iPXE
x25519_test.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2024 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  *
19  * You can also choose to distribute this program under the terms of
20  * the Unmodified Binary Distribution Licence (as given in the file
21  * COPYING.UBDL), provided that you have satisfied its requirements.
22  */
23 
24 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25 
26 /** @file
27  *
28  * X25519 key exchange test
29  *
30  * Full key exchange test vectors are taken from RFC7748.
31  *
32  */
33 
34 /* Forcibly enable assertions */
35 #undef NDEBUG
36 
37 #include <stdint.h>
38 #include <string.h>
39 #include <ipxe/x25519.h>
40 #include <ipxe/test.h>
41 
42 /** Define inline multiplicand */
43 #define MULTIPLICAND(...) { __VA_ARGS__ }
44 
45 /** Define inline multiplier */
46 #define MULTIPLIER(...) { __VA_ARGS__ }
47 
48 /** Define inline invertend */
49 #define INVERTEND(...) { __VA_ARGS__ }
50 
51 /** Define inline base point */
52 #define BASE(...) { __VA_ARGS__ }
53 
54 /** Define inline scalar multiple */
55 #define SCALAR(...) { __VA_ARGS__ }
56 
57 /** Define inline expected result */
58 #define EXPECTED(...) { __VA_ARGS__ }
59 
60 /** An X25519 multiplication self-test */
61 struct x25519_multiply_test {
62  /** Multiplicand */
63  const void *multiplicand;
64  /** Length of multiplicand */
65  size_t multiplicand_len;
66  /** Multiplier */
67  const void *multiplier;
68  /** Length of multiplier */
69  size_t multiplier_len;
70  /** Expected result */
71  const void *expected;
72  /** Length of expected result */
73  size_t expected_len;
74 };
75 
76 /**
77  * Define an X25519 multiplication test
78  *
79  * @v name Test name
80  * @v MULTIPLICAND 258-bit multiplicand
81  * @v MULTIPLIER 258-bit multiplier
82  * @v EXPECTED 255-bit expected result
83  * @ret test X25519 multiplication test
84  */
85 #define X25519_MULTIPLY_TEST( name, MULTIPLICAND, MULTIPLIER, \
86  EXPECTED ) \
87  static const uint8_t name ## _multiplicand[] = MULTIPLICAND; \
88  static const uint8_t name ## _multiplier[] = MULTIPLIER; \
89  static const uint8_t name ## _expected[] = EXPECTED; \
90  static struct x25519_multiply_test name = { \
91  .multiplicand = name ## _multiplicand, \
92  .multiplicand_len = sizeof ( name ## _multiplicand ), \
93  .multiplier = name ## _multiplier, \
94  .multiplier_len = sizeof ( name ## _multiplier ), \
95  .expected = name ## _expected, \
96  .expected_len = sizeof ( name ## _expected ), \
97  }
98 
99 /** An X25519 multiplicative inversion self-test */
100 struct x25519_invert_test {
101  /** Invertend */
102  const void *invertend;
103  /** Length of invertend */
104  size_t invertend_len;
105  /** Expected result */
106  const void *expected;
107  /** Length of expected result */
108  size_t expected_len;
109 };
110 
111 /**
112  * Define an X25519 multiplicative inversion test
113  *
114  * @v name Test name
115  * @v INVERTEND 258-bit invertend
116  * @v EXPECTED 255-bit expected result
117  * @ret test X25519 multiplicative inversion test
118  */
119 #define X25519_INVERT_TEST( name, INVERTEND, EXPECTED ) \
120  static const uint8_t name ## _invertend[] = INVERTEND; \
121  static const uint8_t name ## _expected[] = EXPECTED; \
122  static struct x25519_invert_test name = { \
123  .invertend = name ## _invertend, \
124  .invertend_len = sizeof ( name ## _invertend ), \
125  .expected = name ## _expected, \
126  .expected_len = sizeof ( name ## _expected ), \
127  }
128 
129 /** An X25519 key exchange self-test */
130 struct x25519_key_test {
131  /** Base */
132  struct x25519_value base;
133  /** Scalar */
134  struct x25519_value scalar;
135  /** Expected result */
