author | Nick Mathewson <nickm@torproject.org> | 2013-02-07 14:09:17 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2013-02-07 14:09:17 -0500 |
commit | 0175209e6b3bf990633838e35b9c70d4099124ae (patch) | |
tree | 4db90ea35eede519e119ee57a065cdc9deee5929 /src | |
parent | b4a68d174793dddf2969e08dc4facd758a4f2680 (diff) | |
parent | 266419d244c1a4795407479693b016c5a8b5da96 (diff) | |
Merge branch 'bug8121_squashed'
Diffstat (limited to 'src')
-rw-r--r-- | src/common/crypto_curve25519.c | 11 | ||||
-rw-r--r-- | src/test/test_crypto.c | 14 |
2 files changed, 21 insertions, 4 deletions
diff --git a/src/common/crypto_curve25519.c b/src/common/crypto_curve25519.c
index 425a1a078c..3e4004db2e 100644
--- a/src/common/crypto_curve25519.c
+++ b/src/common/crypto_curve25519.c
@@ -33,13 +33,20 @@ int
 curve25519_impl(uint8_t *output, const uint8_t *secret,
                 const uint8_t *basepoint)
 {
+  uint8_t bp[CURVE25519_PUBKEY_LEN];
+  int r;
+  memcpy(bp, basepoint, CURVE25519_PUBKEY_LEN);
+  /* Clear the high bit, in case our backend foolishly looks at it. */
+  bp[31] &= 0x7f;
 #ifdef USE_CURVE25519_DONNA
-  return curve25519_donna(output, secret, basepoint);
+  r = curve25519_donna(output, secret, bp);
 #elif defined(USE_CURVE25519_NACL)
-  return crypto_scalarmult_curve25519(output, secret, basepoint);
+  r = crypto_scalarmult_curve25519(output, secret, bp);
 #else
 #error "No implementation of curve25519 is available."
 #endif
+  memwipe(bp, 0, sizeof(bp));
+  return r;
 }
 
 /* ==============================
diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c
index 37843d1110..273e03b9d9 100644
--- a/src/test/test_crypto.c
+++ b/src/test/test_crypto.c
@@ -941,6 +941,8 @@ test_crypto_curve25519_impl(void *arg)
   /* adapted from curve25519_donna, which adapted it from test-curve25519
      version 20050915, by D. J. Bernstein, Public domain. */
 
+  const int randomize_high_bit = (arg != NULL);
+
   unsigned char e1k[32];
   unsigned char e2k[32];
   unsigned char e1e2k[32];
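Review bot: The new mask line `bp[31] &= 0x7f;` hard-codes the last index while the buffer it masks is sized by CURVE25519_PUBKEY_LEN, so the two only agree for as long as that constant stays 32; `bp[CURVE25519_PUBKEY_LEN - 1] &= 0x7f;` keeps the mask tied to the buffer size. The comment above it says only that a backend might look at the bit, whereas the accompanying test states the actual contract, so I would phrase it as `/* The high bit of a curve25519 public key must be ignored; mask it so both backends give identical output for such inputs. */`. The `memwipe(bp, 0, sizeof(bp));` clears a copy of the caller-supplied basepoint, which in the test is a public key rather than a secret, so it appears to be hygiene rather than a requirement and a word to that effect would stop a later reader from treating bp as sensitive. The function's `int` return-type line is in the hunk header, outside the shown lines.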
@@ -952,12 +954,19 @@ test_crypto_curve25519_impl(void *arg)
   const int loop_max=10000;
   char *mem_op_hex_tmp = NULL;
 
-  (void)arg;
-
   for (loop = 0; loop < loop_max; ++loop) {
     curve25519_impl(e1k,e1,k);
     curve25519_impl(e2e1k,e2,e1k);
     curve25519_impl(e2k,e2,k);
+    if (randomize_high_bit) {
+      /* We require that the high bit of the public key be ignored. So if
+       * we're doing this variant test, we randomize the high bit of e2k, and
+       * make sure that the handshake still works out the same as it would
+       * otherwise. */
+      uint8_t byte;
+      crypto_rand((char*)&byte, 1);
+      e2k[31] |= (byte & 0x80);
+    }
     curve25519_impl(e1e2k,e1,e2k);
     test_memeq(e1e2k, e2e1k, 32);
     if (loop == loop_max-1) {
@@ -1135,6 +1144,7 @@ struct testcase_t crypto_tests[] = {
   { "hkdf_sha256", test_crypto_hkdf_sha256, 0, NULL, NULL },
 #ifdef CURVE25519_ENABLED
   { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL },
+  { "curve25519_impl_hibit", test_crypto_curve25519_impl, 0, NULL, (void*)"y" },
   { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
   { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
   { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
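Review bot: In the new `if (randomize_high_bit)` block the high bit of e2k is set only when the byte from `crypto_rand` happens to have bit 7 set, so roughly half of the loop iterations exercise the unmasked path and a failing run cannot be reproduced from the test's inputs alone. Because the plain `curve25519_impl` case in the table already covers the bit-clear input, setting the bit unconditionally — `e2k[31] |= 0x80;` in place of the `uint8_t byte;` / `crypto_rand(...)` / `|=` triple — makes every iteration of the variant a definite check and drops the RNG dependence. Only e2k is perturbed; the e1k passed to `curve25519_impl(e2e1k,e2,e1k)` never gets a set high bit, so the symmetric direction stays untested, and if that is deliberate the comment should say so. The new table entry in the last hunk passes `(void*)"y"` purely as a non-NULL flag, since `arg != NULL` is all the test reads, which a short comment such as `/* any non-NULL arg enables the high-bit variant */` on that line would make explicit. test_crypto_curve25519_impl begins and ends outside the hunk.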