8 #include "knuth-lfib.h"
10 #include "nettle-internal.h"
16 die(const char *format, ...)
19 va_start(args, format);
20 vfprintf(stderr, format, args);
29 void *p = malloc(size);
32 fprintf(stderr, "Virtual memory exhausted.\n");
39 static struct tstring *tstring_first = NULL;
42 tstring_alloc (size_t length)
44 struct tstring *s = xalloc(sizeof(struct tstring) + length);
46 s->next = tstring_first;
47 /* NUL-terminate, for convenience. */
48 s->data[length] = '\0';
58 struct tstring *s = tstring_first;
59 tstring_first = s->next;
65 tstring_data(size_t length, const char *data)
67 struct tstring *s = tstring_alloc (length);
68 memcpy (s->data, data, length);
73 tstring_hex(const char *hex)
75 struct base16_decode_ctx ctx;
77 size_t length = strlen(hex);
79 s = tstring_alloc(BASE16_DECODE_LENGTH (length));
80 base16_decode_init (&ctx);
81 ASSERT (base16_decode_update (&ctx, &s->length, s->data,
83 ASSERT (base16_decode_final (&ctx));
89 tstring_print_hex(const struct tstring *s)
91 print_hex (s->length, s->data);
95 print_hex(size_t length, const uint8_t *data)
99 for (i = 0; i < length; i++)
112 printf("%02x", data[i]);
120 main(int argc, char **argv)
124 if (argc == 2 && !strcmp(argv[1], "-v"))
128 fprintf(stderr, "Invalid argument `%s', only accepted option is `-v'.\n",
141 test_cipher(const struct nettle_cipher *cipher,
142 const struct tstring *key,
143 const struct tstring *cleartext,
144 const struct tstring *ciphertext)
146 void *ctx = xalloc(cipher->context_size);
147 uint8_t *data = xalloc(cleartext->length);
149 ASSERT (cleartext->length == ciphertext->length);
150 length = cleartext->length;
152 ASSERT (key->length == cipher->key_size);
153 cipher->set_encrypt_key(ctx, key->data);
154 cipher->encrypt(ctx, length, data, cleartext->data);
156 if (!MEMEQ(length, data, ciphertext->data))
158 fprintf(stderr, "Encrypt failed:\nInput:");
159 tstring_print_hex(cleartext);
160 fprintf(stderr, "\nOutput: ");
161 print_hex(length, data);
162 fprintf(stderr, "\nExpected:");
163 tstring_print_hex(ciphertext);
164 fprintf(stderr, "\n");
167 cipher->set_decrypt_key(ctx, key->data);
168 cipher->decrypt(ctx, length, data, data);
170 if (!MEMEQ(length, data, cleartext->data))
172 fprintf(stderr, "Decrypt failed:\nInput:");
173 tstring_print_hex(ciphertext);
174 fprintf(stderr, "\nOutput: ");
175 print_hex(length, data);
176 fprintf(stderr, "\nExpected:");
177 tstring_print_hex(cleartext);
178 fprintf(stderr, "\n");
187 test_cipher_cbc(const struct nettle_cipher *cipher,
188 const struct tstring *key,
189 const struct tstring *cleartext,
190 const struct tstring *ciphertext,
191 const struct tstring *iiv)
193 void *ctx = xalloc(cipher->context_size);
195 uint8_t *iv = xalloc(cipher->block_size);
198 ASSERT (cleartext->length == ciphertext->length);
199 length = cleartext->length;
201 ASSERT (key->length == cipher->key_size);
202 ASSERT (iiv->length == cipher->block_size);
204 data = xalloc(length);
205 cipher->set_encrypt_key(ctx, key->data);
206 memcpy(iv, iiv->data, cipher->block_size);
208 cbc_encrypt(ctx, cipher->encrypt,
209 cipher->block_size, iv,
210 length, data, cleartext->data);
212 if (!MEMEQ(length, data, ciphertext->data))
214 fprintf(stderr, "CBC encrypt failed:\nInput:");
215 tstring_print_hex(cleartext);
216 fprintf(stderr, "\nOutput: ");
217 print_hex(length, data);
218 fprintf(stderr, "\nExpected:");
219 tstring_print_hex(ciphertext);
220 fprintf(stderr, "\n");
223 cipher->set_decrypt_key(ctx, key->data);
224 memcpy(iv, iiv->data, cipher->block_size);
226 cbc_decrypt(ctx, cipher->decrypt,
227 cipher->block_size, iv,
230 if (!MEMEQ(length, data, cleartext->data))
232 fprintf(stderr, "CBC decrypt failed:\nInput:");
233 tstring_print_hex(ciphertext);
234 fprintf(stderr, "\nOutput: ");
235 print_hex(length, data);
236 fprintf(stderr, "\nExpected:");
237 tstring_print_hex(cleartext);
238 fprintf(stderr, "\n");
248 test_cipher_ctr(const struct nettle_cipher *cipher,
249 const struct tstring *key,
250 const struct tstring *cleartext,
251 const struct tstring *ciphertext,
