kris
/
boringssl
1
0
포크 0
코드 이슈 0 풀 리퀘스트 0 릴리즈 0 위키 활동
25개 이상의 토픽을 선택하실 수 없습니다. Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5234 커밋
12 브랜치
38 MiB
트리: d12f2ba55e
브랜치 태그
${ item.name }
${ searchTerm } 브랜치 생성
from 'd12f2ba55e'
${ noResults }
boringssl/crypto/ecdh/ecdh_test.cc

ecdh_test.cc 10 KiB
Raw Normal View 히스토리

Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Check EC_POINT/EC_GROUP compatibility more accurately. Currently we only check that the underlying EC_METHODs match, which avoids the points being in different forms, but not that the points are on the same curves. (We fixed the APIs early on so off-curve EC_POINTs cannot be created.) In particular, this comes up with folks implementating Java's crypto APIs with ECDH_compute_key. These APIs are both unfortunate and should not be mimicked, as they allow folks to mismatch the groups on the two multiple EC_POINTs. Instead, ECDH APIs should take the public value as a byte string. Thanks also to Java's poor crypto APIs, we must support custom curves, which makes this particularly gnarly. This CL makes EC_GROUP_cmp work with custom curves and adds an additional subtle requirement to EC_GROUP_set_generator. Annoyingly, this change is additionally subtle because we now have a reference cycle to hack around. Change-Id: I2efbc4bd5cb65fee5f66527bd6ccad6b9d5120b9 Reviewed-on: https://boringssl-review.googlesource.com/22245 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Convert a number of tests to GTest. BUG=129 Change-Id: Ifcdacb2f5f59fd03b757f88778ceb1e672208fd9 Reviewed-on: https://boringssl-review.googlesource.com/16744 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Add an ECDH Wycheproof driver. Unfortunately, this driver suffers a lot from Wycheproof's Java heritgate, but so it goes. Their test formats bake in a lot of Java API mistakes. Change-Id: I3299e85efb58e99e4fa34841709c3bea6518968d Reviewed-on: https://boringssl-review.googlesource.com/27865 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
6 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Check EC_POINT/EC_GROUP compatibility more accurately. Currently we only check that the underlying EC_METHODs match, which avoids the points being in different forms, but not that the points are on the same curves. (We fixed the APIs early on so off-curve EC_POINTs cannot be created.) In particular, this comes up with folks implementating Java's crypto APIs with ECDH_compute_key. These APIs are both unfortunate and should not be mimicked, as they allow folks to mismatch the groups on the two multiple EC_POINTs. Instead, ECDH APIs should take the public value as a byte string. Thanks also to Java's poor crypto APIs, we must support custom curves, which makes this particularly gnarly. This CL makes EC_GROUP_cmp work with custom curves and adds an additional subtle requirement to EC_GROUP_set_generator. Annoyingly, this change is additionally subtle because we now have a reference cycle to hack around. Change-Id: I2efbc4bd5cb65fee5f66527bd6ccad6b9d5120b9 Reviewed-on: https://boringssl-review.googlesource.com/22245 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 년 전
Add an ECDH Wycheproof driver. Unfortunately, this driver suffers a lot from Wycheproof's Java heritgate, but so it goes. Their test formats bake in a lot of Java API mistakes. Change-Id: I3299e85efb58e99e4fa34841709c3bea6518968d Reviewed-on: https://boringssl-review.googlesource.com/27865 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
6 년 전
Replace Scoped* heap types with bssl::UniquePtr. Unlike the Scoped* types, bssl::UniquePtr is available to C++ users, and offered for a large variety of types. The 'extern "C++"' trick is used to make the C++ bits digestible to C callers that wrap header files in 'extern "C"'. Change-Id: Ifbca4c2997d6628e33028c7d7620c72aff0f862e Reviewed-on: https://boringssl-review.googlesource.com/10521 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Convert a number of tests to GTest. BUG=129 Change-Id: Ifcdacb2f5f59fd03b757f88778ceb1e672208fd9 Reviewed-on: https://boringssl-review.googlesource.com/16744 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 년 전
