This is consistent with the new convention in ssl_ecdh.c. Along the way, change newhope_test.c to not iterate 1000 times over each test. Change-Id: I7a500f45b838eba8f6df96957891aa8e880ba089 Reviewed-on: https://boringssl-review.googlesource.com/8012 Reviewed-by: David Benjamin <davidben@google.com>kris/onging/CECPQ3_patch15
@@ -46,14 +46,14 @@ static void decode_rec(const uint8_t *r, NEWHOPE_POLY *c) { | |||
} | |||
} | |||
void NEWHOPE_keygen(uint8_t *servermsg, NEWHOPE_POLY *sk) { | |||
void NEWHOPE_offer(uint8_t *offermsg, NEWHOPE_POLY *sk) { | |||
newhope_poly_getnoise(sk); | |||
newhope_poly_ntt(sk); | |||
/* The first part of the server's message is the seed, which compactly encodes | |||
/* The first part of the offer message is the seed, which compactly encodes | |||
* a. */ | |||
NEWHOPE_POLY a; | |||
uint8_t *seed = &servermsg[POLY_BYTES]; | |||
uint8_t *seed = &offermsg[POLY_BYTES]; | |||
RAND_bytes(seed, SEED_LENGTH); | |||
newhope_poly_uniform(&a, seed); | |||
@@ -61,18 +61,18 @@ void NEWHOPE_keygen(uint8_t *servermsg, NEWHOPE_POLY *sk) { | |||
newhope_poly_getnoise(&e); | |||
newhope_poly_ntt(&e); | |||
/* The second part of the server's message is the polynomial pk = a*sk+e */ | |||
/* The second part of the offer message is the polynomial pk = a*sk+e */ | |||
NEWHOPE_POLY r, pk; | |||
newhope_poly_pointwise(&r, sk, &a); | |||
newhope_poly_add(&pk, &e, &r); | |||
newhope_poly_tobytes(servermsg, &pk); | |||
newhope_poly_tobytes(offermsg, &pk); | |||
} | |||
int NEWHOPE_client_compute_key( | |||
uint8_t key[SHA256_DIGEST_LENGTH], | |||
uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH], | |||
const uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH], size_t msg_len) { | |||
if (msg_len != NEWHOPE_SERVERMSG_LENGTH) { | |||
int NEWHOPE_accept(uint8_t key[SHA256_DIGEST_LENGTH], | |||
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH], | |||
const uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH], | |||
size_t msg_len) { | |||
if (msg_len != NEWHOPE_OFFERMSG_LENGTH) { | |||
return 0; | |||
} | |||
@@ -80,28 +80,28 @@ int NEWHOPE_client_compute_key( | |||
newhope_poly_getnoise(&sp); | |||
newhope_poly_ntt(&sp); | |||
/* The first part of the client's message is the polynomial bp=e'+a*s' */ | |||
/* The first part of the accept message is the polynomial bp=e'+a*s' */ | |||
{ | |||
NEWHOPE_POLY ep; | |||
newhope_poly_getnoise(&ep); | |||
newhope_poly_ntt(&ep); | |||
/* Generate the same |a| as the server, from the server's seed. */ | |||
/* Generate the same |a| as the peer, from the peer's seed. */ | |||
NEWHOPE_POLY a; | |||
const uint8_t *seed = &servermsg[POLY_BYTES]; | |||
const uint8_t *seed = &offermsg[POLY_BYTES]; | |||
newhope_poly_uniform(&a, seed); | |||
NEWHOPE_POLY bp; | |||
newhope_poly_pointwise(&bp, &a, &sp); | |||
newhope_poly_add(&bp, &bp, &ep); | |||
newhope_poly_tobytes(clientmsg, &bp); | |||
newhope_poly_tobytes(acceptmsg, &bp); | |||
} | |||
/* v = pk * s' + e'' */ | |||
NEWHOPE_POLY v; | |||
{ | |||
NEWHOPE_POLY pk; | |||
newhope_poly_frombytes(&pk, servermsg); | |||
newhope_poly_frombytes(&pk, offermsg); | |||
NEWHOPE_POLY epp; | |||
newhope_poly_getnoise(&epp); | |||
@@ -111,10 +111,10 @@ int NEWHOPE_client_compute_key( | |||
newhope_poly_add(&v, &v, &epp); | |||
} | |||
/* The second part of the client's message is the reconciliation data derived | |||
/* The second part of the accept message is the reconciliation data derived | |||
* from v. */ | |||
NEWHOPE_POLY c; | |||
uint8_t *reconciliation = &clientmsg[POLY_BYTES]; | |||
uint8_t *reconciliation = &acceptmsg[POLY_BYTES]; | |||
newhope_helprec(&c, &v); | |||
encode_rec(&c, reconciliation); | |||
@@ -130,21 +130,21 @@ int NEWHOPE_client_compute_key( | |||
