  1046. /* File operations: save and load private key */
  1047. tt_assert(! crypto_pk_write_private_key_to_filename(pk1,
  1048. get_fname("pkey1")));
  1049. /* failing case for read: can't read. */
  1050. tt_assert(crypto_pk_read_private_key_from_filename(pk2,
  1051. get_fname("xyzzy")) < 0);
  1052. write_str_to_file(get_fname("xyzzy"), "foobar", 6);
  1053. /* Failing case for read: no key. */
  1054. tt_assert(crypto_pk_read_private_key_from_filename(pk2,
  1055. get_fname("xyzzy")) < 0);
  1056. tt_assert(! crypto_pk_read_private_key_from_filename(pk2,
  1057. get_fname("pkey1")));
  1058. tt_int_op(15,OP_EQ,
  1059. crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128,
  1060. PK_PKCS1_OAEP_PADDING,1));
  1061. /* Now try signing. */
  1062. strlcpy(data1, "Ossifrage", 1024);
  1063. tt_int_op(128,OP_EQ,
  1064. crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10));
  1065. tt_int_op(10,OP_EQ,
  1066. crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
  1067. tt_str_op(data3,OP_EQ, "Ossifrage");
  1068. /* Try signing digests. */
  1069. tt_int_op(128,OP_EQ, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2),
  1070. data1, 10));
  1071. tt_int_op(20,OP_EQ,
  1072. crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
  1073. tt_int_op(0,OP_EQ,
  1074. crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128));
  1075. tt_int_op(-1,OP_EQ,
  1076. crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128));
  1077. /*XXXX test failed signing*/
  1078. /* Try encoding */
  1079. crypto_pk_free(pk2);
  1080. pk2 = NULL;
  1081. i = crypto_pk_asn1_encode(pk1, data1, 1024);
  1082. tt_int_op(i, OP_GT, 0);
  1083. pk2 = crypto_pk_asn1_decode(data1, i);
  1084. tt_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
  1085. /* Try with hybrid encryption wrappers. */
  1086. crypto_rand(data1, 1024);
  1087. for (i = 85; i < 140; ++i) {
  1088. memset(data2,0,1024);
  1089. memset(data3,0,1024);
  1090. len = crypto_pk_public_hybrid_encrypt(pk1,data2,sizeof(data2),
  1091. data1,i,PK_PKCS1_OAEP_PADDING,0);
  1092. tt_int_op(len, OP_GE, 0);
  1093. len = crypto_pk_private_hybrid_decrypt(pk1,data3,sizeof(data3),
  1094. data2,len,PK_PKCS1_OAEP_PADDING,1);
  1095. tt_int_op(len,OP_EQ, i);
  1096. tt_mem_op(data1,OP_EQ, data3,i);
  1097. }
  1098. /* Try copy_full */
  1099. crypto_pk_free(pk2);
  1100. pk2 = crypto_pk_copy_full(pk1);
  1101. tt_assert(pk2 != NULL);
  1102. tt_ptr_op(pk1, OP_NE, pk2);
  1103. tt_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
  1104. done:
  1105. if (pk1)
  1106. crypto_pk_free(pk1);
  1107. if (pk2)
  1108. crypto_pk_free(pk2);
  1109. tor_free(encoded);
  1110. }
  1111. static void
  1112. test_crypto_pk_fingerprints(void *arg)
  1113. {
  1114. crypto_pk_t *pk = NULL;
  1115. char encoded[512];
  1116. char d[DIGEST_LEN], d2[DIGEST_LEN];
  1117. char fingerprint[FINGERPRINT_LEN+1];
  1118. int n;
  1119. unsigned i;
  1120. char *mem_op_hex_tmp=NULL;
  1121. (void)arg;
  1122. pk = pk_generate(1);
  1123. tt_assert(pk);
  1124. n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded));
  1125. tt_int_op(n, OP_GT, 0);
  1126. tt_int_op(n, OP_GT, 128);
  1127. tt_int_op(n, OP_LT, 256);
  1128. /* Is digest as expected? */
  1129. crypto_digest(d, encoded, n);
  1130. tt_int_op(0, OP_EQ, crypto_pk_get_digest(pk, d2));
  1131. tt_mem_op(d,OP_EQ, d2, DIGEST_LEN);
  1132. /* Is fingerprint right? */
  1133. tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 0));
  1134. tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
  1135. test_memeq_hex(d, fingerprint);
  1136. /* Are spaces right? */
  1137. tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 1));
  1138. for (i = 4; i < strlen(fingerprint); i += 5) {
  1139. tt_int_op(fingerprint[i], OP_EQ, ' ');
  1140. }
  1141. tor_strstrip(fingerprint, " ");
  1142. tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
  1143. test_memeq_hex(d, fingerprint);
  1144. /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
  1145. crypto_digest(d2, d, sizeof(d));
  1146. tt_int_op(0, OP_EQ, crypto_pk_get_hashed_fingerprint(pk, fingerprint));
  1147. tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
  1148. test_memeq_hex(d2, fingerprint);
  1149. done:
  1150. crypto_pk_free(pk);
  1151. tor_free(mem_op_hex_tmp);
  1152. }
  1153. static void
  1154. test_crypto_pk_base64(void *arg)
  1155. {
  1156. crypto_pk_t *pk1 = NULL;
  1157. crypto_pk_t *pk2 = NULL;
  1158. char *encoded = NULL;
  1159. (void)arg;
  1160. /* Test Base64 encoding a key. */
  1161. pk1 = pk_generate(0);
  1162. tt_assert(pk1);
  1163. tt_int_op(0, OP_EQ, crypto_pk_base64_encode(pk1, &encoded));
  1164. tt_assert(encoded);
  1165. /* Test decoding a valid key. */
  1166. pk2 = crypto_pk_base64_decode(encoded, strlen(encoded));
  1167. tt_assert(pk2);
  1168. tt_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
  1169. crypto_pk_free(pk2);
  1170. /* Test decoding a invalid key (not Base64). */
  1171. static const char *invalid_b64 = "The key is in another castle!";
  1172. pk2 = crypto_pk_base64_decode(invalid_b64, strlen(invalid_b64));
  1173. tt_assert(!pk2);
  1174. /* Test decoding a truncated Base64 blob. */
  1175. pk2 = crypto_pk_base64_decode(encoded, strlen(encoded)/2);
  1176. tt_assert(!pk2);
  1177. done:
  1178. crypto_pk_free(pk1);
  1179. crypto_pk_free(pk2);
  1180. tor_free(encoded);
  1181. }
  1182. #ifdef HAVE_TRUNCATE
  1183. #define do_truncate truncate
  1184. #else
  1185. static int
  1186. do_truncate(const char *fname, size_t len)
  1187. {
  1188. struct stat st;
  1189. char *bytes;
  1190. bytes = read_file_to_str(fname, RFTS_BIN, &st);
  1191. if (!bytes)
  1192. return -1;
  1193. /* This cast isn't so great, but it should be safe given the actual files
  1194. * and lengths we're using. */
  1195. if (st.st_size < (off_t)len)
  1196. len = MIN(len, (size_t)st.st_size);
  1197. int r = write_bytes_to_file(fname, bytes, len, 1);
  1198. tor_free(bytes);
  1199. return r;
  1200. }
  1201. #endif
  1202. /** Sanity check for crypto pk digests */
  1203. static void
  1204. test_crypto_digests(void *arg)
  1205. {
  1206. crypto_pk_t *k = NULL;
  1207. ssize_t r;
  1208. common_digests_t pkey_digests;
  1209. char digest[DIGEST_LEN];
  1210. (void)arg;
  1211. k = crypto_pk_new();
  1212. tt_assert(k);
  1213. r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3, -1);
  1214. tt_assert(!r);
  1215. r = crypto_pk_get_digest(k, digest);
  1216. tt_assert(r == 0);
  1217. tt_mem_op(hex_str(digest, DIGEST_LEN),OP_EQ,
  1218. AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
  1219. r = crypto_pk_get_common_digests(k, &pkey_digests);
  1220. tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),OP_EQ,
  1221. AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
  1222. tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),OP_EQ,
  1223. AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN);
  1224. done:
  1225. crypto_pk_free(k);
  1226. }
  1227. static void
  1228. test_crypto_digest_names(void *arg)
  1229. {
  1230. static const struct {
  1231. int a; const char *n;
  1232. } names[] = {
  1233. { DIGEST_SHA1, "sha1" },
  1234. { DIGEST_SHA256, "sha256" },
  1235. { DIGEST_SHA512, "sha512" },
  1236. { DIGEST_SHA3_256, "sha3-256" },
  1237. { DIGEST_SHA3_512, "sha3-512" },
  1238. { -1, NULL }
  1239. };
  1240. (void)arg;
  1241. int i;
  1242. for (i = 0; names[i].n; ++i) {
  1243. tt_str_op(names[i].n, OP_EQ,crypto_digest_algorithm_get_name(names[i].a));
  1244. tt_int_op(names[i].a,
  1245. OP_EQ,crypto_digest_algorithm_parse_name(names[i].n));
  1246. }
  1247. tt_int_op(-1, OP_EQ,
  1248. crypto_digest_algorithm_parse_name("TimeCubeHash-4444"));
  1249. done:
  1250. ;
  1251. }
  1252. #ifndef OPENSSL_1_1_API
  1253. #define EVP_ENCODE_CTX_new() tor_malloc_zero(sizeof(EVP_ENCODE_CTX))
  1254. #define EVP_ENCODE_CTX_free(ctx) tor_free(ctx)
  1255. #endif
  1256. /** Encode src into dest with OpenSSL's EVP Encode interface, returning the
  1257. * length of the encoded data in bytes.
