newhope_test: corrupt things harder.
This ensures that the test is not flaky after lots of iterations.
Along the way, change newhope_test.cc to C++.
Change-Id: I4ef139444b8c8a98db53d075105eb6806f6c5fc7
Reviewed-on: https://boringssl-review.googlesource.com/8110
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/newhope/CMakeLists.txt b/crypto/newhope/CMakeLists.txt
index 7787cce..ff928fe 100644
--- a/crypto/newhope/CMakeLists.txt
+++ b/crypto/newhope/CMakeLists.txt
@@ -14,7 +14,7 @@
add_executable(
newhope_test
- newhope_test.c
+ newhope_test.cc
$<TARGET_OBJECTS:test_support>
)
diff --git a/crypto/newhope/newhope_test.c b/crypto/newhope/newhope_test.c
deleted file mode 100644
index f3e011f..0000000
--- a/crypto/newhope/newhope_test.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/* Copyright (c) 2016, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <math.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/crypto.h>
-#include <openssl/rand.h>
-
-#include "internal.h"
-
-
-#define NTESTS 1
-
-static int test_keys(void) {
- NEWHOPE_POLY *sk = NEWHOPE_POLY_new();
- uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH];
- uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
- uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
- int i;
-
- for (i = 0; i < NTESTS; i++) {
- /* Alice generates a public key */
- NEWHOPE_offer(offermsg, sk);
-
- /* Bob derives a secret key and creates a response */
- if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) {
- fprintf(stderr, "ERROR accept key exchange failed\n");
- return 0;
- }
-
- /* Alice uses Bob's response to get her secret key */
- if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) {
- fprintf(stderr, "ERROR finish key exchange failed\n");
- return 0;
- }
-
- if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) != 0) {
- fprintf(stderr, "ERROR keys did not agree\n");
- return 0;
- }
- }
-
- NEWHOPE_POLY_free(sk);
- return 1;
-}
-
-static int test_invalid_sk_a(void) {
- NEWHOPE_POLY *sk = NEWHOPE_POLY_new();
- uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH];
- uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
- uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
- int i;
-
- for (i = 0; i < NTESTS; i++) {
- /* Alice generates a public key */
- NEWHOPE_offer(offermsg, sk);
-
- /* Bob derives a secret key and creates a response */
- if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) {
- fprintf(stderr, "ERROR accept key exchange failed\n");
- return 0;
- }
-
- /* Corrupt the secret key */
- NEWHOPE_offer(offermsg /* not used below */, sk);
-
- /* Alice uses Bob's response to get her secret key */
- if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) {
- fprintf(stderr, "ERROR finish key exchange failed\n");
- return 0;
- }
-
- if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) == 0) {
- fprintf(stderr, "ERROR invalid sk_a\n");
- return 0;
- }
- }
-
- NEWHOPE_POLY_free(sk);
- return 1;
-}
-
-static int test_invalid_ciphertext(void) {
- NEWHOPE_POLY *sk = NEWHOPE_POLY_new();
- uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH];
- uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
- uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
- int i;
-
- for (i = 0; i < 10; i++) {
- /* Alice generates a public key */
- NEWHOPE_offer(offermsg, sk);
-
- /* Bob derives a secret key and creates a response */
- if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) {
- fprintf(stderr, "ERROR accept key exchange failed\n");
- return 0;
- }
-
- /* Change some byte in the "ciphertext" */
- acceptmsg[42] ^= 1;
-
- /* Alice uses Bob's response to get her secret key */
- if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) {
- fprintf(stderr, "ERROR finish key exchange failed\n");
- return 0;
- }
-
- if (!memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH)) {
- fprintf(stderr, "ERROR invalid acceptmsg\n");
- return 0;
- }
- }
-
- NEWHOPE_POLY_free(sk);
- return 1;
-}
-
-int main(void) {
- if (!test_keys() || !test_invalid_sk_a() || !test_invalid_ciphertext()) {
- return 1;
- }
- printf("PASS\n");
- return 0;
-}
diff --git a/crypto/newhope/newhope_test.cc b/crypto/newhope/newhope_test.cc
new file mode 100644
index 0000000..6637393
--- /dev/null
+++ b/crypto/newhope/newhope_test.cc
@@ -0,0 +1,142 @@
+/* Copyright (c) 2016, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <math.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
+
+#include "../test/scoped_types.h"
+#include "internal.h"
+
+
+// Set to 10 for quick execution. Tested up to 1,000,000.
+static const int kNumTests = 10;
+
+static bool TestKeys(void) {
+ // Alice generates a public key.