252 const struct tstring *ictr)
254 void *ctx = xalloc(cipher->context_size);
256 uint8_t *ctr = xalloc(cipher->block_size);
257 uint8_t *octr = xalloc(cipher->block_size);
258 size_t length, nblocks;
261 ASSERT (cleartext->length == ciphertext->length);
262 length = cleartext->length;
264 ASSERT (key->length == cipher->key_size);
265 ASSERT (ictr->length == cipher->block_size);
267 /* Compute expected counter value after the operation. */
268 nblocks = (length + cipher->block_size - 1) / cipher->block_size;
269 ASSERT (nblocks < 0x100);
271 memcpy (octr, ictr->data, cipher->block_size - 1);
272 low = ictr->data[cipher->block_size - 1] + nblocks;
273 octr[cipher->block_size - 1] = low;
276 INCREMENT (cipher->block_size - 1, octr);
278 data = xalloc(length);
280 cipher->set_encrypt_key(ctx, key->data);
281 memcpy(ctr, ictr->data, cipher->block_size);
283 ctr_crypt(ctx, cipher->encrypt,
284 cipher->block_size, ctr,
285 length, data, cleartext->data);
287 if (!MEMEQ(length, data, ciphertext->data))
289 fprintf(stderr, "CTR encrypt failed:\nInput:");
290 tstring_print_hex(cleartext);
291 fprintf(stderr, "\nOutput: ");
292 print_hex(length, data);
293 fprintf(stderr, "\nExpected:");
294 tstring_print_hex(ciphertext);
295 fprintf(stderr, "\n");
299 ASSERT (MEMEQ (cipher->block_size, ctr, octr));
301 memcpy(ctr, ictr->data, cipher->block_size);
303 ctr_crypt(ctx, cipher->encrypt,
304 cipher->block_size, ctr,
307 if (!MEMEQ(length, data, cleartext->data))
309 fprintf(stderr, "CTR decrypt failed:\nInput:");
310 tstring_print_hex(ciphertext);
311 fprintf(stderr, "\nOutput: ");
312 print_hex(length, data);
313 fprintf(stderr, "\nExpected:");
314 tstring_print_hex(cleartext);
315 fprintf(stderr, "\n");
319 ASSERT (MEMEQ (cipher->block_size, ctr, octr));
329 test_cipher_stream(const struct nettle_cipher *cipher,
330 const struct tstring *key,
331 const struct tstring *cleartext,
332 const struct tstring *ciphertext)
336 void *ctx = xalloc(cipher->context_size);
340 ASSERT (cleartext->length == ciphertext->length);
341 length = cleartext->length;
343 data = xalloc(length + 1);
345 for (block = 1; block <= length; block++)
349 memset(data, 0x17, length + 1);
350 cipher->set_encrypt_key(ctx, key->length, key->data);
352 for (i = 0; i + block < length; i += block)
354 cipher->encrypt(ctx, block, data + i, cleartext->data + i);
355 ASSERT (data[i + block] == 0x17);
358 cipher->encrypt(ctx, length - i, data + i, cleartext->data + i);
359 ASSERT (data[length] == 0x17);
361 if (!MEMEQ(length, data, ciphertext->data))
363 fprintf(stderr, "Encrypt failed, block size %lu\nInput:",
364 (unsigned long) block);
365 tstring_print_hex(cleartext);
366 fprintf(stderr, "\nOutput: ");
367 print_hex(length, data);
368 fprintf(stderr, "\nExpected:");
369 tstring_print_hex(ciphertext);
370 fprintf(stderr, "\n");
375 cipher->set_decrypt_key(ctx, key->length, key->data);
376 cipher->decrypt(ctx, length, data, data);
378 ASSERT (data[length] == 0x17);
380 if (!MEMEQ(length, data, cleartext->data))
382 fprintf(stderr, "Decrypt failed\nInput:");
383 tstring_print_hex(ciphertext);
384 fprintf(stderr, "\nOutput: ");
385 print_hex(length, data);
386 fprintf(stderr, "\nExpected:");
387 tstring_print_hex(cleartext);
388 fprintf(stderr, "\n");
398 test_aead(const struct nettle_aead *aead,
399 nettle_hash_update_func *set_nonce,
400 const struct tstring *key,
401 const struct tstring *authtext,
402 const struct tstring *cleartext,
403 const struct tstring *ciphertext,
404 const struct tstring *nonce,
405 const struct tstring *digest)
407 void *ctx = xalloc(aead->context_size);
409 uint8_t *buffer = xalloc(aead->digest_size);
412 ASSERT (cleartext->length == ciphertext->length);
413 length = cleartext->length;
415 ASSERT (key->length == aead->key_size);
416 ASSERT (digest->length <= aead->digest_size);
418 data = xalloc(length);
421 memset(buffer, 0, aead->digest_size);
422 aead->set_encrypt_key(ctx, key->data);
424 if (nonce->length != aead->nonce_size)
427 set_nonce (ctx, nonce->length, nonce->data);
430 aead->set_nonce(ctx, nonce->data);