136  struct x25519_value expected;
137  /** Number of iterations */
138  unsigned int count;
139  /** Key exchange is expected to fail (i.e. produce all-zeroes) */
140  int fail;
141 };
142 
143 /**
144  * Define an X25519 key exchange test
145  *
146  * @v name Test name
147  * @v COUNT Number of iterations
148  * @v FAIL Expected failure status
149  * @v BASE Base point
150  * @v SCALAR Scalar multiple
151  * @v EXPECTED Expected result
152  * @ret test X25519 key exchange test
153  */
154 #define X25519_KEY_TEST( name, COUNT, FAIL, BASE, SCALAR, EXPECTED ) \
155  static struct x25519_key_test name = { \
156  .count = COUNT, \
157  .fail = FAIL, \
158  .base = { .raw = BASE }, \
159  .scalar = { .raw = SCALAR }, \
160  .expected = { .raw = EXPECTED }, \
161  }
162 
163 /**
164  * Report an X25519 multiplication test result
165  *
166  * @v test X25519 multiplication test
167  * @v file Test code file
168  * @v line Test code line
169  */
170 static void x25519_multiply_okx ( struct x25519_multiply_test *test,
171  const char *file, unsigned int line ) {
172  union x25519_oct258 multiplicand;
173  union x25519_oct258 multiplier;
174  union x25519_quad257 expected;
175  union x25519_quad257 actual;
176 
177  /* Construct big integers */
178  bigint_init ( &multiplicand.value, test->multiplicand,
179  test->multiplicand_len );
180  DBGC ( test, "X25519 multiplicand:\n" );
181  DBGC_HDA ( test, 0, &multiplicand, sizeof ( multiplicand ) );
182  bigint_init ( &multiplier.value, test->multiplier,
183  test->multiplier_len );
184  DBGC ( test, "X25519 multiplier:\n" );
185  DBGC_HDA ( test, 0, &multiplier, sizeof ( multiplier ) );
186  bigint_init ( &expected.value, test->expected, test->expected_len );
187  DBGC ( test, "X25519 expected product:\n" );
188  DBGC_HDA ( test, 0, &expected, sizeof ( expected ) );
189 
190  /* Perform multiplication */
191  x25519_multiply ( &multiplicand, &multiplier, &actual );
192 
193  /* Reduce result to allow for comparison */
194  x25519_reduce ( &actual );
195  DBGC ( test, "X25519 actual product:\n" );
196  DBGC_HDA ( test, 0, &actual, sizeof ( actual ) );
197 
198  /* Compare against expected result */
199  okx ( memcmp ( &actual, &expected, sizeof ( expected ) ) == 0,
200  file, line );
201 }
202 #define x25519_multiply_ok( test ) \
203  x25519_multiply_okx ( test, __FILE__, __LINE__ )
204 
205 /**
206  * Report an X25519 multiplicative inversion test result
207  *
208  * @v test X25519 multiplicative inversion test
209  * @v file Test code file
210  * @v line Test code line
211  */
212 static void x25519_invert_okx ( struct x25519_invert_test *test,
213  const char *file, unsigned int line ) {
214  static const uint8_t one[] = { 1 };
215  union x25519_oct258 invertend;
216  union x25519_quad257 expected;
217  union x25519_quad257 actual;
218  union x25519_quad257 product;
219  union x25519_quad257 identity;
220 
221  /* Construct big integers */
222  bigint_init ( &invertend.value, test->invertend, test->invertend_len );
223  DBGC ( test, "X25519 invertend:\n" );
224  DBGC_HDA ( test, 0, &invertend, sizeof ( invertend ) );
225  bigint_init ( &expected.value, test->expected, test->expected_len );
226  DBGC ( test, "X25519 expected inverse:\n" );
227  DBGC_HDA ( test, 0, &expected, sizeof ( expected ) );
228  bigint_init ( &identity.value, one, sizeof ( one ) );
229 
230  /* Perform inversion */
231  x25519_invert ( &invertend, &actual );
232 
233  /* Multiply invertend by inverse */
234  x25519_multiply ( &invertend, &actual.oct258, &product );
235 
236  /* Reduce results to allow for comparison */
237  x25519_reduce ( &actual );
238  DBGC ( test, "X25519 actual inverse:\n" );
