test_crypto_slow.c 20 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617
  1. /* Copyright (c) 2001-2004, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2017, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. #include "orconfig.h"
  6. #define CRYPTO_S2K_PRIVATE
  7. #include "or.h"
  8. #include "test.h"
  9. #include "crypto_s2k.h"
  10. #include "crypto_pwbox.h"
  11. #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
  12. #define HAVE_LIBSCRYPT
  13. #include <libscrypt.h>
  14. #endif
  15. #include <openssl/evp.h>
  16. /** Run unit tests for our secret-to-key passphrase hashing functionality. */
  17. static void
  18. test_crypto_s2k_rfc2440(void *arg)
  19. {
  20. char buf[29];
  21. char buf2[29];
  22. char *buf3 = NULL;
  23. int i;
  24. (void)arg;
  25. memset(buf, 0, sizeof(buf));
  26. memset(buf2, 0, sizeof(buf2));
  27. buf3 = tor_malloc(65536);
  28. memset(buf3, 0, 65536);
  29. secret_to_key_rfc2440(buf+9, 20, "", 0, buf);
  30. crypto_digest(buf2+9, buf3, 1024);
  31. tt_mem_op(buf,OP_EQ, buf2, 29);
  32. memcpy(buf,"vrbacrda",8);
  33. memcpy(buf2,"vrbacrda",8);
  34. buf[8] = 96;
  35. buf2[8] = 96;
  36. secret_to_key_rfc2440(buf+9, 20, "12345678", 8, buf);
  37. for (i = 0; i < 65536; i += 16) {
  38. memcpy(buf3+i, "vrbacrda12345678", 16);
  39. }
  40. crypto_digest(buf2+9, buf3, 65536);
  41. tt_mem_op(buf,OP_EQ, buf2, 29);
  42. done:
  43. tor_free(buf3);
  44. }
  45. static void
  46. run_s2k_tests(const unsigned flags, const unsigned type,
  47. int speclen, const int keylen, int legacy)
  48. {
  49. uint8_t buf[S2K_MAXLEN], buf2[S2K_MAXLEN], buf3[S2K_MAXLEN];
  50. int r;
  51. size_t sz;
  52. const char pw1[] = "You can't come in here unless you say swordfish!";
  53. const char pw2[] = "Now, I give you one more guess.";
  54. r = secret_to_key_new(buf, sizeof(buf), &sz,
  55. pw1, strlen(pw1), flags);
  56. tt_int_op(r, OP_EQ, S2K_OKAY);
  57. tt_int_op(buf[0], OP_EQ, type);
  58. tt_int_op(sz, OP_EQ, keylen + speclen);
  59. if (legacy) {
  60. memmove(buf, buf+1, sz-1);
  61. --sz;
  62. --speclen;
  63. }
  64. tt_int_op(S2K_OKAY, OP_EQ,
  65. secret_to_key_check(buf, sz, pw1, strlen(pw1)));
  66. tt_int_op(S2K_BAD_SECRET, OP_EQ,
  67. secret_to_key_check(buf, sz, pw2, strlen(pw2)));
  68. /* Move key to buf2, and clear it. */
  69. memset(buf3, 0, sizeof(buf3));
  70. memcpy(buf2, buf+speclen, keylen);
  71. memset(buf+speclen, 0, sz - speclen);
  72. /* Derivekey should produce the same results. */
  73. tt_int_op(S2K_OKAY, OP_EQ,
  74. secret_to_key_derivekey(buf3, keylen, buf, speclen, pw1, strlen(pw1)));
  75. tt_mem_op(buf2, OP_EQ, buf3, keylen);
  76. /* Derivekey with a longer output should fill the output. */
  77. memset(buf2, 0, sizeof(buf2));
  78. tt_int_op(S2K_OKAY, OP_EQ,
  79. secret_to_key_derivekey(buf2, sizeof(buf2), buf, speclen,
