1*d20a2f80Stb /* $OpenBSD: ed25519test.c,v 1.10 2022/12/01 13:55:22 tb Exp $ */
234a3ed22Sjsing /*
3ac644cabStb * Copyright (c) 2019, 2022 Theo Buehler <tb@openbsd.org>
434a3ed22Sjsing *
534a3ed22Sjsing * Permission to use, copy, modify, and distribute this software for any
634a3ed22Sjsing * purpose with or without fee is hereby granted, provided that the above
734a3ed22Sjsing * copyright notice and this permission notice appear in all copies.
834a3ed22Sjsing *
934a3ed22Sjsing * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
1034a3ed22Sjsing * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
1134a3ed22Sjsing * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
1234a3ed22Sjsing * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
1334a3ed22Sjsing * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
1434a3ed22Sjsing * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1534a3ed22Sjsing * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1634a3ed22Sjsing */
1734a3ed22Sjsing
1834a3ed22Sjsing #include <err.h>
1934a3ed22Sjsing #include <stdio.h>
20ac644cabStb #include <stdlib.h>
2134a3ed22Sjsing #include <string.h>
2234a3ed22Sjsing
2334a3ed22Sjsing #include <openssl/curve25519.h>
2434a3ed22Sjsing
/*
 * One Ed25519 known-answer test: a key pair, a message, and the signature
 * expected for that message under that key pair.
 */
struct testvector {
	/* Signing key, passed to ED25519_sign() as its private key argument. */
	const uint8_t sec_key[ED25519_PRIVATE_KEY_LENGTH];
	/* Public key used by both the sign and the verify tests. */
	const uint8_t pub_key[ED25519_PUBLIC_KEY_LENGTH];
	/* Expected signature over the first message_len bytes of message. */
	const uint8_t signature[ED25519_SIGNATURE_LENGTH];
	/* Fixed-size buffer; only the first message_len bytes are the message. */
	const uint8_t message[1024];
	size_t message_len;
};
3234a3ed22Sjsing
/*
 * Known-answer test vectors from
 * https://tools.ietf.org/html/rfc8032#section-7.1.
 *
 * The key material below is published test data, not a secret; it must
 * never be used outside of tests.
 */
static const struct testvector testvectors[] = {
	/* TEST 1: empty message. */
	{
		.sec_key = {
			0x9d, 0x61, 0xb1, 0x9d, 0xef, 0xfd, 0x5a, 0x60,
			0xba, 0x84, 0x4a, 0xf4, 0x92, 0xec, 0x2c, 0xc4,
			0x44, 0x49, 0xc5, 0x69, 0x7b, 0x32, 0x69, 0x19,
			0x70, 0x3b, 0xac, 0x03, 0x1c, 0xae, 0x7f, 0x60,
		},
		.pub_key = {
			0xd7, 0x5a, 0x98, 0x01, 0x82, 0xb1, 0x0a, 0xb7,
			0xd5, 0x4b, 0xfe, 0xd3, 0xc9, 0x64, 0x07, 0x3a,
			0x0e, 0xe1, 0x72, 0xf3, 0xda, 0xa6, 0x23, 0x25,
			0xaf, 0x02, 0x1a, 0x68, 0xf7, 0x07, 0x51, 0x1a,
		},
		.message = {
			/*
			 * Placeholder byte so the initializer list is not
			 * empty (some compilers reject "{}"); message_len
			 * is 0, so it is not part of the message.
			 */
			0x0,
		},
		.message_len = 0,
		.signature = {
			0xe5, 0x56, 0x43, 0x00, 0xc3, 0x60, 0xac, 0x72,
			0x90, 0x86, 0xe2, 0xcc, 0x80, 0x6e, 0x82, 0x8a,
			0x84, 0x87, 0x7f, 0x1e, 0xb8, 0xe5, 0xd9, 0x74,
			0xd8, 0x73, 0xe0, 0x65, 0x22, 0x49, 0x01, 0x55,
			0x5f, 0xb8, 0x82, 0x15, 0x90, 0xa3, 0x3b, 0xac,
			0xc6, 0x1e, 0x39, 0x70, 0x1c, 0xf9, 0xb4, 0x6b,
			0xd2, 0x5b, 0xf5, 0xf0, 0x59, 0x5b, 0xbe, 0x24,
			0x65, 0x51, 0x41, 0x43, 0x8e, 0x7a, 0x10, 0x0b,
		},
	},
	/* TEST 2: one-byte message. */
	{
		.sec_key = {
			0x4c, 0xcd, 0x08, 0x9b, 0x28, 0xff, 0x96, 0xda,
			0x9d, 0xb6, 0xc3, 0x46, 0xec, 0x11, 0x4e, 0x0f,
			0x5b, 0x8a, 0x31, 0x9f, 0x35, 0xab, 0xa6, 0x24,
			0xda, 0x8c, 0xf6, 0xed, 0x4f, 0xb8, 0xa6, 0xfb,
		},
		.pub_key = {
			0x3d, 0x40, 0x17, 0xc3, 0xe8, 0x43, 0x89, 0x5a,
			0x92, 0xb7, 0x0a, 0xa7, 0x4d, 0x1b, 0x7e, 0xbc,
			0x9c, 0x98, 0x2c, 0xcf, 0x2e, 0xc4, 0x96, 0x8c,
			0xc0, 0xcd, 0x55, 0xf1, 0x2a, 0xf4, 0x66, 0x0c,
		},
		.message = {
			0x72,
		},
		.message_len = 1,
		.signature = {
			0x92, 0xa0, 0x09, 0xa9, 0xf0, 0xd4, 0xca, 0xb8,
			0x72, 0x0e, 0x82, 0x0b, 0x5f, 0x64, 0x25, 0x40,
			0xa2, 0xb2, 0x7b, 0x54, 0x16, 0x50, 0x3f, 0x8f,
			0xb3, 0x76, 0x22, 0x23, 0xeb, 0xdb, 0x69, 0xda,
			0x08, 0x5a, 0xc1, 0xe4, 0x3e, 0x15, 0x99, 0x6e,
			0x45, 0x8f, 0x36, 0x13, 0xd0, 0xf1, 0x1d, 0x8c,
			0x38, 0x7b, 0x2e, 0xae, 0xb4, 0x30, 0x2a, 0xee,
			0xb0, 0x0d, 0x29, 0x16, 0x12, 0xbb, 0x0c, 0x00,
		},
	},
	/* TEST 3: two-byte message. */
	{
		.sec_key = {
			0xc5, 0xaa, 0x8d, 0xf4, 0x3f, 0x9f, 0x83, 0x7b,
			0xed, 0xb7, 0x44, 0x2f, 0x31, 0xdc, 0xb7, 0xb1,
			0x66, 0xd3, 0x85, 0x35, 0x07, 0x6f, 0x09, 0x4b,
			0x85, 0xce, 0x3a, 0x2e, 0x0b, 0x44, 0x58, 0xf7,
		},
		.pub_key = {
			0xfc, 0x51, 0xcd, 0x8e, 0x62, 0x18, 0xa1, 0xa3,
			0x8d, 0xa4, 0x7e, 0xd0, 0x02, 0x30, 0xf0, 0x58,
			0x08, 0x16, 0xed, 0x13, 0xba, 0x33, 0x03, 0xac,
			0x5d, 0xeb, 0x91, 0x15, 0x48, 0x90, 0x80, 0x25,
		},
		.message = {
			0xaf, 0x82,
		},
		.message_len = 2,
		.signature = {
			0x62, 0x91, 0xd6, 0x57, 0xde, 0xec, 0x24, 0x02,
			0x48, 0x27, 0xe6, 0x9c, 0x3a, 0xbe, 0x01, 0xa3,
			0x0c, 0xe5, 0x48, 0xa2, 0x84, 0x74, 0x3a, 0x44,
			0x5e, 0x36, 0x80, 0xd7, 0xdb, 0x5a, 0xc3, 0xac,
			0x18, 0xff, 0x9b, 0x53, 0x8d, 0x16, 0xf2, 0x90,
			0xae, 0x67, 0xf7, 0x60, 0x98, 0x4d, 0xc6, 0x59,
			0x4a, 0x7c, 0x15, 0xe9, 0x71, 0x6e, 0xd2, 0x8d,
			0xc0, 0x27, 0xbe, 0xce, 0xea, 0x1e, 0xc4, 0x0a,
		},
	},
	/* TEST 1024: 1023-byte message, one byte short of the buffer size. */
	{
		.sec_key = {
			0xf5, 0xe5, 0x76, 0x7c, 0xf1, 0x53, 0x31, 0x95,
			0x17, 0x63, 0x0f, 0x22, 0x68, 0x76, 0xb8, 0x6c,
			0x81, 0x60, 0xcc, 0x58, 0x3b, 0xc0, 0x13, 0x74,
			0x4c, 0x6b, 0xf2, 0x55, 0xf5, 0xcc, 0x0e, 0xe5,
		},
		.pub_key = {
			0x27, 0x81, 0x17, 0xfc, 0x14, 0x4c, 0x72, 0x34,
			0x0f, 0x67, 0xd0, 0xf2, 0x31, 0x6e, 0x83, 0x86,
			0xce, 0xff, 0xbf, 0x2b, 0x24, 0x28, 0xc9, 0xc5,
			0x1f, 0xef, 0x7c, 0x59, 0x7f, 0x1d, 0x42, 0x6e,
		},
		.message = {
			0x08, 0xb8, 0xb2, 0xb7, 0x33, 0x42, 0x42, 0x43,
			0x76, 0x0f, 0xe4, 0x26, 0xa4, 0xb5, 0x49, 0x08,
			0x63, 0x21, 0x10, 0xa6, 0x6c, 0x2f, 0x65, 0x91,
			0xea, 0xbd, 0x33, 0x45, 0xe3, 0xe4, 0xeb, 0x98,
			0xfa, 0x6e, 0x26, 0x4b, 0xf0, 0x9e, 0xfe, 0x12,
			0xee, 0x50, 0xf8, 0xf5, 0x4e, 0x9f, 0x77, 0xb1,
			0xe3, 0x55, 0xf6, 0xc5, 0x05, 0x44, 0xe2, 0x3f,
			0xb1, 0x43, 0x3d, 0xdf, 0x73, 0xbe, 0x84, 0xd8,
			0x79, 0xde, 0x7c, 0x00, 0x46, 0xdc, 0x49, 0x96,
			0xd9, 0xe7, 0x73, 0xf4, 0xbc, 0x9e, 0xfe, 0x57,
			0x38, 0x82, 0x9a, 0xdb, 0x26, 0xc8, 0x1b, 0x37,
			0xc9, 0x3a, 0x1b, 0x27, 0x0b, 0x20, 0x32, 0x9d,
			0x65, 0x86, 0x75, 0xfc, 0x6e, 0xa5, 0x34, 0xe0,
			0x81, 0x0a, 0x44, 0x32, 0x82, 0x6b, 0xf5, 0x8c,
			0x94, 0x1e, 0xfb, 0x65, 0xd5, 0x7a, 0x33, 0x8b,
			0xbd, 0x2e, 0x26, 0x64, 0x0f, 0x89, 0xff, 0xbc,
			0x1a, 0x85, 0x8e, 0xfc, 0xb8, 0x55, 0x0e, 0xe3,
			0xa5, 0xe1, 0x99, 0x8b, 0xd1, 0x77, 0xe9, 0x3a,
			0x73, 0x63, 0xc3, 0x44, 0xfe, 0x6b, 0x19, 0x9e,
			0xe5, 0xd0, 0x2e, 0x82, 0xd5, 0x22, 0xc4, 0xfe,
			0xba, 0x15, 0x45, 0x2f, 0x80, 0x28, 0x8a, 0x82,
			0x1a, 0x57, 0x91, 0x16, 0xec, 0x6d, 0xad, 0x2b,
			0x3b, 0x31, 0x0d, 0xa9, 0x03, 0x40, 0x1a, 0xa6,
			0x21, 0x00, 0xab, 0x5d, 0x1a, 0x36, 0x55, 0x3e,
			0x06, 0x20, 0x3b, 0x33, 0x89, 0x0c, 0xc9, 0xb8,
			0x32, 0xf7, 0x9e, 0xf8, 0x05, 0x60, 0xcc, 0xb9,
			0xa3, 0x9c, 0xe7, 0x67, 0x96, 0x7e, 0xd6, 0x28,
			0xc6, 0xad, 0x57, 0x3c, 0xb1, 0x16, 0xdb, 0xef,
			0xef, 0xd7, 0x54, 0x99, 0xda, 0x96, 0xbd, 0x68,
			0xa8, 0xa9, 0x7b, 0x92, 0x8a, 0x8b, 0xbc, 0x10,
			0x3b, 0x66, 0x21, 0xfc, 0xde, 0x2b, 0xec, 0xa1,
			0x23, 0x1d, 0x20, 0x6b, 0xe6, 0xcd, 0x9e, 0xc7,
			0xaf, 0xf6, 0xf6, 0xc9, 0x4f, 0xcd, 0x72, 0x04,
			0xed, 0x34, 0x55, 0xc6, 0x8c, 0x83, 0xf4, 0xa4,
			0x1d, 0xa4, 0xaf, 0x2b, 0x74, 0xef, 0x5c, 0x53,
			0xf1, 0xd8, 0xac, 0x70, 0xbd, 0xcb, 0x7e, 0xd1,
			0x85, 0xce, 0x81, 0xbd, 0x84, 0x35, 0x9d, 0x44,
			0x25, 0x4d, 0x95, 0x62, 0x9e, 0x98, 0x55, 0xa9,
			0x4a, 0x7c, 0x19, 0x58, 0xd1, 0xf8, 0xad, 0xa5,
			0xd0, 0x53, 0x2e, 0xd8, 0xa5, 0xaa, 0x3f, 0xb2,
			0xd1, 0x7b, 0xa7, 0x0e, 0xb6, 0x24, 0x8e, 0x59,
			0x4e, 0x1a, 0x22, 0x97, 0xac, 0xbb, 0xb3, 0x9d,
			0x50, 0x2f, 0x1a, 0x8c, 0x6e, 0xb6, 0xf1, 0xce,
			0x22, 0xb3, 0xde, 0x1a, 0x1f, 0x40, 0xcc, 0x24,
			0x55, 0x41, 0x19, 0xa8, 0x31, 0xa9, 0xaa, 0xd6,
			0x07, 0x9c, 0xad, 0x88, 0x42, 0x5d, 0xe6, 0xbd,
			0xe1, 0xa9, 0x18, 0x7e, 0xbb, 0x60, 0x92, 0xcf,
			0x67, 0xbf, 0x2b, 0x13, 0xfd, 0x65, 0xf2, 0x70,
			0x88, 0xd7, 0x8b, 0x7e, 0x88, 0x3c, 0x87, 0x59,
			0xd2, 0xc4, 0xf5, 0xc6, 0x5a, 0xdb, 0x75, 0x53,
			0x87, 0x8a, 0xd5, 0x75, 0xf9, 0xfa, 0xd8, 0x78,
			0xe8, 0x0a, 0x0c, 0x9b, 0xa6, 0x3b, 0xcb, 0xcc,
			0x27, 0x32, 0xe6, 0x94, 0x85, 0xbb, 0xc9, 0xc9,
			0x0b, 0xfb, 0xd6, 0x24, 0x81, 0xd9, 0x08, 0x9b,
			0xec, 0xcf, 0x80, 0xcf, 0xe2, 0xdf, 0x16, 0xa2,
			0xcf, 0x65, 0xbd, 0x92, 0xdd, 0x59, 0x7b, 0x07,
			0x07, 0xe0, 0x91, 0x7a, 0xf4, 0x8b, 0xbb, 0x75,
			0xfe, 0xd4, 0x13, 0xd2, 0x38, 0xf5, 0x55, 0x5a,
			0x7a, 0x56, 0x9d, 0x80, 0xc3, 0x41, 0x4a, 0x8d,
			0x08, 0x59, 0xdc, 0x65, 0xa4, 0x61, 0x28, 0xba,
			0xb2, 0x7a, 0xf8, 0x7a, 0x71, 0x31, 0x4f, 0x31,
			0x8c, 0x78, 0x2b, 0x23, 0xeb, 0xfe, 0x80, 0x8b,
			0x82, 0xb0, 0xce, 0x26, 0x40, 0x1d, 0x2e, 0x22,
			0xf0, 0x4d, 0x83, 0xd1, 0x25, 0x5d, 0xc5, 0x1a,
			0xdd, 0xd3, 0xb7, 0x5a, 0x2b, 0x1a, 0xe0, 0x78,
			0x45, 0x04, 0xdf, 0x54, 0x3a, 0xf8, 0x96, 0x9b,
			0xe3, 0xea, 0x70, 0x82, 0xff, 0x7f, 0xc9, 0x88,
			0x8c, 0x14, 0x4d, 0xa2, 0xaf, 0x58, 0x42, 0x9e,
			0xc9, 0x60, 0x31, 0xdb, 0xca, 0xd3, 0xda, 0xd9,
			0xaf, 0x0d, 0xcb, 0xaa, 0xaf, 0x26, 0x8c, 0xb8,
			0xfc, 0xff, 0xea, 0xd9, 0x4f, 0x3c, 0x7c, 0xa4,
			0x95, 0xe0, 0x56, 0xa9, 0xb4, 0x7a, 0xcd, 0xb7,
			0x51, 0xfb, 0x73, 0xe6, 0x66, 0xc6, 0xc6, 0x55,
			0xad, 0xe8, 0x29, 0x72, 0x97, 0xd0, 0x7a, 0xd1,
			0xba, 0x5e, 0x43, 0xf1, 0xbc, 0xa3, 0x23, 0x01,
			0x65, 0x13, 0x39, 0xe2, 0x29, 0x04, 0xcc, 0x8c,
			0x42, 0xf5, 0x8c, 0x30, 0xc0, 0x4a, 0xaf, 0xdb,
			0x03, 0x8d, 0xda, 0x08, 0x47, 0xdd, 0x98, 0x8d,
			0xcd, 0xa6, 0xf3, 0xbf, 0xd1, 0x5c, 0x4b, 0x4c,
			0x45, 0x25, 0x00, 0x4a, 0xa0, 0x6e, 0xef, 0xf8,
			0xca, 0x61, 0x78, 0x3a, 0xac, 0xec, 0x57, 0xfb,
			0x3d, 0x1f, 0x92, 0xb0, 0xfe, 0x2f, 0xd1, 0xa8,
			0x5f, 0x67, 0x24, 0x51, 0x7b, 0x65, 0xe6, 0x14,
			0xad, 0x68, 0x08, 0xd6, 0xf6, 0xee, 0x34, 0xdf,
			0xf7, 0x31, 0x0f, 0xdc, 0x82, 0xae, 0xbf, 0xd9,
			0x04, 0xb0, 0x1e, 0x1d, 0xc5, 0x4b, 0x29, 0x27,
			0x09, 0x4b, 0x2d, 0xb6, 0x8d, 0x6f, 0x90, 0x3b,
			0x68, 0x40, 0x1a, 0xde, 0xbf, 0x5a, 0x7e, 0x08,
			0xd7, 0x8f, 0xf4, 0xef, 0x5d, 0x63, 0x65, 0x3a,
			0x65, 0x04, 0x0c, 0xf9, 0xbf, 0xd4, 0xac, 0xa7,
			0x98, 0x4a, 0x74, 0xd3, 0x71, 0x45, 0x98, 0x67,
			0x80, 0xfc, 0x0b, 0x16, 0xac, 0x45, 0x16, 0x49,
			0xde, 0x61, 0x88, 0xa7, 0xdb, 0xdf, 0x19, 0x1f,
			0x64, 0xb5, 0xfc, 0x5e, 0x2a, 0xb4, 0x7b, 0x57,
			0xf7, 0xf7, 0x27, 0x6c, 0xd4, 0x19, 0xc1, 0x7a,
			0x3c, 0xa8, 0xe1, 0xb9, 0x39, 0xae, 0x49, 0xe4,
			0x88, 0xac, 0xba, 0x6b, 0x96, 0x56, 0x10, 0xb5,
			0x48, 0x01, 0x09, 0xc8, 0xb1, 0x7b, 0x80, 0xe1,
			0xb7, 0xb7, 0x50, 0xdf, 0xc7, 0x59, 0x8d, 0x5d,
			0x50, 0x11, 0xfd, 0x2d, 0xcc, 0x56, 0x00, 0xa3,
			0x2e, 0xf5, 0xb5, 0x2a, 0x1e, 0xcc, 0x82, 0x0e,
			0x30, 0x8a, 0xa3, 0x42, 0x72, 0x1a, 0xac, 0x09,
			0x43, 0xbf, 0x66, 0x86, 0xb6, 0x4b, 0x25, 0x79,
			0x37, 0x65, 0x04, 0xcc, 0xc4, 0x93, 0xd9, 0x7e,
			0x6a, 0xed, 0x3f, 0xb0, 0xf9, 0xcd, 0x71, 0xa4,
			0x3d, 0xd4, 0x97, 0xf0, 0x1f, 0x17, 0xc0, 0xe2,
			0xcb, 0x37, 0x97, 0xaa, 0x2a, 0x2f, 0x25, 0x66,
			0x56, 0x16, 0x8e, 0x6c, 0x49, 0x6a, 0xfc, 0x5f,
			0xb9, 0x32, 0x46, 0xf6, 0xb1, 0x11, 0x63, 0x98,
			0xa3, 0x46, 0xf1, 0xa6, 0x41, 0xf3, 0xb0, 0x41,
			0xe9, 0x89, 0xf7, 0x91, 0x4f, 0x90, 0xcc, 0x2c,
			0x7f, 0xff, 0x35, 0x78, 0x76, 0xe5, 0x06, 0xb5,
			0x0d, 0x33, 0x4b, 0xa7, 0x7c, 0x22, 0x5b, 0xc3,
			0x07, 0xba, 0x53, 0x71, 0x52, 0xf3, 0xf1, 0x61,
			0x0e, 0x4e, 0xaf, 0xe5, 0x95, 0xf6, 0xd9, 0xd9,
			0x0d, 0x11, 0xfa, 0xa9, 0x33, 0xa1, 0x5e, 0xf1,
			0x36, 0x95, 0x46, 0x86, 0x8a, 0x7f, 0x3a, 0x45,
			0xa9, 0x67, 0x68, 0xd4, 0x0f, 0xd9, 0xd0, 0x34,
			0x12, 0xc0, 0x91, 0xc6, 0x31, 0x5c, 0xf4, 0xfd,
			0xe7, 0xcb, 0x68, 0x60, 0x69, 0x37, 0x38, 0x0d,
			0xb2, 0xea, 0xaa, 0x70, 0x7b, 0x4c, 0x41, 0x85,
			0xc3, 0x2e, 0xdd, 0xcd, 0xd3, 0x06, 0x70, 0x5e,
			0x4d, 0xc1, 0xff, 0xc8, 0x72, 0xee, 0xee, 0x47,
			0x5a, 0x64, 0xdf, 0xac, 0x86, 0xab, 0xa4, 0x1c,
			0x06, 0x18, 0x98, 0x3f, 0x87, 0x41, 0xc5, 0xef,
			0x68, 0xd3, 0xa1, 0x01, 0xe8, 0xa3, 0xb8, 0xca,
			0xc6, 0x0c, 0x90, 0x5c, 0x15, 0xfc, 0x91, 0x08,
			0x40, 0xb9, 0x4c, 0x00, 0xa0, 0xb9, 0xd0,
		},
		.message_len = 1023,
		.signature = {
			0x0a, 0xab, 0x4c, 0x90, 0x05, 0x01, 0xb3, 0xe2,
			0x4d, 0x7c, 0xdf, 0x46, 0x63, 0x32, 0x6a, 0x3a,
			0x87, 0xdf, 0x5e, 0x48, 0x43, 0xb2, 0xcb, 0xdb,
			0x67, 0xcb, 0xf6, 0xe4, 0x60, 0xfe, 0xc3, 0x50,
			0xaa, 0x53, 0x71, 0xb1, 0x50, 0x8f, 0x9f, 0x45,
			0x28, 0xec, 0xea, 0x23, 0xc4, 0x36, 0xd9, 0x4b,
			0x5e, 0x8f, 0xcd, 0x4f, 0x68, 0x1e, 0x30, 0xa6,
			0xac, 0x00, 0xa9, 0x70, 0x4a, 0x18, 0x8a, 0x03,
		},
	},
	/* TEST SHA(abc): 64-byte message. */
	{
		.sec_key = {
			0x83, 0x3f, 0xe6, 0x24, 0x09, 0x23, 0x7b, 0x9d,
			0x62, 0xec, 0x77, 0x58, 0x75, 0x20, 0x91, 0x1e,
			0x9a, 0x75, 0x9c, 0xec, 0x1d, 0x19, 0x75, 0x5b,
			0x7d, 0xa9, 0x01, 0xb9, 0x6d, 0xca, 0x3d, 0x42,
		},
		.pub_key = {
			0xec, 0x17, 0x2b, 0x93, 0xad, 0x5e, 0x56, 0x3b,
			0xf4, 0x93, 0x2c, 0x70, 0xe1, 0x24, 0x50, 0x34,
			0xc3, 0x54, 0x67, 0xef, 0x2e, 0xfd, 0x4d, 0x64,
			0xeb, 0xf8, 0x19, 0x68, 0x34, 0x67, 0xe2, 0xbf,
		},
		.message = {
			0xdd, 0xaf, 0x35, 0xa1, 0x93, 0x61, 0x7a, 0xba,
			0xcc, 0x41, 0x73, 0x49, 0xae, 0x20, 0x41, 0x31,
			0x12, 0xe6, 0xfa, 0x4e, 0x89, 0xa9, 0x7e, 0xa2,
			0x0a, 0x9e, 0xee, 0xe6, 0x4b, 0x55, 0xd3, 0x9a,
			0x21, 0x92, 0x99, 0x2a, 0x27, 0x4f, 0xc1, 0xa8,
			0x36, 0xba, 0x3c, 0x23, 0xa3, 0xfe, 0xeb, 0xbd,
			0x45, 0x4d, 0x44, 0x23, 0x64, 0x3c, 0xe8, 0x0e,
			0x2a, 0x9a, 0xc9, 0x4f, 0xa5, 0x4c, 0xa4, 0x9f,
		},
		.message_len = 64,
		.signature = {
			0xdc, 0x2a, 0x44, 0x59, 0xe7, 0x36, 0x96, 0x33,
			0xa5, 0x2b, 0x1b, 0xf2, 0x77, 0x83, 0x9a, 0x00,
			0x20, 0x10, 0x09, 0xa3, 0xef, 0xbf, 0x3e, 0xcb,
			0x69, 0xbe, 0xa2, 0x18, 0x6c, 0x26, 0xb5, 0x89,
			0x09, 0x35, 0x1f, 0xc9, 0xac, 0x90, 0xb3, 0xec,
			0xfd, 0xfb, 0xc7, 0xc6, 0x64, 0x31, 0xe0, 0x30,
			0x3d, 0xca, 0x17, 0x9c, 0x13, 0x8a, 0xc1, 0x7a,
			0xd9, 0xbe, 0xf1, 0x17, 0x73, 0x31, 0xa7, 0x04,
		},
	},
};
31234a3ed22Sjsing
/* Number of entries in testvectors[], derived from the array itself. */
const size_t num_testvectors = sizeof(testvectors) / sizeof(*testvectors);
31434a3ed22Sjsing
/*
 * Check that ED25519_verify() accepts the expected signature of every
 * known-answer vector. This only exercises acceptance of valid
 * signatures; it does not feed the verifier any altered input.
 *
 * Returns 0 if every vector verified, 1 otherwise.
 */
static int
test_ED25519_verify(void)
{
	const struct testvector *tc;
	int failed = 0;
	size_t i;

	for (i = 0; i < num_testvectors; i++) {
		tc = &testvectors[i];

		if (ED25519_verify(tc->message, tc->message_len,
		    tc->signature, tc->pub_key))
			continue;

		/* Keep going so that every failing vector is reported. */
		warnx("failed verification in test case %zu", i);
		failed = 1;
	}

	return failed;
}
33334a3ed22Sjsing
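/*
 * Sign every known-answer message with its key pair and compare the
 * result byte for byte with the expected signature from the vector.
 *
 * Returns 0 if every vector produced the expected signature, 1 otherwise.
 */
static int
test_ED25519_sign(void)
{
	size_t i;
	int failed = 0;

	for (i = 0; i < num_testvectors; i++) {
		const struct testvector *tc = &testvectors[i];
		/* Same length as the expected signature it is compared to. */
		uint8_t signature[ED25519_SIGNATURE_LENGTH];

		if (!ED25519_sign(signature, tc->message, tc->message_len,
		    tc->pub_key, tc->sec_key)) {
			warnx("failed signature in test case %zu", i);
			failed = 1;
			/*
			 * The output buffer may not have been written, so
			 * comparing it would read indeterminate bytes and
			 * report a misleading mismatch.
			 */
			continue;
		}

		if (memcmp(tc->signature, signature, sizeof signature) != 0) {
			warnx("signature mismatch in test case %zu", i);
			failed = 1;
		}
	}

	return failed;
}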
35834a3ed22Sjsing
/*
 * Write len bytes of buf to stderr as comma-separated 0x.. literals,
 * eight per line, so the output can be pasted into a C initializer.
 */
static void
hexdump(const unsigned char *buf, size_t len)
{
	size_t pos;

	for (pos = 0; pos < len; pos++) {
		/* End the line after every eighth byte. */
		const char *eol = ((pos + 1) % 8 == 0) ? "\n" : "";

		fprintf(stderr, " 0x%02hhx,%s", buf[pos], eol);
	}

	/* Terminate a final line that holds fewer than eight bytes. */
	if (len % 8 != 0)
		fputc('\n', stderr);
}
370ac644cabStb
/*
 * Print the inputs of a failing test to stderr so that the failure can be
 * reproduced: the message, both keys and, unless it is NULL, the
 * signature.
 *
 * NOTE: this writes the private key in the clear. Its callers in this
 * file pass only a key pair generated for the test run; do not reuse it
 * for keys that matter.
 */
static void
dump_info(const uint8_t *message, size_t message_len, const uint8_t *public_key,
    const uint8_t *private_key, const uint8_t *signature)
{
	fputs("message:\n", stderr);
	hexdump(message, message_len);

	fputs("public key:\n", stderr);
	hexdump(public_key, ED25519_PUBLIC_KEY_LENGTH);

	fputs("private key:\n", stderr);
	hexdump(private_key, ED25519_PRIVATE_KEY_LENGTH);

	/* No signature is available when signing itself failed. */
	if (signature == NULL)
		return;

	fputs("signature:\n", stderr);
	hexdump(signature, ED25519_SIGNATURE_LENGTH);
}
389ac644cabStb
/*
 * Order of the edwards25519 group,
 * 2^252 + 27742317777372353535851937790883648493, stored as 32 bytes
 * with the least significant byte first; see
 * https://www.rfc-editor.org/rfc/rfc7748#section-4.1
 */
static const uint8_t order[] = {
	/* low 128 bits */
	0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
	0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
	/* high 128 bits: only bit 252 is set */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
};
400ac644cabStb
/*
 * Turn a valid signature into a non-canonical encoding of the same
 * signature by adding the group order to its upper half (bytes 32..63),
 * treated as a little-endian integer. The sum is congruent to the
 * original value modulo the group order, so a verifier that does not
 * range-check the upper half would still accept it. This is caught by
 * the check added in curve25519.c r1.14.
 *
 * The signature is modified in place and must be at least 64 bytes long.
 */
static void
modify_signature(uint8_t *signature)
{
	uint8_t *scalar = signature + 32;
	unsigned int acc = 0;
	size_t k;

	/* Byte-wise addition with carry, least significant byte first. */
	for (k = 0; k < sizeof(order); k++) {
		acc += (unsigned int)order[k] + scalar[k];
		scalar[k] = (uint8_t)(acc & 0xff);
		acc >>= 8;	/* at most 1: the carry into the next byte */
	}

	/*
	 * No carry is left over: 0 <= upper half < order on entry, and
	 * 2 * order < 2^256.
	 */
}
421ac644cabStb
/*
 * Signature malleability test: sign a random message with a fresh key
 * pair, confirm that the signature verifies, then add the group order to
 * its upper half and require that verification now fails.
 *
 * Key and message are random, so on any failure the inputs are dumped to
 * stderr to make the case reproducible.
 *
 * Returns 0 on success, 1 on failure.
 */
static int
test_ED25519_signature_malleability(void)
{
	uint8_t private_key[ED25519_PRIVATE_KEY_LENGTH];
	uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH];
	uint8_t signature[ED25519_SIGNATURE_LENGTH];
	uint8_t message[32];

	ED25519_keypair(public_key, private_key);
	arc4random_buf(message, sizeof(message));

	if (!ED25519_sign(signature, message, sizeof(message),
	    public_key, private_key)) {
		fprintf(stderr, "Failed to sign random message\n");
		/* There is no signature to show yet. */
		dump_info(message, sizeof(message), public_key, private_key,
		    NULL);
		return 1;
	}

	/* Baseline: the unmodified signature has to be accepted. */
	if (!ED25519_verify(message, sizeof(message), signature, public_key)) {
		fprintf(stderr, "Failed to verify random message\n");
		dump_info(message, sizeof(message), public_key, private_key,
		    signature);
		return 1;
	}

	modify_signature(signature);

	/* The altered encoding of the same signature has to be rejected. */
	if (ED25519_verify(message, sizeof(message), signature, public_key)) {
		fprintf(stderr, "Verified with modified signature\n");
		dump_info(message, sizeof(message), public_key, private_key,
		    signature);
		return 1;
	}

	return 0;
}
463ac644cabStb
/*
 * Run all Ed25519 regression tests. Every test runs even if an earlier
 * one failed; the exit status is 0 only if all of them passed.
 */
int
main(int argc, char *argv[])
{
	int status;

	status = test_ED25519_verify();
	status |= test_ED25519_sign();
	status |= test_ED25519_signature_malleability();

	return status;
}