Line data Source code
1 : /* Copyright (c) 2001-2004, Roger Dingledine.
2 : * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 : * Copyright (c) 2007-2021, The Tor Project, Inc. */
4 : /* See LICENSE for licensing information */
5 :
6 : #include "orconfig.h"
7 : #define CRYPTO_CURVE25519_PRIVATE
8 : #define CRYPTO_RAND_PRIVATE
9 : #include "core/or/or.h"
10 : #include "test/test.h"
11 : #include "lib/crypt_ops/aes.h"
12 : #include "siphash.h"
13 : #include "lib/crypt_ops/crypto_curve25519.h"
14 : #include "lib/crypt_ops/crypto_dh.h"
15 : #include "lib/crypt_ops/crypto_ed25519.h"
16 : #include "lib/crypt_ops/crypto_format.h"
17 : #include "lib/crypt_ops/crypto_hkdf.h"
18 : #include "lib/crypt_ops/crypto_rand.h"
19 : #include "lib/crypt_ops/crypto_init.h"
20 : #include "ed25519_vectors.inc"
21 : #include "test/log_test_helpers.h"
22 :
23 : #ifdef HAVE_SYS_STAT_H
24 : #include <sys/stat.h>
25 : #endif
26 : #ifdef HAVE_UNISTD_H
27 : #include <unistd.h>
28 : #endif
29 :
30 : #if defined(ENABLE_OPENSSL)
31 : #include "lib/crypt_ops/compat_openssl.h"
32 : DISABLE_GCC_WARNING("-Wredundant-decls")
33 : #include <openssl/dh.h>
34 : ENABLE_GCC_WARNING("-Wredundant-decls")
35 : #endif /* defined(ENABLE_OPENSSL) */
36 :
37 : /** Run unit tests for Diffie-Hellman functionality. */
38 : static void
39 1 : test_crypto_dh(void *arg)
40 : {
41 1 : crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
42 1 : crypto_dh_t *dh1_dup = NULL;
43 1 : crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
44 1 : char p1[DH1024_KEY_LEN];
45 1 : char p2[DH1024_KEY_LEN];
46 1 : char s1[DH1024_KEY_LEN];
47 1 : char s2[DH1024_KEY_LEN];
48 1 : ssize_t s1len, s2len;
49 : #ifdef ENABLE_OPENSSL
50 1 : crypto_dh_t *dh3 = NULL;
51 1 : DH *dh4 = NULL;
52 1 : BIGNUM *pubkey_tmp = NULL;
53 : #endif
54 :
55 1 : (void)arg;
56 1 : tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH1024_KEY_LEN);
57 1 : tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH1024_KEY_LEN);
58 :
59 1 : memset(p1, 0, DH1024_KEY_LEN);
60 1 : memset(p2, 0, DH1024_KEY_LEN);
61 1 : tt_mem_op(p1,OP_EQ, p2, DH1024_KEY_LEN);
62 :
63 1 : tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */
64 :
65 1 : tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
66 1 : tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
67 1 : tt_assert(! crypto_dh_get_public(dh2, p2, DH1024_KEY_LEN));
68 1 : tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
69 :
70 1 : memset(s1, 0, DH1024_KEY_LEN);
71 1 : memset(s2, 0xFF, DH1024_KEY_LEN);
72 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH1024_KEY_LEN, s1, 50);
73 1 : s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH1024_KEY_LEN, s2, 50);
74 1 : tt_assert(s1len > 0);
75 1 : tt_int_op(s1len,OP_EQ, s2len);
76 1 : tt_mem_op(s1,OP_EQ, s2, s1len);
77 :
78 : /* test dh_dup; make sure it works the same. */
79 1 : dh1_dup = crypto_dh_dup(dh1);
80 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH1024_KEY_LEN,
81 : s1, 50);
82 1 : tt_i64_op(s1len, OP_GE, 0);
83 1 : tt_mem_op(s1,OP_EQ, s2, s1len);
84 :
85 : {
86 : /* Now fabricate some bad values and make sure they get caught. */
87 :
88 : /* 1 and 0 should both fail. */
89 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x01", 1, s1, 50);
90 1 : tt_int_op(-1, OP_EQ, s1len);
91 :
92 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50);
93 1 : tt_int_op(-1, OP_EQ, s1len);
94 :
95 1 : memset(p1, 0, DH1024_KEY_LEN); /* 0 with padding. */
96 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
97 : s1, 50);
98 1 : tt_int_op(-1, OP_EQ, s1len);
99 :
100 1 : p1[DH1024_KEY_LEN-1] = 1; /* 1 with padding*/
101 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
102 : s1, 50);
103 1 : tt_int_op(-1, OP_EQ, s1len);
104 :
105 : /* 2 is okay, though weird. */
106 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
107 1 : tt_int_op(50, OP_EQ, s1len);
108 :
109 : /* 2 a second time is still okay, though weird. */
110 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
111 1 : tt_int_op(50, OP_EQ, s1len);
112 :
113 1 : const char P[] =
114 : "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
115 : "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
116 : "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
117 : "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
118 : "49286651ECE65381FFFFFFFFFFFFFFFF";
119 :
120 : /* p-1, p, and so on are not okay. */
121 1 : base16_decode(p1, sizeof(p1), P, strlen(P));
122 :
123 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
124 : s1, 50);
125 1 : tt_int_op(-1, OP_EQ, s1len);
126 :
127 1 : p1[DH1024_KEY_LEN-1] = 0xFE; /* p-1 */
128 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
129 : s1, 50);
130 1 : tt_int_op(-1, OP_EQ, s1len);
131 :
132 1 : p1[DH1024_KEY_LEN-1] = 0xFD; /* p-2 works fine */
133 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
134 : s1, 50);
135 1 : tt_int_op(50, OP_EQ, s1len);
136 :
137 1 : const char P_plus_one[] =
138 : "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
139 : "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
140 : "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
141 : "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
142 : "49286651ECE653820000000000000000";
143 :
144 1 : base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one));
145 :
146 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
147 : s1, 50);
148 1 : tt_int_op(-1, OP_EQ, s1len);
149 :
150 1 : p1[DH1024_KEY_LEN-1] = 0x01; /* p+2 */
151 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
152 : s1, 50);
153 1 : tt_int_op(-1, OP_EQ, s1len);
154 :
155 1 : p1[DH1024_KEY_LEN-1] = 0xff; /* p+256 */
156 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
157 : s1, 50);
158 1 : tt_int_op(-1, OP_EQ, s1len);
159 :
160 1 : memset(p1, 0xff, DH1024_KEY_LEN), /* 2^1024-1 */
161 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
162 : s1, 50);
163 1 : tt_int_op(-1, OP_EQ, s1len);
164 : }
165 :
166 : {
167 : /* provoke an error in the openssl DH_compute_key function; make sure we
168 : * survive. */
169 1 : tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
170 :
171 1 : crypto_dh_free(dh2);
172 1 : dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */
173 1 : s1len = crypto_dh_compute_secret(LOG_WARN, dh2,
174 : p1, DH1024_KEY_LEN,
175 : s1, 50);
176 1 : tt_int_op(s1len, OP_EQ, -1);
177 : }
178 :
179 : #if defined(ENABLE_OPENSSL)
180 : {
181 : /* Make sure that our crypto library can handshake with openssl. */
182 1 : dh3 = crypto_dh_new(DH_TYPE_TLS);
183 1 : tt_assert(!crypto_dh_get_public(dh3, p1, DH1024_KEY_LEN));
184 :
185 1 : dh4 = crypto_dh_new_openssl_tls();
186 1 : tt_assert(DH_generate_key(dh4));
187 1 : const BIGNUM *pk=NULL;
188 : #ifdef OPENSSL_1_1_API
189 1 : const BIGNUM *sk=NULL;
190 1 : DH_get0_key(dh4, &pk, &sk);
191 : #else
192 : pk = dh4->pub_key;
193 : #endif /* defined(OPENSSL_1_1_API) */
194 1 : tt_assert(pk);
195 1 : tt_int_op(BN_num_bytes(pk), OP_LE, DH1024_KEY_LEN);
196 1 : tt_int_op(BN_num_bytes(pk), OP_GT, 0);
197 1 : memset(p2, 0, sizeof(p2));
198 : /* right-pad. */
199 1 : BN_bn2bin(pk, (unsigned char *)(p2+DH1024_KEY_LEN-BN_num_bytes(pk)));
200 :
201 1 : s1len = crypto_dh_handshake(LOG_WARN, dh3, p2, DH1024_KEY_LEN,
202 : (unsigned char *)s1, sizeof(s1));
203 1 : pubkey_tmp = BN_bin2bn((unsigned char *)p1, DH1024_KEY_LEN, NULL);
204 1 : s2len = DH_compute_key((unsigned char *)s2, pubkey_tmp, dh4);
205 :
206 1 : tt_int_op(s1len, OP_EQ, s2len);
207 1 : tt_int_op(s1len, OP_GT, 0);
208 1 : tt_mem_op(s1, OP_EQ, s2, s1len);
209 : }
210 : #endif /* defined(ENABLE_OPENSSL) */
211 :
212 1 : done:
213 1 : crypto_dh_free(dh1);
214 1 : crypto_dh_free(dh2);
215 1 : crypto_dh_free(dh1_dup);
216 : #ifdef ENABLE_OPENSSL
217 1 : crypto_dh_free(dh3);
218 1 : if (dh4)
219 1 : DH_free(dh4);
220 1 : if (pubkey_tmp)
221 1 : BN_free(pubkey_tmp);
222 : #endif /* defined(ENABLE_OPENSSL) */
223 1 : }
224 :
225 : static void
226 1 : test_crypto_openssl_version(void *arg)
227 : {
228 1 : (void)arg;
229 : #ifdef ENABLE_NSS
230 : tt_skip();
231 : #else
232 1 : const char *version = crypto_openssl_get_version_str();
233 1 : const char *h_version = crypto_openssl_get_header_version_str();
234 1 : tt_assert(version);
235 1 : tt_assert(h_version);
236 1 : if (strcmpstart(version, h_version)) { /* "-fips" suffix, etc */
237 0 : TT_DIE(("OpenSSL library version %s did not begin with header version %s.",
238 : version, h_version));
239 : }
240 1 : if (strstr(version, "OpenSSL")) {
241 0 : TT_DIE(("assertion failed: !strstr(\"%s\", \"OpenSSL\")", version));
242 : }
243 1 : int a=-1,b=-1,c=-1;
244 1 : if (!strcmpstart(version, "LibreSSL") || !strcmpstart(version, "BoringSSL"))
245 0 : return;
246 1 : int r = tor_sscanf(version, "%d.%d.%d", &a,&b,&c);
247 1 : tt_int_op(r, OP_EQ, 3);
248 1 : tt_int_op(a, OP_GE, 0);
249 1 : tt_int_op(b, OP_GE, 0);
250 1 : tt_int_op(c, OP_GE, 0);
251 : #endif /* defined(ENABLE_NSS) */
252 :
253 1 : done:
254 1 : ;
255 : }
256 :
257 : /** Run unit tests for our AES128 functionality */
258 : static void
259 2 : test_crypto_aes128(void *arg)
260 : {
261 2 : char *data1 = NULL, *data2 = NULL, *data3 = NULL;
262 2 : crypto_cipher_t *env1 = NULL, *env2 = NULL;
263 2 : int i, j;
264 2 : char *mem_op_hex_tmp=NULL;
265 2 : char key[CIPHER_KEY_LEN];
266 2 : int use_evp = !strcmp(arg,"evp");
267 2 : evaluate_evp_for_aes(use_evp);
268 2 : evaluate_ctr_for_aes();
269 :
270 2 : data1 = tor_malloc(1024);
271 2 : data2 = tor_malloc(1024);
272 2 : data3 = tor_malloc(1024);
273 :
274 : /* Now, test encryption and decryption with stream cipher. */
275 2 : data1[0]='\0';
276 62 : for (i = 1023; i>0; i -= 35)
277 60 : strncat(data1, "Now is the time for all good onions", i);
278 :
279 2 : memset(data2, 0, 1024);
280 2 : memset(data3, 0, 1024);
281 2 : crypto_rand(key, sizeof(key));
282 2 : env1 = crypto_cipher_new(key);
283 2 : tt_ptr_op(env1, OP_NE, NULL);
284 2 : env2 = crypto_cipher_new(key);
285 2 : tt_ptr_op(env2, OP_NE, NULL);
286 :
287 : /* Try encrypting 512 chars. */
288 2 : crypto_cipher_encrypt(env1, data2, data1, 512);
289 2 : crypto_cipher_decrypt(env2, data3, data2, 512);
290 2 : tt_mem_op(data1,OP_EQ, data3, 512);
291 2 : tt_mem_op(data1,OP_NE, data2, 512);
292 :
293 : /* Now encrypt 1 at a time, and get 1 at a time. */
294 98 : for (j = 512; j < 560; ++j) {
295 96 : crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
296 : }
297 98 : for (j = 512; j < 560; ++j) {
298 96 : crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
299 : }
300 2 : tt_mem_op(data1,OP_EQ, data3, 560);
301 : /* Now encrypt 3 at a time, and get 5 at a time. */
302 308 : for (j = 560; j < 1024-5; j += 3) {
303 306 : crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
304 : }
305 186 : for (j = 560; j < 1024-5; j += 5) {
306 184 : crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
307 : }
308 2 : tt_mem_op(data1,OP_EQ, data3, 1024-5);
309 : /* Now make sure that when we encrypt with different chunk sizes, we get
310 : the same results. */
311 2 : crypto_cipher_free(env2);
312 2 : env2 = NULL;
313 :
314 2 : memset(data3, 0, 1024);
315 2 : env2 = crypto_cipher_new(key);
316 2 : tt_ptr_op(env2, OP_NE, NULL);
317 122 : for (j = 0; j < 1024-16; j += 17) {
318 120 : crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
319 : }
320 2018 : for (j= 0; j < 1024-16; ++j) {
321 2016 : if (data2[j] != data3[j]) {
322 2016 : printf("%d: %d\t%d\n", j, (int) data2[j], (int) data3[j]);
323 : }
324 : }
325 2 : tt_mem_op(data2,OP_EQ, data3, 1024-16);
326 2 : crypto_cipher_free(env1);
327 2 : env1 = NULL;
328 2 : crypto_cipher_free(env2);
329 2 : env2 = NULL;
330 :
331 : /* NIST test vector for aes. */
332 : /* IV starts at 0 */
333 2 : env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
334 : "\x00\x00\x00\x00\x00\x00\x00\x00");
335 2 : crypto_cipher_encrypt(env1, data1,
336 : "\x00\x00\x00\x00\x00\x00\x00\x00"
337 : "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
338 2 : test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");
339 :
340 : /* Now test rollover. All these values are originally from a python
341 : * script. */
342 2 : crypto_cipher_free(env1);
343 2 : env1 = crypto_cipher_new_with_iv(
344 : "\x80\x00\x00\x00\x00\x00\x00\x00"
345 : "\x00\x00\x00\x00\x00\x00\x00\x00",
346 : "\x00\x00\x00\x00\x00\x00\x00\x00"
347 : "\xff\xff\xff\xff\xff\xff\xff\xff");
348 2 : memset(data2, 0, 1024);
349 2 : crypto_cipher_encrypt(env1, data1, data2, 32);
350 2 : test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
351 : "cdd0b917dbc7186908a6bfb5ffd574d3");
352 2 : crypto_cipher_free(env1);
353 2 : env1 = crypto_cipher_new_with_iv(
354 : "\x80\x00\x00\x00\x00\x00\x00\x00"
355 : "\x00\x00\x00\x00\x00\x00\x00\x00",
356 : "\x00\x00\x00\x00\xff\xff\xff\xff"
357 : "\xff\xff\xff\xff\xff\xff\xff\xff");
358 2 : memset(data2, 0, 1024);
359 2 : crypto_cipher_encrypt(env1, data1, data2, 32);
360 2 : test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
361 : "3e63c721df790d2c6469cc1953a3ffac");
362 2 : crypto_cipher_free(env1);
363 2 : env1 = crypto_cipher_new_with_iv(
364 : "\x80\x00\x00\x00\x00\x00\x00\x00"
365 : "\x00\x00\x00\x00\x00\x00\x00\x00",
366 : "\xff\xff\xff\xff\xff\xff\xff\xff"
367 : "\xff\xff\xff\xff\xff\xff\xff\xff");
368 2 : memset(data2, 0, 1024);
369 2 : crypto_cipher_encrypt(env1, data1, data2, 32);
370 2 : test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
371 : "0EDD33D3C621E546455BD8BA1418BEC8");
372 :
373 : /* Now check rollover on inplace cipher. */
374 2 : crypto_cipher_free(env1);
375 2 : env1 = crypto_cipher_new_with_iv(
376 : "\x80\x00\x00\x00\x00\x00\x00\x00"
377 : "\x00\x00\x00\x00\x00\x00\x00\x00",
378 : "\xff\xff\xff\xff\xff\xff\xff\xff"
379 : "\xff\xff\xff\xff\xff\xff\xff\xff");
380 2 : crypto_cipher_crypt_inplace(env1, data2, 64);
381 2 : test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
382 : "0EDD33D3C621E546455BD8BA1418BEC8"
383 : "93e2c5243d6839eac58503919192f7ae"
384 : "1908e67cafa08d508816659c2e693191");
385 2 : crypto_cipher_free(env1);
386 2 : env1 = crypto_cipher_new_with_iv(
387 : "\x80\x00\x00\x00\x00\x00\x00\x00"
388 : "\x00\x00\x00\x00\x00\x00\x00\x00",
389 : "\xff\xff\xff\xff\xff\xff\xff\xff"
390 : "\xff\xff\xff\xff\xff\xff\xff\xff");
391 2 : crypto_cipher_crypt_inplace(env1, data2, 64);
392 2 : tt_assert(fast_mem_is_zero(data2, 64));
393 :
394 2 : done:
395 2 : tor_free(mem_op_hex_tmp);
396 2 : if (env1)
397 2 : crypto_cipher_free(env1);
398 2 : if (env2)
399 0 : crypto_cipher_free(env2);
400 2 : tor_free(data1);
401 2 : tor_free(data2);
402 2 : tor_free(data3);
403 2 : }
404 :
405 : static void
406 3 : test_crypto_aes_ctr_testvec(void *arg)
407 : {
408 3 : const char *bitstr = arg;
409 3 : char *mem_op_hex_tmp=NULL;
410 3 : crypto_cipher_t *c=NULL;
411 :
412 : /* from NIST SP800-38a, section F.5 */
413 3 : const char ctr16[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
414 3 : const char plaintext16[] =
415 : "6bc1bee22e409f96e93d7e117393172a"
416 : "ae2d8a571e03ac9c9eb76fac45af8e51"
417 : "30c81c46a35ce411e5fbc1191a0a52ef"
418 : "f69f2445df4f9b17ad2b417be66c3710";
419 3 : const char *ciphertext16;
420 3 : const char *key16;
421 3 : int bits;
422 :
423 3 : if (!strcmp(bitstr, "128")) {
424 : ciphertext16 = /* section F.5.1 */
425 : "874d6191b620e3261bef6864990db6ce"
426 : "9806f66b7970fdff8617187bb9fffdff"
427 : "5ae4df3edbd5d35e5b4f09020db03eab"
428 : "1e031dda2fbe03d1792170a0f3009cee";
429 : key16 = "2b7e151628aed2a6abf7158809cf4f3c";
430 : bits = 128;
431 2 : } else if (!strcmp(bitstr, "192")) {
432 : ciphertext16 = /* section F.5.3 */
433 : "1abc932417521ca24f2b0459fe7e6e0b"
434 : "090339ec0aa6faefd5ccc2c6f4ce8e94"
435 : "1e36b26bd1ebc670d1bd1d665620abf7"
436 : "4f78a7f6d29809585a97daec58c6b050";
437 : key16 = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b";
438 : bits = 192;
439 1 : } else if (!strcmp(bitstr, "256")) {
440 : ciphertext16 = /* section F.5.5 */
441 : "601ec313775789a5b7a7f504bbf3d228"
442 : "f443e3ca4d62b59aca84e990cacaf5c5"
443 : "2b0930daa23de94ce87017ba2d84988d"
444 : "dfc9c58db67aada613c2dd08457941a6";
445 : key16 =
446 : "603deb1015ca71be2b73aef0857d7781"
447 : "1f352c073b6108d72d9810a30914dff4";
448 : bits = 256;
449 : } else {
450 0 : tt_abort_msg("AES doesn't support this number of bits.");
451 : }
452 :
453 3 : char key[32];
454 3 : char iv[16];
455 3 : char plaintext[16*4];
456 3 : memset(key, 0xf9, sizeof(key)); /* poison extra bytes */
457 3 : base16_decode(key, sizeof(key), key16, strlen(key16));
458 3 : base16_decode(iv, sizeof(iv), ctr16, strlen(ctr16));
459 3 : base16_decode(plaintext, sizeof(plaintext),
460 : plaintext16, strlen(plaintext16));
461 :
462 3 : c = crypto_cipher_new_with_iv_and_bits((uint8_t*)key, (uint8_t*)iv, bits);
463 3 : crypto_cipher_crypt_inplace(c, plaintext, sizeof(plaintext));
464 3 : test_memeq_hex(plaintext, ciphertext16);
465 :
466 3 : done:
467 3 : tor_free(mem_op_hex_tmp);
468 3 : crypto_cipher_free(c);
469 3 : }
470 :
471 : /** Run unit tests for our SHA-1 functionality */
472 : static void
473 1 : test_crypto_sha(void *arg)
474 : {
475 1 : crypto_digest_t *d1 = NULL, *d2 = NULL;
476 1 : int i;
477 : #define RFC_4231_MAX_KEY_SIZE 131
478 1 : char key[RFC_4231_MAX_KEY_SIZE];
479 1 : char digest[DIGEST256_LEN];
480 1 : char data[DIGEST512_LEN];
481 1 : char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
482 1 : char *mem_op_hex_tmp=NULL;
483 :
484 : /* Test SHA-1 with a test vector from the specification. */
485 1 : (void)arg;
486 1 : i = crypto_digest(data, "abc", 3);
487 1 : test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
488 1 : tt_int_op(i, OP_EQ, 0);
489 :
490 : /* Test SHA-256 with a test vector from the specification. */
491 1 : i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
492 1 : test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
493 : "96177A9CB410FF61F20015AD");
494 1 : tt_int_op(i, OP_EQ, 0);
495 :
496 : /* Test SHA-512 with a test vector from the specification. */
497 1 : i = crypto_digest512(data, "abc", 3, DIGEST_SHA512);
498 1 : test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
499 : "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
500 : "feebbd454d4423643ce80e2a9ac94fa54ca49f");
501 1 : tt_int_op(i, OP_EQ, 0);
502 :
503 : /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */
504 :
505 : /* Case empty (wikipedia) */
506 1 : crypto_hmac_sha256(digest, "", 0, "", 0);
507 1 : tt_str_op(hex_str(digest, 32),OP_EQ,
508 : "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
509 :
510 : /* Case quick-brown (wikipedia) */
511 1 : crypto_hmac_sha256(digest, "key", 3,
512 : "The quick brown fox jumps over the lazy dog", 43);
513 1 : tt_str_op(hex_str(digest, 32),OP_EQ,
514 : "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");
515 :
516 : /* "Test Case 1" from RFC 4231 */