Add an ECDH Wycheproof driver. Unfortunately, this driver suffers a lot from Wycheproof's Java heritgate, but so it goes. Their test formats bake in a lot of Java API mistakes. Change-Id: I3299e85efb58e99e4fa34841709c3bea6518968d Reviewed-on: https://boringssl-review.googlesource.com/27865 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
6 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Replace Scoped* heap types with bssl::UniquePtr. Unlike the Scoped* types, bssl::UniquePtr is available to C++ users, and offered for a large variety of types. The 'extern "C++"' trick is used to make the C++ bits digestible to C callers that wrap header files in 'extern "C"'. Change-Id: Ifbca4c2997d6628e33028c7d7620c72aff0f862e Reviewed-on: https://boringssl-review.googlesource.com/10521 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Replace Scoped* heap types with bssl::UniquePtr. Unlike the Scoped* types, bssl::UniquePtr is available to C++ users, and offered for a large variety of types. The 'extern "C++"' trick is used to make the C++ bits digestible to C callers that wrap header files in 'extern "C"'. Change-Id: Ifbca4c2997d6628e33028c7d7620c72aff0f862e Reviewed-on: https://boringssl-review.googlesource.com/10521 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Replace Scoped* heap types with bssl::UniquePtr. Unlike the Scoped* types, bssl::UniquePtr is available to C++ users, and offered for a large variety of types. The 'extern "C++"' trick is used to make the C++ bits digestible to C callers that wrap header files in 'extern "C"'. Change-Id: Ifbca4c2997d6628e33028c7d7620c72aff0f862e Reviewed-on: https://boringssl-review.googlesource.com/10521 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Replace Scoped* heap types with bssl::UniquePtr. Unlike the Scoped* types, bssl::UniquePtr is available to C++ users, and offered for a large variety of types. The 'extern "C++"' trick is used to make the C++ bits digestible to C callers that wrap header files in 'extern "C"'. Change-Id: Ifbca4c2997d6628e33028c7d7620c72aff0f862e Reviewed-on: https://boringssl-review.googlesource.com/10521 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Replace Scoped* heap types with bssl::UniquePtr. Unlike the Scoped* types, bssl::UniquePtr is available to C++ users, and offered for a large variety of types. The 'extern "C++"' trick is used to make the C++ bits digestible to C callers that wrap header files in 'extern "C"'. Change-Id: Ifbca4c2997d6628e33028c7d7620c72aff0f862e Reviewed-on: https://boringssl-review.googlesource.com/10521 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Replace Scoped* heap types with bssl::UniquePtr. Unlike the Scoped* types, bssl::UniquePtr is available to C++ users, and offered for a large variety of types. The 'extern "C++"' trick is used to make the C++ bits digestible to C callers that wrap header files in 'extern "C"'. Change-Id: Ifbca4c2997d6628e33028c7d7620c72aff0f862e Reviewed-on: https://boringssl-review.googlesource.com/10521 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Replace Scoped* heap types with bssl::UniquePtr. Unlike the Scoped* types, bssl::UniquePtr is available to C++ users, and offered for a large variety of types. The 'extern "C++"' trick is used to make the C++ bits digestible to C callers that wrap header files in 'extern "C"'. Change-Id: Ifbca4c2997d6628e33028c7d7620c72aff0f862e Reviewed-on: https://boringssl-review.googlesource.com/10521 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Convert a number of tests to GTest. BUG=129 Change-Id: Ifcdacb2f5f59fd03b757f88778ceb1e672208fd9 Reviewed-on: https://boringssl-review.googlesource.com/16744 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 년 전