return 1; | |||
} | |||
int NEWHOPE_server_compute_key( | |||
uint8_t key[SHA256_DIGEST_LENGTH], const NEWHOPE_POLY *sk, | |||
const uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH], size_t msg_len) { | |||
if (msg_len != NEWHOPE_CLIENTMSG_LENGTH) { | |||
int NEWHOPE_finish(uint8_t key[SHA256_DIGEST_LENGTH], const NEWHOPE_POLY *sk, | |||
const uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH], | |||
size_t msg_len) { | |||
if (msg_len != NEWHOPE_ACCEPTMSG_LENGTH) { | |||
return 0; | |||
} | |||
NEWHOPE_POLY bp; | |||
newhope_poly_frombytes(&bp, clientmsg); | |||
newhope_poly_frombytes(&bp, acceptmsg); | |||
NEWHOPE_POLY v; | |||
newhope_poly_pointwise(&v, sk, &bp); | |||
newhope_poly_invntt(&v); | |||
NEWHOPE_POLY c; | |||
const uint8_t *reconciliation = &clientmsg[POLY_BYTES]; | |||
const uint8_t *reconciliation = &acceptmsg[POLY_BYTES]; | |||
decode_rec(reconciliation, &c); | |||
uint8_t k[KEY_LENGTH]; | |||
@@ -22,34 +22,32 @@ | |||
#include "internal.h" | |||
#define NTESTS 1000 | |||
#define NTESTS 1 | |||
static int test_keys(void) { | |||
NEWHOPE_POLY *sk = NEWHOPE_POLY_new(); | |||
uint8_t server_key[SHA256_DIGEST_LENGTH], client_key[SHA256_DIGEST_LENGTH]; | |||
uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH]; | |||
uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH]; | |||
uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH]; | |||
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH]; | |||
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH]; | |||
int i; | |||
for (i = 0; i < NTESTS; i++) { | |||
/* Alice generates a public key */ | |||
NEWHOPE_keygen(servermsg, sk); | |||
NEWHOPE_offer(offermsg, sk); | |||
/* Bob derives a secret key and creates a response */ | |||
if (!NEWHOPE_client_compute_key(client_key, clientmsg, servermsg, | |||
sizeof(servermsg))) { | |||
fprintf(stderr, "ERROR client key exchange failed\n"); | |||
if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) { | |||
fprintf(stderr, "ERROR accept key exchange failed\n"); | |||
return 0; | |||
} | |||
/* Alice uses Bob's response to get her secret key */ | |||
if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg, | |||
sizeof(clientmsg))) { | |||
fprintf(stderr, "ERROR server key exchange failed\n"); | |||
if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) { | |||
fprintf(stderr, "ERROR finish key exchange failed\n"); | |||
return 0; | |||
} | |||
if (memcmp(server_key, client_key, SHA256_DIGEST_LENGTH) != 0) { | |||
if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) != 0) { | |||
fprintf(stderr, "ERROR keys did not agree\n"); | |||
return 0; | |||
} | |||
@@ -61,33 +59,31 @@ static int test_keys(void) { | |||
static int test_invalid_sk_a(void) { | |||
NEWHOPE_POLY *sk = NEWHOPE_POLY_new(); | |||
uint8_t server_key[SHA256_DIGEST_LENGTH], client_key[SHA256_DIGEST_LENGTH]; | |||
uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH]; | |||
uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH]; | |||
uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH]; | |||
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH]; | |||
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH]; | |||
int i; | |||
for (i = 0; i < NTESTS; i++) { | |||
/* Alice generates a public key */ | |||
NEWHOPE_keygen(servermsg, sk); | |||
NEWHOPE_offer(offermsg, sk); | |||
/* Bob derives a secret key and creates a response */ | |||
if (!NEWHOPE_client_compute_key(client_key, clientmsg, servermsg, | |||
sizeof(servermsg))) { | |||
fprintf(stderr, "ERROR client key exchange failed\n"); | |||
if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) { | |||
fprintf(stderr, "ERROR accept key exchange failed\n"); | |||
return 0; | |||