239  DBGC_HDA ( test, 0, &actual, sizeof ( actual ) );
240  x25519_reduce ( &product );
241  DBGC ( test, "X25519 actual product:\n" );
242  DBGC_HDA ( test, 0, &product, sizeof ( product ) );
243 
244  /* Compare against expected results */
245  okx ( memcmp ( &actual, &expected, sizeof ( expected ) ) == 0,
246  file, line );
247  okx ( memcmp ( &product, &identity, sizeof ( identity ) ) == 0,
248  file, line );
249 }
250 #define x25519_invert_ok( test ) \
251  x25519_invert_okx ( test, __FILE__, __LINE__ )
252 
253 /**
254  * Report an X25519 key exchange test result
255  *
256  * @v test X25519 key exchange test
257  * @v file Test code file
258  * @v line Test code line
259  */
260 static void x25519_key_okx ( struct x25519_key_test *test,
261  const char *file, unsigned int line ) {
262  struct x25519_value base;
263  struct x25519_value scalar;
264  struct x25519_value actual;
265  unsigned int i;
266 
267  /* Construct input values */
268  memcpy ( &base, &test->base, sizeof ( test->base ) );
269  memcpy ( &scalar, &test->scalar, sizeof ( test->scalar ) );
270  DBGC ( test, "X25519 base:\n" );
271  DBGC_HDA ( test, 0, &base, sizeof ( base ) );
272  DBGC ( test, "X25519 scalar:\n" );
273  DBGC_HDA ( test, 0, &scalar, sizeof ( scalar ) );
274  DBGC ( test, "X25519 expected result (x%d):\n", test->count );
275  DBGC_HDA ( test, 0, &test->expected, sizeof ( test->expected ) );
276 
277  /* Calculate key */
278  for ( i = 0 ; i < test->count ; i++ ) {
279  x25519_key ( &base, &scalar, &actual );
280  if ( test->fail ) {
281  okx ( x25519_is_zero ( &actual ), file, line );
282  } else {
283  okx ( ( ! x25519_is_zero ( &actual ) ), file, line );
284  }
285  memcpy ( &base, &scalar, sizeof ( base ) );
286  memcpy ( &scalar, &actual, sizeof ( scalar ) );
287  }
288  DBGC ( test, "X25519 actual result (x%d):\n", test->count );
289  DBGC_HDA ( test, 0, &actual, sizeof ( actual ) );
290 
291  /* Compare against expected result */
292  okx ( memcmp ( &actual, &test->expected,
293  sizeof ( test->expected ) ) == 0, file, line );
294 }
295 #define x25519_key_ok( test ) \
296  x25519_key_okx ( test, __FILE__, __LINE__ )
297 
298 /* Test multiplying small numbers */
299 X25519_MULTIPLY_TEST ( multiply_small, MULTIPLICAND ( 6 ),
300  MULTIPLIER ( 9 ), EXPECTED ( 6 * 9 ) );
301 
302 /* Test exact multiple of field prime */
303 X25519_MULTIPLY_TEST ( multiply_k_p,
304  MULTIPLICAND ( 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
305  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
306  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
307  0xff, 0xff, 0xff, 0xff, 0xed ),
308  MULTIPLIER ( 0x00, 0xe8, 0x0d, 0x83, 0xd4, 0xe9, 0x1e, 0xdd, 0x7a,
309  0x45, 0x14, 0x87, 0xb7, 0xfc, 0x62, 0x54, 0x1f, 0xb2,
310  0x97, 0x24, 0xde, 0xfa, 0xd3, 0xe7, 0x3e, 0x83, 0x93,
311  0x60, 0xbc, 0x20, 0x97, 0x9b, 0x22 ),
312  EXPECTED ( 0x00 ) );
313 
314 /* 0x0223b8c1e9392456de3eb13b9046685257bdd640fb06671ad11c80317fa3b1799d *
315  * 0x006c031199972a846916419f828b9d2434e465e150bd9c66b3ad3c2d6d1a3d1fa7 =
316  * 0x1ba87e982f7c477616b4d5136ba54733e40081c1c2e27d864aa178ce893d1297 (mod p)
317  */
318 X25519_MULTIPLY_TEST ( multiply_1,
319  MULTIPLICAND ( 0x02, 0x23, 0xb8, 0xc1, 0xe9, 0x39, 0x24, 0x56, 0xde,
320  0x3e, 0xb1, 0x3b, 0x90, 0x46, 0x68, 0x52, 0x57, 0xbd,
321  0xd6, 0x40, 0xfb, 0x06, 0x67, 0x1a, 0xd1, 0x1c, 0x80,
322  0x31, 0x7f, 0xa3, 0xb1, 0x79, 0x9d ),
323  MULTIPLIER ( 0x00, 0x6c, 0x03, 0x11, 0x99, 0x97, 0x2a, 0x84, 0x69,
324  0x16, 0x41, 0x9f, 0x82, 0x8b, 0x9d, 0x24, 0x34, 0xe4,
325  0x65, 0xe1, 0x50, 0xbd, 0x9c, 0x66, 0xb3, 0xad, 0x3c,
326  0x2d, 0x6d, 0x1a, 0x3d, 0x1f, 0xa7 ),
327  EXPECTED ( 0x1b, 0xa8, 0x7e, 0x98, 0x2f, 0x7c, 0x47, 0x76, 0x16, 0xb4,
