iPXE
x25519_test.c
Go to the documentation of this file.
1/*
2 * Copyright (C) 2024 Michael Brown <mbrown@fensystems.co.uk>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 *
19 * You can also choose to distribute this program under the terms of
20 * the Unmodified Binary Distribution Licence (as given in the file
21 * COPYING.UBDL), provided that you have satisfied its requirements.
22 */
23
24FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
26/** @file
27 *
28 * X25519 key exchange test
29 *
30 * Full key exchange test vectors are taken from RFC7748.
31 *
32 */
33
34/* Forcibly enable assertions */
35#undef NDEBUG
36
37#include <stdint.h>
38#include <string.h>
39#include <ipxe/x25519.h>
40#include <ipxe/test.h>
41
42/** Define inline multiplicand */
43#define MULTIPLICAND(...) { __VA_ARGS__ }
44
45/** Define inline multiplier */
46#define MULTIPLIER(...) { __VA_ARGS__ }
47
48/** Define inline invertend */
49#define INVERTEND(...) { __VA_ARGS__ }
50
51/** Define inline base point */
52#define BASE(...) { __VA_ARGS__ }
53
54/** Define inline scalar multiple */
55#define SCALAR(...) { __VA_ARGS__ }
56
57/** Define inline expected result */
58#define EXPECTED(...) { __VA_ARGS__ }
59
60/** An X25519 multiplication self-test */
61struct x25519_multiply_test {
62 /** Multiplicand */
63 const void *multiplicand;
64 /** Length of multiplicand */
65 size_t multiplicand_len;
66 /** Multiplier */
67 const void *multiplier;
68 /** Length of multiplier */
69 size_t multiplier_len;
70 /** Expected result */
71 const void *expected;
72 /** Length of expected result */
73 size_t expected_len;
74};
75
76/**
77 * Define an X25519 multiplication test
78 *
79 * @v name Test name
80 * @v MULTIPLICAND 258-bit multiplicand
81 * @v MULTIPLIER 258-bit multiplier
82 * @v EXPECTED 255-bit expected result
83 * @ret test X25519 multiplication test
84 */
85#define X25519_MULTIPLY_TEST( name, MULTIPLICAND, MULTIPLIER, \
86 EXPECTED ) \
87 static const uint8_t name ## _multiplicand[] = MULTIPLICAND; \
88 static const uint8_t name ## _multiplier[] = MULTIPLIER; \
89 static const uint8_t name ## _expected[] = EXPECTED; \
90 static struct x25519_multiply_test name = { \
91 .multiplicand = name ## _multiplicand, \
92 .multiplicand_len = sizeof ( name ## _multiplicand ), \
93 .multiplier = name ## _multiplier, \
94 .multiplier_len = sizeof ( name ## _multiplier ), \
95 .expected = name ## _expected, \
96 .expected_len = sizeof ( name ## _expected ), \
97 }
98
99/** An X25519 multiplicative inversion self-test */
100struct x25519_invert_test {
101 /** Invertend */
102 const void *invertend;
103 /** Length of invertend */
104 size_t invertend_len;
105 /** Expected result */
106 const void *expected;
107 /** Length of expected result */
108 size_t expected_len;
109};
110
111/**
112 * Define an X25519 multiplicative inversion test
113 *
114 * @v name Test name
115 * @v INVERTEND 258-bit invertend
116 * @v EXPECTED 255-bit expected result
117 * @ret test X25519 multiplicative inversion test
118 */
119#define X25519_INVERT_TEST( name, INVERTEND, EXPECTED ) \
120 static const uint8_t name ## _invertend[] = INVERTEND; \
121 static const uint8_t name ## _expected[] = EXPECTED; \
122 static struct x25519_invert_test name = { \
123 .invertend = name ## _invertend, \
124 .invertend_len = sizeof ( name ## _invertend ), \
125 .expected = name ## _expected, \
126 .expected_len = sizeof ( name ## _expected ), \
127 }
128
129/** An X25519 key exchange self-test */
130struct x25519_key_test {
131 /** Base */
132 struct x25519_value base;
133 /** Scalar */
134 struct x25519_value scalar;
