test_crypto.c 57 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671
  1. /* Copyright (c) 2001-2004, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2013, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. #include "orconfig.h"
  6. #define CRYPTO_CURVE25519_PRIVATE
  7. #include "or.h"
  8. #include "test.h"
  9. #include "aes.h"
  10. #include "util.h"
  11. #include "siphash.h"
  12. #ifdef CURVE25519_ENABLED
  13. #include "crypto_curve25519.h"
  14. #include "crypto_ed25519.h"
  15. #include "ed25519_vectors.inc"
  16. #endif
  17. extern const char AUTHORITY_SIGNKEY_3[];
  18. extern const char AUTHORITY_SIGNKEY_A_DIGEST[];
  19. extern const char AUTHORITY_SIGNKEY_A_DIGEST256[];
  20. /** Run unit tests for Diffie-Hellman functionality. */
  21. static void
  22. test_crypto_dh(void)
  23. {
  24. crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
  25. crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
  26. char p1[DH_BYTES];
  27. char p2[DH_BYTES];
  28. char s1[DH_BYTES];
  29. char s2[DH_BYTES];
  30. ssize_t s1len, s2len;
  31. test_eq(crypto_dh_get_bytes(dh1), DH_BYTES);
  32. test_eq(crypto_dh_get_bytes(dh2), DH_BYTES);
  33. memset(p1, 0, DH_BYTES);
  34. memset(p2, 0, DH_BYTES);
  35. test_memeq(p1, p2, DH_BYTES);
  36. test_assert(! crypto_dh_get_public(dh1, p1, DH_BYTES));
  37. test_memneq(p1, p2, DH_BYTES);
  38. test_assert(! crypto_dh_get_public(dh2, p2, DH_BYTES));
  39. test_memneq(p1, p2, DH_BYTES);
  40. memset(s1, 0, DH_BYTES);
  41. memset(s2, 0xFF, DH_BYTES);
  42. s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH_BYTES, s1, 50);
  43. s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH_BYTES, s2, 50);
  44. test_assert(s1len > 0);
  45. test_eq(s1len, s2len);
  46. test_memeq(s1, s2, s1len);
  47. {
  48. /* XXXX Now fabricate some bad values and make sure they get caught,
  49. * Check 0, 1, N-1, >= N, etc.
  50. */
  51. }
  52. done:
  53. crypto_dh_free(dh1);
  54. crypto_dh_free(dh2);
  55. }
  56. /** Run unit tests for our random number generation function and its wrappers.
  57. */
  58. static void
  59. test_crypto_rng(void)
  60. {
  61. int i, j, allok;
  62. char data1[100], data2[100];
  63. double d;
  64. /* Try out RNG. */
  65. test_assert(! crypto_seed_rng(0));
  66. crypto_rand(data1, 100);
  67. crypto_rand(data2, 100);
  68. test_memneq(data1,data2,100);
  69. allok = 1;
  70. for (i = 0; i < 100; ++i) {
  71. uint64_t big;
  72. char *host;
  73. j = crypto_rand_int(100);
  74. if (j < 0 || j >= 100)
  75. allok = 0;
  76. big = crypto_rand_uint64(U64_LITERAL(1)<<40);
  77. if (big >= (U64_LITERAL(1)<<40))
  78. allok = 0;
  79. big = crypto_rand_uint64(U64_LITERAL(5));
  80. if (big >= 5)
  81. allok = 0;
  82. d = crypto_rand_double();
  83. test_assert(d >= 0);
  84. test_assert(d < 1.0);
  85. host = crypto_random_hostname(3,8,"www.",".onion");
  86. if (strcmpstart(host,"www.") ||
  87. strcmpend(host,".onion") ||
  88. strlen(host) < 13 ||
  89. strlen(host) > 18)
  90. allok = 0;
  91. tor_free(host);
  92. }
  93. test_assert(allok);
  94. done:
  95. ;
  96. }
  97. /** Run unit tests for our AES functionality */
  98. static void
  99. test_crypto_aes(void *arg)
  100. {
  101. char *data1 = NULL, *data2 = NULL, *data3 = NULL;
  102. crypto_cipher_t *env1 = NULL, *env2 = NULL;
  103. int i, j;
  104. char *mem_op_hex_tmp=NULL;
  105. int use_evp = !strcmp(arg,"evp");
  106. evaluate_evp_for_aes(use_evp);
  107. evaluate_ctr_for_aes();
  108. data1 = tor_malloc(1024);
  109. data2 = tor_malloc(1024);
  110. data3 = tor_malloc(1024);
  111. /* Now, test encryption and decryption with stream cipher. */
  112. data1[0]='\0';
  113. for (i = 1023; i>0; i -= 35)
  114. strncat(data1, "Now is the time for all good onions", i);
  115. memset(data2, 0, 1024);
  116. memset(data3, 0, 1024);
  117. env1 = crypto_cipher_new(NULL);
  118. test_neq_ptr(env1, 0);
  119. env2 = crypto_cipher_new(crypto_cipher_get_key(env1));
  120. test_neq_ptr(env2, 0);
  121. /* Try encrypting 512 chars. */
  122. crypto_cipher_encrypt(env1, data2, data1, 512);
  123. crypto_cipher_decrypt(env2, data3, data2, 512);
  124. test_memeq(data1, data3, 512);
  125. test_memneq(data1, data2, 512);
  126. /* Now encrypt 1 at a time, and get 1 at a time. */
  127. for (j = 512; j < 560; ++j) {
  128. crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
  129. }
  130. for (j = 512; j < 560; ++j) {
  131. crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
  132. }
  133. test_memeq(data1, data3, 560);
  134. /* Now encrypt 3 at a time, and get 5 at a time. */
  135. for (j = 560; j < 1024-5; j += 3) {
  136. crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
  137. }
  138. for (j = 560; j < 1024-5; j += 5) {
  139. crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
  140. }
  141. test_memeq(data1, data3, 1024-5);
  142. /* Now make sure that when we encrypt with different chunk sizes, we get
  143. the same results. */
  144. crypto_cipher_free(env2);
  145. env2 = NULL;
  146. memset(data3, 0, 1024);
  147. env2 = crypto_cipher_new(crypto_cipher_get_key(env1));
  148. test_neq_ptr(env2, NULL);
  149. for (j = 0; j < 1024-16; j += 17) {
  150. crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
  151. }
  152. for (j= 0; j < 1024-16; ++j) {
  153. if (data2[j] != data3[j]) {
  154. printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]);
  155. }
  156. }
  157. test_memeq(data2, data3, 1024-16);
  158. crypto_cipher_free(env1);
  159. env1 = NULL;
  160. crypto_cipher_free(env2);
  161. env2 = NULL;
  162. /* NIST test vector for aes. */
  163. /* IV starts at 0 */
  164. env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
  165. "\x00\x00\x00\x00\x00\x00\x00\x00");
  166. crypto_cipher_encrypt(env1, data1,
  167. "\x00\x00\x00\x00\x00\x00\x00\x00"
  168. "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
  169. test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");
  170. /* Now test rollover. All these values are originally from a python
  171. * script. */
  172. crypto_cipher_free(env1);
  173. env1 = crypto_cipher_new_with_iv(
  174. "\x80\x00\x00\x00\x00\x00\x00\x00"
  175. "\x00\x00\x00\x00\x00\x00\x00\x00",
  176. "\x00\x00\x00\x00\x00\x00\x00\x00"
  177. "\xff\xff\xff\xff\xff\xff\xff\xff");
  178. memset(data2, 0, 1024);
  179. crypto_cipher_encrypt(env1, data1, data2, 32);
  180. test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
  181. "cdd0b917dbc7186908a6bfb5ffd574d3");
  182. crypto_cipher_free(env1);
  183. env1 = crypto_cipher_new_with_iv(
  184. "\x80\x00\x00\x00\x00\x00\x00\x00"
  185. "\x00\x00\x00\x00\x00\x00\x00\x00",
  186. "\x00\x00\x00\x00\xff\xff\xff\xff"
  187. "\xff\xff\xff\xff\xff\xff\xff\xff");
  188. memset(data2, 0, 1024);
  189. crypto_cipher_encrypt(env1, data1, data2, 32);
  190. test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
  191. "3e63c721df790d2c6469cc1953a3ffac");
  192. crypto_cipher_free(env1);
  193. env1 = crypto_cipher_new_with_iv(
  194. "\x80\x00\x00\x00\x00\x00\x00\x00"
  195. "\x00\x00\x00\x00\x00\x00\x00\x00",
  196. "\xff\xff\xff\xff\xff\xff\xff\xff"
  197. "\xff\xff\xff\xff\xff\xff\xff\xff");
  198. memset(data2, 0, 1024);
  199. crypto_cipher_encrypt(env1, data1, data2, 32);
  200. test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
  201. "0EDD33D3C621E546455BD8BA1418BEC8");
  202. /* Now check rollover on inplace cipher. */
  203. crypto_cipher_free(env1);
  204. env1 = crypto_cipher_new_with_iv(
  205. "\x80\x00\x00\x00\x00\x00\x00\x00"
  206. "\x00\x00\x00\x00\x00\x00\x00\x00",