Import NIST ECDH test vectors. This and the following commits will import NIST's ECC test vectors. Right now all our tests pass if I make P-224 act like P-521, which is kind of embarrassing. (Other curves are actually tested, but only because runner.go tests them against BoGo.) Change-Id: Id0b20451ebd5f10f1d09765a810ad140bea28fa0 Reviewed-on: https://boringssl-review.googlesource.com/10700 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
8 년 전
Check EC_POINT/EC_GROUP compatibility more accurately. Currently we only check that the underlying EC_METHODs match, which avoids the points being in different forms, but not that the points are on the same curves. (We fixed the APIs early on so off-curve EC_POINTs cannot be created.) In particular, this comes up with folks implementating Java's crypto APIs with ECDH_compute_key. These APIs are both unfortunate and should not be mimicked, as they allow folks to mismatch the groups on the two multiple EC_POINTs. Instead, ECDH APIs should take the public value as a byte string. Thanks also to Java's poor crypto APIs, we must support custom curves, which makes this particularly gnarly. This CL makes EC_GROUP_cmp work with custom curves and adds an additional subtle requirement to EC_GROUP_set_generator. Annoyingly, this change is additionally subtle because we now have a reference cycle to hack around. Change-Id: I2efbc4bd5cb65fee5f66527bd6ccad6b9d5120b9 Reviewed-on: https://boringssl-review.googlesource.com/22245 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 년 전
Add an ECDH Wycheproof driver. Unfortunately, this driver suffers a lot from Wycheproof's Java heritgate, but so it goes. Their test formats bake in a lot of Java API mistakes. Change-Id: I3299e85efb58e99e4fa34841709c3bea6518968d Reviewed-on: https://boringssl-review.googlesource.com/27865 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
6 년 전
Rename third_party/wycheproof to satisfy a bureaucrat. Make it clear this is not a pristine full copy of all of Wycheproof as a library. Change-Id: I1aa5253a1d7c696e69b2e8d7897924f15303d9ac Reviewed-on: https://boringssl-review.googlesource.com/28188 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Martin Kreichgauer <martinkr@google.com> Reviewed-by: Martin Kreichgauer <martinkr@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
6 년 전
Add an ECDH Wycheproof driver. Unfortunately, this driver suffers a lot from Wycheproof's Java heritgate, but so it goes. Their test formats bake in a lot of Java API mistakes. Change-Id: I3299e85efb58e99e4fa34841709c3bea6518968d Reviewed-on: https://boringssl-review.googlesource.com/27865 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
6 년 전
Check EC_POINT/EC_GROUP compatibility more accurately. Currently we only check that the underlying EC_METHODs match, which avoids the points being in different forms, but not that the points are on the same curves. (We fixed the APIs early on so off-curve EC_POINTs cannot be created.) In particular, this comes up with folks implementating Java's crypto APIs with ECDH_compute_key. These APIs are both unfortunate and should not be mimicked, as they allow folks to mismatch the groups on the two multiple EC_POINTs. Instead, ECDH APIs should take the public value as a byte string. Thanks also to Java's poor crypto APIs, we must support custom curves, which makes this particularly gnarly. This CL makes EC_GROUP_cmp work with custom curves and adds an additional subtle requirement to EC_GROUP_set_generator. Annoyingly, this change is additionally subtle because we now have a reference cycle to hack around. Change-Id: I2efbc4bd5cb65fee5f66527bd6ccad6b9d5120b9 Reviewed-on: https://boringssl-review.googlesource.com/22245 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 년 전
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269 
  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <stdio.h>