432 if (authtext->length)
433 aead->update(ctx, authtext->length, authtext->data);
436 aead->encrypt(ctx, length, data, cleartext->data);
438 aead->digest(ctx, digest->length, buffer);
440 ASSERT(MEMEQ(length, data, ciphertext->data));
441 ASSERT(MEMEQ(digest->length, buffer, digest->data));
444 memset(buffer, 0, aead->digest_size);
446 aead->set_decrypt_key(ctx, key->data);
448 if (nonce->length != aead->nonce_size)
451 set_nonce (ctx, nonce->length, nonce->data);
454 aead->set_nonce(ctx, nonce->data);
456 if (authtext->length)
457 aead->update(ctx, authtext->length, authtext->data);
460 aead->decrypt(ctx, length, data, data);
462 aead->digest(ctx, digest->length, buffer);
464 ASSERT(MEMEQ(length, data, cleartext->data));
465 ASSERT(MEMEQ(digest->length, buffer, digest->data));
473 test_hash(const struct nettle_hash *hash,
474 const struct tstring *msg,
475 const struct tstring *digest)
477 void *ctx = xalloc(hash->context_size);
478 uint8_t *buffer = xalloc(hash->digest_size);
482 ASSERT (digest->length == hash->digest_size);
485 hash->update(ctx, msg->length, msg->data);
486 hash->digest(ctx, hash->digest_size, buffer);
488 if (MEMEQ(hash->digest_size, digest->data, buffer) == 0)
490 fprintf(stdout, "\nGot:\n");
491 print_hex(hash->digest_size, buffer);
492 fprintf(stdout, "\nExpected:\n");
493 print_hex(hash->digest_size, digest->data);
497 memset(buffer, 0, hash->digest_size);
499 hash->update(ctx, msg->length, msg->data);
500 hash->digest(ctx, hash->digest_size - 1, buffer);
502 ASSERT(MEMEQ(hash->digest_size - 1, digest->data, buffer));
504 ASSERT(buffer[hash->digest_size - 1] == 0);
506 input = xalloc (msg->length + 16);
507 for (offset = 0; offset < 16; offset++)
509 memset (input, 0, msg->length + 16);
510 memcpy (input + offset, msg->data, msg->length);
511 hash->update (ctx, msg->length, input + offset);
512 hash->digest (ctx, hash->digest_size, buffer);
513 if (MEMEQ(hash->digest_size, digest->data, buffer) == 0)
515 fprintf(stdout, "hash input address: %p\nGot:\n", input + offset);
516 print_hex(hash->digest_size, buffer);
517 fprintf(stdout, "\nExpected:\n");
518 print_hex(hash->digest_size, digest->data);
528 test_hash_large(const struct nettle_hash *hash,
529 size_t count, size_t length,
531 const struct tstring *digest)
533 void *ctx = xalloc(hash->context_size);
534 uint8_t *buffer = xalloc(hash->digest_size);
535 uint8_t *data = xalloc(length);
538 ASSERT (digest->length == hash->digest_size);
540 memset(data, c, length);
543 for (i = 0; i < count; i++)
545 hash->update(ctx, length, data);
546 if (i % (count / 50) == 0)
547 fprintf (stderr, ".");
549 fprintf (stderr, "\n");
551 hash->digest(ctx, hash->digest_size, buffer);
553 print_hex(hash->digest_size, buffer);
555 ASSERT (MEMEQ(hash->digest_size, digest->data, buffer));
563 test_armor(const struct nettle_armor *armor,
566 const uint8_t *ascii)
568 size_t ascii_length = strlen(ascii);
569 uint8_t *buffer = xalloc(1 + ascii_length);
570 uint8_t *check = xalloc(1 + armor->decode_length(ascii_length));
571 void *encode = xalloc(armor->encode_context_size);
572 void *decode = xalloc(armor->decode_context_size);
576 <= (armor->encode_length(data_length) + armor->encode_final_length));
577 ASSERT(data_length <= armor->decode_length(ascii_length));
579 memset(buffer, 0x33, 1 + ascii_length);
580 memset(check, 0x55, 1 + data_length);
582 armor->encode_init(encode);
584 done = armor->encode_update(encode, buffer, data_length, data);
585 done += armor->encode_final(encode, buffer + done);
586 ASSERT(done == ascii_length);
588 ASSERT (MEMEQ(ascii_length, buffer, ascii));
589 ASSERT (0x33 == buffer[strlen(ascii)]);
591 armor->decode_init(decode);
592 done = armor->decode_length(ascii_length);
594 ASSERT(armor->decode_update(decode, &done, check, ascii_length, buffer));
595 ASSERT(done == data_length);
596 ASSERT(armor->decode_final(decode));
598 ASSERT (MEMEQ(data_length, check, data));
599 ASSERT (0x55 == check[data_length]);
610 /* Missing in older gmp */
612 mpz_combit (mpz_t x, unsigned long int bit)