328  0xd5, 0x13, 0x6b, 0xa5, 0x47, 0x33, 0xe4, 0x00, 0x81, 0xc1,
329  0xc2, 0xe2, 0x7d, 0x86, 0x4a, 0xa1, 0x78, 0xce, 0x89, 0x3d,
330  0x12, 0x97 ) );
331 
332 /* 0x008fadc1a606cb0fb39a1de644815ef6d13b8faa1837f8a88b17fc695a07a0ca6e *
333  * 0x0196da1dac72ff5d2a386ecbe06b65a6a48b8148f6b38a088ca65ed389b74d0fb1 =
334  * 0x351f7bf75ef580249ed6f9ff3996463b0730a1d49b5d36b863e192591157e950 (mod p)
335  */
336 X25519_MULTIPLY_TEST ( multiply_2,
337  MULTIPLICAND ( 0x00, 0x8f, 0xad, 0xc1, 0xa6, 0x06, 0xcb, 0x0f, 0xb3,
338  0x9a, 0x1d, 0xe6, 0x44, 0x81, 0x5e, 0xf6, 0xd1, 0x3b,
339  0x8f, 0xaa, 0x18, 0x37, 0xf8, 0xa8, 0x8b, 0x17, 0xfc,
340  0x69, 0x5a, 0x07, 0xa0, 0xca, 0x6e ),
341  MULTIPLIER ( 0x01, 0x96, 0xda, 0x1d, 0xac, 0x72, 0xff, 0x5d, 0x2a,
342  0x38, 0x6e, 0xcb, 0xe0, 0x6b, 0x65, 0xa6, 0xa4, 0x8b,
343  0x81, 0x48, 0xf6, 0xb3, 0x8a, 0x08, 0x8c, 0xa6, 0x5e,
344  0xd3, 0x89, 0xb7, 0x4d, 0x0f, 0xb1 ),
345  EXPECTED ( 0x35, 0x1f, 0x7b, 0xf7, 0x5e, 0xf5, 0x80, 0x24, 0x9e, 0xd6,
346  0xf9, 0xff, 0x39, 0x96, 0x46, 0x3b, 0x07, 0x30, 0xa1, 0xd4,
347  0x9b, 0x5d, 0x36, 0xb8, 0x63, 0xe1, 0x92, 0x59, 0x11, 0x57,
348  0xe9, 0x50 ) );
349 
350 /* 0x016c307511b2b9437a28df6ec4ce4a2bbdc241330b01a9e71fde8a774bcf36d58b *
351  * 0x0117be31111a2a73ed562b0f79c37459eef50bea63371ecd7b27cd813047229389 =
352  * 0x6b43b5185965f8f0920f31ae1b2cefadd7b078fecf68dbeaa17b9c385b558329 (mod p)
353  */
354 X25519_MULTIPLY_TEST ( multiply_3,
355  MULTIPLICAND ( 0x01, 0x6c, 0x30, 0x75, 0x11, 0xb2, 0xb9, 0x43, 0x7a,
356  0x28, 0xdf, 0x6e, 0xc4, 0xce, 0x4a, 0x2b, 0xbd, 0xc2,
357  0x41, 0x33, 0x0b, 0x01, 0xa9, 0xe7, 0x1f, 0xde, 0x8a,
358  0x77, 0x4b, 0xcf, 0x36, 0xd5, 0x8b ),
359  MULTIPLIER ( 0x01, 0x17, 0xbe, 0x31, 0x11, 0x1a, 0x2a, 0x73, 0xed,
360  0x56, 0x2b, 0x0f, 0x79, 0xc3, 0x74, 0x59, 0xee, 0xf5,
361  0x0b, 0xea, 0x63, 0x37, 0x1e, 0xcd, 0x7b, 0x27, 0xcd,
362  0x81, 0x30, 0x47, 0x22, 0x93, 0x89 ),
363  EXPECTED ( 0x6b, 0x43, 0xb5, 0x18, 0x59, 0x65, 0xf8, 0xf0, 0x92, 0x0f,
364  0x31, 0xae, 0x1b, 0x2c, 0xef, 0xad, 0xd7, 0xb0, 0x78, 0xfe,
365  0xcf, 0x68, 0xdb, 0xea, 0xa1, 0x7b, 0x9c, 0x38, 0x5b, 0x55,
366  0x83, 0x29 ) );
367 
368 /* 0x020b1f9163ce9ff57f43b7a3a69a8dca03580d7b71d8f564135be6128e18c26797 *
369  * 0x018d5288f1142c3fe860e7a113ec1b8ca1f91e1d4c1ff49b7889463e85759cde66 =
370  * 0x28a77d3c8a14323d63b288dbd40315b3f192b8485d86a02cb87d3dfb7a0b5447 (mod p)
371  */
372 X25519_MULTIPLY_TEST ( multiply_4,
373  MULTIPLICAND ( 0x02, 0x0b, 0x1f, 0x91, 0x63, 0xce, 0x9f, 0xf5, 0x7f,
374  0x43, 0xb7, 0xa3, 0xa6, 0x9a, 0x8d, 0xca, 0x03, 0x58,
375  0x0d, 0x7b, 0x71, 0xd8, 0xf5, 0x64, 0x13, 0x5b, 0xe6,
376  0x12, 0x8e, 0x18, 0xc2, 0x67, 0x97 ),
377  MULTIPLIER ( 0x01, 0x8d, 0x52, 0x88, 0xf1, 0x14, 0x2c, 0x3f, 0xe8,
378  0x60, 0xe7, 0xa1, 0x13, 0xec, 0x1b, 0x8c, 0xa1, 0xf9,
379  0x1e, 0x1d, 0x4c, 0x1f, 0xf4, 0x9b, 0x78, 0x89, 0x46,
380  0x3e, 0x85, 0x75, 0x9c, 0xde, 0x66 ),
381  EXPECTED ( 0x28, 0xa7, 0x7d, 0x3c, 0x8a, 0x14, 0x32, 0x3d, 0x63, 0xb2,
382  0x88, 0xdb, 0xd4, 0x03, 0x15, 0xb3, 0xf1, 0x92, 0xb8, 0x48,
383  0x5d, 0x86, 0xa0, 0x2c, 0xb8, 0x7d, 0x3d, 0xfb, 0x7a, 0x0b,
384  0x54, 0x47 ) );
385 
386 /* 0x023139d32c93cd59bf5c941cf0dc98d2c1e2acf72f9e574f7aa0ee89aed453dd32 *
387  * 0x03146d3f31fc377a4c4a15544dc5e7ce8a3a578a8ea9488d990bbb259911ce5dd2 =
388  * 0x4bdb7a35c0a5182000aa67554741e88cfdf460a78c6fae07adf83d2f005d2767 (mod p)
389  */
390 X25519_MULTIPLY_TEST ( multiply_5,
391  MULTIPLICAND ( 0x02, 0x31, 0x39, 0xd3, 0x2c, 0x93, 0xcd, 0x59, 0xbf,
392  0x5c, 0x94, 0x1c, 0xf0, 0xdc, 0x98, 0xd2, 0xc1, 0xe2,
393  0xac, 0xf7, 0x2f, 0x9e, 0x57, 0x4f, 0x7a, 0xa0, 0xee,
394  0x89, 0xae, 0xd4, 0x53, 0xdd, 0x32 ),
395  MULTIPLIER ( 0x03, 0x14, 0x6d, 0x3f, 0x31, 0xfc, 0x37, 0x7a, 0x4c,