  80. pw1, strlen(pw1)));
  81. tt_mem_op(buf2, OP_NE, buf3, sizeof(buf2));
  82. memset(buf3, 0, sizeof(buf3));
  83. tt_int_op(S2K_OKAY, OP_EQ,
  84. secret_to_key_derivekey(buf3, sizeof(buf3), buf, speclen,
  85. pw1, strlen(pw1)));
  86. tt_mem_op(buf2, OP_EQ, buf3, sizeof(buf3));
  87. tt_assert(!tor_mem_is_zero((char*)buf2+keylen, sizeof(buf2)-keylen));
  88. done:
  89. ;
  90. }
  91. static void
  92. test_crypto_s2k_general(void *arg)
  93. {
  94. const char *which = arg;
  95. if (!strcmp(which, "scrypt")) {
  96. run_s2k_tests(0, 2, 19, 32, 0);
  97. } else if (!strcmp(which, "scrypt-low")) {
  98. run_s2k_tests(S2K_FLAG_LOW_MEM, 2, 19, 32, 0);
  99. } else if (!strcmp(which, "pbkdf2")) {
  100. run_s2k_tests(S2K_FLAG_USE_PBKDF2, 1, 18, 20, 0);
  101. } else if (!strcmp(which, "rfc2440")) {
  102. run_s2k_tests(S2K_FLAG_NO_SCRYPT, 0, 10, 20, 0);
  103. } else if (!strcmp(which, "rfc2440-legacy")) {
  104. run_s2k_tests(S2K_FLAG_NO_SCRYPT, 0, 10, 20, 1);
  105. } else {
  106. tt_fail();
  107. }
  108. }
  109. #if defined(HAVE_LIBSCRYPT) && defined(HAVE_EVP_PBE_SCRYPT)
  110. static void
  111. test_libscrypt_eq_openssl(void *arg)
  112. {
  113. uint8_t buf1[64];
  114. uint8_t buf2[64];
  115. uint64_t N;
  116. uint32_t r, p;
  117. uint64_t maxmem = 0; // --> SCRYPT_MAX_MEM in OpenSSL.
  118. int libscrypt_retval, openssl_retval;
  119. size_t dk_len = 64;
  120. (void)arg;
  121. memset(buf1,0,64);
  122. memset(buf2,0,64);
  123. /* NOTE: we're using N,r the way OpenSSL and libscrypt define them,
  124. * not the way draft-josefsson-scrypt-kdf-00.txt define them.
  125. */
  126. N = 16;
  127. r = 1;
  128. p = 1;
  129. libscrypt_retval =
  130. libscrypt_scrypt((const uint8_t *)"", 0, (const uint8_t *)"", 0,
  131. N, r, p, buf1, dk_len);
  132. openssl_retval =
  133. EVP_PBE_scrypt((const char *)"", 0, (const unsigned char *)"", 0,
  134. N, r, p, maxmem, buf2, dk_len);
  135. tt_int_op(libscrypt_retval, OP_EQ, 0);
  136. tt_int_op(openssl_retval, OP_EQ, 1);
  137. tt_mem_op(buf1, OP_EQ, buf2, 64);
  138. memset(buf1,0,64);
  139. memset(buf2,0,64);
  140. N = 1024;
  141. r = 8;
  142. p = 16;
  143. libscrypt_retval =
  144. libscrypt_scrypt((const uint8_t *)"password", strlen("password"),
  145. (const uint8_t *)"NaCl", strlen("NaCl"),
  146. N, r, p, buf1, dk_len);
  147. openssl_retval =
  148. EVP_PBE_scrypt((const char *)"password", strlen("password"),
  149. (const unsigned char *)"NaCl", strlen("NaCl"),
  150. N, r, p, maxmem, buf2, dk_len);
  151. tt_int_op(libscrypt_retval, OP_EQ, 0);
  152. tt_int_op(openssl_retval, OP_EQ, 1);
  153. tt_mem_op(buf1, OP_EQ, buf2, 64);
  154. memset(buf1,0,64);
  155. memset(buf2,0,64);
  156. N = 16384;
  157. r = 8;
  158. p = 1;
  159. libscrypt_retval =
  160. libscrypt_scrypt((const uint8_t *)"pleaseletmein",
  161. strlen("pleaseletmein"),
