jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
454 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 7691fb1380
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7691fb1380'
${ noResults }
ed448goldilocks/test/test_decaf.cxx

657 lines
22 KiB
Raw Blame History 

  1. /**

  2.  * @file test_decaf.cxx

  3.  * @author Mike Hamburg

  4.  *

  5.  * @copyright

  6.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  7.  *   Released under the MIT License.  See LICENSE.txt for license information.

  8.  *

  9.  * @brief C++ tests, because that's easier.

  10.  */

  11. 

  12. #include <decaf.hxx>

  13. #include <decaf/spongerng.hxx>

  14. #include <decaf/eddsa.hxx>

  15. #include <stdio.h>

  16. 

  17. using namespace decaf;

  18. 

  19. static bool passing = true;

  20. static const long NTESTS = 10000;

  21. 

  22. class Test {

  23. public:

  24.     bool passing_now;

  25.     Test(const char *test) {

  26.         passing_now = true;

  27.         printf("%s...", test);

  28.         if (strlen(test) < 27) printf("%*s",int(27-strlen(test)),"");

  29.         fflush(stdout);

  30.     }

  31.     ~Test() {

  32.         if (std::uncaught_exception()) {

  33.             fail();

  34.             printf("  due to uncaught exception.\n");

  35.         }

  36.         if (passing_now) printf("[PASS]\n");

  37.     }

  38.     void fail() {

  39.         if (!passing_now) return;

  40.         passing_now = passing = false;

  41.         printf("[FAIL]\n");

  42.     }

  43. };

  44. 

  45. static uint64_t leint(const SecureBuffer &xx) {

  46.     uint64_t out = 0;

  47.     for (unsigned int i=0; i<xx.size() && i<sizeof(out); i++) {

  48.         out |= uint64_t(xx[i]) << (8*i);

  49.     }

  50.     return out;

  51. }

  52. 

  53. template<typename Group> struct Tests {

  54. 

  55. typedef typename Group::Scalar Scalar;

  56. typedef typename Group::Point Point;

  57. typedef typename Group::DhLadder DhLadder;

  58. typedef typename Group::Precomputed Precomputed;

  59. 

  60. static void print(const char *name, const Scalar &x) {

  61.     unsigned char buffer[Scalar::SER_BYTES];

  62.     x.serialize_into(buffer);

  63.     printf("  %s = 0x", name);

  64.     for (int i=sizeof(buffer)-1; i>=0; i--) {

  65.         printf("%02x", buffer[i]);

  66.     }

  67.     printf("\n");

  68. }

  69. 

  70. static void hexprint(const char *name, const SecureBuffer &buffer) {

  71.     printf("  %s = 0x", name);

  72.     for (int i=buffer.size()-1; i>=0; i--) {

  73.         printf("%02x", buffer[i]);

  74.     }

  75.     printf("\n");

  76. }

  77. 

  78. static void print(const char *name, const Point &x) {

  79.     unsigned char buffer[Point::SER_BYTES];

  80.     x.serialize_into(buffer);

  81.     printf("  %s = 0x", name);

  82.     for (int i=Point::SER_BYTES-1; i>=0; i--) {

  83.         printf("%02x", buffer[i]);

  84.     }

  85.     printf("\n");

  86. }

  87. 

  88. static bool arith_check(

  89.     Test &test,

  90.     const Scalar &x,

  91.     const Scalar &y,

  92.     const Scalar &z,

  93.     const Scalar &l,

  94.     const Scalar &r,

  95.     const char *name

  96. ) {

  97.     if (l == r) return true;

  98.     test.fail();

  99.     printf("  %s", name);

  100.     print("x", x);

  101.     print("y", y);

  102.     print("z", z);

  103.     print("lhs", l);

  104.     print("rhs", r);

  105.     return false;

  106. }

  107. 

  108. static bool point_check(

  109.     Test &test,

  110.     const Point &p,

  111.     const Point &q,

  112.     const Point &R,

  113.     const Scalar &x,

  114.     const Scalar &y,

  115.     const Point &l,

  116.     const Point &r,

  117.     const char *name

  118. ) {

  119.     bool good = l==r;

  120.     if (!p.validate()) { good = false; printf("  p invalid\n"); }

  121.     if (!q.validate()) { good = false; printf("  q invalid\n"); }

  122.     if (!r.validate()) { good = false; printf("  r invalid\n"); }

  123.     if (!l.validate()) { good = false; printf("  l invalid\n"); }

  124.     if (good) return true;

  125.     

