search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove unused function: dns_randfn_() in dns.c.
[tor.git] / src / test / test_crypto.c
blob5af0cce130e4a1a979545b888ee7bf3e2859eaf1
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2019, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5
6 #include "orconfig.h"
7 #define CRYPTO_CURVE25519_PRIVATE
8 #define CRYPTO_RAND_PRIVATE
9 #include "core/or/or.h"
10 #include "test/test.h"
11 #include "lib/crypt_ops/aes.h"
12 #include "siphash.h"
13 #include "lib/crypt_ops/crypto_curve25519.h"
14 #include "lib/crypt_ops/crypto_dh.h"
15 #include "lib/crypt_ops/crypto_ed25519.h"
16 #include "lib/crypt_ops/crypto_format.h"
17 #include "lib/crypt_ops/crypto_hkdf.h"
18 #include "lib/crypt_ops/crypto_rand.h"
19 #include "lib/crypt_ops/crypto_init.h"
20 #include "ed25519_vectors.inc"
21 #include "test/log_test_helpers.h"
22
23 #ifdef HAVE_SYS_STAT_H
24 #include <sys/stat.h>
25 #endif
26 #ifdef HAVE_UNISTD_H
27 #include <unistd.h>
28 #endif
29
30 #if defined(ENABLE_OPENSSL)
31 #include "lib/crypt_ops/compat_openssl.h"
32 DISABLE_GCC_WARNING(redundant-decls)
33 #include <openssl/dh.h>
34 ENABLE_GCC_WARNING(redundant-decls)
35 #endif
36
37 /** Run unit tests for Diffie-Hellman functionality. */
38 static void
39 test_crypto_dh(void *arg)
40 {
41 crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
42 crypto_dh_t *dh1_dup = NULL;
43 crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
44 char p1[DH1024_KEY_LEN];
45 char p2[DH1024_KEY_LEN];
46 char s1[DH1024_KEY_LEN];
47 char s2[DH1024_KEY_LEN];
48 ssize_t s1len, s2len;
49 #ifdef ENABLE_OPENSSL
50 crypto_dh_t *dh3 = NULL;
51 DH *dh4 = NULL;
52 BIGNUM *pubkey_tmp = NULL;
53 #endif
54
55 (void)arg;
56 tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH1024_KEY_LEN);
57 tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH1024_KEY_LEN);
58
59 memset(p1, 0, DH1024_KEY_LEN);
60 memset(p2, 0, DH1024_KEY_LEN);
61 tt_mem_op(p1,OP_EQ, p2, DH1024_KEY_LEN);
62
63 tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */
64
65 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
66 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
67 tt_assert(! crypto_dh_get_public(dh2, p2, DH1024_KEY_LEN));
68 tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
69
70 memset(s1, 0, DH1024_KEY_LEN);
71 memset(s2, 0xFF, DH1024_KEY_LEN);
72 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH1024_KEY_LEN, s1, 50);
73 s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH1024_KEY_LEN, s2, 50);
74 tt_assert(s1len > 0);
75 tt_int_op(s1len,OP_EQ, s2len);
76 tt_mem_op(s1,OP_EQ, s2, s1len);
77
78 /* test dh_dup; make sure it works the same. */
79 dh1_dup = crypto_dh_dup(dh1);
80 s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH1024_KEY_LEN,
81 s1, 50);
82 tt_i64_op(s1len, OP_GE, 0);
83 tt_mem_op(s1,OP_EQ, s2, s1len);
84
85 {
86 /* Now fabricate some bad values and make sure they get caught. */
87
88 /* 1 and 0 should both fail. */
89 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x01", 1, s1, 50);
90 tt_int_op(-1, OP_EQ, s1len);
91
92 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50);
93 tt_int_op(-1, OP_EQ, s1len);
94
95 memset(p1, 0, DH1024_KEY_LEN); /* 0 with padding. */
96 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
97 s1, 50);
98 tt_int_op(-1, OP_EQ, s1len);
99
100 p1[DH1024_KEY_LEN-1] = 1; /* 1 with padding*/
101 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
102 s1, 50);
103 tt_int_op(-1, OP_EQ, s1len);
104
105 /* 2 is okay, though weird. */
106 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
107 tt_int_op(50, OP_EQ, s1len);
108
109 /* 2 a second time is still okay, though weird. */
110 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
111 tt_int_op(50, OP_EQ, s1len);
112
113 const char P[] =
114 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
115 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
116 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
117 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
118 "49286651ECE65381FFFFFFFFFFFFFFFF";
119
120 /* p-1, p, and so on are not okay. */
121 base16_decode(p1, sizeof(p1), P, strlen(P));
122
123 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
124 s1, 50);
125 tt_int_op(-1, OP_EQ, s1len);
126
127 p1[DH1024_KEY_LEN-1] = 0xFE; /* p-1 */
128 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
129 s1, 50);
130 tt_int_op(-1, OP_EQ, s1len);
131
132 p1[DH1024_KEY_LEN-1] = 0xFD; /* p-2 works fine */
133 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
134 s1, 50);
135 tt_int_op(50, OP_EQ, s1len);
136
137 const char P_plus_one[] =
138 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
139 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
140 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
141 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
142 "49286651ECE653820000000000000000";
143
144 base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one));
145
146 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
147 s1, 50);
148 tt_int_op(-1, OP_EQ, s1len);
149
150 p1[DH1024_KEY_LEN-1] = 0x01; /* p+2 */
151 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
152 s1, 50);
153 tt_int_op(-1, OP_EQ, s1len);
154
155 p1[DH1024_KEY_LEN-1] = 0xff; /* p+256 */
156 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
157 s1, 50);
158 tt_int_op(-1, OP_EQ, s1len);
159
160 memset(p1, 0xff, DH1024_KEY_LEN), /* 2^1024-1 */
161 s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
162 s1, 50);
163 tt_int_op(-1, OP_EQ, s1len);
164 }
165
166 {
167 /* provoke an error in the openssl DH_compute_key function; make sure we
168 * survive. */
169 tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
170
171 crypto_dh_free(dh2);
172 dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */
173 s1len = crypto_dh_compute_secret(LOG_WARN, dh2,
174 p1, DH1024_KEY_LEN,
175 s1, 50);
176 tt_int_op(s1len, OP_EQ, -1);
177 }
178
179 #if defined(ENABLE_OPENSSL)
180 {
181 /* Make sure that our crypto library can handshake with openssl. */
182 dh3 = crypto_dh_new(DH_TYPE_TLS);
183 tt_assert(!crypto_dh_get_public(dh3, p1, DH1024_KEY_LEN));
184
185 dh4 = crypto_dh_new_openssl_tls();
186 tt_assert(DH_generate_key(dh4));
187 const BIGNUM *pk=NULL;
188 #ifdef OPENSSL_1_1_API
189 const BIGNUM *sk=NULL;
190 DH_get0_key(dh4, &pk, &sk);
191 #else
192 pk = dh4->pub_key;
193 #endif
194 tt_assert(pk);
195 tt_int_op(BN_num_bytes(pk), OP_LE, DH1024_KEY_LEN);
196 tt_int_op(BN_num_bytes(pk), OP_GT, 0);
197 memset(p2, 0, sizeof(p2));
198 /* right-pad. */
199 BN_bn2bin(pk, (unsigned char *)(p2+DH1024_KEY_LEN-BN_num_bytes(pk)));
200
201 s1len = crypto_dh_handshake(LOG_WARN, dh3, p2, DH1024_KEY_LEN,
202 (unsigned char *)s1, sizeof(s1));
203 pubkey_tmp = BN_bin2bn((unsigned char *)p1, DH1024_KEY_LEN, NULL);
204 s2len = DH_compute_key((unsigned char *)s2, pubkey_tmp, dh4);
205
206 tt_int_op(s1len, OP_EQ, s2len);
207 tt_int_op(s1len, OP_GT, 0);
208 tt_mem_op(s1, OP_EQ, s2, s1len);
209 }
210 #endif
211
212 done:
213 crypto_dh_free(dh1);
214 crypto_dh_free(dh2);
215 crypto_dh_free(dh1_dup);
216 #ifdef ENABLE_OPENSSL
217 crypto_dh_free(dh3);
218 if (dh4)
219 DH_free(dh4);
220 if (pubkey_tmp)
221 BN_free(pubkey_tmp);
222 #endif
223 }
224
225 static void
226 test_crypto_openssl_version(void *arg)
227 {
228 (void)arg;
229 #ifdef ENABLE_NSS
230 tt_skip();
231 #else
232 const char *version = crypto_openssl_get_version_str();
233 const char *h_version = crypto_openssl_get_header_version_str();
234 tt_assert(version);
235 tt_assert(h_version);
236 if (strcmpstart(version, h_version)) { /* "-fips" suffix, etc */
237 TT_DIE(("OpenSSL library version %s did not begin with header version %s.",
238 version, h_version));
239 }
240 if (strstr(version, "OpenSSL")) {
241 TT_DIE(("assertion failed: !strstr(\"%s\", \"OpenSSL\")", version));
242 }
243 int a=-1,b=-1,c=-1;
244 if (!strcmpstart(version, "LibreSSL") || !strcmpstart(version, "BoringSSL"))
245 return;
246 int r = tor_sscanf(version, "%d.%d.%d", &a,&b,&c);
247 tt_int_op(r, OP_EQ, 3);
248 tt_int_op(a, OP_GE, 0);
249 tt_int_op(b, OP_GE, 0);
250 tt_int_op(c, OP_GE, 0);
251 #endif
252
253 done:
254 ;
255 }
256
257 /** Run unit tests for our random number generation function and its wrappers.
258 */
259 static void
260 test_crypto_rng(void *arg)
261 {
262 int i, j, allok;
263 char data1[100], data2[100];
264 double d;
265 char *h=NULL;
266
267 /* Try out RNG. */
268 (void)arg;
269 tt_assert(! crypto_seed_rng());
270 crypto_rand(data1, 100);
271 crypto_rand(data2, 100);
272 tt_mem_op(data1,OP_NE, data2,100);
273 allok = 1;
274 for (i = 0; i < 100; ++i) {
275 uint64_t big;
276 char *host;
277 j = crypto_rand_int(100);
278 if (j < 0 || j >= 100)
279 allok = 0;
280 big = crypto_rand_uint64(UINT64_C(1)<<40);
281 if (big >= (UINT64_C(1)<<40))
282 allok = 0;
283 big = crypto_rand_uint64(UINT64_C(5));
284 if (big >= 5)
285 allok = 0;
286 d = crypto_rand_double();
287 tt_assert(d >= 0);
288 tt_assert(d < 1.0);
289 host = crypto_random_hostname(3,8,"www.",".onion");
290 if (strcmpstart(host,"www.") ||
291 strcmpend(host,".onion") ||
292 strlen(host) < 13 ||
293 strlen(host) > 18)
294 allok = 0;
295 tor_free(host);
296 }
297
298 /* Make sure crypto_random_hostname clips its inputs properly. */
299 h = crypto_random_hostname(20000, 9000, "www.", ".onion");
300 tt_assert(! strcmpstart(h,"www."));
301 tt_assert(! strcmpend(h,".onion"));
302 tt_int_op(63+4+6, OP_EQ, strlen(h));
303
304 tt_assert(allok);
305 done:
306 tor_free(h);
307 }
308
309 static void
310 test_crypto_rng_range(void *arg)
311 {
312 int got_smallest = 0, got_largest = 0;
313 int i;
314
315 (void)arg;
316 for (i = 0; i < 1000; ++i) {
317 int x = crypto_rand_int_range(5,9);
318 tt_int_op(x, OP_GE, 5);
319 tt_int_op(x, OP_LT, 9);
320 if (x == 5)
321 got_smallest = 1;
322 if (x == 8)
323 got_largest = 1;
324 }
325 /* These fail with probability 1/10^603. */
326 tt_assert(got_smallest);
327 tt_assert(got_largest);
328
329 got_smallest = got_largest = 0;
330 const uint64_t ten_billion = 10 * ((uint64_t)1000000000000);
331 for (i = 0; i < 1000; ++i) {
332 uint64_t x = crypto_rand_uint64_range(ten_billion, ten_billion+10);
333 tt_u64_op(x, OP_GE, ten_billion);
334 tt_u64_op(x, OP_LT, ten_billion+10);
335 if (x == ten_billion)
336 got_smallest = 1;
337 if (x == ten_billion+9)
338 got_largest = 1;
339 }
340
341 tt_assert(got_smallest);
342 tt_assert(got_largest);
343
344 const time_t now = time(NULL);
345 for (i = 0; i < 2000; ++i) {
346 time_t x = crypto_rand_time_range(now, now+60);
347 tt_i64_op(x, OP_GE, now);
348 tt_i64_op(x, OP_LT, now+60);
349 if (x == now)
350 got_smallest = 1;
351 if (x == now+59)
352 got_largest = 1;
353 }
354
355 tt_assert(got_smallest);
356 tt_assert(got_largest);
357 done:
358 ;
359 }
360
361 static void
362 test_crypto_rng_strongest(void *arg)
363 {
364 const char *how = arg;
365 int broken = 0;
366
367 if (how == NULL) {
368 ;
369 } else if (!strcmp(how, "nosyscall")) {
370 break_strongest_rng_syscall = 1;
371 } else if (!strcmp(how, "nofallback")) {
372 break_strongest_rng_fallback = 1;
373 } else if (!strcmp(how, "broken")) {
374 broken = break_strongest_rng_syscall = break_strongest_rng_fallback = 1;
375 }
376
377 #define N 128
378 uint8_t combine_and[N];
379 uint8_t combine_or[N];
380 int i, j;
381
382 memset(combine_and, 0xff, N);
383 memset(combine_or, 0, N);
384
385 for (i = 0; i < 100; ++i) { /* 2^-100 chances just don't happen. */
386 uint8_t output[N];
387 memset(output, 0, N);
388 if (how == NULL) {
389 /* this one can't fail. */
390 crypto_strongest_rand(output, sizeof(output));
391 } else {
392 int r = crypto_strongest_rand_raw(output, sizeof(output));
393 if (r == -1) {
394 if (broken) {
395 goto done; /* we're fine. */
396 }
397 /* This function is allowed to break, but only if it always breaks. */
398 tt_int_op(i, OP_EQ, 0);
399 tt_skip();
400 } else {
401 tt_assert(! broken);
402 }
403 }
404 for (j = 0; j < N; ++j) {
405 combine_and[j] &= output[j];
406 combine_or[j] |= output[j];
407 }
408 }
409
410 for (j = 0; j < N; ++j) {
411 tt_int_op(combine_and[j], OP_EQ, 0);
412 tt_int_op(combine_or[j], OP_EQ, 0xff);
413 }
414 done:
415 ;
416 #undef N
417 }
418
419 /** Run unit tests for our AES128 functionality */
420 static void
421 test_crypto_aes128(void *arg)
422 {
423 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
424 crypto_cipher_t *env1 = NULL, *env2 = NULL;
425 int i, j;
426 char *mem_op_hex_tmp=NULL;
427 char key[CIPHER_KEY_LEN];
428 int use_evp = !strcmp(arg,"evp");
429 evaluate_evp_for_aes(use_evp);
430 evaluate_ctr_for_aes();
431
432 data1 = tor_malloc(1024);
433 data2 = tor_malloc(1024);
434 data3 = tor_malloc(1024);
435
436 /* Now, test encryption and decryption with stream cipher. */
437 data1[0]='\0';
438 for (i = 1023; i>0; i -= 35)
439 strncat(data1, "Now is the time for all good onions", i);
440
441 memset(data2, 0, 1024);
442 memset(data3, 0, 1024);
443 crypto_rand(key, sizeof(key));
444 env1 = crypto_cipher_new(key);
445 tt_ptr_op(env1, OP_NE, NULL);
446 env2 = crypto_cipher_new(key);
447 tt_ptr_op(env2, OP_NE, NULL);
448
449 /* Try encrypting 512 chars. */