  162. (const uint8_t *)"SodiumChloride",
  163. strlen("SodiumChloride"),
  164. N, r, p, buf1, dk_len);
  165. openssl_retval =
  166. EVP_PBE_scrypt((const char *)"pleaseletmein",
  167. strlen("pleaseletmein"),
  168. (const unsigned char *)"SodiumChloride",
  169. strlen("SodiumChloride"),
  170. N, r, p, maxmem, buf2, dk_len);
  171. tt_int_op(libscrypt_retval, OP_EQ, 0);
  172. tt_int_op(openssl_retval, OP_EQ, 1);
  173. tt_mem_op(buf1, OP_EQ, buf2, 64);
  174. memset(buf1,0,64);
  175. memset(buf2,0,64);
  176. N = 1048576;
  177. maxmem = 2 * 1024 * 1024 * (uint64_t)1024; // 2 GB
  178. libscrypt_retval =
  179. libscrypt_scrypt((const uint8_t *)"pleaseletmein",
  180. strlen("pleaseletmein"),
  181. (const uint8_t *)"SodiumChloride",
  182. strlen("SodiumChloride"),
  183. N, r, p, buf1, dk_len);
  184. openssl_retval =
  185. EVP_PBE_scrypt((const char *)"pleaseletmein",
  186. strlen("pleaseletmein"),
  187. (const unsigned char *)"SodiumChloride",
  188. strlen("SodiumChloride"),
  189. N, r, p, maxmem, buf2, dk_len);
  190. tt_int_op(libscrypt_retval, OP_EQ, 0);
  191. tt_int_op(openssl_retval, OP_EQ, 1);
  192. tt_mem_op(buf1, OP_EQ, buf2, 64);
  193. done:
  194. return;
  195. }
  196. #endif /* defined(HAVE_LIBSCRYPT) && defined(HAVE_EVP_PBE_SCRYPT) */
  197. static void
  198. test_crypto_s2k_errors(void *arg)
  199. {
  200. uint8_t buf[S2K_MAXLEN], buf2[S2K_MAXLEN];
  201. size_t sz;
  202. (void)arg;
  203. /* Bogus specifiers: simple */
  204. tt_int_op(S2K_BAD_LEN, OP_EQ,
  205. secret_to_key_derivekey(buf, sizeof(buf),
  206. (const uint8_t*)"", 0, "ABC", 3));
  207. tt_int_op(S2K_BAD_ALGORITHM, OP_EQ,
  208. secret_to_key_derivekey(buf, sizeof(buf),
  209. (const uint8_t*)"\x10", 1, "ABC", 3));
  210. tt_int_op(S2K_BAD_LEN, OP_EQ,
  211. secret_to_key_derivekey(buf, sizeof(buf),
  212. (const uint8_t*)"\x01\x02", 2, "ABC", 3));
  213. tt_int_op(S2K_BAD_LEN, OP_EQ,
  214. secret_to_key_check((const uint8_t*)"", 0, "ABC", 3));
  215. tt_int_op(S2K_BAD_ALGORITHM, OP_EQ,
  216. secret_to_key_check((const uint8_t*)"\x10", 1, "ABC", 3));
  217. tt_int_op(S2K_BAD_LEN, OP_EQ,
  218. secret_to_key_check((const uint8_t*)"\x01\x02", 2, "ABC", 3));
  219. /* too long gets "BAD_LEN" too */
  220. memset(buf, 0, sizeof(buf));
  221. buf[0] = 2;
  222. tt_int_op(S2K_BAD_LEN, OP_EQ,
  223. secret_to_key_derivekey(buf2, sizeof(buf2),
  224. buf, sizeof(buf), "ABC", 3));
  225. /* Truncated output */
  226. #ifdef HAVE_LIBSCRYPT
  227. tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_new(buf, 50, &sz,
  228. "ABC", 3, 0));
  229. tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_new(buf, 50, &sz,
  230. "ABC", 3, S2K_FLAG_LOW_MEM));
  231. #endif /* defined(HAVE_LIBSCRYPT) */
  232. tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_new(buf, 37, &sz,
  233. "ABC", 3, S2K_FLAG_USE_PBKDF2));