  207. "\xff\xff\xff\xff\xff\xff\xff\xff"
  208. "\xff\xff\xff\xff\xff\xff\xff\xff");
  209. crypto_cipher_crypt_inplace(env1, data2, 64);
  210. test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
  211. "0EDD33D3C621E546455BD8BA1418BEC8"
  212. "93e2c5243d6839eac58503919192f7ae"
  213. "1908e67cafa08d508816659c2e693191");
  214. crypto_cipher_free(env1);
  215. env1 = crypto_cipher_new_with_iv(
  216. "\x80\x00\x00\x00\x00\x00\x00\x00"
  217. "\x00\x00\x00\x00\x00\x00\x00\x00",
  218. "\xff\xff\xff\xff\xff\xff\xff\xff"
  219. "\xff\xff\xff\xff\xff\xff\xff\xff");
  220. crypto_cipher_crypt_inplace(env1, data2, 64);
  221. test_assert(tor_mem_is_zero(data2, 64));
  222. done:
  223. tor_free(mem_op_hex_tmp);
  224. if (env1)
  225. crypto_cipher_free(env1);
  226. if (env2)
  227. crypto_cipher_free(env2);
  228. tor_free(data1);
  229. tor_free(data2);
  230. tor_free(data3);
  231. }
  232. /** Run unit tests for our SHA-1 functionality */
  233. static void
  234. test_crypto_sha(void)
  235. {
  236. crypto_digest_t *d1 = NULL, *d2 = NULL;
  237. int i;
  238. char key[160];
  239. char digest[32];
  240. char data[50];
  241. char d_out1[DIGEST_LEN], d_out2[DIGEST256_LEN];
  242. char *mem_op_hex_tmp=NULL;
  243. /* Test SHA-1 with a test vector from the specification. */
  244. i = crypto_digest(data, "abc", 3);
  245. test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
  246. tt_int_op(i, ==, 0);
  247. /* Test SHA-256 with a test vector from the specification. */
  248. i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
  249. test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
  250. "96177A9CB410FF61F20015AD");
  251. tt_int_op(i, ==, 0);
  252. /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
  253. /* Case empty (wikipedia) */
  254. crypto_hmac_sha256(digest, "", 0, "", 0);
  255. test_streq(hex_str(digest, 32),
  256. "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
  257. /* Case quick-brown (wikipedia) */
  258. crypto_hmac_sha256(digest, "key", 3,
  259. "The quick brown fox jumps over the lazy dog", 43);
  260. test_streq(hex_str(digest, 32),
  261. "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
  262. /* "Test Case 1" from RFC 4231 */
  263. memset(key, 0x0b, 20);
  264. crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
  265. test_memeq_hex(digest,
  266. "b0344c61d8db38535ca8afceaf0bf12b"
  267. "881dc200c9833da726e9376c2e32cff7");
  268. /* "Test Case 2" from RFC 4231 */
  269. memset(key, 0x0b, 20);
  270. crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
  271. test_memeq_hex(digest,
  272. "5bdcc146bf60754e6a042426089575c7"
  273. "5a003f089d2739839dec58b964ec3843");
  274. /* "Test case 3" from RFC 4231 */
  275. memset(key, 0xaa, 20);
  276. memset(data, 0xdd, 50);
  277. crypto_hmac_sha256(digest, key, 20, data, 50);
  278. test_memeq_hex(digest,
  279. "773ea91e36800e46854db8ebd09181a7"
  280. "2959098b3ef8c122d9635514ced565fe");
  281. /* "Test case 4" from RFC 4231 */
  282. base16_decode(key, 25,
  283. "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
  284. memset(data, 0xcd, 50);
  285. crypto_hmac_sha256(digest, key, 25, data, 50);
  286. test_memeq_hex(digest,
  287. "82558a389a443c0ea4cc819899f2083a"
  288. "85f0faa3e578f8077a2e3ff46729665b");
  289. /* "Test case 5" from RFC 4231 */
  290. memset(key, 0x0c, 20);
  291. crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
  292. test_memeq_hex(digest,
  293. "a3b6167473100ee06e0c796c2955552b");
  294. /* "Test case 6" from RFC 4231 */
  295. memset(key, 0xaa, 131);
  296. crypto_hmac_sha256(digest, key, 131,
  297. "Test Using Larger Than Block-Size Key - Hash Key First",
  298. 54);
  299. test_memeq_hex(digest,
  300. "60e431591ee0b67f0d8a26aacbf5b77f"
  301. "8e0bc6213728c5140546040f0ee37f54");
  302. /* "Test case 7" from RFC 4231 */
  303. memset(key, 0xaa, 131);
  304. crypto_hmac_sha256(digest, key, 131,
  305. "This is a test using a larger than block-size key and a "
  306. "larger than block-size data. The key needs to be hashed "
  307. "before being used by the HMAC algorithm.", 152);
  308. test_memeq_hex(digest,
  309. "9b09ffa71b942fcb27635fbcd5b0e944"
  310. "bfdc63644f0713938a7f51535c3a35e2");
  311. /* Incremental digest code. */
  312. d1 = crypto_digest_new();
  313. test_assert(d1);
  314. crypto_digest_add_bytes(d1, "abcdef", 6);
  315. d2 = crypto_digest_dup(d1);
  316. test_assert(d2);
  317. crypto_digest_add_bytes(d2, "ghijkl", 6);
  318. crypto_digest_get_digest(d2, d_out1, sizeof(d_out1));
  319. crypto_digest(d_out2, "abcdefghijkl", 12);
  320. test_memeq(d_out1, d_out2, DIGEST_LEN);
  321. crypto_digest_assign(d2, d1);
  322. crypto_digest_add_bytes(d2, "mno", 3);
  323. crypto_digest_get_digest(d2, d_out1, sizeof(d_out1));
  324. crypto_digest(d_out2, "abcdefmno", 9);
  325. test_memeq(d_out1, d_out2, DIGEST_LEN);
  326. crypto_digest_get_digest(d1, d_out1, sizeof(d_out1));
  327. crypto_digest(d_out2, "abcdef", 6);
  328. test_memeq(d_out1, d_out2, DIGEST_LEN);
  329. crypto_digest_free(d1);
  330. crypto_digest_free(d2);
  331. /* Incremental digest code with sha256 */
  332. d1 = crypto_digest256_new(DIGEST_SHA256);
  333. test_assert(d1);
  334. crypto_digest_add_bytes(d1, "abcdef", 6);
  335. d2 = crypto_digest_dup(d1);
  336. test_assert(d2);
  337. crypto_digest_add_bytes(d2, "ghijkl", 6);
  338. crypto_digest_get_digest(d2, d_out1, sizeof(d_out1));
  339. crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
  340. test_memeq(d_out1, d_out2, DIGEST_LEN);
  341. crypto_digest_assign(d2, d1);
  342. crypto_digest_add_bytes(d2, "mno", 3);
  343. crypto_digest_get_digest(d2, d_out1, sizeof(d_out1));
  344. crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
  345. test_memeq(d_out1, d_out2, DIGEST_LEN);
  346. crypto_digest_get_digest(d1, d_out1, sizeof(d_out1));
  347. crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
  348. test_memeq(d_out1, d_out2, DIGEST_LEN);
  349. done:
  350. if (d1)
  351. crypto_digest_free(d1);
  352. if (d2)
  353. crypto_digest_free(d2);
  354. tor_free(mem_op_hex_tmp);
  355. }
  356. /** Run unit tests for our public key crypto functions */
  357. static void
  358. test_crypto_pk(void)
  359. {
  360. crypto_pk_t *pk1 = NULL, *pk2 = NULL;
  361. char *encoded = NULL;
  362. char data1[1024], data2[1024], data3[1024];
  363. size_t size;
  364. int i, len;
  365. /* Public-key ciphers */
  366. pk1 = pk_generate(0);
  367. pk2 = crypto_pk_new();
  368. test_assert(pk1 && pk2);
  369. test_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size));
  370. test_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size));
  371. test_eq(0, crypto_pk_cmp_keys(pk1, pk2));
  372. /* comparison between keys and NULL */
  373. tt_int_op(crypto_pk_cmp_keys(NULL, pk1), <, 0);
  374. tt_int_op(crypto_pk_cmp_keys(NULL, NULL), ==, 0);
  375. tt_int_op(crypto_pk_cmp_keys(pk1, NULL), >, 0);
  376. test_eq(128, crypto_pk_keysize(pk1));
  377. test_eq(1024, crypto_pk_num_bits(pk1));
  378. test_eq(128, crypto_pk_keysize(pk2));
  379. test_eq(1024, crypto_pk_num_bits(pk2));
  380. test_eq(128, crypto_pk_public_encrypt(pk2, data1, sizeof(data1),
  381. "Hello whirled.", 15,
  382. PK_PKCS1_OAEP_PADDING));
  383. test_eq(128, crypto_pk_public_encrypt(pk1, data2, sizeof(data1),
  384. "Hello whirled.", 15,
  385. PK_PKCS1_OAEP_PADDING));
  386. /* oaep padding should make encryption not match */
  387. test_memneq(data1, data2, 128);
  388. test_eq(15, crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128,