450 crypto_cipher_encrypt(env1, data2, data1, 512);
451 crypto_cipher_decrypt(env2, data3, data2, 512);
452 tt_mem_op(data1,OP_EQ, data3, 512);
453 tt_mem_op(data1,OP_NE, data2, 512);
454
455 /* Now encrypt 1 at a time, and get 1 at a time. */
456 for (j = 512; j < 560; ++j) {
457 crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
458 }
459 for (j = 512; j < 560; ++j) {
460 crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
461 }
462 tt_mem_op(data1,OP_EQ, data3, 560);
463 /* Now encrypt 3 at a time, and get 5 at a time. */
464 for (j = 560; j < 1024-5; j += 3) {
465 crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
466 }
467 for (j = 560; j < 1024-5; j += 5) {
468 crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
469 }
470 tt_mem_op(data1,OP_EQ, data3, 1024-5);
471 /* Now make sure that when we encrypt with different chunk sizes, we get
472 the same results. */
473 crypto_cipher_free(env2);
474 env2 = NULL;
475
476 memset(data3, 0, 1024);
477 env2 = crypto_cipher_new(key);
478 tt_ptr_op(env2, OP_NE, NULL);
479 for (j = 0; j < 1024-16; j += 17) {
480 crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
481 }
482 for (j= 0; j < 1024-16; ++j) {
483 if (data2[j] != data3[j]) {
484 printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]);
485 }
486 }
487 tt_mem_op(data2,OP_EQ, data3, 1024-16);
488 crypto_cipher_free(env1);
489 env1 = NULL;
490 crypto_cipher_free(env2);
491 env2 = NULL;
492
493 /* NIST test vector for aes. */
494 /* IV starts at 0 */
495 env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
496 "\x00\x00\x00\x00\x00\x00\x00\x00");
497 crypto_cipher_encrypt(env1, data1,
498 "\x00\x00\x00\x00\x00\x00\x00\x00"
499 "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
500 test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");
501
502 /* Now test rollover. All these values are originally from a python
503 * script. */
504 crypto_cipher_free(env1);
505 env1 = crypto_cipher_new_with_iv(
506 "\x80\x00\x00\x00\x00\x00\x00\x00"
507 "\x00\x00\x00\x00\x00\x00\x00\x00",
508 "\x00\x00\x00\x00\x00\x00\x00\x00"
509 "\xff\xff\xff\xff\xff\xff\xff\xff");
510 memset(data2, 0, 1024);
511 crypto_cipher_encrypt(env1, data1, data2, 32);
512 test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
513 "cdd0b917dbc7186908a6bfb5ffd574d3");
514 crypto_cipher_free(env1);
515 env1 = crypto_cipher_new_with_iv(
516 "\x80\x00\x00\x00\x00\x00\x00\x00"
517 "\x00\x00\x00\x00\x00\x00\x00\x00",
518 "\x00\x00\x00\x00\xff\xff\xff\xff"
519 "\xff\xff\xff\xff\xff\xff\xff\xff");
520 memset(data2, 0, 1024);
521 crypto_cipher_encrypt(env1, data1, data2, 32);
522 test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
523 "3e63c721df790d2c6469cc1953a3ffac");
524 crypto_cipher_free(env1);
525 env1 = crypto_cipher_new_with_iv(
526 "\x80\x00\x00\x00\x00\x00\x00\x00"
527 "\x00\x00\x00\x00\x00\x00\x00\x00",
528 "\xff\xff\xff\xff\xff\xff\xff\xff"
529 "\xff\xff\xff\xff\xff\xff\xff\xff");
530 memset(data2, 0, 1024);
531 crypto_cipher_encrypt(env1, data1, data2, 32);
532 test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
533 "0EDD33D3C621E546455BD8BA1418BEC8");
534
535 /* Now check rollover on inplace cipher. */
536 crypto_cipher_free(env1);
537 env1 = crypto_cipher_new_with_iv(
538 "\x80\x00\x00\x00\x00\x00\x00\x00"
539 "\x00\x00\x00\x00\x00\x00\x00\x00",
540 "\xff\xff\xff\xff\xff\xff\xff\xff"
541 "\xff\xff\xff\xff\xff\xff\xff\xff");
542 crypto_cipher_crypt_inplace(env1, data2, 64);
543 test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
544 "0EDD33D3C621E546455BD8BA1418BEC8"
545 "93e2c5243d6839eac58503919192f7ae"
546 "1908e67cafa08d508816659c2e693191");
547 crypto_cipher_free(env1);
548 env1 = crypto_cipher_new_with_iv(
549 "\x80\x00\x00\x00\x00\x00\x00\x00"
550 "\x00\x00\x00\x00\x00\x00\x00\x00",
551 "\xff\xff\xff\xff\xff\xff\xff\xff"
552 "\xff\xff\xff\xff\xff\xff\xff\xff");
553 crypto_cipher_crypt_inplace(env1, data2, 64);
554 tt_assert(tor_mem_is_zero(data2, 64));
555
556 done:
557 tor_free(mem_op_hex_tmp);
558 if (env1)
559 crypto_cipher_free(env1);
560 if (env2)
561 crypto_cipher_free(env2);
562 tor_free(data1);
563 tor_free(data2);
564 tor_free(data3);
565 }
566
567 static void
568 test_crypto_aes_ctr_testvec(void *arg)
569 {
570 const char *bitstr = arg;
571 char *mem_op_hex_tmp=NULL;
572 crypto_cipher_t *c=NULL;
573
574 /* from NIST SP800-38a, section F.5 */
575 const char ctr16[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
576 const char plaintext16[] =
577 "6bc1bee22e409f96e93d7e117393172a"
578 "ae2d8a571e03ac9c9eb76fac45af8e51"
579 "30c81c46a35ce411e5fbc1191a0a52ef"
580 "f69f2445df4f9b17ad2b417be66c3710";
581 const char *ciphertext16;
582 const char *key16;
583 int bits;
584
585 if (!strcmp(bitstr, "128")) {
586 ciphertext16 = /* section F.5.1 */
587 "874d6191b620e3261bef6864990db6ce"
588 "9806f66b7970fdff8617187bb9fffdff"
589 "5ae4df3edbd5d35e5b4f09020db03eab"
590 "1e031dda2fbe03d1792170a0f3009cee";
591 key16 = "2b7e151628aed2a6abf7158809cf4f3c";
592 bits = 128;
593 } else if (!strcmp(bitstr, "192")) {
594 ciphertext16 = /* section F.5.3 */
595 "1abc932417521ca24f2b0459fe7e6e0b"
596 "090339ec0aa6faefd5ccc2c6f4ce8e94"
597 "1e36b26bd1ebc670d1bd1d665620abf7"
598 "4f78a7f6d29809585a97daec58c6b050";
599 key16 = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b";
600 bits = 192;
601 } else if (!strcmp(bitstr, "256")) {
602 ciphertext16 = /* section F.5.5 */
603 "601ec313775789a5b7a7f504bbf3d228"
604 "f443e3ca4d62b59aca84e990cacaf5c5"
605 "2b0930daa23de94ce87017ba2d84988d"
606 "dfc9c58db67aada613c2dd08457941a6";
607 key16 =
608 "603deb1015ca71be2b73aef0857d7781"
609 "1f352c073b6108d72d9810a30914dff4";
610 bits = 256;
611 } else {
612 tt_abort_msg("AES doesn't support this number of bits.");
613 }
614
615 char key[32];
616 char iv[16];
617 char plaintext[16*4];
618 memset(key, 0xf9, sizeof(key)); /* poison extra bytes */
619 base16_decode(key, sizeof(key), key16, strlen(key16));
620 base16_decode(iv, sizeof(iv), ctr16, strlen(ctr16));
621 base16_decode(plaintext, sizeof(plaintext),
622 plaintext16, strlen(plaintext16));
623
624 c = crypto_cipher_new_with_iv_and_bits((uint8_t*)key, (uint8_t*)iv, bits);
625 crypto_cipher_crypt_inplace(c, plaintext, sizeof(plaintext));
626 test_memeq_hex(plaintext, ciphertext16);
627
628 done:
629 tor_free(mem_op_hex_tmp);
630 crypto_cipher_free(c);
631 }
632
633 /** Run unit tests for our SHA-1 functionality */
634 static void
635 test_crypto_sha(void *arg)
636 {
637 crypto_digest_t *d1 = NULL, *d2 = NULL;
638 int i;
639 #define RFC_4231_MAX_KEY_SIZE 131
640 char key[RFC_4231_MAX_KEY_SIZE];
641 char digest[DIGEST256_LEN];
642 char data[DIGEST512_LEN];
643 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
644 char *mem_op_hex_tmp=NULL;
645
646 /* Test SHA-1 with a test vector from the specification. */
647 (void)arg;
648 i = crypto_digest(data, "abc", 3);
649 test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
650 tt_int_op(i, OP_EQ, 0);
651
652 /* Test SHA-256 with a test vector from the specification. */
653 i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
654 test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
655 "96177A9CB410FF61F20015AD");
656 tt_int_op(i, OP_EQ, 0);
657
658 /* Test SHA-512 with a test vector from the specification. */
659 i = crypto_digest512(data, "abc", 3, DIGEST_SHA512);
660 test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
661 "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
662 "feebbd454d4423643ce80e2a9ac94fa54ca49f");
663 tt_int_op(i, OP_EQ, 0);
664
665 /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
666
667 /* Case empty (wikipedia) */
668 crypto_hmac_sha256(digest, "", 0, "", 0);
669 tt_str_op(hex_str(digest, 32),OP_EQ,
670 "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
671
672 /* Case quick-brown (wikipedia) */
673 crypto_hmac_sha256(digest, "key", 3,
674 "The quick brown fox jumps over the lazy dog", 43);
675 tt_str_op(hex_str(digest, 32),OP_EQ,
676 "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
677
678 /* "Test Case 1" from RFC 4231 */
679 memset(key, 0x0b, 20);
680 crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
681 test_memeq_hex(digest,
682 "b0344c61d8db38535ca8afceaf0bf12b"
683 "881dc200c9833da726e9376c2e32cff7");
684
685 /* "Test Case 2" from RFC 4231 */
686 memset(key, 0x0b, 20);
687 crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
688 test_memeq_hex(digest,
689 "5bdcc146bf60754e6a042426089575c7"
690 "5a003f089d2739839dec58b964ec3843");
691
692 /* "Test case 3" from RFC 4231 */
693 memset(key, 0xaa, 20);
694 memset(data, 0xdd, 50);
695 crypto_hmac_sha256(digest, key, 20, data, 50);
696 test_memeq_hex(digest,
697 "773ea91e36800e46854db8ebd09181a7"
698 "2959098b3ef8c122d9635514ced565fe");
699
700 /* "Test case 4" from RFC 4231 */
701 base16_decode(key, 25,
702 "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
703 memset(data, 0xcd, 50);
704 crypto_hmac_sha256(digest, key, 25, data, 50);
705 test_memeq_hex(digest,
706 "82558a389a443c0ea4cc819899f2083a"
707 "85f0faa3e578f8077a2e3ff46729665b");
708
709 /* "Test case 5" from RFC 4231 */
710 memset(key, 0x0c, 20);
711 crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
712 test_memeq_hex(digest,
713 "a3b6167473100ee06e0c796c2955552b");
714
715 /* "Test case 6" from RFC 4231 */
716 memset(key, 0xaa, 131);
717 crypto_hmac_sha256(digest, key, 131,
718 "Test Using Larger Than Block-Size Key - Hash Key First",
719 54);
720 test_memeq_hex(digest,
721 "60e431591ee0b67f0d8a26aacbf5b77f"
722 "8e0bc6213728c5140546040f0ee37f54");
723
724 /* "Test case 7" from RFC 4231 */
725 memset(key, 0xaa, 131);
726 crypto_hmac_sha256(digest, key, 131,
727 "This is a test using a larger than block-size key and a "
728 "larger than block-size data. The key needs to be hashed "
729 "before being used by the HMAC algorithm.", 152);
730 test_memeq_hex(digest,
731 "9b09ffa71b942fcb27635fbcd5b0e944"
732 "bfdc63644f0713938a7f51535c3a35e2");
733
734 /* Incremental digest code. */
735 d1 = crypto_digest_new();
736 tt_assert(d1);
737 crypto_digest_add_bytes(d1, "abcdef", 6);
738 d2 = crypto_digest_dup(d1);
739 tt_assert(d2);
740 crypto_digest_add_bytes(d2, "ghijkl", 6);
741 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
742 crypto_digest(d_out2, "abcdefghijkl", 12);
743 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
744 crypto_digest_assign(d2, d1);
745 crypto_digest_add_bytes(d2, "mno", 3);
746 crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
747 crypto_digest(d_out2, "abcdefmno", 9);
748 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
749 crypto_digest_get_digest(d1, d_out1, DIGEST_LEN);
750 crypto_digest(d_out2, "abcdef", 6);
751 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
752 crypto_digest_free(d1);
753 crypto_digest_free(d2);
754
755 /* Incremental digest code with sha256 */
756 d1 = crypto_digest256_new(DIGEST_SHA256);
757 tt_assert(d1);
758 crypto_digest_add_bytes(d1, "abcdef", 6);
759 d2 = crypto_digest_dup(d1);
760 tt_assert(d2);
761 crypto_digest_add_bytes(d2, "ghijkl", 6);
762 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
763 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
764 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
765 crypto_digest_assign(d2, d1);
766 crypto_digest_add_bytes(d2, "mno", 3);
767 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
768 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
769 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
770 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
771 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
772 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
773 crypto_digest_free(d1);
774 crypto_digest_free(d2);
775
776 /* Incremental digest code with sha512 */
777 d1 = crypto_digest512_new(DIGEST_SHA512);
778 tt_assert(d1);
779 crypto_digest_add_bytes(d1, "abcdef", 6);
780 d2 = crypto_digest_dup(d1);
781 tt_assert(d2);
782 crypto_digest_add_bytes(d2, "ghijkl", 6);
783 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
784 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512);
785 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
786 crypto_digest_assign(d2, d1);
787 crypto_digest_add_bytes(d2, "mno", 3);
788 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
789 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512);
790 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
791 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
792 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512);
793 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
794
795 done:
796 if (d1)
797 crypto_digest_free(d1);
798 if (d2)
799 crypto_digest_free(d2);
800 tor_free(mem_op_hex_tmp);
801 }
802
803 static void
804 test_crypto_sha3(void *arg)
805 {
806 crypto_digest_t *d1 = NULL, *d2 = NULL;
807 int i;
808 char data[DIGEST512_LEN];
809 char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
810 char *mem_op_hex_tmp=NULL;
811 char *large = NULL;
812
813 (void)arg;
814
815 /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
816 *
817 * NB: The code package's test vectors have length expressed in bits.