  234. tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_new(buf, 29, &sz,
  235. "ABC", 3, S2K_FLAG_NO_SCRYPT));
  236. #ifdef HAVE_LIBSCRYPT
  237. tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_make_specifier(buf, 18, 0));
  238. tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_make_specifier(buf, 18,
  239. S2K_FLAG_LOW_MEM));
  240. #endif
  241. tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_make_specifier(buf, 17,
  242. S2K_FLAG_USE_PBKDF2));
  243. tt_int_op(S2K_TRUNCATED, OP_EQ, secret_to_key_make_specifier(buf, 9,
  244. S2K_FLAG_NO_SCRYPT));
  245. /* Now try using type-specific bogus specifiers. */
  246. /* It's a bad pbkdf2 buffer if it has an iteration count that would overflow
  247. * int32_t. */
  248. memset(buf, 0, sizeof(buf));
  249. buf[0] = 1; /* pbkdf2 */
  250. buf[17] = 100; /* 1<<100 is much bigger than INT32_MAX */
  251. tt_int_op(S2K_BAD_PARAMS, OP_EQ,
  252. secret_to_key_derivekey(buf2, sizeof(buf2),
  253. buf, 18, "ABC", 3));
  254. #ifdef HAVE_LIBSCRYPT
  255. /* It's a bad scrypt buffer if N would overflow uint64 */
  256. memset(buf, 0, sizeof(buf));
  257. buf[0] = 2; /* scrypt */
  258. buf[17] = 100; /* 1<<100 is much bigger than UINT64_MAX */
  259. tt_int_op(S2K_BAD_PARAMS, OP_EQ,
  260. secret_to_key_derivekey(buf2, sizeof(buf2),
  261. buf, 19, "ABC", 3));
  262. #endif /* defined(HAVE_LIBSCRYPT) */
  263. done:
  264. ;
  265. }
  266. static void
  267. test_crypto_scrypt_vectors(void *arg)
  268. {
  269. char *mem_op_hex_tmp = NULL;
  270. uint8_t spec[64], out[64];
  271. (void)arg;
  272. #ifndef HAVE_LIBSCRYPT
  273. if (1)
  274. tt_skip();
  275. #endif
  276. /* Test vectors from
  277. http://tools.ietf.org/html/draft-josefsson-scrypt-kdf-00 section 11.
  278. Note that the names of 'r' and 'N' are switched in that section. Or
  279. possibly in libscrypt.
  280. */
  281. base16_decode((char*)spec, sizeof(spec),
  282. "0400", 4);
  283. memset(out, 0x00, sizeof(out));
  284. tt_int_op(64, OP_EQ,
  285. secret_to_key_compute_key(out, 64, spec, 2, "", 0, 2));
  286. test_memeq_hex(out,
  287. "77d6576238657b203b19ca42c18a0497"
  288. "f16b4844e3074ae8dfdffa3fede21442"
  289. "fcd0069ded0948f8326a753a0fc81f17"
  290. "e8d3e0fb2e0d3628cf35e20c38d18906");
  291. base16_decode((char*)spec, sizeof(spec),
  292. "4e61436c" "0A34", 12);
  293. memset(out, 0x00, sizeof(out));
  294. tt_int_op(64, OP_EQ,
  295. secret_to_key_compute_key(out, 64, spec, 6, "password", 8, 2));
  296. test_memeq_hex(out,
  297. "fdbabe1c9d3472007856e7190d01e9fe"
  298. "7c6ad7cbc8237830e77376634b373162"
  299. "2eaf30d92e22a3886ff109279d9830da"
  300. "c727afb94a83ee6d8360cbdfa2cc0640");
  301. base16_decode((char*)spec, sizeof(spec),
  302. "536f6469756d43686c6f72696465" "0e30", 32);
  303. memset(out, 0x00, sizeof(out));
  304. tt_int_op(64, OP_EQ,