  126.     test.fail();

  127.     printf("  %s", name);

  128.     print("x", x);

  129.     print("y", y);

  130.     print("p", p);

  131.     print("q", q);

  132.     print("r", R);

  133.     print("lhs", r);

  134.     print("rhs", l);

  135.     return false;

  136. }

  137. 

  138. static void test_arithmetic() {

  139.     SpongeRng rng(Block("test_arithmetic"),SpongeRng::DETERMINISTIC);

  140.     

  141.     Test test("Arithmetic");

  142.     Scalar x(0),y(0),z(0);

  143.     arith_check(test,x,y,z,INT_MAX,(decaf_word_t)INT_MAX,"cast from max");

  144.     arith_check(test,x,y,z,INT_MIN,-Scalar(1+(decaf_word_t)INT_MAX),"cast from min");

  145.         

  146.     for (int i=0; i<NTESTS*10 && test.passing_now; i++) {

  147.         size_t sob = i % (2*Group::Scalar::SER_BYTES);

  148.         

  149.         SecureBuffer xx = rng.read(sob), yy = rng.read(sob), zz = rng.read(sob);

  150.         

  151.         Scalar x(xx);

  152.         Scalar y(yy);

  153.         Scalar z(zz);

  154. 

  155.         arith_check(test,x,y,z,x+y,y+x,"commute add");

  156.         arith_check(test,x,y,z,x,x+0,"ident add");

  157.         arith_check(test,x,y,z,x,x-0,"ident sub");

  158.         arith_check(test,x,y,z,x+-x,0,"inverse add");

  159.         arith_check(test,x,y,z,x-x,0,"inverse sub");

  160.         arith_check(test,x,y,z,x-(x+1),-1,"inverse add2");

  161.         arith_check(test,x,y,z,x+(y+z),(x+y)+z,"assoc add");

  162.         arith_check(test,x,y,z,x*(y+z),x*y + x*z,"distributive mul/add");

  163.         arith_check(test,x,y,z,x*(y-z),x*y - x*z,"distributive mul/add");

  164.         arith_check(test,x,y,z,x*(y*z),(x*y)*z,"assoc mul");

  165.         arith_check(test,x,y,z,x*y,y*x,"commute mul");

  166.         arith_check(test,x,y,z,x,x*1,"ident mul");

  167.         arith_check(test,x,y,z,0,x*0,"mul by 0");

  168.         arith_check(test,x,y,z,-x,x*-1,"mul by -1");

  169.         arith_check(test,x,y,z,x+x,x*2,"mul by 2");

  170.         arith_check(test,x,y,z,-(x*y),(-x)*y,"neg prop mul");

  171.         arith_check(test,x,y,z,x*y,(-x)*(-y),"double neg prop mul");

  172.         arith_check(test,x,y,z,-(x+y),(-x)+(-y),"neg prop add");

  173.         arith_check(test,x,y,z,x-y,(x)+(-y),"add neg sub");

  174.         arith_check(test,x,y,z,(-x)-y,-(x+y),"neg add");

  175.         

  176.         if (sob <= 4) {

  177.             uint64_t xi = leint(xx), yi = leint(yy);

  178.             arith_check(test,x,y,z,x,xi,"parse consistency");

  179.             arith_check(test,x,y,z,x+y,xi+yi,"add consistency");

  180.             arith_check(test,x,y,z,x*y,xi*yi,"mul consistency");

  181.         }

  182.         

  183.         if (i%20) continue;

  184.         if (y!=0) arith_check(test,x,y,z,x*y/y,x,"invert");

  185.         try {

  186.             y = x/0;

  187.             test.fail();

  188.             printf("  Inverted zero!");

  189.             print("x", x);

  190.             print("y", y);

  191.         } catch(CryptoException) {}

  192.     }

  193. }

  194. 

  195. static const Block sqrt_minus_one;

  196. static const Block minus_sqrt_minus_one;

  197. static const Block elli_patho; /* sqrt(1/(u(1-d))) */

  198. 

  199. static void test_elligator() {

  200.     SpongeRng rng(Block("test_elligator"),SpongeRng::DETERMINISTIC);

  201.     Test test("Elligator");

  202.     