135 /** Expected result */
136 struct x25519_value expected;
137 /** Number of iterations */
138 unsigned int count;
139 /** Key exchange is expected to fail (i.e. produce all-zeroes) */
140 int fail;
141};
142
143/**
144 * Define an X25519 key exchange test
145 *
146 * @v name Test name
147 * @v COUNT Number of iterations
148 * @v FAIL Expected failure status
149 * @v BASE Base point
150 * @v SCALAR Scalar multiple
151 * @v EXPECTED Expected result
152 * @ret test X25519 key exchange test
153 */
154#define X25519_KEY_TEST( name, COUNT, FAIL, BASE, SCALAR, EXPECTED ) \
155 static struct x25519_key_test name = { \
156 .count = COUNT, \
157 .fail = FAIL, \
158 .base = { .raw = BASE }, \
159 .scalar = { .raw = SCALAR }, \
160 .expected = { .raw = EXPECTED }, \
161 }
162
163/**
164 * Report an X25519 multiplication test result
165 *
166 * @v test X25519 multiplication test
167 * @v file Test code file
168 * @v line Test code line
169 */
170static void x25519_multiply_okx ( struct x25519_multiply_test *test,
171 const char *file, unsigned int line ) {
172 union x25519_oct258 multiplicand;
173 union x25519_oct258 multiplier;
174 union x25519_quad257 expected;
175 union x25519_quad257 actual;
176
177 /* Construct big integers */
178 bigint_init ( &multiplicand.value, test->multiplicand,
179 test->multiplicand_len );
180 DBGC ( test, "X25519 multiplicand:\n" );
181 DBGC_HDA ( test, 0, &multiplicand, sizeof ( multiplicand ) );
182 bigint_init ( &multiplier.value, test->multiplier,
183 test->multiplier_len );
184 DBGC ( test, "X25519 multiplier:\n" );
185 DBGC_HDA ( test, 0, &multiplier, sizeof ( multiplier ) );
186 bigint_init ( &expected.value, test->expected, test->expected_len );
187 DBGC ( test, "X25519 expected product:\n" );
188 DBGC_HDA ( test, 0, &expected, sizeof ( expected ) );
189
190 /* Perform multiplication */
191 x25519_multiply ( &multiplicand, &multiplier, &actual );
192
193 /* Reduce result to allow for comparison */
194 x25519_reduce ( &actual );
195 DBGC ( test, "X25519 actual product:\n" );
196 DBGC_HDA ( test, 0, &actual, sizeof ( actual ) );
197
198 /* Compare against expected result */
199 okx ( memcmp ( &actual, &expected, sizeof ( expected ) ) == 0,
200 file, line );
201}
202#define x25519_multiply_ok( test ) \
203 x25519_multiply_okx ( test, __FILE__, __LINE__ )
204
205/**
206 * Report an X25519 multiplicative inversion test result
207 *
208 * @v test X25519 multiplicative inversion test
209 * @v file Test code file
210 * @v line Test code line
211 */
212static void x25519_invert_okx ( struct x25519_invert_test *test,
213 const char *file, unsigned int line ) {
214 static const uint8_t one[] = { 1 };
215 union x25519_oct258 invertend;
216 union x25519_quad257 expected;
217 union x25519_quad257 actual;
218 union x25519_quad257 product;
219 union x25519_quad257 identity;
220
221 /* Construct big integers */
222 bigint_init ( &invertend.value, test->invertend, test->invertend_len );
223 DBGC ( test, "X25519 invertend:\n" );
224 DBGC_HDA ( test, 0, &invertend, sizeof ( invertend ) );
225 bigint_init ( &expected.value, test->expected, test->expected_len );
226 DBGC ( test, "X25519 expected inverse:\n" );
227 DBGC_HDA ( test, 0, &expected, sizeof ( expected ) );
228 bigint_init ( &identity.value, one, sizeof ( one ) );
229
230 /* Perform inversion */
231 x25519_invert ( &invertend, &actual );
232
233 /* Multiply invertend by inverse */
234 x25519_multiply ( &invertend, &actual.oct258, &product );
235
236 /* Reduce results to allow for comparison */
237 x25519_reduce ( &actual );
238 DBGC ( test, "X25519 actual inverse:\n" );
239 DBGC_HDA ( test, 0, &actual, sizeof ( actual ) );
