| /* Copyright (c) 2023, Google Inc. |
| * |
| * Permission to use, copy, modify, and/or distribute this software for any |
| * purpose with or without fee is hereby granted, provided that the above |
| * copyright notice and this permission notice appear in all copies. |
| * |
| * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| |
| #include <vector> |
| |
| #include <string.h> |
| |
| #include <gtest/gtest.h> |
| |
| #include <openssl/bytestring.h> |
| #include <openssl/ctrdrbg.h> |
| #include <openssl/experimental/kyber.h> |
| |
| #include "../test/file_test.h" |
| #include "../test/test_util.h" |
| #include "../keccak/internal.h" |
| #include "./internal.h" |
| |
| |
| template <typename T> |
| static std::vector<uint8_t> Marshal(int (*marshal_func)(CBB *, const T *), |
| const T *t) { |
| bssl::ScopedCBB cbb; |
| uint8_t *encoded; |
| size_t encoded_len; |
| if (!CBB_init(cbb.get(), 1) || // |
| !marshal_func(cbb.get(), t) || // |
| !CBB_finish(cbb.get(), &encoded, &encoded_len)) { |
| abort(); |
| } |
| |
| std::vector<uint8_t> ret(encoded, encoded + encoded_len); |
| OPENSSL_free(encoded); |
| return ret; |
| } |
| |
| TEST(KyberTest, Basic) { |
| // This function makes several Kyber keys, which runs up against stack limits. |
| // Heap-allocate them instead. |
| |
| uint8_t encoded_public_key[KYBER_PUBLIC_KEY_BYTES]; |
| auto priv = std::make_unique<KYBER_private_key>(); |
| KYBER_generate_key(encoded_public_key, priv.get()); |
| |
| uint8_t first_two_bytes[2]; |
| OPENSSL_memcpy(first_two_bytes, encoded_public_key, sizeof(first_two_bytes)); |
| OPENSSL_memset(encoded_public_key, 0xff, sizeof(first_two_bytes)); |
| CBS encoded_public_key_cbs; |
| CBS_init(&encoded_public_key_cbs, encoded_public_key, |
| sizeof(encoded_public_key)); |
| auto pub = std::make_unique<KYBER_public_key>(); |
| // Parsing should fail because the first coefficient is >= kPrime; |
| ASSERT_FALSE(KYBER_parse_public_key(pub.get(), &encoded_public_key_cbs)); |
| |
| OPENSSL_memcpy(encoded_public_key, first_two_bytes, sizeof(first_two_bytes)); |
| CBS_init(&encoded_public_key_cbs, encoded_public_key, |
| sizeof(encoded_public_key)); |
| ASSERT_TRUE(KYBER_parse_public_key(pub.get(), &encoded_public_key_cbs)); |
| EXPECT_EQ(CBS_len(&encoded_public_key_cbs), 0u); |
| |
| EXPECT_EQ(Bytes(encoded_public_key), |
| Bytes(Marshal(KYBER_marshal_public_key, pub.get()))); |
| |
| auto pub2 = std::make_unique<KYBER_public_key>(); |
| KYBER_public_from_private(pub2.get(), priv.get()); |
| EXPECT_EQ(Bytes(encoded_public_key), |
| Bytes(Marshal(KYBER_marshal_public_key, pub2.get()))); |
| |
| std::vector<uint8_t> encoded_private_key( |
| Marshal(KYBER_marshal_private_key, priv.get())); |
| EXPECT_EQ(encoded_private_key.size(), size_t{KYBER_PRIVATE_KEY_BYTES}); |
| |
| OPENSSL_memcpy(first_two_bytes, encoded_private_key.data(), |
| sizeof(first_two_bytes)); |
| OPENSSL_memset(encoded_private_key.data(), 0xff, sizeof(first_two_bytes)); |
| CBS cbs; |
| CBS_init(&cbs, encoded_private_key.data(), encoded_private_key.size()); |
| auto priv2 = std::make_unique<KYBER_private_key>(); |
| // Parsing should fail because the first coefficient is >= kPrime. |
| ASSERT_FALSE(KYBER_parse_private_key(priv2.get(), &cbs)); |
| |
| OPENSSL_memcpy(encoded_private_key.data(), first_two_bytes, |
| sizeof(first_two_bytes)); |
| CBS_init(&cbs, encoded_private_key.data(), encoded_private_key.size()); |
| ASSERT_TRUE(KYBER_parse_private_key(priv2.get(), &cbs)); |
| EXPECT_EQ(Bytes(encoded_private_key), |
| Bytes(Marshal(KYBER_marshal_private_key, priv2.get()))); |
| |
| uint8_t ciphertext[KYBER_CIPHERTEXT_BYTES]; |
| uint8_t shared_secret1[KYBER_SHARED_SECRET_BYTES]; |
| uint8_t shared_secret2[KYBER_SHARED_SECRET_BYTES]; |
| KYBER_encap(ciphertext, shared_secret1, pub.get()); |