517 1 : memset(key, 0x0b, 20);
518 1 : crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
519 1 : test_memeq_hex(digest,
520 : "b0344c61d8db38535ca8afceaf0bf12b"
521 : "881dc200c9833da726e9376c2e32cff7");
522 :
523 : /* "Test Case 2" from RFC 4231 */
524 1 : memset(key, 0x0b, 20);
525 1 : crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
526 1 : test_memeq_hex(digest,
527 : "5bdcc146bf60754e6a042426089575c7"
528 : "5a003f089d2739839dec58b964ec3843");
529 :
530 : /* "Test case 3" from RFC 4231 */
531 1 : memset(key, 0xaa, 20);
532 1 : memset(data, 0xdd, 50);
533 1 : crypto_hmac_sha256(digest, key, 20, data, 50);
534 1 : test_memeq_hex(digest,
535 : "773ea91e36800e46854db8ebd09181a7"
536 : "2959098b3ef8c122d9635514ced565fe");
537 :
538 : /* "Test case 4" from RFC 4231 */
539 1 : base16_decode(key, 25,
540 : "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
541 1 : memset(data, 0xcd, 50);
542 1 : crypto_hmac_sha256(digest, key, 25, data, 50);
543 1 : test_memeq_hex(digest,
544 : "82558a389a443c0ea4cc819899f2083a"
545 : "85f0faa3e578f8077a2e3ff46729665b");
546 :
547 : /* "Test case 5" from RFC 4231 */
548 1 : memset(key, 0x0c, 20);
549 1 : crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
550 1 : test_memeq_hex(digest,
551 : "a3b6167473100ee06e0c796c2955552b");
552 :
553 : /* "Test case 6" from RFC 4231 */
554 1 : memset(key, 0xaa, 131);
555 1 : crypto_hmac_sha256(digest, key, 131,
556 : "Test Using Larger Than Block-Size Key - Hash Key First",
557 : 54);
558 1 : test_memeq_hex(digest,
559 : "60e431591ee0b67f0d8a26aacbf5b77f"
560 : "8e0bc6213728c5140546040f0ee37f54");
561 :
562 : /* "Test case 7" from RFC 4231 */
563 1 : memset(key, 0xaa, 131);
564 1 : crypto_hmac_sha256(digest, key, 131,
565 : "This is a test using a larger than block-size key and a "
566 : "larger than block-size data. The key needs to be hashed "
567 : "before being used by the HMAC algorithm.", 152);
568 1 : test_memeq_hex(digest,
569 : "9b09ffa71b942fcb27635fbcd5b0e944"
570 : "bfdc63644f0713938a7f51535c3a35e2");
571 :
572 : /* Incremental digest code. */
573 1 : d1 = crypto_digest_new();
574 1 : tt_assert(d1);
575 1 : crypto_digest_add_bytes(d1, "abcdef", 6);
576 1 : d2 = crypto_digest_dup(d1);
577 1 : tt_assert(d2);
578 1 : crypto_digest_add_bytes(d2, "ghijkl", 6);
579 1 : crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
580 1 : crypto_digest(d_out2, "abcdefghijkl", 12);
581 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
582 1 : crypto_digest_assign(d2, d1);
583 1 : crypto_digest_add_bytes(d2, "mno", 3);
584 1 : crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
585 1 : crypto_digest(d_out2, "abcdefmno", 9);
586 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
587 1 : crypto_digest_get_digest(d1, d_out1, DIGEST_LEN);
588 1 : crypto_digest(d_out2, "abcdef", 6);
589 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
590 1 : crypto_digest_free(d1);
591 1 : crypto_digest_free(d2);
592 :
593 : /* Incremental digest code with sha256 */
594 1 : d1 = crypto_digest256_new(DIGEST_SHA256);
595 1 : tt_assert(d1);
596 1 : crypto_digest_add_bytes(d1, "abcdef", 6);
597 1 : d2 = crypto_digest_dup(d1);
598 1 : tt_assert(d2);
599 1 : crypto_digest_add_bytes(d2, "ghijkl", 6);
600 1 : crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
601 1 : crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
602 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
603 1 : crypto_digest_assign(d2, d1);
604 1 : crypto_digest_add_bytes(d2, "mno", 3);
605 1 : crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
606 1 : crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
607 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
608 1 : crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
609 1 : crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
610 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
611 1 : crypto_digest_free(d1);
612 1 : crypto_digest_free(d2);
613 :
614 : /* Incremental digest code with sha512 */
615 1 : d1 = crypto_digest512_new(DIGEST_SHA512);
616 1 : tt_assert(d1);
617 1 : crypto_digest_add_bytes(d1, "abcdef", 6);
618 1 : d2 = crypto_digest_dup(d1);
619 1 : tt_assert(d2);
620 1 : crypto_digest_add_bytes(d2, "ghijkl", 6);
621 1 : crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
622 1 : crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512);
623 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
624 1 : crypto_digest_assign(d2, d1);
625 1 : crypto_digest_add_bytes(d2, "mno", 3);
626 1 : crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
627 1 : crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512);
628 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
629 1 : crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
630 1 : crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512);
631 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
632 :
633 1 : done:
634 1 : if (d1)
635 1 : crypto_digest_free(d1);
636 1 : if (d2)
637 1 : crypto_digest_free(d2);
638 1 : tor_free(mem_op_hex_tmp);
639 1 : }
640 :
641 : static void
642 1 : test_crypto_sha3(void *arg)
643 : {
644 1 : crypto_digest_t *d1 = NULL, *d2 = NULL;
645 1 : int i;
646 1 : char data[DIGEST512_LEN];
647 1 : char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
648 1 : char *mem_op_hex_tmp=NULL;
649 1 : char *large = NULL;
650 :
651 1 : (void)arg;
652 :
653 : /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
654 : *
655 : * NB: The code package's test vectors have length expressed in bits.
656 : */
657 :
658 : /* Len = 8, Msg = CC */
659 1 : const uint8_t keccak_kat_msg8[] = { 0xcc };
660 1 : i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
661 1 : test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
662 : "6252BB7CE180B00B582DD9B20AAAD7F0");
663 1 : tt_int_op(i, OP_EQ, 0);
664 1 : i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
665 1 : test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
666 : "C36E2EE0F652AC72E02624FA2E5ADEEC"
667 : "C7DD6BB3580224B4D6138706FC6E8059"
668 : "7B528051230B00621CC2B22999EAA205");
669 1 : tt_int_op(i, OP_EQ, 0);
670 :
671 : /* Len = 24, Msg = 1F877C */
672 1 : const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
673 1 : i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3,
674 : DIGEST_SHA3_256);
675 1 : test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
676 : "C9C966712A501B19D1B6632CCD408EC5");
677 1 : tt_int_op(i, OP_EQ, 0);
678 1 : i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3,
679 : DIGEST_SHA3_512);
680 1 : test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
681 : "1A2F0D0608C3A575163751F002DB30F4"
682 : "0F2F671834B22D208591CFAF1F5ECFE4"
683 : "3C49863A53B3225BDFD7C6591BA7658B");
684 1 : tt_int_op(i, OP_EQ, 0);
685 :
686 : /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
687 1 : const uint8_t keccak_kat_msg1080[] = {
688 : 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
689 : 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
690 : 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
691 : 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
692 : 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
693 : 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
694 : 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
695 : 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
696 : 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
697 : 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
698 : 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
699 : 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
700 : 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
701 : 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
702 : };
703 1 : i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135,
704 : DIGEST_SHA3_256);
705 1 : test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
706 : "BE9B7C736B8059ABFD6779AC35AC81B5");
707 1 : tt_int_op(i, OP_EQ, 0);
708 1 : i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135,
709 : DIGEST_SHA3_512);
710 1 : test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
711 : "CB78696773A212A5F62D02D14E3259D1"
712 : "92A87EBA4407DD83893527331407B6DA"
713 : "DAAD920DBC46489B677493CE5F20B595");
714 1 : tt_int_op(i, OP_EQ, 0);
715 :
716 : /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
717 1 : const uint8_t keccak_kat_msg1088[] = {
718 : 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
719 : 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
720 : 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
721 : 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
722 : 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
723 : 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
724 : 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
725 : 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
726 : 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
727 : 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
728 : 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
729 : 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
730 : 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
731 : 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
732 : };
733 1 : i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136,
734 : DIGEST_SHA3_256);
735 1 : test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
736 : "77B5286364FE16C59CC8A907AFF07732");
737 1 : tt_int_op(i, OP_EQ, 0);
738 1 : i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136,
739 : DIGEST_SHA3_512);
740 1 : test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
741 : "FB94A14C72DE5ACD10D0EB5ECE029CAD"
742 : "FA3BA17A40B2FFA2163991B17786E51C"
743 : "ABA79E5E0FFD34CF085E2A098BE8BACB");
744 1 : tt_int_op(i, OP_EQ, 0);
745 :
746 : /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
747 1 : const uint8_t keccak_kat_msg1096[] = {
748 : 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
749 : 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
750 : 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
751 : 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
752 : 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
753 : 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
754 : 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
755 : 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
756 : 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
757 : 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
758 : 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
759 : 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
760 : 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
761 : 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
762 : };
763 1 : i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137,
764 : DIGEST_SHA3_256);
765 1 : test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
766 : "735E0177279222E7AC0AF8504762FAA0");
767 1 : tt_int_op(i, OP_EQ, 0);
768 1 : i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137,
769 : DIGEST_SHA3_512);
770 1 : test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
771 : "40474041DE83D4A60645A826D7AF1ABE"
772 : "1EEFCB7B74B62CA6A514E5F2697D585B"
773 : "FECECE12931BBE1D4ED7EBF7B0BE660E");
774 1 : tt_int_op(i, OP_EQ, 0);
775 :
776 : /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
777 1 : const uint8_t keccak_kat_msg1144[] = {
778 : 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
779 : 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
780 : 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
781 : 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
782 : 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
783 : 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
784 : 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
785 : 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
786 : 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
787 : 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
788 : 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
789 : 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
790 : 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
791 : 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
792 : 0xDF, 0xAF, 0xEC,
793 : };
794 1 : i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143,
795 : DIGEST_SHA3_512);
796 1 : test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
797 : "605516615D96A062C8BE53A0D6C5A648"
798 : "7BE35D2A8F3CF6620D0C2DBA2C560D68"
799 : "295F284BE7F82F3B92919033C9CE5D80");
800 1 : tt_int_op(i, OP_EQ, 0);
801 1 : i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143,
802 : DIGEST_SHA3_256);
803 1 : test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
804 : "118C0C2C606BDCDA06E7943D2C95E0E5");
805 1 : tt_int_op(i, OP_EQ, 0);
806 :
807 : /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
808 1 : const uint8_t keccak_kat_msg1152[] = {
809 : 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
810 : 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
811 : 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
812 : 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
813 : 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
814 : 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
815 : 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
816 : 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
817 : 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
818 : 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
819 : 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
820 : 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
821 : 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
822 : 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
823 : 0x9E, 0xE0, 0x0C, 0x63,
824 : };
825 1 : i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144,
826 : DIGEST_SHA3_512);
827 1 : test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
828 : "22775DCB6019DCD22B8885994672A088"
829 : "9C69E8115C641DC8B83E39F7311815A1"
830 : "64DC46E0BA2FCA344D86D4BC2EF2532C");
831 1 : tt_int_op(i, OP_EQ, 0);
832 1 : i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144,
833 : DIGEST_SHA3_256);
834 1 : test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
835 : "84DA47678F3C2FFE5A39FDB5F7E63FFB");
836 1 : tt_int_op(i, OP_EQ, 0);
837 :
838 : /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
839 1 : const uint8_t keccak_kat_msg1160[] = {
840 : 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
841 : 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
842 : 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
843 : 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
844 : 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
845 : 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
846 : 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
847 : 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
848 : 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
849 : 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
850 : 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
851 : 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
852 : 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
853 : 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
854 : 0x70, 0x11, 0x04, 0x4C, 0x53,
855 : };
856 1 : i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145,
857 : DIGEST_SHA3_512);
858 1 : test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
859 : "05221AC5EFB1229842E4614F4A029C9B"
860 : "D14A0ED7FD99AF3681429F3F309FDB53"
861 : "166AA9A3CD9F1F1223D04B4A9015E94A");
862 1 : tt_int_op(i, OP_EQ, 0);
863 1 : i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145,
864 : DIGEST_SHA3_256);
865 1 : test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
866 : "3CF6235C6B0B7969342C45A35194B67E");
867 1 : tt_int_op(i, OP_EQ, 0);
868 :
869 : /* SHA3-[256,512] Empty case (wikipedia) */
870 1 : i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
871 1 : test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
872 : "f580ff4de43b49fa82d80a4b80f8434a");
873 1 : tt_int_op(i, OP_EQ, 0);
874 1 : i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
875 1 : test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
876 : "97c982164fe25859e0d1dcc1475c80a6"
877 : "15b2123af1f5f94c11e3e9402c3ac558"
878 : "f500199d95b6d3e301758586281dcd26");
879 1 : tt_int_op(i, OP_EQ, 0);
880 :
881 : /* Incremental digest code with SHA3-256 */
882 1 : d1 = crypto_digest256_new(DIGEST_SHA3_256);
883 1 : tt_assert(d1);
884 1 : crypto_digest_add_bytes(d1, "abcdef", 6);
885 1 : d2 = crypto_digest_dup(d1);
886 1 : tt_assert(d2);
887 1 : crypto_digest_add_bytes(d2, "ghijkl", 6);
888 1 : crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
889 1 : crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
890 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
891 1 : crypto_digest_assign(d2, d1);
892 1 : crypto_digest_add_bytes(d2, "mno", 3);
893 1 : crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
894 1 : crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
895 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
896 1 : crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
897 1 : crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
898 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
899 1 : crypto_digest_free(d1);
900 1 : crypto_digest_free(d2);
901 :
902 : /* Incremental digest code with SHA3-512 */
903 1 : d1 = crypto_digest512_new(DIGEST_SHA3_512);
904 1 : tt_assert(d1);
905 1 : crypto_digest_add_bytes(d1, "abcdef", 6);
906 1 : d2 = crypto_digest_dup(d1);
907 1 : tt_assert(d2);
908 1 : crypto_digest_add_bytes(d2, "ghijkl", 6);
909 1 : crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
910 1 : crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512);
911 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
912 1 : crypto_digest_assign(d2, d1);
913 1 : crypto_digest_add_bytes(d2, "mno", 3);
914 1 : crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
915 1 : crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512);
916 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
917 1 : crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
918 1 : crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512);
919 1 : tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
920 1 : crypto_digest_free(d1);
921 :
922 : /* Attempt to exercise the incremental hashing code by creating a randomized
923 : * 30 KiB buffer, and hashing rand[1, 5 * Rate] bytes at a time. SHA3-512
924 : * is used because it has a lowest rate of the family (the code is common,
925 : * but the slower rate exercises more of it).
