Two new Poly1305 implementations: ctmul32 uses pure 32-bit multiplications (MUL15...

[BearSSL] / test / test_crypto.c
diff --git a/test/test_crypto.c b/test/test_crypto.c

index 58615ec..b62ed3f 100644 (file)
--- a/test/test_crypto.c
+++ b/test/test_crypto.c
@@ -47,9 +47,9 @@ hextobin(unsigned char *dst, const char *src)
                 if (c >= '0' && c <= '9') {
                         c -= '0';
                 } else if (c >= 'A' && c <= 'F') {
                 if (c >= '0' && c <= '9') {
                         c -= '0';
                 } else if (c >= 'A' && c <= 'F') {
-                       c -= ('A' - 10); \
+                       c -= ('A' - 10);
                 } else if (c >= 'a' && c <= 'f') {
                 } else if (c >= 'a' && c <= 'f') {
-                       c -= ('a' - 10); \
+                       c -= ('a' - 10);
                 } else {
                         continue;
                 }
                 } else {
                         continue;
                 }
@@ -65,7 +65,7 @@ hextobin(unsigned char *dst, const char *src)
  }
  
  static void
  }
  
  static void
-check_equals(char *banner, const void *v1, const void *v2, size_t len)
+check_equals(const char *banner, const void *v1, const void *v2, size_t len)
  {
         size_t u;
         const unsigned char *b;
  {
         size_t u;
         const unsigned char *b;
@@ -4113,11 +4113,13 @@ static const struct {
  };
  
  static void
  };
  
  static void
-test_Poly1305_ctmul(void)
+test_Poly1305_inner(const char *name, br_poly1305_run ipoly,
+       br_poly1305_run iref)
  {
         size_t u;
  {
         size_t u;
+       br_hmac_drbg_context rng;
  
  
-       printf("Test Poly1305_ctmul: ");
+       printf("Test %s: ", name);
         fflush(stdout);
  
         for (u = 0; KAT_POLY1305[u].skey; u ++) {
         fflush(stdout);
  
         for (u = 0; KAT_POLY1305[u].skey; u ++) {
@@ -4133,7 +4135,7 @@ test_Poly1305_ctmul(void)
                 hextobin(tag, KAT_POLY1305[u].stag);
  
                 memcpy(data, plain, len);
                 hextobin(tag, KAT_POLY1305[u].stag);
  
                 memcpy(data, plain, len);
-               br_poly1305_ctmul_run(key, nonce, data, len,
+               ipoly(key, nonce, data, len,
                         aad, aad_len, tmp, br_chacha20_ct_run, 1);
                 if (memcmp(data, cipher, len) != 0) {
                         fprintf(stderr, "ChaCha20+Poly1305 KAT failed (1)\n");
                         aad, aad_len, tmp, br_chacha20_ct_run, 1);
                 if (memcmp(data, cipher, len) != 0) {
                         fprintf(stderr, "ChaCha20+Poly1305 KAT failed (1)\n");
@@ -4143,7 +4145,7 @@ test_Poly1305_ctmul(void)
                         fprintf(stderr, "ChaCha20+Poly1305 KAT failed (2)\n");
                         exit(EXIT_FAILURE);
                 }
                         fprintf(stderr, "ChaCha20+Poly1305 KAT failed (2)\n");
                         exit(EXIT_FAILURE);
                 }
-               br_poly1305_ctmul_run(key, nonce, data, len,
+               ipoly(key, nonce, data, len,
                         aad, aad_len, tmp, br_chacha20_ct_run, 0);
                 if (memcmp(data, plain, len) != 0) {
                         fprintf(stderr, "ChaCha20+Poly1305 KAT failed (3)\n");
                         aad, aad_len, tmp, br_chacha20_ct_run, 0);
                 if (memcmp(data, plain, len) != 0) {
                         fprintf(stderr, "ChaCha20+Poly1305 KAT failed (3)\n");
@@ -4158,10 +4160,66 @@ test_Poly1305_ctmul(void)
                 fflush(stdout);
         }
  