} | |||
/* Corrupt the secret key */ | |||
NEWHOPE_keygen(servermsg /* not used below */, sk); | |||
NEWHOPE_offer(offermsg /* not used below */, sk); | |||
/* Alice uses Bob's response to get her secret key */ | |||
if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg, | |||
sizeof(clientmsg))) { | |||
fprintf(stderr, "ERROR server key exchange failed\n"); | |||
if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) { | |||
fprintf(stderr, "ERROR finish key exchange failed\n"); | |||
return 0; | |||
} | |||
if (memcmp(server_key, client_key, SHA256_DIGEST_LENGTH) == 0) { | |||
if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) == 0) { | |||
fprintf(stderr, "ERROR invalid sk_a\n"); | |||
return 0; | |||
} | |||
@@ -99,34 +95,32 @@ static int test_invalid_sk_a(void) { | |||
static int test_invalid_ciphertext(void) { | |||
NEWHOPE_POLY *sk = NEWHOPE_POLY_new(); | |||
uint8_t server_key[SHA256_DIGEST_LENGTH], client_key[SHA256_DIGEST_LENGTH]; | |||
uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH]; | |||
uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH]; | |||
uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH]; | |||
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH]; | |||
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH]; | |||
int i; | |||
for (i = 0; i < 10; i++) { | |||
/* Alice generates a public key */ | |||
NEWHOPE_keygen(servermsg, sk); | |||
NEWHOPE_offer(offermsg, sk); | |||
/* Bob derives a secret key and creates a response */ | |||
if (!NEWHOPE_client_compute_key(client_key, clientmsg, servermsg, | |||
sizeof(servermsg))) { | |||
fprintf(stderr, "ERROR client key exchange failed\n"); | |||
if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) { | |||
fprintf(stderr, "ERROR accept key exchange failed\n"); | |||
return 0; | |||
} | |||
/* Change some byte in the "ciphertext" */ | |||
clientmsg[42] ^= 1; | |||
acceptmsg[42] ^= 1; | |||
/* Alice uses Bob's response to get her secret key */ | |||
if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg, | |||
sizeof(clientmsg))) { | |||
fprintf(stderr, "ERROR server key exchange failed\n"); | |||
if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) { | |||
fprintf(stderr, "ERROR finish key exchange failed\n"); | |||
return 0; | |||
} | |||
if (!memcmp(server_key, client_key, SHA256_DIGEST_LENGTH)) { | |||
fprintf(stderr, "ERROR invalid clientmsg\n"); | |||
if (!memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH)) { | |||
fprintf(stderr, "ERROR invalid acceptmsg\n"); | |||
return 0; | |||
} | |||
} | |||
@@ -38,37 +38,38 @@ OPENSSL_EXPORT NEWHOPE_POLY *NEWHOPE_POLY_new(void); | |||
/* NEWHOPE_POLY_free frees |p|. */ | |||
OPENSSL_EXPORT void NEWHOPE_POLY_free(NEWHOPE_POLY *p); | |||
/* NEWHOPE_SERVERMSG_LENGTH is the length of the server's message to the | |||
* client. */ | |||
#define NEWHOPE_SERVERMSG_LENGTH (((1024 * 14) / 8) + 32) | |||
/* NEWHOPE_OFFERMSG_LENGTH is the length of the offering party's message to the | |||
* accepting party. */ | |||
#define NEWHOPE_OFFERMSG_LENGTH (((1024 * 14) / 8) + 32) | |||
/* NEWHOPE_CLIENTMSG_LENGTH is the length of the client's message to the | |||
* server. */ | |||
#define NEWHOPE_CLIENTMSG_LENGTH (((1024 * 14) / 8) + 1024 / 4) | |||
/* NEWHOPE_ACCEPTMSG_LENGTH is the length of the accepting party's message to | |||
* the offering party. */ | |||
#define NEWHOPE_ACCEPTMSG_LENGTH (((1024 * 14) / 8) + 1024 / 4) | |||
/* NEWHOPE_keygen initializes |out_msg| and |out_sk| for a new key | |||
* exchange. |msg| must have room for |NEWHOPE_SERVERMSG_LENGTH| bytes. Neither | |||
/* NEWHOPE_offer initializes |out_msg| and |out_sk| for a new key | |||
* exchange. |msg| must have room for |NEWHOPE_OFFERMSG_LENGTH| bytes. Neither | |||
