static int test_invalid_ciphertext(void) {
NEWHOPE_POLY *sk = NEWHOPE_POLY_new();
uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH];
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
int i;
for (i = 0; i < 10; i++) {
/* Alice generates a public key */
NEWHOPE_offer(offermsg, sk);
/* Bob derives a secret key and creates a response */
if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) {
fprintf(stderr, "ERROR accept key exchange failed\n");
return 0;
}
/* Change some byte in the "ciphertext" */
acceptmsg[42] ^= 1;
/* Alice uses Bob's response to get her secret key */
if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) {
fprintf(stderr, "ERROR finish key exchange failed\n");
return 0;
}
if (!memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH)) {
fprintf(stderr, "ERROR invalid acceptmsg\n");
return 0;
}
}
NEWHOPE_POLY_free(sk);
return 1;
}
static int test_invalid_sk_a(void) {
NEWHOPE_POLY *sk = NEWHOPE_POLY_new();
uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH];
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
int i;
for (i = 0; i < NTESTS; i++) {
/* Alice generates a public key */
NEWHOPE_offer(offermsg, sk);
/* Bob derives a secret key and creates a response */
if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) {
fprintf(stderr, "ERROR accept key exchange failed\n");
return 0;
}
/* Corrupt the secret key */
NEWHOPE_offer(offermsg /* not used below */, sk);
/* Alice uses Bob's response to get her secret key */
if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) {
fprintf(stderr, "ERROR finish key exchange failed\n");
return 0;
}
if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) == 0) {
fprintf(stderr, "ERROR invalid sk_a\n");
return 0;
}
}
NEWHOPE_POLY_free(sk);
return 1;
}
static int ssl_cecpq1_accept(SSL_ECDH_CTX *ctx, CBB *cbb, uint8_t **out_secret,
size_t *out_secret_len, uint8_t *out_alert,
const uint8_t *peer_key, size_t peer_key_len) {
if (peer_key_len != CECPQ1_OFFERMSG_LENGTH) {
*out_alert = SSL_AD_DECODE_ERROR;
return 0;
}
*out_alert = SSL_AD_INTERNAL_ERROR;
assert(ctx->data == NULL);
cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data));
if (data == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
data->newhope_sk = NULL;
ctx->data = data;
uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);
if (secret == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
/* Generate message to server, and secret key, at once. */
uint8_t x25519_public_key[32];
X25519_keypair(x25519_public_key, data->x25519_key);
if (!X25519(secret, data->x25519_key, peer_key)) {
*out_alert = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
goto err;
}
uint8_t newhope_acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
if (!NEWHOPE_accept(secret + 32, newhope_acceptmsg, peer_key + 32,
NEWHOPE_OFFERMSG_LENGTH)) {
*out_alert = SSL_AD_DECODE_ERROR;
goto err;
}
if (!CBB_add_bytes(cbb, x25519_public_key, sizeof(x25519_public_key)) ||
!CBB_add_bytes(cbb, newhope_acceptmsg, sizeof(newhope_acceptmsg))) {
goto err;
}
*out_secret = secret;
*out_secret_len = CECPQ1_SECRET_LENGTH;
return 1;
err:
OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);
OPENSSL_free(secret);
return 0;
}