  389. PK_PKCS1_OAEP_PADDING,1));
  390. test_streq(data3, "Hello whirled.");
  391. memset(data3, 0, 1024);
  392. test_eq(15, crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
  393. PK_PKCS1_OAEP_PADDING,1));
  394. test_streq(data3, "Hello whirled.");
  395. /* Can't decrypt with public key. */
  396. test_eq(-1, crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128,
  397. PK_PKCS1_OAEP_PADDING,1));
  398. /* Try again with bad padding */
  399. memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
  400. test_eq(-1, crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
  401. PK_PKCS1_OAEP_PADDING,1));
  402. /* File operations: save and load private key */
  403. test_assert(! crypto_pk_write_private_key_to_filename(pk1,
  404. get_fname("pkey1")));
  405. /* failing case for read: can't read. */
  406. test_assert(crypto_pk_read_private_key_from_filename(pk2,
  407. get_fname("xyzzy")) < 0);
  408. write_str_to_file(get_fname("xyzzy"), "foobar", 6);
  409. /* Failing case for read: no key. */
  410. test_assert(crypto_pk_read_private_key_from_filename(pk2,
  411. get_fname("xyzzy")) < 0);
  412. test_assert(! crypto_pk_read_private_key_from_filename(pk2,
  413. get_fname("pkey1")));
  414. test_eq(15, crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128,
  415. PK_PKCS1_OAEP_PADDING,1));
  416. /* Now try signing. */
  417. strlcpy(data1, "Ossifrage", 1024);
  418. test_eq(128, crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10));
  419. test_eq(10,
  420. crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
  421. test_streq(data3, "Ossifrage");
  422. /* Try signing digests. */
  423. test_eq(128, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2),
  424. data1, 10));
  425. test_eq(20,
  426. crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
  427. test_eq(0, crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128));
  428. test_eq(-1, crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128));
  429. /*XXXX test failed signing*/
  430. /* Try encoding */
  431. crypto_pk_free(pk2);
  432. pk2 = NULL;
  433. i = crypto_pk_asn1_encode(pk1, data1, 1024);
  434. test_assert(i>0);
  435. pk2 = crypto_pk_asn1_decode(data1, i);
  436. test_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
  437. /* Try with hybrid encryption wrappers. */
  438. crypto_rand(data1, 1024);
  439. for (i = 85; i < 140; ++i) {
  440. memset(data2,0,1024);
  441. memset(data3,0,1024);
  442. len = crypto_pk_public_hybrid_encrypt(pk1,data2,sizeof(data2),
  443. data1,i,PK_PKCS1_OAEP_PADDING,0);
  444. test_assert(len>=0);
  445. len = crypto_pk_private_hybrid_decrypt(pk1,data3,sizeof(data3),
  446. data2,len,PK_PKCS1_OAEP_PADDING,1);
  447. test_eq(len,i);
  448. test_memeq(data1,data3,i);
  449. }
  450. /* Try copy_full */
  451. crypto_pk_free(pk2);
  452. pk2 = crypto_pk_copy_full(pk1);
  453. test_assert(pk2 != NULL);
  454. test_neq_ptr(pk1, pk2);
  455. test_assert(crypto_pk_cmp_keys(pk1,pk2) == 0);
  456. done:
  457. if (pk1)
  458. crypto_pk_free(pk1);
  459. if (pk2)
  460. crypto_pk_free(pk2);
  461. tor_free(encoded);
  462. }
  463. static void
  464. test_crypto_pk_fingerprints(void *arg)
  465. {
  466. crypto_pk_t *pk = NULL;
  467. char encoded[512];
  468. char d[DIGEST_LEN], d2[DIGEST_LEN];
  469. char fingerprint[FINGERPRINT_LEN+1];
  470. int n;
  471. unsigned i;
  472. char *mem_op_hex_tmp=NULL;
  473. (void)arg;
  474. pk = pk_generate(1);
  475. tt_assert(pk);
  476. n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded));
  477. tt_int_op(n, >, 0);
  478. tt_int_op(n, >, 128);
  479. tt_int_op(n, <, 256);
  480. /* Is digest as expected? */
  481. crypto_digest(d, encoded, n);
  482. tt_int_op(0, ==, crypto_pk_get_digest(pk, d2));
  483. test_memeq(d, d2, DIGEST_LEN);
  484. /* Is fingerprint right? */
  485. tt_int_op(0, ==, crypto_pk_get_fingerprint(pk, fingerprint, 0));
  486. tt_int_op(strlen(fingerprint), ==, DIGEST_LEN * 2);
  487. test_memeq_hex(d, fingerprint);
  488. /* Are spaces right? */
  489. tt_int_op(0, ==, crypto_pk_get_fingerprint(pk, fingerprint, 1));
  490. for (i = 4; i < strlen(fingerprint); i += 5) {
  491. tt_int_op(fingerprint[i], ==, ' ');
  492. }
  493. tor_strstrip(fingerprint, " ");
  494. tt_int_op(strlen(fingerprint), ==, DIGEST_LEN * 2);
  495. test_memeq_hex(d, fingerprint);
  496. /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
  497. crypto_digest(d2, d, sizeof(d));
  498. tt_int_op(0, ==, crypto_pk_get_hashed_fingerprint(pk, fingerprint));
  499. tt_int_op(strlen(fingerprint), ==, DIGEST_LEN * 2);
  500. test_memeq_hex(d2, fingerprint);
  501. done:
  502. crypto_pk_free(pk);
  503. tor_free(mem_op_hex_tmp);
  504. }
  505. /** Sanity check for crypto pk digests */
  506. static void
  507. test_crypto_digests(void)
  508. {
  509. crypto_pk_t *k = NULL;
  510. ssize_t r;
  511. digests_t pkey_digests;
  512. char digest[DIGEST_LEN];
  513. k = crypto_pk_new();
  514. test_assert(k);
  515. r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3, -1);
  516. test_assert(!r);
  517. r = crypto_pk_get_digest(k, digest);
  518. test_assert(r == 0);
  519. test_memeq(hex_str(digest, DIGEST_LEN),
  520. AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
  521. r = crypto_pk_get_all_digests(k, &pkey_digests);
  522. test_memeq(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),
  523. AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
  524. test_memeq(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),
  525. AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN);
  526. done:
  527. crypto_pk_free(k);
  528. }
  529. /** Run unit tests for misc crypto formatting functionality (base64, base32,
  530. * fingerprints, etc) */
  531. static void
  532. test_crypto_formats(void)
  533. {
  534. char *data1 = NULL, *data2 = NULL, *data3 = NULL;
  535. int i, j, idx;
  536. data1 = tor_malloc(1024);
  537. data2 = tor_malloc(1024);
  538. data3 = tor_malloc(1024);
  539. test_assert(data1 && data2 && data3);
  540. /* Base64 tests */
  541. memset(data1, 6, 1024);
  542. for (idx = 0; idx < 10; ++idx) {
  543. i = base64_encode(data2, 1024, data1, idx);
  544. test_assert(i >= 0);
  545. j = base64_decode(data3, 1024, data2, i);
  546. test_eq(j,idx);
  547. test_memeq(data3, data1, idx);
  548. }
  549. strlcpy(data1, "Test string that contains 35 chars.", 1024);
  550. strlcat(data1, " 2nd string that contains 35 chars.", 1024);
  551. i = base64_encode(data2, 1024, data1, 71);
  552. test_assert(i >= 0);
  553. j = base64_decode(data3, 1024, data2, i);
  554. test_eq(j, 71);
  555. test_streq(data3, data1);
  556. test_assert(data2[i] == '\0');
  557. crypto_rand(data1, DIGEST_LEN);
  558. memset(data2, 100, 1024);
  559. digest_to_base64(data2, data1);
  560. test_eq(BASE64_DIGEST_LEN, strlen(data2));
  561. test_eq(100, data2[BASE64_DIGEST_LEN+2]);
  562. memset(data3, 99, 1024);
  563. test_eq(digest_from_base64(data3, data2), 0);
  564. test_memeq(data1, data3, DIGEST_LEN);
  565. test_eq(99, data3[DIGEST_LEN+1]);
  566. test_assert(digest_from_base64(data3, "###") < 0);
  567. /* Encoding SHA256 */
  568. crypto_rand(data2, DIGEST256_LEN);
  569. memset(data2, 100, 1024);
  570. digest256_to_base64(data2, data1);
  571. test_eq(BASE64_DIGEST256_LEN, strlen(data2));
  572. test_eq(100, data2[BASE64_DIGEST256_LEN+2]);
  573. memset(data3, 99, 1024);
  574. test_eq(digest256_from_base64(data3, data2), 0);
  575. test_memeq(data1, data3, DIGEST256_LEN);
  576. test_eq(99, data3[DIGEST256_LEN+1]);
  577. /* Base32 tests */
