Added optimised implementation of P-256 that uses 32->64 multiplications (MUL31).
[BearSSL] / test / test_crypto.c
index 33f31a6..53a5f13 100644 (file)
@@ -47,9 +47,9 @@ hextobin(unsigned char *dst, const char *src)
                if (c >= '0' && c <= '9') {
                        c -= '0';
                } else if (c >= 'A' && c <= 'F') {
                if (c >= '0' && c <= '9') {
                        c -= '0';
                } else if (c >= 'A' && c <= 'F') {
-                       c -= ('A' - 10); \
+                       c -= ('A' - 10);
                } else if (c >= 'a' && c <= 'f') {
                } else if (c >= 'a' && c <= 'f') {
-                       c -= ('a' - 10); \
+                       c -= ('a' - 10);
                } else {
                        continue;
                }
                } else {
                        continue;
                }
@@ -4113,11 +4113,13 @@ static const struct {
 };
 
 static void
 };
 
 static void
-test_Poly1305_ctmul(void)
+test_Poly1305_inner(const char *name, br_poly1305_run ipoly,
+       br_poly1305_run iref)
 {
        size_t u;
 {
        size_t u;
+       br_hmac_drbg_context rng;
 
 
-       printf("Test Poly1305_ctmul: ");
+       printf("Test %s: ", name);
        fflush(stdout);
 
        for (u = 0; KAT_POLY1305[u].skey; u ++) {
        fflush(stdout);
 
        for (u = 0; KAT_POLY1305[u].skey; u ++) {
@@ -4133,7 +4135,7 @@ test_Poly1305_ctmul(void)
                hextobin(tag, KAT_POLY1305[u].stag);
 
                memcpy(data, plain, len);
                hextobin(tag, KAT_POLY1305[u].stag);
 
                memcpy(data, plain, len);
-               br_poly1305_ctmul_run(key, nonce, data, len,
+               ipoly(key, nonce, data, len,
                        aad, aad_len, tmp, br_chacha20_ct_run, 1);
                if (memcmp(data, cipher, len) != 0) {
                        fprintf(stderr, "ChaCha20+Poly1305 KAT failed (1)\n");
                        aad, aad_len, tmp, br_chacha20_ct_run, 1);
                if (memcmp(data, cipher, len) != 0) {
                        fprintf(stderr, "ChaCha20+Poly1305 KAT failed (1)\n");
@@ -4143,7 +4145,7 @@ test_Poly1305_ctmul(void)
                        fprintf(stderr, "ChaCha20+Poly1305 KAT failed (2)\n");
                        exit(EXIT_FAILURE);
                }
                        fprintf(stderr, "ChaCha20+Poly1305 KAT failed (2)\n");
                        exit(EXIT_FAILURE);
                }
-               br_poly1305_ctmul_run(key, nonce, data, len,
+               ipoly(key, nonce, data, len,
                        aad, aad_len, tmp, br_chacha20_ct_run, 0);
                if (memcmp(data, plain, len) != 0) {
                        fprintf(stderr, "ChaCha20+Poly1305 KAT failed (3)\n");
                        aad, aad_len, tmp, br_chacha20_ct_run, 0);
                if (memcmp(data, plain, len) != 0) {
                        fprintf(stderr, "ChaCha20+Poly1305 KAT failed (3)\n");
@@ -4158,10 +4160,66 @@ test_Poly1305_ctmul(void)
                fflush(stdout);
        }
 