  1258. */
  1259. static int
  1260. base64_encode_evp(char *dest, char *src, size_t srclen)
  1261. {
  1262. const unsigned char *s = (unsigned char*)src;
  1263. EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
  1264. int len, ret;
  1265. EVP_EncodeInit(ctx);
  1266. EVP_EncodeUpdate(ctx, (unsigned char *)dest, &len, s, (int)srclen);
  1267. EVP_EncodeFinal(ctx, (unsigned char *)(dest + len), &ret);
  1268. EVP_ENCODE_CTX_free(ctx);
  1269. return ret+ len;
  1270. }
  1271. /** Run unit tests for misc crypto formatting functionality (base64, base32,
  1272. * fingerprints, etc) */
  1273. static void
  1274. test_crypto_formats(void *arg)
  1275. {
  1276. char *data1 = NULL, *data2 = NULL, *data3 = NULL;
  1277. int i, j, idx;
  1278. (void)arg;
  1279. data1 = tor_malloc(1024);
  1280. data2 = tor_malloc(1024);
  1281. data3 = tor_malloc(1024);
  1282. tt_assert(data1 && data2 && data3);
  1283. /* Base64 tests */
  1284. memset(data1, 6, 1024);
  1285. for (idx = 0; idx < 10; ++idx) {
  1286. i = base64_encode(data2, 1024, data1, idx, 0);
  1287. tt_int_op(i, OP_GE, 0);
  1288. tt_int_op(i, OP_EQ, strlen(data2));
  1289. j = base64_decode(data3, 1024, data2, i);
  1290. tt_int_op(j,OP_EQ, idx);
  1291. tt_mem_op(data3,OP_EQ, data1, idx);
  1292. i = base64_encode_nopad(data2, 1024, (uint8_t*)data1, idx);
  1293. tt_int_op(i, OP_GE, 0);
  1294. tt_int_op(i, OP_EQ, strlen(data2));
  1295. tt_assert(! strchr(data2, '='));
  1296. j = base64_decode_nopad((uint8_t*)data3, 1024, data2, i);
  1297. tt_int_op(j, OP_EQ, idx);
  1298. tt_mem_op(data3,OP_EQ, data1, idx);
  1299. }
  1300. strlcpy(data1, "Test string that contains 35 chars.", 1024);
  1301. strlcat(data1, " 2nd string that contains 35 chars.", 1024);
  1302. i = base64_encode(data2, 1024, data1, 71, 0);
  1303. tt_int_op(i, OP_GE, 0);
  1304. j = base64_decode(data3, 1024, data2, i);
  1305. tt_int_op(j,OP_EQ, 71);
  1306. tt_str_op(data3,OP_EQ, data1);
  1307. tt_int_op(data2[i], OP_EQ, '\0');
  1308. crypto_rand(data1, DIGEST_LEN);
  1309. memset(data2, 100, 1024);
  1310. digest_to_base64(data2, data1);
  1311. tt_int_op(BASE64_DIGEST_LEN,OP_EQ, strlen(data2));
  1312. tt_int_op(100,OP_EQ, data2[BASE64_DIGEST_LEN+2]);
  1313. memset(data3, 99, 1024);
  1314. tt_int_op(digest_from_base64(data3, data2),OP_EQ, 0);
  1315. tt_mem_op(data1,OP_EQ, data3, DIGEST_LEN);
  1316. tt_int_op(99,OP_EQ, data3[DIGEST_LEN+1]);
  1317. tt_assert(digest_from_base64(data3, "###") < 0);
  1318. for (i = 0; i < 256; i++) {
  1319. /* Test the multiline format Base64 encoder with 0 .. 256 bytes of
  1320. * output against OpenSSL.
  1321. */
  1322. const size_t enclen = base64_encode_size(i, BASE64_ENCODE_MULTILINE);
  1323. data1[i] = i;
  1324. j = base64_encode(data2, 1024, data1, i, BASE64_ENCODE_MULTILINE);
  1325. tt_int_op(j, OP_EQ, enclen);
  1326. j = base64_encode_evp(data3, data1, i);
  1327. tt_int_op(j, OP_EQ, enclen);
  1328. tt_mem_op(data2, OP_EQ, data3, enclen);
  1329. tt_int_op(j, OP_EQ, strlen(data2));
  1330. }
  1331. /* Encoding SHA256 */
  1332. crypto_rand(data2, DIGEST256_LEN);
  1333. memset(data2, 100, 1024);
  1334. digest256_to_base64(data2, data1);
  1335. tt_int_op(BASE64_DIGEST256_LEN,OP_EQ, strlen(data2));
  1336. tt_int_op(100,OP_EQ, data2[BASE64_DIGEST256_LEN+2]);
  1337. memset(data3, 99, 1024);
  1338. tt_int_op(digest256_from_base64(data3, data2),OP_EQ, 0);
  1339. tt_mem_op(data1,OP_EQ, data3, DIGEST256_LEN);
  1340. tt_int_op(99,OP_EQ, data3[DIGEST256_LEN+1]);
  1341. /* Base32 tests */
  1342. strlcpy(data1, "5chrs", 1024);
  1343. /* bit pattern is: [35 63 68 72 73] ->
  1344. * [00110101 01100011 01101000 01110010 01110011]
  1345. * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
  1346. */
  1347. base32_encode(data2, 9, data1, 5);
  1348. tt_str_op(data2,OP_EQ, "gvrwq4tt");
  1349. strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
  1350. base32_encode(data2, 30, data1, 10);
  1351. tt_str_op(data2,OP_EQ, "772w2rfobvomsywe");
  1352. /* Base16 tests */
  1353. strlcpy(data1, "6chrs\xff", 1024);
  1354. base16_encode(data2, 13, data1, 6);
  1355. tt_str_op(data2,OP_EQ, "3663687273FF");
  1356. strlcpy(data1, "f0d678affc000100", 1024);
  1357. i = base16_decode(data2, 8, data1, 16);
  1358. tt_int_op(i,OP_EQ, 8);
  1359. tt_mem_op(data2,OP_EQ, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
  1360. /* now try some failing base16 decodes */
  1361. tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 15)); /* odd input len */
  1362. tt_int_op(-1,OP_EQ, base16_decode(data2, 7, data1, 16)); /* dest too short */
  1363. strlcpy(data1, "f0dz!8affc000100", 1024);
  1364. tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 16));
  1365. tor_free(data1);
  1366. tor_free(data2);
  1367. tor_free(data3);
  1368. /* Add spaces to fingerprint */
  1369. {
  1370. data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
  1371. tt_int_op(strlen(data1),OP_EQ, 40);
  1372. data2 = tor_malloc(FINGERPRINT_LEN+1);
  1373. crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1);
  1374. tt_str_op(data2, OP_EQ,
  1375. "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
  1376. tor_free(data1);
  1377. tor_free(data2);
  1378. }
  1379. done:
  1380. tor_free(data1);
  1381. tor_free(data2);
  1382. tor_free(data3);
  1383. }
  1384. /** Test AES-CTR encryption and decryption with IV. */
  1385. static void
  1386. test_crypto_aes_iv(void *arg)
  1387. {
  1388. char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2;
  1389. char plain_1[1], plain_15[15], plain_16[16], plain_17[17];
  1390. char key1[16], key2[16];
  1391. ssize_t encrypted_size, decrypted_size;
  1392. int use_evp = !strcmp(arg,"evp");
  1393. evaluate_evp_for_aes(use_evp);
  1394. plain = tor_malloc(4095);
  1395. encrypted1 = tor_malloc(4095 + 1 + 16);
  1396. encrypted2 = tor_malloc(4095 + 1 + 16);
  1397. decrypted1 = tor_malloc(4095 + 1);
  1398. decrypted2 = tor_malloc(4095 + 1);
  1399. crypto_rand(plain, 4095);
  1400. crypto_rand(key1, 16);
  1401. crypto_rand(key2, 16);
  1402. crypto_rand(plain_1, 1);
  1403. crypto_rand(plain_15, 15);
  1404. crypto_rand(plain_16, 16);
  1405. crypto_rand(plain_17, 17);
  1406. key1[0] = key2[0] + 128; /* Make sure that contents are different. */
  1407. /* Encrypt and decrypt with the same key. */
  1408. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095,
  1409. plain, 4095);
  1410. tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
  1411. tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is
  1412. * greater than 0, but its truth is not
  1413. * obvious to all analysis tools. */
  1414. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
  1415. encrypted1, encrypted_size);
  1416. tt_int_op(decrypted_size,OP_EQ, 4095);
  1417. tt_assert(decrypted_size > 0);
  1418. tt_mem_op(plain,OP_EQ, decrypted1, 4095);
  1419. /* Encrypt a second time (with a new random initialization vector). */
  1420. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095,
  1421. plain, 4095);
  1422. tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
  1423. tt_assert(encrypted_size > 0);
  1424. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095,
  1425. encrypted2, encrypted_size);
  1426. tt_int_op(decrypted_size,OP_EQ, 4095);
  1427. tt_assert(decrypted_size > 0);
  1428. tt_mem_op(plain,OP_EQ, decrypted2, 4095);
  1429. tt_mem_op(encrypted1,OP_NE, encrypted2, encrypted_size);
  1430. /* Decrypt with the wrong key. */
  1431. decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095,
  1432. encrypted1, encrypted_size);
  1433. tt_int_op(decrypted_size,OP_EQ, 4095);
  1434. tt_mem_op(plain,OP_NE, decrypted2, decrypted_size);
  1435. /* Alter the initialization vector. */
  1436. encrypted1[0] += 42;
  1437. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
  1438. encrypted1, encrypted_size);
  1439. tt_int_op(decrypted_size,OP_EQ, 4095);
  1440. tt_mem_op(plain,OP_NE, decrypted2, 4095);
  1441. /* Special length case: 1. */
  1442. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1,
  1443. plain_1, 1);
  1444. tt_int_op(encrypted_size,OP_EQ, 16 + 1);
  1445. tt_assert(encrypted_size > 0);
  1446. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1,
  1447. encrypted1, encrypted_size);
  1448. tt_int_op(decrypted_size,OP_EQ, 1);