  203.     const int NHINTS = 1<<Point::INVERT_ELLIGATOR_WHICH_BITS;

  204.     SecureBuffer *alts[NHINTS];

  205.     bool successes[NHINTS];

  206.     SecureBuffer *alts2[NHINTS];

  207.     bool successes2[NHINTS];

  208. 

  209.     for (unsigned int i=0; i<NTESTS/10 && (i<10 || test.passing_now); i++) {

  210.         size_t len =  (i % (2*Point::HASH_BYTES + 3));

  211.         SecureBuffer b1(len);

  212.         if (i!=Point::HASH_BYTES) rng.read(b1); /* special test case */

  213.         

  214.         /* Pathological cases */

  215.         if (i==1) b1[0] = 1;

  216.         if (i==2 && sqrt_minus_one.size()) b1 = sqrt_minus_one;

  217.         if (i==3 && minus_sqrt_minus_one.size()) b1 = minus_sqrt_minus_one;

  218.         if (i==4 && elli_patho.size()) b1 = elli_patho;

  219.         len = b1.size();

  220.         

  221.         

  222.         Point s = Point::from_hash(b1), ss=s;

  223.         for (unsigned int j=0; j<(i&3); j++) ss = ss.debugging_torque();

  224.         

  225.         ss = ss.debugging_pscale(rng);

  226.         

  227.         bool good = false;

  228.         for (int j=0; j<NHINTS; j++) {

  229.             alts[j] = new SecureBuffer(len);

  230.             alts2[j] = new SecureBuffer(len);

  231. 

  232.             if (len > Point::HASH_BYTES)

  233.                 memcpy(&(*alts[j])[Point::HASH_BYTES], &b1[Point::HASH_BYTES], len-Point::HASH_BYTES);

  234.             

  235.             if (len > Point::HASH_BYTES)

  236.                 memcpy(&(*alts2[j])[Point::HASH_BYTES], &b1[Point::HASH_BYTES], len-Point::HASH_BYTES);

  237.             

  238.             successes[j]  = decaf_successful( s.invert_elligator(*alts[j], j));

  239.             successes2[j] = decaf_successful(ss.invert_elligator(*alts2[j],j));

  240.             

  241.             if (successes[j] != successes2[j]

  242.                 || (successes[j] && successes2[j] && *alts[j] != *alts2[j])

  243.             ) {

  244.                 test.fail();

  245.                 printf("   Unscalable Elligator inversion: i=%d, hint=%d, s=%d,%d\n",i,j,

  246.                     -int(successes[j]),-int(successes2[j]));

  247.                 hexprint("x",b1);

  248.                 hexprint("X",*alts[j]);

  249.                 hexprint("X",*alts2[j]);

  250.             }

  251.            

  252.             if (successes[j]) {

  253.                 good = good || (b1 == *alts[j]);

  254.                 for (int k=0; k<j; k++) {

  255.                     if (successes[k] && *alts[j] == *alts[k]) {

  256.                         test.fail();

  257.                         printf("   Duplicate Elligator inversion: i=%d, hints=%d, %d\n",i,j,k);

  258.                         hexprint("x",b1);

  259.                         hexprint("X",*alts[j]);

  260.                     }

  261.                 }

  262.                 if (s != Point::from_hash(*alts[j])) {

  263.                     test.fail();

  264.                     printf("   Fail Elligator inversion round-trip: i=%d, hint=%d %s\n",i,j,

  265.                         (s==-Point::from_hash(*alts[j])) ? "[output was -input]": "");

  266.                     hexprint("x",b1);

  267.                     hexprint("X",*alts[j]);

  268.                 }

  269.             }

  270.         }

  271.         

  272.         if (!good) {

  273.             test.fail();

  274.             printf("   %s Elligator inversion: i=%d\n",good ? "Passed" : "Failed", i);

  275.             hexprint("B", b1);

  276.             for (int j=0; j<NHINTS; j++) {

  277.                 printf("  %d: %s%s", j, successes[j] ? "succ" : "fail\n", (successes[j] && *alts[j] == b1) ? " [x]" : "");

  278.                 if (successes[j]) {

  279.                     hexprint("b", *alts[j]);

  280.                 }

  281.             }

  282.             printf("\n");

  283.         }

  284.         

  285.         for (int j=0; j<NHINTS; j++) {

  286.             delete alts[j];

  287.             alts[j] = NULL;

  288.             delete alts2[j];

  289.             alts2[j] = NULL;

  290.         }

  291.         