240 x25519_reduce ( &product );
241 DBGC ( test, "X25519 actual product:\n" );
242 DBGC_HDA ( test, 0, &product, sizeof ( product ) );
243
244 /* Compare against expected results */
245 okx ( memcmp ( &actual, &expected, sizeof ( expected ) ) == 0,
246 file, line );
247 okx ( memcmp ( &product, &identity, sizeof ( identity ) ) == 0,
248 file, line );
249}
250#define x25519_invert_ok( test ) \
251 x25519_invert_okx ( test, __FILE__, __LINE__ )
252
253/**
254 * Report an X25519 key exchange test result
255 *
256 * @v test X25519 key exchange test
257 * @v file Test code file
258 * @v line Test code line
259 */
260static void x25519_key_okx ( struct x25519_key_test *test,
261 const char *file, unsigned int line ) {
262 struct x25519_value base;
263 struct x25519_value scalar;
264 struct x25519_value actual;
265 unsigned int i;
266
267 /* Construct input values */
268 memcpy ( &base, &test->base, sizeof ( test->base ) );
269 memcpy ( &scalar, &test->scalar, sizeof ( test->scalar ) );
270 DBGC ( test, "X25519 base:\n" );
271 DBGC_HDA ( test, 0, &base, sizeof ( base ) );
272 DBGC ( test, "X25519 scalar:\n" );
273 DBGC_HDA ( test, 0, &scalar, sizeof ( scalar ) );
274 DBGC ( test, "X25519 expected result (x%d):\n", test->count );
275 DBGC_HDA ( test, 0, &test->expected, sizeof ( test->expected ) );
276
277 /* Calculate key */
278 for ( i = 0 ; i < test->count ; i++ ) {
279 x25519_key ( &base, &scalar, &actual );
280 if ( test->fail ) {
281 okx ( x25519_is_zero ( &actual ), file, line );
282 } else {
283 okx ( ( ! x25519_is_zero ( &actual ) ), file, line );
284 }
285 memcpy ( &base, &scalar, sizeof ( base ) );
286 memcpy ( &scalar, &actual, sizeof ( scalar ) );
287 }
288 DBGC ( test, "X25519 actual result (x%d):\n", test->count );
289 DBGC_HDA ( test, 0, &actual, sizeof ( actual ) );
290
291 /* Compare against expected result */
292 okx ( memcmp ( &actual, &test->expected,
293 sizeof ( test->expected ) ) == 0, file, line );
294}
295#define x25519_key_ok( test ) \
296 x25519_key_okx ( test, __FILE__, __LINE__ )
297
298/* Test multiplying small numbers */
299X25519_MULTIPLY_TEST ( multiply_small, MULTIPLICAND ( 6 ),
300 MULTIPLIER ( 9 ), EXPECTED ( 6 * 9 ) );
301
302/* Test exact multiple of field prime */
303X25519_MULTIPLY_TEST ( multiply_k_p,
304 MULTIPLICAND ( 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
305 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
306 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
307 0xff, 0xff, 0xff, 0xff, 0xed ),
308 MULTIPLIER ( 0x00, 0xe8, 0x0d, 0x83, 0xd4, 0xe9, 0x1e, 0xdd, 0x7a,
309 0x45, 0x14, 0x87, 0xb7, 0xfc, 0x62, 0x54, 0x1f, 0xb2,
310 0x97, 0x24, 0xde, 0xfa, 0xd3, 0xe7, 0x3e, 0x83, 0x93,
311 0x60, 0xbc, 0x20, 0x97, 0x9b, 0x22 ),
312 EXPECTED ( 0x00 ) );
313
314/* 0x0223b8c1e9392456de3eb13b9046685257bdd640fb06671ad11c80317fa3b1799d *
315 * 0x006c031199972a846916419f828b9d2434e465e150bd9c66b3ad3c2d6d1a3d1fa7 =
316 * 0x1ba87e982f7c477616b4d5136ba54733e40081c1c2e27d864aa178ce893d1297 (mod p)
317 */
318X25519_MULTIPLY_TEST ( multiply_1,
319 MULTIPLICAND ( 0x02, 0x23, 0xb8, 0xc1, 0xe9, 0x39, 0x24, 0x56, 0xde,
320 0x3e, 0xb1, 0x3b, 0x90, 0x46, 0x68, 0x52, 0x57, 0xbd,
321 0xd6, 0x40, 0xfb, 0x06, 0x67, 0x1a, 0xd1, 0x1c, 0x80,
322 0x31, 0x7f, 0xa3, 0xb1, 0x79, 0x9d ),
323 MULTIPLIER ( 0x00, 0x6c, 0x03, 0x11, 0x99, 0x97, 0x2a, 0x84, 0x69,
324 0x16, 0x41, 0x9f, 0x82, 0x8b, 0x9d, 0x24, 0x34, 0xe4,
325 0x65, 0xe1, 0x50, 0xbd, 0x9c, 0x66, 0xb3, 0xad, 0x3c,
326 0x2d, 0x6d, 0x1a, 0x3d, 0x1f, 0xa7 ),
327 EXPECTED ( 0x1b, 0xa8, 0x7e, 0x98, 0x2f, 0x7c, 0x47, 0x76, 0x16, 0xb4,