396  0x4a, 0x15, 0x54, 0x4d, 0xc5, 0xe7, 0xce, 0x8a, 0x3a,
397  0x57, 0x8a, 0x8e, 0xa9, 0x48, 0x8d, 0x99, 0x0b, 0xbb,
398  0x25, 0x99, 0x11, 0xce, 0x5d, 0xd2 ),
399  EXPECTED ( 0x4b, 0xdb, 0x7a, 0x35, 0xc0, 0xa5, 0x18, 0x20, 0x00, 0xaa,
400  0x67, 0x55, 0x47, 0x41, 0xe8, 0x8c, 0xfd, 0xf4, 0x60, 0xa7,
401  0x8c, 0x6f, 0xae, 0x07, 0xad, 0xf8, 0x3d, 0x2f, 0x00, 0x5d,
402  0x27, 0x67 ) );
403 
404 /* 0x01d58842dea2bc372f7412b29347294739614ff3d719db3ad0ddd1dfb23b982ef8 ^ -1 =
405  * 0x093ff51750809d181a9a5481c564e37cff618def8ec45f464b1a6e24f8b826bd (mod p)
406  */
407 X25519_INVERT_TEST ( invert_1,
408  INVERTEND ( 0x01, 0xd5, 0x88, 0x42, 0xde, 0xa2, 0xbc, 0x37, 0x2f,
409  0x74, 0x12, 0xb2, 0x93, 0x47, 0x29, 0x47, 0x39, 0x61,
410  0x4f, 0xf3, 0xd7, 0x19, 0xdb, 0x3a, 0xd0, 0xdd, 0xd1,
411  0xdf, 0xb2, 0x3b, 0x98, 0x2e, 0xf8 ),
412  EXPECTED ( 0x09, 0x3f, 0xf5, 0x17, 0x50, 0x80, 0x9d, 0x18, 0x1a, 0x9a,
413  0x54, 0x81, 0xc5, 0x64, 0xe3, 0x7c, 0xff, 0x61, 0x8d, 0xef,
414  0x8e, 0xc4, 0x5f, 0x46, 0x4b, 0x1a, 0x6e, 0x24, 0xf8, 0xb8,
415  0x26, 0xbd ) );
416 
417 /* 0x02efc89849b3aa7efe4458a885ab9099a435a240ae5af305535ec42e0829a3b2e9 ^ -1 =
418  * 0x591607b163e89d0ac33a62c881e984a25d3826e3db5ce229af240dc58e5b579a (mod p)
419  */
420 X25519_INVERT_TEST ( invert_2,
421  INVERTEND ( 0x02, 0xef, 0xc8, 0x98, 0x49, 0xb3, 0xaa, 0x7e, 0xfe,
422  0x44, 0x58, 0xa8, 0x85, 0xab, 0x90, 0x99, 0xa4, 0x35,
423  0xa2, 0x40, 0xae, 0x5a, 0xf3, 0x05, 0x53, 0x5e, 0xc4,
424  0x2e, 0x08, 0x29, 0xa3, 0xb2, 0xe9 ),
425  EXPECTED ( 0x59, 0x16, 0x07, 0xb1, 0x63, 0xe8, 0x9d, 0x0a, 0xc3, 0x3a,
426  0x62, 0xc8, 0x81, 0xe9, 0x84, 0xa2, 0x5d, 0x38, 0x26, 0xe3,
427  0xdb, 0x5c, 0xe2, 0x29, 0xaf, 0x24, 0x0d, 0xc5, 0x8e, 0x5b,
428  0x57, 0x9a ) );
429 
430 /* 0x003eabedcbbaa80dd488bd64072bcfbe01a28defe39bf0027312476f57a5e5a5ab ^ -1 =
431  * 0x7d87c2e565b27c5038181a0a7cae9ebe826c8afc1f77128a4d62cce96d2759a2 (mod p)
432  */
433 X25519_INVERT_TEST ( invert_3,
434  INVERTEND ( 0x00, 0x3e, 0xab, 0xed, 0xcb, 0xba, 0xa8, 0x0d, 0xd4,
435  0x88, 0xbd, 0x64, 0x07, 0x2b, 0xcf, 0xbe, 0x01, 0xa2,
436  0x8d, 0xef, 0xe3, 0x9b, 0xf0, 0x02, 0x73, 0x12, 0x47,
437  0x6f, 0x57, 0xa5, 0xe5, 0xa5, 0xab ),
438  EXPECTED ( 0x7d, 0x87, 0xc2, 0xe5, 0x65, 0xb2, 0x7c, 0x50, 0x38, 0x18,
439  0x1a, 0x0a, 0x7c, 0xae, 0x9e, 0xbe, 0x82, 0x6c, 0x8a, 0xfc,
440  0x1f, 0x77, 0x12, 0x8a, 0x4d, 0x62, 0xcc, 0xe9, 0x6d, 0x27,
441  0x59, 0xa2 ) );
442 
443 /* 0x008e944239b02b61c4a3d70628ece66fa2fd5166e6451b4cf36123fdf77656af72 ^ -1 =
444  * 0x08e96161a0eee1b29af396f154950d5c715dc61aff66ee97377ab22adf3321d7 (mod p)
445  */
446 X25519_INVERT_TEST ( invert_4,
447  INVERTEND ( 0x00, 0x8e, 0x94, 0x42, 0x39, 0xb0, 0x2b, 0x61, 0xc4,
448  0xa3, 0xd7, 0x06, 0x28, 0xec, 0xe6, 0x6f, 0xa2, 0xfd,
449  0x51, 0x66, 0xe6, 0x45, 0x1b, 0x4c, 0xf3, 0x61, 0x23,
450  0xfd, 0xf7, 0x76, 0x56, 0xaf, 0x72 ),
451  EXPECTED ( 0x08, 0xe9, 0x61, 0x61, 0xa0, 0xee, 0xe1, 0xb2, 0x9a, 0xf3,
452  0x96, 0xf1, 0x54, 0x95, 0x0d, 0x5c, 0x71, 0x5d, 0xc6, 0x1a,
453  0xff, 0x66, 0xee, 0x97, 0x37, 0x7a, 0xb2, 0x2a, 0xdf, 0x33,
454  0x21, 0xd7 ) );
455 
456 /* 0x00d261a7ab3aa2e4f90e51f30dc6a7ee39c4b032ccd7c524a55304317faf42e12f ^ -1 =
457  * 0x0738781c0aeabfbe6e840c85bd30996ef71bc54988ce16cedd5ab4f30c281597 (mod p)
458  */
459 X25519_INVERT_TEST ( invert_5,
460  INVERTEND ( 0x00, 0xd2, 0x61, 0xa7, 0xab, 0x3a, 0xa2, 0xe4, 0xf9,
461  0x0e, 0x51, 0xf3, 0x0d, 0xc6, 0xa7, 0xee, 0x39, 0xc4,
462  0xb0, 0x32, 0xcc, 0xd7, 0xc5, 0x24, 0xa5, 0x53, 0x04,
463  0x31, 0x7f, 0xaf, 0x42, 0xe1, 0x2f ),
464  EXPECTED ( 0x07, 0x38, 0x78, 0x1c, 0x0a, 0xea, 0xbf, 0xbe, 0x6e, 0x84,
465  0x0c, 0x85, 0xbd, 0x30, 0x99, 0x6e, 0xf7, 0x1b, 0xc5, 0x49,
466  0x88, 0xce, 0x16, 0xce, 0xdd, 0x5a, 0xb4, 0xf3, 0x0c, 0x28,