  292.         Point t(rng);

  293.         point_check(test,t,t,t,0,0,t,Point::from_hash(t.steg_encode(rng)),"steg round-trip");

  294.     }

  295. }

  296. 

  297. static void test_ec() {

  298.     SpongeRng rng(Block("test_ec"),SpongeRng::DETERMINISTIC);

  299.     

  300.     Test test("EC");

  301. 

  302.     Point id = Point::identity(), base = Point::base();

  303.     point_check(test,id,id,id,0,0,Point::from_hash(""),id,"fh0");

  304.     

  305.     unsigned char enc[Point::SER_BYTES] = {0};

  306.     

  307.     if (Group::FIELD_MODULUS_TYPE == 3) {

  308.         /* When p == 3 mod 4, the QNR is -1, so u*1^2 = -1 also produces the

  309.          * identity.

  310.          */

  311.         point_check(test,id,id,id,0,0,Point::from_hash("\x01"),id,"fh1");

  312.     }

  313.     

  314.     point_check(test,id,id,id,0,0,Point(FixedBlock<sizeof(enc)>(enc)),id,"decode [0]");

  315.     try {

  316.         enc[0] = 1;

  317.         Point f((FixedBlock<sizeof(enc)>(enc)));

  318.         test.fail();

  319.         printf("    Allowed deserialize of [1]: %d", f==id);

  320.     } catch (CryptoException) {

  321.         /* ok */

  322.     }

  323.     

  324.     if (sqrt_minus_one.size()) {

  325.         try {

  326.             Point f(sqrt_minus_one);

  327.             test.fail();

  328.             printf("    Allowed deserialize of [i]: %d", f==id);

  329.         } catch (CryptoException) {

  330.             /* ok */

  331.         }

  332.     }

  333.     

  334.     if (minus_sqrt_minus_one.size()) {

  335.         try {

  336.             Point f(minus_sqrt_minus_one);

  337.             test.fail();

  338.             printf("    Allowed deserialize of [-i]: %d", f==id);

  339.         } catch (CryptoException) {

  340.             /* ok */

  341.         }

  342.     }

  343.     

  344.     for (int i=0; i<NTESTS && test.passing_now; i++) {

  345.         Scalar x(rng);

  346.         Scalar y(rng);

  347.         Point p(rng);

  348.         Point q(rng);

  349.         

  350.         Point d1, d2;

  351.         

  352.         SecureBuffer buffer(2*Point::HASH_BYTES);

  353.         rng.read(buffer);

  354.         Point r = Point::from_hash(buffer);

  355.         

  356.         try {

  357.             point_check(test,p,q,r,0,0,p,Point(p.serialize()),"round-trip");

  358.         } catch (CryptoException) {

  359.             test.fail();

  360.             printf("    Round-trip raised CryptoException!\n");

  361.         }

  362.         Point pp = p.debugging_torque().debugging_pscale(rng);

  363.         if (!memeq(pp.serialize(),p.serialize())) {

  364.             test.fail();

  365.             printf("    Fail torque seq test\n");

  366.         }

  367.         if (!memeq((p-pp).serialize(),id.serialize())) {

  368.             test.fail();

  369.             printf("    Fail torque id test\n");

  370.         }

  371.         if (!memeq((p-p).serialize(),id.serialize())) {

  372.             test.fail();

  373.             printf("    Fail id test\n");

  374.         }

  375.         point_check(test,p,q,r,0,0,p,pp,"torque eq");

  376.         point_check(test,p,q,r,0,0,p+q,q+p,"commute add");

  377.         point_check(test,p,q,r,0,0,(p-q)+q,p,"correct sub");

  378.         point_check(test,p,q,r,0,0,p+(q+r),(p+q)+r,"assoc add");

  379.         point_check(test,p,q,r,0,0,p.times_two(),p+p,"dbl add");

  380.         

  381.         if (i%10) continue;

  382.         point_check(test,p,q,r,0,0,p.times_two(),p*Scalar(2),"add times two");

  383.         point_check(test,p,q,r,x,0,x*(p+q),x*p+x*q,"distr mul");

  384.         point_check(test,p,q,r,x,y,(x*y)*p,x*(y*p),"assoc mul");

  385.         point_check(test,p,q,r,x,y,x*p+y*q,Point::double_scalarmul(x,p,y,q),"double mul");

  386.         