                 fflush(stdout);
         }
  
+       printf(" ");
+       fflush(stdout);
+
+       /*
+        * We compare the "ipoly" and "iref" implementations together on
+        * a bunch of pseudo-random messages.
+        */
+       br_hmac_drbg_init(&rng, &br_sha256_vtable, "seed for Poly1305", 17);
+       for (u = 0; u < 100; u ++) {
+               unsigned char plain[100], aad[100], tmp[100];
+               unsigned char key[32], iv[12], tag1[16], tag2[16];
+
+               br_hmac_drbg_generate(&rng, key, sizeof key);
+               br_hmac_drbg_generate(&rng, iv, sizeof iv);
+               br_hmac_drbg_generate(&rng, plain, u);
+               br_hmac_drbg_generate(&rng, aad, u);
+               memcpy(tmp, plain, u);
+               memset(tmp + u, 0xFF, (sizeof tmp) - u);
+               ipoly(key, iv, tmp, u, aad, u, tag1,
+                       &br_chacha20_ct_run, 1);
+               memset(tmp + u, 0x00, (sizeof tmp) - u);
+               iref(key, iv, tmp, u, aad, u, tag2,
+                       &br_chacha20_ct_run, 0);
+               if (memcmp(tmp, plain, u) != 0) {
+                       fprintf(stderr, "cross enc/dec failed\n");
+                       exit(EXIT_FAILURE);
+               }
+               if (memcmp(tag1, tag2, sizeof tag1) != 0) {
+                       fprintf(stderr, "cross MAC failed\n");
+                       exit(EXIT_FAILURE);
+               }
+               printf(".");
+               fflush(stdout);
+       }
+
         printf(" done.\n");
         fflush(stdout);
  }
  
         printf(" done.\n");
         fflush(stdout);
  }
  
+static void
+test_Poly1305_ctmul(void)
+{
+       test_Poly1305_inner("Poly1305_ctmul", &br_poly1305_ctmul_run,
+               &br_poly1305_i15_run);
+}
+
+static void
+test_Poly1305_ctmul32(void)
+{
+       test_Poly1305_inner("Poly1305_ctmul32", &br_poly1305_ctmul32_run,
+               &br_poly1305_i15_run);
+}
+
+static void
+test_Poly1305_i15(void)
+{
+       test_Poly1305_inner("Poly1305_i15", &br_poly1305_i15_run,
+               &br_poly1305_ctmul_run);
+}
+
  /*
   * A 1024-bit RSA key, generated with OpenSSL.
   */
  /*
   * A 1024-bit RSA key, generated with OpenSSL.
   */
@@ -4272,7 +4330,7 @@ static const br_rsa_private_key RSA_SK = {
  };
  
  static void
  };
  
  static void
-test_RSA_core(char *name, br_rsa_public fpub, br_rsa_private fpriv)
+test_RSA_core(const char *name, br_rsa_public fpub, br_rsa_private fpriv)
  {
         unsigned char t1[128], t2[128], t3[128];
  
  {
         unsigned char t1[128], t2[128], t3[128];
  
@@ -4300,24 +4358,95 @@ test_RSA_core(char *name, br_rsa_public fpub, br_rsa_private fpriv)
         fflush(stdout);
  }
  