818 */
819
820 /* Len = 8, Msg = CC */
821 const uint8_t keccak_kat_msg8[] = { 0xcc };
822 i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
823 test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
824 "6252BB7CE180B00B582DD9B20AAAD7F0");
825 tt_int_op(i, OP_EQ, 0);
826 i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
827 test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
828 "C36E2EE0F652AC72E02624FA2E5ADEEC"
829 "C7DD6BB3580224B4D6138706FC6E8059"
830 "7B528051230B00621CC2B22999EAA205");
831 tt_int_op(i, OP_EQ, 0);
832
833 /* Len = 24, Msg = 1F877C */
834 const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
835 i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3,
836 DIGEST_SHA3_256);
837 test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
838 "C9C966712A501B19D1B6632CCD408EC5");
839 tt_int_op(i, OP_EQ, 0);
840 i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3,
841 DIGEST_SHA3_512);
842 test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
843 "1A2F0D0608C3A575163751F002DB30F4"
844 "0F2F671834B22D208591CFAF1F5ECFE4"
845 "3C49863A53B3225BDFD7C6591BA7658B");
846 tt_int_op(i, OP_EQ, 0);
847
848 /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
849 const uint8_t keccak_kat_msg1080[] = {
850 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
851 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
852 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
853 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
854 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
855 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
856 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
857 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
858 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
859 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
860 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
861 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
862 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
863 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
864 };
865 i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135,
866 DIGEST_SHA3_256);
867 test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
868 "BE9B7C736B8059ABFD6779AC35AC81B5");
869 tt_int_op(i, OP_EQ, 0);
870 i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135,
871 DIGEST_SHA3_512);
872 test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
873 "CB78696773A212A5F62D02D14E3259D1"
874 "92A87EBA4407DD83893527331407B6DA"
875 "DAAD920DBC46489B677493CE5F20B595");
876 tt_int_op(i, OP_EQ, 0);
877
878 /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
879 const uint8_t keccak_kat_msg1088[] = {
880 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
881 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
882 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
883 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
884 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
885 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
886 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
887 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
888 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
889 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
890 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
891 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
892 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
893 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
894 };
895 i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136,
896 DIGEST_SHA3_256);
897 test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
898 "77B5286364FE16C59CC8A907AFF07732");
899 tt_int_op(i, OP_EQ, 0);
900 i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136,
901 DIGEST_SHA3_512);
902 test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
903 "FB94A14C72DE5ACD10D0EB5ECE029CAD"
904 "FA3BA17A40B2FFA2163991B17786E51C"
905 "ABA79E5E0FFD34CF085E2A098BE8BACB");
906 tt_int_op(i, OP_EQ, 0);
907
908 /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
909 const uint8_t keccak_kat_msg1096[] = {
910 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
911 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
912 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
913 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
914 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
915 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
916 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
917 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
918 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
919 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
920 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
921 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
922 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
923 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
924 };
925 i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137,
926 DIGEST_SHA3_256);
927 test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
928 "735E0177279222E7AC0AF8504762FAA0");
929 tt_int_op(i, OP_EQ, 0);
930 i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137,
931 DIGEST_SHA3_512);
932 test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
933 "40474041DE83D4A60645A826D7AF1ABE"
934 "1EEFCB7B74B62CA6A514E5F2697D585B"
935 "FECECE12931BBE1D4ED7EBF7B0BE660E");
936 tt_int_op(i, OP_EQ, 0);
937
938 /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
939 const uint8_t keccak_kat_msg1144[] = {
940 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
941 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
942 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
943 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
944 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
945 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
946 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
947 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
948 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
949 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
950 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
951 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
952 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
953 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
954 0xDF, 0xAF, 0xEC,
955 };
956 i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143,
957 DIGEST_SHA3_512);
958 test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
959 "605516615D96A062C8BE53A0D6C5A648"
960 "7BE35D2A8F3CF6620D0C2DBA2C560D68"
961 "295F284BE7F82F3B92919033C9CE5D80");
962 tt_int_op(i, OP_EQ, 0);
963 i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143,
964 DIGEST_SHA3_256);
965 test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
966 "118C0C2C606BDCDA06E7943D2C95E0E5");
967 tt_int_op(i, OP_EQ, 0);
968
969 /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
970 const uint8_t keccak_kat_msg1152[] = {
971 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
972 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
973 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
974 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
975 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
976 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
977 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
978 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
979 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
980 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
981 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
982 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
983 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
984 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
985 0x9E, 0xE0, 0x0C, 0x63,
986 };
987 i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144,
988 DIGEST_SHA3_512);
989 test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
990 "22775DCB6019DCD22B8885994672A088"
991 "9C69E8115C641DC8B83E39F7311815A1"
992 "64DC46E0BA2FCA344D86D4BC2EF2532C");
993 tt_int_op(i, OP_EQ, 0);
994 i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144,
995 DIGEST_SHA3_256);
996 test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
997 "84DA47678F3C2FFE5A39FDB5F7E63FFB");
998 tt_int_op(i, OP_EQ, 0);
999
1000 /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
1001 const uint8_t keccak_kat_msg1160[] = {
1002 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
1003 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
1004 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
1005 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
1006 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
1007 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
1008 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
1009 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
1010 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
1011 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
1012 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
1013 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
1014 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
1015 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
1016 0x70, 0x11, 0x04, 0x4C, 0x53,
1017 };
1018 i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145,
1019 DIGEST_SHA3_512);
1020 test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
1021 "05221AC5EFB1229842E4614F4A029C9B"
1022 "D14A0ED7FD99AF3681429F3F309FDB53"
1023 "166AA9A3CD9F1F1223D04B4A9015E94A");
1024 tt_int_op(i, OP_EQ, 0);
1025 i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145,
1026 DIGEST_SHA3_256);
1027 test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
1028 "3CF6235C6B0B7969342C45A35194B67E");
1029 tt_int_op(i, OP_EQ, 0);
1030
1031 /* SHA3-[256,512] Empty case (wikipedia) */
1032 i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
1033 test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
1034 "f580ff4de43b49fa82d80a4b80f8434a");
1035 tt_int_op(i, OP_EQ, 0);
1036 i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
1037 test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
1038 "97c982164fe25859e0d1dcc1475c80a6"
1039 "15b2123af1f5f94c11e3e9402c3ac558"
1040 "f500199d95b6d3e301758586281dcd26");
1041 tt_int_op(i, OP_EQ, 0);
1042
1043 /* Incremental digest code with SHA3-256 */
1044 d1 = crypto_digest256_new(DIGEST_SHA3_256);
1045 tt_assert(d1);
1046 crypto_digest_add_bytes(d1, "abcdef", 6);
1047 d2 = crypto_digest_dup(d1);
1048 tt_assert(d2);
1049 crypto_digest_add_bytes(d2, "ghijkl", 6);
1050 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
1051 crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
1052 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
1053 crypto_digest_assign(d2, d1);
1054 crypto_digest_add_bytes(d2, "mno", 3);
1055 crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
1056 crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
1057 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
1058 crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
1059 crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
1060 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
1061 crypto_digest_free(d1);
1062 crypto_digest_free(d2);
1063
1064 /* Incremental digest code with SHA3-512 */
1065 d1 = crypto_digest512_new(DIGEST_SHA3_512);
1066 tt_assert(d1);
1067 crypto_digest_add_bytes(d1, "abcdef", 6);
1068 d2 = crypto_digest_dup(d1);
1069 tt_assert(d2);
1070 crypto_digest_add_bytes(d2, "ghijkl", 6);
1071 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
1072 crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512);
1073 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
1074 crypto_digest_assign(d2, d1);
1075 crypto_digest_add_bytes(d2, "mno", 3);
1076 crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
1077 crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512);
1078 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
1079 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
1080 crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512);
1081 tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
1082 crypto_digest_free(d1);
1083
1084 /* Attempt to exercise the incremental hashing code by creating a randomized
1085 * 30 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512
1086 * is used because it has a lowest rate of the family (the code is common,
1087 * but the slower rate exercises more of it).
1088 */
1089 const size_t bufsz = 30 * 1024;
1090 size_t j = 0;
1091 large = tor_malloc(bufsz);
1092 crypto_rand(large, bufsz);
1093 d1 = crypto_digest512_new(DIGEST_SHA3_512); /* Running digest. */
1094 while (j < bufsz) {
1095 /* Pick how much data to add to the running digest. */
1096 size_t incr = (size_t)crypto_rand_int_range(1, 72 * 5);
1097 incr = MIN(bufsz - j, incr);
1098
1099 /* Add the data, and calculate the hash. */
1100 crypto_digest_add_bytes(d1, large + j, incr);
1101 crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
1102
1103 /* One-shot hash the buffer up to the data that was just added,
1104 * and ensure that the values match up.
1105 *
1106 * XXX/yawning: If this actually fails, it'll be rather difficult to
1107 * reproduce. Improvements welcome.
1108 */
1109 i = crypto_digest512(d_out2, large, j + incr, DIGEST_SHA3_512);
1110 tt_int_op(i, OP_EQ, 0);
1111 tt_mem_op(d_out1, OP_EQ, d_out2, DIGEST512_LEN);
1112
1113 j += incr;
1114 }
1115
1116 done:
1117 if (d1)
1118 crypto_digest_free(d1);
1119 if (d2)
1120 crypto_digest_free(d2);
1121 tor_free(large);
1122 tor_free(mem_op_hex_tmp);
1123 }
1124
1125 /** Run unit tests for our XOF. */
1126 static void
1127 test_crypto_sha3_xof(void *arg)
1128 {
1129 uint8_t msg[255];
1130 uint8_t out[512];
1131 crypto_xof_t *xof;
1132 char *mem_op_hex_tmp=NULL;
1133
1134 (void)arg;
1135
1136 /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */
1137 base16_decode((char *)msg, 255,
1138 "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431"
1139 "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1"
1140 "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F"
1141 "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457"
1142 "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186"
1143 "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3"
1144 "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565"
1145 "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7"
1146 "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510);
1147 const char *squeezed_hex =
1148 "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE"
1149 "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A"
1150 "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84"
1151 "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF"
1152 "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60"
1153 "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9"
1154 "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34"
1155 "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF"
1156 "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90"
1157 "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC"
1158 "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18"
1159 "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775"
1160 "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B"