926 : */
927 1 : const size_t bufsz = 30 * 1024;
928 1 : size_t j = 0;
929 1 : large = tor_malloc(bufsz);
930 1 : crypto_rand(large, bufsz);
931 1 : d1 = crypto_digest512_new(DIGEST_SHA3_512); /* Running digest. */
932 162 : while (j < bufsz) {
933 : /* Pick how much data to add to the running digest. */
934 161 : size_t incr = (size_t)crypto_rand_int_range(1, 72 * 5);
935 161 : incr = MIN(bufsz - j, incr);
936 :
937 : /* Add the data, and calculate the hash. */
938 161 : crypto_digest_add_bytes(d1, large + j, incr);
939 161 : crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
940 :
941 : /* One-shot hash the buffer up to the data that was just added,
942 : * and ensure that the values match up.
943 : *
944 : * XXX/yawning: If this actually fails, it'll be rather difficult to
945 : * reproduce. Improvements welcome.
946 : */
947 161 : i = crypto_digest512(d_out2, large, j + incr, DIGEST_SHA3_512);
948 161 : tt_int_op(i, OP_EQ, 0);
949 161 : tt_mem_op(d_out1, OP_EQ, d_out2, DIGEST512_LEN);
950 :
951 : j += incr;
952 : }
953 :
954 1 : done:
955 1 : if (d1)
956 1 : crypto_digest_free(d1);
957 1 : if (d2)
958 1 : crypto_digest_free(d2);
959 1 : tor_free(large);
960 1 : tor_free(mem_op_hex_tmp);
961 1 : }
962 :
963 : /** Run unit tests for our XOF. */
964 : static void
965 1 : test_crypto_sha3_xof(void *arg)
966 : {
967 1 : uint8_t msg[255];
968 1 : uint8_t out[512];
969 1 : crypto_xof_t *xof;
970 1 : char *mem_op_hex_tmp=NULL;
971 :
972 1 : (void)arg;
973 :
974 : /* SHAKE256 test vector (Len = 2040) from the Keccak Code Package. */
975 1 : base16_decode((char *)msg, 255,
976 : "3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431"
977 : "E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1"
978 : "A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F"
979 : "0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD457"
980 : "4EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F114186"
981 : "90A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED3"
982 : "06FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565"
983 : "CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D7"
984 : "9DC266F6A5BE6BB0E4A92ECEEBAEB1", 510);
985 1 : const char *squeezed_hex =
986 : "8A5199B4A7E133E264A86202720655894D48CFF344A928CF8347F48379CE"
987 : "F347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA03B9EDB02B9635470A"
988 : "B9F1038985D55F9CA774572DD006470EA65145469609F9FA0831BF1FFD84"
989 : "2DC24ACADE27BD9816E3B5BF2876CB112232A0EB4475F1DFF9F5C713D9FF"
990 : "D4CCB89AE5607FE35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B60"
991 : "96E2B3FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F39F9"
992 : "9B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB5663727AAC34"
993 : "A401247FBAA7499E7D5EE5B69D31025E63D04C35C798BCA1262D5673A9CF"
994 : "0930B5AD89BD485599DC184528DA4790F088EBD170B635D9581632D2FF90"
995 : "DB79665CED430089AF13C9F21F6D443A818064F17AEC9E9C5457001FA8DC"
996 : "6AFBADBE3138F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F18"
997 : "9B534E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73FB1775"
998 : "B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA77114A16C15355B"
999 : "42877A1DB2A7DF0E155AE1D8670ABCEC3450F4E2EEC9838F895423EF63D2"
1000 : "61138BAAF5D9F104CB5A957AEA06C0B9B8C78B0D441796DC0350DDEABB78"
1001 : "A33B6F1F9E68EDE3D1805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9"
1002 : "096F2EDB221DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39"
1003 : "73D4";
1004 :
1005 : /* Test oneshot absorb/squeeze. */
1006 1 : xof = crypto_xof_new();
1007 1 : tt_assert(xof);
1008 1 : crypto_xof_add_bytes(xof, msg, sizeof(msg));
1009 1 : crypto_xof_squeeze_bytes(xof, out, sizeof(out));
1010 1 : test_memeq_hex(out, squeezed_hex);
1011 1 : crypto_xof_free(xof);
1012 1 : memset(out, 0, sizeof(out));
1013 :
1014 : /* Test one-function absorb/squeeze. */
1015 1 : crypto_xof(out, sizeof(out), msg, sizeof(msg));
1016 1 : test_memeq_hex(out, squeezed_hex);
1017 1 : memset(out, 0, sizeof(out));
1018 :
1019 : /* Test incremental absorb/squeeze. */
1020 1 : xof = crypto_xof_new();
1021 1 : tt_assert(xof);
1022 256 : for (size_t i = 0; i < sizeof(msg); i++)
1023 255 : crypto_xof_add_bytes(xof, msg + i, 1);
1024 513 : for (size_t i = 0; i < sizeof(out); i++) {
1025 512 : crypto_xof_squeeze_bytes(xof, out + i, 1);
1026 : }
1027 1 : test_memeq_hex(out, squeezed_hex);
1028 :
1029 1 : done:
1030 1 : if (xof)
1031 1 : crypto_xof_free(xof);
1032 1 : tor_free(mem_op_hex_tmp);
1033 1 : }
1034 :
1035 : /* Test our MAC-SHA3 function. There are not actually any MAC-SHA3 test
1036 : * vectors out there for our H(len(k) || k || m) construction. Hence what we
1037 : * are gonna do is test our crypto_mac_sha3_256() function against manually
1038 : * doing H(len(k) || k||m). If in the future the Keccak group decides to
1039 : * standarize an MAC construction and make test vectors, we should
1040 : * incorporate them here. */
1041 : static void
1042 1 : test_crypto_mac_sha3(void *arg)
1043 : {
1044 1 : const char msg[] = "i am in a library somewhere using my computer";
1045 1 : const char key[] = "i'm from the past talking to the future.";
1046 :
1047 1 : uint8_t hmac_test[DIGEST256_LEN];
1048 1 : char hmac_manual[DIGEST256_LEN];
1049 :
1050 1 : (void) arg;
1051 :
1052 : /* First let's use our nice HMAC-SHA3 function */
1053 1 : crypto_mac_sha3_256(hmac_test, sizeof(hmac_test),
1054 : (uint8_t *) key, strlen(key),
1055 : (uint8_t *) msg, strlen(msg));
1056 :
1057 : /* Now let's try a manual H(len(k) || k || m) construction */
1058 : {
1059 1 : char *key_msg_concat = NULL, *all = NULL;
1060 1 : int result;
1061 1 : const uint64_t key_len_netorder = tor_htonll(strlen(key));
1062 1 : size_t all_len;
1063 :
1064 1 : tor_asprintf(&key_msg_concat, "%s%s", key, msg);
1065 1 : all_len = sizeof(key_len_netorder) + strlen(key_msg_concat);
1066 1 : all = tor_malloc_zero(all_len);
1067 1 : memcpy(all, &key_len_netorder, sizeof(key_len_netorder));
1068 1 : memcpy(all + sizeof(key_len_netorder), key_msg_concat,
1069 : strlen(key_msg_concat));
1070 :
1071 1 : result = crypto_digest256(hmac_manual, all, all_len, DIGEST_SHA3_256);
1072 1 : tor_free(key_msg_concat);
1073 1 : tor_free(all);
1074 1 : tt_int_op(result, OP_EQ, 0);
1075 : }
1076 :
1077 : /* Now compare the two results */
1078 1 : tt_mem_op(hmac_test, OP_EQ, hmac_manual, DIGEST256_LEN);
1079 :
1080 1 : done: ;
1081 1 : }
1082 :
1083 : /** Run unit tests for our public key crypto functions */
1084 : static void
1085 1 : test_crypto_pk(void *arg)
1086 : {
1087 1 : crypto_pk_t *pk1 = NULL, *pk2 = NULL;
1088 1 : char *encoded = NULL;
1089 1 : char data1[1024], data2[1024], data3[1024];
1090 1 : size_t size;
1091 1 : int i, len;
1092 :
1093 : /* Public-key ciphers */
1094 1 : (void)arg;
1095 1 : pk1 = pk_generate(0);
1096 1 : pk2 = crypto_pk_new();
1097 1 : tt_assert(pk1 && pk2);
1098 1 : tt_assert(! crypto_pk_write_public_key_to_string(pk1, &encoded, &size));
1099 1 : tt_assert(! crypto_pk_read_public_key_from_string(pk2, encoded, size));
1100 1 : tt_int_op(0,OP_EQ, crypto_pk_cmp_keys(pk1, pk2));
1101 :
1102 : /* comparison between keys and NULL */
1103 1 : tt_int_op(crypto_pk_cmp_keys(NULL, pk1), OP_LT, 0);
1104 1 : tt_int_op(crypto_pk_cmp_keys(NULL, NULL), OP_EQ, 0);
1105 1 : tt_int_op(crypto_pk_cmp_keys(pk1, NULL), OP_GT, 0);
1106 :
1107 1 : tt_int_op(128,OP_EQ, crypto_pk_keysize(pk1));
1108 1 : tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk1));
1109 1 : tt_int_op(128,OP_EQ, crypto_pk_keysize(pk2));
1110 1 : tt_int_op(1024,OP_EQ, crypto_pk_num_bits(pk2));
1111 :
1112 1 : tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk2, data1, sizeof(data1),
1113 : "Hello whirled.", 15,
1114 : PK_PKCS1_OAEP_PADDING));
1115 1 : tt_int_op(128,OP_EQ, crypto_pk_public_encrypt(pk1, data2, sizeof(data1),
1116 : "Hello whirled.", 15,
1117 : PK_PKCS1_OAEP_PADDING));
1118 : /* oaep padding should make encryption not match */
1119 1 : tt_mem_op(data1,OP_NE, data2, 128);
1120 1 : tt_int_op(15,OP_EQ,
1121 : crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data1, 128,
1122 : PK_PKCS1_OAEP_PADDING,1));
1123 1 : tt_str_op(data3,OP_EQ, "Hello whirled.");
1124 1 : memset(data3, 0, 1024);
1125 1 : tt_int_op(15,OP_EQ,
1126 : crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1127 : PK_PKCS1_OAEP_PADDING,1));
1128 1 : tt_str_op(data3,OP_EQ, "Hello whirled.");
1129 : /* Can't decrypt with public key. */
1130 1 : tt_int_op(-1,OP_EQ,
1131 : crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data2, 128,
1132 : PK_PKCS1_OAEP_PADDING,1));
1133 : /* Try again with bad padding */
1134 1 : memcpy(data2+1, "XYZZY", 5); /* This has fails ~ once-in-2^40 */
1135 1 : tt_int_op(-1,OP_EQ,
1136 : crypto_pk_private_decrypt(pk1, data3, sizeof(data3), data2, 128,
1137 : PK_PKCS1_OAEP_PADDING,1));
1138 :
1139 : /* File operations: save and load private key */
1140 1 : tt_assert(! crypto_pk_write_private_key_to_filename(pk1,
1141 : get_fname("pkey1")));
1142 : /* failing case for read: can't read. */
1143 1 : tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1144 : OP_LT, 0);
1145 1 : write_str_to_file(get_fname("xyzzy"), "foobar", 6);
1146 : /* Failing case for read: no key. */
1147 1 : tt_int_op(crypto_pk_read_private_key_from_filename(pk2, get_fname("xyzzy")),
1148 : OP_LT, 0);
1149 1 : tt_assert(! crypto_pk_read_private_key_from_filename(pk2,
1150 : get_fname("pkey1")));
1151 1 : tt_int_op(15,OP_EQ,
1152 : crypto_pk_private_decrypt(pk2, data3, sizeof(data3), data1, 128,
1153 : PK_PKCS1_OAEP_PADDING,1));
1154 :
1155 : /* Now try signing. */
1156 1 : strlcpy(data1, "Ossifrage", 1024);
1157 1 : tt_int_op(128,OP_EQ,
1158 : crypto_pk_private_sign(pk1, data2, sizeof(data2), data1, 10));
1159 1 : tt_int_op(10,OP_EQ,
1160 : crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1161 1 : tt_str_op(data3,OP_EQ, "Ossifrage");
1162 : /* Try signing digests. */
1163 1 : tt_int_op(128,OP_EQ, crypto_pk_private_sign_digest(pk1, data2, sizeof(data2),
1164 : data1, 10));
1165 1 : tt_int_op(20,OP_EQ,
1166 : crypto_pk_public_checksig(pk1, data3, sizeof(data3), data2, 128));
1167 1 : tt_int_op(0,OP_EQ,
1168 : crypto_pk_public_checksig_digest(pk1, data1, 10, data2, 128));
1169 1 : tt_int_op(-1,OP_EQ,
1170 : crypto_pk_public_checksig_digest(pk1, data1, 11, data2, 128));
1171 :
1172 : /*XXXX test failed signing*/
1173 :
1174 : /* Try encoding */
1175 1 : crypto_pk_free(pk2);
1176 1 : pk2 = NULL;
1177 1 : i = crypto_pk_asn1_encode(pk1, data1, 1024);
1178 1 : tt_int_op(i, OP_GT, 0);
1179 1 : pk2 = crypto_pk_asn1_decode(data1, i);
1180 1 : tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1181 :
1182 : /* Try with hybrid encryption wrappers. */
1183 1 : crypto_rand(data1, 1024);
1184 57 : for (i = 85; i < 140; ++i) {
1185 55 : memset(data2,0,1024);
1186 55 : memset(data3,0,1024);
1187 55 : len = crypto_pk_obsolete_public_hybrid_encrypt(pk1,data2,sizeof(data2),
1188 : data1,i,PK_PKCS1_OAEP_PADDING,0);
1189 55 : tt_int_op(len, OP_GE, 0);
1190 55 : len = crypto_pk_obsolete_private_hybrid_decrypt(pk1,data3,sizeof(data3),
1191 : data2,len,PK_PKCS1_OAEP_PADDING,1);
1192 55 : tt_int_op(len,OP_EQ, i);
1193 55 : tt_mem_op(data1,OP_EQ, data3,i);
1194 : }
1195 :
1196 : /* Try copy_full */
1197 1 : crypto_pk_free(pk2);
1198 1 : pk2 = crypto_pk_copy_full(pk1);
1199 1 : tt_ptr_op(pk2, OP_NE, NULL);
1200 1 : tt_ptr_op(pk1, OP_NE, pk2);
1201 1 : tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1202 :
1203 1 : done:
1204 1 : if (pk1)
1205 1 : crypto_pk_free(pk1);
1206 1 : if (pk2)
1207 1 : crypto_pk_free(pk2);
1208 1 : tor_free(encoded);
1209 1 : }
1210 :
1211 : static void
1212 1 : test_crypto_pk_fingerprints(void *arg)
1213 : {
1214 1 : crypto_pk_t *pk = NULL;
1215 1 : char encoded[512];
1216 1 : char d[DIGEST_LEN], d2[DIGEST_LEN];
1217 1 : char fingerprint[FINGERPRINT_LEN+1];
1218 1 : int n;
1219 1 : unsigned i;
1220 1 : char *mem_op_hex_tmp=NULL;
1221 :
1222 1 : (void)arg;
1223 :
1224 1 : pk = pk_generate(1);
1225 1 : tt_assert(pk);
1226 1 : n = crypto_pk_asn1_encode(pk, encoded, sizeof(encoded));
1227 1 : tt_int_op(n, OP_GT, 0);
1228 1 : tt_int_op(n, OP_GT, 128);
1229 1 : tt_int_op(n, OP_LT, 256);
1230 :
1231 : /* Is digest as expected? */
1232 1 : crypto_digest(d, encoded, n);
1233 1 : tt_int_op(0, OP_EQ, crypto_pk_get_digest(pk, d2));
1234 1 : tt_mem_op(d,OP_EQ, d2, DIGEST_LEN);
1235 :
1236 : /* Is fingerprint right? */
1237 1 : tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 0));
1238 1 : tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1239 1 : test_memeq_hex(d, fingerprint);
1240 :
1241 : /* Are spaces right? */
1242 1 : tt_int_op(0, OP_EQ, crypto_pk_get_fingerprint(pk, fingerprint, 1));
1243 10 : for (i = 4; i < strlen(fingerprint); i += 5) {
1244 9 : tt_int_op(fingerprint[i], OP_EQ, ' ');
1245 : }
1246 1 : tor_strstrip(fingerprint, " ");
1247 1 : tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1248 1 : test_memeq_hex(d, fingerprint);
1249 :
1250 : /* Now hash again and check crypto_pk_get_hashed_fingerprint. */
1251 1 : crypto_digest(d2, d, sizeof(d));
1252 1 : tt_int_op(0, OP_EQ, crypto_pk_get_hashed_fingerprint(pk, fingerprint));
1253 1 : tt_int_op(strlen(fingerprint), OP_EQ, DIGEST_LEN * 2);
1254 1 : test_memeq_hex(d2, fingerprint);
1255 :
1256 1 : done:
1257 1 : crypto_pk_free(pk);
1258 1 : tor_free(mem_op_hex_tmp);
1259 1 : }
1260 :
1261 : static void
1262 1 : test_crypto_pk_base64(void *arg)
1263 : {
1264 1 : crypto_pk_t *pk1 = NULL;
1265 1 : crypto_pk_t *pk2 = NULL;
1266 1 : char *encoded = NULL;
1267 :
1268 1 : (void)arg;
1269 :
1270 : /* Test Base64 encoding a key. */
1271 1 : pk1 = pk_generate(0);
1272 1 : tt_assert(pk1);
1273 1 : tt_int_op(0, OP_EQ, crypto_pk_base64_encode_private(pk1, &encoded));
1274 1 : tt_assert(encoded);
1275 :
1276 : /* Test decoding a valid key. */
1277 1 : pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded));
1278 1 : tt_assert(pk2);
1279 1 : tt_int_op(crypto_pk_cmp_keys(pk1, pk2), OP_EQ, 0);
1280 1 : crypto_pk_free(pk2);
1281 :
1282 : /* Test decoding a invalid key (not Base64). */
1283 1 : static const char *invalid_b64 = "The key is in another castle!";
1284 1 : pk2 = crypto_pk_base64_decode_private(invalid_b64, strlen(invalid_b64));