                fflush(stdout);
        }
 
+       printf(" ");
+       fflush(stdout);
+
+       /*
+        * We compare the "ipoly" and "iref" implementations together on
+        * a bunch of pseudo-random messages.
+        */
+       br_hmac_drbg_init(&rng, &br_sha256_vtable, "seed for Poly1305", 17);
+       for (u = 0; u < 100; u ++) {
+               unsigned char plain[100], aad[100], tmp[100];
+               unsigned char key[32], iv[12], tag1[16], tag2[16];
+
+               br_hmac_drbg_generate(&rng, key, sizeof key);
+               br_hmac_drbg_generate(&rng, iv, sizeof iv);
+               br_hmac_drbg_generate(&rng, plain, u);
+               br_hmac_drbg_generate(&rng, aad, u);
+               memcpy(tmp, plain, u);
+               memset(tmp + u, 0xFF, (sizeof tmp) - u);
+               ipoly(key, iv, tmp, u, aad, u, tag1,
+                       &br_chacha20_ct_run, 1);
+               memset(tmp + u, 0x00, (sizeof tmp) - u);
+               iref(key, iv, tmp, u, aad, u, tag2,
+                       &br_chacha20_ct_run, 0);
+               if (memcmp(tmp, plain, u) != 0) {
+                       fprintf(stderr, "cross enc/dec failed\n");
+                       exit(EXIT_FAILURE);
+               }
+               if (memcmp(tag1, tag2, sizeof tag1) != 0) {
+                       fprintf(stderr, "cross MAC failed\n");
+                       exit(EXIT_FAILURE);
+               }
+               printf(".");
+               fflush(stdout);
+       }
+
        printf(" done.\n");
        fflush(stdout);
 }
 
        printf(" done.\n");
        fflush(stdout);
 }
 
+static void
+test_Poly1305_ctmul(void)
+{
+       test_Poly1305_inner("Poly1305_ctmul", &br_poly1305_ctmul_run,
+               &br_poly1305_i15_run);
+}
+
+static void
+test_Poly1305_ctmul32(void)
+{
+       test_Poly1305_inner("Poly1305_ctmul32", &br_poly1305_ctmul32_run,
+               &br_poly1305_i15_run);
+}
+
+static void
+test_Poly1305_i15(void)
+{
+       test_Poly1305_inner("Poly1305_i15", &br_poly1305_i15_run,
+               &br_poly1305_ctmul_run);
+}
+
 /*
  * A 1024-bit RSA key, generated with OpenSSL.
  */
 /*
  * A 1024-bit RSA key, generated with OpenSSL.
  */
@@ -4367,6 +4425,14 @@ test_RSA_sign(const char *name, br_rsa_private fpriv,
        fflush(stdout);
 }
 
        fflush(stdout);
 }
 
+static void
+test_RSA_i15(void)
+{
+       test_RSA_core("RSA i15 core", &br_rsa_i15_public, &br_rsa_i15_private);
+       test_RSA_sign("RSA i15 sign", &br_rsa_i15_private,
+               &br_rsa_i15_pkcs1_sign, &br_rsa_i15_pkcs1_vrfy);
+}
+
 static void
 test_RSA_i31(void)
 {
 static void
 test_RSA_i31(void)
 {
@@ -4724,6 +4790,20 @@ test_EC_inner(const char *sk, const char *sU,
                        exit(EXIT_FAILURE);
                }
 
                        exit(EXIT_FAILURE);
                }
 
+               /*
+                * Also recomputed D = z*G with mulgen(). This must
+                * again match.
+                */
+               memset(eD, 0, ulen);
+               if (impl->mulgen(eD, bz, nlen, cd->curve) != ulen) {
+                       fprintf(stderr, "mulgen() failed: wrong length\n");
+                       exit(EXIT_FAILURE);
+               }
+               if (memcmp(eC, eD, nlen) != 0) {
+                       fprintf(stderr, "mulgen() / muladd() mismatch\n");
+                       exit(EXIT_FAILURE);
+               }
+
                /*
                 * Check with x*A = y*B. We do so by setting b = x and y = a.
                 */
                /*
                 * Check with x*A = y*B. We do so by setting b = x and y = a.
                 */
@@ -4813,6 +4893,15 @@ test_EC_KAT(const char *name, const br_ec_impl *impl, uint32_t curve_mask)
        fflush(stdout);
 }
 
