| Commit message (Collapse) | Author | Age | Files | Lines |
RANK768 and RANK1024 are awfully short and generic names for public
constants. Before we make it worse with similarly named constants for
ML-DSA, let's fix this. This follows the naming convention used by the
other macros in the mlkem code.
ok kenjiro jsing
Skip the tests for now since they increase the test's runtime by ~50%.
A later commit will gate these tests behind REGRESS_SKIP_SLOW.
Since this has grown organically, the test selection has become a weird mix
of globs, regexes and test variants and it is hard to reason about what is
run and why. Instead, load all the json files from testvectors_v1/ and look
at algorithm (almost always available) and test schema to figure out if we
support it in libcrypto and the test harness. This separates the logic of
the test runner better from the test selection. Also make it a fatal error
if we don't explicitly skip an unknown algorithm.
This prepares an upcoming change by not only skipping small curves but
also binary curves that have test vectors.
The webcrypto test files for P-256, P-384, and P-521 are identical to
the P1363 test files for these curves with the hashes SHA-256, SHA-384,
and SHA-512, respectively. The only real difference in the test paths
is the Go glue code to translate to libcrypto, so they're pointless.
These are no longer supported in v1 and we skipped them anyway.
This checks that the curve parameters are correct for a collection of prime
order groups (secp, Brainpool, FRP). The collection is a superset of our
built-in curves, so we get one more validation for essentially free.
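
The kind of consistency check such a collection allows, written as an added example in Go (the language of this regress harness) and not code from the commit or from LibreSSL: the record layout, field names and the `validateCurve`/`checkOrder` helpers are this example's own; the only real data is the published secp256r1 parameter set, typed in as sample input. The algebraic checks trust no library; the order check additionally uses crypto/elliptic as a reference implementation.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// curveVector is a constructed record in the spirit of a curve-parameter
// test vector: hex field values plus the cofactor. Field names are this
// example's own, not a published schema.
type curveVector struct {
	Name               string
	P, A, B, Gx, Gy, N string
	H                  int
}

// p256 holds the published secp256r1 parameters as sample input.
var p256 = curveVector{
	Name: "secp256r1",
	P:    "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
	A:    "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
	B:    "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
	Gx:   "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
	Gy:   "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
	N:    "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
	H:    1,
}

func hexInt(s string) (*big.Int, error) {
	v, ok := new(big.Int).SetString(s, 16)
	if !ok {
		return nil, fmt.Errorf("bad hex %q", s)
	}
	return v, nil
}

// validateCurve checks a short-Weierstrass prime-order group for internal
// consistency: p and n prime, cofactor 1, non-singular curve, generator on
// the curve, and n within the Hasse bound of p.
func validateCurve(v curveVector) error {
	var vals [6]*big.Int
	for i, s := range []string{v.P, v.A, v.B, v.Gx, v.Gy, v.N} {
		x, err := hexInt(s)
		if err != nil {
			return fmt.Errorf("%s: %v", v.Name, err)
		}
		vals[i] = x
	}
	p, a, b, gx, gy, n := vals[0], vals[1], vals[2], vals[3], vals[4], vals[5]
	if !p.ProbablyPrime(64) || !n.ProbablyPrime(64) {
		return errors.New(v.Name + ": p or n is not prime")
	}
	if v.H != 1 {
		return fmt.Errorf("%s: cofactor %d, want 1 for a prime order group", v.Name, v.H)
	}
	// Non-singular: 4a^3 + 27b^2 != 0 (mod p).
	disc := new(big.Int).Exp(a, big.NewInt(3), p)
	disc.Mul(disc, big.NewInt(4))
	t := new(big.Int).Exp(b, big.NewInt(2), p)
	disc.Add(disc, t.Mul(t, big.NewInt(27))).Mod(disc, p)
	if disc.Sign() == 0 {
		return errors.New(v.Name + ": singular curve")
	}
	// Generator on the curve: gy^2 == gx^3 + a*gx + b (mod p).
	lhs := new(big.Int).Exp(gy, big.NewInt(2), p)
	rhs := new(big.Int).Exp(gx, big.NewInt(3), p)
	rhs.Add(rhs, new(big.Int).Mul(a, gx)).Add(rhs, b).Mod(rhs, p)
	if lhs.Cmp(rhs) != 0 {
		return errors.New(v.Name + ": generator is not on the curve")
	}
	// Hasse: |p + 1 - n| <= 2*sqrt(p), checked exactly as (p+1-n)^2 <= 4p.
	tr := new(big.Int).Add(p, big.NewInt(1))
	tr.Sub(tr, n)
	if tr.Mul(tr, tr).Cmp(new(big.Int).Lsh(p, 2)) > 0 {
		return errors.New(v.Name + ": n violates the Hasse bound")
	}
	return nil
}

// checkOrder confirms n is the order of G with a reference implementation:
// (n-1)*G must equal -G = (Gx, p-Gy). Using n-1 rather than n sidesteps
// how the library encodes the point at infinity.
func checkOrder(curve elliptic.Curve, v curveVector) error {
	if err := validateCurve(v); err != nil {
		return err
	}
	p, _ := hexInt(v.P)
	gx, _ := hexInt(v.Gx)
	gy, _ := hexInt(v.Gy)
	n, _ := hexInt(v.N)
	x, y := curve.ScalarBaseMult(new(big.Int).Sub(n, big.NewInt(1)).Bytes())
	if x.Cmp(gx) != 0 || y.Cmp(new(big.Int).Sub(p, gy)) != 0 {
		return errors.New(v.Name + ": (n-1)*G != -G, so n is not the order of G")
	}
	return nil
}

func main() {
	fmt.Println(validateCurve(p256), checkOrder(elliptic.P256(), p256))
}
```

The Hasse check is deliberately done on squares rather than with an integer square root so that no rounding slack is needed; a vector whose n is off by one from the real group order still passes Hasse and the generator test, which is why the reference scalar multiplication in `checkOrder` is the check that actually pins down n.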
|
| |
|
|
|
|
|
|
|
|
|
| |
Since the wycheproof tests were written in Java, they inherited some of
that language's weirdnesses. For example, the hex representation may have
odd length, is two's complement and needs zero-padding if the top bit of a
nibble is set, similar to ASN.1 integers.
This is needed for correctly decoding the Primality test cases, which
worked nicely in v0 but no longer for v1. Convert the Primality test
to use this.
There's more work needed here since some of the tests are designed to
test the signing side of things, where we only verify. To be dealt with
later.
This excludes the bitcoin tests since our ECDSA_verify() doesn't have the
logic to enforce s < order / 2 to avoid the well-known malleability issue
with secp256k1 that (r, s) is valid if and only if (r, order - s) is valid.
Moreover, add a workaround for overly picky P1363 tests where only
correctly padded P1363 signatures are accepted. As the test authors say
"To our knowledge no standard (i.e., IEEE P1363 or RFC 7515) requires any
explicit checks of the signature size during signature verification."
In fact, the problem really is in the test code, not in libcrypto, and
is a bit annoying to fix in a non-silly way.
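
Both behaviours the excluded and worked-around tests probe, shown in an added Go example that is not part of the commit or of LibreSSL: `demo` signs with a fresh P-256 key and confirms that (r, s) and (r, n - s) both verify and that exactly one of them is low-S; `decodeP1363Strict` and `verifyStrict` implement the strict fixed-size r||s parsing and the low-S rule as a layer above the standard library, which enforces neither. P-256 stands in for secp256k1 because the Go standard library does not implement the latter; the malleability argument is the same for any odd group order. All function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// isLowS reports whether s is in [1, (n-1)/2]. Because n is odd, exactly
// one of s and n-s satisfies this, which is what makes low-S canonical.
func isLowS(s, n *big.Int) bool {
	half := new(big.Int).Rsh(n, 1) // (n-1)/2 for odd n
	return s.Sign() > 0 && s.Cmp(half) <= 0
}

// malleate returns the other s value that verifies with the same r.
func malleate(s, n *big.Int) *big.Int {
	return new(big.Int).Sub(n, s)
}

// encodeP1363 writes r||s with each integer padded to the byte length of
// the group order, the only form the strict test files accept.
func encodeP1363(r, s, n *big.Int) []byte {
	size := (n.BitLen() + 7) / 8
	out := make([]byte, 2*size)
	r.FillBytes(out[:size])
	s.FillBytes(out[size:])
	return out
}

// decodeP1363Strict accepts exactly 2*size bytes and r, s in [1, n-1].
func decodeP1363Strict(sig []byte, n *big.Int) (r, s *big.Int, err error) {
	size := (n.BitLen() + 7) / 8
	if len(sig) != 2*size {
		return nil, nil, fmt.Errorf("p1363: got %d bytes, want %d", len(sig), 2*size)
	}
	r = new(big.Int).SetBytes(sig[:size])
	s = new(big.Int).SetBytes(sig[size:])
	if r.Sign() == 0 || r.Cmp(n) >= 0 || s.Sign() == 0 || s.Cmp(n) >= 0 {
		return nil, nil, errors.New("p1363: r or s out of range")
	}
	return r, s, nil
}

// verifyStrict layers the two policies on top of plain ECDSA verification:
// strict P1363 length and low-S only. ecdsa.Verify enforces neither.
func verifyStrict(pub *ecdsa.PublicKey, hash, sig []byte) error {
	n := pub.Params().N
	r, s, err := decodeP1363Strict(sig, n)
	if err != nil {
		return err
	}
	if !isLowS(s, n) {
		return errors.New("high-S signature rejected")
	}
	if !ecdsa.Verify(pub, hash, r, s) {
		return errors.New("signature does not verify")
	}
	return nil
}

// demo signs a constructed message with a fresh P-256 key and reports
// whether both (r, s) and (r, n-s) verify and whether exactly one of them
// is low-S.
func demo() (bothVerify, exactlyOneLow bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	h := sha256.Sum256([]byte("constructed message"))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return false, false, err
	}
	n := priv.Params().N
	s2 := malleate(s, n)
	bothVerify = ecdsa.Verify(&priv.PublicKey, h[:], r, s) &&
		ecdsa.Verify(&priv.PublicKey, h[:], r, s2)
	exactlyOneLow = isLowS(s, n) != isLowS(s2, n)
	return bothVerify, exactlyOneLow, nil
}

func main() {
	fmt.Println(demo())
}
```

A verifier that only wants the strict-length behaviour for the P1363 files can keep `decodeP1363Strict` and drop the low-S branch; the two policies are independent, and mixing them up is how a harness ends up rejecting a perfectly valid non-bitcoin signature.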
eddsa_test.json is now ed25519_test.json and again key* was renamed to
PublicKey*.
key* are now called PublicKey*, so change the json tags accordingly.
This is straightforward since the schema did not change. This adds
coverage for HMAC-SHA512/224 and HMAC-SHA512/256.
The version is passed to the test runner, so it can unmarshal the v0
and v1 JSON as appropriate later on.
In https://github.com/C2SP/wycheproof/pull/169, upstream removed the
testvector/ path, thereby creating the need to migrate if we want to
benefit from future changes and tests. While this has been around for
a very long time and generally provided more and better coverage, there
never was sufficient motivation to do so.
As a first step, change use of the testVectorPath constant to use of
a path variable so we can switch the tests one by one by appending _v1
when appropriate.
While it may be acceptable for Go to fill regular users' homedirs with a
compiler cache that is unable to deal with corruption and full disks,
this is terrible for people running regress as root since the cache can
quickly grow to hundreds of megs and can thus result in all sorts of hilarity
below /root. Move the GOCACHE under ${.OBJDIR} and use a cleanup target to
get rid of it again. This makes these tests a bit slower for regular users
as well, but so be it. Let's see how this goes before I switch libtls to
the same model.
discussed with claudio and jsing
This needs quite a bit of cleanup but let's have some tests rather than
none.
The hex decoding is only done from the JSON files provided by the
wycheproof-testvectors package. Failure is always fatal. So there
is no need for repeated error checks, and we can use an ergonomic
wrapper.
Also rework the calculation of the message digest from input data;
this had a similar deficit.
All in all this shaves off about 10% of the code and removes a lot
of tedious repetition.
This simplifies and unifies a lot of error messages.
The determination of the test group type and the JSON unmarshalling can be
done before the closure without performance impact. This is more readable
and eliminates the need of a temporary variable again.
Suggested by jsing
This factors another ugly switch into a helper function. This should
probably become a map eventually, but for now keep things straightforward.