1285 1 : tt_ptr_op(pk2, OP_EQ, NULL);
1286 :
1287 : /* Test decoding a truncated Base64 blob. */
1288 1 : pk2 = crypto_pk_base64_decode_private(encoded, strlen(encoded)/2);
1289 1 : tt_ptr_op(pk2, OP_EQ, NULL);
1290 :
1291 1 : done:
1292 1 : crypto_pk_free(pk1);
1293 1 : crypto_pk_free(pk2);
1294 1 : tor_free(encoded);
1295 1 : }
1296 :
1297 : static void
1298 1 : test_crypto_pk_pem_encrypted(void *arg)
1299 : {
1300 1 : crypto_pk_t *pk = NULL;
1301 1 : (void)arg;
1302 :
1303 1 : pk = crypto_pk_new();
1304 : /* we need to make sure that we won't stall if somebody gives us a key
1305 : that's encrypted with a password. */
1306 : {
1307 1 : const char *s =
1308 : "-----BEGIN RSA PRIVATE KEY-----\n"
1309 : "Proc-Type: 4,ENCRYPTED\n"
1310 : "DEK-Info: AES-128-CBC,EFA86BB9D2AB11E80B4E3DCD97782B16\n"
1311 : "\n"
1312 : "Z2Je4m0cFepc6coQkVbGcvNCHxTf941N2XYEVE6kn0CqWqoUH4tlwV6for5D91np\n"
1313 : "5NiEFTkWj31EhrvrYcuiJtQ/iEbABxZULFWFeJ058rb+1izBz5rScqnEacIS/3Go\n"
1314 : "YntnROBDwiKmUnue6PJVYg==\n"
1315 : "-----END RSA PRIVATE KEY-----\n";
1316 1 : tt_int_op(-1, OP_EQ,
1317 : crypto_pk_read_private_key_from_string(pk, s, strlen(s)));
1318 : }
1319 : /* For fun, make sure we aren't hit by OpenSSL issue
1320 : https://github.com/openssl/openssl/issues/6347 , where we get in trouble
1321 : if a cipher doesn't use an IV.
1322 : */
1323 : {
1324 1 : const char *s =
1325 : "-----BEGIN RSA PUBLIC KEY-----\n"
1326 : "Proc-Type:4,ENCRYPTED\n"
1327 : "DEK-Info:des-ede -\n"
1328 : "\n"
1329 : "iRqK\n"
1330 : "-----END RSA PUBLIC KEY-----\n";
1331 1 : tt_int_op(-1, OP_EQ,
1332 : crypto_pk_read_public_key_from_string(pk, s, strlen(s)));
1333 : }
1334 1 : done:
1335 1 : crypto_pk_free(pk);
1336 1 : }
1337 :
1338 : static void
1339 1 : test_crypto_pk_bad_size(void *arg)
1340 : {
1341 1 : (void)arg;
1342 1 : crypto_pk_t *pk1 = pk_generate(0);
1343 1 : crypto_pk_t *pk2 = NULL;
1344 1 : char buf[2048];
1345 1 : int n = crypto_pk_asn1_encode_private(pk1, buf, sizeof(buf));
1346 1 : tt_int_op(n, OP_GT, 0);
1347 :
1348 : /* Set the max bit count smaller: we should refuse to decode the key.*/
1349 1 : pk2 = crypto_pk_asn1_decode_private(buf, n, 1020);
1350 1 : tt_assert(! pk2);
1351 :
1352 : /* Set the max bit count one bit smaller: we should refuse to decode the
1353 : key.*/
1354 1 : pk2 = crypto_pk_asn1_decode_private(buf, n, 1023);
1355 1 : tt_assert(! pk2);
1356 :
1357 : /* Correct size: should work. */
1358 1 : pk2 = crypto_pk_asn1_decode_private(buf, n, 1024);
1359 1 : tt_assert(pk2);
1360 1 : crypto_pk_free(pk2);
1361 :
1362 : /* One bit larger: should work. */
1363 1 : pk2 = crypto_pk_asn1_decode_private(buf, n, 1025);
1364 1 : tt_assert(pk2);
1365 1 : crypto_pk_free(pk2);
1366 :
1367 : /* Set the max bit count larger: it should decode fine. */
1368 1 : pk2 = crypto_pk_asn1_decode_private(buf, n, 2048);
1369 1 : tt_assert(pk2);
1370 :
1371 1 : done:
1372 1 : crypto_pk_free(pk1);
1373 1 : crypto_pk_free(pk2);
1374 1 : }
1375 :
1376 : static void
1377 1 : test_crypto_pk_invalid_private_key(void *arg)
1378 : {
1379 1 : (void)arg;
1380 : /* Here is a simple invalid private key: it was produced by making
1381 : * a regular private key, and then adding 2 to the modulus. */
1382 1 : const char pem[] =
1383 : "-----BEGIN RSA PRIVATE KEY-----\n"
1384 : "MIIEpQIBAAKCAQEAskRyZrs+YAukvBmZlgo6/rCxyKF2xyUk073ap+2CgRUnSfGG\n"
1385 : "mflHlzqVq7tpH50DafpS+fFAbaEaNV/ac20QG0rUZi38HTB4qURWOu6n0Bws6E4l\n"
1386 : "UX/AkvDlWnuYH0pHHi2c3DGNFjwoJpjKuUTk+cRffVR8X3Kjr62SUDUaBNW0Kecz\n"
1387 : "3SYLbmgmZI16dFZ+g9sNM3znXZbhvb33WwPqpZSSPs37cPgF7eS6mAw/gUMx6zfE\n"
1388 : "HRmUnOQSzUdS05rvc/hsiCLhiIZ8hgfkD07XnTT1Ds8DwE55k7BUWY2wvwWCNLsH\n"
1389 : "qtqAxTr615XdkMxVkYgImpqPybarpfNYhFqkOwIDAQABAoIBACPC3VxEdbfYvhxJ\n"
1390 : "2mih9sG++nswAN7kUaX0cRe86rAwaShJPmJHApiQ1ROVTfpciiHJaLnhLraPWe2Z\n"
1391 : "I/6Bw3hmI4O399p3Lc1u+wlpdNqnvE6B1rSptx0DHE9xecvVH70rE0uM2Su7t6Y+\n"
1392 : "gnR2IKUGQs2mlCilm7aTUEWs0WJkkl4CG1dyxItuOSdNBjOEzXimJyiB10jEBFsp\n"
1393 : "SZeCF2FZ7AJbck5CVC42+oTsiDbZrHTHOn7v26rFGdONeHD1wOI1v7JwHFpCB923\n"
1394 : "aEHBzsPbMeq7DWG1rjzCYpcXHhTDBDBWSia4SEhyr2Nl7m7qxWWWwR+x4dqAj3rD\n"
1395 : "HeTmos0CgYEA6uf1CLpjPpOs5IaW1DQI8dJA/xFEAC/6GVgq4nFOGHZrm8G3L5o+\n"
1396 : "qvtQNMpDs2naWuZpqROFqv24o01DykHygR72GlPIY6uvmmf5tvJLoGnbFUay33L4\n"
1397 : "7b9dkNhuEIBNPzVDie0pgS77WgaPbYkVv5fnDwgPuVnkqfakEt7Pz2MCgYEAwkZ5\n"
1398 : "R1wLuTQEA2Poo6Gf4L8Bg6yNYI46LHDqDIs818iYLjtcnEEvbPfaoKNpOn7s7s4O\n"
1399 : "Pc+4HnT1aIQs0IKVLRTp+5a/9wfOkPZnobWOUHZk9UzBL3Hc1uy/qhp93iE3tSzx\n"
1400 : "v0O1pvR+hr3guTCZx8wZnDvaMgG3hlyPnVlHdrMCgYEAzQQxGbMC1ySv6quEjCP2\n"
1401 : "AogMbhE1lixJTUFj/EoDbNo9xKznIkauly/Lqqc1OysRhfA/G2+MY9YZBX1zwtyX\n"
1402 : "uBW7mPKynDrFgi9pBECnvJNmwET57Ic9ttIj6Tzbos83nAjyrzgr1zGX8dRz7ZeN\n"
1403 : "QbBj2vygLJbGOYinXkjUeh0CgYEAhN5aF9n2EqZmkEMGWtMxWy6HRJ0A3Cap1rcq\n"
1404 : "+4VHCXWhzwy+XAeg/e/N0MuyLlWcif7XcqLcE8h+BwtO8xQ8HmcNWApUJAls12wO\n"
1405 : "mGRpftJaXgIupdpD5aJpu1b++qrRRNIGTH9sf1D8L/8w8LcylZkbcuTkaAsQj45C\n"
1406 : "kqT64U0CgYEAq47IKS6xc3CDc17BqExR6t+1yRe+4ml+z1zcVbfUKony4pGvl1yo\n"
1407 : "rk0IYDN5Vd8h5xtXrkPdX9h+ywmohnelDKsayEuE+opyqEpSU4/96Bb22RZUoucb\n"
1408 : "LWkV5gZx5hFnDFtEd4vadMIiY4jVv/3JqiZDKwMVBJKlHRXJEEmIEBk=\n"
1409 : "-----END RSA PRIVATE KEY-----\n";
1410 :
1411 1 : crypto_pk_t *pk = NULL;
1412 :
1413 1 : pk = crypto_pk_new();
1414 1 : setup_capture_of_logs(LOG_WARN);
1415 1 : tt_int_op(-1, OP_EQ,
1416 : crypto_pk_read_private_key_from_string(pk, pem, strlen(pem)));
1417 : #ifdef ENABLE_NSS
1418 : expect_single_log_msg_containing("received bad data");
1419 : #else
1420 1 : expect_single_log_msg_containing("while checking RSA key");
1421 : #endif
1422 1 : done:
1423 1 : teardown_capture_of_logs();
1424 1 : crypto_pk_free(pk);
1425 1 : }
1426 :
1427 : #ifdef HAVE_TRUNCATE
1428 : #define do_truncate truncate
1429 : #else
1430 : static int
1431 : do_truncate(const char *fname, size_t len)
1432 : {
1433 : struct stat st;
1434 : char *bytes;
1435 :
1436 : bytes = read_file_to_str(fname, RFTS_BIN, &st);
1437 : if (!bytes)
1438 : return -1;
1439 : /* This cast isn't so great, but it should be safe given the actual files
1440 : * and lengths we're using. */
1441 : if (st.st_size < (off_t)len)
1442 : len = MIN(len, (size_t)st.st_size);
1443 :
1444 : int r = write_bytes_to_file(fname, bytes, len, 1);
1445 : tor_free(bytes);
1446 : return r;
1447 : }
1448 : #endif /* defined(HAVE_TRUNCATE) */
1449 :
1450 : /** Sanity check for crypto pk digests */
1451 : static void
1452 1 : test_crypto_digests(void *arg)
1453 : {
1454 1 : crypto_pk_t *k = NULL;
1455 1 : ssize_t r;
1456 1 : common_digests_t pkey_digests;
1457 1 : char digest[DIGEST_LEN];
1458 :
1459 1 : (void)arg;
1460 1 : k = crypto_pk_new();
1461 1 : tt_assert(k);
1462 2 : r = crypto_pk_read_private_key_from_string(k, AUTHORITY_SIGNKEY_3,
1463 1 : strlen(AUTHORITY_SIGNKEY_3));
1464 1 : tt_assert(!r);
1465 :
1466 1 : r = crypto_pk_get_digest(k, digest);
1467 1 : tt_assert(r == 0);
1468 1 : tt_mem_op(hex_str(digest, DIGEST_LEN),OP_EQ,
1469 1 : AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1470 :
1471 1 : r = crypto_pk_get_common_digests(k, &pkey_digests);
1472 1 : tt_int_op(r, OP_EQ, 0);
1473 :
1474 1 : tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA1], DIGEST_LEN),OP_EQ,
1475 1 : AUTHORITY_SIGNKEY_A_DIGEST, HEX_DIGEST_LEN);
1476 1 : tt_mem_op(hex_str(pkey_digests.d[DIGEST_SHA256], DIGEST256_LEN),OP_EQ,
1477 1 : AUTHORITY_SIGNKEY_A_DIGEST256, HEX_DIGEST256_LEN);
1478 1 : done:
1479 1 : crypto_pk_free(k);
1480 1 : }
1481 :
1482 : static void
1483 1 : test_crypto_digest_names(void *arg)
1484 : {
1485 1 : static const struct {
1486 : int a; const char *n;
1487 : } names[] = {
1488 : { DIGEST_SHA1, "sha1" },
1489 : { DIGEST_SHA256, "sha256" },
1490 : { DIGEST_SHA512, "sha512" },
1491 : { DIGEST_SHA3_256, "sha3-256" },
1492 : { DIGEST_SHA3_512, "sha3-512" },
1493 : { -1, NULL }
1494 : };
1495 1 : (void)arg;
1496 :
1497 1 : int i;
1498 6 : for (i = 0; names[i].n; ++i) {
1499 5 : tt_str_op(names[i].n, OP_EQ,crypto_digest_algorithm_get_name(names[i].a));
1500 5 : tt_int_op(names[i].a,
1501 : OP_EQ,crypto_digest_algorithm_parse_name(names[i].n));
1502 : }
1503 1 : tt_int_op(-1, OP_EQ,
1504 : crypto_digest_algorithm_parse_name("TimeCubeHash-4444"));
1505 1 : done:
1506 1 : ;
1507 1 : }
1508 :
1509 : /** Run unit tests for misc crypto formatting functionality (base64, base32,
1510 : * fingerprints, etc) */
1511 : static void
1512 1 : test_crypto_formats(void *arg)
1513 : {
1514 1 : char *data1 = NULL, *data2 = NULL, *data3 = NULL;
1515 1 : int i, j, idx;
1516 :
1517 1 : (void)arg;
1518 1 : data1 = tor_malloc(1024);
1519 1 : data2 = tor_malloc(1024);
1520 1 : data3 = tor_malloc(1024);
1521 1 : tt_assert(data1 && data2 && data3);
1522 :
1523 : /* Base64 tests */
1524 1 : memset(data1, 6, 1024);
1525 11 : for (idx = 0; idx < 10; ++idx) {
1526 10 : i = base64_encode(data2, 1024, data1, idx, 0);
1527 10 : tt_int_op(i, OP_GE, 0);
1528 10 : tt_int_op(i, OP_EQ, strlen(data2));
1529 10 : j = base64_decode(data3, 1024, data2, i);
1530 10 : tt_int_op(j,OP_EQ, idx);
1531 10 : tt_mem_op(data3,OP_EQ, data1, idx);
1532 :
1533 10 : i = base64_encode_nopad(data2, 1024, (uint8_t*)data1, idx);
1534 10 : tt_int_op(i, OP_GE, 0);
1535 10 : tt_int_op(i, OP_EQ, strlen(data2));
1536 10 : tt_assert(! strchr(data2, '='));
1537 10 : j = base64_decode(data3, 1024, data2, i);
1538 10 : tt_int_op(j, OP_EQ, idx);
1539 10 : tt_mem_op(data3,OP_EQ, data1, idx);
1540 : }
1541 :
1542 1 : strlcpy(data1, "Test string that contains 35 chars.", 1024);
1543 1 : strlcat(data1, " 2nd string that contains 35 chars.", 1024);
1544 :
1545 1 : i = base64_encode(data2, 1024, data1, 71, 0);
1546 1 : tt_int_op(i, OP_GE, 0);
1547 1 : j = base64_decode(data3, 1024, data2, i);
1548 1 : tt_int_op(j,OP_EQ, 71);
1549 1 : tt_str_op(data3,OP_EQ, data1);
1550 1 : tt_int_op(data2[i], OP_EQ, '\0');
1551 :
1552 1 : crypto_rand(data1, DIGEST_LEN);
1553 1 : memset(data2, 100, 1024);
1554 1 : digest_to_base64(data2, data1);
1555 1 : tt_int_op(BASE64_DIGEST_LEN,OP_EQ, strlen(data2));
1556 1 : tt_int_op(100,OP_EQ, data2[BASE64_DIGEST_LEN+2]);
1557 1 : memset(data3, 99, 1024);
1558 1 : tt_int_op(digest_from_base64(data3, data2),OP_EQ, 0);
1559 1 : tt_mem_op(data1,OP_EQ, data3, DIGEST_LEN);
1560 1 : tt_int_op(99,OP_EQ, data3[DIGEST_LEN+1]);
1561 :
1562 1 : tt_int_op(digest_from_base64(data3, "###"), OP_LT, 0);
1563 :
1564 : /* Encoding SHA256 */
1565 1 : crypto_rand(data2, DIGEST256_LEN);
1566 1 : memset(data2, 100, 1024);
1567 1 : digest256_to_base64(data2, data1);
1568 1 : tt_int_op(BASE64_DIGEST256_LEN,OP_EQ, strlen(data2));
1569 1 : tt_int_op(100,OP_EQ, data2[BASE64_DIGEST256_LEN+2]);
1570 1 : memset(data3, 99, 1024);
1571 1 : tt_int_op(digest256_from_base64(data3, data2),OP_EQ, 0);
1572 1 : tt_mem_op(data1,OP_EQ, data3, DIGEST256_LEN);
1573 1 : tt_int_op(99,OP_EQ, data3[DIGEST256_LEN+1]);
1574 :
1575 : /* Base32 tests */
1576 1 : strlcpy(data1, "5chrs", 1024);
1577 : /* bit pattern is: [35 63 68 72 73] ->
1578 : * [00110101 01100011 01101000 01110010 01110011]
1579 : * By 5s: [00110 10101 10001 10110 10000 11100 10011 10011]
1580 : */
1581 1 : base32_encode(data2, 9, data1, 5);
1582 1 : tt_str_op(data2,OP_EQ, "gvrwq4tt");
1583 :
1584 1 : strlcpy(data1, "\xFF\xF5\x6D\x44\xAE\x0D\x5C\xC9\x62\xC4", 1024);
1585 1 : base32_encode(data2, 30, data1, 10);
1586 1 : tt_str_op(data2,OP_EQ, "772w2rfobvomsywe");
1587 :
1588 : /* Base16 tests */
1589 1 : strlcpy(data1, "6chrs\xff", 1024);
1590 1 : base16_encode(data2, 13, data1, 6);
1591 1 : tt_str_op(data2,OP_EQ, "3663687273FF");
1592 :
1593 1 : strlcpy(data1, "f0d678affc000100", 1024);
1594 1 : i = base16_decode(data2, 8, data1, 16);
1595 1 : tt_int_op(i,OP_EQ, 8);
1596 1 : tt_mem_op(data2,OP_EQ, "\xf0\xd6\x78\xaf\xfc\x00\x01\x00",8);
1597 :
1598 : /* now try some failing base16 decodes */
1599 1 : tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 15)); /* odd input len */
1600 1 : tt_int_op(-1,OP_EQ, base16_decode(data2, 7, data1, 16)); /* dest too short */
1601 1 : strlcpy(data1, "f0dz!8affc000100", 1024);
1602 1 : tt_int_op(-1,OP_EQ, base16_decode(data2, 8, data1, 16));
1603 :
1604 1 : tor_free(data1);
1605 1 : tor_free(data2);
1606 1 : tor_free(data3);
1607 :
1608 : /* Add spaces to fingerprint */
1609 : {
1610 1 : data1 = tor_strdup("ABCD1234ABCD56780000ABCD1234ABCD56780000");
1611 1 : tt_int_op(strlen(data1),OP_EQ, 40);
1612 1 : data2 = tor_malloc(FINGERPRINT_LEN+1);
1613 1 : crypto_add_spaces_to_fp(data2, FINGERPRINT_LEN+1, data1);
1614 1 : tt_str_op(data2, OP_EQ,
1615 : "ABCD 1234 ABCD 5678 0000 ABCD 1234 ABCD 5678 0000");
1616 1 : tor_free(data1);
1617 1 : tor_free(data2);
1618 : }
1619 :
1620 1 : done:
1621 1 : tor_free(data1);
1622 1 : tor_free(data2);
1623 1 : tor_free(data3);
1624 1 : }
1625 :
1626 : /** Test AES-CTR encryption and decryption with IV. */
1627 : static void
1628 2 : test_crypto_aes_iv(void *arg)
1629 : {
1630 2 : char *plain, *encrypted1, *encrypted2, *decrypted1, *decrypted2;
1631 2 : char plain_1[1], plain_15[15], plain_16[16], plain_17[17];
1632 2 : char key1[16], key2[16];
1633 2 : ssize_t encrypted_size, decrypted_size;
1634 :
1635 2 : int use_evp = !strcmp(arg,"evp");
1636 2 : evaluate_evp_for_aes(use_evp);
1637 :
1638 2 : plain = tor_malloc(4095);
1639 2 : encrypted1 = tor_malloc(4095 + 1 + 16);
1640 2 : encrypted2 = tor_malloc(4095 + 1 + 16);
1641 2 : decrypted1 = tor_malloc(4095 + 1);
1642 2 : decrypted2 = tor_malloc(4095 + 1);
1643 :
1644 2 : crypto_rand(plain, 4095);
1645 2 : crypto_rand(key1, 16);
1646 2 : crypto_rand(key2, 16);
1647 2 : crypto_rand(plain_1, 1);
1648 2 : crypto_rand(plain_15, 15);
1649 2 : crypto_rand(plain_16, 16);
1650 2 : crypto_rand(plain_17, 17);
1651 2 : key1[0] = key2[0] + 128; /* Make sure that contents are different. */
1652 : /* Encrypt and decrypt with the same key. */
1653 2 : encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 4095,
1654 : plain, 4095);
1655 :
1656 2 : tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1657 2 : tt_assert(encrypted_size > 0); /* This is obviously true, since 4111 is
1658 : * greater than 0, but its truth is not
1659 : * obvious to all analysis tools. */
1660 2 : decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1661 : encrypted1, encrypted_size);