614 if (mpz_tstbit(x, bit))
623 mpn_zero_p (mp_srcptr ap, mp_size_t n)
635 mpn_out_str (FILE *f, int base, const mp_limb_t *xp, mp_size_t xn)
638 mpz_out_str (f, base, mpz_roinit_n (x, xp, xn));
641 #if NETTLE_USE_MINI_GMP
643 gmp_randinit_default (struct knuth_lfib_ctx *ctx)
645 knuth_lfib_init (ctx, 17);
648 mpz_urandomb (mpz_t r, struct knuth_lfib_ctx *ctx, mp_bitcnt_t bits)
650 size_t bytes = (bits+7)/8;
651 uint8_t *buf = xalloc (bytes);
653 knuth_lfib_random (ctx, bytes, buf);
654 buf[bytes-1] &= 0xff >> (8*bytes - bits);
655 nettle_mpz_set_str_256_u (r, bytes, buf);
658 #endif /* NETTLE_USE_MINI_GMP */
661 xalloc_limbs (mp_size_t n)
663 return xalloc (n * sizeof (mp_limb_t));
666 /* Expects local variables pub, key, rstate, digest, signature */
667 #define SIGN(hash, msg, expected) do { \
668 hash##_update(&hash, LDATA(msg)); \
669 ASSERT(rsa_##hash##_sign(key, &hash, signature)); \
672 fprintf(stderr, "rsa-%s signature: ", #hash); \
673 mpz_out_str(stderr, 16, signature); \
674 fprintf(stderr, "\n"); \
676 ASSERT(mpz_cmp (signature, expected) == 0); \
678 hash##_update(&hash, LDATA(msg)); \
679 ASSERT(rsa_##hash##_sign_tr(pub, key, &rstate, \
680 (nettle_random_func *) knuth_lfib_random, \
681 &hash, signature)); \
682 ASSERT(mpz_cmp (signature, expected) == 0); \
684 hash##_update(&hash, LDATA(msg)); \
685 hash##_digest(&hash, sizeof(digest), digest); \
686 ASSERT(rsa_##hash##_sign_digest(key, digest, signature)); \
687 ASSERT(mpz_cmp (signature, expected) == 0); \
689 ASSERT(rsa_##hash##_sign_digest_tr(pub, key, &rstate, \
690 (nettle_random_func *)knuth_lfib_random, \
691 digest, signature)); \
692 ASSERT(mpz_cmp (signature, expected) == 0); \
695 #define VERIFY(key, hash, msg, signature) ( \
696 hash##_update(&hash, LDATA(msg)), \
697 rsa_##hash##_verify(key, &hash, signature) \
701 test_rsa_set_key_1(struct rsa_public_key *pub,
702 struct rsa_private_key *key)
704 /* Initialize key pair for test programs */
705 /* 1000-bit key, generated by
707 * lsh-keygen -a rsa -l 1000 -f advanced-hex
709 * (private-key (rsa-pkcs1
710 * (n #69abd505285af665 36ddc7c8f027e6f0 ed435d6748b16088
711 * 4fd60842b3a8d7fb bd8a3c98f0cc50ae 4f6a9f7dd73122cc
712 * ec8afa3f77134406 f53721973115fc2d 8cfbba23b145f28d
713 * 84f81d3b6ae8ce1e 2850580c026e809b cfbb52566ea3a3b3
714 * df7edf52971872a7 e35c1451b8636d22 279a8fb299368238
717 * (d #3240a56f4cd0dcc2 4a413eb4ea545259 5c83d771a1c2ba7b
718 * ec47c5b43eb4b374 09bd2aa1e236dd86 481eb1768811412f
719 * f8d91be3545912af b55c014cb55ceac6 54216af3b85d5c4f
720 * 4a32894e3b5dfcde 5b2875aa4dc8d9a8 6afd0ca92ef50d35
721 * bd09f1c47efb4c8d c631e07698d362aa 4a83fd304e66d6c5
723 * (p #0a66399919be4b4d e5a78c5ea5c85bf9 aba8c013cb4a8732
724 * 14557a12bd67711e bb4073fd39ad9a86 f4e80253ad809e5b
725 * f2fad3bc37f6f013 273c9552c9f489#)
726 * (q #0a294f069f118625 f5eae2538db9338c 776a298eae953329
727 * 9fd1eed4eba04e82 b2593bc98ba8db27 de034da7daaea795
728 * 2d55b07b5f9a5875 d1ca5f6dcab897#)
729 * (a #011b6c48eb592eee e85d1bb35cfb6e07 344ea0b5e5f03a28
730 * 5b405396cbc78c5c 868e961db160ba8d 4b984250930cf79a
731 * 1bf8a9f28963de53 128aa7d690eb87#)
732 * (b #0409ecf3d2557c88 214f1af5e1f17853 d8b2d63782fa5628
733 * 60cf579b0833b7ff 5c0529f2a97c6452 2fa1a8878a9635ab
734 * ce56debf431bdec2 70b308fa5bf387#)
735 * (c #04e103ee925cb5e6 6653949fa5e1a462 c9e65e1adcd60058
736 * e2df9607cee95fa8 daec7a389a7d9afc 8dd21fef9d83805a
737 * 40d46f49676a2f6b 2926f70c572c00#)))
741 "69abd505285af665" "36ddc7c8f027e6f0" "ed435d6748b16088"
742 "4fd60842b3a8d7fb" "bd8a3c98f0cc50ae" "4f6a9f7dd73122cc"
743 "ec8afa3f77134406" "f53721973115fc2d" "8cfbba23b145f28d"
744 "84f81d3b6ae8ce1e" "2850580c026e809b" "cfbb52566ea3a3b3"
745 "df7edf52971872a7" "e35c1451b8636d22" "279a8fb299368238"
747 mpz_set_str(pub->e, "0db2ad57", 16);
749 ASSERT (rsa_public_key_prepare(pub));
754 "3240a56f4cd0dcc2" "4a413eb4ea545259" "5c83d771a1c2ba7b"
755 "ec47c5b43eb4b374" "09bd2aa1e236dd86" "481eb1768811412f"
756 "f8d91be3545912af" "b55c014cb55ceac6" "54216af3b85d5c4f"
757 "4a32894e3b5dfcde" "5b2875aa4dc8d9a8" "6afd0ca92ef50d35"