1161 "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2"
1162 "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78"
1163 "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9"
1164 "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39"
1165 "73D4";
1166
1167 /* Test oneshot absorb/squeeze. */
1168 xof = crypto_xof_new();
1169 tt_assert(xof);
1170 crypto_xof_add_bytes(xof, msg, sizeof(msg));
1171 crypto_xof_squeeze_bytes(xof, out, sizeof(out));
1172 test_memeq_hex(out, squeezed_hex);
1173 crypto_xof_free(xof);
1174 memset(out, 0, sizeof(out));
1175
1176 /* Test incremental absorb/squeeze. */
1177 xof = crypto_xof_new();
1178 tt_assert(xof);
1179 for (size_t i = 0; i < sizeof(msg); i++)
1180 crypto_xof_add_bytes(xof, msg + i, 1);
1181 for (size_t i = 0; i < sizeof(out); i++)
1182 crypto_xof_squeeze_bytes(xof, out + i, 1);
1183 test_memeq_hex(out, squeezed_hex);
1184
1185 done:
1186 if (xof)
1187 crypto_xof_free(xof);
1188 tor_free(mem_op_hex_tmp);
1189 }
1190
1191 /* Test our MAC-SHA3 function. There are not actually any MAC-SHA3 test
1192 * vectors out there for our H(len(k) || k || m) construction. Hence what we
1193 * are gonna do is test our crypto_mac_sha3_256() function against manually
1194 * doing H(len(k) || k||m). If in the future the Keccak group decides to
1195 * standarize an MAC construction and make test vectors, we should
1196 * incorporate them here. */
1197 static void
1198 test_crypto_mac_sha3(void *arg)
1199 {
1200 const char msg[] = "i am in a library somewhere using my computer";
1201 const char key[] = "i'm from the past talking to the future.";
1202
1203 uint8_t hmac_test[DIGEST256_LEN];
1204 char hmac_manual[DIGEST256_LEN];
1205
1206 (void) arg;
1207
1208 /* First let's use our nice HMAC-SHA3 function */
1209 crypto_mac_sha3_256(hmac_test, sizeof(hmac_test),
1210 (uint8_t *) key, strlen(key),
1211 (uint8_t *) msg, strlen(msg));
1212
1213 /* Now let's try a manual H(len(k) || k || m) construction */
1214 {
1215 char *key_msg_concat = NULL, *all = NULL;
1216 int result;
1217 const uint64_t key_len_netorder = tor_htonll(strlen(key));
1218 size_t all_len;
1219
1220 tor_asprintf(&key_msg_concat, "%s%s", key, msg);
1221 all_len = sizeof(key_len_netorder) + strlen(key_msg_concat);
1222 all = tor_malloc_zero(all_len);
1223 memcpy(all, &key_len_netorder, sizeof(key_len_netorder));
1224 memcpy(all + sizeof(key_len_netorder), key_msg_concat,
1225 strlen(key_msg_concat));
1226
1227 result = crypto_digest256(hmac_manual, all, all_len, DIGEST_SHA3_256);
1228 tor_free(key_msg_concat);
1229 tor_free(all);
1230 tt_int_op(result, OP_EQ, 0);
1231 }
1232
1233 /* Now compare the two results */
1234 tt_mem_op(hmac_test, OP_EQ, hmac_manual, DIGEST256_LEN);
1235
1236 done: ;
1237 }
1238
1239 /** Run unit tests for our public key crypto functions */
1240 static void
1241 test_crypto_pk(void *arg)
1242 {
1243 crypto_pk_t *pk1 = NULL, *pk2 = NULL;
1244 char *encoded = NULL;
1245 char data1[1024], data2[1024], data3[1024];
1246 size_t size;
1247 int i, len;
1248
1249 /* Public-key ciphers */
1250 (void)arg;
1251 pk1 = pk_generate(0);
1252 pk2 = crypto_pk_new();
1253 tt_assert(pk1 && pk2);
1254 tt_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size));
1255 tt_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size));
1256 tt_int_op(0,OP_EQ, crypto_pk_cmp_keys(pk1, pk2));
1257
1258 /* comparison between keys and NULL */
1259 tt_int_op(crypto_pk_cmp_keys(NULL, pk1), OP_LT, 0);
1260 tt_int_op(crypto_pk_cmp_keys(NULL, NULL), OP_EQ, 0);
1261 tt_int_op(crypto_pk_cmp_keys(pk1, NULL), OP_GT, 0);
1262
1263 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk1));
1264 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk1));
1265 tt_int_op(128,OP_EQ, crypto_pk_keysize(pk2));
1266 tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk2));
1267
1268 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk2, data1, sizeof(data1),
1269 "Hello whirled.", 15,
1270 PK_PKCS1_OAEP_PADDING));
1271 tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk1, data2, sizeof(data1),
1272 "Hello whirled.", 15,
1273 PK_PKCS1_OAEP_PADDING));
1274 /* oaep padding should make encryption not match */
1275 tt_mem_op(data1,OP_NE, data2, 128);
1276 tt_int_op(15,OP_EQ,
1277 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128,
1278 PK_PKCS1_OAEP_PADDING,1));
1279 tt_str_op(data3,OP_EQ, "Hello whirled.");
1280 memset(data3, 0, 1024);
1281 tt_int_op(15,OP_EQ,
1282 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1283 PK_PKCS1_OAEP_PADDING,1));
1284 tt_str_op(data3,OP_EQ, "Hello whirled.");
1285 /* Can't decrypt with public key. */
1286 tt_int_op(-1,OP_EQ,
1287 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128,
1288 PK_PKCS1_OAEP_PADDING,1));
1289 /* Try again with bad padding */
1290 memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
1291 tt_int_op(-1,OP_EQ,
1292 crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1293 PK_PKCS1_OAEP_PADDING,1));
1294
1295 /* File operations: save and load private key */
1296 tt_assert(! crypto_pk_write_private_key_to_filename(pk1,
1297 get_fname("pkey1")));
1298 /* failing case for read: can't read. */
1299 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1300 OP_LT, 0);
1301 write_str_to_file(get_fname("xyzzy"), "foobar", 6);
1302 /* Failing case for read: no key. */
1303 tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1304 OP_LT, 0);
1305 tt_assert(! crypto_pk_read_private_key_from_filename(pk2,
1306 get_fname("pkey1")));
1307 tt_int_op(15,OP_EQ,
1308 crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128,
1309 PK_PKCS1_OAEP_PADDING,1));
1310
1311 /* Now try signing. */
1312 strlcpy(data1, "Ossifrage", 1024);
1313 tt_int_op(128,OP_EQ,
1314 crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10));
1315 tt_int_op(10,OP_EQ,
1316 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1317 tt_str_op(data3,OP_EQ, "Ossifrage");
1318 /* Try signing digests. */
1319 tt_int_op(128,OP_EQ, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2),
1320 data1, 10));
1321 tt_int_op(20,OP_EQ,
1322 crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1323 tt_int_op(0,OP_EQ,
1324 crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128));
1325 tt_int_op(-1,OP_EQ,
1326 crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128));
1327
1328 /*XXXX test failed signing*/
1329
1330 /* Try encoding */
1331 crypto_pk_free(pk2);
1332 pk2 = NULL;
1333 i = crypto_pk_asn1_encode(pk1, data1, 1024);
1334 tt_int_op(i, OP_GT, 0);
1335 pk2 = crypto_pk_asn1_decode(data1, i);
1336 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1337
1338 /* Try with hybrid encryption wrappers. */
1339 crypto_rand(data1, 1024);
1340 for (i = 85; i < 140; ++i) {
1341 memset(data2,0,1024);
1342 memset(data3,0,1024);
1343 len = crypto_pk_obsolete_public_hybrid_encrypt(pk1,data2,sizeof(data2),
1344 data1,i,PK_PKCS1_OAEP_PADDING,0);
1345 tt_int_op(len, OP_GE, 0);
1346 len = crypto_pk_obsolete_private_hybrid_decrypt(pk1,data3,sizeof(data3),
1347 data2,len,PK_PKCS1_OAEP_PADDING,1);
1348 tt_int_op(len,OP_EQ, i);
1349 tt_mem_op(data1,OP_EQ, data3,i);
1350 }
1351
1352 /* Try copy_full */
1353 crypto_pk_free(pk2);
1354 pk2 = crypto_pk_copy_full(pk1);
1355 tt_ptr_op(pk2, OP_NE, NULL);
1356 tt_ptr_op(pk1, OP_NE, pk2);
1357 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1358
1359 done:
1360 if (pk1)
1361 crypto_pk_free(pk1);
1362 if (pk2)
1363 crypto_pk_free(pk2);
1364 tor_free(encoded);
1365 }
1366
1367 static void
1368 test_crypto_pk_fingerprints(void *arg)
1369 {
1370 crypto_pk_t *pk = NULL;
1371 char encoded[512];
1372 char d[DIGEST_LEN], d2[DIGEST_LEN];
1373 char fingerprint[FINGERPRINT_LEN+1];
1374 int n;
1375 unsigned i;
1376 char *mem_op_hex_tmp=NULL;
1377
1378 (void)arg;
1379
1380 pk = pk_generate(1);
1381 tt_assert(pk);
1382 n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded));
1383 tt_int_op(n, OP_GT, 0);
1384 tt_int_op(n, OP_GT, 128);
1385 tt_int_op(n, OP_LT, 256);
1386
1387 /* Is digest as expected? */
1388 crypto_digest(d, encoded, n);
1389 tt_int_op(0, OP_EQ, crypto_pk_get_digest(pk, d2));
1390 tt_mem_op(d,OP_EQ, d2, DIGEST_LEN);
1391
1392 /* Is fingerprint right? */
1393 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 0));
1394 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1395 test_memeq_hex(d, fingerprint);
1396
1397 /* Are spaces right? */
1398 tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 1));
1399 for (i = 4; i < strlen(fingerprint); i += 5) {
1400 tt_int_op(fingerprint[i], OP_EQ, ' ');
1401 }
1402 tor_strstrip(fingerprint, " ");
1403 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1404 test_memeq_hex(d, fingerprint);
1405
1406 /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
1407 crypto_digest(d2, d, sizeof(d));
1408 tt_int_op(0, OP_EQ, crypto_pk_get_hashed_fingerprint(pk, fingerprint));
1409 tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1410 test_memeq_hex(d2, fingerprint);
1411
1412 done:
1413 crypto_pk_free(pk);
1414 tor_free(mem_op_hex_tmp);
1415 }
1416
1417 static void
1418 test_crypto_pk_base64(void *arg)
1419 {
1420 crypto_pk_t *pk1 = NULL;
1421 crypto_pk_t *pk2 = NULL;
1422 char *encoded = NULL;
1423
1424 (void)arg;
1425
1426 /* Test Base64 encoding a key. */
1427 pk1 = pk_generate(0);
1428 tt_assert(pk1);
1429 tt_int_op(0, OP_EQ, crypto_pk_base64_encode_private(pk1, &encoded));
1430 tt_assert(encoded);
1431
1432 /* Test decoding a valid key. */
1433 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded));
1434 tt_assert(pk2);
1435 tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1436 crypto_pk_free(pk2);
1437
1438 /* Test decoding a invalid key (not Base64). */
1439 static const char *invalid_b64 = "The key is in another castle!";
1440 pk2 = crypto_pk_base64_decode_private(invalid_b64, strlen(invalid_b64));
1441 tt_ptr_op(pk2, OP_EQ, NULL);
1442
1443 /* Test decoding a truncated Base64 blob. */
1444 pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded)/2);
1445 tt_ptr_op(pk2, OP_EQ, NULL);
1446
1447 done:
1448 crypto_pk_free(pk1);
1449 crypto_pk_free(pk2);
1450 tor_free(encoded);
1451 }
1452
1453 static void
1454 test_crypto_pk_pem_encrypted(void *arg)
1455 {
1456 crypto_pk_t *pk = NULL;
1457 (void)arg;
1458
1459 pk = crypto_pk_new();
1460 /* we need to make sure that we won't stall if somebody gives us a key
1461 that's encrypted with a password. */
1462 {
1463 const char *s =
1464 "-----BEGIN RSA PRIVATE KEY-----\n"
1465 "Proc-Type: 4,ENCRYPTED\n"
1466 "DEK-Info: AES-128-CBC,EFA86BB9D2AB11E80B4E3DCD97782B16\n"
1467 "\n"
1468 "Z2Je4m0cFepc6coQkVbGcvNCHxTf941N2XYEVE6kn0CqWqoUH4tlwV6for5D91np\n"
1469 "5NiEFTkWj31EhrvrYcuiJtQ/iEbABxZULFWFeJ058rb+1izBz5rScqnEacIS/3Go\n"
1470 "YntnROBDwiKmUnue6PJVYg==\n"
1471 "-----END RSA PRIVATE KEY-----\n";
1472 tt_int_op(-1, OP_EQ,
1473 crypto_pk_read_private_key_from_string(pk, s, strlen(s)));
1474 }
1475 /* For fun, make sure we aren't hit by OpenSSL issue
1476 https://github.com/openssl/openssl/issues/6347 , where we get in trouble
1477 if a cipher doesn't use an IV.
1478 */
1479 {
1480 const char *s =
1481 "-----BEGIN RSA PUBLIC KEY-----\n"
1482 "Proc-Type:4,ENCRYPTED\n"
1483 "DEK-Info:des-ede -\n"
1484 "\n"
1485 "iRqK\n"
1486 "-----END RSA PUBLIC KEY-----\n";
1487 tt_int_op(-1, OP_EQ,
1488 crypto_pk_read_public_key_from_string(pk, s, strlen(s)));
1489 }
1490 done:
1491 crypto_pk_free(pk);
1492 }
1493
1494 static void
1495 test_crypto_pk_bad_size(void *arg)
1496 {
1497 (void)arg;
1498 crypto_pk_t *pk1 = pk_generate(0);
1499 crypto_pk_t *pk2 = NULL;
1500 char buf[2048];
1501 int n = crypto_pk_asn1_encode_private(pk1, buf, sizeof(buf));
1502 tt_int_op(n, OP_GT, 0);
1503
1504 /* Set the max bit count smaller: we should refuse to decode the key.*/
1505 pk2 = crypto_pk_asn1_decode_private(buf, n, 1020);
1506 tt_assert(! pk2);
1507
1508 /* Set the max bit count one bit smaller: we should refuse to decode the
1509 key.*/
1510 pk2 = crypto_pk_asn1_decode_private(buf, n, 1023);
1511 tt_assert(! pk2);
1512
1513 /* Correct size: should work. */
1514 pk2 = crypto_pk_asn1_decode_private(buf, n, 1024);
1515 tt_assert(pk2);
1516 crypto_pk_free(pk2);
1517
1518 /* One bit larger: should work. */
1519 pk2 = crypto_pk_asn1_decode_private(buf, n, 1025);
1520 tt_assert(pk2);
1521 crypto_pk_free(pk2);
1522
1523 /* Set the max bit count larger: it should decode fine. */
1524 pk2 = crypto_pk_asn1_decode_private(buf, n, 2048);
1525 tt_assert(pk2);
1526
1527 done:
1528 crypto_pk_free(pk1);
1529 crypto_pk_free(pk2);
1530 }
1531
1532 static void
1533 test_crypto_pk_invalid_private_key(void *arg)
1534 {
1535 (void)arg;
1536 /* Here is a simple invalid private key: it was produced by making
1537 * a regular private key, and then adding 2 to the modulus. */
1538 const char pem[] =
1539 "-----BEGIN RSA PRIVATE KEY-----\n"
1540 "MIIEpQIBAAKCAQEAskRyZrs+YAukvBmZlgo6/rCxyKF2xyUk073ap+2CgRUnSfGG\n"
1541 "mflHlzqVq7tpH50DafpS+fFAbaEaNV/ac20QG0rUZi38HTB4qURWOu6n0Bws6E4l\n"
1542 "UX/AkvDlWnuYH0pHHi2c3DGNFjwoJpjKuUTk+cRffVR8X3Kjr62SUDUaBNW0Kecz\n"
1543 "3SYLbmgmZI16dFZ+g9sNM3znXZbhvb33WwPqpZSSPs37cPgF7eS6mAw/gUMx6zfE\n"
1544 "HRmUnOQSzUdS05rvc/hsiCLhiIZ8hgfkD07XnTT1Ds8DwE55k7BUWY2wvwWCNLsH\n"
1545 "qtqAxTr615XdkMxVkYgImpqPybarpfNYhFqkOwIDAQABAoIBACPC3VxEdbfYvhxJ\n"
1546 "2mih9sG++nswAN7kUaX0cRe86rAwaShJPmJHApiQ1ROVTfpciiHJaLnhLraPWe2Z\n"
1547 "I/6Bw3hmI4O399p3Lc1u+wlpdNqnvE6B1rSptx0DHE9xecvVH70rE0uM2Su7t6Y+\n"
1548 "gnR2IKUGQs2mlCilm7aTUEWs0WJkkl4CG1dyxItuOSdNBjOEzXimJyiB10jEBFsp\n"
1549 "SZeCF2FZ7AJbck5CVC42+oTsiDbZrHTHOn7v26rFGdONeHD1wOI1v7JwHFpCB923\n"
1550 "aEHBzsPbMeq7DWG1rjzCYpcXHhTDBDBWSia4SEhyr2Nl7m7qxWWWwR+x4dqAj3rD\n"
1551 "HeTmos0CgYEA6uf1CLpjPpOs5IaW1DQI8dJA/xFEAC/6GVgq4nFOGHZrm8G3L5o+\n"
1552 "qvtQNMpDs2naWuZpqROFqv24o01DykHygR72GlPIY6uvmmf5tvJLoGnbFUay33L4\n"
1553 "7b9dkNhuEIBNPzVDie0pgS77WgaPbYkVv5fnDwgPuVnkqfakEt7Pz2MCgYEAwkZ5\n"
1554 "R1wLuTQEA2Poo6Gf4L8Bg6yNYI46LHDqDIs818iYLjtcnEEvbPfaoKNpOn7s7s4O\n"
1555 "Pc+4HnT1aIQs0IKVLRTp+5a/9wfOkPZnobWOUHZk9UzBL3Hc1uy/qhp93iE3tSzx\n"
1556 "v0O1pvR+hr3guTCZx8wZnDvaMgG3hlyPnVlHdrMCgYEAzQQxGbMC1ySv6quEjCP2\n"
1557 "AogMbhE1lixJTUFj/EoDbNo9xKznIkauly/Lqqc1OysRhfA/G2+MY9YZBX1zwtyX\n"
1558 "uBW7mPKynDrFgi9pBECnvJNmwET57Ic9ttIj6Tzbos83nAjyrzgr1zGX8dRz7ZeN\n"
1559 "QbBj2vygLJbGOYinXkjUeh0CgYEAhN5aF9n2EqZmkEMGWtMxWy6HRJ0A3Cap1rcq\n"
1560 "+4VHCXWhzwy+XAeg/e/N0MuyLlWcif7XcqLcE8h+BwtO8xQ8HmcNWApUJAls12wO\n"
1561 "mGRpftJaXgIupdpD5aJpu1b++qrRRNIGTH9sf1D8L/8w8LcylZkbcuTkaAsQj45C\n"
1562 "kqT64U0CgYEAq47IKS6xc3CDc17BqExR6t+1yRe+4ml+z1zcVbfUKony4pGvl1yo\n"
1563 "rk0IYDN5Vd8h5xtXrkPdX9h+ywmohnelDKsayEuE+opyqEpSU4/96Bb22RZUoucb\n"
1564 "LWkV5gZx5hFnDFtEd4vadMIiY4jVv/3JqiZDKwMVBJKlHRXJEEmIEBk=\n"
1565 "-----END RSA PRIVATE KEY-----\n";
1566
1567 crypto_pk_t *pk = NULL;
1568
1569 pk = crypto_pk_new();
1570 setup_capture_of_logs(LOG_WARN);
1571 tt_int_op(-1, OP_EQ,
1572 crypto_pk_read_private_key_from_string(pk, pem, strlen(pem)));
1573 #ifdef ENABLE_NSS
1574 expect_single_log_msg_containing("received bad data");
1575 #else
1576 expect_single_log_msg_containing("while checking RSA key");
1577 #endif
1578 done:
1579 teardown_capture_of_logs();
1580 crypto_pk_free(pk);
1581 }
1582
1583 #ifdef HAVE_TRUNCATE
1584 #define do_truncate truncate
1585 #else
1586 static int
1587 do_truncate(const char *fname, size_t len)
1588 {
1589 struct stat st;
1590 char *bytes;
1591
1592 bytes = read_file_to_str(fname, RFTS_BIN, &st);
1593 if (!bytes)
1594 return -1;
1595 /* This cast isn't so great, but it should be safe given the actual files
