HRSS: be strict about unused bits being zero.
It's excessively complex to worry about leaving these few bits for
extensions. If we need to change things, we can spin a new curve ID in
TLS. We don't need to support two versions during the transition because
a fallback to X25519 is still fine.
Change-Id: I0a4019d5693db0f0f3a5379909d99c2e2c762560
Reviewed-on: https://boringssl-review.googlesource.com/c/33704
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/hrss/hrss_test.cc b/crypto/hrss/hrss_test.cc
index ead717d..714cc7a 100644
--- a/crypto/hrss/hrss_test.cc
+++ b/crypto/hrss/hrss_test.cc
@@ -208,7 +208,7 @@
for (unsigned j = 0; j < 10; j++) {
uint8_t encap_entropy[HRSS_ENCAP_BYTES];
RAND_bytes(encap_entropy, sizeof(encap_entropy));
- SCOPED_TRACE(Bytes(generate_key_entropy));
+ SCOPED_TRACE(Bytes(encap_entropy));
uint8_t ciphertext[HRSS_CIPHERTEXT_BYTES];
uint8_t shared_key[HRSS_KEY_BYTES];
@@ -216,8 +216,15 @@
uint8_t shared_key2[HRSS_KEY_BYTES];
HRSS_decap(shared_key2, &pub, &priv, ciphertext, sizeof(ciphertext));
-
EXPECT_EQ(Bytes(shared_key), Bytes(shared_key2));
+
+ uint32_t offset;
+ RAND_bytes((uint8_t*) &offset, sizeof(offset));
+ uint8_t bit;
+ RAND_bytes(&bit, sizeof(bit));
+ ciphertext[offset % sizeof(ciphertext)] ^= (1 << (bit & 7));
+ HRSS_decap(shared_key2, &pub, &priv, ciphertext, sizeof(ciphertext));
+ EXPECT_NE(Bytes(shared_key), Bytes(shared_key2));
}
}
}
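Review bot: The strictness the commit title announces is only exercised by chance in the added lines: the new loop body flips one bit chosen by a random `offset` and `bit`, so any particular unused ciphertext bit is hit with roughly 1-in-(8·HRSS_CIPHERTEXT_BYTES) probability per iteration, and a regression that once again ignores those bits would almost never turn this test red. A deterministic companion check that sets each bit the commit now requires to be zero, one at a time (restoring the ciphertext between attempts), and asserts `EXPECT_NE(Bytes(shared_key), Bytes(shared_key2))` for each would pin the new behaviour; which bits those are is not visible in this hunk and would have to be taken from the encoding in hrss.c. If decapsulation of a corrupted ciphertext is meant to be implicit rejection, it is presumably deterministic, so decapsulating the same corrupted buffer twice and comparing the two outputs would be a cheap extra assertion. The intent of the random flip also deserves a comment above the `uint32_t offset;` line, e.g. `// Corrupting any single bit of the ciphertext must change the derived key.` The enclosing `for` loops and the test function itself begin before this hunk.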