  1449. tt_assert(decrypted_size > 0);
  1450. tt_mem_op(plain_1,OP_EQ, decrypted1, 1);
  1451. /* Special length case: 15. */
  1452. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15,
  1453. plain_15, 15);
  1454. tt_int_op(encrypted_size,OP_EQ, 16 + 15);
  1455. tt_assert(encrypted_size > 0);
  1456. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15,
  1457. encrypted1, encrypted_size);
  1458. tt_int_op(decrypted_size,OP_EQ, 15);
  1459. tt_assert(decrypted_size > 0);
  1460. tt_mem_op(plain_15,OP_EQ, decrypted1, 15);
  1461. /* Special length case: 16. */
  1462. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16,
  1463. plain_16, 16);
  1464. tt_int_op(encrypted_size,OP_EQ, 16 + 16);
  1465. tt_assert(encrypted_size > 0);
  1466. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16,
  1467. encrypted1, encrypted_size);
  1468. tt_int_op(decrypted_size,OP_EQ, 16);
  1469. tt_assert(decrypted_size > 0);
  1470. tt_mem_op(plain_16,OP_EQ, decrypted1, 16);
  1471. /* Special length case: 17. */
  1472. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17,
  1473. plain_17, 17);
  1474. tt_int_op(encrypted_size,OP_EQ, 16 + 17);
  1475. tt_assert(encrypted_size > 0);
  1476. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17,
  1477. encrypted1, encrypted_size);
  1478. tt_int_op(decrypted_size,OP_EQ, 17);
  1479. tt_assert(decrypted_size > 0);
  1480. tt_mem_op(plain_17,OP_EQ, decrypted1, 17);
  1481. done:
  1482. /* Free memory. */
  1483. tor_free(plain);
  1484. tor_free(encrypted1);
  1485. tor_free(encrypted2);
  1486. tor_free(decrypted1);
  1487. tor_free(decrypted2);
  1488. }
  1489. /** Test base32 decoding. */
  1490. static void
  1491. test_crypto_base32_decode(void *arg)
  1492. {
  1493. char plain[60], encoded[96 + 1], decoded[60];
  1494. int res;
  1495. (void)arg;
  1496. crypto_rand(plain, 60);
  1497. /* Encode and decode a random string. */
  1498. base32_encode(encoded, 96 + 1, plain, 60);
  1499. res = base32_decode(decoded, 60, encoded, 96);
  1500. tt_int_op(res,OP_EQ, 0);
  1501. tt_mem_op(plain,OP_EQ, decoded, 60);
  1502. /* Encode, uppercase, and decode a random string. */
  1503. base32_encode(encoded, 96 + 1, plain, 60);
  1504. tor_strupper(encoded);
  1505. res = base32_decode(decoded, 60, encoded, 96);
  1506. tt_int_op(res,OP_EQ, 0);
  1507. tt_mem_op(plain,OP_EQ, decoded, 60);
  1508. /* Change encoded string and decode. */
  1509. if (encoded[0] == 'A' || encoded[0] == 'a')
  1510. encoded[0] = 'B';
  1511. else
  1512. encoded[0] = 'A';
  1513. res = base32_decode(decoded, 60, encoded, 96);
  1514. tt_int_op(res,OP_EQ, 0);
  1515. tt_mem_op(plain,OP_NE, decoded, 60);
  1516. /* Bad encodings. */
  1517. encoded[0] = '!';
  1518. res = base32_decode(decoded, 60, encoded, 96);
  1519. tt_int_op(0, OP_GT, res);
  1520. done:
  1521. ;
  1522. }
  1523. static void
  1524. test_crypto_kdf_TAP(void *arg)
  1525. {
  1526. uint8_t key_material[100];
  1527. int r;
  1528. char *mem_op_hex_tmp = NULL;
  1529. (void)arg;
  1530. #define EXPAND(s) \
  1531. r = crypto_expand_key_material_TAP( \
  1532. (const uint8_t*)(s), strlen(s), \
  1533. key_material, 100)
  1534. /* Test vectors generated with a little python script; feel free to write
  1535. * your own. */
  1536. memset(key_material, 0, sizeof(key_material));
  1537. EXPAND("");
  1538. tt_int_op(r, OP_EQ, 0);
  1539. test_memeq_hex(key_material,
  1540. "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
  1541. "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
  1542. "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
  1543. "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
  1544. EXPAND("Tor");
  1545. tt_int_op(r, OP_EQ, 0);
  1546. test_memeq_hex(key_material,
  1547. "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
  1548. "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
  1549. "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
  1550. "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
  1551. EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
  1552. tt_int_op(r, OP_EQ, 0);
  1553. test_memeq_hex(key_material,
  1554. "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
  1555. "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
  1556. "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
  1557. "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
  1558. done:
  1559. tor_free(mem_op_hex_tmp);
  1560. #undef EXPAND
  1561. }
  1562. static void
  1563. test_crypto_hkdf_sha256(void *arg)
  1564. {
  1565. uint8_t key_material[100];
  1566. const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract";
  1567. const size_t salt_len = strlen((char*)salt);
  1568. const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand";
  1569. const size_t m_expand_len = strlen((char*)m_expand);
  1570. int r;
  1571. char *mem_op_hex_tmp = NULL;
  1572. (void)arg;
  1573. #define EXPAND(s) \
  1574. r = crypto_expand_key_material_rfc5869_sha256( \
  1575. (const uint8_t*)(s), strlen(s), \
  1576. salt, salt_len, \
  1577. m_expand, m_expand_len, \
  1578. key_material, 100)
  1579. /* Test vectors generated with ntor_ref.py */
  1580. memset(key_material, 0, sizeof(key_material));
  1581. EXPAND("");
  1582. tt_int_op(r, OP_EQ, 0);
  1583. test_memeq_hex(key_material,
  1584. "d3490ed48b12a48f9547861583573fe3f19aafe3f81dc7fc75"
  1585. "eeed96d741b3290f941576c1f9f0b2d463d1ec7ab2c6bf71cd"
  1586. "d7f826c6298c00dbfe6711635d7005f0269493edf6046cc7e7"
  1587. "dcf6abe0d20c77cf363e8ffe358927817a3d3e73712cee28d8");
  1588. EXPAND("Tor");
  1589. tt_int_op(r, OP_EQ, 0);
  1590. test_memeq_hex(key_material,
  1591. "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
  1592. "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
  1593. "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
  1594. "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
  1595. EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
  1596. tt_int_op(r, OP_EQ, 0);
  1597. test_memeq_hex(key_material,
  1598. "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
  1599. "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
  1600. "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
  1601. "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
  1602. done:
  1603. tor_free(mem_op_hex_tmp);
  1604. #undef EXPAND
  1605. }
  1606. static void
  1607. test_crypto_hkdf_sha256_testvecs(void *arg)
  1608. {
  1609. (void) arg;
  1610. /* Test vectors from RFC5869, sections A.1 through A.3 */
  1611. const struct {
  1612. const char *ikm16, *salt16, *info16;
  1613. int L;
  1614. const char *okm16;
  1615. } vecs[] = {
  1616. { /* from A.1 */
  1617. "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
  1618. "000102030405060708090a0b0c",
  1619. "f0f1f2f3f4f5f6f7f8f9",
  1620. 42,
  1621. "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
  1622. "34007208d5b887185865"
  1623. },
  1624. { /* from A.2 */
  1625. "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
  1626. "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
  1627. "404142434445464748494a4b4c4d4e4f",
  1628. "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
  1629. "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
  1630. "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
  1631. "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
  1632. "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef"
  1633. "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
  1634. 82,
  1635. "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c"
  1636. "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71"
  1637. "cc30c58179ec3e87c14c01d5c1f3434f1d87"
  1638. },
  1639. { /* from A.3 */
  1640. "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
  1641. "",
  1642. "",
  1643. 42,
  1644. "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
  1645. "9d201395faa4b61a96c8",
  1646. },
  1647. { NULL, NULL, NULL, -1, NULL }
  1648. };
  1649. int i;
  1650. char *ikm = NULL;
  1651. char *salt = NULL;
  1652. char *info = NULL;
  1653. char *okm = NULL;
  1654. char *mem_op_hex_tmp = NULL;
  1655. for (i = 0; vecs[i].ikm16; ++i) {
  1656. size_t ikm_len = strlen(vecs[i].ikm16)/2;
  1657. size_t salt_len = strlen(vecs[i].salt16)/2;