328 0xd5, 0x13, 0x6b, 0xa5, 0x47, 0x33, 0xe4, 0x00, 0x81, 0xc1,
329 0xc2, 0xe2, 0x7d, 0x86, 0x4a, 0xa1, 0x78, 0xce, 0x89, 0x3d,
330 0x12, 0x97 ) );
331
332/* 0x008fadc1a606cb0fb39a1de644815ef6d13b8faa1837f8a88b17fc695a07a0ca6e *
333 * 0x0196da1dac72ff5d2a386ecbe06b65a6a48b8148f6b38a088ca65ed389b74d0fb1 =
334 * 0x351f7bf75ef580249ed6f9ff3996463b0730a1d49b5d36b863e192591157e950 (mod p)
335 */
336X25519_MULTIPLY_TEST ( multiply_2,
337 MULTIPLICAND ( 0x00, 0x8f, 0xad, 0xc1, 0xa6, 0x06, 0xcb, 0x0f, 0xb3,
338 0x9a, 0x1d, 0xe6, 0x44, 0x81, 0x5e, 0xf6, 0xd1, 0x3b,
339 0x8f, 0xaa, 0x18, 0x37, 0xf8, 0xa8, 0x8b, 0x17, 0xfc,
340 0x69, 0x5a, 0x07, 0xa0, 0xca, 0x6e ),
341 MULTIPLIER ( 0x01, 0x96, 0xda, 0x1d, 0xac, 0x72, 0xff, 0x5d, 0x2a,
342 0x38, 0x6e, 0xcb, 0xe0, 0x6b, 0x65, 0xa6, 0xa4, 0x8b,
343 0x81, 0x48, 0xf6, 0xb3, 0x8a, 0x08, 0x8c, 0xa6, 0x5e,
344 0xd3, 0x89, 0xb7, 0x4d, 0x0f, 0xb1 ),
345 EXPECTED ( 0x35, 0x1f, 0x7b, 0xf7, 0x5e, 0xf5, 0x80, 0x24, 0x9e, 0xd6,
346 0xf9, 0xff, 0x39, 0x96, 0x46, 0x3b, 0x07, 0x30, 0xa1, 0xd4,
347 0x9b, 0x5d, 0x36, 0xb8, 0x63, 0xe1, 0x92, 0x59, 0x11, 0x57,
348 0xe9, 0x50 ) );
349
350/* 0x016c307511b2b9437a28df6ec4ce4a2bbdc241330b01a9e71fde8a774bcf36d58b *
351 * 0x0117be31111a2a73ed562b0f79c37459eef50bea63371ecd7b27cd813047229389 =
352 * 0x6b43b5185965f8f0920f31ae1b2cefadd7b078fecf68dbeaa17b9c385b558329 (mod p)
353 */
354X25519_MULTIPLY_TEST ( multiply_3,
355 MULTIPLICAND ( 0x01, 0x6c, 0x30, 0x75, 0x11, 0xb2, 0xb9, 0x43, 0x7a,
356 0x28, 0xdf, 0x6e, 0xc4, 0xce, 0x4a, 0x2b, 0xbd, 0xc2,
357 0x41, 0x33, 0x0b, 0x01, 0xa9, 0xe7, 0x1f, 0xde, 0x8a,
358 0x77, 0x4b, 0xcf, 0x36, 0xd5, 0x8b ),
359 MULTIPLIER ( 0x01, 0x17, 0xbe, 0x31, 0x11, 0x1a, 0x2a, 0x73, 0xed,
360 0x56, 0x2b, 0x0f, 0x79, 0xc3, 0x74, 0x59, 0xee, 0xf5,
361 0x0b, 0xea, 0x63, 0x37, 0x1e, 0xcd, 0x7b, 0x27, 0xcd,
362 0x81, 0x30, 0x47, 0x22, 0x93, 0x89 ),
363 EXPECTED ( 0x6b, 0x43, 0xb5, 0x18, 0x59, 0x65, 0xf8, 0xf0, 0x92, 0x0f,
364 0x31, 0xae, 0x1b, 0x2c, 0xef, 0xad, 0xd7, 0xb0, 0x78, 0xfe,
365 0xcf, 0x68, 0xdb, 0xea, 0xa1, 0x7b, 0x9c, 0x38, 0x5b, 0x55,
366 0x83, 0x29 ) );
367
368/* 0x020b1f9163ce9ff57f43b7a3a69a8dca03580d7b71d8f564135be6128e18c26797 *
369 * 0x018d5288f1142c3fe860e7a113ec1b8ca1f91e1d4c1ff49b7889463e85759cde66 =
370 * 0x28a77d3c8a14323d63b288dbd40315b3f192b8485d86a02cb87d3dfb7a0b5447 (mod p)
371 */
372X25519_MULTIPLY_TEST ( multiply_4,
373 MULTIPLICAND ( 0x02, 0x0b, 0x1f, 0x91, 0x63, 0xce, 0x9f, 0xf5, 0x7f,
374 0x43, 0xb7, 0xa3, 0xa6, 0x9a, 0x8d, 0xca, 0x03, 0x58,
375 0x0d, 0x7b, 0x71, 0xd8, 0xf5, 0x64, 0x13, 0x5b, 0xe6,
376 0x12, 0x8e, 0x18, 0xc2, 0x67, 0x97 ),
377 MULTIPLIER ( 0x01, 0x8d, 0x52, 0x88, 0xf1, 0x14, 0x2c, 0x3f, 0xe8,
378 0x60, 0xe7, 0xa1, 0x13, 0xec, 0x1b, 0x8c, 0xa1, 0xf9,
379 0x1e, 0x1d, 0x4c, 0x1f, 0xf4, 0x9b, 0x78, 0x89, 0x46,
380 0x3e, 0x85, 0x75, 0x9c, 0xde, 0x66 ),
381 EXPECTED ( 0x28, 0xa7, 0x7d, 0x3c, 0x8a, 0x14, 0x32, 0x3d, 0x63, 0xb2,
382 0x88, 0xdb, 0xd4, 0x03, 0x15, 0xb3, 0xf1, 0x92, 0xb8, 0x48,
383 0x5d, 0x86, 0xa0, 0x2c, 0xb8, 0x7d, 0x3d, 0xfb, 0x7a, 0x0b,
384 0x54, 0x47 ) );
385
386/* 0x023139d32c93cd59bf5c941cf0dc98d2c1e2acf72f9e574f7aa0ee89aed453dd32 *
387 * 0x03146d3f31fc377a4c4a15544dc5e7ce8a3a578a8ea9488d990bbb259911ce5dd2 =
388 * 0x4bdb7a35c0a5182000aa67554741e88cfdf460a78c6fae07adf83d2f005d2767 (mod p)
389 */
390X25519_MULTIPLY_TEST ( multiply_5,
391 MULTIPLICAND ( 0x02, 0x31, 0x39, 0xd3, 0x2c, 0x93, 0xcd, 0x59, 0xbf,
392 0x5c, 0x94, 0x1c, 0xf0, 0xdc, 0x98, 0xd2, 0xc1, 0xe2,
393 0xac, 0xf7, 0x2f, 0x9e, 0x57, 0x4f, 0x7a, 0xa0, 0xee,
394 0x89, 0xae, 0xd4, 0x53, 0xdd, 0x32 ),
395 MULTIPLIER ( 0x03, 0x14, 0x6d, 0x3f, 0x31, 0xfc, 0x37, 0x7a, 0x4c,