1596 * and lengths we're using. */
1597 if (st.st_size < (off_t)len)
1598 len = MIN(len, (size_t)st.st_size);
1599
1600 int r = write_bytes_to_file(fname, bytes, len, 1);
1601 tor_free(bytes);
1602 return r;
1603 }
1604 #endif /* defined(HAVE_TRUNCATE) */
1605
1606 /** Sanity check for crypto pk digests */
1607 static void
1608 test_crypto_digests(void *arg)
1609 {
1610 crypto_pk_t *k = NULL;
1611 ssize_t r;
1612 common_digests_t pkey_digests;
1613 char digest[DIGEST_LEN];
1614
1615 (void)arg;
1616 k = crypto_pk_new();
1617 tt_assert(k);
1618 r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3,
1619 strlen(AUTHORITY_SIGNKEY_3));
1620 tt_assert(!r);
1621
1622 r = crypto_pk_get_digest(k, digest);
1623 tt_assert(r == 0);
1624 tt_mem_op(hex_str(digest, DIGEST_LEN),OP_EQ,
1625 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1626
1627 r = crypto_pk_get_common_digests(k, &pkey_digests);
1628 tt_int_op(r, OP_EQ, 0);
1629
1630 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),OP_EQ,
1631 AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1632 tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),OP_EQ,
1633 AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN);
1634 done:
1635 crypto_pk_free(k);
1636 }
1637
1638 static void
1639 test_crypto_digest_names(void *arg)
1640 {
1641 static const struct {
1642 int a; const char *n;
1643 } names[] = {
1644 { DIGEST_SHA1, "sha1" },
1645 { DIGEST_SHA256, "sha256" },
1646 { DIGEST_SHA512, "sha512" },
1647 { DIGEST_SHA3_256, "sha3-256" },
1648 { DIGEST_SHA3_512, "sha3-512" },
1649 { -1, NULL }
1650 };
1651 (void)arg;
1652
1653 int i;
1654 for (i = 0; names[i].n; ++i) {
1655 tt_str_op(names[i].n, OP_EQ,crypto_digest_algorithm_get_name(names[i].a));
1656 tt_int_op(names[i].a,
1657 OP_EQ,crypto_digest_algorithm_parse_name(names[i].n));
1658 }
1659 tt_int_op(-1, OP_EQ,
1660 crypto_digest_algorithm_parse_name("TimeCubeHash-4444"));
1661 done:
1662 ;
1663 }
1664
1665 /** Run unit tests for misc crypto formatting functionality (base64, base32,
1666 * fingerprints, etc) */
1667 static void
1668 test_crypto_formats(void *arg)
1669 {
1670 char *data1 = NULL, *data2 = NULL, *data3 = NULL;
1671 int i, j, idx;
1672
1673 (void)arg;
1674 data1 = tor_malloc(1024);
1675 data2 = tor_malloc(1024);
1676 data3 = tor_malloc(1024);
1677 tt_assert(data1 && data2 && data3);
1678
1679 /* Base64 tests */
1680 memset(data1, 6, 1024);
1681 for (idx = 0; idx < 10; ++idx) {
1682 i = base64_encode(data2, 1024, data1, idx, 0);
1683 tt_int_op(i, OP_GE, 0);
1684 tt_int_op(i, OP_EQ, strlen(data2));
1685 j = base64_decode(data3, 1024, data2, i);
1686 tt_int_op(j,OP_EQ, idx);
1687 tt_mem_op(data3,OP_EQ, data1, idx);
1688
1689 i = base64_encode_nopad(data2, 1024, (uint8_t*)data1, idx);
1690 tt_int_op(i, OP_GE, 0);
1691 tt_int_op(i, OP_EQ, strlen(data2));
1692 tt_assert(! strchr(data2, '='));
1693 j = base64_decode(data3, 1024, data2, i);
1694 tt_int_op(j, OP_EQ, idx);
1695 tt_mem_op(data3,OP_EQ, data1, idx);
1696 }
1697
1698 strlcpy(data1, "Test string that contains 35 chars.", 1024);
1699 strlcat(data1, " 2nd string that contains 35 chars.", 1024);
1700
1701 i = base64_encode(data2, 1024, data1, 71, 0);
1702 tt_int_op(i, OP_GE, 0);
1703 j = base64_decode(data3, 1024, data2, i);
1704 tt_int_op(j,OP_EQ, 71);
1705 tt_str_op(data3,OP_EQ, data1);
1706 tt_int_op(data2[i], OP_EQ, '\0');
1707
1708 crypto_rand(data1, DIGEST_LEN);
1709 memset(data2, 100, 1024);
1710 digest_to_base64(data2, data1);
1711 tt_int_op(BASE64_DIGEST_LEN,OP_EQ, strlen(data2));
1712 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST_LEN+2]);
1713 memset(data3, 99, 1024);
1714 tt_int_op(digest_from_base64(data3, data2),OP_EQ, 0);
1715 tt_mem_op(data1,OP_EQ, data3, DIGEST_LEN);
1716 tt_int_op(99,OP_EQ, data3[DIGEST_LEN+1]);
1717
1718 tt_int_op(digest_from_base64(data3, "###"), OP_LT, 0);
1719
1720 /* Encoding SHA256 */
1721 crypto_rand(data2, DIGEST256_LEN);
1722 memset(data2, 100, 1024);
1723 digest256_to_base64(data2, data1);
1724 tt_int_op(BASE64_DIGEST256_LEN,OP_EQ, strlen(data2));
1725 tt_int_op(100,OP_EQ, data2[BASE64_DIGEST256_LEN+2]);
1726 memset(data3, 99, 1024);
1727 tt_int_op(digest256_from_base64(data3, data2),OP_EQ, 0);
1728 tt_mem_op(data1,OP_EQ, data3, DIGEST256_LEN);
1729 tt_int_op(99,OP_EQ, data3[DIGEST256_LEN+1]);
1730
1731 /* Base32 tests */
1732 strlcpy(data1, "5chrs", 1024);
1733 /* bit pattern is: [35 63 68 72 73] ->
1734 * [00110101 01100011 01101000 01110010 01110011]
1735 * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
1736 */
1737 base32_encode(data2, 9, data1, 5);
1738 tt_str_op(data2,OP_EQ, "gvrwq4tt");
1739
1740 strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
1741 base32_encode(data2, 30, data1, 10);
1742 tt_str_op(data2,OP_EQ, "772w2rfobvomsywe");
1743
1744 /* Base16 tests */
1745 strlcpy(data1, "6chrs\xff", 1024);
1746 base16_encode(data2, 13, data1, 6);
1747 tt_str_op(data2,OP_EQ, "3663687273FF");
1748
1749 strlcpy(data1, "f0d678affc000100", 1024);
1750 i = base16_decode(data2, 8, data1, 16);
1751 tt_int_op(i,OP_EQ, 8);
1752 tt_mem_op(data2,OP_EQ, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
1753
1754 /* now try some failing base16 decodes */
1755 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 15)); /* odd input len */
1756 tt_int_op(-1,OP_EQ, base16_decode(data2, 7, data1, 16)); /* dest too short */
1757 strlcpy(data1, "f0dz!8affc000100", 1024);
1758 tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 16));
1759
1760 tor_free(data1);
1761 tor_free(data2);
1762 tor_free(data3);
1763
1764 /* Add spaces to fingerprint */
1765 {
1766 data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
1767 tt_int_op(strlen(data1),OP_EQ, 40);
1768 data2 = tor_malloc(FINGERPRINT_LEN+1);
1769 crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1);
1770 tt_str_op(data2, OP_EQ,
1771 "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
1772 tor_free(data1);
1773 tor_free(data2);
1774 }
1775
1776 done:
1777 tor_free(data1);
1778 tor_free(data2);
1779 tor_free(data3);
1780 }
1781
1782 /** Test AES-CTR encryption and decryption with IV. */
1783 static void
1784 test_crypto_aes_iv(void *arg)
1785 {
1786 char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2;
1787 char plain_1[1], plain_15[15], plain_16[16], plain_17[17];
1788 char key1[16], key2[16];
1789 ssize_t encrypted_size, decrypted_size;
1790
1791 int use_evp = !strcmp(arg,"evp");
1792 evaluate_evp_for_aes(use_evp);
1793
1794 plain = tor_malloc(4095);
1795 encrypted1 = tor_malloc(4095 + 1 + 16);
1796 encrypted2 = tor_malloc(4095 + 1 + 16);
1797 decrypted1 = tor_malloc(4095 + 1);
1798 decrypted2 = tor_malloc(4095 + 1);
1799
1800 crypto_rand(plain, 4095);
1801 crypto_rand(key1, 16);
1802 crypto_rand(key2, 16);
1803 crypto_rand(plain_1, 1);
1804 crypto_rand(plain_15, 15);
1805 crypto_rand(plain_16, 16);
1806 crypto_rand(plain_17, 17);
1807 key1[0] = key2[0] + 128; /* Make sure that contents are different. */
1808 /* Encrypt and decrypt with the same key. */
1809 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095,
1810 plain, 4095);
1811
1812 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1813 tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is
1814 * greater than 0, but its truth is not
1815 * obvious to all analysis tools. */
1816 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1817 encrypted1, encrypted_size);
1818
1819 tt_int_op(decrypted_size,OP_EQ, 4095);
1820 tt_assert(decrypted_size > 0);
1821 tt_mem_op(plain,OP_EQ, decrypted1, 4095);
1822 /* Encrypt a second time (with a new random initialization vector). */
1823 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095,
1824 plain, 4095);
1825
1826 tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1827 tt_assert(encrypted_size > 0);
1828 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095,
1829 encrypted2, encrypted_size);
1830 tt_int_op(decrypted_size,OP_EQ, 4095);
1831 tt_assert(decrypted_size > 0);
1832 tt_mem_op(plain,OP_EQ, decrypted2, 4095);
1833 tt_mem_op(encrypted1,OP_NE, encrypted2, encrypted_size);
1834 /* Decrypt with the wrong key. */
1835 decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095,
1836 encrypted1, encrypted_size);
1837 tt_int_op(decrypted_size,OP_EQ, 4095);
1838 tt_mem_op(plain,OP_NE, decrypted2, decrypted_size);
1839 /* Alter the initialization vector. */
1840 encrypted1[0] += 42;
1841 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1842 encrypted1, encrypted_size);
1843 tt_int_op(decrypted_size,OP_EQ, 4095);
1844 tt_mem_op(plain,OP_NE, decrypted2, 4095);
1845 /* Special length case: 1. */
1846 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1,
1847 plain_1, 1);
1848 tt_int_op(encrypted_size,OP_EQ, 16 + 1);
1849 tt_assert(encrypted_size > 0);
1850 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1,
1851 encrypted1, encrypted_size);
1852 tt_int_op(decrypted_size,OP_EQ, 1);
1853 tt_assert(decrypted_size > 0);
1854 tt_mem_op(plain_1,OP_EQ, decrypted1, 1);
1855 /* Special length case: 15. */
1856 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15,
1857 plain_15, 15);
1858 tt_int_op(encrypted_size,OP_EQ, 16 + 15);
1859 tt_assert(encrypted_size > 0);
1860 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15,
1861 encrypted1, encrypted_size);
1862 tt_int_op(decrypted_size,OP_EQ, 15);
1863 tt_assert(decrypted_size > 0);
1864 tt_mem_op(plain_15,OP_EQ, decrypted1, 15);
1865 /* Special length case: 16. */
1866 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16,
1867 plain_16, 16);
1868 tt_int_op(encrypted_size,OP_EQ, 16 + 16);
1869 tt_assert(encrypted_size > 0);
1870 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16,
1871 encrypted1, encrypted_size);
1872 tt_int_op(decrypted_size,OP_EQ, 16);
1873 tt_assert(decrypted_size > 0);
1874 tt_mem_op(plain_16,OP_EQ, decrypted1, 16);
1875 /* Special length case: 17. */
1876 encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17,
1877 plain_17, 17);
1878 tt_int_op(encrypted_size,OP_EQ, 16 + 17);
1879 tt_assert(encrypted_size > 0);
1880 decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17,
1881 encrypted1, encrypted_size);
1882 tt_int_op(decrypted_size,OP_EQ, 17);
1883 tt_assert(decrypted_size > 0);
1884 tt_mem_op(plain_17,OP_EQ, decrypted1, 17);
1885
1886 done:
1887 /* Free memory. */
1888 tor_free(plain);
1889 tor_free(encrypted1);
1890 tor_free(encrypted2);
1891 tor_free(decrypted1);
1892 tor_free(decrypted2);
1893 }
1894
1895 /** Test base32 decoding. */
1896 static void
1897 test_crypto_base32_decode(void *arg)
1898 {
1899 char plain[60], encoded[96 + 1], decoded[60];
1900 int res;
1901 (void)arg;
1902 crypto_rand(plain, 60);
1903 /* Encode and decode a random string. */
1904 base32_encode(encoded, 96 + 1, plain, 60);
1905 res = base32_decode(decoded, 60, encoded, 96);
1906 tt_int_op(res,OP_EQ, 0);
1907 tt_mem_op(plain,OP_EQ, decoded, 60);
1908 /* Encode, uppercase, and decode a random string. */
1909 base32_encode(encoded, 96 + 1, plain, 60);
1910 tor_strupper(encoded);
1911 res = base32_decode(decoded, 60, encoded, 96);
1912 tt_int_op(res,OP_EQ, 0);
1913 tt_mem_op(plain,OP_EQ, decoded, 60);
1914 /* Change encoded string and decode. */
1915 if (encoded[0] == 'A' || encoded[0] == 'a')
1916 encoded[0] = 'B';
1917 else
1918 encoded[0] = 'A';
1919 res = base32_decode(decoded, 60, encoded, 96);
1920 tt_int_op(res,OP_EQ, 0);
1921 tt_mem_op(plain,OP_NE, decoded, 60);
1922 /* Bad encodings. */
1923 encoded[0] = '!';
1924 res = base32_decode(decoded, 60, encoded, 96);
1925 tt_int_op(0, OP_GT, res);
1926
1927 done:
1928 ;
1929 }
1930
1931 static void
1932 test_crypto_kdf_TAP(void *arg)
1933 {
1934 uint8_t key_material[100];
1935 int r;
1936 char *mem_op_hex_tmp = NULL;
1937
1938 (void)arg;
1939 #define EXPAND(s) \
1940 r = crypto_expand_key_material_TAP( \
1941 (const uint8_t*)(s), strlen(s), \
1942 key_material, 100)
1943
1944 /* Test vectors generated with a little python script; feel free to write
1945 * your own. */
1946 memset(key_material, 0, sizeof(key_material));
1947 EXPAND("");
1948 tt_int_op(r, OP_EQ, 0);
1949 test_memeq_hex(key_material,
1950 "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
1951 "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
1952 "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
1953 "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
1954
1955 EXPAND("Tor");
1956 tt_int_op(r, OP_EQ, 0);
1957 test_memeq_hex(key_material,
1958 "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
1959 "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
1960 "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
1961 "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
1962
1963 EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
1964 tt_int_op(r, OP_EQ, 0);
1965 test_memeq_hex(key_material,
1966 "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
1967 "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
1968 "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
1969 "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
1970
1971 done:
1972 tor_free(mem_op_hex_tmp);
1973
1974 #undef EXPAND
1975 }
1976
1977 static void
1978 test_crypto_hkdf_sha256(void *arg)
1979 {
1980 uint8_t key_material[100];
1981 const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract";
1982 const size_t salt_len = strlen((char*)salt);
1983 const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand";
1984 const size_t m_expand_len = strlen((char*)m_expand);
1985 int r;
1986 char *mem_op_hex_tmp = NULL;
1987
1988 (void)arg;
1989
1990 #define EXPAND(s) \
1991 r = crypto_expand_key_material_rfc5869_sha256( \
1992 (const uint8_t*)(s), strlen(s), \
1993 salt, salt_len, \
1994 m_expand, m_expand_len, \
1995 key_material, 100)
1996
1997 /* Test vectors generated with ntor_ref.py */
1998 EXPAND("Tor");
1999 tt_int_op(r, OP_EQ, 0);
2000 test_memeq_hex(key_material,
2001 "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
2002 "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
2003 "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
2004 "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
2005
2006 EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
2007 tt_int_op(r, OP_EQ, 0);
2008 test_memeq_hex(key_material,
2009 "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
2010 "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
2011 "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
2012 "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
2013 done:
2014 tor_free(mem_op_hex_tmp);
2015 #undef EXPAND
2016 }
2017
2018 static void
2019 test_crypto_hkdf_sha256_testvecs(void *arg)
2020 {
2021 (void) arg;
2022 /* Test vectors from RFC5869, sections A.1 through A.3 */
2023 const struct {
2024 const char *ikm16, *salt16, *info16;
2025 int L;
2026 const char *okm16;
2027 } vecs[] = {
2028 { /* from A.1 */
2029 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
2030 "000102030405060708090a0b0c",
2031 "f0f1f2f3f4f5f6f7f8f9",
2032 42,
2033 "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
2034 "34007208d5b887185865"
2035 },
2036 { /* from A.2 */
2037 "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
2038 "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
2039 "404142434445464748494a4b4c4d4e4f",
2040 "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
2041 "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
2042 "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