        fflush(stdout);
 }
 
+static void
+test_EC_prime_i15(void)
+{
+       test_EC_KAT("EC_prime_i15", &br_ec_prime_i15,
+               (uint32_t)1 << BR_EC_secp256r1
+               | (uint32_t)1 << BR_EC_secp384r1
+               | (uint32_t)1 << BR_EC_secp521r1);
+}
+
 static void
 test_EC_prime_i31(void)
 {
 static void
 test_EC_prime_i31(void)
 {
@@ -4822,6 +4911,124 @@ test_EC_prime_i31(void)
                | (uint32_t)1 << BR_EC_secp521r1);
 }
 
                | (uint32_t)1 << BR_EC_secp521r1);
 }
 
+static void
+test_EC_p256_m15(void)
+{
+       test_EC_KAT("EC_p256_m15", &br_ec_p256_m15,
+               (uint32_t)1 << BR_EC_secp256r1);
+}
+
+static void
+test_EC_p256_m31(void)
+{
+       test_EC_KAT("EC_p256_m31", &br_ec_p256_m31,
+               (uint32_t)1 << BR_EC_secp256r1);
+}
+
+const struct {
+       const char *scalar;
+       const char *u_in;
+       const char *u_out;
+} C25519_KAT[] = {
+       { "A546E36BF0527C9D3B16154B82465EDD62144C0AC1FC5A18506A2244BA449AC4",
+         "E6DB6867583030DB3594C1A424B15F7C726624EC26B3353B10A903A6D0AB1C4C",
+         "C3DA55379DE9C6908E94EA4DF28D084F32ECCF03491C71F754B4075577A28552" },
+       { "4B66E9D4D1B4673C5AD22691957D6AF5C11B6421E0EA01D42CA4169E7918BA0D",
+         "E5210F12786811D3F4B7959D0538AE2C31DBE7106FC03C3EFC4CD549C715A493",
+         "95CBDE9476E8907D7AADE45CB4B873F88B595A68799FA152E6F8F7647AAC7957" },
+       { 0, 0, 0 }
+};
+
+static void
+test_EC_c25519(const char *name, const br_ec_impl *iec)
+{
+       unsigned char bu[32], bk[32], br[32];
+       size_t v;
+       int i;
+
+       printf("Test %s: ", name);
+       fflush(stdout);
+       for (v = 0; C25519_KAT[v].scalar; v ++) {
+               hextobin(bk, C25519_KAT[v].scalar);
+               hextobin(bu, C25519_KAT[v].u_in);
+               hextobin(br, C25519_KAT[v].u_out);
+               if (!iec->mul(bu, sizeof bu, bk, sizeof bk, BR_EC_curve25519)) {
+                       fprintf(stderr, "Curve25519 multiplication failed\n");
+                       exit(EXIT_FAILURE);
+               }
+               if (memcmp(bu, br, sizeof bu) != 0) {
+                       fprintf(stderr, "Curve25519 failed KAT\n");
+                       exit(EXIT_FAILURE);
+               }
+               printf(".");
+               fflush(stdout);
+       }
+       printf(" ");
+       fflush(stdout);
+
+       memset(bu, 0, sizeof bu);
+       bu[0] = 0x09;
+       memcpy(bk, bu, sizeof bu);
+       for (i = 1; i <= 1000; i ++) {
+               if (!iec->mul(bu, sizeof bu, bk, sizeof bk, BR_EC_curve25519)) {
+                       fprintf(stderr, "Curve25519 multiplication failed"
+                               " (iter=%d)\n", i);
+                       exit(EXIT_FAILURE);
+               }
+               for (v = 0; v < sizeof bu; v ++) {
+                       unsigned t;
+
+                       t = bu[v];
+                       bu[v] = bk[v];
+                       bk[v] = t;
+               }
+               if (i == 1 || i == 1000) {
+                       const char *sref;
+
+                       sref = (i == 1)
+                               ? "422C8E7A6227D7BCA1350B3E2BB7279F7897B87BB6854B783C60E80311AE3079"
+                               : "684CF59BA83309552800EF566F2F4D3C1C3887C49360E3875F2EB94D99532C51";
+                       hextobin(br, sref);
+                       if (memcmp(bk, br, sizeof bk) != 0) {
+                               fprintf(stderr,
+                                       "Curve25519 failed KAT (iter=%d)\n", i);
+                               exit(EXIT_FAILURE);
+                       }
+               }
+               if (i % 100 == 0) {
+                       printf(".");
+                       fflush(stdout);
+               }
+       }
+
+       printf(" done.\n");
+       fflush(stdout);
+}
+
+static void
+test_EC_c25519_i15(void)
+{
+       test_EC_c25519("EC_c25519_i15", &br_ec_c25519_i15);
+}
+
+static void
+test_EC_c25519_i31(void)
+{
+       test_EC_c25519("EC_c25519_i31", &br_ec_c25519_i31);
+}
+
+static void
+test_EC_c25519_m15(void)
+{
+       test_EC_c25519("EC_c25519_m15", &br_ec_c25519_m15);
+}
+
+static void
+test_EC_c25519_m31(void)
+{
+       test_EC_c25519("EC_c25519_m31", &br_ec_c25519_m31);
+}
+
 static const unsigned char EC_P256_PUB_POINT[] = {
        0x04, 0x60, 0xFE, 0xD4, 0xBA, 0x25, 0x5A, 0x9D,
        0x31, 0xC9, 0x61, 0xEB, 0x74, 0xC6, 0x35, 0x6D,
 static const unsigned char EC_P256_PUB_POINT[] = {
        0x04, 0x60, 0xFE, 0xD4, 0xBA, 0x25, 0x5A, 0x9D,
        0x31, 0xC9, 0x61, 0xEB, 0x74, 0xC6, 0x35, 0x6D,
@@ -5194,7 +5401,8 @@ const ecdsa_kat_vector ECDSA_KAT[] = {
 };
 