396 0x4a, 0x15, 0x54, 0x4d, 0xc5, 0xe7, 0xce, 0x8a, 0x3a,
397 0x57, 0x8a, 0x8e, 0xa9, 0x48, 0x8d, 0x99, 0x0b, 0xbb,
398 0x25, 0x99, 0x11, 0xce, 0x5d, 0xd2 ),
399 EXPECTED ( 0x4b, 0xdb, 0x7a, 0x35, 0xc0, 0xa5, 0x18, 0x20, 0x00, 0xaa,
400 0x67, 0x55, 0x47, 0x41, 0xe8, 0x8c, 0xfd, 0xf4, 0x60, 0xa7,
401 0x8c, 0x6f, 0xae, 0x07, 0xad, 0xf8, 0x3d, 0x2f, 0x00, 0x5d,
402 0x27, 0x67 ) );
403
404/* 0x01d58842dea2bc372f7412b29347294739614ff3d719db3ad0ddd1dfb23b982ef8 ^ -1 =
405 * 0x093ff51750809d181a9a5481c564e37cff618def8ec45f464b1a6e24f8b826bd (mod p)
406 */
407X25519_INVERT_TEST ( invert_1,
408 INVERTEND ( 0x01, 0xd5, 0x88, 0x42, 0xde, 0xa2, 0xbc, 0x37, 0x2f,
409 0x74, 0x12, 0xb2, 0x93, 0x47, 0x29, 0x47, 0x39, 0x61,
410 0x4f, 0xf3, 0xd7, 0x19, 0xdb, 0x3a, 0xd0, 0xdd, 0xd1,
411 0xdf, 0xb2, 0x3b, 0x98, 0x2e, 0xf8 ),
412 EXPECTED ( 0x09, 0x3f, 0xf5, 0x17, 0x50, 0x80, 0x9d, 0x18, 0x1a, 0x9a,
413 0x54, 0x81, 0xc5, 0x64, 0xe3, 0x7c, 0xff, 0x61, 0x8d, 0xef,
414 0x8e, 0xc4, 0x5f, 0x46, 0x4b, 0x1a, 0x6e, 0x24, 0xf8, 0xb8,
415 0x26, 0xbd ) );
416
417/* 0x02efc89849b3aa7efe4458a885ab9099a435a240ae5af305535ec42e0829a3b2e9 ^ -1 =
418 * 0x591607b163e89d0ac33a62c881e984a25d3826e3db5ce229af240dc58e5b579a (mod p)
419 */
420X25519_INVERT_TEST ( invert_2,
421 INVERTEND ( 0x02, 0xef, 0xc8, 0x98, 0x49, 0xb3, 0xaa, 0x7e, 0xfe,
422 0x44, 0x58, 0xa8, 0x85, 0xab, 0x90, 0x99, 0xa4, 0x35,
423 0xa2, 0x40, 0xae, 0x5a, 0xf3, 0x05, 0x53, 0x5e, 0xc4,
424 0x2e, 0x08, 0x29, 0xa3, 0xb2, 0xe9 ),
425 EXPECTED ( 0x59, 0x16, 0x07, 0xb1, 0x63, 0xe8, 0x9d, 0x0a, 0xc3, 0x3a,
426 0x62, 0xc8, 0x81, 0xe9, 0x84, 0xa2, 0x5d, 0x38, 0x26, 0xe3,
427 0xdb, 0x5c, 0xe2, 0x29, 0xaf, 0x24, 0x0d, 0xc5, 0x8e, 0x5b,
428 0x57, 0x9a ) );
429
430/* 0x003eabedcbbaa80dd488bd64072bcfbe01a28defe39bf0027312476f57a5e5a5ab ^ -1 =
431 * 0x7d87c2e565b27c5038181a0a7cae9ebe826c8afc1f77128a4d62cce96d2759a2 (mod p)
432 */
433X25519_INVERT_TEST ( invert_3,
434 INVERTEND ( 0x00, 0x3e, 0xab, 0xed, 0xcb, 0xba, 0xa8, 0x0d, 0xd4,
435 0x88, 0xbd, 0x64, 0x07, 0x2b, 0xcf, 0xbe, 0x01, 0xa2,
436 0x8d, 0xef, 0xe3, 0x9b, 0xf0, 0x02, 0x73, 0x12, 0x47,
437 0x6f, 0x57, 0xa5, 0xe5, 0xa5, 0xab ),
438 EXPECTED ( 0x7d, 0x87, 0xc2, 0xe5, 0x65, 0xb2, 0x7c, 0x50, 0x38, 0x18,
439 0x1a, 0x0a, 0x7c, 0xae, 0x9e, 0xbe, 0x82, 0x6c, 0x8a, 0xfc,
440 0x1f, 0x77, 0x12, 0x8a, 0x4d, 0x62, 0xcc, 0xe9, 0x6d, 0x27,
441 0x59, 0xa2 ) );
442
443/* 0x008e944239b02b61c4a3d70628ece66fa2fd5166e6451b4cf36123fdf77656af72 ^ -1 =
444 * 0x08e96161a0eee1b29af396f154950d5c715dc61aff66ee97377ab22adf3321d7 (mod p)
445 */
446X25519_INVERT_TEST ( invert_4,
447 INVERTEND ( 0x00, 0x8e, 0x94, 0x42, 0x39, 0xb0, 0x2b, 0x61, 0xc4,
448 0xa3, 0xd7, 0x06, 0x28, 0xec, 0xe6, 0x6f, 0xa2, 0xfd,
449 0x51, 0x66, 0xe6, 0x45, 0x1b, 0x4c, 0xf3, 0x61, 0x23,
450 0xfd, 0xf7, 0x76, 0x56, 0xaf, 0x72 ),
451 EXPECTED ( 0x08, 0xe9, 0x61, 0x61, 0xa0, 0xee, 0xe1, 0xb2, 0x9a, 0xf3,
452 0x96, 0xf1, 0x54, 0x95, 0x0d, 0x5c, 0x71, 0x5d, 0xc6, 0x1a,
453 0xff, 0x66, 0xee, 0x97, 0x37, 0x7a, 0xb2, 0x2a, 0xdf, 0x33,
454 0x21, 0xd7 ) );
455
456/* 0x00d261a7ab3aa2e4f90e51f30dc6a7ee39c4b032ccd7c524a55304317faf42e12f ^ -1 =
457 * 0x0738781c0aeabfbe6e840c85bd30996ef71bc54988ce16cedd5ab4f30c281597 (mod p)
458 */
459X25519_INVERT_TEST ( invert_5,
460 INVERTEND ( 0x00, 0xd2, 0x61, 0xa7, 0xab, 0x3a, 0xa2, 0xe4, 0xf9,
461 0x0e, 0x51, 0xf3, 0x0d, 0xc6, 0xa7, 0xee, 0x39, 0xc4,
462 0xb0, 0x32, 0xcc, 0xd7, 0xc5, 0x24, 0xa5, 0x53, 0x04,
463 0x31, 0x7f, 0xaf, 0x42, 0xe1, 0x2f ),
464 EXPECTED ( 0x07, 0x38, 0x78, 0x1c, 0x0a, 0xea, 0xbf, 0xbe, 0x6e, 0x84,
465 0x0c, 0x85, 0xbd, 0x30, 0x99, 0x6e, 0xf7, 0x1b, 0xc5, 0x49,
466 0x88, 0xce, 0x16, 0xce, 0xdd, 0x5a, 0xb4, 0xf3, 0x0c, 0x28,