2043 "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
2044 "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef"
2045 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2046 82,
2047 "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c"
2048 "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71"
2049 "cc30c58179ec3e87c14c01d5c1f3434f1d87"
2050 },
2051 { /* from A.3 */
2052 "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
2053 "",
2054 "",
2055 42,
2056 "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
2057 "9d201395faa4b61a96c8",
2058 },
2059 { NULL, NULL, NULL, -1, NULL }
2060 };
2061
2062 int i;
2063 char *ikm = NULL;
2064 char *salt = NULL;
2065 char *info = NULL;
2066 char *okm = NULL;
2067 char *mem_op_hex_tmp = NULL;
2068
2069 for (i = 0; vecs[i].ikm16; ++i) {
2070 size_t ikm_len = strlen(vecs[i].ikm16)/2;
2071 size_t salt_len = strlen(vecs[i].salt16)/2;
2072 size_t info_len = strlen(vecs[i].info16)/2;
2073 size_t okm_len = vecs[i].L;
2074
2075 ikm = tor_malloc(ikm_len);
2076 salt = tor_malloc(salt_len);
2077 info = tor_malloc(info_len);
2078 okm = tor_malloc(okm_len);
2079
2080 base16_decode(ikm, ikm_len, vecs[i].ikm16, strlen(vecs[i].ikm16));
2081 base16_decode(salt, salt_len, vecs[i].salt16, strlen(vecs[i].salt16));
2082 base16_decode(info, info_len, vecs[i].info16, strlen(vecs[i].info16));
2083
2084 int r = crypto_expand_key_material_rfc5869_sha256(
2085 (const uint8_t*)ikm, ikm_len,
2086 (const uint8_t*)salt, salt_len,
2087 (const uint8_t*)info, info_len,
2088 (uint8_t*)okm, okm_len);
2089 tt_int_op(r, OP_EQ, 0);
2090 test_memeq_hex(okm, vecs[i].okm16);
2091 tor_free(ikm);
2092 tor_free(salt);
2093 tor_free(info);
2094 tor_free(okm);
2095 }
2096 done:
2097 tor_free(ikm);
2098 tor_free(salt);
2099 tor_free(info);
2100 tor_free(okm);
2101 tor_free(mem_op_hex_tmp);
2102 }
2103
2104 static void
2105 test_crypto_curve25519_impl(void *arg)
2106 {
2107 /* adapted from curve25519_donna, which adapted it from test-curve25519
2108 version 20050915, by D. J. Bernstein, Public domain. */
2109
2110 const int randomize_high_bit = (arg != NULL);
2111
2112 #ifdef SLOW_CURVE25519_TEST
2113 const int loop_max=10000;
2114 const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5"
2115 "7e0329f4dd2819f5f32d130f1296b500";
2116 const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9"
2117 "e0544770bc7de853b38f9100489e3e79";
2118 const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88"
2119 "bd13861475516bc2cd2b6e005e805064";
2120 #else /* !(defined(SLOW_CURVE25519_TEST)) */
2121 const int loop_max=200;
2122 const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3"
2123 "c6a1037d74cceb3712e9206871dcf654";
2124 const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
2125 "8e3ee1a63c7d14274ea5d4c67f065467";
2126 const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e"
2127 "c0ee98cb2257a4545c0cfb2ca3e1812b";
2128 #endif /* defined(SLOW_CURVE25519_TEST) */
2129
2130 unsigned char e1k[32];
2131 unsigned char e2k[32];
2132 unsigned char e1e2k[32];
2133 unsigned char e2e1k[32];
2134 unsigned char e1[32] = {3};
2135 unsigned char e2[32] = {5};
2136 unsigned char k[32] = {9};
2137 int loop, i;
2138
2139 char *mem_op_hex_tmp = NULL;
2140
2141 for (loop = 0; loop < loop_max; ++loop) {
2142 curve25519_impl(e1k,e1,k);
2143 curve25519_impl(e2e1k,e2,e1k);
2144 curve25519_impl(e2k,e2,k);
2145 if (randomize_high_bit) {
2146 /* We require that the high bit of the public key be ignored. So if
2147 * we're doing this variant test, we randomize the high bit of e2k, and
2148 * make sure that the handshake still works out the same as it would
2149 * otherwise. */
2150 uint8_t byte;
2151 crypto_rand((char*)&byte, 1);
2152 e2k[31] |= (byte & 0x80);
2153 }
2154 curve25519_impl(e1e2k,e1,e2k);
2155 tt_mem_op(e1e2k,OP_EQ, e2e1k, 32);
2156 if (loop == loop_max-1) {
2157 break;
2158 }
2159 for (i = 0;i < 32;++i) e1[i] ^= e2k[i];
2160 for (i = 0;i < 32;++i) e2[i] ^= e1k[i];
2161 for (i = 0;i < 32;++i) k[i] ^= e1e2k[i];
2162 }
2163
2164 test_memeq_hex(e1, e1_expected);
2165 test_memeq_hex(e2k, e2k_expected);
2166 test_memeq_hex(e1e2k, e1e2k_expected);
2167
2168 done:
2169 tor_free(mem_op_hex_tmp);
2170 }
2171
2172 static void
2173 test_crypto_curve25519_basepoint(void *arg)
2174 {
2175 uint8_t secret[32];
2176 uint8_t public1[32];
2177 uint8_t public2[32];
2178 const int iters = 2048;
2179 int i;
2180 (void) arg;
2181
2182 for (i = 0; i < iters; ++i) {
2183 crypto_rand((char*)secret, 32);
2184 curve25519_set_impl_params(1); /* Use optimization */
2185 curve25519_basepoint_impl(public1, secret);
2186 curve25519_set_impl_params(0); /* Disable optimization */
2187 curve25519_basepoint_impl(public2, secret);
2188 tt_mem_op(public1, OP_EQ, public2, 32);
2189 }
2190
2191 done:
2192 ;
2193 }
2194
2195 static void
2196 test_crypto_curve25519_testvec(void *arg)
2197 {
2198 (void)arg;
2199 char *mem_op_hex_tmp = NULL;
2200
2201 /* From RFC 7748, section 6.1 */
2202 /* Alice's private key, a: */
2203 const char a16[] =
2204 "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
2205 /* Alice's public key, X25519(a, 9): */
2206 const char a_pub16[] =
2207 "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
2208 /* Bob's private key, b: */
2209 const char b16[] =
2210 "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
2211 /* Bob's public key, X25519(b, 9): */
2212 const char b_pub16[] =
2213 "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
2214 /* Their shared secret, K: */
2215 const char k16[] =
2216 "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
2217
2218 uint8_t a[32], b[32], a_pub[32], b_pub[32], k1[32], k2[32];
2219 base16_decode((char*)a, sizeof(a), a16, strlen(a16));
2220 base16_decode((char*)b, sizeof(b), b16, strlen(b16));
2221 curve25519_basepoint_impl(a_pub, a);
2222 curve25519_basepoint_impl(b_pub, b);
2223 curve25519_impl(k1, a, b_pub);
2224 curve25519_impl(k2, b, a_pub);
2225
2226 test_memeq_hex(a, a16);
2227 test_memeq_hex(b, b16);
2228 test_memeq_hex(a_pub, a_pub16);
2229 test_memeq_hex(b_pub, b_pub16);
2230 test_memeq_hex(k1, k16);
2231 test_memeq_hex(k2, k16);
2232 done:
2233 tor_free(mem_op_hex_tmp);
2234 }
2235
2236 static void
2237 test_crypto_curve25519_wrappers(void *arg)
2238 {
2239 curve25519_public_key_t pubkey1, pubkey2;
2240 curve25519_secret_key_t seckey1, seckey2;
2241
2242 uint8_t output1[CURVE25519_OUTPUT_LEN];
2243 uint8_t output2[CURVE25519_OUTPUT_LEN];
2244 (void)arg;
2245
2246 /* Test a simple handshake, serializing and deserializing some stuff. */
2247 curve25519_secret_key_generate(&seckey1, 0);
2248 curve25519_secret_key_generate(&seckey2, 1);
2249 curve25519_public_key_generate(&pubkey1, &seckey1);
2250 curve25519_public_key_generate(&pubkey2, &seckey2);
2251 tt_assert(curve25519_public_key_is_ok(&pubkey1));
2252 tt_assert(curve25519_public_key_is_ok(&pubkey2));
2253 curve25519_handshake(output1, &seckey1, &pubkey2);
2254 curve25519_handshake(output2, &seckey2, &pubkey1);
2255 tt_mem_op(output1,OP_EQ, output2, sizeof(output1));
2256
2257 done:
2258 ;
2259 }
2260
2261 static void
2262 test_crypto_curve25519_encode(void *arg)
2263 {
2264 curve25519_secret_key_t seckey;
2265 curve25519_public_key_t key1, key2, key3;
2266 char buf[64];
2267
2268 (void)arg;
2269
2270 curve25519_secret_key_generate(&seckey, 0);
2271 curve25519_public_key_generate(&key1, &seckey);
2272 tt_int_op(0, OP_EQ, curve25519_public_to_base64(buf, &key1));
2273 tt_int_op(CURVE25519_BASE64_PADDED_LEN, OP_EQ, strlen(buf));
2274
2275 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key2, buf));
2276 tt_mem_op(key1.public_key,OP_EQ, key2.public_key, CURVE25519_PUBKEY_LEN);
2277
2278 buf[CURVE25519_BASE64_PADDED_LEN - 1] = '\0';
2279 tt_int_op(CURVE25519_BASE64_PADDED_LEN-1, OP_EQ, strlen(buf));
2280 tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key3, buf));
2281 tt_mem_op(key1.public_key,OP_EQ, key3.public_key, CURVE25519_PUBKEY_LEN);
2282
2283 /* Now try bogus parses. */
2284 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf));
2285 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2286
2287 strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf));
2288 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2289
2290 strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf));
2291 tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2292
2293 done:
2294 ;
2295 }
2296
2297 static void
2298 test_crypto_curve25519_persist(void *arg)
2299 {
2300 curve25519_keypair_t keypair, keypair2;
2301 char *fname = tor_strdup(get_fname("curve25519_keypair"));
2302 char *tag = NULL;
2303 char *content = NULL;
2304 const char *cp;
2305 struct stat st;
2306 size_t taglen;
2307
2308 (void)arg;
2309
2310 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&keypair, 0));
2311
2312 tt_int_op(0,OP_EQ,
2313 curve25519_keypair_write_to_file(&keypair, fname, "testing"));
2314 tt_int_op(0,OP_EQ,curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2315 tt_str_op(tag,OP_EQ,"testing");
2316 tor_free(tag);
2317
2318 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2319 keypair2.pubkey.public_key,
2320 CURVE25519_PUBKEY_LEN);
2321 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2322 keypair2.seckey.secret_key,
2323 CURVE25519_SECKEY_LEN);
2324
2325 content = read_file_to_str(fname, RFTS_BIN, &st);
2326 tt_assert(content);
2327 taglen = strlen("== c25519v1: testing ==");
2328 tt_u64_op((uint64_t)st.st_size, OP_EQ,
2329 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN);
2330 tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen));
2331 tt_assert(tor_mem_is_zero(content+taglen, 32-taglen));
2332 cp = content + 32;
2333 tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2334 cp,
2335 CURVE25519_SECKEY_LEN);
2336 cp += CURVE25519_SECKEY_LEN;
2337 tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2338 cp,
2339 CURVE25519_SECKEY_LEN);
2340
2341 tor_free(fname);
2342 fname = tor_strdup(get_fname("bogus_keypair"));
2343
2344 tt_int_op(-1, OP_EQ,
2345 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2346 tor_free(tag);
2347
2348 content[69] ^= 0xff;
2349 tt_int_op(0, OP_EQ,
2350 write_bytes_to_file(fname, content, (size_t)st.st_size, 1));
2351 tt_int_op(-1, OP_EQ,
2352 curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2353
2354 done:
2355 tor_free(fname);
2356 tor_free(content);
2357 tor_free(tag);
2358 }
2359
2360 static void
2361 test_crypto_ed25519_simple(void *arg)
2362 {
2363 ed25519_keypair_t kp1, kp2;
2364 ed25519_public_key_t pub1, pub2;
2365 ed25519_secret_key_t sec1, sec2;
2366 ed25519_signature_t sig1, sig2;
2367 const uint8_t msg[] =
2368 "GNU will be able to run Unix programs, "
2369 "but will not be identical to Unix.";
2370 const uint8_t msg2[] =
2371 "Microsoft Windows extends the features of the DOS operating system, "
2372 "yet is compatible with most existing applications that run under DOS.";
2373 size_t msg_len = strlen((const char*)msg);
2374 size_t msg2_len = strlen((const char*)msg2);
2375
2376 (void)arg;
2377
2378 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec1, 0));
2379 tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec2, 1));
2380
2381 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub1, &sec1));
2382 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec1));
2383
2384 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
2385 tt_int_op(ed25519_validate_pubkey(&pub2), OP_EQ, 0);
2386
2387 tt_mem_op(pub1.pubkey, OP_EQ, pub2.pubkey, sizeof(pub1.pubkey));
2388 tt_assert(ed25519_pubkey_eq(&pub1, &pub2));
2389 tt_assert(ed25519_pubkey_eq(&pub1, &pub1));
2390
2391 memcpy(&kp1.pubkey, &pub1, sizeof(pub1));
2392 memcpy(&kp1.seckey, &sec1, sizeof(sec1));
2393 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp1));
2394 tt_int_op(0, OP_EQ, ed25519_sign(&sig2, msg, msg_len, &kp1));
2395
2396 /* Ed25519 signatures are deterministic */
2397 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, sizeof(sig1.sig));
2398
2399 /* Basic signature is valid. */
2400 tt_int_op(0, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2401
2402 /* Altered signature doesn't work. */
2403 sig1.sig[0] ^= 3;
2404 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2405
2406 /* Wrong public key doesn't work. */
2407 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec2));
2408 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub2));
2409 tt_assert(! ed25519_pubkey_eq(&pub1, &pub2));
2410
2411 /* Wrong message doesn't work. */
2412 tt_int_op(0, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub1));
2413 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len-1, &pub1));
2414 tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg2, msg2_len, &pub1));
2415
2416 /* Batch signature checking works with some bad. */
2417 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp2, 0));
2418 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp2));
2419 {
2420 ed25519_checkable_t ch[] = {
2421 { &pub1, sig2, msg, msg_len }, /*ok*/
2422 { &pub1, sig2, msg, msg_len-1 }, /*bad*/
2423 { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/
2424 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2425 };
2426 int okay[4];
2427 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(okay, ch, 4));
2428 tt_int_op(okay[0], OP_EQ, 1);
2429 tt_int_op(okay[1], OP_EQ, 0);
2430 tt_int_op(okay[2], OP_EQ, 0);
2431 tt_int_op(okay[3], OP_EQ, 1);
2432 tt_int_op(-2, OP_EQ, ed25519_checksig_batch(NULL, ch, 4));
2433 }
2434
2435 /* Batch signature checking works with all good. */
2436 {
2437 ed25519_checkable_t ch[] = {
2438 { &pub1, sig2, msg, msg_len }, /*ok*/
2439 { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2440 };
2441 int okay[2];
2442 tt_int_op(0, OP_EQ, ed25519_checksig_batch(okay, ch, 2));
2443 tt_int_op(okay[0], OP_EQ, 1);
2444 tt_int_op(okay[1], OP_EQ, 1);
2445 tt_int_op(0, OP_EQ, ed25519_checksig_batch(NULL, ch, 2));
2446 }
2447
2448 /* Test the string-prefixed sign/checksig functions */
2449 {
2450 ed25519_signature_t manual_sig;
2451 char *prefixed_msg;
2452
2453 /* Generate a signature with a prefixed msg. */
2454 tt_int_op(0, OP_EQ, ed25519_sign_prefixed(&sig1, msg, msg_len,
2455 "always in the mood",
2456 &kp1));
2457
2458 /* First, check that ed25519_sign_prefixed() returns the exact same sig as
2459 if we had manually prefixed the msg ourselves. */
2460 tor_asprintf(&prefixed_msg, "%s%s", "always in the mood", msg);
2461 tt_int_op(0, OP_EQ, ed25519_sign(&manual_sig, (uint8_t *)prefixed_msg,
2462 strlen(prefixed_msg), &kp1));
2463 tor_free(prefixed_msg);
2464 tt_assert(fast_memeq(sig1.sig, manual_sig.sig, sizeof(sig1.sig)));
2465
2466 /* Test that prefixed checksig verifies it properly. */
2467 tt_int_op(0, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2468 "always in the mood",
2469 &pub1));
2470
2471 /* Test that checksig with wrong prefix fails. */
2472 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2473 "always in the moo",
2474 &pub1));
2475 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2476 "always in the moon",
2477 &pub1));
2478 tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2479 "always in the mood!",
2480 &pub1));
2481 }
2482
2483 done:
2484 ;
2485 }
2486
2487 static void
2488 test_crypto_ed25519_test_vectors(void *arg)
2489 {
2490 char *mem_op_hex_tmp=NULL;
2491 int i;
2492 struct {
2493 const char *sk;
2494 const char *pk;
2495 const char *sig;
2496 const char *msg;
2497 } items[] = {
2498 /* These test vectors were generated with the "ref" implementation of