  1658. size_t info_len = strlen(vecs[i].info16)/2;
  1659. size_t okm_len = vecs[i].L;
  1660. ikm = tor_malloc(ikm_len);
  1661. salt = tor_malloc(salt_len);
  1662. info = tor_malloc(info_len);
  1663. okm = tor_malloc(okm_len);
  1664. base16_decode(ikm, ikm_len, vecs[i].ikm16, strlen(vecs[i].ikm16));
  1665. base16_decode(salt, salt_len, vecs[i].salt16, strlen(vecs[i].salt16));
  1666. base16_decode(info, info_len, vecs[i].info16, strlen(vecs[i].info16));
  1667. int r = crypto_expand_key_material_rfc5869_sha256(
  1668. (const uint8_t*)ikm, ikm_len,
  1669. (const uint8_t*)salt, salt_len,
  1670. (const uint8_t*)info, info_len,
  1671. (uint8_t*)okm, okm_len);
  1672. tt_int_op(r, OP_EQ, 0);
  1673. test_memeq_hex(okm, vecs[i].okm16);
  1674. tor_free(ikm);
  1675. tor_free(salt);
  1676. tor_free(info);
  1677. tor_free(okm);
  1678. }
  1679. done:
  1680. tor_free(ikm);
  1681. tor_free(salt);
  1682. tor_free(info);
  1683. tor_free(okm);
  1684. tor_free(mem_op_hex_tmp);
  1685. }
  1686. static void
  1687. test_crypto_curve25519_impl(void *arg)
  1688. {
  1689. /* adapted from curve25519_donna, which adapted it from test-curve25519
  1690. version 20050915, by D. J. Bernstein, Public domain. */
  1691. const int randomize_high_bit = (arg != NULL);
  1692. #ifdef SLOW_CURVE25519_TEST
  1693. const int loop_max=10000;
  1694. const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5"
  1695. "7e0329f4dd2819f5f32d130f1296b500";
  1696. const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9"
  1697. "e0544770bc7de853b38f9100489e3e79";
  1698. const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88"
  1699. "bd13861475516bc2cd2b6e005e805064";
  1700. #else
  1701. const int loop_max=200;
  1702. const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3"
  1703. "c6a1037d74cceb3712e9206871dcf654";
  1704. const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
  1705. "8e3ee1a63c7d14274ea5d4c67f065467";
  1706. const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e"
  1707. "c0ee98cb2257a4545c0cfb2ca3e1812b";
  1708. #endif
  1709. unsigned char e1k[32];
  1710. unsigned char e2k[32];
  1711. unsigned char e1e2k[32];
  1712. unsigned char e2e1k[32];
  1713. unsigned char e1[32] = {3};
  1714. unsigned char e2[32] = {5};
  1715. unsigned char k[32] = {9};
  1716. int loop, i;
  1717. char *mem_op_hex_tmp = NULL;
  1718. for (loop = 0; loop < loop_max; ++loop) {
  1719. curve25519_impl(e1k,e1,k);
  1720. curve25519_impl(e2e1k,e2,e1k);
  1721. curve25519_impl(e2k,e2,k);
  1722. if (randomize_high_bit) {
  1723. /* We require that the high bit of the public key be ignored. So if
  1724. * we're doing this variant test, we randomize the high bit of e2k, and
  1725. * make sure that the handshake still works out the same as it would
  1726. * otherwise. */
  1727. uint8_t byte;
  1728. crypto_rand((char*)&byte, 1);
  1729. e2k[31] |= (byte & 0x80);
  1730. }
  1731. curve25519_impl(e1e2k,e1,e2k);
  1732. tt_mem_op(e1e2k,OP_EQ, e2e1k, 32);
  1733. if (loop == loop_max-1) {
  1734. break;
  1735. }
  1736. for (i = 0;i < 32;++i) e1[i] ^= e2k[i];
  1737. for (i = 0;i < 32;++i) e2[i] ^= e1k[i];
  1738. for (i = 0;i < 32;++i) k[i] ^= e1e2k[i];
  1739. }
  1740. test_memeq_hex(e1, e1_expected);
  1741. test_memeq_hex(e2k, e2k_expected);
  1742. test_memeq_hex(e1e2k, e1e2k_expected);
  1743. done:
  1744. tor_free(mem_op_hex_tmp);
  1745. }
  1746. static void
  1747. test_crypto_curve25519_basepoint(void *arg)
  1748. {
  1749. uint8_t secret[32];
  1750. uint8_t public1[32];
  1751. uint8_t public2[32];
  1752. const int iters = 2048;
  1753. int i;
  1754. (void) arg;
  1755. for (i = 0; i < iters; ++i) {
  1756. crypto_rand((char*)secret, 32);
  1757. curve25519_set_impl_params(1); /* Use optimization */
  1758. curve25519_basepoint_impl(public1, secret);
  1759. curve25519_set_impl_params(0); /* Disable optimization */
  1760. curve25519_basepoint_impl(public2, secret);
  1761. tt_mem_op(public1, OP_EQ, public2, 32);
  1762. }
  1763. done:
  1764. ;
  1765. }
  1766. static void
  1767. test_crypto_curve25519_testvec(void *arg)
  1768. {
  1769. (void)arg;
  1770. char *mem_op_hex_tmp = NULL;
  1771. /* From RFC 7748, section 6.1 */
  1772. /* Alice's private key, a: */
  1773. const char a16[] =
  1774. "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
  1775. /* Alice's public key, X25519(a, 9): */
  1776. const char a_pub16[] =
  1777. "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
  1778. /* Bob's private key, b: */
  1779. const char b16[] =
  1780. "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
  1781. /* Bob's public key, X25519(b, 9): */
  1782. const char b_pub16[] =
  1783. "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
  1784. /* Their shared secret, K: */
  1785. const char k16[] =
  1786. "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
  1787. uint8_t a[32], b[32], a_pub[32], b_pub[32], k1[32], k2[32];
  1788. base16_decode((char*)a, sizeof(a), a16, strlen(a16));
  1789. base16_decode((char*)b, sizeof(b), b16, strlen(b16));
  1790. curve25519_basepoint_impl(a_pub, a);
  1791. curve25519_basepoint_impl(b_pub, b);
  1792. curve25519_impl(k1, a, b_pub);
  1793. curve25519_impl(k2, b, a_pub);
  1794. test_memeq_hex(a, a16);
  1795. test_memeq_hex(b, b16);
  1796. test_memeq_hex(a_pub, a_pub16);
  1797. test_memeq_hex(b_pub, b_pub16);
  1798. test_memeq_hex(k1, k16);
  1799. test_memeq_hex(k2, k16);
  1800. done:
  1801. tor_free(mem_op_hex_tmp);
  1802. }
  1803. static void
  1804. test_crypto_curve25519_wrappers(void *arg)
  1805. {
  1806. curve25519_public_key_t pubkey1, pubkey2;
  1807. curve25519_secret_key_t seckey1, seckey2;
  1808. uint8_t output1[CURVE25519_OUTPUT_LEN];
  1809. uint8_t output2[CURVE25519_OUTPUT_LEN];
  1810. (void)arg;
  1811. /* Test a simple handshake, serializing and deserializing some stuff. */
  1812. curve25519_secret_key_generate(&seckey1, 0);
  1813. curve25519_secret_key_generate(&seckey2, 1);
  1814. curve25519_public_key_generate(&pubkey1, &seckey1);
  1815. curve25519_public_key_generate(&pubkey2, &seckey2);
  1816. tt_assert(curve25519_public_key_is_ok(&pubkey1));
  1817. tt_assert(curve25519_public_key_is_ok(&pubkey2));
  1818. curve25519_handshake(output1, &seckey1, &pubkey2);
  1819. curve25519_handshake(output2, &seckey2, &pubkey1);
  1820. tt_mem_op(output1,OP_EQ, output2, sizeof(output1));
  1821. done:
  1822. ;
  1823. }
  1824. static void
  1825. test_crypto_curve25519_encode(void *arg)
  1826. {
  1827. curve25519_secret_key_t seckey;
  1828. curve25519_public_key_t key1, key2, key3;
  1829. char buf[64];
  1830. (void)arg;
  1831. curve25519_secret_key_generate(&seckey, 0);
  1832. curve25519_public_key_generate(&key1, &seckey);
  1833. tt_int_op(0, OP_EQ, curve25519_public_to_base64(buf, &key1));
  1834. tt_int_op(CURVE25519_BASE64_PADDED_LEN, OP_EQ, strlen(buf));
  1835. tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key2, buf));
  1836. tt_mem_op(key1.public_key,OP_EQ, key2.public_key, CURVE25519_PUBKEY_LEN);
  1837. buf[CURVE25519_BASE64_PADDED_LEN - 1] = '\0';
  1838. tt_int_op(CURVE25519_BASE64_PADDED_LEN-1, OP_EQ, strlen(buf));
  1839. tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key3, buf));
  1840. tt_mem_op(key1.public_key,OP_EQ, key3.public_key, CURVE25519_PUBKEY_LEN);
  1841. /* Now try bogus parses. */
  1842. strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf));
  1843. tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
  1844. strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf));
  1845. tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
  1846. strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf));
  1847. tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
  1848. done:
  1849. ;
  1850. }
  1851. static void
  1852. test_crypto_curve25519_persist(void *arg)
  1853. {
  1854. curve25519_keypair_t keypair, keypair2;
  1855. char *fname = tor_strdup(get_fname("curve25519_keypair"));
  1856. char *tag = NULL;
  1857. char *content = NULL;
  1858. const char *cp;
  1859. struct stat st;
  1860. size_t taglen;
  1861. (void)arg;
  1862. tt_int_op(0,OP_EQ,curve25519_keypair_generate(&keypair, 0));
  1863. tt_int_op(0,OP_EQ,
  1864. curve25519_keypair_write_to_file(&keypair, fname, "testing"));