467 0x15, 0x97 ) );
468
469/* Base: 0xe6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c
470 * Scalar: 0xa546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4
471 * Result: 0xc3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552
472 */
473X25519_KEY_TEST ( rfc7748_1, 1, 0,
474 BASE ( 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, 0x35, 0x94,
475 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c, 0x72, 0x66, 0x24, 0xec,
476 0x26, 0xb3, 0x35, 0x3b, 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab,
477 0x1c, 0x4c ),
478 SCALAR ( 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, 0x3b, 0x16,
479 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd, 0x62, 0x14, 0x4c, 0x0a,
480 0xc1, 0xfc, 0x5a, 0x18, 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44,
481 0x9a, 0xc4 ),
482 EXPECTED ( 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, 0x8e, 0x94,
483 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f, 0x32, 0xec, 0xcf, 0x03,
484 0x49, 0x1c, 0x71, 0xf7, 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2,
485 0x85, 0x52 ) );
486
487/* Base: 0xe5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493
488 * Scalar: 0x4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d
489 * Result: 0x95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957
490 */
491X25519_KEY_TEST ( rfc7748_2, 1, 0,
492 BASE ( 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3, 0xf4, 0xb7,
493 0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c, 0x31, 0xdb, 0xe7, 0x10,
494 0x6f, 0xc0, 0x3c, 0x3e, 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15,
495 0xa4, 0x93 ),
496 SCALAR ( 0x4b, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c, 0x5a, 0xd2,
497 0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5, 0xc1, 0x1b, 0x64, 0x21,
498 0xe0, 0xea, 0x01, 0xd4, 0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18,
499 0xba, 0x0d ),
500 EXPECTED ( 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d, 0x7a, 0xad,
501 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8, 0x8b, 0x59, 0x5a, 0x68,
502 0x79, 0x9f, 0xa1, 0x52, 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac,
503 0x79, 0x57 ) );
504
505/* Base: 0x0900000000000000000000000000000000000000000000000000000000000000
506 * Scalar: 0x0900000000000000000000000000000000000000000000000000000000000000
507 * Result: 0x422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079
508 */
509X25519_KEY_TEST ( rfc7748_3, 1, 0,
510 BASE ( 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
511 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
512 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
513 0x00, 0x00 ),
514 SCALAR ( 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
515 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
516 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
517 0x00, 0x00 ),
518 EXPECTED ( 0x42, 0x2c, 0x8e, 0x7a, 0x62, 0x27, 0xd7, 0xbc, 0xa1, 0x35,
519 0x0b, 0x3e, 0x2b, 0xb7, 0x27, 0x9f, 0x78, 0x97, 0xb8, 0x7b,
520 0xb6, 0x85, 0x4b, 0x78, 0x3c, 0x60, 0xe8, 0x03, 0x11, 0xae,
521 0x30, 0x79 ) );
522
523/* Base: 0x0900000000000000000000000000000000000000000000000000000000000000
524 * Scalar: 0x0900000000000000000000000000000000000000000000000000000000000000
525 * Result: 0xb1a5a73158904c020866c13939dd7e1aa26852ee1d2609c92e5a8f1debe2150a
526 * (after 100 iterations)
527 *
528 * RFC7748 gives test vectors for 1000 and 1000000 iterations with
529 * these starting values. This test case stops after 100 iterations
530 * to avoid a pointlessly slow test cycle in the common case of
531 * running tests under Valgrind.