758 "bd09f1c47efb4c8d" "c631e07698d362aa" "4a83fd304e66d6c5"
763 "0a66399919be4b4d" "e5a78c5ea5c85bf9" "aba8c013cb4a8732"
764 "14557a12bd67711e" "bb4073fd39ad9a86" "f4e80253ad809e5b"
765 "f2fad3bc37f6f013" "273c9552c9f489", 16);
768 "0a294f069f118625" "f5eae2538db9338c" "776a298eae953329"
769 "9fd1eed4eba04e82" "b2593bc98ba8db27" "de034da7daaea795"
770 "2d55b07b5f9a5875" "d1ca5f6dcab897", 16);
773 "011b6c48eb592eee" "e85d1bb35cfb6e07" "344ea0b5e5f03a28"
774 "5b405396cbc78c5c" "868e961db160ba8d" "4b984250930cf79a"
775 "1bf8a9f28963de53" "128aa7d690eb87", 16);
778 "0409ecf3d2557c88" "214f1af5e1f17853" "d8b2d63782fa5628"
779 "60cf579b0833b7ff" "5c0529f2a97c6452" "2fa1a8878a9635ab"
780 "ce56debf431bdec2" "70b308fa5bf387", 16);
783 "04e103ee925cb5e6" "6653949fa5e1a462" "c9e65e1adcd60058"
784 "e2df9607cee95fa8" "daec7a389a7d9afc" "8dd21fef9d83805a"
785 "40d46f49676a2f6b" "2926f70c572c00", 16);
787 ASSERT (rsa_private_key_prepare(key));
788 ASSERT (pub->size == key->size);
792 test_rsa_md5(struct rsa_public_key *pub,
793 struct rsa_private_key *key,
797 struct knuth_lfib_ctx rstate;
798 uint8_t digest[MD5_DIGEST_SIZE];
803 knuth_lfib_init (&rstate, 15);
805 SIGN(md5, "The magic words are squeamish ossifrage", expected);
808 ASSERT (!VERIFY(pub, md5,
809 "The magick words are squeamish ossifrage", signature));
811 /* Try correct data */
812 ASSERT (VERIFY(pub, md5,
813 "The magic words are squeamish ossifrage", signature));
815 /* Try bad signature */
816 mpz_combit(signature, 17);
817 ASSERT (!VERIFY(pub, md5,
818 "The magic words are squeamish ossifrage", signature));
820 mpz_clear(signature);
824 test_rsa_sha1(struct rsa_public_key *pub,
825 struct rsa_private_key *key,
828 struct sha1_ctx sha1;
829 struct knuth_lfib_ctx rstate;
830 uint8_t digest[SHA1_DIGEST_SIZE];
835 knuth_lfib_init (&rstate, 16);
837 SIGN(sha1, "The magic words are squeamish ossifrage", expected);
840 ASSERT (!VERIFY(pub, sha1,
841 "The magick words are squeamish ossifrage", signature));
843 /* Try correct data */
844 ASSERT (VERIFY(pub, sha1,
845 "The magic words are squeamish ossifrage", signature));
847 /* Try bad signature */
848 mpz_combit(signature, 17);
849 ASSERT (!VERIFY(pub, sha1,
850 "The magic words are squeamish ossifrage", signature));
852 mpz_clear(signature);
856 test_rsa_sha256(struct rsa_public_key *pub,
857 struct rsa_private_key *key,
860 struct sha256_ctx sha256;
861 struct knuth_lfib_ctx rstate;
862 uint8_t digest[SHA256_DIGEST_SIZE];
865 sha256_init(&sha256);
867 knuth_lfib_init (&rstate, 17);
869 SIGN(sha256, "The magic words are squeamish ossifrage", expected);
872 ASSERT (!VERIFY(pub, sha256,
873 "The magick words are squeamish ossifrage", signature));
875 /* Try correct data */
876 ASSERT (VERIFY(pub, sha256,
877 "The magic words are squeamish ossifrage", signature));
879 /* Try bad signature */
880 mpz_combit(signature, 17);
881 ASSERT (!VERIFY(pub, sha256,
882 "The magic words are squeamish ossifrage", signature));
884 mpz_clear(signature);
888 test_rsa_sha512(struct rsa_public_key *pub,
889 struct rsa_private_key *key,
892 struct sha512_ctx sha512;
893 struct knuth_lfib_ctx rstate;
894 uint8_t digest[SHA512_DIGEST_SIZE];
897 sha512_init(&sha512);
899 knuth_lfib_init (&rstate, 18);
901 SIGN(sha512, "The magic words are squeamish ossifrage", expected);
904 ASSERT (!VERIFY(pub, sha512,
905 "The magick words are squeamish ossifrage", signature));
907 /* Try correct data */
908 ASSERT (VERIFY(pub, sha512,
909 "The magic words are squeamish ossifrage", signature));
911 /* Try bad signature */
912 mpz_combit(signature, 17);
913 ASSERT (!VERIFY(pub, sha512,
914 "The magic words are squeamish ossifrage", signature));
916 mpz_clear(signature);
923 test_rsa_key(struct rsa_public_key *pub,
924 struct rsa_private_key *key)
929 mpz_init(tmp); mpz_init(phi);
933 /* FIXME: Use gmp_printf */
934 fprintf(stderr, "Public key: n=");
935 mpz_out_str(stderr, 16, pub->n);
936 fprintf(stderr, "\n e=");
937 mpz_out_str(stderr, 16, pub->e);
939 fprintf(stderr, "\n\nPrivate key: d=");