 static void
 };
 
 static void
-test_ECDSA_KAT(br_ecdsa_sign sign, br_ecdsa_vrfy vrfy, int asn1)
+test_ECDSA_KAT(const br_ec_impl *iec,
+       br_ecdsa_sign sign, br_ecdsa_vrfy vrfy, int asn1)
 {
        size_t u;
 
 {
        size_t u;
 
@@ -5221,28 +5429,28 @@ test_ECDSA_KAT(br_ecdsa_sign sign, br_ecdsa_vrfy vrfy, int asn1)
                        sig_len = hextobin(sig, kv->sraw);
                }
 
                        sig_len = hextobin(sig, kv->sraw);
                }
 
-               if (vrfy(&br_ec_prime_i31, hash, hash_len,
+               if (vrfy(iec, hash, hash_len,
                        kv->pub, sig, sig_len) != 1)
                {
                        fprintf(stderr, "ECDSA KAT verify failed (1)\n");
                        exit(EXIT_FAILURE);
                }
                hash[0] ^= 0x80;
                        kv->pub, sig, sig_len) != 1)
                {
                        fprintf(stderr, "ECDSA KAT verify failed (1)\n");
                        exit(EXIT_FAILURE);
                }
                hash[0] ^= 0x80;
-               if (vrfy(&br_ec_prime_i31, hash, hash_len,
+               if (vrfy(iec, hash, hash_len,
                        kv->pub, sig, sig_len) != 0)
                {
                        fprintf(stderr, "ECDSA KAT verify shoud have failed\n");
                        exit(EXIT_FAILURE);
                }
                hash[0] ^= 0x80;
                        kv->pub, sig, sig_len) != 0)
                {
                        fprintf(stderr, "ECDSA KAT verify shoud have failed\n");
                        exit(EXIT_FAILURE);
                }
                hash[0] ^= 0x80;
-               if (vrfy(&br_ec_prime_i31, hash, hash_len,
+               if (vrfy(iec, hash, hash_len,
                        kv->pub, sig, sig_len) != 1)
                {
                        fprintf(stderr, "ECDSA KAT verify failed (2)\n");
                        exit(EXIT_FAILURE);
                }
 