1662 :
1663 2 : tt_int_op(decrypted_size,OP_EQ, 4095);
1664 2 : tt_assert(decrypted_size > 0);
1665 2 : tt_mem_op(plain,OP_EQ, decrypted1, 4095);
1666 : /* Encrypt a second time (with a new random initialization vector). */
1667 2 : encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted2, 16 + 4095,
1668 : plain, 4095);
1669 :
1670 2 : tt_int_op(encrypted_size,OP_EQ, 16 + 4095);
1671 2 : tt_assert(encrypted_size > 0);
1672 2 : decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted2, 4095,
1673 : encrypted2, encrypted_size);
1674 2 : tt_int_op(decrypted_size,OP_EQ, 4095);
1675 2 : tt_assert(decrypted_size > 0);
1676 2 : tt_mem_op(plain,OP_EQ, decrypted2, 4095);
1677 2 : tt_mem_op(encrypted1,OP_NE, encrypted2, encrypted_size);
1678 : /* Decrypt with the wrong key. */
1679 2 : decrypted_size = crypto_cipher_decrypt_with_iv(key2, decrypted2, 4095,
1680 : encrypted1, encrypted_size);
1681 2 : tt_int_op(decrypted_size,OP_EQ, 4095);
1682 2 : tt_mem_op(plain,OP_NE, decrypted2, decrypted_size);
1683 : /* Alter the initialization vector. */
1684 2 : encrypted1[0] += 42;
1685 2 : decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 4095,
1686 : encrypted1, encrypted_size);
1687 2 : tt_int_op(decrypted_size,OP_EQ, 4095);
1688 2 : tt_mem_op(plain,OP_NE, decrypted2, 4095);
1689 : /* Special length case: 1. */
1690 2 : encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 1,
1691 : plain_1, 1);
1692 2 : tt_int_op(encrypted_size,OP_EQ, 16 + 1);
1693 2 : tt_assert(encrypted_size > 0);
1694 2 : decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 1,
1695 : encrypted1, encrypted_size);
1696 2 : tt_int_op(decrypted_size,OP_EQ, 1);
1697 2 : tt_assert(decrypted_size > 0);
1698 2 : tt_mem_op(plain_1,OP_EQ, decrypted1, 1);
1699 : /* Special length case: 15. */
1700 2 : encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 15,
1701 : plain_15, 15);
1702 2 : tt_int_op(encrypted_size,OP_EQ, 16 + 15);
1703 2 : tt_assert(encrypted_size > 0);
1704 2 : decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 15,
1705 : encrypted1, encrypted_size);
1706 2 : tt_int_op(decrypted_size,OP_EQ, 15);
1707 2 : tt_assert(decrypted_size > 0);
1708 2 : tt_mem_op(plain_15,OP_EQ, decrypted1, 15);
1709 : /* Special length case: 16. */
1710 2 : encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 16,
1711 : plain_16, 16);
1712 2 : tt_int_op(encrypted_size,OP_EQ, 16 + 16);
1713 2 : tt_assert(encrypted_size > 0);
1714 2 : decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 16,
1715 : encrypted1, encrypted_size);
1716 2 : tt_int_op(decrypted_size,OP_EQ, 16);
1717 2 : tt_assert(decrypted_size > 0);
1718 2 : tt_mem_op(plain_16,OP_EQ, decrypted1, 16);
1719 : /* Special length case: 17. */
1720 2 : encrypted_size = crypto_cipher_encrypt_with_iv(key1, encrypted1, 16 + 17,
1721 : plain_17, 17);
1722 2 : tt_int_op(encrypted_size,OP_EQ, 16 + 17);
1723 2 : tt_assert(encrypted_size > 0);
1724 2 : decrypted_size = crypto_cipher_decrypt_with_iv(key1, decrypted1, 17,
1725 : encrypted1, encrypted_size);
1726 2 : tt_int_op(decrypted_size,OP_EQ, 17);
1727 2 : tt_assert(decrypted_size > 0);
1728 2 : tt_mem_op(plain_17,OP_EQ, decrypted1, 17);
1729 :
1730 2 : done:
1731 : /* Free memory. */
1732 2 : tor_free(plain);
1733 2 : tor_free(encrypted1);
1734 2 : tor_free(encrypted2);
1735 2 : tor_free(decrypted1);
1736 2 : tor_free(decrypted2);
1737 2 : }
1738 :
1739 : /** Test base32 decoding. */
1740 : static void
1741 1 : test_crypto_base32_decode(void *arg)
1742 : {
1743 1 : char plain[60], encoded[96 + 1], decoded[60];
1744 1 : int res;
1745 1 : (void)arg;
1746 1 : crypto_rand(plain, 60);
1747 : /* Encode and decode a random string. */
1748 1 : base32_encode(encoded, 96 + 1, plain, 60);
1749 1 : res = base32_decode(decoded, 60, encoded, 96);
1750 1 : tt_int_op(res, OP_EQ, 60);
1751 1 : tt_mem_op(plain,OP_EQ, decoded, 60);
1752 : /* Encode, uppercase, and decode a random string. */
1753 1 : base32_encode(encoded, 96 + 1, plain, 60);
1754 1 : tor_strupper(encoded);
1755 1 : res = base32_decode(decoded, 60, encoded, 96);
1756 1 : tt_int_op(res, OP_EQ, 60);
1757 1 : tt_mem_op(plain,OP_EQ, decoded, 60);
1758 : /* Change encoded string and decode. */
1759 1 : if (encoded[0] == 'A' || encoded[0] == 'a')
1760 0 : encoded[0] = 'B';
1761 : else
1762 1 : encoded[0] = 'A';
1763 1 : res = base32_decode(decoded, 60, encoded, 96);
1764 1 : tt_int_op(res, OP_EQ, 60);
1765 1 : tt_mem_op(plain,OP_NE, decoded, 60);
1766 : /* Bad encodings. */
1767 1 : encoded[0] = '!';
1768 1 : res = base32_decode(decoded, 60, encoded, 96);
1769 1 : tt_int_op(res, OP_LT, 0);
1770 :
1771 1 : done:
1772 1 : ;
1773 1 : }
1774 :
1775 : static void
1776 1 : test_crypto_kdf_TAP(void *arg)
1777 : {
1778 1 : uint8_t key_material[100];
1779 1 : int r;
1780 1 : char *mem_op_hex_tmp = NULL;
1781 :
1782 1 : (void)arg;
1783 : #define EXPAND(s) \
1784 : r = crypto_expand_key_material_TAP( \
1785 : (const uint8_t*)(s), strlen(s), \
1786 : key_material, 100)
1787 :
1788 : /* Test vectors generated with a little python script; feel free to write
1789 : * your own. */
1790 1 : memset(key_material, 0, sizeof(key_material));
1791 1 : EXPAND("");
1792 1 : tt_int_op(r, OP_EQ, 0);
1793 1 : test_memeq_hex(key_material,
1794 : "5ba93c9db0cff93f52b521d7420e43f6eda2784fbf8b4530d8"
1795 : "d246dd74ac53a13471bba17941dff7c4ea21bb365bbeeaf5f2"
1796 : "c654883e56d11e43c44e9842926af7ca0a8cca12604f945414"
1797 : "f07b01e13da42c6cf1de3abfdea9b95f34687cbbe92b9a7383");
1798 :
1799 1 : EXPAND("Tor");
1800 1 : tt_int_op(r, OP_EQ, 0);
1801 1 : test_memeq_hex(key_material,
1802 : "776c6214fc647aaa5f683c737ee66ec44f03d0372e1cce6922"
1803 : "7950f236ddf1e329a7ce7c227903303f525a8c6662426e8034"
1804 : "870642a6dabbd41b5d97ec9bf2312ea729992f48f8ea2d0ba8"
1805 : "3f45dfda1a80bdc8b80de01b23e3e0ffae099b3e4ccf28dc28");
1806 :
1807 1 : EXPAND("AN ALARMING ITEM TO FIND ON A MONTHLY AUTO-DEBIT NOTICE");
1808 1 : tt_int_op(r, OP_EQ, 0);
1809 1 : test_memeq_hex(key_material,
1810 : "a340b5d126086c3ab29c2af4179196dbf95e1c72431419d331"
1811 : "4844bf8f6afb6098db952b95581fb6c33625709d6f4400b8e7"
1812 : "ace18a70579fad83c0982ef73f89395bcc39493ad53a685854"
1813 : "daf2ba9b78733b805d9a6824c907ee1dba5ac27a1e466d4d10");
1814 :
1815 1 : done:
1816 1 : tor_free(mem_op_hex_tmp);
1817 :
1818 : #undef EXPAND
1819 1 : }
1820 :
1821 : static void
1822 1 : test_crypto_hkdf_sha256(void *arg)
1823 : {
1824 1 : uint8_t key_material[100];
1825 1 : const uint8_t salt[] = "ntor-curve25519-sha256-1:key_extract";
1826 1 : const size_t salt_len = strlen((char*)salt);
1827 1 : const uint8_t m_expand[] = "ntor-curve25519-sha256-1:key_expand";
1828 1 : const size_t m_expand_len = strlen((char*)m_expand);
1829 1 : int r;
1830 1 : char *mem_op_hex_tmp = NULL;
1831 :
1832 1 : (void)arg;
1833 :
1834 : #define EXPAND(s) \
1835 : r = crypto_expand_key_material_rfc5869_sha256( \
1836 : (const uint8_t*)(s), strlen(s), \
1837 : salt, salt_len, \
1838 : m_expand, m_expand_len, \
1839 : key_material, 100)
1840 :
1841 : /* Test vectors generated with ntor_ref.py */
1842 1 : EXPAND("Tor");
1843 1 : tt_int_op(r, OP_EQ, 0);
1844 1 : test_memeq_hex(key_material,
1845 : "5521492a85139a8d9107a2d5c0d9c91610d0f95989975ebee6"
1846 : "c02a4f8d622a6cfdf9b7c7edd3832e2760ded1eac309b76f8d"
1847 : "66c4a3c4d6225429b3a016e3c3d45911152fc87bc2de9630c3"
1848 : "961be9fdb9f93197ea8e5977180801926d3321fa21513e59ac");
1849 :
1850 1 : EXPAND("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT");
1851 1 : tt_int_op(r, OP_EQ, 0);
1852 1 : test_memeq_hex(key_material,
1853 : "a2aa9b50da7e481d30463adb8f233ff06e9571a0ca6ab6df0f"
1854 : "b206fa34e5bc78d063fc291501beec53b36e5a0e434561200c"
1855 : "5f8bd13e0f88b3459600b4dc21d69363e2895321c06184879d"
1856 : "94b18f078411be70b767c7fc40679a9440a0c95ea83a23efbf");
1857 1 : done:
1858 1 : tor_free(mem_op_hex_tmp);
1859 : #undef EXPAND
1860 1 : }
1861 :
1862 : static void
1863 1 : test_crypto_hkdf_sha256_testvecs(void *arg)
1864 : {
1865 1 : (void) arg;
1866 : /* Test vectors from RFC5869, sections A.1 through A.3 */
1867 1 : const struct {
1868 : const char *ikm16, *salt16, *info16;
1869 : int L;
1870 : const char *okm16;
1871 1 : } vecs[] = {
1872 : { /* from A.1 */
1873 : "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1874 : "000102030405060708090a0b0c",
1875 : "f0f1f2f3f4f5f6f7f8f9",
1876 : 42,
1877 : "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
1878 : "34007208d5b887185865"
1879 : },
1880 : { /* from A.2 */
1881 : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
1882 : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
1883 : "404142434445464748494a4b4c4d4e4f",
1884 : "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
1885 : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
1886 : "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
1887 : "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
1888 : "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef"
1889 : "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
1890 : 82,
1891 : "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c"
1892 : "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71"
1893 : "cc30c58179ec3e87c14c01d5c1f3434f1d87"
1894 : },
1895 : { /* from A.3 */
1896 : "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
1897 : "",
1898 : "",
1899 : 42,
1900 : "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
1901 : "9d201395faa4b61a96c8",
1902 : },
1903 : { NULL, NULL, NULL, -1, NULL }
1904 : };
1905 :
1906 1 : int i;
1907 1 : char *ikm = NULL;
1908 1 : char *salt = NULL;
1909 1 : char *info = NULL;
1910 1 : char *okm = NULL;
1911 1 : char *mem_op_hex_tmp = NULL;
1912 :
1913 4 : for (i = 0; vecs[i].ikm16; ++i) {
1914 3 : size_t ikm_len = strlen(vecs[i].ikm16)/2;
1915 3 : size_t salt_len = strlen(vecs[i].salt16)/2;
1916 3 : size_t info_len = strlen(vecs[i].info16)/2;
1917 3 : size_t okm_len = vecs[i].L;
1918 :
1919 3 : ikm = tor_malloc(ikm_len);
1920 3 : salt = tor_malloc(salt_len);
1921 3 : info = tor_malloc(info_len);
1922 3 : okm = tor_malloc(okm_len);
1923 :
1924 3 : base16_decode(ikm, ikm_len, vecs[i].ikm16, strlen(vecs[i].ikm16));
1925 3 : base16_decode(salt, salt_len, vecs[i].salt16, strlen(vecs[i].salt16));
1926 3 : base16_decode(info, info_len, vecs[i].info16, strlen(vecs[i].info16));
1927 :
1928 3 : int r = crypto_expand_key_material_rfc5869_sha256(
1929 : (const uint8_t*)ikm, ikm_len,
1930 : (const uint8_t*)salt, salt_len,
1931 : (const uint8_t*)info, info_len,
1932 : (uint8_t*)okm, okm_len);
1933 3 : tt_int_op(r, OP_EQ, 0);
1934 3 : test_memeq_hex(okm, vecs[i].okm16);
1935 3 : tor_free(ikm);
1936 3 : tor_free(salt);
1937 3 : tor_free(info);
1938 3 : tor_free(okm);
1939 : }
1940 1 : done:
1941 1 : tor_free(ikm);
1942 1 : tor_free(salt);
1943 1 : tor_free(info);
1944 1 : tor_free(okm);
1945 1 : tor_free(mem_op_hex_tmp);
1946 1 : }
1947 :
1948 : static void
1949 2 : test_crypto_curve25519_impl(void *arg)
1950 : {
1951 : /* adapted from curve25519_donna, which adapted it from test-curve25519
1952 : version 20050915, by D. J. Bernstein, Public domain. */
1953 :
1954 2 : const int randomize_high_bit = (arg != NULL);
1955 :
1956 : #ifdef SLOW_CURVE25519_TEST
1957 : const int loop_max=10000;
1958 : const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5"
1959 : "7e0329f4dd2819f5f32d130f1296b500";
1960 : const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9"
1961 : "e0544770bc7de853b38f9100489e3e79";
1962 : const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88"
1963 : "bd13861475516bc2cd2b6e005e805064";
1964 : #else /* !defined(SLOW_CURVE25519_TEST) */
1965 2 : const int loop_max=200;
1966 2 : const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3"
1967 : "c6a1037d74cceb3712e9206871dcf654";
1968 2 : const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d"
1969 : "8e3ee1a63c7d14274ea5d4c67f065467";
1970 2 : const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e"
1971 : "c0ee98cb2257a4545c0cfb2ca3e1812b";
1972 : #endif /* defined(SLOW_CURVE25519_TEST) */
1973 :
1974 2 : unsigned char e1k[32];
1975 2 : unsigned char e2k[32];
1976 2 : unsigned char e1e2k[32];
1977 2 : unsigned char e2e1k[32];
1978 2 : unsigned char e1[32] = {3};
1979 2 : unsigned char e2[32] = {5};
1980 2 : unsigned char k[32] = {9};
1981 2 : int loop, i;
1982 :
1983 2 : char *mem_op_hex_tmp = NULL;
1984 :
1985 400 : for (loop = 0; loop < loop_max; ++loop) {
1986 400 : curve25519_impl(e1k,e1,k);
1987 400 : curve25519_impl(e2e1k,e2,e1k);
1988 400 : curve25519_impl(e2k,e2,k);
1989 400 : if (randomize_high_bit) {
1990 : /* We require that the high bit of the public key be ignored. So if
1991 : * we're doing this variant test, we randomize the high bit of e2k, and
1992 : * make sure that the handshake still works out the same as it would
1993 : * otherwise. */
1994 0 : uint8_t byte;
1995 0 : crypto_rand((char*)&byte, 1);
1996 0 : e2k[31] |= (byte & 0x80);
1997 : }
1998 400 : curve25519_impl(e1e2k,e1,e2k);
1999 400 : tt_mem_op(e1e2k,OP_EQ, e2e1k, 32);
2000 400 : if (loop == loop_max-1) {
2001 : break;
2002 : }
2003 13134 : for (i = 0;i < 32;++i) e1[i] ^= e2k[i];
2004 13134 : for (i = 0;i < 32;++i) e2[i] ^= e1k[i];
2005 13134 : for (i = 0;i < 32;++i) k[i] ^= e1e2k[i];
2006 : }
2007 :
2008 2 : test_memeq_hex(e1, e1_expected);
2009 2 : test_memeq_hex(e2k, e2k_expected);
2010 2 : test_memeq_hex(e1e2k, e1e2k_expected);
2011 :
2012 2 : done:
2013 2 : tor_free(mem_op_hex_tmp);
2014 2 : }
2015 :
2016 : static void
2017 1 : test_crypto_curve25519_basepoint(void *arg)
2018 : {
2019 1 : uint8_t secret[32];
2020 1 : uint8_t public1[32];
2021 1 : uint8_t public2[32];
2022 1 : const int iters = 2048;
2023 1 : int i;
2024 1 : (void) arg;
2025 :
2026 2049 : for (i = 0; i < iters; ++i) {
2027 2048 : crypto_rand((char*)secret, 32);
2028 2048 : curve25519_set_impl_params(1); /* Use optimization */
2029 2048 : curve25519_basepoint_impl(public1, secret);
2030 2048 : curve25519_set_impl_params(0); /* Disable optimization */
2031 2048 : curve25519_basepoint_impl(public2, secret);
2032 2048 : tt_mem_op(public1, OP_EQ, public2, 32);
2033 : }
2034 :
2035 1 : done:
2036 1 : ;
2037 1 : }
2038 :
2039 : static void
2040 1 : test_crypto_curve25519_testvec(void *arg)