+ ScopedNEWHOPE_POLY sk(NEWHOPE_POLY_new());
+ uint8_t offer_msg[NEWHOPE_OFFERMSG_LENGTH];
+ NEWHOPE_offer(offer_msg, sk.get());
+
+ // Bob derives a secret key and creates a response.
+ uint8_t accept_msg[NEWHOPE_ACCEPTMSG_LENGTH];
+ uint8_t accept_key[SHA256_DIGEST_LENGTH];
+ if (!NEWHOPE_accept(accept_key, accept_msg, offer_msg, sizeof(offer_msg))) {
+ fprintf(stderr, "ERROR accept key exchange failed\n");
+ return false;
+ }
+
+ // Alice uses Bob's response to get her secret key.
+ uint8_t offer_key[SHA256_DIGEST_LENGTH];
+ if (!NEWHOPE_finish(offer_key, sk.get(), accept_msg, sizeof(accept_msg))) {
+ fprintf(stderr, "ERROR finish key exchange failed\n");
+ return false;
+ }
+
+ if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) != 0) {
+ fprintf(stderr, "ERROR keys did not agree\n");
+ return false;
+ }
+
+ return true;
+}
+
+static bool TestInvalidSK(void) {
+ // Alice generates a public key.
+ uint8_t offer_msg[NEWHOPE_OFFERMSG_LENGTH];
+ ScopedNEWHOPE_POLY sk(NEWHOPE_POLY_new());
+ NEWHOPE_offer(offer_msg, sk.get());
+
+ // Bob derives a secret key and creates a response.
+ uint8_t accept_key[SHA256_DIGEST_LENGTH];
+ uint8_t accept_msg[NEWHOPE_ACCEPTMSG_LENGTH];
+ if (!NEWHOPE_accept(accept_key, accept_msg, offer_msg, sizeof(offer_msg))) {
+ fprintf(stderr, "ERROR accept key exchange failed\n");
+ return false;
+ }
+
+ // Corrupt the secret key. It turns out that you need to corrupt a lot of
+ // bits to ensure that the key exchange always fails!
+ sk->coeffs[PARAM_N - 1] = 0;
+ sk->coeffs[PARAM_N - 2] = 0;
+ sk->coeffs[PARAM_N - 3] = 0;
+ sk->coeffs[PARAM_N - 4] = 0;
+
+ // Alice uses Bob's response to get her secret key.
+ uint8_t offer_key[SHA256_DIGEST_LENGTH];
+ if (!NEWHOPE_finish(offer_key, sk.get(), accept_msg, sizeof(accept_msg))) {
+ fprintf(stderr, "ERROR finish key exchange failed\n");
+ return false;
+ }
+
+ if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) == 0) {
+ fprintf(stderr, "ERROR keys agreed despite corrupt sk\n");
+ return false;
+ }
+
+ return true;
+}
+
+static bool TestInvalidAcceptMsg(void) {
+ // Alice generates a public key.
+ ScopedNEWHOPE_POLY sk(NEWHOPE_POLY_new());
+ uint8_t offer_msg[NEWHOPE_OFFERMSG_LENGTH];
+ NEWHOPE_offer(offer_msg, sk.get());
+
+ // Bob derives a secret key and creates a response.
+ uint8_t accept_key[SHA256_DIGEST_LENGTH];
+ uint8_t accept_msg[NEWHOPE_ACCEPTMSG_LENGTH];
+ if (!NEWHOPE_accept(accept_key, accept_msg, offer_msg, sizeof(offer_msg))) {
+ fprintf(stderr, "ERROR accept key exchange failed\n");
+ return false;
+ }
+
+ // Corrupt the (polynomial part of the) accept message. It turns out that
+ // you need to corrupt a lot of bits to ensure that the key exchange always
+ // fails!
+ accept_msg[PARAM_N - 1] = 0;
+ accept_msg[PARAM_N - 2] = 0;
+ accept_msg[PARAM_N - 3] = 0;
+ accept_msg[PARAM_N - 4] = 0;
+
+ // Alice uses Bob's response to get her secret key.
+ uint8_t offer_key[SHA256_DIGEST_LENGTH];
+ if (!NEWHOPE_finish(offer_key, sk.get(), accept_msg, sizeof(accept_msg))) {
+ fprintf(stderr, "ERROR finish key exchange failed\n");
+ return false;
+ }
+
+ if (!memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH)) {
+ fprintf(stderr, "ERROR keys agreed despite corrupt accept message\n");
+ return false;
+ }
+
+ return true;
+}
+
+int main(void) {
+ for (int i = 0; i < kNumTests; i++) {
+ if (!TestKeys() ||
+ !TestInvalidSK() ||
+ !TestInvalidAcceptMsg()) {
+ return 1;
+ }
+ }
+
+ printf("PASS\n");
+ return 0;
+}