                        kv->pub, sig, sig_len) != 1)
                {
                        fprintf(stderr, "ECDSA KAT verify failed (2)\n");
                        exit(EXIT_FAILURE);
                }
 
-               sig2_len = sign(&br_ec_prime_i31, kv->hf, hash, kv->priv, sig2);
+               sig2_len = sign(iec, kv->hf, hash, kv->priv, sig2);
                if (sig2_len == 0) {
                        fprintf(stderr, "ECDSA KAT sign failed\n");
                        exit(EXIT_FAILURE);
                if (sig2_len == 0) {
                        fprintf(stderr, "ECDSA KAT sign failed\n");
                        exit(EXIT_FAILURE);
@@ -5264,10 +5472,29 @@ test_ECDSA_i31(void)
        fflush(stdout);
        printf("[raw]");
        fflush(stdout);
        fflush(stdout);
        printf("[raw]");
        fflush(stdout);
-       test_ECDSA_KAT(&br_ecdsa_i31_sign_raw, &br_ecdsa_i31_vrfy_raw, 0);
+       test_ECDSA_KAT(&br_ec_prime_i31,
+               &br_ecdsa_i31_sign_raw, &br_ecdsa_i31_vrfy_raw, 0);
+       printf(" [asn1]");
+       fflush(stdout);
+       test_ECDSA_KAT(&br_ec_prime_i31,
+               &br_ecdsa_i31_sign_asn1, &br_ecdsa_i31_vrfy_asn1, 1);
+       printf(" done.\n");
+       fflush(stdout);
+}
+
+static void
+test_ECDSA_i15(void)
+{
+       printf("Test ECDSA/i15: ");
+       fflush(stdout);
+       printf("[raw]");
+       fflush(stdout);
+       test_ECDSA_KAT(&br_ec_prime_i15,
+               &br_ecdsa_i15_sign_raw, &br_ecdsa_i15_vrfy_raw, 0);
        printf(" [asn1]");
        fflush(stdout);
        printf(" [asn1]");
        fflush(stdout);
-       test_ECDSA_KAT(&br_ecdsa_i31_sign_asn1, &br_ecdsa_i31_vrfy_asn1, 1);
+       test_ECDSA_KAT(&br_ec_prime_i31,
+               &br_ecdsa_i15_sign_asn1, &br_ecdsa_i15_vrfy_asn1, 1);
        printf(" done.\n");
        fflush(stdout);
 }
        printf(" done.\n");
        fflush(stdout);
 }
@@ -5336,13 +5563,23 @@ static const struct {
        STU(DES_ct),
        STU(ChaCha20_ct),
        STU(Poly1305_ctmul),
        STU(DES_ct),
        STU(ChaCha20_ct),
        STU(Poly1305_ctmul),
+       STU(Poly1305_ctmul32),
+       STU(Poly1305_i15),
+       STU(RSA_i15),
        STU(RSA_i31),
        STU(RSA_i32),
        STU(GHASH_ctmul),
        STU(GHASH_ctmul32),
        STU(GHASH_ctmul64),
        STU(RSA_i31),
        STU(RSA_i32),
        STU(GHASH_ctmul),
        STU(GHASH_ctmul32),
        STU(GHASH_ctmul64),
+       STU(EC_prime_i15),
        STU(EC_prime_i31),
        STU(EC_prime_i31),
-       /* STU(EC_prime_i32), */
+       STU(EC_p256_m15),
+       STU(EC_p256_m31),
+       STU(EC_c25519_i15),
+       STU(EC_c25519_i31),
+       STU(EC_c25519_m15),
+       STU(EC_c25519_m31),
+       STU(ECDSA_i15),
        STU(ECDSA_i31),
        { 0, 0 }
 };
        STU(ECDSA_i31),
        { 0, 0 }
 };