  578. strlcpy(data1, "5chrs", 1024);
  579. /* bit pattern is: [35 63 68 72 73] ->
  580. * [00110101 01100011 01101000 01110010 01110011]
  581. * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
  582. */
  583. base32_encode(data2, 9, data1, 5);
  584. test_streq(data2, "gvrwq4tt");
  585. strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
  586. base32_encode(data2, 30, data1, 10);
  587. test_streq(data2, "772w2rfobvomsywe");
  588. /* Base16 tests */
  589. strlcpy(data1, "6chrs\xff", 1024);
  590. base16_encode(data2, 13, data1, 6);
  591. test_streq(data2, "3663687273FF");
  592. strlcpy(data1, "f0d678affc000100", 1024);
  593. i = base16_decode(data2, 8, data1, 16);
  594. test_eq(i,0);
  595. test_memeq(data2, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
  596. /* now try some failing base16 decodes */
  597. test_eq(-1, base16_decode(data2, 8, data1, 15)); /* odd input len */
  598. test_eq(-1, base16_decode(data2, 7, data1, 16)); /* dest too short */
  599. strlcpy(data1, "f0dz!8affc000100", 1024);
  600. test_eq(-1, base16_decode(data2, 8, data1, 16));
  601. tor_free(data1);
  602. tor_free(data2);
  603. tor_free(data3);
  604. /* Add spaces to fingerprint */
  605. {
  606. data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
  607. test_eq(strlen(data1), 40);
  608. data2 = tor_malloc(FINGERPRINT_LEN+1);
  609. crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1);
  610. test_streq(data2, "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
  611. tor_free(data1);
  612. tor_free(data2);
  613. }
  614. done:
  615. tor_free(data1);
  616. tor_free(data2);
  617. tor_free(data3);
  618. }
  619. /** Run unit tests for our secret-to-key passphrase hashing functionality. */
  620. static void
  621. test_crypto_s2k(void)
  622. {
  623. char buf[29];
  624. char buf2[29];
  625. char *buf3 = NULL;
  626. int i;
  627. memset(buf, 0, sizeof(buf));
  628. memset(buf2, 0, sizeof(buf2));
  629. buf3 = tor_malloc(65536);
  630. memset(buf3, 0, 65536);
  631. secret_to_key(buf+9, 20, "", 0, buf);
  632. crypto_digest(buf2+9, buf3, 1024);
  633. test_memeq(buf, buf2, 29);
  634. memcpy(buf,"vrbacrda",8);
  635. memcpy(buf2,"vrbacrda",8);
  636. buf[8] = 96;
  637. buf2[8] = 96;
  638. secret_to_key(buf+9, 20, "12345678", 8, buf);
  639. for (i = 0; i < 65536; i += 16) {
  640. memcpy(buf3+i, "vrbacrda12345678", 16);
  641. }
  642. crypto_digest(buf2+9, buf3, 65536);
  643. test_memeq(buf, buf2, 29);
  644. done:
  645. tor_free(buf3);
  646. }
  647. /** Test AES-CTR encryption and decryption with IV. */
  648. static void
  649. test_crypto_aes_iv(void *arg)
  650. {
  651. char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2;
  652. char plain_1[1], plain_15[15], plain_16[16], plain_17[17];
  653. char key1[16], key2[16];
  654. ssize_t encrypted_size, decrypted_size;
  655. int use_evp = !strcmp(arg,"evp");
  656. evaluate_evp_for_aes(use_evp);
  657. plain = tor_malloc(4095);
  658. encrypted1 = tor_malloc(4095 + 1 + 16);
  659. encrypted2 = tor_malloc(4095 + 1 + 16);
  660. decrypted1 = tor_malloc(4095 + 1);
  661. decrypted2 = tor_malloc(4095 + 1);
  662. crypto_rand(plain, 4095);
  663. crypto_rand(key1, 16);
  664. crypto_rand(key2, 16);
  665. crypto_rand(plain_1, 1);
  666. crypto_rand(plain_15, 15);
  667. crypto_rand(plain_16, 16);
  668. crypto_rand(plain_17, 17);
  669. key1[0] = key2[0] + 128; /* Make sure that contents are different. */
  670. /* Encrypt and decrypt with the same key. */
  671. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095,
  672. plain, 4095);
  673. test_eq(encrypted_size, 16 + 4095);
  674. tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is
  675. * greater than 0, but its truth is not
  676. * obvious to all analysis tools. */
  677. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
  678. encrypted1, encrypted_size);
  679. test_eq(decrypted_size, 4095);
  680. tt_assert(decrypted_size > 0);
  681. test_memeq(plain, decrypted1, 4095);
  682. /* Encrypt a second time (with a new random initialization vector). */
  683. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095,
  684. plain, 4095);
  685. test_eq(encrypted_size, 16 + 4095);
  686. tt_assert(encrypted_size > 0);
  687. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095,
  688. encrypted2, encrypted_size);
  689. test_eq(decrypted_size, 4095);
  690. tt_assert(decrypted_size > 0);
  691. test_memeq(plain, decrypted2, 4095);
  692. test_memneq(encrypted1, encrypted2, encrypted_size);
  693. /* Decrypt with the wrong key. */
  694. decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095,
  695. encrypted1, encrypted_size);
  696. test_eq(decrypted_size, 4095);
  697. test_memneq(plain, decrypted2, decrypted_size);
  698. /* Alter the initialization vector. */
  699. encrypted1[0] += 42;
  700. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
  701. encrypted1, encrypted_size);
  702. test_eq(decrypted_size, 4095);
  703. test_memneq(plain, decrypted2, 4095);
  704. /* Special length case: 1. */
  705. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1,
  706. plain_1, 1);
  707. test_eq(encrypted_size, 16 + 1);
  708. tt_assert(encrypted_size > 0);
  709. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1,
  710. encrypted1, encrypted_size);
  711. test_eq(decrypted_size, 1);
  712. tt_assert(decrypted_size > 0);
  713. test_memeq(plain_1, decrypted1, 1);
  714. /* Special length case: 15. */
  715. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15,
  716. plain_15, 15);
  717. test_eq(encrypted_size, 16 + 15);
  718. tt_assert(encrypted_size > 0);
  719. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15,
  720. encrypted1, encrypted_size);
  721. test_eq(decrypted_size, 15);
  722. tt_assert(decrypted_size > 0);
  723. test_memeq(plain_15, decrypted1, 15);
  724. /* Special length case: 16. */
  725. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16,
  726. plain_16, 16);
  727. test_eq(encrypted_size, 16 + 16);
  728. tt_assert(encrypted_size > 0);
  729. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16,
  730. encrypted1, encrypted_size);
  731. test_eq(decrypted_size, 16);
  732. tt_assert(decrypted_size > 0);
  733. test_memeq(plain_16, decrypted1, 16);
  734. /* Special length case: 17. */
  735. encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17,
  736. plain_17, 17);
  737. test_eq(encrypted_size, 16 + 17);
  738. tt_assert(encrypted_size > 0);
  739. decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17,
  740. encrypted1, encrypted_size);
  741. test_eq(decrypted_size, 17);
  742. tt_assert(decrypted_size > 0);
  743. test_memeq(plain_17, decrypted1, 17);
  744. done:
  745. /* Free memory. */
  746. tor_free(plain);
  747. tor_free(encrypted1);
  748. tor_free(encrypted2);
  749. tor_free(decrypted1);
  750. tor_free(decrypted2);
  751. }
  752. /** Test base32 decoding. */
  753. static void
  754. test_crypto_base32_decode(void)
  755. {
  756. char plain[60], encoded[96 + 1], decoded[60];
  757. int res;
  758. crypto_rand(plain, 60);
  759. /* Encode and decode a random string. */
  760. base32_encode(encoded, 96 + 1, plain, 60);
  761. res = base32_decode(decoded, 60, encoded, 96);
  762. test_eq(res, 0);
  763. test_memeq(plain, decoded, 60);
  764. /* Encode, uppercase, and decode a random string. */
  765. base32_encode(encoded, 96 + 1, plain, 60);
  766. tor_strupper(encoded);
  767. res = base32_decode(decoded, 60, encoded, 96);
  768. test_eq(res, 0);
  769. test_memeq(plain, decoded, 60);