532 */
533X25519_KEY_TEST ( rfc7748_4_100, 100, 0,
534 BASE ( 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
535 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
537 0x00, 0x00 ),
538 SCALAR ( 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
539 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
540 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
541 0x00, 0x00 ),
542 EXPECTED ( 0xb1, 0xa5, 0xa7, 0x31, 0x58, 0x90, 0x4c, 0x02, 0x08, 0x66,
543 0xc1, 0x39, 0x39, 0xdd, 0x7e, 0x1a, 0xa2, 0x68, 0x52, 0xee,
544 0x1d, 0x26, 0x09, 0xc9, 0x2e, 0x5a, 0x8f, 0x1d, 0xeb, 0xe2,
545 0x15, 0x0a ) );
546
547/* Base: 2^255 - 19 + 1 (deliberately malicious public key)
548 * Scalar: 0x000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f
549 * Result: Failure (all zeros)
550 */
551X25519_KEY_TEST ( malicious, 1, 1,
552 BASE ( 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
553 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
554 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
555 0xff, 0x7f ),
556 SCALAR ( 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
557 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00, 0x01, 0x02, 0x03,
558 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d,
559 0x0e, 0x0f ),
560 EXPECTED ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
561 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
562 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
563 0x00, 0x00 ) );
564
565/**
566 * Perform X25519 self-tests
567 *
568 */
569static void x25519_test_exec ( void ) {
570
571 /* Perform multiplication tests */
572 x25519_multiply_ok ( &multiply_small );
573 x25519_multiply_ok ( &multiply_k_p );
574 x25519_multiply_ok ( &multiply_1 );
575 x25519_multiply_ok ( &multiply_2 );
576 x25519_multiply_ok ( &multiply_3 );
577 x25519_multiply_ok ( &multiply_4 );
578 x25519_multiply_ok ( &multiply_5 );
579
580 /* Perform multiplicative inversion tests */
581 x25519_invert_ok ( &invert_1 );
582 x25519_invert_ok ( &invert_2 );
583 x25519_invert_ok ( &invert_3 );
584 x25519_invert_ok ( &invert_4 );
585 x25519_invert_ok ( &invert_5 );
586
587 /* Perform key exchange tests */
588 x25519_key_ok ( &rfc7748_1 );
589 x25519_key_ok ( &rfc7748_2 );
590 x25519_key_ok ( &rfc7748_3 );
591 x25519_key_ok ( &rfc7748_4_100 );
592 x25519_key_ok ( &malicious );
593}
594
595/** X25519 self-test */
596struct self_test x25519_test __self_test = {
597 .name = "x25519",
598 .exec = x25519_test_exec,
599};
BASE
#define BASE
Definition 3c595.h:69
uint8_t
unsigned char uint8_t
Definition stdint.h:10
multiplier
static const uint32_t multiplier
Port multiplier number.
Definition bigint.h:335
EXPECTED
#define EXPECTED(...)
Define inline expected result point.
Definition elliptic_test.h:62
SCALAR
#define SCALAR(...)
Define inline scalar multiple.
Definition elliptic_test.h:53
test
static int test
Definition epic100.c:73
DBGC
#define DBGC(...)
Definition compiler.h:505
DBGC_HDA
#define DBGC_HDA(...)
Definition compiler.h:506
FILE_LICENCE
#define FILE_LICENCE(_licence)
Declare a particular licence as applying to a file.
Definition compiler.h:896
bigint_init
#define bigint_init(value, data, len)
Initialise big integer.
Definition bigint.h:62
product
uint8_t product
Product string.
Definition smbios.h:5
string.h
String functions.
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
base
uint32_t base
Base.
Definition librm.h:3
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition string.c:115
self_test
A self-test set.
Definition test.h:15
x25519_invert_test
An X25519 multiplicative inversion self-test.
Definition x25519_test.c:100
x25519_invert_test::expected
const void * expected
Expected result.
Definition x25519_test.c:106
x25519_invert_test::invertend_len
size_t invertend_len
Length of invertend.
Definition x25519_test.c:104
x25519_invert_test::invertend
const void * invertend
Invertend.