         fflush(stdout);
  }
  
+static const unsigned char SHA1_OID[] = {
+       0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A
+};
+
+static void
+test_RSA_sign(const char *name, br_rsa_private fpriv,
+       br_rsa_pkcs1_sign fsign, br_rsa_pkcs1_vrfy fvrfy)
+{
+       unsigned char t1[128], t2[128];
+       unsigned char hv[20], tmp[20];
+       br_sha1_context hc;
+       size_t u;
+
+       printf("Test %s: ", name);
+       fflush(stdout);
+
+       /*
+        * Verify the KAT test (computed with OpenSSL).
+        */
+       hextobin(t1, "45A3DC6A106BCD3BD0E48FB579643AA3FF801E5903E80AA9B43A695A8E7F454E93FA208B69995FF7A6D5617C2FEB8E546375A664977A48931842AAE796B5A0D64393DCA35F3490FC157F5BD83B9D58C2F7926E6AE648A2BD96CAB8FCCD3D35BB11424AD47D973FF6D69CA774841AEC45DFAE99CCF79893E7047FDE6CB00AA76D");
+       br_sha1_init(&hc);
+       br_sha1_update(&hc, "test", 4);
+       br_sha1_out(&hc, hv);
+       if (!fvrfy(t1, sizeof t1, SHA1_OID, sizeof tmp, &RSA_PK, tmp)) {
+               fprintf(stderr, "Signature verification failed\n");
+               exit(EXIT_FAILURE);
+       }
+       check_equals("Extracted hash value", hv, tmp, sizeof tmp);
+
+       /*
+        * Regenerate the signature. This should yield the same value as
+        * the KAT test, since PKCS#1 v1.5 signatures are deterministic
+        * (except the usual detail about hash function parameter
+        * encoding, but OpenSSL uses the same convention as BearSSL).
+        */
+       if (!fsign(SHA1_OID, hv, 20, &RSA_SK, t2)) {
+               fprintf(stderr, "Signature generation failed\n");
+               exit(EXIT_FAILURE);
+       }
+       check_equals("Regenerated signature", t1, t2, sizeof t1);
+
+       /*
+        * Use the raw private core to generate fake signatures, where
+        * one byte of the padded hash value is altered. They should all be
+        * rejected.
+        */
+       hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003021300906052B0E03021A05000414A94A8FE5CCB19BA61C4C0873D391E987982FBBD3");
+       for (u = 0; u < (sizeof t2) - 20; u ++) {
+               memcpy(t1, t2, sizeof t2);
+               t1[u] ^= 0x01;
+               if (!fpriv(t1, &RSA_SK)) {
+                       fprintf(stderr, "RSA private key operation failed\n");
+                       exit(EXIT_FAILURE);
+               }
+               if (fvrfy(t1, sizeof t1, SHA1_OID, sizeof tmp, &RSA_PK, tmp)) {
+                       fprintf(stderr,
+                               "Signature verification should have failed\n");
+                       exit(EXIT_FAILURE);
+               }
+               printf(".");
+               fflush(stdout);
+       }
+
+       printf(" done.\n");
+       fflush(stdout);
+}
+
+static void
+test_RSA_i15(void)
+{
+       test_RSA_core("RSA i15 core", &br_rsa_i15_public, &br_rsa_i15_private);
+       test_RSA_sign("RSA i15 sign", &br_rsa_i15_private,
+               &br_rsa_i15_pkcs1_sign, &br_rsa_i15_pkcs1_vrfy);
+}
+
  static void
  test_RSA_i31(void)
  {
         test_RSA_core("RSA i31 core", &br_rsa_i31_public, &br_rsa_i31_private);
  static void
  test_RSA_i31(void)
  {
         test_RSA_core("RSA i31 core", &br_rsa_i31_public, &br_rsa_i31_private);
-       /* FIXME
-       test_RSA_sign("RSA i31 sign",
-               &br_rsa_i31_pkcs1_vrfy, &br_rsa_i31_pkcs1_sign);
-       */
+       test_RSA_sign("RSA i31 sign", &br_rsa_i31_private,
+               &br_rsa_i31_pkcs1_sign, &br_rsa_i31_pkcs1_vrfy);
  }
  
  static void
  test_RSA_i32(void)
  {
         test_RSA_core("RSA i32 core", &br_rsa_i32_public, &br_rsa_i32_private);
  }
  
  static void
  test_RSA_i32(void)
  {
         test_RSA_core("RSA i32 core", &br_rsa_i32_public, &br_rsa_i32_private);
-       /* FIXME
-       test_RSA_sign("RSA i32 sign",
-               &br_rsa_i32_pkcs1_vrfy, &br_rsa_i32_pkcs1_sign);
-       */
+       test_RSA_sign("RSA i32 sign", &br_rsa_i32_private,
+               &br_rsa_i32_pkcs1_sign, &br_rsa_i32_pkcs1_vrfy);
  }
  
  #if 0
  }
  
  #if 0
@@ -4489,7 +4618,7 @@ static const char *const KAT_GHASH[] = {
  };
  
  static void
  };
  
  static void
-test_GHASH(char *name, br_ghash gh)
+test_GHASH(const char *name, br_ghash gh)
  {
         size_t u;
  