2499 * ed25519 from SUPERCOP-20130419 */
2500 { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
2501 "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
2502 "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
2503 "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
2504 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2505 "204e554c2d7465726d696e617465642e"
2506 },
2507
2508 { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
2509 "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
2510 "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
2511 "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
2512 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2513 "204e554c2d7465726d696e617465642e"
2514 },
2515 { "6578706f73656420627920456e676c697368207465787420617320696e707574",
2516 "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
2517 "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
2518 "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
2519 "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2520 "204e554c2d7465726d696e617465642e"
2521 },
2522
2523 /* These come from "sign.input" in ed25519's page */
2524 { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
2525 "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
2526 "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
2527 "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
2528 "5a8d9d0a22357e6655f9c785"
2529 },
2530 { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
2531 "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
2532 "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
2533 "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
2534 "b87d3813e03f58cf19fd0b6395"
2535 },
2536 { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
2537 "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
2538 "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
2539 "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
2540 "55c7fa434f5ed8cdec2b7aeac173",
2541 },
2542 { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
2543 "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
2544 "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
2545 "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
2546 "0a688e79be24f866286d4646b5d81c"
2547 },
2548 /* These come from draft-irtf-cfrg-eddsa-05 section 7.1 */
2549 {
2550 "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
2551 "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
2552 "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
2553 "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b",
2554 ""
2555 },
2556 {
2557 "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
2558 "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
2559 "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
2560 "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00",
2561 "72"
2562 },
2563 {
2564 "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
2565 "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
2566 "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350"
2567 "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
2568 "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98"
2569 "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8"
2570 "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d"
2571 "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc"
2572 "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe"
2573 "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e"
2574 "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef"
2575 "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7"
2576 "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
2577 "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2"
2578 "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24"
2579 "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270"
2580 "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc"
2581 "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07"
2582 "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba"
2583 "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a"
2584 "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e"
2585 "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
2586 "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c"
2587 "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8"
2588 "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df"
2589 "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08"
2590 "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649"
2591 "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4"
2592 "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3"
2593 "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e"
2594 "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
2595 "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5"
2596 "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1"
2597 "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d"
2598 "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c"
2599 "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0"
2600 },
2601 {
2602 "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
2603 "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
2604 "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
2605 "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704",
2606 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
2607 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
2608 },
2609 { NULL, NULL, NULL, NULL}
2610 };
2611
2612 (void)arg;
2613
2614 for (i = 0; items[i].pk; ++i) {
2615 ed25519_keypair_t kp;
2616 ed25519_signature_t sig;
2617 uint8_t sk_seed[32];
2618 uint8_t *msg;
2619 size_t msg_len;
2620 base16_decode((char*)sk_seed, sizeof(sk_seed),
2621 items[i].sk, 64);
2622 ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
2623 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
2624 test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
2625
2626 msg_len = strlen(items[i].msg) / 2;
2627 msg = tor_malloc(msg_len);
2628 base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg));
2629
2630 tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, msg_len, &kp));
2631 test_memeq_hex(sig.sig, items[i].sig);
2632
2633 tor_free(msg);
2634 }
2635
2636 done:
2637 tor_free(mem_op_hex_tmp);
2638 }
2639
2640 static void
2641 test_crypto_ed25519_encode(void *arg)
2642 {
2643 char buf[ED25519_SIG_BASE64_LEN+1];
2644 ed25519_keypair_t kp;
2645 ed25519_public_key_t pk;
2646 ed25519_signature_t sig1, sig2;
2647 char *mem_op_hex_tmp = NULL;
2648 (void) arg;
2649
2650 /* Test roundtrip. */
2651 tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, 0));
2652 tt_int_op(0, OP_EQ, ed25519_public_to_base64(buf, &kp.pubkey));
2653 tt_int_op(ED25519_BASE64_LEN, OP_EQ, strlen(buf));
2654 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk, buf));
2655 tt_mem_op(kp.pubkey.pubkey, OP_EQ, pk.pubkey, ED25519_PUBKEY_LEN);
2656
2657 tt_int_op(0, OP_EQ, ed25519_sign(&sig1, (const uint8_t*)"ABC", 3, &kp));
2658 tt_int_op(0, OP_EQ, ed25519_signature_to_base64(buf, &sig1));
2659 tt_int_op(0, OP_EQ, ed25519_signature_from_base64(&sig2, buf));
2660 tt_mem_op(sig1.sig, OP_EQ, sig2.sig, ED25519_SIG_LEN);
2661
2662 /* Test known value. */
2663 tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk,
2664 "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
2665 test_memeq_hex(pk.pubkey,
2666 "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
2667
2668 done:
2669 tor_free(mem_op_hex_tmp);
2670 }
2671
2672 static void
2673 test_crypto_ed25519_convert(void *arg)
2674 {
2675 const uint8_t msg[] =
2676 "The eyes are not here / There are no eyes here.";
2677 const int N = 30;
2678 int i;
2679 (void)arg;
2680
2681 for (i = 0; i < N; ++i) {
2682 curve25519_keypair_t curve25519_keypair;
2683 ed25519_keypair_t ed25519_keypair;
2684 ed25519_public_key_t ed25519_pubkey;
2685
2686 int bit=0;
2687 ed25519_signature_t sig;
2688
2689 tt_int_op(0,OP_EQ,curve25519_keypair_generate(&curve25519_keypair, i&1));
2690 tt_int_op(0,OP_EQ,ed25519_keypair_from_curve25519_keypair(
2691 &ed25519_keypair, &bit, &curve25519_keypair));
2692 tt_int_op(0,OP_EQ,ed25519_public_key_from_curve25519_public_key(
2693 &ed25519_pubkey, &curve25519_keypair.pubkey, bit));
2694 tt_mem_op(ed25519_pubkey.pubkey, OP_EQ, ed25519_keypair.pubkey.pubkey, 32);
2695
2696 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair));
2697 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2698 &ed25519_pubkey));
2699
2700 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2701 &ed25519_pubkey));
2702 sig.sig[0] ^= 15;
2703 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2704 &ed25519_pubkey));
2705 }
2706
2707 done:
2708 ;
2709 }
2710
2711 static void
2712 test_crypto_ed25519_blinding(void *arg)
2713 {
2714 const uint8_t msg[] =
2715 "Eyes I dare not meet in dreams / In death's dream kingdom";
2716
2717 const int N = 30;
2718 int i;
2719 (void)arg;
2720
2721 for (i = 0; i < N; ++i) {
2722 uint8_t blinding[32];
2723 ed25519_keypair_t ed25519_keypair;
2724 ed25519_keypair_t ed25519_keypair_blinded;
2725 ed25519_public_key_t ed25519_pubkey_blinded;
2726
2727 ed25519_signature_t sig;
2728
2729 crypto_rand((char*) blinding, sizeof(blinding));
2730
2731 tt_int_op(0,OP_EQ,ed25519_keypair_generate(&ed25519_keypair, 0));
2732 tt_int_op(0,OP_EQ,ed25519_keypair_blind(&ed25519_keypair_blinded,
2733 &ed25519_keypair, blinding));
2734
2735 tt_int_op(0,OP_EQ,ed25519_public_blind(&ed25519_pubkey_blinded,
2736 &ed25519_keypair.pubkey, blinding));
2737
2738 tt_mem_op(ed25519_pubkey_blinded.pubkey, OP_EQ,
2739 ed25519_keypair_blinded.pubkey.pubkey, 32);
2740
2741 tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg),
2742 &ed25519_keypair_blinded));
2743
2744 tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2745 &ed25519_pubkey_blinded));
2746
2747 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2748 &ed25519_pubkey_blinded));
2749 sig.sig[0] ^= 15;
2750 tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2751 &ed25519_pubkey_blinded));
2752 }
2753
2754 done:
2755 ;
2756 }
2757
2758 /** Test that our blinding functions will fail if we pass them bad pubkeys */
2759 static void
2760 test_crypto_ed25519_blinding_fail(void *arg)
2761 {
2762 int retval;
2763 uint8_t param[32] = {2};
2764 ed25519_public_key_t pub;
2765 ed25519_public_key_t pub_blinded;
2766
2767 (void)arg;
2768
2769 /* This point is not on the curve: the blind routines should fail */
2770 const char badkey[] =
2771 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2772 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2773 badkey, strlen(badkey));
2774 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2775 retval = ed25519_public_blind(&pub_blinded, &pub, param);
2776 tt_int_op(retval, OP_EQ, -1);
2777
2778 /* This point is legit: blind routines should be happy */
2779 const char goodkey[] =
2780 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2781 retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2782 goodkey, strlen(goodkey));
2783 tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2784 retval = ed25519_public_blind(&pub_blinded, &pub, param);
2785 tt_int_op(retval, OP_EQ, 0);
2786
2787 done:
2788 ;
2789 }
2790
2791 static void
2792 test_crypto_ed25519_testvectors(void *arg)
2793 {
2794 unsigned i;
2795 char *mem_op_hex_tmp = NULL;
2796 (void)arg;
2797
2798 for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) {
2799 uint8_t sk[32];
2800 ed25519_secret_key_t esk;
2801 ed25519_public_key_t pk, blind_pk, pkfromcurve;
2802 ed25519_keypair_t keypair, blind_keypair;
2803 curve25519_keypair_t curvekp;
2804 uint8_t blinding_param[32];
2805 ed25519_signature_t sig;
2806 int sign;
2807
2808 memset(&curvekp, 0xd0, sizeof(curvekp));
2809
2810 #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
2811 #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
2812
2813 tt_int_op(sizeof(sk), OP_EQ, DECODE(sk, ED25519_SECRET_KEYS[i]));
2814 tt_int_op(sizeof(blinding_param), OP_EQ, DECODE(blinding_param,
2815 ED25519_BLINDING_PARAMS[i]));
2816
2817 tt_int_op(0, OP_EQ, ed25519_secret_key_from_seed(&esk, sk));
2818 EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]);
2819
2820 tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &esk));
2821 EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]);
2822
2823 memcpy(&curvekp.seckey.secret_key, esk.seckey, 32);
2824 curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey);
2825
2826 tt_int_op(0, OP_EQ,
2827 ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp));
2828 tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
2829 &pkfromcurve, &curvekp.pubkey, sign));
2830 tt_mem_op(keypair.pubkey.pubkey, OP_EQ, pkfromcurve.pubkey, 32);
2831 EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]);
2832
2833 /* Self-signing */
2834 memcpy(&keypair.seckey, &esk, sizeof(esk));
2835 memcpy(&keypair.pubkey, &pk, sizeof(pk));
2836
2837 tt_int_op(0, OP_EQ, ed25519_sign(&sig, pk.pubkey, 32, &keypair));
2838
2839 EQ(sig.sig, ED25519_SELF_SIGNATURES[i]);
2840
2841 /* Blinding */
2842 tt_int_op(0, OP_EQ,
2843 ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param));
2844 tt_int_op(0, OP_EQ,
2845 ed25519_public_blind(&blind_pk, &pk, blinding_param));
2846
2847 EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]);
2848 EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]);
2849
2850 tt_mem_op(blind_pk.pubkey, OP_EQ, blind_keypair.pubkey.pubkey, 32);
2851
2852 #undef DECODE
2853 #undef EQ
2854 }
2855 done:
2856 tor_free(mem_op_hex_tmp);
2857 }
2858
2859 static void
2860 test_crypto_ed25519_storage(void *arg)
2861 {
2862 (void)arg;
2863 ed25519_keypair_t *keypair = NULL;
2864 ed25519_public_key_t pub;
2865 ed25519_secret_key_t sec;
2866 char *fname_1 = tor_strdup(get_fname("ed_seckey_1"));
2867 char *fname_2 = tor_strdup(get_fname("ed_pubkey_2"));
2868 char *contents = NULL;
2869 char *tag = NULL;
2870
2871 keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
2872 tt_int_op(0,OP_EQ,ed25519_keypair_generate(keypair, 0));
2873 tt_int_op(0,OP_EQ,
2874 ed25519_seckey_write_to_file(&keypair->seckey, fname_1, "foo"));
2875 tt_int_op(0,OP_EQ,
2876 ed25519_pubkey_write_to_file(&keypair->pubkey, fname_2, "bar"));
2877
2878 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_1));
2879 tt_ptr_op(tag, OP_EQ, NULL);
2880 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_2));
2881 tt_ptr_op(tag, OP_EQ, NULL);
2882
2883 tt_int_op(0, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2884 tt_str_op(tag, OP_EQ, "bar");
2885 tor_free(tag);
2886 tt_int_op(0, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2887 tt_str_op(tag, OP_EQ, "foo");
2888 tor_free(tag);
2889
2890 /* whitebox test: truncated keys. */
2891 tt_int_op(0, OP_EQ, do_truncate(fname_1, 40));
2892 tt_int_op(0, OP_EQ, do_truncate(fname_2, 40));
2893 tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2894 tt_ptr_op(tag, OP_EQ, NULL);
2895 tor_free(tag);
2896 tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2897 tt_ptr_op(tag, OP_EQ, NULL);
2898
2899 done:
2900 tor_free(fname_1);
2901 tor_free(fname_2);
2902 tor_free(contents);
2903 tor_free(tag);
2904 ed25519_keypair_free(keypair);
2905 }
2906
2907 static void
2908 test_crypto_siphash(void *arg)
2909 {
2910 /* From the reference implementation, taking
2911 k = 00 01 02 ... 0f
2912 and in = 00; 00 01; 00 01 02; ...