940 mpz_out_str(stderr, 16, key->d);
941 fprintf(stderr, "\n p=");
942 mpz_out_str(stderr, 16, key->p);
943 fprintf(stderr, "\n q=");
944 mpz_out_str(stderr, 16, key->q);
945 fprintf(stderr, "\n a=");
946 mpz_out_str(stderr, 16, key->a);
947 fprintf(stderr, "\n b=");
948 mpz_out_str(stderr, 16, key->b);
949 fprintf(stderr, "\n c=");
950 mpz_out_str(stderr, 16, key->c);
951 fprintf(stderr, "\n\n");
955 mpz_mul(tmp, key->p, key->q);
956 ASSERT (mpz_cmp(tmp, pub->n)== 0);
958 /* Check c q = 1 mod p */
959 mpz_mul(tmp, key->c, key->q);
960 mpz_fdiv_r(tmp, tmp, key->p);
961 ASSERT (mpz_cmp_ui(tmp, 1) == 0);
963 /* Check ed = 1 (mod phi) */
964 mpz_sub_ui(phi, key->p, 1);
965 mpz_sub_ui(tmp, key->q, 1);
967 mpz_mul(phi, phi, tmp);
969 mpz_mul(tmp, pub->e, key->d);
970 mpz_fdiv_r(tmp, tmp, phi);
971 ASSERT (mpz_cmp_ui(tmp, 1) == 0);
973 /* Check a e = 1 (mod (p-1) ) */
974 mpz_sub_ui(phi, key->p, 1);
975 mpz_mul(tmp, pub->e, key->a);
976 mpz_fdiv_r(tmp, tmp, phi);
977 ASSERT (mpz_cmp_ui(tmp, 1) == 0);
979 /* Check b e = 1 (mod (q-1) ) */
980 mpz_sub_ui(phi, key->q, 1);
981 mpz_mul(tmp, pub->e, key->b);
982 mpz_fdiv_r(tmp, tmp, phi);
983 ASSERT (mpz_cmp_ui(tmp, 1) == 0);
985 mpz_clear(tmp); mpz_clear(phi);
988 /* Requires that the context is named like the hash algorithm. */
989 #define DSA_VERIFY(key, hash, msg, signature) \
990 (hash##_update(&hash, LDATA(msg)), \
991 dsa_##hash##_verify(key, &hash, signature))
994 test_dsa160(const struct dsa_public_key *pub,
995 const struct dsa_private_key *key,
996 const struct dsa_signature *expected)
998 struct sha1_ctx sha1;
999 struct dsa_signature signature;
1000 struct knuth_lfib_ctx lfib;
1003 dsa_signature_init(&signature);
1004 knuth_lfib_init(&lfib, 1111);
1006 sha1_update(&sha1, LDATA("The magic words are squeamish ossifrage"));
1007 ASSERT (dsa_sha1_sign(pub, key,
1008 &lfib, (nettle_random_func *) knuth_lfib_random,
1009 &sha1, &signature));
1013 fprintf(stderr, "dsa160 signature: ");
1014 mpz_out_str(stderr, 16, signature.r);
1015 fprintf(stderr, ", ");
1016 mpz_out_str(stderr, 16, signature.s);
1017 fprintf(stderr, "\n");
1021 ASSERT (mpz_cmp (signature.r, expected->r) == 0
1022 && mpz_cmp (signature.s, expected->s) == 0);
1025 ASSERT (!DSA_VERIFY(pub, sha1,
1026 "The magick words are squeamish ossifrage",
1029 /* Try correct data */
1030 ASSERT (DSA_VERIFY(pub, sha1,
1031 "The magic words are squeamish ossifrage",
1034 /* Try bad signature */
1035 mpz_combit(signature.r, 17);
1036 ASSERT (!DSA_VERIFY(pub, sha1,
1037 "The magic words are squeamish ossifrage",
1040 dsa_signature_clear(&signature);
1044 test_dsa256(const struct dsa_public_key *pub,
1045 const struct dsa_private_key *key,
1046 const struct dsa_signature *expected)
1048 struct sha256_ctx sha256;
1049 struct dsa_signature signature;
1050 struct knuth_lfib_ctx lfib;
1052 sha256_init(&sha256);
1053 dsa_signature_init(&signature);
1054 knuth_lfib_init(&lfib, 1111);
1056 sha256_update(&sha256, LDATA("The magic words are squeamish ossifrage"));
1057 ASSERT (dsa_sha256_sign(pub, key,
1058 &lfib, (nettle_random_func *) knuth_lfib_random,
1059 &sha256, &signature));
1063 fprintf(stderr, "dsa256 signature: ");
1064 mpz_out_str(stderr, 16, signature.r);
1065 fprintf(stderr, ", ");
1066 mpz_out_str(stderr, 16, signature.s);
1067 fprintf(stderr, "\n");
1071 ASSERT (mpz_cmp (signature.r, expected->r) == 0
1072 && mpz_cmp (signature.s, expected->s) == 0);
1075 ASSERT (!DSA_VERIFY(pub, sha256,
1076 "The magick words are squeamish ossifrage",
1079 /* Try correct data */
1080 ASSERT (DSA_VERIFY(pub, sha256,
1081 "The magic words are squeamish ossifrage",
1084 /* Try bad signature */
1085 mpz_combit(signature.r, 17);
1086 ASSERT (!DSA_VERIFY(pub, sha256,
1087 "The magic words are squeamish ossifrage",
1090 dsa_signature_clear(&signature);
1095 test_dsa_sign(const struct dsa_public_key *pub,
1096 const struct dsa_private_key *key,
1097 const struct nettle_hash *hash,
1098 const struct dsa_signature *expected)
1100 void *ctx = xalloc (hash->context_size);
1101 uint8_t *digest = xalloc (hash->digest_size);