  1865. tt_int_op(0,OP_EQ,curve25519_keypair_read_from_file(&keypair2, &tag, fname));
  1866. tt_str_op(tag,OP_EQ,"testing");
  1867. tor_free(tag);
  1868. tt_mem_op(keypair.pubkey.public_key,OP_EQ,
  1869. keypair2.pubkey.public_key,
  1870. CURVE25519_PUBKEY_LEN);
  1871. tt_mem_op(keypair.seckey.secret_key,OP_EQ,
  1872. keypair2.seckey.secret_key,
  1873. CURVE25519_SECKEY_LEN);
  1874. content = read_file_to_str(fname, RFTS_BIN, &st);
  1875. tt_assert(content);
  1876. taglen = strlen("== c25519v1: testing ==");
  1877. tt_u64_op((uint64_t)st.st_size, OP_EQ,
  1878. 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN);
  1879. tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen));
  1880. tt_assert(tor_mem_is_zero(content+taglen, 32-taglen));
  1881. cp = content + 32;
  1882. tt_mem_op(keypair.seckey.secret_key,OP_EQ,
  1883. cp,
  1884. CURVE25519_SECKEY_LEN);
  1885. cp += CURVE25519_SECKEY_LEN;
  1886. tt_mem_op(keypair.pubkey.public_key,OP_EQ,
  1887. cp,
  1888. CURVE25519_SECKEY_LEN);
  1889. tor_free(fname);
  1890. fname = tor_strdup(get_fname("bogus_keypair"));
  1891. tt_int_op(-1, OP_EQ,
  1892. curve25519_keypair_read_from_file(&keypair2, &tag, fname));
  1893. tor_free(tag);
  1894. content[69] ^= 0xff;
  1895. tt_int_op(0, OP_EQ,
  1896. write_bytes_to_file(fname, content, (size_t)st.st_size, 1));
  1897. tt_int_op(-1, OP_EQ,
  1898. curve25519_keypair_read_from_file(&keypair2, &tag, fname));
  1899. done:
  1900. tor_free(fname);
  1901. tor_free(content);
  1902. tor_free(tag);
  1903. }
  1904. static void *
  1905. ed25519_testcase_setup(const struct testcase_t *testcase)
  1906. {
  1907. crypto_ed25519_testing_force_impl(testcase->setup_data);
  1908. return testcase->setup_data;
  1909. }
  1910. static int
  1911. ed25519_testcase_cleanup(const struct testcase_t *testcase, void *ptr)
  1912. {
  1913. (void)testcase;
  1914. (void)ptr;
  1915. crypto_ed25519_testing_restore_impl();
  1916. return 1;
  1917. }
  1918. static const struct testcase_setup_t ed25519_test_setup = {
  1919. ed25519_testcase_setup, ed25519_testcase_cleanup
  1920. };
  1921. static void
  1922. test_crypto_ed25519_simple(void *arg)
  1923. {
  1924. ed25519_keypair_t kp1, kp2;
  1925. ed25519_public_key_t pub1, pub2;
  1926. ed25519_secret_key_t sec1, sec2;
  1927. ed25519_signature_t sig1, sig2;
  1928. const uint8_t msg[] =
  1929. "GNU will be able to run Unix programs, "
  1930. "but will not be identical to Unix.";
  1931. const uint8_t msg2[] =
  1932. "Microsoft Windows extends the features of the DOS operating system, "
  1933. "yet is compatible with most existing applications that run under DOS.";
  1934. size_t msg_len = strlen((const char*)msg);
  1935. size_t msg2_len = strlen((const char*)msg2);
  1936. (void)arg;
  1937. tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec1, 0));
  1938. tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec2, 1));
  1939. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub1, &sec1));
  1940. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec1));
  1941. tt_mem_op(pub1.pubkey, OP_EQ, pub2.pubkey, sizeof(pub1.pubkey));
  1942. tt_assert(ed25519_pubkey_eq(&pub1, &pub2));
  1943. tt_assert(ed25519_pubkey_eq(&pub1, &pub1));
  1944. memcpy(&kp1.pubkey, &pub1, sizeof(pub1));
  1945. memcpy(&kp1.seckey, &sec1, sizeof(sec1));
  1946. tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp1));
  1947. tt_int_op(0, OP_EQ, ed25519_sign(&sig2, msg, msg_len, &kp1));
  1948. /* Ed25519 signatures are deterministic */
  1949. tt_mem_op(sig1.sig, OP_EQ, sig2.sig, sizeof(sig1.sig));
  1950. /* Basic signature is valid. */
  1951. tt_int_op(0, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
  1952. /* Altered signature doesn't work. */
  1953. sig1.sig[0] ^= 3;
  1954. tt_int_op(-1, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
  1955. /* Wrong public key doesn't work. */
  1956. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec2));
  1957. tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub2));
  1958. tt_assert(! ed25519_pubkey_eq(&pub1, &pub2));
  1959. /* Wrong message doesn't work. */
  1960. tt_int_op(0, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub1));
  1961. tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len-1, &pub1));
  1962. tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg2, msg2_len, &pub1));
  1963. /* Batch signature checking works with some bad. */
  1964. tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp2, 0));
  1965. tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp2));
  1966. {
  1967. ed25519_checkable_t ch[] = {
  1968. { &pub1, sig2, msg, msg_len }, /*ok*/
  1969. { &pub1, sig2, msg, msg_len-1 }, /*bad*/
  1970. { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/
  1971. { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
  1972. };
  1973. int okay[4];
  1974. tt_int_op(-2, OP_EQ, ed25519_checksig_batch(okay, ch, 4));
  1975. tt_int_op(okay[0], OP_EQ, 1);
  1976. tt_int_op(okay[1], OP_EQ, 0);
  1977. tt_int_op(okay[2], OP_EQ, 0);
  1978. tt_int_op(okay[3], OP_EQ, 1);
  1979. tt_int_op(-2, OP_EQ, ed25519_checksig_batch(NULL, ch, 4));
  1980. }
  1981. /* Batch signature checking works with all good. */
  1982. {
  1983. ed25519_checkable_t ch[] = {
  1984. { &pub1, sig2, msg, msg_len }, /*ok*/
  1985. { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
  1986. };
  1987. int okay[2];
  1988. tt_int_op(0, OP_EQ, ed25519_checksig_batch(okay, ch, 2));
  1989. tt_int_op(okay[0], OP_EQ, 1);
  1990. tt_int_op(okay[1], OP_EQ, 1);
  1991. tt_int_op(0, OP_EQ, ed25519_checksig_batch(NULL, ch, 2));
  1992. }
  1993. /* Test the string-prefixed sign/checksig functions */
  1994. {
  1995. ed25519_signature_t manual_sig;
  1996. char *prefixed_msg;
  1997. /* Generate a signature with a prefixed msg. */
  1998. tt_int_op(0, OP_EQ, ed25519_sign_prefixed(&sig1, msg, msg_len,
  1999. "always in the mood",
  2000. &kp1));
  2001. /* First, check that ed25519_sign_prefixed() returns the exact same sig as
  2002. if we had manually prefixed the msg ourselves. */
  2003. tor_asprintf(&prefixed_msg, "%s%s", "always in the mood", msg);
  2004. tt_int_op(0, OP_EQ, ed25519_sign(&manual_sig, (uint8_t *)prefixed_msg,
  2005. strlen(prefixed_msg), &kp1));
  2006. tor_free(prefixed_msg);
  2007. tt_assert(!memcmp(sig1.sig, manual_sig.sig, sizeof(sig1.sig)));
  2008. /* Test that prefixed checksig verifies it properly. */
  2009. tt_int_op(0, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
  2010. "always in the mood",
  2011. &pub1));
  2012. /* Test that checksig with wrong prefix fails. */
  2013. tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
  2014. "always in the moo",
  2015. &pub1));
  2016. tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
  2017. "always in the moon",
  2018. &pub1));
  2019. tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
  2020. "always in the mood!",
  2021. &pub1));
  2022. }
  2023. done:
  2024. ;
  2025. }
  2026. static void
  2027. test_crypto_ed25519_test_vectors(void *arg)
  2028. {
  2029. char *mem_op_hex_tmp=NULL;
  2030. int i;
  2031. struct {
  2032. const char *sk;
  2033. const char *pk;
  2034. const char *sig;
  2035. const char *msg;
  2036. } items[] = {
  2037. /* These test vectors were generated with the "ref" implementation of
  2038. * ed25519 from SUPERCOP-20130419 */
  2039. { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
  2040. "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
  2041. "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
  2042. "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
  2043. "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
  2044. "204e554c2d7465726d696e617465642e"
  2045. },
  2046. { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
  2047. "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
  2048. "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
  2049. "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
  2050. "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
  2051. "204e554c2d7465726d696e617465642e"
  2052. },
  2053. { "6578706f73656420627920456e676c697368207465787420617320696e707574",
  2054. "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
  2055. "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