  16. 

  17. #include <utility>

  18. #include <vector>

  19. 

  20. #include <gtest/gtest.h>

  21. 

  22. #include <openssl/bn.h>

  23. #include <openssl/bytestring.h>

  24. #include <openssl/crypto.h>

  25. #include <openssl/ec.h>

  26. #include <openssl/ec_key.h>

  27. #include <openssl/ecdh.h>

  28. #include <openssl/err.h>

  29. #include <openssl/evp.h>

  30. #include <openssl/nid.h>

  31. 

  32. #include "../test/file_test.h"

  33. #include "../test/test_util.h"

  34. #include "../test/wycheproof_util.h"

  35. 

  36. 

  37. static bssl::UniquePtr<EC_GROUP> GetCurve(FileTest *t, const char *key) {

  38.   std::string curve_name;

  39.   if (!t->GetAttribute(&curve_name, key)) {

  40.     return nullptr;

  41.   }

  42. 

  43.   if (curve_name == "P-224") {

  44.     return bssl::UniquePtr<EC_GROUP>(EC_GROUP_new_by_curve_name(NID_secp224r1));

  45.   }

  46.   if (curve_name == "P-256") {

  47.     return bssl::UniquePtr<EC_GROUP>(EC_GROUP_new_by_curve_name(

  48.         NID_X9_62_prime256v1));

  49.   }

  50.   if (curve_name == "P-384") {

  51.     return bssl::UniquePtr<EC_GROUP>(EC_GROUP_new_by_curve_name(NID_secp384r1));

  52.   }

  53.   if (curve_name == "P-521") {

  54.     return bssl::UniquePtr<EC_GROUP>(EC_GROUP_new_by_curve_name(NID_secp521r1));

  55.   }

  56. 

  57.   t->PrintLine("Unknown curve '%s'", curve_name.c_str());

  58.   return nullptr;

  59. }

  60. 

  61. static bssl::UniquePtr<BIGNUM> GetBIGNUM(FileTest *t, const char *key) {

  62.   std::vector<uint8_t> bytes;

  63.   if (!t->GetBytes(&bytes, key)) {

  64.     return nullptr;

  65.   }

  66. 

  67.   return bssl::UniquePtr<BIGNUM>(BN_bin2bn(bytes.data(), bytes.size(), nullptr));

  68. }

  69. 

  70. TEST(ECDHTest, TestVectors) {

  71.   FileTestGTest("crypto/ecdh/ecdh_tests.txt", [](FileTest *t) {

  72.     bssl::UniquePtr<EC_GROUP> group = GetCurve(t, "Curve");

  73.     ASSERT_TRUE(group);

  74.     bssl::UniquePtr<BIGNUM> priv_key = GetBIGNUM(t, "Private");

  75.     ASSERT_TRUE(priv_key);

  76.     bssl::UniquePtr<BIGNUM> x = GetBIGNUM(t, "X");

  77.     ASSERT_TRUE(x);

  78.     bssl::UniquePtr<BIGNUM> y = GetBIGNUM(t, "Y");

  79.     ASSERT_TRUE(y);

  80.     bssl::UniquePtr<BIGNUM> peer_x = GetBIGNUM(t, "PeerX");

  81.     ASSERT_TRUE(peer_x);

  82.     bssl::UniquePtr<BIGNUM> peer_y = GetBIGNUM(t, "PeerY");

  83.     ASSERT_TRUE(peer_y);

  84.     std::vector<uint8_t> z;

  85.     ASSERT_TRUE(t->GetBytes(&z, "Z"));

  86. 

  87.     bssl::UniquePtr<EC_KEY> key(EC_KEY_new());

  88.     ASSERT_TRUE(key);

  89.     bssl::UniquePtr<EC_POINT> pub_key(EC_POINT_new(group.get()));

  90.     ASSERT_TRUE(pub_key);

  91.     bssl::UniquePtr<EC_POINT> peer_pub_key(EC_POINT_new(group.get()));

  92.     ASSERT_TRUE(peer_pub_key);

  93.     ASSERT_TRUE(EC_KEY_set_group(key.get(), group.get()));

  94.     ASSERT_TRUE(EC_KEY_set_private_key(key.get(), priv_key.get()));

  95.     ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp(group.get(), pub_key.get(),

  96.                                                     x.get(), y.get(), nullptr));

  97.     ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp(

  98.         group.get(), peer_pub_key.get(), peer_x.get(), peer_y.get(), nullptr));

  99.     ASSERT_TRUE(EC_KEY_set_public_key(key.get(), pub_key.get()));

  100.     ASSERT_TRUE(EC_KEY_check_key(key.get()));

  101. 

  102.     std::vector<uint8_t> actual_z;

  103.     // Make |actual_z| larger than expected to ensure |ECDH_compute_key| returns

  104.     // the right amount of data.

  105.     actual_z.resize(z.size() + 1);

  106.     int ret = ECDH_compute_key(actual_z.data(), actual_z.size(),

  107.                                peer_pub_key.get(), key.get(), nullptr);

  108.     ASSERT_GE(ret, 0);

  109.     EXPECT_EQ(Bytes(z), Bytes(actual_z.data(), static_cast<size_t>(ret)));

  110. 

  111.     // Test |ECDH_compute_key| truncates.