  305. secret_to_key_compute_key(out, 64, spec, 16,
  306. "pleaseletmein", 13, 2));
  307. test_memeq_hex(out,
  308. "7023bdcb3afd7348461c06cd81fd38eb"
  309. "fda8fbba904f8e3ea9b543f6545da1f2"
  310. "d5432955613f0fcf62d49705242a9af9"
  311. "e61e85dc0d651e40dfcf017b45575887");
  312. base16_decode((char*)spec, sizeof(spec),
  313. "536f6469756d43686c6f72696465" "1430", 32);
  314. memset(out, 0x00, sizeof(out));
  315. tt_int_op(64, OP_EQ,
  316. secret_to_key_compute_key(out, 64, spec, 16,
  317. "pleaseletmein", 13, 2));
  318. test_memeq_hex(out,
  319. "2101cb9b6a511aaeaddbbe09cf70f881"
  320. "ec568d574a2ffd4dabe5ee9820adaa47"
  321. "8e56fd8f4ba5d09ffa1c6d927c40f4c3"
  322. "37304049e8a952fbcbf45c6fa77a41a4");
  323. done:
  324. tor_free(mem_op_hex_tmp);
  325. }
  326. static void
  327. test_crypto_pbkdf2_vectors(void *arg)
  328. {
  329. char *mem_op_hex_tmp = NULL;
  330. uint8_t spec[64], out[64];
  331. (void)arg;
  332. /* Test vectors from RFC6070, section 2 */
  333. base16_decode((char*)spec, sizeof(spec),
  334. "73616c74" "00" , 10);
  335. memset(out, 0x00, sizeof(out));
  336. tt_int_op(20, OP_EQ,
  337. secret_to_key_compute_key(out, 20, spec, 5, "password", 8, 1));
  338. test_memeq_hex(out, "0c60c80f961f0e71f3a9b524af6012062fe037a6");
  339. base16_decode((char*)spec, sizeof(spec),
  340. "73616c74" "01" , 10);
  341. memset(out, 0x00, sizeof(out));
  342. tt_int_op(20, OP_EQ,
  343. secret_to_key_compute_key(out, 20, spec, 5, "password", 8, 1));
  344. test_memeq_hex(out, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957");
  345. base16_decode((char*)spec, sizeof(spec),
  346. "73616c74" "0C" , 10);
  347. memset(out, 0x00, sizeof(out));
  348. tt_int_op(20, OP_EQ,
  349. secret_to_key_compute_key(out, 20, spec, 5, "password", 8, 1));
  350. test_memeq_hex(out, "4b007901b765489abead49d926f721d065a429c1");
  351. /* This is the very slow one here. When enabled, it accounts for roughly
  352. * half the time spent in test-slow. */
  353. /*
  354. base16_decode((char*)spec, sizeof(spec),
  355. "73616c74" "18" , 10);
  356. memset(out, 0x00, sizeof(out));
  357. tt_int_op(20, OP_EQ,
  358. secret_to_key_compute_key(out, 20, spec, 5, "password", 8, 1));
  359. test_memeq_hex(out, "eefe3d61cd4da4e4e9945b3d6ba2158c2634e984");
  360. */
  361. base16_decode((char*)spec, sizeof(spec),
  362. "73616c7453414c5473616c7453414c5473616c745"
  363. "3414c5473616c7453414c5473616c74" "0C" , 74);
  364. memset(out, 0x00, sizeof(out));
  365. tt_int_op(25, OP_EQ,
  366. secret_to_key_compute_key(out, 25, spec, 37,
  367. "passwordPASSWORDpassword", 24, 1));
  368. test_memeq_hex(out, "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038");
  369. base16_decode((char*)spec, sizeof(spec),
  370. "7361006c74" "0c" , 12);
  371. memset(out, 0x00, sizeof(out));
  372. tt_int_op(16, OP_EQ,