  770. /* Change encoded string and decode. */
  771. if (encoded[0] == 'A' || encoded[0] == 'a')
  772. encoded[0] = 'B';
  773. else
  774. encoded[0] = 'A';
  775. res = base32_decode(decoded, 60, encoded, 96);
  776. test_eq(res, 0);
  777. test_memneq(plain, decoded, 60);
  778. /* Bad encodings. */
  779. encoded[0] = '!';
  780. res = base32_decode(decoded, 60, encoded, 96);
  781. test_assert(res < 0);
  782. done:
  783. ;
  784. }
  785. static void
  786. test_crypto_kdf_TAP(void *arg)
  787. {
  788. uint8_t key_material[100];
  789. int r;
  790. char *mem_op_hex_tmp = NULL;
  791. (void)arg;
  792. #define EXPAND(s) \
  793. r = crypto_expand_key_material_TAP( \
  794. (const uint8_t*)(s), strlen(s), \
  795. key_material, 100)
  796. /* Test vectors generated with a little python script; feel free to write
  797. * your own. */
  798. memset(key_material, 0, sizeof(key_material));
  799. EXPAND("");
  800. tt_int_op(r, ==, 0);
  801. test_memeq_hex(key_material,
  802. "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
  803. "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
  804. "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
  805. "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
  806. EXPAND("Tor");
  807. tt_int_op(r, ==, 0);
  808. test_memeq_hex(key_material,
  809. "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
  810. "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
  811. "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
  812. "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
  813. EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
  814. tt_int_op(r, ==, 0);
  815. test_memeq_hex(key_material,
  816. "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
  817. "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
  818. "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
  819. "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
  820. done:
  821. tor_free(mem_op_hex_tmp);
  822. #undef EXPAND
  823. }
  824. static void
  825. test_crypto_hkdf_sha256(void *arg)
  826. {
  827. uint8_t key_material[100];
  828. const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract";
  829. const size_t salt_len = strlen((char*)salt);
  830. const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand";
  831. const size_t m_expand_len = strlen((char*)m_expand);
  832. int r;
  833. char *mem_op_hex_tmp = NULL;
  834. (void)arg;
  835. #define EXPAND(s) \
  836. r = crypto_expand_key_material_rfc5869_sha256( \
  837. (const uint8_t*)(s), strlen(s), \
  838. salt, salt_len, \
  839. m_expand, m_expand_len, \
  840. key_material, 100)
  841. /* Test vectors generated with ntor_ref.py */
  842. memset(key_material, 0, sizeof(key_material));
  843. EXPAND("");
  844. tt_int_op(r, ==, 0);
  845. test_memeq_hex(key_material,
  846. "d3490ed48b12a48f9547861583573fe3f19aafe3f81dc7fc75"
  847. "eeed96d741b3290f941576c1f9f0b2d463d1ec7ab2c6bf71cd"
  848. "d7f826c6298c00dbfe6711635d7005f0269493edf6046cc7e7"
  849. "dcf6abe0d20c77cf363e8ffe358927817a3d3e73712cee28d8");
  850. EXPAND("Tor");
  851. tt_int_op(r, ==, 0);
  852. test_memeq_hex(key_material,
  853. "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
  854. "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
  855. "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
  856. "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
  857. EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
  858. tt_int_op(r, ==, 0);
  859. test_memeq_hex(key_material,
  860. "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
  861. "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
  862. "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
  863. "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
  864. done:
  865. tor_free(mem_op_hex_tmp);
  866. #undef EXPAND
  867. }
  868. #ifdef CURVE25519_ENABLED
  869. static void
  870. test_crypto_curve25519_impl(void *arg)
  871. {
  872. /* adapted from curve25519_donna, which adapted it from test-curve25519
  873. version 20050915, by D. J. Bernstein, Public domain. */
  874. const int randomize_high_bit = (arg != NULL);
  875. #ifdef SLOW_CURVE25519_TEST
  876. const int loop_max=10000;
  877. const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5"
  878. "7e0329f4dd2819f5f32d130f1296b500";
  879. const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9"
  880. "e0544770bc7de853b38f9100489e3e79";
  881. const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88"
  882. "bd13861475516bc2cd2b6e005e805064";
  883. #else
  884. const int loop_max=200;
  885. const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3"
  886. "c6a1037d74cceb3712e9206871dcf654";
  887. const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
  888. "8e3ee1a63c7d14274ea5d4c67f065467";
  889. const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e"
  890. "c0ee98cb2257a4545c0cfb2ca3e1812b";
  891. #endif
  892. unsigned char e1k[32];
  893. unsigned char e2k[32];
  894. unsigned char e1e2k[32];
  895. unsigned char e2e1k[32];
  896. unsigned char e1[32] = {3};
  897. unsigned char e2[32] = {5};
  898. unsigned char k[32] = {9};
  899. int loop, i;
  900. char *mem_op_hex_tmp = NULL;
  901. for (loop = 0; loop < loop_max; ++loop) {
  902. curve25519_impl(e1k,e1,k);
  903. curve25519_impl(e2e1k,e2,e1k);
  904. curve25519_impl(e2k,e2,k);
  905. if (randomize_high_bit) {
  906. /* We require that the high bit of the public key be ignored. So if
  907. * we're doing this variant test, we randomize the high bit of e2k, and
  908. * make sure that the handshake still works out the same as it would
  909. * otherwise. */
  910. uint8_t byte;
  911. crypto_rand((char*)&byte, 1);
  912. e2k[31] |= (byte & 0x80);
  913. }
  914. curve25519_impl(e1e2k,e1,e2k);
  915. test_memeq(e1e2k, e2e1k, 32);
  916. if (loop == loop_max-1) {
  917. break;
  918. }
  919. for (i = 0;i < 32;++i) e1[i] ^= e2k[i];
  920. for (i = 0;i < 32;++i) e2[i] ^= e1k[i];
  921. for (i = 0;i < 32;++i) k[i] ^= e1e2k[i];
  922. }
  923. test_memeq_hex(e1, e1_expected);
  924. test_memeq_hex(e2k, e2k_expected);
  925. test_memeq_hex(e1e2k, e1e2k_expected);
  926. done:
  927. tor_free(mem_op_hex_tmp);
  928. }
  929. static void
  930. test_crypto_curve25519_wrappers(void *arg)
  931. {
  932. curve25519_public_key_t pubkey1, pubkey2;
  933. curve25519_secret_key_t seckey1, seckey2;
  934. uint8_t output1[CURVE25519_OUTPUT_LEN];
  935. uint8_t output2[CURVE25519_OUTPUT_LEN];
  936. (void)arg;
  937. /* Test a simple handshake, serializing and deserializing some stuff. */
  938. curve25519_secret_key_generate(&seckey1, 0);
  939. curve25519_secret_key_generate(&seckey2, 1);
  940. curve25519_public_key_generate(&pubkey1, &seckey1);
  941. curve25519_public_key_generate(&pubkey2, &seckey2);
  942. test_assert(curve25519_public_key_is_ok(&pubkey1));
  943. test_assert(curve25519_public_key_is_ok(&pubkey2));
  944. curve25519_handshake(output1, &seckey1, &pubkey2);
  945. curve25519_handshake(output2, &seckey2, &pubkey1);
  946. test_memeq(output1, output2, sizeof(output1));
  947. done:
  948. ;
  949. }
  950. static void
  951. test_crypto_curve25519_encode(void *arg)
  952. {
  953. curve25519_secret_key_t seckey;
  954. curve25519_public_key_t key1, key2, key3;
  955. char buf[64];
  956. (void)arg;
  957. curve25519_secret_key_generate(&seckey, 0);
  958. curve25519_public_key_generate(&key1, &seckey);
  959. tt_int_op(0, ==, curve25519_public_to_base64(buf, &key1));
  960. tt_int_op(CURVE25519_BASE64_PADDED_LEN, ==, strlen(buf));