467  0x15, 0x97 ) );
468 
469 /* Base: 0xe6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c
470  * Scalar: 0xa546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4
471  * Result: 0xc3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552
472  */
473 X25519_KEY_TEST ( rfc7748_1, 1, 0,
474  BASE ( 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, 0x35, 0x94,
475  0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c, 0x72, 0x66, 0x24, 0xec,
476  0x26, 0xb3, 0x35, 0x3b, 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab,
477  0x1c, 0x4c ),
478  SCALAR ( 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, 0x3b, 0x16,
479  0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd, 0x62, 0x14, 0x4c, 0x0a,
480  0xc1, 0xfc, 0x5a, 0x18, 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44,
481  0x9a, 0xc4 ),
482  EXPECTED ( 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, 0x8e, 0x94,
483  0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f, 0x32, 0xec, 0xcf, 0x03,
484  0x49, 0x1c, 0x71, 0xf7, 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2,
485  0x85, 0x52 ) );
486 
487 /* Base: 0xe5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493
488  * Scalar: 0x4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d
489  * Result: 0x95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957
490  */
491 X25519_KEY_TEST ( rfc7748_2, 1, 0,
492  BASE ( 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3, 0xf4, 0xb7,
493  0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c, 0x31, 0xdb, 0xe7, 0x10,
494  0x6f, 0xc0, 0x3c, 0x3e, 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15,
495  0xa4, 0x93 ),
496  SCALAR ( 0x4b, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c, 0x5a, 0xd2,
497  0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5, 0xc1, 0x1b, 0x64, 0x21,
498  0xe0, 0xea, 0x01, 0xd4, 0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18,
499  0xba, 0x0d ),
500  EXPECTED ( 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d, 0x7a, 0xad,
501  0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8, 0x8b, 0x59, 0x5a, 0x68,
502  0x79, 0x9f, 0xa1, 0x52, 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac,
503  0x79, 0x57 ) );
504 
505 /* Base: 0x0900000000000000000000000000000000000000000000000000000000000000
506  * Scalar: 0x0900000000000000000000000000000000000000000000000000000000000000
507  * Result: 0x422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079
508  */
509 X25519_KEY_TEST ( rfc7748_3, 1, 0,
510  BASE ( 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
511  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
512  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
513  0x00, 0x00 ),
514  SCALAR ( 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
515  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
516  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
517  0x00, 0x00 ),
518  EXPECTED ( 0x42, 0x2c, 0x8e, 0x7a, 0x62, 0x27, 0xd7, 0xbc, 0xa1, 0x35,
519  0x0b, 0x3e, 0x2b, 0xb7, 0x27, 0x9f, 0x78, 0x97, 0xb8, 0x7b,
520  0xb6, 0x85, 0x4b, 0x78, 0x3c, 0x60, 0xe8, 0x03, 0x11, 0xae,
521  0x30, 0x79 ) );
522 
523 /* Base: 0x0900000000000000000000000000000000000000000000000000000000000000
524  * Scalar: 0x0900000000000000000000000000000000000000000000000000000000000000
525  * Result: 0xb1a5a73158904c020866c13939dd7e1aa26852ee1d2609c92e5a8f1debe2150a
526  * (after 100 iterations)
527  *
528  * RFC7748 gives test vectors for 1000 and 1000000 iterations with
529  * these starting values. This test case stops after 100 iterations
530  * to avoid a pointlessly slow test cycle in the common case of
531  * running tests under Valgrind.