  2056. "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
  2057. "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
  2058. "204e554c2d7465726d696e617465642e"
  2059. },
  2060. /* These come from "sign.input" in ed25519's page */
  2061. { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
  2062. "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
  2063. "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
  2064. "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
  2065. "5a8d9d0a22357e6655f9c785"
  2066. },
  2067. { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
  2068. "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
  2069. "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
  2070. "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
  2071. "b87d3813e03f58cf19fd0b6395"
  2072. },
  2073. { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
  2074. "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
  2075. "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
  2076. "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
  2077. "55c7fa434f5ed8cdec2b7aeac173",
  2078. },
  2079. { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
  2080. "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
  2081. "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
  2082. "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
  2083. "0a688e79be24f866286d4646b5d81c"
  2084. },
  2085. /* These come from draft-irtf-cfrg-eddsa-05 section 7.1 */
  2086. {
  2087. "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
  2088. "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
  2089. "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
  2090. "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b",
  2091. ""
  2092. },
  2093. {
  2094. "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
  2095. "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
  2096. "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
  2097. "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00",
  2098. "72"
  2099. },
  2100. {
  2101. "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
  2102. "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
  2103. "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350"
  2104. "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
  2105. "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98"
  2106. "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8"
  2107. "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d"
  2108. "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc"
  2109. "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe"
  2110. "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e"
  2111. "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef"
  2112. "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7"
  2113. "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
  2114. "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2"
  2115. "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24"
  2116. "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270"
  2117. "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc"
  2118. "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07"
  2119. "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba"
  2120. "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a"
  2121. "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e"
  2122. "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
  2123. "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c"
  2124. "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8"
  2125. "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df"
  2126. "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08"
  2127. "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649"
  2128. "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4"
  2129. "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3"
  2130. "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e"
  2131. "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
  2132. "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5"
  2133. "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1"
  2134. "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d"
  2135. "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c"
  2136. "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0"
  2137. },
  2138. {
  2139. "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
  2140. "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
  2141. "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
  2142. "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704",
  2143. "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
  2144. "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
  2145. },
  2146. { NULL, NULL, NULL, NULL}
  2147. };
  2148. (void)arg;
  2149. for (i = 0; items[i].pk; ++i) {
  2150. ed25519_keypair_t kp;
  2151. ed25519_signature_t sig;
  2152. uint8_t sk_seed[32];
  2153. uint8_t *msg;
  2154. size_t msg_len;
  2155. base16_decode((char*)sk_seed, sizeof(sk_seed),
  2156. items[i].sk, 64);
  2157. ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
  2158. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
  2159. test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
  2160. msg_len = strlen(items[i].msg) / 2;
  2161. msg = tor_malloc(msg_len);
  2162. base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg));
  2163. tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, msg_len, &kp));
  2164. test_memeq_hex(sig.sig, items[i].sig);
  2165. tor_free(msg);
  2166. }
  2167. done:
  2168. tor_free(mem_op_hex_tmp);
  2169. }
  2170. static void
  2171. test_crypto_ed25519_encode(void *arg)
  2172. {
  2173. char buf[ED25519_SIG_BASE64_LEN+1];
  2174. ed25519_keypair_t kp;
  2175. ed25519_public_key_t pk;
  2176. ed25519_signature_t sig1, sig2;
  2177. char *mem_op_hex_tmp = NULL;
  2178. (void) arg;
  2179. /* Test roundtrip. */
  2180. tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, 0));
  2181. tt_int_op(0, OP_EQ, ed25519_public_to_base64(buf, &kp.pubkey));
  2182. tt_int_op(ED25519_BASE64_LEN, OP_EQ, strlen(buf));
  2183. tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk, buf));
  2184. tt_mem_op(kp.pubkey.pubkey, OP_EQ, pk.pubkey, ED25519_PUBKEY_LEN);
  2185. tt_int_op(0, OP_EQ, ed25519_sign(&sig1, (const uint8_t*)"ABC", 3, &kp));
  2186. tt_int_op(0, OP_EQ, ed25519_signature_to_base64(buf, &sig1));
  2187. tt_int_op(0, OP_EQ, ed25519_signature_from_base64(&sig2, buf));
  2188. tt_mem_op(sig1.sig, OP_EQ, sig2.sig, ED25519_SIG_LEN);
  2189. /* Test known value. */
  2190. tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk,
  2191. "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
  2192. test_memeq_hex(pk.pubkey,
  2193. "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
  2194. done:
  2195. tor_free(mem_op_hex_tmp);
  2196. }
  2197. static void
  2198. test_crypto_ed25519_convert(void *arg)
  2199. {
  2200. const uint8_t msg[] =
  2201. "The eyes are not here / There are no eyes here.";
  2202. const int N = 30;
  2203. int i;
  2204. (void)arg;
  2205. for (i = 0; i < N; ++i) {
  2206. curve25519_keypair_t curve25519_keypair;
  2207. ed25519_keypair_t ed25519_keypair;
  2208. ed25519_public_key_t ed25519_pubkey;
  2209. int bit=0;
  2210. ed25519_signature_t sig;
  2211. tt_int_op(0,OP_EQ,curve25519_keypair_generate(&curve25519_keypair, i&1));
  2212. tt_int_op(0,OP_EQ,ed25519_keypair_from_curve25519_keypair(
  2213. &ed25519_keypair, &bit, &curve25519_keypair));
  2214. tt_int_op(0,OP_EQ,ed25519_public_key_from_curve25519_public_key(
  2215. &ed25519_pubkey, &curve25519_keypair.pubkey, bit));
  2216. tt_mem_op(ed25519_pubkey.pubkey, OP_EQ, ed25519_keypair.pubkey.pubkey, 32);
  2217. tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair));
  2218. tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
  2219. &ed25519_pubkey));
  2220. tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
  2221. &ed25519_pubkey));
  2222. sig.sig[0] ^= 15;
  2223. tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
  2224. &ed25519_pubkey));
  2225. }
  2226. done:
  2227. ;
  2228. }
  2229. static void
  2230. test_crypto_ed25519_blinding(void *arg)