  961. tt_int_op(0, ==, curve25519_public_from_base64(&key2, buf));
  962. test_memeq(key1.public_key, key2.public_key, CURVE25519_PUBKEY_LEN);
  963. buf[CURVE25519_BASE64_PADDED_LEN - 1] = '\0';
  964. tt_int_op(CURVE25519_BASE64_PADDED_LEN-1, ==, strlen(buf));
  965. tt_int_op(0, ==, curve25519_public_from_base64(&key3, buf));
  966. test_memeq(key1.public_key, key3.public_key, CURVE25519_PUBKEY_LEN);
  967. /* Now try bogus parses. */
  968. strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf));
  969. tt_int_op(-1, ==, curve25519_public_from_base64(&key3, buf));
  970. strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf));
  971. tt_int_op(-1, ==, curve25519_public_from_base64(&key3, buf));
  972. strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf));
  973. tt_int_op(-1, ==, curve25519_public_from_base64(&key3, buf));
  974. done:
  975. ;
  976. }
  977. static void
  978. test_crypto_curve25519_persist(void *arg)
  979. {
  980. curve25519_keypair_t keypair, keypair2;
  981. char *fname = tor_strdup(get_fname("curve25519_keypair"));
  982. char *tag = NULL;
  983. char *content = NULL;
  984. const char *cp;
  985. struct stat st;
  986. size_t taglen;
  987. (void)arg;
  988. tt_int_op(0,==,curve25519_keypair_generate(&keypair, 0));
  989. tt_int_op(0,==,curve25519_keypair_write_to_file(&keypair, fname, "testing"));
  990. tt_int_op(0,==,curve25519_keypair_read_from_file(&keypair2, &tag, fname));
  991. tt_str_op(tag,==,"testing");
  992. tor_free(tag);
  993. test_memeq(keypair.pubkey.public_key,
  994. keypair2.pubkey.public_key,
  995. CURVE25519_PUBKEY_LEN);
  996. test_memeq(keypair.seckey.secret_key,
  997. keypair2.seckey.secret_key,
  998. CURVE25519_SECKEY_LEN);
  999. content = read_file_to_str(fname, RFTS_BIN, &st);
  1000. tt_assert(content);
  1001. taglen = strlen("== c25519v1: testing ==");
  1002. tt_u64_op((uint64_t)st.st_size, ==,
  1003. 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN);
  1004. tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen));
  1005. tt_assert(tor_mem_is_zero(content+taglen, 32-taglen));
  1006. cp = content + 32;
  1007. test_memeq(keypair.seckey.secret_key,
  1008. cp,
  1009. CURVE25519_SECKEY_LEN);
  1010. cp += CURVE25519_SECKEY_LEN;
  1011. test_memeq(keypair.pubkey.public_key,
  1012. cp,
  1013. CURVE25519_SECKEY_LEN);
  1014. tor_free(fname);
  1015. fname = tor_strdup(get_fname("bogus_keypair"));
  1016. tt_int_op(-1, ==, curve25519_keypair_read_from_file(&keypair2, &tag, fname));
  1017. tor_free(tag);
  1018. content[69] ^= 0xff;
  1019. tt_int_op(0, ==, write_bytes_to_file(fname, content, (size_t)st.st_size, 1));
  1020. tt_int_op(-1, ==, curve25519_keypair_read_from_file(&keypair2, &tag, fname));
  1021. done:
  1022. tor_free(fname);
  1023. tor_free(content);
  1024. tor_free(tag);
  1025. }
  1026. static void
  1027. test_crypto_ed25519_simple(void *arg)
  1028. {
  1029. ed25519_keypair_t kp1, kp2;
  1030. ed25519_public_key_t pub1, pub2;
  1031. ed25519_secret_key_t sec1, sec2;
  1032. ed25519_signature_t sig1, sig2;
  1033. const uint8_t msg[] =
  1034. "GNU will be able to run Unix programs, "
  1035. "but will not be identical to Unix.";
  1036. const uint8_t msg2[] =
  1037. "Microsoft Windows extends the features of the DOS operating system, "
  1038. "yet is compatible with most existing applications that run under DOS.";
  1039. size_t msg_len = strlen((const char*)msg);
  1040. size_t msg2_len = strlen((const char*)msg2);
  1041. (void)arg;
  1042. tt_int_op(0, ==, ed25519_secret_key_generate(&sec1, 0));
  1043. tt_int_op(0, ==, ed25519_secret_key_generate(&sec2, 1));
  1044. tt_int_op(0, ==, ed25519_public_key_generate(&pub1, &sec1));
  1045. tt_int_op(0, ==, ed25519_public_key_generate(&pub2, &sec1));
  1046. test_memeq(pub1.pubkey, pub2.pubkey, sizeof(pub1.pubkey));
  1047. memcpy(&kp1.pubkey, &pub1, sizeof(pub1));
  1048. memcpy(&kp1.seckey, &sec1, sizeof(sec1));
  1049. tt_int_op(0, ==, ed25519_sign(&sig1, msg, msg_len, &kp1));
  1050. tt_int_op(0, ==, ed25519_sign(&sig2, msg, msg_len, &kp1));
  1051. /* Ed25519 signatures are deterministic */
  1052. test_memeq(sig1.sig, sig2.sig, sizeof(sig1.sig));
  1053. /* Basic signature is valid. */
  1054. tt_int_op(0, ==, ed25519_checksig(&sig1, msg, msg_len, &pub1));
  1055. /* Altered signature doesn't work. */
  1056. sig1.sig[0] ^= 3;
  1057. tt_int_op(-1, ==, ed25519_checksig(&sig1, msg, msg_len, &pub1));
  1058. /* Wrong public key doesn't work. */
  1059. tt_int_op(0, ==, ed25519_public_key_generate(&pub2, &sec2));
  1060. tt_int_op(-1, ==, ed25519_checksig(&sig2, msg, msg_len, &pub2));
  1061. /* Wrong message doesn't work. */
  1062. tt_int_op(0, ==, ed25519_checksig(&sig2, msg, msg_len, &pub1));
  1063. tt_int_op(-1, ==, ed25519_checksig(&sig2, msg, msg_len-1, &pub1));
  1064. tt_int_op(-1, ==, ed25519_checksig(&sig2, msg2, msg2_len, &pub1));
  1065. /* Batch signature checking works with some bad. */
  1066. tt_int_op(0, ==, ed25519_keypair_generate(&kp2, 0));
  1067. tt_int_op(0, ==, ed25519_sign(&sig1, msg, msg_len, &kp2));
  1068. {
  1069. ed25519_checkable_t ch[] = {
  1070. { &pub1, sig2, msg, msg_len }, /*ok*/
  1071. { &pub1, sig2, msg, msg_len-1 }, /*bad*/
  1072. { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/
  1073. { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
  1074. };
  1075. int okay[4];
  1076. tt_int_op(-2, ==, ed25519_checksig_batch(okay, ch, 4));
  1077. tt_int_op(okay[0], ==, 1);
  1078. tt_int_op(okay[1], ==, 0);
  1079. tt_int_op(okay[2], ==, 0);
  1080. tt_int_op(okay[3], ==, 1);
  1081. tt_int_op(-2, ==, ed25519_checksig_batch(NULL, ch, 4));
  1082. }
  1083. /* Batch signature checking works with all good. */
  1084. {
  1085. ed25519_checkable_t ch[] = {
  1086. { &pub1, sig2, msg, msg_len }, /*ok*/
  1087. { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
  1088. };
  1089. int okay[2];
  1090. tt_int_op(0, ==, ed25519_checksig_batch(okay, ch, 2));
  1091. tt_int_op(okay[0], ==, 1);
  1092. tt_int_op(okay[1], ==, 1);
  1093. tt_int_op(0, ==, ed25519_checksig_batch(NULL, ch, 2));
  1094. }
  1095. done:
  1096. ;
  1097. }
  1098. static void
  1099. test_crypto_ed25519_test_vectors(void *arg)
  1100. {
  1101. char *mem_op_hex_tmp=NULL;
  1102. int i;
  1103. struct {
  1104. const char *sk;
  1105. const char *pk;
  1106. const char *sig;
  1107. const char *msg;
  1108. } items[] = {
  1109. /* These test vectors were generated with the "ref" implementation of
  1110. * ed25519 from SUPERCOP-20130419 */
  1111. { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
  1112. "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
  1113. "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
  1114. "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
  1115. "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
  1116. "204e554c2d7465726d696e617465642e"
  1117. },
  1118. { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
  1119. "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
  1120. "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
  1121. "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
  1122. "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
  1123. "204e554c2d7465726d696e617465642e"
  1124. },
  1125. { "6578706f73656420627920456e676c697368207465787420617320696e707574",
  1126. "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
  1127. "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
  1128. "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