532  */
533 X25519_KEY_TEST ( rfc7748_4_100, 100, 0,
534  BASE ( 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
535  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
536  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
537  0x00, 0x00 ),
538  SCALAR ( 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
539  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
540  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
541  0x00, 0x00 ),
542  EXPECTED ( 0xb1, 0xa5, 0xa7, 0x31, 0x58, 0x90, 0x4c, 0x02, 0x08, 0x66,
543  0xc1, 0x39, 0x39, 0xdd, 0x7e, 0x1a, 0xa2, 0x68, 0x52, 0xee,
544  0x1d, 0x26, 0x09, 0xc9, 0x2e, 0x5a, 0x8f, 0x1d, 0xeb, 0xe2,
545  0x15, 0x0a ) );
546 
547 /* Base: 2^255 - 19 + 1 (deliberately malicious public key)
548  * Scalar: 0x000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f
549  * Result: Failure (all zeros)
550  */
551 X25519_KEY_TEST ( malicious, 1, 1,
552  BASE ( 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
553  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
554  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
555  0xff, 0x7f ),
556  SCALAR ( 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
557  0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00, 0x01, 0x02, 0x03,
558  0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d,
559  0x0e, 0x0f ),
560  EXPECTED ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
561  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
562  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
563  0x00, 0x00 ) );
564 
565 /**
566  * Perform X25519 self-tests
567  *
568  */
569 static void x25519_test_exec ( void ) {
570 
571  /* Perform multiplication tests */
572  x25519_multiply_ok ( &multiply_small );
573  x25519_multiply_ok ( &multiply_k_p );
574  x25519_multiply_ok ( &multiply_1 );
575  x25519_multiply_ok ( &multiply_2 );
576  x25519_multiply_ok ( &multiply_3 );
577  x25519_multiply_ok ( &multiply_4 );
578  x25519_multiply_ok ( &multiply_5 );
579 
580  /* Perform multiplicative inversion tests */
581  x25519_invert_ok ( &invert_1 );
582  x25519_invert_ok ( &invert_2 );
583  x25519_invert_ok ( &invert_3 );
584  x25519_invert_ok ( &invert_4 );
585  x25519_invert_ok ( &invert_5 );
586 
587  /* Perform key exchange tests */
588  x25519_key_ok ( &rfc7748_1 );
589  x25519_key_ok ( &rfc7748_2 );
590  x25519_key_ok ( &rfc7748_3 );
591  x25519_key_ok ( &rfc7748_4_100 );
592  x25519_key_ok ( &malicious );
593 }
594 
595 /** X25519 self-test */
596 struct self_test x25519_test __self_test = {
597  .name = "x25519",
598  .exec = x25519_test_exec,
599 };
base
uint32_t base
Base.
Definition: librm.h:138
x25519_multiply_okx
static void x25519_multiply_okx(struct x25519_multiply_test *test, const char *file, unsigned int line)
Report an X25519 multiplication test result.
Definition: x25519_test.c:170
x25519_reduce
void x25519_reduce(union x25519_quad257 *value)
Reduce big integer to canonical range.
Definition: x25519.c:585
x25519_multiply_ok
#define x25519_multiply_ok(test)
Definition: x25519_test.c:202
x25519_key_test::base
struct x25519_value base
Base.
Definition: x25519_test.c:132
x25519_multiply
void x25519_multiply(const union x25519_oct258 *multiplicand, const union x25519_oct258 *multiplier, union x25519_quad257 *result)
Multiply big integers modulo field prime.
Definition: x25519.c:426
x25519_quad257::oct258
const union x25519_oct258 oct258
X25519 unsigned 258-bit integer.
Definition: x25519.h:73
EXPECTED
#define EXPECTED(...)
Define inline expected result.
Definition: x25519_test.c:58
x25519_quad257
An X25519 unsigned 257-bit integer.
Definition: x25519.h:64
x25519_multiply_test::multiplier_len
size_t multiplier_len
Length of multiplier.
Definition: x25519_test.c:69
DBGC
#define DBGC(...)
Definition: compiler.h:505
x25519_invert_test::invertend
const void * invertend
Invertend.