  387.         p.dual_scalarmul(d1,d2,x,y);

  388.         point_check(test,p,q,r,x,y,x*p,d1,"dual mul 1");

  389.         point_check(test,p,q,r,x,y,y*p,d2,"dual mul 2");

  390.         

  391.         point_check(test,base,q,r,x,y,x*base+y*q,q.non_secret_combo_with_base(y,x),"ds vt mul");

  392.         point_check(test,p,q,r,x,0,Precomputed(p)*x,p*x,"precomp mul");

  393.         point_check(test,p,q,r,0,0,r,

  394.             Point::from_hash(Buffer(buffer).slice(0,Point::HASH_BYTES))

  395.             + Point::from_hash(Buffer(buffer).slice(Point::HASH_BYTES,Point::HASH_BYTES)),

  396.             "unih = hash+add"

  397.         );

  398.         

  399.         try {

  400.             point_check(test,p,q,r,x,0,Point(x.direct_scalarmul(p.serialize())),x*p,"direct mul");

  401.         } catch (CryptoException) {

  402.             printf("    Direct mul raised CryptoException!\n");

  403.             test.fail();

  404.         }

  405.         

  406.         q=p;

  407.         for (int j=1; j<Group::REMOVED_COFACTOR; j<<=1) q = q.times_two();

  408.         decaf_error_t error = r.decode_like_eddsa_and_ignore_cofactor_noexcept(

  409.             p.mul_by_cofactor_and_encode_like_eddsa()

  410.         );

  411.         if (error != DECAF_SUCCESS) {

  412.             test.fail();

  413.             printf("    Decode like EdDSA failed.");

  414.         }

  415.         point_check(test,-q,q,r,i,0,q,r,"Encode like EdDSA round-trip");

  416.         

  417.     }

  418. }

  419. 

  420. static const uint8_t rfc7748_1[DhLadder::PUBLIC_BYTES];

  421. static const uint8_t rfc7748_1000[DhLadder::PUBLIC_BYTES];

  422. static const uint8_t rfc7748_1000000[DhLadder::PUBLIC_BYTES];

  423. 

  424. static void test_cfrg_crypto() {

  425.     Test test("CFRG crypto");

  426.     SpongeRng rng(Block("test_cfrg_crypto"),SpongeRng::DETERMINISTIC);

  427.     for (int i=0; i<NTESTS && test.passing_now; i++) {

  428.         

  429.         FixedArrayBuffer<DhLadder::PUBLIC_BYTES> base(rng);

  430.         FixedArrayBuffer<DhLadder::PRIVATE_BYTES> s1(rng), s2(rng);

  431.         

  432.         SecureBuffer p1  = DhLadder::shared_secret(base,s1);

  433.         SecureBuffer p2  = DhLadder::shared_secret(base,s2);

  434.         SecureBuffer ss1 = DhLadder::shared_secret(p2,s1);

  435.         SecureBuffer ss2 = DhLadder::shared_secret(p1,s2);

  436. 

  437.         if (!memeq(ss1,ss2)) {

  438.             test.fail();

  439.             printf("    Shared secrets disagree on iteration %d.\n",i);

  440.         }

  441.         

  442.         if (!memeq(

  443.             DhLadder::shared_secret(DhLadder::base_point(),s1),

  444.             DhLadder::derive_public_key(s1)

  445.         )) {

  446.             test.fail();

  447.             printf("    Public keys disagree on iteration %d.\n",i);

  448.         }

  449.     }

  450. }

  451. 

  452. static const bool eddsa_prehashed[];

  453. static const Block eddsa_sk[], eddsa_pk[], eddsa_message[], eddsa_context[], eddsa_sig[];

  454. 

  455. static void test_cfrg_vectors() {

  456.     Test test("CFRG test vectors");

  457.     SecureBuffer k = DhLadder::base_point();

  458.     SecureBuffer u = DhLadder::base_point();

  459.     

  460.     int the_ntests = (NTESTS < 1000000) ? 1000 : 1000000;

  461.     

  462.     /* EdDSA */

  463.     for (unsigned int t=0; eddsa_sk[t].size(); t++) {

  464.         typename EdDSA<Group>::PrivateKey priv(eddsa_sk[t]);

  465.         SecureBuffer eddsa_pk2 = priv.pub().serialize();

  466.         if (!memeq(SecureBuffer(eddsa_pk[t]), eddsa_pk2)) {

  467.             test.fail();

  468.             printf("    EdDSA PK vectors disagree.");

  469.             printf("\n    Correct:   ");

  470.             for (unsigned i=0; i<eddsa_pk[t].size(); i++) printf("%02x", eddsa_pk[t][i]);

  471.             printf("\n    Incorrect: ");

  472. 

