static int test_invalid_ciphertext(void) {
NEWHOPE_POLY *sk = NEWHOPE_POLY_new();
uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH];
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
int i;
for (i = 0; i < 10; i++) {
/* Alice generates a public key */
NEWHOPE_offer(offermsg, sk);
/* Bob derives a secret key and creates a response */
if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) {
fprintf(stderr, "ERROR accept key exchange failed\n");
return 0;
}
/* Change some byte in the "ciphertext" */
acceptmsg[42] ^= 1;
/* Alice uses Bob's response to get her secret key */
if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) {
fprintf(stderr, "ERROR finish key exchange failed\n");
return 0;
}
if (!memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH)) {
fprintf(stderr, "ERROR invalid acceptmsg\n");
return 0;
}
}
NEWHOPE_POLY_free(sk);
return 1;
}
static int test_invalid_sk_a(void) {
NEWHOPE_POLY *sk = NEWHOPE_POLY_new();
uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH];
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
int i;
for (i = 0; i < NTESTS; i++) {
/* Alice generates a public key */
NEWHOPE_offer(offermsg, sk);
/* Bob derives a secret key and creates a response */
if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) {
fprintf(stderr, "ERROR accept key exchange failed\n");
return 0;
}
/* Corrupt the secret key */
NEWHOPE_offer(offermsg /* not used below */, sk);
/* Alice uses Bob's response to get her secret key */
if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) {
fprintf(stderr, "ERROR finish key exchange failed\n");
return 0;
}
if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) == 0) {
fprintf(stderr, "ERROR invalid sk_a\n");
return 0;
}
}
NEWHOPE_POLY_free(sk);
return 1;
}
static int ssl_cecpq1_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
size_t *out_secret_len, uint8_t *out_alert,
const uint8_t *peer_key, size_t peer_key_len) {
if (peer_key_len != CECPQ1_ACCEPTMSG_LENGTH) {
*out_alert = SSL_AD_DECODE_ERROR;
return 0;
}
*out_alert = SSL_AD_INTERNAL_ERROR;
assert(ctx->data != NULL);
cecpq1_data *data = ctx->data;
uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);
if (secret == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
if (!X25519(secret, data->x25519_key, peer_key)) {
*out_alert = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
goto err;
}
if (!NEWHOPE_finish(secret + 32, data->newhope_sk, peer_key + 32,
NEWHOPE_ACCEPTMSG_LENGTH)) {
*out_alert = SSL_AD_DECODE_ERROR;
goto err;
}
*out_secret = secret;
*out_secret_len = CECPQ1_SECRET_LENGTH;
return 1;
err:
OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);
OPENSSL_free(secret);
return 0;
}