Definition: x25519_test.c:102
x25519_oct258
An X25519 unsigned 258-bit integer.
Definition: x25519.h:45
bigint_init
#define bigint_init(value, data, len)
Initialise big integer.
Definition: bigint.h:61
MULTIPLICAND
#define MULTIPLICAND(...)
Define inline multiplicand.
Definition: x25519_test.c:43
test.h
Self-test infrastructure.
self_test::name
const char * name
Test set name.
Definition: test.h:17
x25519_key
void x25519_key(const struct x25519_value *base, const struct x25519_value *scalar, struct x25519_value *result)
Calculate X25519 key.
Definition: x25519.c:807
X25519_KEY_TEST
#define X25519_KEY_TEST(name, COUNT, FAIL, BASE, SCALAR, EXPECTED)
Define an X25519 key exchange test.
Definition: x25519_test.c:154
self_test
A self-test set.
Definition: test.h:15
x25519_multiply_test::expected_len
size_t expected_len
Length of expected result.
Definition: x25519_test.c:73
SCALAR
#define SCALAR(...)
Define inline scalar multiple.
Definition: x25519_test.c:55
x25519_key_test::scalar
struct x25519_value scalar
Scalar.
Definition: x25519_test.c:134
MULTIPLIER
#define MULTIPLIER(...)
Define inline multiplier.
Definition: x25519_test.c:46
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
okx
#define okx(success, file, line)
Report test result.
Definition: test.h:44
x25519.h
X25519 key exchange.
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
x25519_key_test
An X25519 key exchange self-test.
Definition: x25519_test.c:130
BASE
#define BASE(...)
Define inline base point.
Definition: x25519_test.c:52
x25519_quad257::value
x25519_t value
Big integer value.
Definition: x25519.h:66
x25519_multiply_test::multiplicand
const void * multiplicand
Multiplicand.
Definition: x25519_test.c:63
FILE_LICENCE
FILE_LICENCE(GPL2_OR_LATER_OR_UBDL)
x25519_invert_test::expected
const void * expected
Expected result.
Definition: x25519_test.c:106
x25519_invert_test
An X25519 multiplicative inversion self-test.
Definition: x25519_test.c:100
x25519_key_test::fail
int fail
Key exchange is expected to fail (i.e.
Definition: x25519_test.c:140
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
x25519_is_zero
int x25519_is_zero(const struct x25519_value *value)
Check if X25519 value is zero.
Definition: x25519.c:792
x25519_key_test::count
unsigned int count
Number of iterations.
Definition: x25519_test.c:138
multiplier
static const uint32_t multiplier
Port multiplier number.
Definition: bigint.h:334
x25519_invert_ok
#define x25519_invert_ok(test)
Definition: x25519_test.c:250
x25519_multiply_test::multiplier
const void * multiplier
Multiplier.
Definition: x25519_test.c:67
x25519_multiply_test::multiplicand_len
size_t multiplicand_len
Length of multiplicand.
Definition: x25519_test.c:65
x25519_multiply_test
An X25519 multiplication self-test.
Definition: x25519_test.c:61
x25519_key_ok
#define x25519_key_ok(test)
Definition: x25519_test.c:295
x25519_key_test::expected
struct x25519_value expected
Expected result.
Definition: x25519_test.c:136
x25519_invert_test::invertend_len
size_t invertend_len
Length of invertend.
Definition: x25519_test.c:104
product
uint8_t product
Product string.
Definition: smbios.h:16
x25519_invert
void x25519_invert(const union x25519_oct258 *invertend, union x25519_quad257 *result)
Compute multiplicative inverse.
Definition: x25519.c:528
X25519_INVERT_TEST
#define X25519_INVERT_TEST(name, INVERTEND, EXPECTED)
Define an X25519 multiplicative inversion test.
Definition: x25519_test.c:119
X25519_MULTIPLY_TEST
#define X25519_MULTIPLY_TEST(name, MULTIPLICAND, MULTIPLIER, EXPECTED)
Define an X25519 multiplication test.
Definition: x25519_test.c:85
x25519_key_okx
static void x25519_key_okx(struct x25519_key_test *test, const char *file, unsigned int line)
Report an X25519 key exchange test result.
Definition: x25519_test.c:260
x25519_invert_okx
static void x25519_invert_okx(struct x25519_invert_test *test, const char *file, unsigned int line)
Report an X25519 multiplicative inversion test result.
Definition: x25519_test.c:212
INVERTEND
#define INVERTEND(...)
Define inline invertend.
Definition: x25519_test.c:49
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114
string.h
String functions.
x25519_invert_test::expected_len
size_t expected_len
Length of expected result.
Definition: x25519_test.c:108
__self_test
struct self_test x25519_test __self_test
X25519 self-test.
Definition: x25519_test.c:596
test
static int test
Definition: epic100.c:73
x25519_value
An X25519 32-byte value.
Definition: x25519.h:77
x25519_multiply_test::expected
const void * expected
Expected result.
Definition: x25519_test.c:71
x25519_test_exec
static void x25519_test_exec(void)
Perform X25519 self-tests.
Definition: x25519_test.c:569
x25519_oct258::value
x25519_t value
Big integer value.
Definition: x25519.h:47
Generated by   doxygen 1.8.15