2041 : {
2042 1 : (void)arg;
2043 1 : char *mem_op_hex_tmp = NULL;
2044 :
2045 : /* From RFC 7748, section 6.1 */
2046 : /* Alice's private key, a: */
2047 1 : const char a16[] =
2048 : "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
2049 : /* Alice's public key, X25519(a, 9): */
2050 1 : const char a_pub16[] =
2051 : "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
2052 : /* Bob's private key, b: */
2053 1 : const char b16[] =
2054 : "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
2055 : /* Bob's public key, X25519(b, 9): */
2056 1 : const char b_pub16[] =
2057 : "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
2058 : /* Their shared secret, K: */
2059 1 : const char k16[] =
2060 : "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
2061 :
2062 1 : uint8_t a[32], b[32], a_pub[32], b_pub[32], k1[32], k2[32];
2063 1 : base16_decode((char*)a, sizeof(a), a16, strlen(a16));
2064 1 : base16_decode((char*)b, sizeof(b), b16, strlen(b16));
2065 1 : curve25519_basepoint_impl(a_pub, a);
2066 1 : curve25519_basepoint_impl(b_pub, b);
2067 1 : curve25519_impl(k1, a, b_pub);
2068 1 : curve25519_impl(k2, b, a_pub);
2069 :
2070 1 : test_memeq_hex(a, a16);
2071 1 : test_memeq_hex(b, b16);
2072 1 : test_memeq_hex(a_pub, a_pub16);
2073 1 : test_memeq_hex(b_pub, b_pub16);
2074 1 : test_memeq_hex(k1, k16);
2075 1 : test_memeq_hex(k2, k16);
2076 1 : done:
2077 1 : tor_free(mem_op_hex_tmp);
2078 1 : }
2079 :
2080 : static void
2081 1 : test_crypto_curve25519_wrappers(void *arg)
2082 : {
2083 1 : curve25519_public_key_t pubkey1, pubkey2;
2084 1 : curve25519_secret_key_t seckey1, seckey2;
2085 :
2086 1 : uint8_t output1[CURVE25519_OUTPUT_LEN];
2087 1 : uint8_t output2[CURVE25519_OUTPUT_LEN];
2088 1 : (void)arg;
2089 :
2090 : /* Test a simple handshake, serializing and deserializing some stuff. */
2091 1 : curve25519_secret_key_generate(&seckey1, 0);
2092 1 : curve25519_secret_key_generate(&seckey2, 1);
2093 1 : curve25519_public_key_generate(&pubkey1, &seckey1);
2094 1 : curve25519_public_key_generate(&pubkey2, &seckey2);
2095 1 : tt_assert(curve25519_public_key_is_ok(&pubkey1));
2096 1 : tt_assert(curve25519_public_key_is_ok(&pubkey2));
2097 1 : curve25519_handshake(output1, &seckey1, &pubkey2);
2098 1 : curve25519_handshake(output2, &seckey2, &pubkey1);
2099 1 : tt_mem_op(output1,OP_EQ, output2, sizeof(output1));
2100 :
2101 1 : done:
2102 1 : ;
2103 1 : }
2104 :
2105 : static void
2106 1 : test_crypto_curve25519_encode(void *arg)
2107 : {
2108 1 : curve25519_secret_key_t seckey;
2109 1 : curve25519_public_key_t key1, key2, key3;
2110 1 : char buf[64], buf_nopad[64];
2111 :
2112 1 : (void)arg;
2113 :
2114 1 : curve25519_secret_key_generate(&seckey, 0);
2115 1 : curve25519_public_key_generate(&key1, &seckey);
2116 1 : curve25519_public_to_base64(buf, &key1, true);
2117 1 : tt_int_op(CURVE25519_BASE64_PADDED_LEN, OP_EQ, strlen(buf));
2118 :
2119 1 : tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key2, buf));
2120 1 : tt_mem_op(key1.public_key,OP_EQ, key2.public_key, CURVE25519_PUBKEY_LEN);
2121 :
2122 1 : curve25519_public_to_base64(buf_nopad, &key1, false);
2123 1 : tt_int_op(CURVE25519_BASE64_LEN, OP_EQ, strlen(buf_nopad));
2124 1 : tt_int_op(0, OP_EQ, curve25519_public_from_base64(&key3, buf_nopad));
2125 1 : tt_mem_op(key1.public_key,OP_EQ, key3.public_key, CURVE25519_PUBKEY_LEN);
2126 :
2127 : /* Now try bogus parses. */
2128 1 : strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$=", sizeof(buf));
2129 1 : tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2130 :
2131 1 : strlcpy(buf, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$", sizeof(buf));
2132 1 : tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2133 :
2134 1 : strlcpy(buf, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", sizeof(buf));
2135 1 : tt_int_op(-1, OP_EQ, curve25519_public_from_base64(&key3, buf));
2136 :
2137 1 : done:
2138 1 : ;
2139 1 : }
2140 :
2141 : static void
2142 1 : test_crypto_curve25519_persist(void *arg)
2143 : {
2144 1 : curve25519_keypair_t keypair, keypair2;
2145 1 : char *fname = tor_strdup(get_fname("curve25519_keypair"));
2146 1 : char *tag = NULL;
2147 1 : char *content = NULL;
2148 1 : const char *cp;
2149 1 : struct stat st;
2150 1 : size_t taglen;
2151 :
2152 1 : (void)arg;
2153 :
2154 1 : tt_int_op(0,OP_EQ,curve25519_keypair_generate(&keypair, 0));
2155 :
2156 1 : tt_int_op(0,OP_EQ,
2157 : curve25519_keypair_write_to_file(&keypair, fname, "testing"));
2158 1 : tt_int_op(0,OP_EQ,curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2159 1 : tt_str_op(tag,OP_EQ,"testing");
2160 1 : tor_free(tag);
2161 :
2162 1 : tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2163 : keypair2.pubkey.public_key,
2164 1 : CURVE25519_PUBKEY_LEN);
2165 1 : tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2166 : keypair2.seckey.secret_key,
2167 1 : CURVE25519_SECKEY_LEN);
2168 :
2169 1 : content = read_file_to_str(fname, RFTS_BIN, &st);
2170 1 : tt_assert(content);
2171 1 : taglen = strlen("== c25519v1: testing ==");
2172 1 : tt_u64_op((uint64_t)st.st_size, OP_EQ,
2173 : 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN);
2174 1 : tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen));
2175 1 : tt_assert(fast_mem_is_zero(content+taglen, 32-taglen));
2176 1 : cp = content + 32;
2177 1 : tt_mem_op(keypair.seckey.secret_key,OP_EQ,
2178 : cp,
2179 1 : CURVE25519_SECKEY_LEN);
2180 1 : cp += CURVE25519_SECKEY_LEN;
2181 1 : tt_mem_op(keypair.pubkey.public_key,OP_EQ,
2182 : cp,
2183 1 : CURVE25519_SECKEY_LEN);
2184 :
2185 1 : tor_free(fname);
2186 1 : fname = tor_strdup(get_fname("bogus_keypair"));
2187 :
2188 1 : tt_int_op(-1, OP_EQ,
2189 : curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2190 1 : tor_free(tag);
2191 :
2192 1 : content[69] ^= 0xff;
2193 1 : tt_int_op(0, OP_EQ,
2194 : write_bytes_to_file(fname, content, (size_t)st.st_size, 1));
2195 1 : tt_int_op(-1, OP_EQ,
2196 : curve25519_keypair_read_from_file(&keypair2, &tag, fname));
2197 :
2198 1 : done:
2199 1 : tor_free(fname);
2200 1 : tor_free(content);
2201 1 : tor_free(tag);
2202 1 : }
2203 :
2204 : static void
2205 2 : test_crypto_ed25519_simple(void *arg)
2206 : {
2207 2 : ed25519_keypair_t kp1, kp2;
2208 2 : ed25519_public_key_t pub1, pub2;
2209 2 : ed25519_secret_key_t sec1, sec2;
2210 2 : ed25519_signature_t sig1, sig2;
2211 2 : const uint8_t msg[] =
2212 : "GNU will be able to run Unix programs, "
2213 : "but will not be identical to Unix.";
2214 2 : const uint8_t msg2[] =
2215 : "Microsoft Windows extends the features of the DOS operating system, "
2216 : "yet is compatible with most existing applications that run under DOS.";
2217 2 : size_t msg_len = strlen((const char*)msg);
2218 2 : size_t msg2_len = strlen((const char*)msg2);
2219 :
2220 2 : (void)arg;
2221 :
2222 2 : tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec1, 0));
2223 2 : tt_int_op(0, OP_EQ, ed25519_secret_key_generate(&sec2, 1));
2224 :
2225 2 : tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub1, &sec1));
2226 2 : tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec1));
2227 :
2228 2 : tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
2229 2 : tt_int_op(ed25519_validate_pubkey(&pub2), OP_EQ, 0);
2230 :
2231 2 : tt_mem_op(pub1.pubkey, OP_EQ, pub2.pubkey, sizeof(pub1.pubkey));
2232 2 : tt_assert(ed25519_pubkey_eq(&pub1, &pub2));
2233 2 : tt_assert(ed25519_pubkey_eq(&pub1, &pub1));
2234 :
2235 2 : memcpy(&kp1.pubkey, &pub1, sizeof(pub1));
2236 2 : memcpy(&kp1.seckey, &sec1, sizeof(sec1));
2237 2 : tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp1));
2238 2 : tt_int_op(0, OP_EQ, ed25519_sign(&sig2, msg, msg_len, &kp1));
2239 :
2240 : /* Ed25519 signatures are deterministic */
2241 2 : tt_mem_op(sig1.sig, OP_EQ, sig2.sig, sizeof(sig1.sig));
2242 :
2243 : /* Basic signature is valid. */
2244 2 : tt_int_op(0, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2245 :
2246 : /* Altered signature doesn't work. */
2247 2 : sig1.sig[0] ^= 3;
2248 2 : tt_int_op(-1, OP_EQ, ed25519_checksig(&sig1, msg, msg_len, &pub1));
2249 :
2250 : /* Wrong public key doesn't work. */
2251 2 : tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pub2, &sec2));
2252 2 : tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub2));
2253 2 : tt_assert(! ed25519_pubkey_eq(&pub1, &pub2));
2254 :
2255 : /* Wrong message doesn't work. */
2256 2 : tt_int_op(0, OP_EQ, ed25519_checksig(&sig2, msg, msg_len, &pub1));
2257 2 : tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg, msg_len-1, &pub1));
2258 2 : tt_int_op(-1, OP_EQ, ed25519_checksig(&sig2, msg2, msg2_len, &pub1));
2259 :
2260 : /* Batch signature checking works with some bad. */
2261 2 : tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp2, 0));
2262 2 : tt_int_op(0, OP_EQ, ed25519_sign(&sig1, msg, msg_len, &kp2));
2263 : {
2264 2 : ed25519_checkable_t ch[] = {
2265 : { &pub1, sig2, msg, msg_len }, /*ok*/
2266 : { &pub1, sig2, msg, msg_len-1 }, /*bad*/
2267 : { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/
2268 : { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2269 : };
2270 2 : int okay[4];
2271 2 : tt_int_op(-2, OP_EQ, ed25519_checksig_batch(okay, ch, 4));
2272 2 : tt_int_op(okay[0], OP_EQ, 1);
2273 2 : tt_int_op(okay[1], OP_EQ, 0);
2274 2 : tt_int_op(okay[2], OP_EQ, 0);
2275 2 : tt_int_op(okay[3], OP_EQ, 1);
2276 2 : tt_int_op(-2, OP_EQ, ed25519_checksig_batch(NULL, ch, 4));
2277 : }
2278 :
2279 : /* Batch signature checking works with all good. */
2280 : {
2281 2 : ed25519_checkable_t ch[] = {
2282 : { &pub1, sig2, msg, msg_len }, /*ok*/
2283 : { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
2284 : };
2285 2 : int okay[2];
2286 2 : tt_int_op(0, OP_EQ, ed25519_checksig_batch(okay, ch, 2));
2287 2 : tt_int_op(okay[0], OP_EQ, 1);
2288 2 : tt_int_op(okay[1], OP_EQ, 1);
2289 2 : tt_int_op(0, OP_EQ, ed25519_checksig_batch(NULL, ch, 2));
2290 : }
2291 :
2292 : /* Test the string-prefixed sign/checksig functions */
2293 : {
2294 2 : ed25519_signature_t manual_sig;
2295 2 : char *prefixed_msg;
2296 :
2297 : /* Generate a signature with a prefixed msg. */
2298 2 : tt_int_op(0, OP_EQ, ed25519_sign_prefixed(&sig1, msg, msg_len,
2299 : "always in the mood",
2300 : &kp1));
2301 :
2302 : /* First, check that ed25519_sign_prefixed() returns the exact same sig as
2303 : if we had manually prefixed the msg ourselves. */
2304 2 : tor_asprintf(&prefixed_msg, "%s%s", "always in the mood", msg);
2305 2 : tt_int_op(0, OP_EQ, ed25519_sign(&manual_sig, (uint8_t *)prefixed_msg,
2306 : strlen(prefixed_msg), &kp1));
2307 2 : tor_free(prefixed_msg);
2308 2 : tt_assert(fast_memeq(sig1.sig, manual_sig.sig, sizeof(sig1.sig)));
2309 :
2310 : /* Test that prefixed checksig verifies it properly. */
2311 2 : tt_int_op(0, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2312 : "always in the mood",
2313 : &pub1));
2314 :
2315 : /* Test that checksig with wrong prefix fails. */
2316 2 : tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2317 : "always in the moo",
2318 : &pub1));
2319 2 : tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2320 : "always in the moon",
2321 : &pub1));
2322 2 : tt_int_op(-1, OP_EQ, ed25519_checksig_prefixed(&sig1, msg, msg_len,
2323 : "always in the mood!",
2324 : &pub1));
2325 : }
2326 :
2327 2 : done:
2328 2 : ;
2329 2 : }
2330 :
2331 : static void
2332 2 : test_crypto_ed25519_test_vectors(void *arg)
2333 : {
2334 2 : char *mem_op_hex_tmp=NULL;
2335 2 : int i;
2336 2 : struct {
2337 : const char *sk;
2338 : const char *pk;
2339 : const char *sig;
2340 : const char *msg;
2341 2 : } items[] = {
2342 : /* These test vectors were generated with the "ref" implementation of
2343 : * ed25519 from SUPERCOP-20130419 */
2344 : { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
2345 : "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
2346 : "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
2347 : "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
2348 : "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2349 : "204e554c2d7465726d696e617465642e"
2350 : },
2351 :
2352 : { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
2353 : "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
2354 : "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
2355 : "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
2356 : "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2357 : "204e554c2d7465726d696e617465642e"
2358 : },
2359 : { "6578706f73656420627920456e676c697368207465787420617320696e707574",
2360 : "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
2361 : "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
2362 : "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
2363 : "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
2364 : "204e554c2d7465726d696e617465642e"
2365 : },
2366 :
2367 : /* These come from "sign.input" in ed25519's page */
2368 : { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
2369 : "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
2370 : "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
2371 : "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
2372 : "5a8d9d0a22357e6655f9c785"
2373 : },
2374 : { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
2375 : "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
2376 : "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
2377 : "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
2378 : "b87d3813e03f58cf19fd0b6395"
2379 : },
2380 : { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
2381 : "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
2382 : "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
2383 : "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
2384 : "55c7fa434f5ed8cdec2b7aeac173",
2385 : },
2386 : { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
2387 : "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
2388 : "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
2389 : "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
2390 : "0a688e79be24f866286d4646b5d81c"
2391 : },
2392 : /* These come from draft-irtf-cfrg-eddsa-05 section 7.1 */
2393 : {
2394 : "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