  112.     actual_z.resize(z.size() - 1);

  113.     ret = ECDH_compute_key(actual_z.data(), actual_z.size(), peer_pub_key.get(),

  114.                            key.get(), nullptr);

  115.     ASSERT_GE(ret, 0);

  116.     EXPECT_EQ(Bytes(z.data(), z.size() - 1),

  117.               Bytes(actual_z.data(), static_cast<size_t>(ret)));

  118.   });

  119. }

  120. 

  121. TEST(ECDHTest, Wycheproof) {

  122.   FileTestGTest("third_party/wycheproof_testvectors/ecdh_test.txt",

  123.                 [](FileTest *t) {

  124.     t->IgnoreInstruction("curve");  // This is redundant with the per-test one.

  125. 

  126.     bssl::UniquePtr<EC_GROUP> group = GetWycheproofCurve(t, "curve", false);

  127.     ASSERT_TRUE(group);

  128.     bssl::UniquePtr<BIGNUM> priv_key = GetWycheproofBIGNUM(t, "private", false);

  129.     ASSERT_TRUE(priv_key);

  130.     std::vector<uint8_t> peer_spki;

  131.     ASSERT_TRUE(t->GetBytes(&peer_spki, "public"));

  132.     WycheproofResult result;

  133.     ASSERT_TRUE(GetWycheproofResult(t, &result));

  134.     std::vector<uint8_t> shared;

  135.     ASSERT_TRUE(t->GetBytes(&shared, "shared"));

  136. 

  137.     // Wycheproof stores the peer key in an SPKI to mimic a Java API mistake.

  138.     // This is non-standard and error-prone.

  139.     CBS cbs;

  140.     CBS_init(&cbs, peer_spki.data(), peer_spki.size());

  141.     bssl::UniquePtr<EVP_PKEY> peer_evp(EVP_parse_public_key(&cbs));

  142.     if (!peer_evp) {

  143.       // Note some of Wycheproof's "acceptable" entries are unsupported by

  144.       // BoringSSL because they test named curves (explicitly forbidden by RFC

  145.       // 5480), while others are supported because they used compressed

  146.       // coordinates. If the peer key fails to parse, we consider it to match

  147.       // "acceptable", but if the resulting shared secret matches below, it too

  148.       // matches "acceptable".

  149.       //

  150.       // TODO(davidben): Use the flags field to disambiguate these. Possibly

  151.       // first get the Wycheproof folks to use flags more consistently.

  152.       EXPECT_NE(WycheproofResult::kValid, result);

  153.       return;

  154.     }

  155.     EC_KEY *peer_ec = EVP_PKEY_get0_EC_KEY(peer_evp.get());

  156.     ASSERT_TRUE(peer_ec);

  157. 

  158.     bssl::UniquePtr<EC_KEY> key(EC_KEY_new());

  159.     ASSERT_TRUE(key);

  160.     ASSERT_TRUE(EC_KEY_set_group(key.get(), group.get()));

  161.     ASSERT_TRUE(EC_KEY_set_private_key(key.get(), priv_key.get()));

  162. 

  163.     std::vector<uint8_t> actual((EC_GROUP_get_degree(group.get()) + 7) / 8);

  164.     int ret =

  165.         ECDH_compute_key(actual.data(), actual.size(),

  166.                          EC_KEY_get0_public_key(peer_ec), key.get(), nullptr);

  167.     if (result == WycheproofResult::kInvalid) {

  168.       EXPECT_EQ(-1, ret);

  169.     } else {

  170.       EXPECT_EQ(static_cast<int>(actual.size()), ret);

  171.       EXPECT_EQ(Bytes(shared), Bytes(actual.data(), static_cast<size_t>(ret)));

  172.     }

  173.   });

  174. }

  175. 

  176. // MakeCustomGroup returns an |EC_GROUP| containing a non-standard group. (P-256

  177. // with the wrong generator.)

