static int test_invalid_ciphertext(void) { NEWHOPE_POLY *sk = NEWHOPE_POLY_new(); uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH]; uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH]; uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH]; int i; for (i = 0; i < 10; i++) { /* Alice generates a public key */ NEWHOPE_offer(offermsg, sk); /* Bob derives a secret key and creates a response */ if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) { fprintf(stderr, "ERROR accept key exchange failed\n"); return 0; } /* Change some byte in the "ciphertext" */ acceptmsg[42] ^= 1; /* Alice uses Bob's response to get her secret key */ if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) { fprintf(stderr, "ERROR finish key exchange failed\n"); return 0; } if (!memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH)) { fprintf(stderr, "ERROR invalid acceptmsg\n"); return 0; } } NEWHOPE_POLY_free(sk); return 1; }
static int test_invalid_sk_a(void) { NEWHOPE_POLY *sk = NEWHOPE_POLY_new(); uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH]; uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH]; uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH]; int i; for (i = 0; i < NTESTS; i++) { /* Alice generates a public key */ NEWHOPE_offer(offermsg, sk); /* Bob derives a secret key and creates a response */ if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) { fprintf(stderr, "ERROR accept key exchange failed\n"); return 0; } /* Corrupt the secret key */ NEWHOPE_offer(offermsg /* not used below */, sk); /* Alice uses Bob's response to get her secret key */ if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) { fprintf(stderr, "ERROR finish key exchange failed\n"); return 0; } if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) == 0) { fprintf(stderr, "ERROR invalid sk_a\n"); return 0; } } NEWHOPE_POLY_free(sk); return 1; }
static int ssl_cecpq1_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret, size_t *out_secret_len, uint8_t *out_alert, const uint8_t *peer_key, size_t peer_key_len) { if (peer_key_len != CECPQ1_ACCEPTMSG_LENGTH) { *out_alert = SSL_AD_DECODE_ERROR; return 0; } *out_alert = SSL_AD_INTERNAL_ERROR; assert(ctx->data != NULL); cecpq1_data *data = ctx->data; uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH); if (secret == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); return 0; } if (!X25519(secret, data->x25519_key, peer_key)) { *out_alert = SSL_AD_DECODE_ERROR; OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT); goto err; } if (!NEWHOPE_finish(secret + 32, data->newhope_sk, peer_key + 32, NEWHOPE_ACCEPTMSG_LENGTH)) { *out_alert = SSL_AD_DECODE_ERROR; goto err; } *out_secret = secret; *out_secret_len = CECPQ1_SECRET_LENGTH; return 1; err: OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH); OPENSSL_free(secret); return 0; }