2395 : "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
2396 : "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
2397 : "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b",
2398 : ""
2399 : },
2400 : {
2401 : "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
2402 : "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
2403 : "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
2404 : "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00",
2405 : "72"
2406 : },
2407 : {
2408 : "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
2409 : "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
2410 : "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350"
2411 : "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
2412 : "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98"
2413 : "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8"
2414 : "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d"
2415 : "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc"
2416 : "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe"
2417 : "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e"
2418 : "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef"
2419 : "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7"
2420 : "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
2421 : "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2"
2422 : "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24"
2423 : "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270"
2424 : "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc"
2425 : "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07"
2426 : "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba"
2427 : "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a"
2428 : "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e"
2429 : "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
2430 : "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c"
2431 : "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8"
2432 : "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df"
2433 : "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08"
2434 : "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649"
2435 : "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4"
2436 : "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3"
2437 : "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e"
2438 : "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
2439 : "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5"
2440 : "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1"
2441 : "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d"
2442 : "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c"
2443 : "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0"
2444 : },
2445 : {
2446 : "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
2447 : "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
2448 : "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
2449 : "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704",
2450 : "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
2451 : "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
2452 : },
2453 : { NULL, NULL, NULL, NULL}
2454 : };
2455 :
2456 2 : (void)arg;
2457 :
2458 24 : for (i = 0; items[i].pk; ++i) {
2459 22 : ed25519_keypair_t kp;
2460 22 : ed25519_signature_t sig;
2461 22 : uint8_t sk_seed[32];
2462 22 : uint8_t *msg;
2463 22 : size_t msg_len;
2464 22 : base16_decode((char*)sk_seed, sizeof(sk_seed),
2465 : items[i].sk, 64);
2466 22 : ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
2467 22 : tt_int_op(0, OP_EQ, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
2468 22 : test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
2469 :
2470 22 : msg_len = strlen(items[i].msg) / 2;
2471 22 : msg = tor_malloc(msg_len);
2472 22 : base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg));
2473 :
2474 22 : tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, msg_len, &kp));
2475 22 : test_memeq_hex(sig.sig, items[i].sig);
2476 :
2477 22 : tor_free(msg);
2478 : }
2479 :
2480 2 : done:
2481 2 : tor_free(mem_op_hex_tmp);
2482 2 : }
2483 :
2484 : static void
2485 2 : test_crypto_ed25519_encode(void *arg)
2486 : {
2487 2 : char buf[ED25519_SIG_BASE64_LEN+1];
2488 2 : ed25519_keypair_t kp;
2489 2 : ed25519_public_key_t pk;
2490 2 : ed25519_signature_t sig1, sig2;
2491 2 : char *mem_op_hex_tmp = NULL;
2492 2 : (void) arg;
2493 :
2494 : /* Test roundtrip. */
2495 2 : tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, 0));
2496 2 : ed25519_public_to_base64(buf, &kp.pubkey);
2497 2 : tt_int_op(ED25519_BASE64_LEN, OP_EQ, strlen(buf));
2498 2 : tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk, buf));
2499 2 : tt_mem_op(kp.pubkey.pubkey, OP_EQ, pk.pubkey, ED25519_PUBKEY_LEN);
2500 :
2501 2 : tt_int_op(0, OP_EQ, ed25519_sign(&sig1, (const uint8_t*)"ABC", 3, &kp));
2502 2 : ed25519_signature_to_base64(buf, &sig1);
2503 2 : tt_int_op(0, OP_EQ, ed25519_signature_from_base64(&sig2, buf));
2504 2 : tt_mem_op(sig1.sig, OP_EQ, sig2.sig, ED25519_SIG_LEN);
2505 :
2506 : /* Test known value. */
2507 2 : tt_int_op(0, OP_EQ, ed25519_public_from_base64(&pk,
2508 : "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
2509 2 : test_memeq_hex(pk.pubkey,
2510 : "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
2511 :
2512 2 : done:
2513 2 : tor_free(mem_op_hex_tmp);
2514 2 : }
2515 :
2516 : static void
2517 2 : test_crypto_ed25519_convert(void *arg)
2518 : {
2519 2 : const uint8_t msg[] =
2520 : "The eyes are not here / There are no eyes here.";
2521 2 : const int N = 30;
2522 2 : int i;
2523 2 : (void)arg;
2524 :
2525 62 : for (i = 0; i < N; ++i) {
2526 60 : curve25519_keypair_t curve25519_keypair;
2527 60 : ed25519_keypair_t ed25519_keypair;
2528 60 : ed25519_public_key_t ed25519_pubkey;
2529 :
2530 60 : int bit=0;
2531 60 : ed25519_signature_t sig;
2532 :
2533 60 : tt_int_op(0,OP_EQ,curve25519_keypair_generate(&curve25519_keypair, i&1));
2534 60 : tt_int_op(0,OP_EQ,ed25519_keypair_from_curve25519_keypair(
2535 : &ed25519_keypair, &bit, &curve25519_keypair));
2536 60 : tt_int_op(0,OP_EQ,ed25519_public_key_from_curve25519_public_key(
2537 : &ed25519_pubkey, &curve25519_keypair.pubkey, bit));
2538 60 : tt_mem_op(ed25519_pubkey.pubkey, OP_EQ, ed25519_keypair.pubkey.pubkey, 32);
2539 :
2540 60 : tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair));
2541 60 : tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2542 : &ed25519_pubkey));
2543 :
2544 60 : tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2545 : &ed25519_pubkey));
2546 60 : sig.sig[0] ^= 15;
2547 60 : tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2548 : &ed25519_pubkey));
2549 : }
2550 :
2551 2 : done:
2552 2 : ;
2553 2 : }
2554 :
2555 : static void
2556 2 : test_crypto_ed25519_blinding(void *arg)
2557 : {
2558 2 : const uint8_t msg[] =
2559 : "Eyes I dare not meet in dreams / In death's dream kingdom";
2560 :
2561 2 : const int N = 30;
2562 2 : int i;
2563 2 : (void)arg;
2564 :
2565 62 : for (i = 0; i < N; ++i) {
2566 60 : uint8_t blinding[32];
2567 60 : ed25519_keypair_t ed25519_keypair;
2568 60 : ed25519_keypair_t ed25519_keypair_blinded;
2569 60 : ed25519_public_key_t ed25519_pubkey_blinded;
2570 :
2571 60 : ed25519_signature_t sig;
2572 :
2573 60 : crypto_rand((char*) blinding, sizeof(blinding));
2574 :
2575 60 : tt_int_op(0,OP_EQ,ed25519_keypair_generate(&ed25519_keypair, 0));
2576 60 : tt_int_op(0,OP_EQ,ed25519_keypair_blind(&ed25519_keypair_blinded,
2577 : &ed25519_keypair, blinding));
2578 :
2579 60 : tt_int_op(0,OP_EQ,ed25519_public_blind(&ed25519_pubkey_blinded,
2580 : &ed25519_keypair.pubkey, blinding));
2581 :
2582 60 : tt_mem_op(ed25519_pubkey_blinded.pubkey, OP_EQ,
2583 60 : ed25519_keypair_blinded.pubkey.pubkey, 32);
2584 :
2585 60 : tt_int_op(0,OP_EQ,ed25519_sign(&sig, msg, sizeof(msg),
2586 : &ed25519_keypair_blinded));
2587 :
2588 60 : tt_int_op(0,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2589 : &ed25519_pubkey_blinded));
2590 :
2591 60 : tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg)-1,
2592 : &ed25519_pubkey_blinded));
2593 60 : sig.sig[0] ^= 15;
2594 60 : tt_int_op(-1,OP_EQ,ed25519_checksig(&sig, msg, sizeof(msg),
2595 : &ed25519_pubkey_blinded));
2596 : }
2597 :
2598 2 : done:
2599 2 : ;
2600 2 : }
2601 :
2602 : /** Test that our blinding functions will fail if we pass them bad pubkeys */
2603 : static void
2604 2 : test_crypto_ed25519_blinding_fail(void *arg)
2605 : {
2606 2 : int retval;
2607 2 : uint8_t param[32] = {2};
2608 2 : ed25519_public_key_t pub;
2609 2 : ed25519_public_key_t pub_blinded;
2610 :
2611 2 : (void)arg;
2612 :
2613 : /* This point is not on the curve: the blind routines should fail */
2614 2 : const char badkey[] =
2615 : "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2616 2 : retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2617 : badkey, strlen(badkey));
2618 2 : tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2619 2 : retval = ed25519_public_blind(&pub_blinded, &pub, param);
2620 2 : tt_int_op(retval, OP_EQ, -1);
2621 :
2622 : /* This point is legit: blind routines should be happy */
2623 2 : const char goodkey[] =
2624 : "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2625 2 : retval = base16_decode((char*)pub.pubkey, sizeof(pub.pubkey),
2626 : goodkey, strlen(goodkey));
2627 2 : tt_int_op(retval, OP_EQ, sizeof(pub.pubkey));
2628 2 : retval = ed25519_public_blind(&pub_blinded, &pub, param);
2629 2 : tt_int_op(retval, OP_EQ, 0);
2630 :
2631 2 : done:
2632 2 : ;
2633 2 : }
2634 :
2635 : static void
2636 2 : test_crypto_ed25519_testvectors(void *arg)
2637 : {
2638 2 : unsigned i;
2639 2 : char *mem_op_hex_tmp = NULL;
2640 2 : (void)arg;
2641 :
2642 22 : for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) {
2643 20 : uint8_t sk[32];
2644 20 : ed25519_secret_key_t esk;
2645 20 : ed25519_public_key_t pk, blind_pk, pkfromcurve;
2646 20 : ed25519_keypair_t keypair, blind_keypair;
2647 20 : curve25519_keypair_t curvekp;
2648 20 : uint8_t blinding_param[32];
2649 20 : ed25519_signature_t sig;
2650 20 : int sign;
2651 :
2652 20 : memset(&curvekp, 0xd0, sizeof(curvekp));
2653 :
2654 : #define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
2655 : #define EQ(a,h) test_memeq_hex((const char*)(a), (h))
2656 :
2657 20 : tt_int_op(sizeof(sk), OP_EQ, DECODE(sk, ED25519_SECRET_KEYS[i]));
2658 20 : tt_int_op(sizeof(blinding_param), OP_EQ, DECODE(blinding_param,
2659 : ED25519_BLINDING_PARAMS[i]));
2660 :
2661 20 : tt_int_op(0, OP_EQ, ed25519_secret_key_from_seed(&esk, sk));
2662 20 : EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]);
2663 :
2664 20 : tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &esk));
2665 20 : EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]);
2666 :
2667 20 : memcpy(&curvekp.seckey.secret_key, esk.seckey, 32);
2668 20 : curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey);
2669 :
2670 20 : tt_int_op(0, OP_EQ,
2671 : ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp));
2672 20 : tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
2673 : &pkfromcurve, &curvekp.pubkey, sign));
2674 20 : tt_mem_op(keypair.pubkey.pubkey, OP_EQ, pkfromcurve.pubkey, 32);
2675 20 : EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]);
2676 :
2677 : /* Self-signing */
2678 20 : memcpy(&keypair.seckey, &esk, sizeof(esk));
2679 20 : memcpy(&keypair.pubkey, &pk, sizeof(pk));
2680 :
2681 20 : tt_int_op(0, OP_EQ, ed25519_sign(&sig, pk.pubkey, 32, &keypair));
2682 :
2683 20 : EQ(sig.sig, ED25519_SELF_SIGNATURES[i]);
2684 :
2685 : /* Blinding */
2686 20 : tt_int_op(0, OP_EQ,
2687 : ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param));
2688 20 : tt_int_op(0, OP_EQ,
2689 : ed25519_public_blind(&blind_pk, &pk, blinding_param));
2690 :
2691 20 : EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]);
2692 20 : EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]);
2693 :
2694 20 : tt_mem_op(blind_pk.pubkey, OP_EQ, blind_keypair.pubkey.pubkey, 32);
2695 :
2696 : #undef DECODE
2697 : #undef EQ
2698 : }
2699 2 : done:
2700 2 : tor_free(mem_op_hex_tmp);
2701 2 : }
2702 :
2703 : static void
2704 1 : test_crypto_ed25519_storage(void *arg)
2705 : {
2706 1 : (void)arg;
2707 1 : ed25519_keypair_t *keypair = NULL;
2708 1 : ed25519_public_key_t pub;
2709 1 : ed25519_secret_key_t sec;
2710 1 : char *fname_1 = tor_strdup(get_fname("ed_seckey_1"));
2711 1 : char *fname_2 = tor_strdup(get_fname("ed_pubkey_2"));
2712 1 : char *contents = NULL;
2713 1 : char *tag = NULL;
2714 :
2715 1 : keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
2716 1 : tt_int_op(0,OP_EQ,ed25519_keypair_generate(keypair, 0));
2717 1 : tt_int_op(0,OP_EQ,
2718 : ed25519_seckey_write_to_file(&keypair->seckey, fname_1, "foo"));
2719 1 : tt_int_op(0,OP_EQ,
2720 : ed25519_pubkey_write_to_file(&keypair->pubkey, fname_2, "bar"));
2721 :
2722 1 : tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_1));
2723 1 : tt_ptr_op(tag, OP_EQ, NULL);
2724 1 : tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_2));
2725 1 : tt_ptr_op(tag, OP_EQ, NULL);
2726 :
2727 1 : tt_int_op(0, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2728 1 : tt_str_op(tag, OP_EQ, "bar");
2729 1 : tor_free(tag);
2730 1 : tt_int_op(0, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2731 1 : tt_str_op(tag, OP_EQ, "foo");
2732 1 : tor_free(tag);
2733 :
2734 : /* whitebox test: truncated keys. */
2735 1 : tt_int_op(0, OP_EQ, do_truncate(fname_1, 40));
2736 1 : tt_int_op(0, OP_EQ, do_truncate(fname_2, 40));
2737 1 : tt_int_op(-1, OP_EQ, ed25519_pubkey_read_from_file(&pub, &tag, fname_2));
2738 1 : tt_ptr_op(tag, OP_EQ, NULL);
2739 1 : tor_free(tag);
2740 1 : tt_int_op(-1, OP_EQ, ed25519_seckey_read_from_file(&sec, &tag, fname_1));
2741 1 : tt_ptr_op(tag, OP_EQ, NULL);
2742 :
2743 1 : done:
2744 1 : tor_free(fname_1);
2745 1 : tor_free(fname_2);
2746 1 : tor_free(contents);
2747 1 : tor_free(tag);
2748 1 : ed25519_keypair_free(keypair);
2749 1 : }
2750 :
2751 : static void
2752 1 : test_crypto_siphash(void *arg)
2753 : {
2754 : /* From the reference implementation, taking
2755 : k = 00 01 02 ... 0f
2756 : and in = 00; 00 01; 00 01 02; ...