  2231. {
  2232. const uint8_t msg[] =
  2233. "Eyes I dare not meet in dreams / In death's dream kingdom";
  2234. const int N = 30;
  2235. int i;
  2236. (void)arg;
  2237. for (i = 0; i < N; ++i) {
  2238. uint8_t blinding[32];
  2239. ed25519_keypair_t ed25519_keypair;
  2240. ed25519_keypair_t ed25519_keypair_blinded;
  2241. ed25519_public_key_t ed25519_pubkey_blinded;
  2242. ed25519_signature_t sig;
  2243. crypto_rand((char*) blinding, sizeof(blinding));
  2244. tt_int_op(0,OP_EQ,ed25519_keypair_generate(&ed25519_keypair, 0));
  2245. tt_int_op(0,OP_EQ,ed25519_keypair_blind(&ed25519_keypair_blinded,
  2246. &ed25519_keypair, blinding));
  2247. tt_int_op(0,OP_EQ,ed25519_public_blind(&ed25519_pubkey_blinded,
  2248. &ed25519_keypair.pubkey, blinding));
  2249. tt_mem_op(ed25519_pubkey_blinded.pubkey, OP_EQ,
  2250. ed25519_keypair_blinded.pubkey.pubkey, 32);
  2251. tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg),
  2252. &ed25519_keypair_blinded));
  2253. tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
  2254. &ed25519_pubkey_blinded));
  2255. tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
  2256. &ed25519_pubkey_blinded));
  2257. sig.sig[0] ^= 15;
  2258. tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
  2259. &ed25519_pubkey_blinded));
  2260. }
  2261. done:
  2262. ;
  2263. }
  2264. static void
  2265. test_crypto_ed25519_testvectors(void *arg)
  2266. {
  2267. unsigned i;
  2268. char *mem_op_hex_tmp = NULL;
  2269. (void)arg;
  2270. for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) {
  2271. uint8_t sk[32];
  2272. ed25519_secret_key_t esk;
  2273. ed25519_public_key_t pk, blind_pk, pkfromcurve;
  2274. ed25519_keypair_t keypair, blind_keypair;
  2275. curve25519_keypair_t curvekp;
  2276. uint8_t blinding_param[32];
  2277. ed25519_signature_t sig;
  2278. int sign;
  2279. #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
  2280. #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
  2281. tt_int_op(sizeof(sk), OP_EQ, DECODE(sk, ED25519_SECRET_KEYS[i]));
  2282. tt_int_op(sizeof(blinding_param), OP_EQ, DECODE(blinding_param,
  2283. ED25519_BLINDING_PARAMS[i]));
  2284. tt_int_op(0, OP_EQ, ed25519_secret_key_from_seed(&esk, sk));
  2285. EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]);
  2286. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &esk));
  2287. EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]);
  2288. memcpy(&curvekp.seckey.secret_key, esk.seckey, 32);
  2289. curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey);
  2290. tt_int_op(0, OP_EQ,
  2291. ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp));
  2292. tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
  2293. &pkfromcurve, &curvekp.pubkey, sign));
  2294. tt_mem_op(keypair.pubkey.pubkey, OP_EQ, pkfromcurve.pubkey, 32);
  2295. EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]);
  2296. /* Self-signing */
  2297. memcpy(&keypair.seckey, &esk, sizeof(esk));
  2298. memcpy(&keypair.pubkey, &pk, sizeof(pk));
  2299. tt_int_op(0, OP_EQ, ed25519_sign(&sig, pk.pubkey, 32, &keypair));
  2300. EQ(sig.sig, ED25519_SELF_SIGNATURES[i]);
  2301. /* Blinding */
  2302. tt_int_op(0, OP_EQ,
  2303. ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param));
  2304. tt_int_op(0, OP_EQ,
  2305. ed25519_public_blind(&blind_pk, &pk, blinding_param));
  2306. EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]);
  2307. EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]);
  2308. tt_mem_op(blind_pk.pubkey, OP_EQ, blind_keypair.pubkey.pubkey, 32);
  2309. #undef DECODE
  2310. #undef EQ
  2311. }
  2312. done:
  2313. tor_free(mem_op_hex_tmp);
  2314. }
  2315. static void
  2316. test_crypto_ed25519_fuzz_donna(void *arg)
  2317. {
  2318. const unsigned iters = 1024;
  2319. uint8_t msg[1024];
  2320. unsigned i;
  2321. (void)arg;
  2322. tt_assert(sizeof(msg) == iters);
  2323. crypto_rand((char*) msg, sizeof(msg));
  2324. /* Fuzz Ed25519-donna vs ref10, alternating the implementation used to
  2325. * generate keys/sign per iteration.
  2326. */
  2327. for (i = 0; i < iters; ++i) {
  2328. const int use_donna = i & 1;
  2329. uint8_t blinding[32];
  2330. curve25519_keypair_t ckp;
  2331. ed25519_keypair_t kp, kp_blind, kp_curve25519;
  2332. ed25519_public_key_t pk, pk_blind, pk_curve25519;
  2333. ed25519_signature_t sig, sig_blind;
  2334. int bit = 0;
  2335. crypto_rand((char*) blinding, sizeof(blinding));
  2336. /* Impl. A:
  2337. * 1. Generate a keypair.
  2338. * 2. Blinded the keypair.
  2339. * 3. Sign a message (unblinded).
  2340. * 4. Sign a message (blinded).
  2341. * 5. Generate a curve25519 keypair, and convert it to Ed25519.
  2342. */
  2343. ed25519_set_impl_params(use_donna);
  2344. tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, i&1));
  2345. tt_int_op(0, OP_EQ, ed25519_keypair_blind(&kp_blind, &kp, blinding));
  2346. tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, i, &kp));
  2347. tt_int_op(0, OP_EQ, ed25519_sign(&sig_blind, msg, i, &kp_blind));
  2348. tt_int_op(0, OP_EQ, curve25519_keypair_generate(&ckp, i&1));
  2349. tt_int_op(0, OP_EQ, ed25519_keypair_from_curve25519_keypair(
  2350. &kp_curve25519, &bit, &ckp));
  2351. /* Impl. B:
  2352. * 1. Validate the public key by rederiving it.
  2353. * 2. Validate the blinded public key by rederiving it.
  2354. * 3. Validate the unblinded signature (and test a invalid signature).
  2355. * 4. Validate the blinded signature.
  2356. * 5. Validate the public key (from Curve25519) by rederiving it.
  2357. */
  2358. ed25519_set_impl_params(!use_donna);
  2359. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &kp.seckey));
  2360. tt_mem_op(pk.pubkey, OP_EQ, kp.pubkey.pubkey, 32);
  2361. tt_int_op(0, OP_EQ, ed25519_public_blind(&pk_blind, &kp.pubkey, blinding));
  2362. tt_mem_op(pk_blind.pubkey, OP_EQ, kp_blind.pubkey.pubkey, 32);
  2363. tt_int_op(0, OP_EQ, ed25519_checksig(&sig, msg, i, &pk));
  2364. sig.sig[0] ^= 15;
  2365. tt_int_op(-1, OP_EQ, ed25519_checksig(&sig, msg, sizeof(msg), &pk));
  2366. tt_int_op(0, OP_EQ, ed25519_checksig(&sig_blind, msg, i, &pk_blind));
  2367. tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
  2368. &pk_curve25519, &ckp.pubkey, bit));
  2369. tt_mem_op(pk_curve25519.pubkey, OP_EQ, kp_curve25519.pubkey.pubkey, 32);
  2370. }
  2371. done:
  2372. ;
  2373. }
  2374. static void
  2375. test_crypto_ed25519_storage(void *arg)
  2376. {
  2377. (void)arg;
  2378. ed25519_keypair_t *keypair = NULL;
  2379. ed25519_public_key_t pub;
  2380. ed25519_secret_key_t sec;
  2381. char *fname_1 = tor_strdup(get_fname("ed_seckey_1"));
  2382. char *fname_2 = tor_strdup(get_fname("ed_pubkey_2"));
  2383. char *contents = NULL;
  2384. char *tag = NULL;
  2385. keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
  2386. tt_int_op(0,OP_EQ,ed25519_keypair_generate(keypair, 0));
  2387. tt_int_op(0,OP_EQ,
  2388. ed25519_seckey_write_to_file(&keypair->seckey, fname_1, "foo"));
  2389. tt_int_op(0,OP_EQ,
  2390. ed25519_pubkey_write_to_file(&keypair->pubkey, fname_2, "bar"));
  2391. tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_1));
  2392. tt_ptr_op(tag, OP_EQ, NULL);
  2393. tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_2));
  2394. tt_ptr_op(tag, OP_EQ, NULL);
  2395. tt_int_op(0, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
  2396. tt_str_op(tag, OP_EQ, "bar");
  2397. tor_free(tag);
  2398. tt_int_op(0, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
  2399. tt_str_op(tag, OP_EQ, "foo");
  2400. tor_free(tag);
  2401. /* whitebox test: truncated keys. */
  2402. tt_int_op(0, ==, do_truncate(fname_1, 40));
  2403. tt_int_op(0, ==, do_truncate(fname_2, 40));
  2404. tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
  2405. tt_ptr_op(tag, OP_EQ, NULL);
  2406. tor_free(tag);
  2407. tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
  2408. tt_ptr_op(tag, OP_EQ, NULL);
  2409. done:
  2410. tor_free(fname_1);
  2411. tor_free(fname_2);
  2412. tor_free(contents);
  2413. tor_free(tag);
  2414. ed25519_keypair_free(keypair);
  2415. }
  2416. static void
  2417. test_crypto_siphash(void *arg)
  2418. {
  2419. /* From the reference implementation, taking
  2420. k = 00 01 02 ... 0f
  2421. and in = 00; 00 01; 00 01 02; ...