  473.             for (unsigned i=0; i<eddsa_pk2.size(); i++) printf("%02x", eddsa_pk2[i]);

  474.             printf("\n");

  475.         }

  476.         SecureBuffer sig;

  477.         

  478.         if (eddsa_prehashed[t]) {

  479.             typename EdDSA<Group>::PrivateKeyPh priv2(eddsa_sk[t]); 

  480.             sig = priv2.sign_with_prehash(eddsa_message[t],eddsa_context[t]);

  481.         } else {

  482.             sig = priv.sign(eddsa_message[t],eddsa_context[t]);

  483.         }

  484. 

  485.         if (!memeq(SecureBuffer(eddsa_sig[t]),sig)) {

  486.             test.fail();

  487.             printf("    EdDSA sig vectors disagree.");

  488.             printf("\n    Correct:   ");

  489.             for (unsigned i=0; i<eddsa_sig[t].size(); i++) printf("%02x", eddsa_sig[t][i]);

  490.             printf("\n    Incorrect: ");

  491. 

  492.             for (unsigned i=0; i<sig.size(); i++) printf("%02x", sig[i]);

  493.             printf("\n");

  494.         }

  495.     }

  496.     

  497.     /* X25519/X448 */

  498.     for (int i=0; i<the_ntests && test.passing_now; i++) {

  499.         SecureBuffer n = DhLadder::shared_secret(u,k);

  500.         u = k; k = n;

  501.         if (i==1-1) {

  502.             if (!memeq(k,SecureBuffer(FixedBlock<DhLadder::PUBLIC_BYTES>(rfc7748_1)))) {

  503.                 test.fail();

  504.                 printf("    Test vectors disagree at 1.");

  505.             }

  506.         } else if (i==1000-1) {

  507.             if (!memeq(k,SecureBuffer(FixedBlock<DhLadder::PUBLIC_BYTES>(rfc7748_1000)))) {

  508.                 test.fail();

  509.                 printf("    Test vectors disagree at 1000.");

  510.             }

  511.         } else if (i==1000000-1) {

  512.             if (!memeq(k,SecureBuffer(FixedBlock<DhLadder::PUBLIC_BYTES>(rfc7748_1000000)))) {

  513.                 test.fail();

  514.                 printf("    Test vectors disagree at 1000000.");

  515.             }

  516.         }

  517.     }

  518. }

  519. 

  520. static void test_eddsa() {

  521.     Test test("EdDSA");

  522.     SpongeRng rng(Block("test_eddsa"),SpongeRng::DETERMINISTIC);

  523.     

  524.     for (int i=0; i<NTESTS && test.passing_now; i++) {

  525.         

  526.         typename EdDSA<Group>::PrivateKey priv(rng);

  527.         typename EdDSA<Group>::PublicKey pub(priv);

  528.         

  529.         SecureBuffer message(i);

  530.         rng.read(message);

  531.         

  532.         SecureBuffer context(i%256);

  533.         rng.read(context);

  534.         

  535.         SecureBuffer sig = priv.sign(message,context); 

  536.         

  537.         try {

  538.             pub.verify(sig,message,context); 

  539.         } catch(CryptoException) {

  540.             test.fail();

  541.             printf("    Signature validation failed on sig %d\n", i);

  542.         }    

  543.     }

  544. }

  545. 

  546. /* Thanks Johan Pascal */

  547. static void test_convert_eddsa_to_x() {

  548.     Test test("ECDH using EdDSA keys");

  549.     SpongeRng rng(Block("test_x_on_eddsa_key"),SpongeRng::DETERMINISTIC);

  550. 

  551.     for (int i=0; i<NTESTS && test.passing_now; i++) {

  552.         /* generate 2 pairs of EdDSA keys */

  553.         typename EdDSA<Group>::PrivateKey alice_priv(rng);

  554.         typename EdDSA<Group>::PublicKey alice_pub(alice_priv);

  555.         typename EdDSA<Group>::PrivateKey bob_priv(rng);

  556.         typename EdDSA<Group>::PublicKey bob_pub(bob_priv);

  557. 