1102 uint8_t *bad_digest = xalloc (hash->digest_size);
1103 struct dsa_signature signature;
1104 struct knuth_lfib_ctx lfib;
1106 dsa_signature_init(&signature);
1107 knuth_lfib_init(&lfib, 1111);
1111 hash->update(ctx, LDATA("The magic words are squeamish ossifrage"));
1112 hash->digest(ctx, hash->digest_size, digest);
1113 ASSERT (dsa_sign(pub, key,
1114 &lfib, (nettle_random_func *) knuth_lfib_random,
1115 hash->digest_size, digest, &signature));
1119 fprintf(stderr, "dsa-%s signature: ", hash->name);
1120 mpz_out_str(stderr, 16, signature.r);
1121 fprintf(stderr, ", ");
1122 mpz_out_str(stderr, 16, signature.s);
1123 fprintf(stderr, "\n");
1127 ASSERT (mpz_cmp (signature.r, expected->r) == 0
1128 && mpz_cmp (signature.s, expected->s) == 0);
1130 /* Try correct data */
1131 ASSERT (dsa_verify(pub, hash->digest_size, digest,
1134 hash->update(ctx, LDATA("The magick words are squeamish ossifrage"));
1135 hash->digest(ctx, hash->digest_size, bad_digest);
1137 ASSERT (!dsa_verify(pub, hash->digest_size, bad_digest,
1140 /* Try bad signature */
1141 mpz_combit(signature.r, 17);
1142 ASSERT (!dsa_verify(pub, hash->digest_size, digest,
1148 dsa_signature_clear(&signature);
1153 test_dsa_verify(const struct dsa_params *params,
1155 const struct nettle_hash *hash,
1156 struct tstring *msg,
1157 const struct dsa_signature *ref)
1159 void *ctx = xalloc (hash->context_size);
1160 uint8_t *digest = xalloc (hash->digest_size);
1161 struct dsa_signature signature;
1163 dsa_signature_init (&signature);
1167 hash->update (ctx, msg->length, msg->data);
1168 hash->digest (ctx, hash->digest_size, digest);
1170 mpz_set (signature.r, ref->r);
1171 mpz_set (signature.s, ref->s);
1173 ASSERT (dsa_verify (params, pub,
1174 hash->digest_size, digest,
1177 /* Try bad signature */
1178 mpz_combit(signature.r, 17);
1179 ASSERT (!dsa_verify (params, pub,
1180 hash->digest_size, digest,
1184 digest[hash->digest_size / 2-1] ^= 8;
1185 ASSERT (!dsa_verify (params, pub,
1186 hash->digest_size, digest,
1191 dsa_signature_clear(&signature);
1195 test_dsa_key(const struct dsa_params *params,
1204 ASSERT(mpz_sizeinbase(params->q, 2) == q_size);
1205 ASSERT(mpz_sizeinbase(params->p, 2) >= DSA_SHA1_MIN_P_BITS);
1207 ASSERT(mpz_probab_prime_p(params->p, 10));
1209 ASSERT(mpz_probab_prime_p(params->q, 10));
1211 mpz_fdiv_r(t, params->p, params->q);
1213 ASSERT(0 == mpz_cmp_ui(t, 1));
1215 ASSERT(mpz_cmp_ui(params->g, 1) > 0);
1217 mpz_powm(t, params->g, params->q, params->p);
1218 ASSERT(0 == mpz_cmp_ui(t, 1));
1220 mpz_powm(t, params->g, key, params->p);
1221 ASSERT(0 == mpz_cmp(t, pub));
1226 const struct ecc_curve * const ecc_curves[] = {
1232 &_nettle_curve25519,
1237 test_mpn (const char *ref, const mp_limb_t *xp, mp_size_t n)
1242 mpz_init_set_str (r, ref, 16);
1243 while (n > 0 && xp[n-1] == 0)
1246 res = (mpz_limbs_cmp (r, xp, n) == 0);
1252 write_mpn (FILE *f, int base, const mp_limb_t *xp, mp_size_t n)
1255 mpz_out_str (f, base, mpz_roinit_n (t,xp, n));
1259 test_ecc_point (const struct ecc_curve *ecc,
1260 const struct ecc_ref_point *ref,
1263 if (! (test_mpn (ref->x, p, ecc->p.size)
1264 && test_mpn (ref->y, p + ecc->p.size, ecc->p.size) ))
1266 fprintf (stderr, "Incorrect point!\n"
1268 write_mpn (stderr, 16, p, ecc->p.size);
1269 fprintf (stderr, "\n"
1271 write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size);
1272 fprintf (stderr, "\n"
1281 test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p)
1283 /* For each curve, the points 2 g, 3 g and 4 g */
1284 static const struct ecc_ref_point ref[6][3] = {
1285 { { "dafebf5828783f2ad35534631588a3f629a70fb16982a888",
1286 "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab" },
1287 { "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da",
1288 "782c37e372ba4520aa62e0fed121d49ef3b543660cfd05fd" },
1289 { "35433907297cc378b0015703374729d7a4fe46647084e4ba",
1290 "a2649984f2135c301ea3acb0776cd4f125389b311db3be32" }
1292 { { "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6",
1293 "1c2b76a7bc25e7702a704fa986892849fca629487acf3709d2e4e8bb" },