* output may be cached. */ | |||
OPENSSL_EXPORT void NEWHOPE_keygen(uint8_t out_msg[NEWHOPE_SERVERMSG_LENGTH], | |||
NEWHOPE_POLY *out_sk); | |||
/* NEWHOPE_server_compute_key completes a key exchange given a client message | |||
* |msg| and the previously generated server secret |sk|. The result of the | |||
* key exchange is written to |out_key|, which must have space for | |||
OPENSSL_EXPORT void NEWHOPE_offer(uint8_t out_msg[NEWHOPE_OFFERMSG_LENGTH], | |||
NEWHOPE_POLY *out_sk); | |||
/* NEWHOPE_accept completes a key exchange given an offer message |msg|. The | |||
* result of the key exchange is written to |out_key|, which must have space for | |||
* |SHA256_DIGEST_LENGTH| bytes. The message to be send to the offering party is | |||
* written to |out_msg|, which must have room for |NEWHOPE_ACCEPTMSG_LENGTH| | |||
* bytes. Returns 1 on success and 0 on error. */ | |||
OPENSSL_EXPORT int NEWHOPE_accept(uint8_t out_key[SHA256_DIGEST_LENGTH], | |||
uint8_t out_msg[NEWHOPE_ACCEPTMSG_LENGTH], | |||
const uint8_t msg[NEWHOPE_OFFERMSG_LENGTH], | |||
size_t msg_len); | |||
/* NEWHOPE_finish completes a key exchange for the offering party, given an | |||
* accept message |msg| and the previously generated secret |sk|. The result of | |||
* the key exchange is written to |out_key|, which must have space for | |||
* |SHA256_DIGEST_LENGTH| bytes. Returns 1 on success and 0 on error. */ | |||
OPENSSL_EXPORT int NEWHOPE_server_compute_key( | |||
uint8_t out_key[SHA256_DIGEST_LENGTH], const NEWHOPE_POLY *sk, | |||
const uint8_t msg[NEWHOPE_CLIENTMSG_LENGTH], size_t msg_len); | |||
/* NEWHOPE_client_compute_key completes a key exchange given a server message | |||
* |msg|. The result of the key exchange is written to |out_key|, which must | |||
* have space for |SHA256_DIGEST_LENGTH| bytes. The message to be send to the | |||
* client is written to |out_msg|, which must have room for | |||
* |NEWHOPE_CLIENTMSG_LENGTH| bytes. Returns 1 on success and 0 on error. */ | |||
OPENSSL_EXPORT int NEWHOPE_client_compute_key( | |||
uint8_t out_key[SHA256_DIGEST_LENGTH], | |||
uint8_t out_msg[NEWHOPE_CLIENTMSG_LENGTH], | |||
const uint8_t msg[NEWHOPE_SERVERMSG_LENGTH], size_t msg_len); | |||
OPENSSL_EXPORT int NEWHOPE_finish(uint8_t out_key[SHA256_DIGEST_LENGTH], | |||
const NEWHOPE_POLY *sk, | |||
const uint8_t msg[NEWHOPE_ACCEPTMSG_LENGTH], | |||
size_t msg_len); | |||
#if defined(__cplusplus) | |||
@@ -522,15 +522,14 @@ static bool SpeedNewHope(const std::string &selected) { | |||
TimeResults results; | |||
NEWHOPE_POLY *sk = NEWHOPE_POLY_new(); | |||
uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH]; | |||
RAND_bytes(clientmsg, sizeof(clientmsg)); | |||
if (!TimeFunction(&results, [sk, &clientmsg]() -> bool { | |||
uint8_t server_key[SHA256_DIGEST_LENGTH]; | |||
uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH]; | |||
NEWHOPE_keygen(servermsg, sk); | |||
if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg, | |||
NEWHOPE_CLIENTMSG_LENGTH)) { | |||
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH]; | |||
RAND_bytes(acceptmsg, sizeof(acceptmsg)); | |||
if (!TimeFunction(&results, [sk, &acceptmsg]() -> bool { | |||
uint8_t key[SHA256_DIGEST_LENGTH]; | |||
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH]; | |||
NEWHOPE_offer(offermsg, sk); | |||
if (!NEWHOPE_finish(key, sk, acceptmsg, NEWHOPE_ACCEPTMSG_LENGTH)) { | |||
return false; | |||
} | |||
return true; | |||
@@ -540,7 +539,7 @@ static bool SpeedNewHope(const std::string &selected) { | |||
} | |||
NEWHOPE_POLY_free(sk); | |||
results.Print("newhope server key exchange"); | |||
results.Print("newhope key exchange"); | |||
return true; | |||
} | |||