  2422. */
  2423. const uint8_t VECTORS[64][8] =
  2424. {
  2425. { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
  2426. { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
  2427. { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
  2428. { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
  2429. { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
  2430. { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
  2431. { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
  2432. { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
  2433. { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
  2434. { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
  2435. { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
  2436. { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
  2437. { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
  2438. { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
  2439. { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
  2440. { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
  2441. { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
  2442. { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
  2443. { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
  2444. { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
  2445. { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
  2446. { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
  2447. { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
  2448. { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
  2449. { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
  2450. { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
  2451. { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
  2452. { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
  2453. { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
  2454. { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
  2455. { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
  2456. { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
  2457. { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
  2458. { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
  2459. { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
  2460. { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
  2461. { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
  2462. { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
  2463. { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
  2464. { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
  2465. { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
  2466. { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
  2467. { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
  2468. { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
  2469. { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
  2470. { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
  2471. { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
  2472. { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
  2473. { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
  2474. { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
  2475. { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
  2476. { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
  2477. { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
  2478. { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
  2479. { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
  2480. { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
  2481. { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
  2482. { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
  2483. { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
  2484. { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
  2485. { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
  2486. { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
  2487. { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
  2488. { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
  2489. };
  2490. const struct sipkey K = { U64_LITERAL(0x0706050403020100),
  2491. U64_LITERAL(0x0f0e0d0c0b0a0908) };
  2492. uint8_t input[64];
  2493. int i, j;
  2494. (void)arg;
  2495. for (i = 0; i < 64; ++i)
  2496. input[i] = i;
  2497. for (i = 0; i < 64; ++i) {
  2498. uint64_t r = siphash24(input, i, &K);
  2499. for (j = 0; j < 8; ++j) {
  2500. tt_int_op( (r >> (j*8)) & 0xff, OP_EQ, VECTORS[i][j]);
  2501. }
  2502. }
  2503. done:
  2504. ;
  2505. }
  2506. /* We want the likelihood that the random buffer exhibits any regular pattern
  2507. * to be far less than the memory bit error rate in the int return value.
  2508. * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call
  2509. * 3 functions, leading to an overall error rate of 1/10^616.
  2510. * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range.
  2511. */
  2512. #define FAILURE_MODE_BUFFER_SIZE (2048/8)
  2513. /** Check crypto_rand for a failure mode where it does nothing to the buffer,
  2514. * or it sets the buffer to all zeroes. Return 0 when the check passes,
  2515. * or -1 when it fails. */
  2516. static int
  2517. crypto_rand_check_failure_mode_zero(void)
  2518. {
  2519. char buf[FAILURE_MODE_BUFFER_SIZE];
  2520. memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
  2521. crypto_rand(buf, FAILURE_MODE_BUFFER_SIZE);
  2522. for (size_t i = 0; i < FAILURE_MODE_BUFFER_SIZE; i++) {
  2523. if (buf[i] != 0) {
  2524. return 0;
  2525. }
  2526. }
  2527. return -1;
  2528. }
  2529. /** Check crypto_rand for a failure mode where every int64_t in the buffer is
  2530. * the same. Return 0 when the check passes, or -1 when it fails. */
  2531. static int
  2532. crypto_rand_check_failure_mode_identical(void)
  2533. {
  2534. /* just in case the buffer size isn't a multiple of sizeof(int64_t) */
  2535. #define FAILURE_MODE_BUFFER_SIZE_I64 \
  2536. (FAILURE_MODE_BUFFER_SIZE/SIZEOF_INT64_T)
  2537. #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \
  2538. (FAILURE_MODE_BUFFER_SIZE_I64*SIZEOF_INT64_T)
  2539. #if FAILURE_MODE_BUFFER_SIZE_I64 < 2
  2540. #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*SIZEOF_INT64_T
  2541. #endif
  2542. int64_t buf[FAILURE_MODE_BUFFER_SIZE_I64];
  2543. memset(buf, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
  2544. crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
  2545. for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE_I64; i++) {
  2546. if (buf[i] != buf[i-1]) {
  2547. return 0;
  2548. }
  2549. }
  2550. return -1;
  2551. }
  2552. /** Check crypto_rand for a failure mode where it increments the "random"
  2553. * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.)
  2554. * Return 0 when the check passes, or -1 when it fails. */
  2555. static int
  2556. crypto_rand_check_failure_mode_predict(void)
  2557. {
  2558. unsigned char buf[FAILURE_MODE_BUFFER_SIZE];
  2559. memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
  2560. crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE);
  2561. for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE; i++) {
  2562. /* check if the last byte was incremented by 1, including integer
  2563. * wrapping */
  2564. if (buf[i] - buf[i-1] != 1 && buf[i-1] - buf[i] != 255) {
  2565. return 0;
  2566. }
  2567. }
  2568. return -1;
  2569. }
  2570. #undef FAILURE_MODE_BUFFER_SIZE
  2571. static void
  2572. test_crypto_failure_modes(void *arg)
  2573. {
  2574. int rv = 0;
  2575. (void)arg;
  2576. rv = crypto_early_init();
  2577. tt_assert(rv == 0);
  2578. /* Check random works */
  2579. rv = crypto_rand_check_failure_mode_zero();
  2580. tt_assert(rv == 0);
  2581. rv = crypto_rand_check_failure_mode_identical();
  2582. tt_assert(rv == 0);
  2583. rv = crypto_rand_check_failure_mode_predict();
  2584. tt_assert(rv == 0);
  2585. done:
  2586. ;
  2587. }
  2588. #define CRYPTO_LEGACY(name) \
  2589. { #name, test_crypto_ ## name , 0, NULL, NULL }
  2590. #define ED25519_TEST_ONE(name, fl, which) \
  2591. { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
  2592. &ed25519_test_setup, (void*)which }
  2593. #define ED25519_TEST(name, fl) \
  2594. ED25519_TEST_ONE(name, (fl), "donna"), \
  2595. ED25519_TEST_ONE(name, (fl), "ref10")
  2596. struct testcase_t crypto_tests[] = {
  2597. CRYPTO_LEGACY(formats),
  2598. CRYPTO_LEGACY(rng),
  2599. { "rng_range", test_crypto_rng_range, 0, NULL, NULL },
  2600. { "rng_engine", test_crypto_rng_engine, TT_FORK, NULL, NULL },
  2601. { "rng_strongest", test_crypto_rng_strongest, TT_FORK, NULL, NULL },
  2602. { "rng_strongest_nosyscall", test_crypto_rng_strongest, TT_FORK,
  2603. &passthrough_setup, (void*)"nosyscall" },
  2604. { "rng_strongest_nofallback", test_crypto_rng_strongest, TT_FORK,
  2605. &passthrough_setup, (void*)"nofallback" },
  2606. { "rng_strongest_broken", test_crypto_rng_strongest, TT_FORK,
  2607. &passthrough_setup, (void*)"broken" },
  2608. { "openssl_version", test_crypto_openssl_version, TT_FORK, NULL, NULL },
  2609. { "aes_AES", test_crypto_aes, TT_FORK, &passthrough_setup, (void*)"aes" },
  2610. { "aes_EVP", test_crypto_aes, TT_FORK, &passthrough_setup, (void*)"evp" },
  2611. { "aes_ctr_testvec", test_crypto_aes_ctr_testvec, 0, NULL, NULL },
  2612. CRYPTO_LEGACY(sha),
  2613. CRYPTO_LEGACY(pk),
  2614. { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
  2615. { "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL },
  2616. CRYPTO_LEGACY(digests),
  2617. { "digest_names", test_crypto_digest_names, 0, NULL, NULL },
  2618. { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL},
  2619. { "sha3_xof", test_crypto_sha3_xof, TT_FORK, NULL, NULL},
  2620. CRYPTO_LEGACY(dh),
  2621. { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
  2622. (void*)"aes" },
  2623. { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
  2624. (void*)"evp" },
  2625. CRYPTO_LEGACY(base32_decode),
  2626. { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL },
  2627. { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
  2628. { "hkdf_sha256_testvecs", test_crypto_hkdf_sha256_testvecs, 0, NULL, NULL },
  2629. { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
  2630. { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"},
  2631. { "curve25516_testvec", test_crypto_curve25519_testvec, 0, NULL, NULL },
  2632. { "curve25519_basepoint",
  2633. test_crypto_curve25519_basepoint, TT_FORK, NULL, NULL },
  2634. { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
  2635. { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
  2636. { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
  2637. ED25519_TEST(simple, 0),
  2638. ED25519_TEST(test_vectors, 0),
  2639. ED25519_TEST(encode, 0),
  2640. ED25519_TEST(convert, 0),
  2641. ED25519_TEST(blinding, 0),
  2642. ED25519_TEST(testvectors, 0),
  2643. ED25519_TEST(fuzz_donna, TT_FORK),
  2644. { "ed25519_storage", test_crypto_ed25519_storage, 0, NULL, NULL },
  2645. { "siphash", test_crypto_siphash, 0, NULL, NULL },
  2646. { "failure_modes", test_crypto_failure_modes, TT_FORK, NULL, NULL },
  2647. END_OF_TESTCASES
  2648. };