  373. secret_to_key_compute_key(out, 16, spec, 6, "pass\0word", 9, 1));
  374. test_memeq_hex(out, "56fa6aa75548099dcc37d7f03425e0c3");
  375. done:
  376. tor_free(mem_op_hex_tmp);
  377. }
  378. static void
  379. test_crypto_pwbox(void *arg)
  380. {
  381. uint8_t *boxed=NULL, *decoded=NULL;
  382. size_t len, dlen;
  383. unsigned i;
  384. const char msg[] = "This bunny reminds you that you still have a "
  385. "salamander in your sylladex. She is holding the bunny Dave got you. "
  386. "It’s sort of uncanny how similar they are, aside from the knitted "
  387. "enhancements. Seriously, what are the odds?? So weird.";
  388. const char pw[] = "I'm a night owl and a wise bird too";
  389. const unsigned flags[] = { 0,
  390. S2K_FLAG_NO_SCRYPT,
  391. S2K_FLAG_LOW_MEM,
  392. S2K_FLAG_NO_SCRYPT|S2K_FLAG_LOW_MEM,
  393. S2K_FLAG_USE_PBKDF2 };
  394. (void)arg;
  395. for (i = 0; i < ARRAY_LENGTH(flags); ++i) {
  396. tt_int_op(0, OP_EQ, crypto_pwbox(&boxed, &len,
  397. (const uint8_t*)msg, strlen(msg),
  398. pw, strlen(pw), flags[i]));
  399. tt_assert(boxed);
  400. tt_assert(len > 128+32);
  401. tt_int_op(0, OP_EQ, crypto_unpwbox(&decoded, &dlen, boxed, len,
  402. pw, strlen(pw)));
  403. tt_assert(decoded);
  404. tt_uint_op(dlen, OP_EQ, strlen(msg));
  405. tt_mem_op(decoded, OP_EQ, msg, dlen);
  406. tor_free(decoded);
  407. tt_int_op(UNPWBOX_BAD_SECRET, OP_EQ, crypto_unpwbox(&decoded, &dlen,
  408. boxed, len,
  409. pw, strlen(pw)-1));
  410. boxed[len-1] ^= 1;
  411. tt_int_op(UNPWBOX_BAD_SECRET, OP_EQ, crypto_unpwbox(&decoded, &dlen,
  412. boxed, len,
  413. pw, strlen(pw)));
  414. boxed[0] = 255;
  415. tt_int_op(UNPWBOX_CORRUPTED, OP_EQ, crypto_unpwbox(&decoded, &dlen,
  416. boxed, len,
  417. pw, strlen(pw)));
  418. tor_free(boxed);
  419. }
  420. done:
  421. tor_free(boxed);
  422. tor_free(decoded);
  423. }
  424. static void
  425. test_crypto_ed25519_fuzz_donna(void *arg)
  426. {
  427. const unsigned iters = 1024;
  428. uint8_t msg[1024];
  429. unsigned i;
  430. (void)arg;
  431. tt_uint_op(iters, OP_EQ, sizeof(msg));
  432. crypto_rand((char*) msg, sizeof(msg));
  433. /* Fuzz Ed25519-donna vs ref10, alternating the implementation used to
  434. * generate keys/sign per iteration.
  435. */
  436. for (i = 0; i < iters; ++i) {
  437. const int use_donna = i & 1;
  438. uint8_t blinding[32];
  439. curve25519_keypair_t ckp;
  440. ed25519_keypair_t kp, kp_blind, kp_curve25519;
  441. ed25519_public_key_t pk, pk_blind, pk_curve25519;
  442. ed25519_signature_t sig, sig_blind;
  443. int bit = 0;
  444. crypto_rand((char*) blinding, sizeof(blinding));
  445. /* Impl. A:
  446. * 1. Generate a keypair.
  447. * 2. Blinded the keypair.
  448. * 3. Sign a message (unblinded).
  449. * 4. Sign a message (blinded).
  450. * 5. Generate a curve25519 keypair, and convert it to Ed25519.