2757 : */
2758 1 : const uint8_t VECTORS[64][8] =
2759 : {
2760 : { 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
2761 : { 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
2762 : { 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
2763 : { 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
2764 : { 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
2765 : { 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
2766 : { 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
2767 : { 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
2768 : { 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
2769 : { 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
2770 : { 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
2771 : { 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
2772 : { 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
2773 : { 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
2774 : { 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
2775 : { 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
2776 : { 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
2777 : { 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
2778 : { 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
2779 : { 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
2780 : { 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
2781 : { 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
2782 : { 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
2783 : { 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
2784 : { 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
2785 : { 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
2786 : { 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
2787 : { 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
2788 : { 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
2789 : { 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
2790 : { 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
2791 : { 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
2792 : { 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
2793 : { 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
2794 : { 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
2795 : { 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
2796 : { 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
2797 : { 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
2798 : { 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
2799 : { 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
2800 : { 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
2801 : { 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
2802 : { 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
2803 : { 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
2804 : { 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
2805 : { 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
2806 : { 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
2807 : { 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
2808 : { 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
2809 : { 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
2810 : { 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
2811 : { 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
2812 : { 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
2813 : { 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
2814 : { 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
2815 : { 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
2816 : { 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
2817 : { 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
2818 : { 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
2819 : { 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
2820 : { 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
2821 : { 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
2822 : { 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
2823 : { 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
2824 : };
2825 :
2826 1 : const struct sipkey K = { UINT64_C(0x0706050403020100),
2827 : UINT64_C(0x0f0e0d0c0b0a0908) };
2828 1 : uint8_t input[64];
2829 1 : int i, j;
2830 :
2831 1 : (void)arg;
2832 :
2833 65 : for (i = 0; i < 64; ++i)
2834 64 : input[i] = i;
2835 :
2836 65 : for (i = 0; i < 64; ++i) {
2837 64 : uint64_t r = siphash24(input, i, &K);
2838 640 : for (j = 0; j < 8; ++j) {
2839 512 : tt_int_op( (r >> (j*8)) & 0xff, OP_EQ, VECTORS[i][j]);
2840 : }
2841 : }
2842 :
2843 1 : done:
2844 1 : ;
2845 1 : }
2846 :
2847 : /* We want the likelihood that the random buffer exhibits any regular pattern
2848 : * to be far less than the memory bit error rate in the int return value.
2849 : * Using 2048 bits provides a failure rate of 1/(3 * 10^616), and we call
2850 : * 3 functions, leading to an overall error rate of 1/10^616.
2851 : * This is comparable with the 1/10^603 failure rate of test_crypto_rng_range.
2852 : */
2853 : #define FAILURE_MODE_BUFFER_SIZE (2048/8)
2854 :
2855 : /** Check crypto_rand for a failure mode where it does nothing to the buffer,
2856 : * or it sets the buffer to all zeroes. Return 0 when the check passes,
2857 : * or -1 when it fails. */
2858 : static int
2859 1 : crypto_rand_check_failure_mode_zero(void)
2860 : {
2861 1 : char buf[FAILURE_MODE_BUFFER_SIZE];
2862 :
2863 1 : memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
2864 1 : crypto_rand(buf, FAILURE_MODE_BUFFER_SIZE);
2865 :
2866 1 : for (size_t i = 0; i < FAILURE_MODE_BUFFER_SIZE; i++) {
2867 1 : if (buf[i] != 0) {
2868 : return 0;
2869 : }
2870 : }
2871 :
2872 : return -1;
2873 : }
2874 :
2875 : /** Check crypto_rand for a failure mode where every int64_t in the buffer is
2876 : * the same. Return 0 when the check passes, or -1 when it fails. */
2877 : static int
2878 1 : crypto_rand_check_failure_mode_identical(void)
2879 : {
2880 : /* just in case the buffer size isn't a multiple of sizeof(int64_t) */
2881 : #define FAILURE_MODE_BUFFER_SIZE_I64 \
2882 : (FAILURE_MODE_BUFFER_SIZE/8)
2883 : #define FAILURE_MODE_BUFFER_SIZE_I64_BYTES \
2884 : (FAILURE_MODE_BUFFER_SIZE_I64*8)
2885 :
2886 : #if FAILURE_MODE_BUFFER_SIZE_I64 < 2
2887 : #error FAILURE_MODE_BUFFER_SIZE needs to be at least 2*8
2888 : #endif
2889 :
2890 1 : int64_t buf[FAILURE_MODE_BUFFER_SIZE_I64];
2891 :
2892 1 : memset(buf, 0, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
2893 1 : crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE_I64_BYTES);
2894 :
2895 1 : for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE_I64; i++) {
2896 1 : if (buf[i] != buf[i-1]) {
2897 : return 0;
2898 : }
2899 : }
2900 :
2901 : return -1;
2902 : }
2903 :
2904 : /** Check crypto_rand for a failure mode where it increments the "random"
2905 : * value by 1 for every byte in the buffer. (This is OpenSSL's PREDICT mode.)
2906 : * Return 0 when the check passes, or -1 when it fails. */
2907 : static int
2908 1 : crypto_rand_check_failure_mode_predict(void)
2909 : {
2910 1 : unsigned char buf[FAILURE_MODE_BUFFER_SIZE];
2911 :
2912 1 : memset(buf, 0, FAILURE_MODE_BUFFER_SIZE);
2913 1 : crypto_rand((char *)buf, FAILURE_MODE_BUFFER_SIZE);
2914 :
2915 1 : for (size_t i = 1; i < FAILURE_MODE_BUFFER_SIZE; i++) {
2916 : /* check if the last byte was incremented by 1, including integer
2917 : * wrapping */
2918 1 : if (buf[i] - buf[i-1] != 1 && buf[i-1] - buf[i] != 255) {
2919 : return 0;
2920 : }
2921 : }
2922 :
2923 : return -1;
2924 : }
2925 :
2926 : #undef FAILURE_MODE_BUFFER_SIZE
2927 :
2928 : /** Test that our ed25519 validation function rejects evil public keys and
2929 : * accepts good ones. */
2930 : static void
2931 2 : test_crypto_ed25519_validation(void *arg)
2932 : {
2933 2 : (void) arg;
2934 :
2935 2 : int retval;
2936 2 : ed25519_public_key_t pub1;
2937 :
2938 : /* See https://lists.torproject.org/pipermail/tor-dev/2017-April/012230.html
2939 : for a list of points with torsion components in ed25519. */
2940 :
2941 : { /* Point with torsion component (order 8l) */
2942 2 : const char badkey[] =
2943 : "300ef2e64e588e1df55b48e4da0416ffb64cc85d5b00af6463d5cc6c2b1c185e";
2944 2 : retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2945 : badkey, strlen(badkey));
2946 2 : tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2947 2 : tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2948 : }
2949 :
2950 : { /* Point with torsion component (order 4l) */
2951 2 : const char badkey[] =
2952 : "f43e3a046db8749164c6e69b193f1e942c7452e7d888736f40b98093d814d5e7";
2953 2 : retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2954 : badkey, strlen(badkey));
2955 2 : tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2956 2 : tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2957 : }
2958 :
2959 : { /* Point with torsion component (order 2l) */
2960 2 : const char badkey[] =
2961 : "c9fff3af0471c28e33e98c2043e44f779d0427b1e37c521a6bddc011ed1869af";
2962 2 : retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2963 : badkey, strlen(badkey));
2964 2 : tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2965 2 : tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2966 : }
2967 :
2968 : { /* This point is not even on the curve */
2969 2 : const char badkey[] =
2970 : "e19c65de75c68cf3b7643ea732ba9eb1a3d20d6d57ba223c2ece1df66feb5af0";
2971 2 : retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2972 : badkey, strlen(badkey));
2973 2 : tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2974 2 : tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, -1);
2975 : }
2976 :
2977 : { /* This one is a good key */
2978 2 : const char goodkey[] =
2979 : "4ba2e44760dff4c559ef3c38768c1c14a8a54740c782c8d70803e9d6e3ad8794";
2980 2 : retval = base16_decode((char*)pub1.pubkey, sizeof(pub1.pubkey),
2981 : goodkey, strlen(goodkey));
2982 2 : tt_int_op(retval, OP_EQ, sizeof(pub1.pubkey));
2983 2 : tt_int_op(ed25519_validate_pubkey(&pub1), OP_EQ, 0);
2984 : }
2985 :
2986 2 : done: ;
2987 2 : }
2988 :
2989 : static void
2990 1 : test_crypto_failure_modes(void *arg)
2991 : {
2992 1 : int rv = 0;
2993 1 : (void)arg;
2994 :
2995 1 : rv = crypto_early_init();
2996 1 : tt_int_op(rv, OP_EQ, 0);
2997 :
2998 : /* Check random works */
2999 1 : rv = crypto_rand_check_failure_mode_zero();
3000 1 : tt_int_op(rv, OP_EQ, 0);
3001 :
3002 1 : rv = crypto_rand_check_failure_mode_identical();
3003 1 : tt_int_op(rv, OP_EQ, 0);
3004 :
3005 1 : rv = crypto_rand_check_failure_mode_predict();
3006 1 : tt_int_op(rv, OP_EQ, 0);
3007 :
3008 1 : done:
3009 1 : ;
3010 1 : }
3011 :
3012 : #ifndef COCCI
3013 : #define CRYPTO_LEGACY(name) \
3014 : { #name, test_crypto_ ## name , 0, NULL, NULL }
3015 :
3016 : #define ED25519_TEST_ONE(name, fl, which) \
3017 : { #name "/ed25519_" which, test_crypto_ed25519_ ## name, (fl), \
3018 : &ed25519_test_setup, (void*)which }
3019 :
3020 : #define ED25519_TEST(name, fl) \
3021 : ED25519_TEST_ONE(name, (fl), "donna"), \
3022 : ED25519_TEST_ONE(name, (fl), "ref10")
3023 : #endif /* !defined(COCCI) */
3024 :
3025 : struct testcase_t crypto_tests[] = {
3026 : CRYPTO_LEGACY(formats),
3027 : { "openssl_version", test_crypto_openssl_version, TT_FORK, NULL, NULL },
3028 : { "aes_AES", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"aes" },
3029 : { "aes_EVP", test_crypto_aes128, TT_FORK, &passthrough_setup, (void*)"evp" },
3030 : { "aes128_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3031 : &passthrough_setup, (void*)"128" },
3032 : { "aes192_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3033 : &passthrough_setup, (void*)"192" },
3034 : { "aes256_ctr_testvec", test_crypto_aes_ctr_testvec, 0,
3035 : &passthrough_setup, (void*)"256" },
3036 : CRYPTO_LEGACY(sha),
3037 : CRYPTO_LEGACY(pk),
3038 : { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
3039 : { "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL },
3040 : { "pk_pem_encrypted", test_crypto_pk_pem_encrypted, TT_FORK, NULL, NULL },
3041 : { "pk_bad_size", test_crypto_pk_bad_size, 0, NULL, NULL },
3042 : { "pk_invalid_private_key", test_crypto_pk_invalid_private_key, 0,
3043 : NULL, NULL },
3044 : CRYPTO_LEGACY(digests),
3045 : { "digest_names", test_crypto_digest_names, 0, NULL, NULL },
3046 : { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL},
3047 : { "sha3_xof", test_crypto_sha3_xof, TT_FORK, NULL, NULL},
3048 : { "mac_sha3", test_crypto_mac_sha3, TT_FORK, NULL, NULL},
3049 : CRYPTO_LEGACY(dh),
3050 : { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3051 : (void*)"aes" },
3052 : { "aes_iv_EVP", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
3053 : (void*)"evp" },
3054 : CRYPTO_LEGACY(base32_decode),
3055 : { "kdf_TAP", test_crypto_kdf_TAP, 0, NULL, NULL },
3056 : { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
3057 : { "hkdf_sha256_testvecs", test_crypto_hkdf_sha256_testvecs, 0, NULL, NULL },
3058 : { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
3059 : { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y"},
3060 : { "curve25516_testvec", test_crypto_curve25519_testvec, 0, NULL, NULL },
3061 : { "curve25519_basepoint",
3062 : test_crypto_curve25519_basepoint, TT_FORK, NULL, NULL },
3063 : { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
3064 : { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
3065 : { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
3066 : ED25519_TEST(simple, 0),
3067 : ED25519_TEST(test_vectors, 0),
3068 : ED25519_TEST(encode, 0),
3069 : ED25519_TEST(convert, 0),
3070 : ED25519_TEST(blinding, 0),
3071 : ED25519_TEST(blinding_fail, 0),
3072 : ED25519_TEST(testvectors, 0),
3073 : ED25519_TEST(validation, 0),
3074 : { "ed25519_storage", test_crypto_ed25519_storage, 0, NULL, NULL },
3075 : { "siphash", test_crypto_siphash, 0, NULL, NULL },
3076 : { "failure_modes", test_crypto_failure_modes, TT_FORK, NULL, NULL },
3077 : END_OF_TESTCASES
3078 : };
|