  558.         /* convert them to ECDH format

  559.          * check public key value by computing it from direct conversion and regeneration from converted private)

  560.          */

  561.         SecureBuffer alice_priv_x = alice_priv.convert_to_x();

  562.         SecureBuffer alice_pub_x_conversion = alice_pub.convert_to_x();

  563.         SecureBuffer alice_pub_x_generated  = DhLadder::derive_public_key(alice_priv_x);

  564.         if (!memeq(alice_pub_x_conversion, alice_pub_x_generated)) {

  565.             test.fail();

  566.             printf("    Ed2X Public key convertion and regeneration from converted private key differs.\n");

  567.         }

  568.         SecureBuffer bob_priv_x = bob_priv.convert_to_x();

  569.         SecureBuffer bob_pub_x_conversion = bob_pub.convert_to_x();

  570.         SecureBuffer bob_pub_x_generated  = DhLadder::derive_public_key(bob_priv_x);

  571.         if (!memeq(bob_pub_x_conversion, bob_pub_x_generated)) {

  572.             test.fail();

  573.             printf("    Ed2X Public key convertion and regeneration from converted private key differs.\n");

  574.         }

  575. 

  576.         /* compute shared secrets and check they match */

  577.         SecureBuffer alice_shared = DhLadder::shared_secret(bob_pub_x_conversion, alice_priv_x);

  578.         SecureBuffer bob_shared   = DhLadder::shared_secret(alice_pub_x_conversion, bob_priv_x);

  579. 

  580.         if (!memeq(alice_shared, bob_shared)) {

  581.             test.fail();

  582.             printf("    ECDH shared secret mismatch.\n");

  583.         }

  584.     }

  585. }

  586. 

  587. static void run() {

  588.     printf("Testing %s:\n",Group::name());

  589.     test_arithmetic();

  590.     test_elligator();

  591.     test_ec();

  592.     test_eddsa();

  593.     test_convert_eddsa_to_x();

  594.     test_cfrg_crypto();

  595.     test_cfrg_vectors();

  596.     printf("\n");

  597. }

  598. 

  599. }; /* template<GroupId GROUP> struct Tests */

  600. 

  601. static void test_rng() {

  602.     Test test("RNG");

  603.     SpongeRng rng_d1(Block("test_rng"),SpongeRng::DETERMINISTIC);

  604.     SpongeRng rng_d2(Block("test_rng"),SpongeRng::DETERMINISTIC);

  605.     SpongeRng rng_d3(Block("best_rng"),SpongeRng::DETERMINISTIC);

  606.     SpongeRng rng_n1;

  607.     SpongeRng rng_n2;

  608.     SecureBuffer s1,s2,s3;

  609.     

  610.     for (int i=0; i<5; i++) {

  611.         s1 = rng_d1.read(16<<i);

  612.         s2 = rng_d2.read(16<<i);

  613.         s3 = rng_d3.read(16<<i);

  614.         if (s1 != s2) {

  615.             test.fail();

  616.             printf("  Deterministic RNG didn't match!\n");

  617.         }

  618.         if (s1 == s3) {

  619.             test.fail();

  620.             printf("  Deterministic matched with different data!\n");

  621.         }

  622.         

  623.         rng_d1.stir("hello");

  624.         rng_d2.stir("hello");

  625.         rng_d3.stir("hello");

  626.         

  627.         

  628.         s1 = rng_n1.read(16<<i);

  629.         s2 = rng_n2.read(16<<i);

  630.         if (s1 == s2) {

  631.             test.fail();

  632.             printf("  Nondeterministic RNG matched!\n");

  633.         }

  634.     }

  635.     

  636.     

  637.     rng_d1.stir("hello");

  638.     rng_d2.stir("jello");

  639.     s1 = rng_d1.read(16);

  640.     s2 = rng_d2.read(16);

  641.     if (s1 == s2) {

  642.         test.fail();

  643.         printf("  Deterministic matched with different data!\n");

  644.     }

  645. }

  646. 

  647. #include "vectors.inc.cxx"

  648. 

  649. int main(int argc, char **argv) {

  650.     (void) argc; (void) argv;

  651.     test_rng();

  652.     printf("\n");

  653.     run_for_all_curves<Tests>();

  654.     if (passing) printf("Passed all tests.\n");

  655.     return passing ? 0 : 1;

  656. }