  451. */
  452. ed25519_set_impl_params(use_donna);
  453. tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, i&1));
  454. tt_int_op(0, OP_EQ, ed25519_keypair_blind(&kp_blind, &kp, blinding));
  455. tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, i, &kp));
  456. tt_int_op(0, OP_EQ, ed25519_sign(&sig_blind, msg, i, &kp_blind));
  457. tt_int_op(0, OP_EQ, curve25519_keypair_generate(&ckp, i&1));
  458. tt_int_op(0, OP_EQ, ed25519_keypair_from_curve25519_keypair(
  459. &kp_curve25519, &bit, &ckp));
  460. /* Impl. B:
  461. * 1. Validate the public key by rederiving it.
  462. * 2. Validate the blinded public key by rederiving it.
  463. * 3. Validate the unblinded signature (and test a invalid signature).
  464. * 4. Validate the blinded signature.
  465. * 5. Validate the public key (from Curve25519) by rederiving it.
  466. */
  467. ed25519_set_impl_params(!use_donna);
  468. tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &kp.seckey));
  469. tt_mem_op(pk.pubkey, OP_EQ, kp.pubkey.pubkey, 32);
  470. tt_int_op(0, OP_EQ, ed25519_public_blind(&pk_blind, &kp.pubkey, blinding));
  471. tt_mem_op(pk_blind.pubkey, OP_EQ, kp_blind.pubkey.pubkey, 32);
  472. tt_int_op(0, OP_EQ, ed25519_checksig(&sig, msg, i, &pk));
  473. sig.sig[0] ^= 15;
  474. tt_int_op(-1, OP_EQ, ed25519_checksig(&sig, msg, sizeof(msg), &pk));
  475. tt_int_op(0, OP_EQ, ed25519_checksig(&sig_blind, msg, i, &pk_blind));
  476. tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
  477. &pk_curve25519, &ckp.pubkey, bit));
  478. tt_mem_op(pk_curve25519.pubkey, OP_EQ, kp_curve25519.pubkey.pubkey, 32);
  479. }
  480. done:
  481. ;
  482. }
  483. #define CRYPTO_LEGACY(name) \
  484. { #name, test_crypto_ ## name , 0, NULL, NULL }
  485. #define ED25519_TEST_ONE(name, fl, which) \
  486. { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
  487. &ed25519_test_setup, (void*)which }
  488. #define ED25519_TEST(name, fl) \
  489. ED25519_TEST_ONE(name, (fl), "donna"), \
  490. ED25519_TEST_ONE(name, (fl), "ref10")
  491. struct testcase_t slow_crypto_tests[] = {
  492. CRYPTO_LEGACY(s2k_rfc2440),
  493. #ifdef HAVE_LIBSCRYPT
  494. { "s2k_scrypt", test_crypto_s2k_general, 0, &passthrough_setup,
  495. (void*)"scrypt" },
  496. { "s2k_scrypt_low", test_crypto_s2k_general, 0, &passthrough_setup,
  497. (void*)"scrypt-low" },
  498. #ifdef HAVE_EVP_PBE_SCRYPT
  499. { "libscrypt_eq_openssl", test_libscrypt_eq_openssl, 0, NULL, NULL },
  500. #endif
  501. #endif /* defined(HAVE_LIBSCRYPT) */
  502. { "s2k_pbkdf2", test_crypto_s2k_general, 0, &passthrough_setup,
  503. (void*)"pbkdf2" },
  504. { "s2k_rfc2440_general", test_crypto_s2k_general, 0, &passthrough_setup,
  505. (void*)"rfc2440" },
  506. { "s2k_rfc2440_legacy", test_crypto_s2k_general, 0, &passthrough_setup,
  507. (void*)"rfc2440-legacy" },
  508. { "s2k_errors", test_crypto_s2k_errors, 0, NULL, NULL },
  509. { "scrypt_vectors", test_crypto_scrypt_vectors, 0, NULL, NULL },
  510. { "pbkdf2_vectors", test_crypto_pbkdf2_vectors, 0, NULL, NULL },
  511. { "pwbox", test_crypto_pwbox, 0, NULL, NULL },
  512. ED25519_TEST(fuzz_donna, TT_FORK),
  513. END_OF_TESTCASES
  514. };