  {
         size_t u;
  
@@ -4750,6 +4879,15 @@ test_EC_KAT(const char *name, const br_ec_impl *impl, uint32_t curve_mask)
         fflush(stdout);
  }
  
         fflush(stdout);
  }
  
+static void
+test_EC_prime_i15(void)
+{
+       test_EC_KAT("EC_prime_i15", &br_ec_prime_i15,
+               (uint32_t)1 << BR_EC_secp256r1
+               | (uint32_t)1 << BR_EC_secp384r1
+               | (uint32_t)1 << BR_EC_secp521r1);
+}
+
  static void
  test_EC_prime_i31(void)
  {
  static void
  test_EC_prime_i31(void)
  {
@@ -4759,6 +4897,13 @@ test_EC_prime_i31(void)
                 | (uint32_t)1 << BR_EC_secp521r1);
  }
  
                 | (uint32_t)1 << BR_EC_secp521r1);
  }
  
+static void
+test_EC_p256_i15(void)
+{
+       test_EC_KAT("EC_p256_i15", &br_ec_p256_i15,
+               (uint32_t)1 << BR_EC_secp256r1);
+}
+
  static const unsigned char EC_P256_PUB_POINT[] = {
         0x04, 0x60, 0xFE, 0xD4, 0xBA, 0x25, 0x5A, 0x9D,
         0x31, 0xC9, 0x61, 0xEB, 0x74, 0xC6, 0x35, 0x6D,
  static const unsigned char EC_P256_PUB_POINT[] = {
         0x04, 0x60, 0xFE, 0xD4, 0xBA, 0x25, 0x5A, 0x9D,
         0x31, 0xC9, 0x61, 0xEB, 0x74, 0xC6, 0x35, 0x6D,
@@ -5131,7 +5276,8 @@ const ecdsa_kat_vector ECDSA_KAT[] = {
  };
  
  static void
  };
  
  static void
-test_ECDSA_KAT(br_ecdsa_sign sign, br_ecdsa_vrfy vrfy, int asn1)
+test_ECDSA_KAT(const br_ec_impl *iec,
+       br_ecdsa_sign sign, br_ecdsa_vrfy vrfy, int asn1)
  {
         size_t u;
  
  {
         size_t u;
  
@@ -5158,28 +5304,28 @@ test_ECDSA_KAT(br_ecdsa_sign sign, br_ecdsa_vrfy vrfy, int asn1)
                         sig_len = hextobin(sig, kv->sraw);
                 }
  
                         sig_len = hextobin(sig, kv->sraw);
                 }
  
-               if (vrfy(&br_ec_prime_i31, hash, hash_len,
+               if (vrfy(iec, hash, hash_len,
                         kv->pub, sig, sig_len) != 1)
                 {
                         fprintf(stderr, "ECDSA KAT verify failed (1)\n");
                         exit(EXIT_FAILURE);
                 }
                 hash[0] ^= 0x80;
                         kv->pub, sig, sig_len) != 1)
                 {
                         fprintf(stderr, "ECDSA KAT verify failed (1)\n");
                         exit(EXIT_FAILURE);
                 }
                 hash[0] ^= 0x80;
-               if (vrfy(&br_ec_prime_i31, hash, hash_len,
+               if (vrfy(iec, hash, hash_len,
                         kv->pub, sig, sig_len) != 0)
                 {
                         fprintf(stderr, "ECDSA KAT verify shoud have failed\n");
                         exit(EXIT_FAILURE);
                 }
                 hash[0] ^= 0x80;
                         kv->pub, sig, sig_len) != 0)
                 {
                         fprintf(stderr, "ECDSA KAT verify shoud have failed\n");
                         exit(EXIT_FAILURE);
                 }
                 hash[0] ^= 0x80;
-               if (vrfy(&br_ec_prime_i31, hash, hash_len,
+               if (vrfy(iec, hash, hash_len,
                         kv->pub, sig, sig_len) != 1)
                 {
                         fprintf(stderr, "ECDSA KAT verify failed (2)\n");
                         exit(EXIT_FAILURE);
                 }
  