2913 */
2914 const uint8_t VECTORS[64][8] =
2915 {
2916 { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
2917 { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
2918 { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
2919 { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
2920 { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
2921 { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
2922 { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
2923 { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
2924 { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
2925 { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
2926 { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
2927 { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
2928 { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
2929 { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
2930 { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
2931 { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
2932 { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
2933 { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
2934 { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
2935 { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
2936 { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
2937 { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
2938 { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
2939 { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
2940 { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
2941 { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
2942 { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
2943 { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
2944 { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
2945 { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
2946 { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
2947 { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
2948 { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
2949 { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
2950 { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
2951 { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
2952 { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
2953 { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
2954 { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
2955 { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
2956 { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
2957 { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
2958 { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
2959 { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
2960 { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
2961 { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
2962 { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
2963 { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
2964 { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
2965 { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
2966 { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
2967 { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
2968 { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
2969 { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
2970 { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
2971 { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
2972 { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
2973 { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
2974 { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
2975 { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
2976 { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
2977 { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
2978 { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
2979 { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
2980 };
2981
2982 const struct sipkey K = { UINT64_C(0x0706050403020100),
2983 UINT64_C(0x0f0e0d0c0b0a0908) };
2984 uint8_t input[64];
2985 int i, j;
2986
2987 (void)arg;
2988
2989 for (i = 0; i < 64; ++i)
2990 input[i] = i;
2991
2992 for (i = 0; i < 64; ++i) {
2993 uint64_t r = siphash24(input, i, &K);
2994 for (j = 0; j < 8; ++j) {
2995 tt_int_op( (r >> (j*8)) & 0xff, OP_EQ, VECTORS[i][j]);
2996 }
2997 }
2998
2999 done:
3000 ;
3001 }
3002
3003 /* We want the likelihood that the random buffer exhibits any regular pattern
3004 * to be far less than the memory bit error rate in the int return value.
3005 * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call
3006 * 3 functions, leading to an overall error rate of 1/10^616.
3007 * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range.
3008 */
3009 #define FAILURE_MODE_BUFFER_SIZE (2048/8)
3010
3011 /** Check crypto_rand for a failure mode where it does nothing to the buffer,
3012 * or it sets the buffer to all zeroes. Return 0 when the check passes,
3013 * or -1 when it fails. */
3014 static int
3015 crypto_rand_check_failure_mode_zero(void)
3016 {
3017 char buf[FAILURE_MODE_BUFFER_SIZE];
3018
3019 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
3020 crypto_rand(buf, FAILURE_MODE_BUFFER_SIZE);
3021
3022 for (size_t i = 0; i < FAILURE_MODE_BUFFER_SIZE; i++) {
3023 if (buf[i] != 0) {
3024 return 0;
3025 }
3026 }
3027
3028 return -1;
3029 }
3030
3031 /** Check crypto_rand for a failure mode where every int64_t in the buffer is
3032 * the same. Return 0 when the check passes, or -1 when it fails. */
3033 static int
3034 crypto_rand_check_failure_mode_identical(void)
3035 {
3036 /* just in case the buffer size isn't a multiple of sizeof(int64_t) */
3037 #define FAILURE_MODE_BUFFER_SIZE_I64 \
3038 (FAILURE_MODE_BUFFER_SIZE/8)
3039 #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \
3040 (FAILURE_MODE_BUFFER_SIZE_I64*8)
3041
3042 #if FAILURE_MODE_BUFFER_SIZE_I64 < 2
3043 #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*8
3044 #endif
3045
3046 int64_t buf[FAILURE_MODE_BUFFER_SIZE_I64];
3047
3048 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
3049 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
3050
3051 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE_I64; i++) {
3052 if (buf[i] != buf[i-1]) {
3053 return 0;
3054 }
3055 }
3056
3057 return -1;
3058 }
3059
3060 /** Check crypto_rand for a failure mode where it increments the "random"
3061 * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.)
3062 * Return 0 when the check passes, or -1 when it fails. */
3063 static int
3064 crypto_rand_check_failure_mode_predict(void)
3065 {
3066 unsigned char buf[FAILURE_MODE_BUFFER_SIZE];
3067
3068 memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
3069 crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE);
3070
3071 for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE; i++) {
3072 /* check if the last byte was incremented by 1, including integer
3073 * wrapping */
3074 if (buf[i] - buf[i-1] != 1 && buf[i-1] - buf[i] != 255) {
3075 return 0;
3076 }
3077 }
3078
3079 return -1;
3080 }
3081
3082 #undef FAILURE_MODE_BUFFER_SIZE
3083
3084 /** Test that our ed25519 validation function rejects evil public keys and
3085 * accepts good ones. */
3086 static void
3087 test_crypto_ed25519_validation(void *arg)
3088 {
3089 (void) arg;
3090
3091 int retval;
3092 ed25519_public_key_t pub1;
3093
3094 /* See https://lists.torproject.org/pipermail/tor-dev/2017-April/012230.html
3095 for a list of points with torsion components in ed25519. */
3096
3097 { /* Point with torsion component (order 8l) */
3098 const char badkey[] =
3099 "300ef2e64e588e1df55b48e4da0416ffb64cc85d5b00af6463d5cc6c2b1c185e";
3100 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
3101 badkey, strlen(badkey));
3102 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
3103 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
3104 }
3105
3106 { /* Point with torsion component (order 4l) */
3107 const char badkey[] =
3108 "f43e3a046db8749164c6e69b193f1e942c7452e7d888736f40b98093d814d5e7";
3109 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
3110 badkey, strlen(badkey));
3111 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
3112 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
3113 }
3114
3115 { /* Point with torsion component (order 2l) */
3116 const char badkey[] =
3117 "c9fff3af0471c28e33e98c2043e44f779d0427b1e37c521a6bddc011ed1869af";
3118 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
3119 badkey, strlen(badkey));
3120 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
3121 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
3122 }
3123
3124 { /* This point is not even on the curve */
3125 const char badkey[] =
3126 "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
3127 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
3128 badkey, strlen(badkey));
3129 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
3130 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
3131 }
3132
3133 { /* This one is a good key */
3134 const char goodkey[] =
3135 "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
3136 retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
3137 goodkey, strlen(goodkey));
3138 tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
3139 tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
3140 }
3141
3142 done: ;
3143 }
3144
3145 static void
3146 test_crypto_failure_modes(void *arg)
3147 {
3148 int rv = 0;
3149 (void)arg;
3150
3151 rv = crypto_early_init();
3152 tt_int_op(rv, OP_EQ, 0);
3153
3154 /* Check random works */
3155 rv = crypto_rand_check_failure_mode_zero();
3156 tt_int_op(rv, OP_EQ, 0);
3157
3158 rv = crypto_rand_check_failure_mode_identical();
3159 tt_int_op(rv, OP_EQ, 0);
3160
3161 rv = crypto_rand_check_failure_mode_predict();
3162 tt_int_op(rv, OP_EQ, 0);
3163
3164 done:
3165 ;
3166 }
3167
3168 #define CRYPTO_LEGACY(name) \
3169 { #name, test_crypto_ ## name , 0, NULL, NULL }
3170
3171 #define ED25519_TEST_ONE(name, fl, which) \
3172 { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
3173 &ed25519_test_setup, (void*)which }
3174
3175 #define ED25519_TEST(name, fl) \
3176 ED25519_TEST_ONE(name, (fl), "donna"), \
3177 ED25519_TEST_ONE(name, (fl), "ref10")
3178
3179 struct testcase_t crypto_tests[] = {
3180 CRYPTO_LEGACY(formats),
3181 CRYPTO_LEGACY(rng),
3182 { "rng_range", test_crypto_rng_range, 0, NULL, NULL },
3183 { "rng_strongest", test_crypto_rng_strongest, TT_FORK, NULL, NULL },
3184 { "rng_strongest_nosyscall", test_crypto_rng_strongest, TT_FORK,
3185 &passthrough_setup, (void*)"nosyscall" },
3186 { "rng_strongest_nofallback", test_crypto_rng_strongest, TT_FORK,
3187 &passthrough_setup, (void*)"nofallback" },
3188 { "rng_strongest_broken", test_crypto_rng_strongest, TT_FORK,
3189 &passthrough_setup, (void*)"broken" },
3190 { "openssl_version", test_crypto_openssl_version, TT_FORK, NULL, NULL },
3191 { "aes_AES", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"aes" },
3192 { "aes_EVP", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"evp" },
3193 { "aes128_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3194 &passthrough_setup, (void*)"128" },
3195 { "aes192_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3196 &passthrough_setup, (void*)"192" },
3197 { "aes256_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3198 &passthrough_setup, (void*)"256" },
3199 CRYPTO_LEGACY(sha),
3200 CRYPTO_LEGACY(pk),
3201 { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
3202 { "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL },
3203 { "pk_pem_encrypted", test_crypto_pk_pem_encrypted, TT_FORK, NULL, NULL },
3204 { "pk_bad_size", test_crypto_pk_bad_size, 0, NULL, NULL },
3205 { "pk_invalid_private_key", test_crypto_pk_invalid_private_key, 0,
3206 NULL, NULL },
3207 CRYPTO_LEGACY(digests),
3208 { "digest_names", test_crypto_digest_names, 0, NULL, NULL },
3209 { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL},
3210 { "sha3_xof", test_crypto_sha3_xof, TT_FORK, NULL, NULL},
3211 { "mac_sha3", test_crypto_mac_sha3, TT_FORK, NULL, NULL},
3212 CRYPTO_LEGACY(dh),
3213 { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3214 (void*)"aes" },
3215 { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3216 (void*)"evp" },
3217 CRYPTO_LEGACY(base32_decode),
3218 { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL },
3219 { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
3220 { "hkdf_sha256_testvecs", test_crypto_hkdf_sha256_testvecs, 0, NULL, NULL },
3221 { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
3222 { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"},
3223 { "curve25516_testvec", test_crypto_curve25519_testvec, 0, NULL, NULL },
3224 { "curve25519_basepoint",
3225 test_crypto_curve25519_basepoint, TT_FORK, NULL, NULL },
3226 { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
3227 { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
3228 { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
3229 ED25519_TEST(simple, 0),
3230 ED25519_TEST(test_vectors, 0),
3231 ED25519_TEST(encode, 0),
3232 ED25519_TEST(convert, 0),
3233 ED25519_TEST(blinding, 0),
3234 ED25519_TEST(blinding_fail, 0),
3235 ED25519_TEST(testvectors, 0),
3236 ED25519_TEST(validation, 0),
3237 { "ed25519_storage", test_crypto_ed25519_storage, 0, NULL, NULL },
3238 { "siphash", test_crypto_siphash, 0, NULL, NULL },
3239 { "failure_modes", test_crypto_failure_modes, TT_FORK, NULL, NULL },
3240 END_OF_TESTCASES
3241 };
The Onion Router