  1129. "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
  1130. "204e554c2d7465726d696e617465642e"
  1131. },
  1132. /* These come from "sign.input" in ed25519's page */
  1133. { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
  1134. "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
  1135. "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
  1136. "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
  1137. "5a8d9d0a22357e6655f9c785"
  1138. },
  1139. { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
  1140. "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
  1141. "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
  1142. "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
  1143. "b87d3813e03f58cf19fd0b6395"
  1144. },
  1145. { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
  1146. "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
  1147. "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
  1148. "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
  1149. "55c7fa434f5ed8cdec2b7aeac173",
  1150. },
  1151. { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
  1152. "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
  1153. "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
  1154. "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
  1155. "0a688e79be24f866286d4646b5d81c"
  1156. },
  1157. { NULL, NULL, NULL, NULL}
  1158. };
  1159. (void)arg;
  1160. for (i = 0; items[i].pk; ++i) {
  1161. ed25519_keypair_t kp;
  1162. ed25519_signature_t sig;
  1163. uint8_t sk_seed[32];
  1164. uint8_t *msg;
  1165. size_t msg_len;
  1166. base16_decode((char*)sk_seed, sizeof(sk_seed),
  1167. items[i].sk, 64);
  1168. ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
  1169. tt_int_op(0, ==, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
  1170. test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
  1171. msg_len = strlen(items[i].msg) / 2;
  1172. msg = tor_malloc(msg_len);
  1173. base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg));
  1174. tt_int_op(0, ==, ed25519_sign(&sig, msg, msg_len, &kp));
  1175. test_memeq_hex(sig.sig, items[i].sig);
  1176. tor_free(msg);
  1177. }
  1178. done:
  1179. tor_free(mem_op_hex_tmp);
  1180. }
  1181. #endif
  1182. static void
  1183. test_crypto_ed25519_encode(void *arg)
  1184. {
  1185. char buf[ED25519_BASE64_LEN+1];
  1186. ed25519_keypair_t kp;
  1187. ed25519_public_key_t pk;
  1188. char *mem_op_hex_tmp = NULL;
  1189. (void) arg;
  1190. /* Test roundtrip. */
  1191. tt_int_op(0, ==, ed25519_keypair_generate(&kp, 0));
  1192. tt_int_op(0, ==, ed25519_public_to_base64(buf, &kp.pubkey));
  1193. tt_int_op(ED25519_BASE64_LEN, ==, strlen(buf));
  1194. tt_int_op(0, ==, ed25519_public_from_base64(&pk, buf));
  1195. test_memeq(kp.pubkey.pubkey, pk.pubkey, ED25519_PUBKEY_LEN);
  1196. /* Test known value. */
  1197. tt_int_op(0, ==, ed25519_public_from_base64(&pk,
  1198. "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
  1199. test_memeq_hex(pk.pubkey,
  1200. "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
  1201. done:
  1202. tor_free(mem_op_hex_tmp);
  1203. }
  1204. static void
  1205. test_crypto_ed25519_convert(void *arg)
  1206. {
  1207. const uint8_t msg[] =
  1208. "The eyes are not here / There are no eyes here.";
  1209. const int N = 30;
  1210. int i;
  1211. (void)arg;
  1212. for (i = 0; i < N; ++i) {
  1213. curve25519_keypair_t curve25519_keypair;
  1214. ed25519_keypair_t ed25519_keypair;
  1215. ed25519_public_key_t ed25519_pubkey;
  1216. int bit=0;
  1217. ed25519_signature_t sig;
  1218. tt_int_op(0,==,curve25519_keypair_generate(&curve25519_keypair, i&1));
  1219. tt_int_op(0,==,ed25519_keypair_from_curve25519_keypair(
  1220. &ed25519_keypair, &bit, &curve25519_keypair));
  1221. tt_int_op(0,==,ed25519_public_key_from_curve25519_public_key(
  1222. &ed25519_pubkey, &curve25519_keypair.pubkey, bit));
  1223. tt_mem_op(ed25519_pubkey.pubkey, ==, ed25519_keypair.pubkey.pubkey, 32);
  1224. tt_int_op(0,==,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair));
  1225. tt_int_op(0,==,ed25519_checksig(&sig, msg, sizeof(msg),
  1226. &ed25519_pubkey));
  1227. tt_int_op(-1,==,ed25519_checksig(&sig, msg, sizeof(msg)-1,
  1228. &ed25519_pubkey));
  1229. sig.sig[0] ^= 15;
  1230. tt_int_op(-1,==,ed25519_checksig(&sig, msg, sizeof(msg),
  1231. &ed25519_pubkey));
  1232. }
  1233. done:
  1234. ;
  1235. }
  1236. static void
  1237. test_crypto_ed25519_blinding(void *arg)
  1238. {
  1239. const uint8_t msg[] =
  1240. "Eyes I dare not meet in dreams / In death's dream kingdom";
  1241. const int N = 30;
  1242. int i;
  1243. (void)arg;
  1244. for (i = 0; i < N; ++i) {
  1245. uint8_t blinding[32];
  1246. ed25519_keypair_t ed25519_keypair;
  1247. ed25519_keypair_t ed25519_keypair_blinded;
  1248. ed25519_public_key_t ed25519_pubkey_blinded;
  1249. ed25519_signature_t sig;
  1250. crypto_rand((char*) blinding, sizeof(blinding));
  1251. tt_int_op(0,==,ed25519_keypair_generate(&ed25519_keypair, 0));
  1252. tt_int_op(0,==,ed25519_keypair_blind(&ed25519_keypair_blinded,
  1253. &ed25519_keypair, blinding));
  1254. tt_int_op(0,==,ed25519_public_blind(&ed25519_pubkey_blinded,
  1255. &ed25519_keypair.pubkey, blinding));
  1256. tt_mem_op(ed25519_pubkey_blinded.pubkey, ==,
  1257. ed25519_keypair_blinded.pubkey.pubkey, 32);
  1258. tt_int_op(0,==,ed25519_sign(&sig, msg, sizeof(msg),
  1259. &ed25519_keypair_blinded));
  1260. tt_int_op(0,==,ed25519_checksig(&sig, msg, sizeof(msg),
  1261. &ed25519_pubkey_blinded));
  1262. tt_int_op(-1,==,ed25519_checksig(&sig, msg, sizeof(msg)-1,
  1263. &ed25519_pubkey_blinded));
  1264. sig.sig[0] ^= 15;
  1265. tt_int_op(-1,==,ed25519_checksig(&sig, msg, sizeof(msg),
  1266. &ed25519_pubkey_blinded));
  1267. }
  1268. done:
  1269. ;
  1270. }
  1271. static void
  1272. test_crypto_ed25519_testvectors(void *arg)
  1273. {
  1274. unsigned i;
  1275. char *mem_op_hex_tmp = NULL;
  1276. (void)arg;
  1277. for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) {
  1278. uint8_t sk[32];
  1279. ed25519_secret_key_t esk;
  1280. ed25519_public_key_t pk, blind_pk, pkfromcurve;
  1281. ed25519_keypair_t keypair, blind_keypair;
  1282. curve25519_keypair_t curvekp;
  1283. uint8_t blinding_param[32];
  1284. ed25519_signature_t sig;
  1285. int sign;
  1286. #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
  1287. #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
  1288. tt_int_op(0, ==, DECODE(sk, ED25519_SECRET_KEYS[i]));
  1289. tt_int_op(0, ==, DECODE(blinding_param, ED25519_BLINDING_PARAMS[i]));
  1290. tt_int_op(0, ==, ed25519_secret_key_from_seed(&esk, sk));
  1291. EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]);
  1292. tt_int_op(0, ==, ed25519_public_key_generate(&pk, &esk));
  1293. EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]);
  1294. memcpy(&curvekp.seckey.secret_key, esk.seckey, 32);
  1295. curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey);
  1296. tt_int_op(0, ==,
  1297. ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp));
  1298. tt_int_op(0, ==, ed25519_public_key_from_curve25519_public_key(
  1299. &pkfromcurve, &curvekp.pubkey, sign));
  1300. tt_mem_op(keypair.pubkey.pubkey, ==, pkfromcurve.pubkey, 32);
  1301. EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]);
  1302. /* Self-signing */
  1303. memcpy(&keypair.seckey, &esk, sizeof(esk));
  1304. memcpy(&keypair.pubkey, &pk, sizeof(pk));
  1305. tt_int_op(0, ==, ed25519_sign(&sig, pk.pubkey, 32, &keypair));
  1306. EQ(sig.sig, ED25519_SELF_SIGNATURES[i]);