Definition x25519_test.c:102
x25519_invert_test::expected_len
size_t expected_len
Length of expected result.
Definition x25519_test.c:108
x25519_key_test
An X25519 key exchange self-test.
Definition x25519_test.c:130
x25519_key_test::fail
int fail
Key exchange is expected to fail (i.e.
Definition x25519_test.c:140
x25519_key_test::base
struct x25519_value base
Base.
Definition x25519_test.c:132
x25519_key_test::scalar
struct x25519_value scalar
Scalar.
Definition x25519_test.c:134
x25519_key_test::count
unsigned int count
Number of iterations.
Definition x25519_test.c:138
x25519_key_test::expected
struct x25519_value expected
Expected result.
Definition x25519_test.c:136
x25519_multiply_test
An X25519 multiplication self-test.
Definition x25519_test.c:61
x25519_multiply_test::multiplicand
const void * multiplicand
Multiplicand.
Definition x25519_test.c:63
x25519_multiply_test::multiplier_len
size_t multiplier_len
Length of multiplier.
Definition x25519_test.c:69
x25519_multiply_test::multiplier
const void * multiplier
Multiplier.
Definition x25519_test.c:67
x25519_multiply_test::multiplicand_len
size_t multiplicand_len
Length of multiplicand.
Definition x25519_test.c:65
x25519_multiply_test::expected_len
size_t expected_len
Length of expected result.
Definition x25519_test.c:73
x25519_multiply_test::expected
const void * expected
Expected result.
Definition x25519_test.c:71
x25519_value
An X25519 32-byte value.
Definition x25519.h:78
test.h
Self-test infrastructure.
okx
#define okx(success, file, line)
Report test result.
Definition test.h:44
__self_test
#define __self_test
Declare a self-test.
Definition test.h:32
x25519_oct258
An X25519 unsigned 258-bit integer.
Definition x25519.h:46
x25519_oct258::value
x25519_t value
Big integer value.
Definition x25519.h:48
x25519_quad257
An X25519 unsigned 257-bit integer.
Definition x25519.h:65
x25519_quad257::value
x25519_t value
Big integer value.
Definition x25519.h:67
x25519_quad257::oct258
const union x25519_oct258 oct258
X25519 unsigned 258-bit integer.
Definition x25519.h:74
x25519_is_zero
int x25519_is_zero(const struct x25519_value *value)
Check if X25519 value is zero.
Definition x25519.c:793
x25519_multiply
void x25519_multiply(const union x25519_oct258 *multiplicand, const union x25519_oct258 *multiplier, union x25519_quad257 *result)
Multiply big integers modulo field prime.
Definition x25519.c:427
x25519_reduce
void x25519_reduce(union x25519_quad257 *value)
Reduce big integer to canonical range.
Definition x25519.c:586
x25519_key
void x25519_key(const struct x25519_value *base, const struct x25519_value *scalar, struct x25519_value *result)
Calculate X25519 key.
Definition x25519.c:808
x25519_invert
void x25519_invert(const union x25519_oct258 *invertend, union x25519_quad257 *result)
Compute multiplicative inverse.
Definition x25519.c:529
x25519.h
X25519 key exchange.
INVERTEND
#define INVERTEND(...)
Define inline invertend.
Definition x25519_test.c:49
X25519_KEY_TEST
#define X25519_KEY_TEST(name, COUNT, FAIL, BASE, SCALAR, EXPECTED)
Define an X25519 key exchange test.
Definition x25519_test.c:154
X25519_MULTIPLY_TEST
#define X25519_MULTIPLY_TEST(name, MULTIPLICAND, MULTIPLIER, EXPECTED)
Define an X25519 multiplication test.
Definition x25519_test.c:85
x25519_key_ok
#define x25519_key_ok(test)
Definition x25519_test.c:295
x25519_multiply_okx
static void x25519_multiply_okx(struct x25519_multiply_test *test, const char *file, unsigned int line)
Report an X25519 multiplication test result.
Definition x25519_test.c:170
MULTIPLIER
#define MULTIPLIER(...)
Define inline multiplier.
Definition x25519_test.c:46
X25519_INVERT_TEST
#define X25519_INVERT_TEST(name, INVERTEND, EXPECTED)
Define an X25519 multiplicative inversion test.
Definition x25519_test.c:119
x25519_key_okx
static void x25519_key_okx(struct x25519_key_test *test, const char *file, unsigned int line)
Report an X25519 key exchange test result.
Definition x25519_test.c:260
x25519_invert_okx
static void x25519_invert_okx(struct x25519_invert_test *test, const char *file, unsigned int line)
Report an X25519 multiplicative inversion test result.
Definition x25519_test.c:212
x25519_invert_ok
#define x25519_invert_ok(test)
Definition x25519_test.c:250
MULTIPLICAND
#define MULTIPLICAND(...)
Define inline multiplicand.
Definition x25519_test.c:43
x25519_multiply_ok
#define x25519_multiply_ok(test)
Definition x25519_test.c:202
x25519_test_exec
static void x25519_test_exec(void)
Perform X25519 self-tests.
Definition x25519_test.c:569
Generated by doxygen 1.14.0