| KYBER_decap(shared_secret2, ciphertext, priv.get()); |
| EXPECT_EQ(Bytes(shared_secret1), Bytes(shared_secret2)); |
| KYBER_decap(shared_secret2, ciphertext, priv2.get()); |
| EXPECT_EQ(Bytes(shared_secret1), Bytes(shared_secret2)); |
| } |
| |
| static void KyberFileTest(FileTest *t) { |
| std::vector<uint8_t> seed, public_key_expected, private_key_expected, |
| ciphertext_expected, shared_secret_expected, given_generate_entropy, |
| given_encap_entropy_pre_hash; |
| t->IgnoreAttribute("count"); |
| ASSERT_TRUE(t->GetBytes(&seed, "seed")); |
| ASSERT_TRUE(t->GetBytes(&public_key_expected, "pk")); |
| ASSERT_TRUE(t->GetBytes(&private_key_expected, "sk")); |
| ASSERT_TRUE(t->GetBytes(&ciphertext_expected, "ct")); |
| ASSERT_TRUE(t->GetBytes(&shared_secret_expected, "ss")); |
| ASSERT_TRUE(t->GetBytes(&given_generate_entropy, "generateEntropy")); |
| ASSERT_TRUE( |
| t->GetBytes(&given_encap_entropy_pre_hash, "encapEntropyPreHash")); |
| |
| KYBER_private_key priv; |
| uint8_t encoded_private_key[KYBER_PRIVATE_KEY_BYTES]; |
| KYBER_public_key pub; |
| uint8_t encoded_public_key[KYBER_PUBLIC_KEY_BYTES]; |
| uint8_t ciphertext[KYBER_CIPHERTEXT_BYTES]; |
| uint8_t gen_key_entropy[KYBER_GENERATE_KEY_ENTROPY]; |
| uint8_t encap_entropy[KYBER_ENCAP_ENTROPY]; |
| uint8_t encapsulated_key[KYBER_SHARED_SECRET_BYTES]; |
| uint8_t decapsulated_key[KYBER_SHARED_SECRET_BYTES]; |
| // The test vectors provide a CTR-DRBG seed which is used to generate the |
| // input entropy. |
| ASSERT_EQ(seed.size(), size_t{CTR_DRBG_ENTROPY_LEN}); |
| { |
| bssl::UniquePtr<CTR_DRBG_STATE> state( |
| CTR_DRBG_new(seed.data(), nullptr, 0)); |
| ASSERT_TRUE(state); |
| ASSERT_TRUE( |
| CTR_DRBG_generate(state.get(), gen_key_entropy, 32, nullptr, 0)); |
| ASSERT_TRUE( |
| CTR_DRBG_generate(state.get(), gen_key_entropy + 32, 32, nullptr, 0)); |
| ASSERT_TRUE(CTR_DRBG_generate(state.get(), encap_entropy, |
| KYBER_ENCAP_ENTROPY, nullptr, 0)); |
| } |
| |
| EXPECT_EQ(Bytes(gen_key_entropy), Bytes(given_generate_entropy)); |
| EXPECT_EQ(Bytes(encap_entropy), Bytes(given_encap_entropy_pre_hash)); |
| |
| BORINGSSL_keccak(encap_entropy, sizeof(encap_entropy), encap_entropy, |
| sizeof(encap_entropy), boringssl_sha3_256); |
| |
| KYBER_generate_key_external_entropy(encoded_public_key, &priv, |
| gen_key_entropy); |
| CBB cbb; |
| CBB_init_fixed(&cbb, encoded_private_key, sizeof(encoded_private_key)); |
| ASSERT_TRUE(KYBER_marshal_private_key(&cbb, &priv)); |
| CBS encoded_public_key_cbs; |
| CBS_init(&encoded_public_key_cbs, encoded_public_key, |
| sizeof(encoded_public_key)); |
| ASSERT_TRUE(KYBER_parse_public_key(&pub, &encoded_public_key_cbs)); |
| KYBER_encap_external_entropy(ciphertext, encapsulated_key, &pub, |
| encap_entropy); |
| KYBER_decap(decapsulated_key, ciphertext, &priv); |
| |
| EXPECT_EQ(Bytes(encapsulated_key), Bytes(decapsulated_key)); |
| EXPECT_EQ(Bytes(private_key_expected), Bytes(encoded_private_key)); |
| EXPECT_EQ(Bytes(public_key_expected), Bytes(encoded_public_key)); |
| EXPECT_EQ(Bytes(ciphertext_expected), Bytes(ciphertext)); |
| EXPECT_EQ(Bytes(shared_secret_expected), Bytes(encapsulated_key)); |
| |
| uint8_t corrupted_ciphertext[KYBER_CIPHERTEXT_BYTES]; |
| OPENSSL_memcpy(corrupted_ciphertext, ciphertext, KYBER_CIPHERTEXT_BYTES); |
| corrupted_ciphertext[3] ^= 0x40; |
| uint8_t corrupted_decapsulated_key[KYBER_SHARED_SECRET_BYTES]; |
| KYBER_decap(corrupted_decapsulated_key, corrupted_ciphertext, &priv); |
| // It would be nice to have actual test vectors for the failure case, but the |
| // NIST submission currently does not include those, so we are just testing |
| // for inequality. |
| EXPECT_NE(Bytes(encapsulated_key), Bytes(corrupted_decapsulated_key)); |
| } |
| |
| TEST(KyberTest, TestVectors) { |
| FileTestGTest("crypto/kyber/kyber_tests.txt", KyberFileTest); |
| } |