                         kv->pub, sig, sig_len) != 1)
                 {
                         fprintf(stderr, "ECDSA KAT verify failed (2)\n");
                         exit(EXIT_FAILURE);
                 }
  
-               sig2_len = sign(&br_ec_prime_i31, kv->hf, hash, kv->priv, sig2);
+               sig2_len = sign(iec, kv->hf, hash, kv->priv, sig2);
                 if (sig2_len == 0) {
                         fprintf(stderr, "ECDSA KAT sign failed\n");
                         exit(EXIT_FAILURE);
                 if (sig2_len == 0) {
                         fprintf(stderr, "ECDSA KAT sign failed\n");
                         exit(EXIT_FAILURE);
@@ -5201,10 +5347,29 @@ test_ECDSA_i31(void)
         fflush(stdout);
         printf("[raw]");
         fflush(stdout);
         fflush(stdout);
         printf("[raw]");
         fflush(stdout);
-       test_ECDSA_KAT(&br_ecdsa_i31_sign_raw, &br_ecdsa_i31_vrfy_raw, 0);
+       test_ECDSA_KAT(&br_ec_prime_i31,
+               &br_ecdsa_i31_sign_raw, &br_ecdsa_i31_vrfy_raw, 0);
+       printf(" [asn1]");
+       fflush(stdout);
+       test_ECDSA_KAT(&br_ec_prime_i31,
+               &br_ecdsa_i31_sign_asn1, &br_ecdsa_i31_vrfy_asn1, 1);
+       printf(" done.\n");
+       fflush(stdout);
+}
+
+static void
+test_ECDSA_i15(void)
+{
+       printf("Test ECDSA/i15: ");
+       fflush(stdout);
+       printf("[raw]");
+       fflush(stdout);
+       test_ECDSA_KAT(&br_ec_prime_i15,
+               &br_ecdsa_i15_sign_raw, &br_ecdsa_i15_vrfy_raw, 0);
         printf(" [asn1]");
         fflush(stdout);
         printf(" [asn1]");
         fflush(stdout);
-       test_ECDSA_KAT(&br_ecdsa_i31_sign_asn1, &br_ecdsa_i31_vrfy_asn1, 1);
+       test_ECDSA_KAT(&br_ec_prime_i31,
+               &br_ecdsa_i15_sign_asn1, &br_ecdsa_i15_vrfy_asn1, 1);
         printf(" done.\n");
         fflush(stdout);
  }
         printf(" done.\n");
         fflush(stdout);
  }
@@ -5252,7 +5417,7 @@ eq_name(const char *s1, const char *s2)
  
  static const struct {
         void (*fn)(void);
  
  static const struct {
         void (*fn)(void);
-       char *name;
+       const char *name;
  } tfns[] = {
         STU(MD5),
         STU(SHA1),
  } tfns[] = {
         STU(MD5),
         STU(SHA1),
@@ -5273,13 +5438,19 @@ static const struct {
         STU(DES_ct),
         STU(ChaCha20_ct),
         STU(Poly1305_ctmul),
         STU(DES_ct),
         STU(ChaCha20_ct),
         STU(Poly1305_ctmul),
+       STU(Poly1305_ctmul32),
+       STU(Poly1305_i15),
+       STU(RSA_i15),
         STU(RSA_i31),
         STU(RSA_i32),
         STU(GHASH_ctmul),
         STU(GHASH_ctmul32),
         STU(GHASH_ctmul64),
         STU(RSA_i31),
         STU(RSA_i32),
         STU(GHASH_ctmul),
         STU(GHASH_ctmul32),
         STU(GHASH_ctmul64),
+       STU(EC_prime_i15),
         STU(EC_prime_i31),
         STU(EC_prime_i31),
+       STU(EC_p256_i15),
         /* STU(EC_prime_i32), */
         /* STU(EC_prime_i32), */
+       STU(ECDSA_i15),
         STU(ECDSA_i31),
         { 0, 0 }
  };
         STU(ECDSA_i31),
         { 0, 0 }
  };