  1307. /* Blinding */
  1308. tt_int_op(0, ==,
  1309. ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param));
  1310. tt_int_op(0, ==,
  1311. ed25519_public_blind(&blind_pk, &pk, blinding_param));
  1312. EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]);
  1313. EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]);
  1314. tt_mem_op(blind_pk.pubkey, ==, blind_keypair.pubkey.pubkey, 32);
  1315. #undef DECODE
  1316. #undef EQ
  1317. }
  1318. done:
  1319. tor_free(mem_op_hex_tmp);
  1320. }
  1321. static void
  1322. test_crypto_siphash(void *arg)
  1323. {
  1324. /* From the reference implementation, taking
  1325. k = 00 01 02 ... 0f
  1326. and in = 00; 00 01; 00 01 02; ...
  1327. */
  1328. const uint8_t VECTORS[64][8] =
  1329. {
  1330. { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
  1331. { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
  1332. { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
  1333. { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
  1334. { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
  1335. { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
  1336. { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
  1337. { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
  1338. { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
  1339. { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
  1340. { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
  1341. { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
  1342. { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
  1343. { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
  1344. { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
  1345. { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
  1346. { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
  1347. { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
  1348. { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
  1349. { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
  1350. { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
  1351. { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
  1352. { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
  1353. { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
  1354. { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
  1355. { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
  1356. { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
  1357. { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
  1358. { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
  1359. { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
  1360. { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
  1361. { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
  1362. { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
  1363. { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
  1364. { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
  1365. { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
  1366. { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
  1367. { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
  1368. { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
  1369. { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
  1370. { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
  1371. { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
  1372. { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
  1373. { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
  1374. { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
  1375. { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
  1376. { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
  1377. { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
  1378. { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
  1379. { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
  1380. { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
  1381. { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
  1382. { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
  1383. { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
  1384. { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
  1385. { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
  1386. { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
  1387. { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
  1388. { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
  1389. { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
  1390. { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
  1391. { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
  1392. { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
  1393. { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
  1394. };
  1395. const struct sipkey K = { U64_LITERAL(0x0706050403020100),
  1396. U64_LITERAL(0x0f0e0d0c0b0a0908) };
  1397. uint8_t input[64];
  1398. int i, j;
  1399. (void)arg;
  1400. for (i = 0; i < 64; ++i)
  1401. input[i] = i;
  1402. for (i = 0; i < 64; ++i) {
  1403. uint64_t r = siphash24(input, i, &K);
  1404. for (j = 0; j < 8; ++j) {
  1405. tt_int_op( (r >> (j*8)) & 0xff, ==, VECTORS[i][j]);
  1406. }
  1407. }
  1408. done:
  1409. ;
  1410. }
  1411. static void *
  1412. pass_data_setup_fn(const struct testcase_t *testcase)
  1413. {
  1414. return testcase->setup_data;
  1415. }
  1416. static int
  1417. pass_data_cleanup_fn(const struct testcase_t *testcase, void *ptr)
  1418. {
  1419. (void)ptr;
  1420. (void)testcase;
  1421. return 1;
  1422. }
  1423. static const struct testcase_setup_t pass_data = {
  1424. pass_data_setup_fn, pass_data_cleanup_fn
  1425. };
  1426. #define CRYPTO_LEGACY(name) \
  1427. { #name, legacy_test_helper, 0, &legacy_setup, test_crypto_ ## name }
  1428. struct testcase_t crypto_tests[] = {
  1429. CRYPTO_LEGACY(formats),
  1430. CRYPTO_LEGACY(rng),
  1431. { "aes_AES", test_crypto_aes, TT_FORK, &pass_data, (void*)"aes" },
  1432. { "aes_EVP", test_crypto_aes, TT_FORK, &pass_data, (void*)"evp" },
  1433. CRYPTO_LEGACY(sha),
  1434. CRYPTO_LEGACY(pk),
  1435. { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
  1436. CRYPTO_LEGACY(digests),
  1437. CRYPTO_LEGACY(dh),
  1438. CRYPTO_LEGACY(s2k),
  1439. { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &pass_data, (void*)"aes" },
  1440. { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, &pass_data, (void*)"evp" },
  1441. CRYPTO_LEGACY(base32_decode),
  1442. { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL },
  1443. { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
  1444. #ifdef CURVE25519_ENABLED
  1445. { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
  1446. { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"},
  1447. { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
  1448. { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
  1449. { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
  1450. { "ed25519_simple", test_crypto_ed25519_simple, 0, NULL, NULL },
  1451. { "ed25519_test_vectors", test_crypto_ed25519_test_vectors, 0, NULL, NULL },
  1452. { "ed25519_encode", test_crypto_ed25519_encode, 0, NULL, NULL },
  1453. { "ed25519_convert", test_crypto_ed25519_convert, 0, NULL, NULL },
  1454. { "ed25519_blinding", test_crypto_ed25519_blinding, 0, NULL, NULL },
  1455. { "ed25519_testvectors", test_crypto_ed25519_testvectors, 0, NULL, NULL },
  1456. #endif
  1457. { "siphash", test_crypto_siphash, 0, NULL, NULL },
  1458. END_OF_TESTCASES
  1459. };