  178. static bssl::UniquePtr<EC_GROUP> MakeCustomGroup() {

  179.   static const uint8_t kP[] = {

  180.       0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,

  181.       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,

  182.       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,

  183.   };

  184.   static const uint8_t kA[] = {

  185.       0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,

  186.       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,

  187.       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc,

  188.   };

  189.   static const uint8_t kB[] = {

  190.       0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb, 0xbd,

  191.       0x55, 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53,

  192.       0xb0, 0xf6, 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b,

  193.   };

  194.   static const uint8_t kX[] = {

  195.       0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f, 0x1e,

  196.       0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d,

  197.       0x46, 0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba, 0x5a,

  198.   };

  199.   static const uint8_t kY[] = {

  200.       0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4, 0xa3,

  201.       0x1e, 0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c, 0xf5,

  202.       0x1d, 0x7e, 0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22, 0xc1,

  203.   };

  204.   static const uint8_t kOrder[] = {

  205.       0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,

  206.       0xff, 0xff, 0xff, 0xff, 0xff, 0xbc, 0xe6, 0xfa, 0xad, 0xa7, 0x17,

  207.       0x9e, 0x84, 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x51,

  208.   };

  209.   bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new());

  210.   bssl::UniquePtr<BIGNUM> p(BN_bin2bn(kP, sizeof(kP), nullptr));

  211.   bssl::UniquePtr<BIGNUM> a(BN_bin2bn(kA, sizeof(kA), nullptr));

  212.   bssl::UniquePtr<BIGNUM> b(BN_bin2bn(kB, sizeof(kB), nullptr));

  213.   bssl::UniquePtr<BIGNUM> x(BN_bin2bn(kX, sizeof(kX), nullptr));

  214.   bssl::UniquePtr<BIGNUM> y(BN_bin2bn(kY, sizeof(kY), nullptr));

  215.   bssl::UniquePtr<BIGNUM> order(BN_bin2bn(kOrder, sizeof(kOrder), nullptr));

  216.   if (!ctx || !p || !a || !b || !x || !y || !order) {

  217.     return nullptr;

  218.   }

  219.   bssl::UniquePtr<EC_GROUP> group(

  220.       EC_GROUP_new_curve_GFp(p.get(), a.get(), b.get(), ctx.get()));

  221.   if (!group) {

  222.     return nullptr;

  223.   }

  224.   bssl::UniquePtr<EC_POINT> generator(EC_POINT_new(group.get()));

  225.   if (!generator ||

  226.       !EC_POINT_set_affine_coordinates_GFp(group.get(), generator.get(),

  227.                                            x.get(), y.get(), ctx.get()) ||

  228.       !EC_GROUP_set_generator(group.get(), generator.get(), order.get(),

  229.                               BN_value_one())) {

  230.     return nullptr;

  231.   }

  232.   return group;

  233. }

  234. 

  235. TEST(ECDHTest, GroupMismatch) {

  236.   const size_t num_curves = EC_get_builtin_curves(nullptr, 0);

  237.   std::vector<EC_builtin_curve> curves(num_curves);

  238.   EC_get_builtin_curves(curves.data(), num_curves);

  239. 

  240.   // Instantiate all the built-in curves.

  241.   std::vector<bssl::UniquePtr<EC_GROUP>> groups;

  242.   for (const auto &curve : curves) {

  243.     groups.emplace_back(EC_GROUP_new_by_curve_name(curve.nid));

  244.     ASSERT_TRUE(groups.back());

  245.   }

  246. 

  247.   // Also create some arbitrary group. (This is P-256 with the wrong generator.)

  248.   groups.push_back(MakeCustomGroup());

  249.   ASSERT_TRUE(groups.back());

  250. 

  251.   for (const auto &a : groups) {

  252.     for (const auto &b : groups) {

  253.       if (a.get() == b.get()) {

  254.         continue;

  255.       }

  256. 

  257.       bssl::UniquePtr<EC_KEY> key(EC_KEY_new());

  258.       ASSERT_TRUE(EC_KEY_set_group(key.get(), a.get()));

  259.       ASSERT_TRUE(EC_KEY_generate_key(key.get()));

  260. 

  261.       // ECDH across the groups should not work.

  262.       char out[64];

  263.       const EC_POINT *peer = EC_GROUP_get0_generator(b.get());

  264.       EXPECT_EQ(-1,

  265.                 ECDH_compute_key(out, sizeof(out), peer, key.get(), nullptr));

  266.       ERR_clear_error();

  267.     }

  268.   }

  269. }