1294 { "df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04",
1295 "a3f7f03cadd0be444c0aa56830130ddf77d317344e1af3591981a925" },
1296 { "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301",
1297 "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9" },
1299 { { "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978",
1300 "7775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1" },
1301 { "5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c",
1302 "8734640c4998ff7e374b06ce1a64a2ecd82ab036384fb83d9a79b127a27d5032" },
1303 { "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852",
1304 "e0f1575a4c633cc719dfee5fda862d764efc96c3f30ee0055c42c23f184ed8c6" },
1306 { { "8d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e"
1307 "4fe0e86ebe0e64f85b96a9c75295df61",
1308 "8e80f1fa5b1b3cedb7bfe8dffd6dba74b275d875bc6cc43e904e505f256ab425"
1309 "5ffd43e94d39e22d61501e700a940e80" },
1310 { "77a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6"
1311 "b408bbae5026580d02d7e5c70500c831",
1312 "c995f7ca0b0c42837d0bbe9602a9fc998520b41c85115aa5f7684c0edc111eac"
1313 "c24abd6be4b5d298b65f28600a2f1df1" },
1314 { "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d"
1315 "1589a1597e3a5120e1efd631c63e1835",
1316 "cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dc"
1317 "ed7387be37bba569549f1c02b270ed67" },
1320 "3c219024277e7e682fcb288148c282747403279b1ccc06352c6e5505d769be97"
1321 "b3b204da6ef55507aa104a3a35c5af41cf2fa364d60fd967f43e3933ba6d783d",
1323 "bb8cc7f86db26700a7f3eceeeed3f0b5c6b5107c4da97740ab21a29906c42dbb"
1324 "b3e377de9f251f6b93937fa99a3248f4eafcbe95edc0f4f71be356d661f41b02"
1327 "3d352443de29195dd91d6a64b5959479b52a6e5b123d9ab9e5ad7a112d7a8dd1"
1328 "ad3f164a3a4832051da6bd16b59fe21baeb490862c32ea05a5919d2ede37ad7d",
1330 "9b03b97dfa62ddd9979f86c6cab814f2f1557fa82a9d0317d2f8ab1fa355ceec"
1331 "2e2dd4cf8dc575b02d5aced1dec3c70cf105c9bc93a590425f588ca1ee86c0e5" },
1333 "b5df64ae2ac204c354b483487c9070cdc61c891c5ff39afc06c5d55541d3ceac"
1334 "8659e24afe3d0750e8b88e9f078af066a1d5025b08e5a5e2fbc87412871902f3",
1336 "096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f2"
1337 "79f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d" },
1339 { { "36ab384c9f5a046c3d043b7d1833e7ac080d8e4515d7a45f83c5a14e2843ce0e",
1340 "2260cdf3092329c21da25ee8c9a21f5697390f51643851560e5f46ae6af8a3c9" },
1341 { "67ae9c4a22928f491ff4ae743edac83a6343981981624886ac62485fd3f8e25c",
1342 "1267b1d177ee69aba126a18e60269ef79f16ec176724030402c3684878f5b4d4" },
1343 { "203da8db56cff1468325d4b87a3520f91a739ec193ce1547493aa657c4c9f870",
1344 "47d0e827cb1595e1470eb88580d5716c4cf22832ea2f0ff0df38ab61ca32112f" },
1351 /* Makes sense for curve25519 only */
1352 const struct ecc_curve *ecc = ecc_curves[curve];
1353 assert (ecc->p.bit_size == 255);
1354 if (!mpn_zero_p (p, ecc->p.size)
1355 || mpn_cmp (p + ecc->p.size, ecc->unit, ecc->p.size) != 0)
1357 fprintf (stderr, "Incorrect point (expected (0, 1))!\n"
1359 write_mpn (stderr, 16, p, ecc->p.size);
1360 fprintf (stderr, "\n"
1362 write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size);
1363 fprintf (stderr, "\n");
1369 const struct ecc_curve *ecc = ecc_curves[curve];
1370 if (mpn_cmp (p, ecc->g, 2*ecc->p.size) != 0)
1372 fprintf (stderr, "Incorrect point (expected g)!\n"
1374 write_mpn (stderr, 16, p, ecc->p.size);
1375 fprintf (stderr, "\n"
1377 write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size);
1378 fprintf (stderr, "\n"
1380 write_mpn (stderr, 16, ecc->g, ecc->p.size);
1381 fprintf (stderr, "\n"
1383 write_mpn (stderr, 16, ecc->g + ecc->p.size, ecc->p.size);
1384 fprintf (stderr, "\n");
1389 test_ecc_point (ecc_curves[curve], &ref[curve][n-2], p);
1393 test_ecc_mul_h (unsigned curve, unsigned n, const mp_limb_t *p)
1395 const struct ecc_curve *ecc = ecc_curves[curve];
1396 mp_limb_t *np = xalloc_limbs (ecc_size_a (ecc));
1397 mp_limb_t *scratch = xalloc_limbs (ecc->h_to_a_itch);
1398 ecc->h_to_a (ecc, 0, np, p, scratch);
1400 test_ecc_mul_a (curve, n, np);
1406 #endif /* WITH_HOGWEED */