From: Loup Vaillant <loup@loup-vaillant.fr>
Date: Sat, 16 Jun 2018 10:29:34 +0000 (+0200)
Subject: Improved the test suite
X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=9469dba309872e58c733e679f39a03aa4719b8d4;p=Monocypher.git

Improved the test suite

The test suite has been trimmed down a little, and improved a bit.  The
main goal was to have the TIS interpreter to run the entire test suite
in less than 20 hours, so I (and others) could realistically run it on
each new release.

- We now have much less Argon2i test vectors.  Only those at block size
  boundaries have been kept (for instance, it is important that we test
  both below and above 512 blocks, and below and above 64 bytes hashes,
  to hit all code paths.

- X25519 test vectors have been cut in half.  We have official test
  vectors and the Monte Carlo test already, we don't need too many
  vectors.  The main advantage here is to reduce the size of the test
  vector header file.

- The tests for chacha20_set_ctr() explore the test space more
  efficiently.

- The comparison between crypto_argon2i() and crypto_argon2i_general()
  is no longer repeated 128 times.

- The overlap tests for Argon2i have been cut down, and the overlap
  space has been reduced to compensate (so we're still sure there will
  be lots of overlap).

- The incremental tests for Blake2b and SHA-512 were cut down to a
  number of iterations, and total message size, that is *not* a multiple
  of a block length, so tests can fail more reliably if the MIN() macro
  has an error.

- The roundtrip tests for EdDSA have now been cut down, and try several
  message sizes as well.

- The random tests for EdDSA (which are mostly meant to test what
  happens when the point is outside the curve), have beet cut down (from
  1000 to 100), and try several message sizes as well.
---

diff --git a/tests/gen/argon2i.c b/tests/gen/argon2i.c
index 108c021..328c94a 100644
--- a/tests/gen/argon2i.c
+++ b/tests/gen/argon2i.c
@@ -30,8 +30,8 @@ void test(size_t nb_blocks, size_t hash_size, size_t nb_iterations)
 int main(void)
 {
     SODIUM_INIT;
-    FOR (nb_blocks    , 384, 640) { test(nb_blocks, 32       , 3            ); }
-    FOR (hash_size    ,  16, 256) { test(8        , hash_size, 3            ); }
-    FOR (nb_iterations,   3,  10) { test(8        , 32       , nb_iterations); }
+    FOR (nb_blocks    , 508, 516) { test(nb_blocks, 32       , 3            ); }
+    FOR (hash_size    ,  63,  65) { test(8        , hash_size, 3            ); }
+    FOR (nb_iterations,   3,   6) { test(8        , 32       , nb_iterations); }
     return 0;
 }
diff --git a/tests/gen/x25519.c b/tests/gen/x25519.c
index a44c002..5c66b5c 100644
--- a/tests/gen/x25519.c
+++ b/tests/gen/x25519.c
@@ -27,6 +27,6 @@ void test()
 int main(void)
 {
     SODIUM_INIT;
-    FOR (i, 0, 100) { test(); }
+    FOR (i, 0, 50) { test(); }
     return 0;
 }
diff --git a/tests/test.c b/tests/test.c
index 6081766..fdee2bb 100644
--- a/tests/test.c
+++ b/tests/test.c
@@ -340,20 +340,19 @@ static int p_chacha20_set_ctr()
 {
 #define STREAM_SIZE (CHACHA_BLOCK_SIZE * CHACHA_NB_BLOCKS)
     int status = 0;
-    FOR (i, 0, 1000) {
+    FOR (i, 0, CHACHA_NB_BLOCKS) {
         u8 output_part[STREAM_SIZE    ];
         u8 output_all [STREAM_SIZE    ];
         u8 output_more[STREAM_SIZE * 2];
         RANDOM_INPUT(key  , 32);
         RANDOM_INPUT(nonce, 8);
-        u64 ctr      = rand64() % CHACHA_NB_BLOCKS;
-        size_t limit = ctr * CHACHA_BLOCK_SIZE;
+        size_t limit = i * CHACHA_BLOCK_SIZE;
         // Encrypt all at once
         crypto_chacha_ctx ctx;
         crypto_chacha20_init(&ctx, key, nonce);
         crypto_chacha20_stream(&ctx, output_all, STREAM_SIZE);
         // Encrypt second part
-        crypto_chacha20_set_ctr(&ctx, ctr);
+        crypto_chacha20_set_ctr(&ctx, i);
         crypto_chacha20_stream(&ctx, output_part + limit, STREAM_SIZE - limit);
         // Encrypt first part
         crypto_chacha20_set_ctr(&ctx, 0);
@@ -362,7 +361,7 @@ static int p_chacha20_set_ctr()
         status |= memcmp(output_part, output_all, STREAM_SIZE);
 
         // Encrypt before the begining
-        crypto_chacha20_set_ctr(&ctx, -ctr);
+        crypto_chacha20_set_ctr(&ctx, -i);
         crypto_chacha20_stream(&ctx,
                                output_more + STREAM_SIZE - limit,
                                STREAM_SIZE + limit);
@@ -430,7 +429,7 @@ static int p_poly1305_overlap()
 static int p_blake2b()
 {
 #undef INPUT_SIZE
-#define INPUT_SIZE (BLAKE2B_BLOCK_SIZE * 4) // total input size
+#define INPUT_SIZE (BLAKE2B_BLOCK_SIZE * 4 - 32) // total input size
     int status = 0;
     FOR (i, 0, INPUT_SIZE) {
         // outputs
@@ -478,7 +477,7 @@ static int p_blake2b_overlap()
 static int p_sha512()
 {
 #undef INPUT_SIZE
-#define INPUT_SIZE (SHA_512_BLOCK_SIZE * 4) // total input size
+#define INPUT_SIZE (SHA_512_BLOCK_SIZE * 4 - 32) // total input size
     int status = 0;
     FOR (i, 0, INPUT_SIZE) {
         // outputs
@@ -525,16 +524,14 @@ static int p_argon2i_easy()
 {
     int   status    = 0;
     void *work_area = alloc(8 * 1024);
-    FOR (i, 0, 128) {
-        RANDOM_INPUT(password , 32);
-        RANDOM_INPUT(salt     , 16);
-        u8 hash_general[32];
-        u8 hash_easy   [32];
-        crypto_argon2i_general(hash_general, 32, work_area, 8, 1,
-                               password, 32, salt, 16, 0, 0, 0, 0);
-        crypto_argon2i(hash_easy, 32, work_area, 8, 1, password, 32, salt, 16);
-        status |= memcmp(hash_general, hash_easy, 32);
-   }
+    RANDOM_INPUT(password , 32);
+    RANDOM_INPUT(salt     , 16);
+    u8 hash_general[32];
+    u8 hash_easy   [32];
+    crypto_argon2i_general(hash_general, 32, work_area, 8, 1,
+                           password, 32, salt, 16, 0, 0, 0, 0);
+    crypto_argon2i(hash_easy, 32, work_area, 8, 1, password, 32, salt, 16);
+    status |= memcmp(hash_general, hash_easy, 32);
     free(work_area);
     printf("%s: Argon2i (easy interface)\n", status != 0 ? "FAILED" : "OK");
     return status;
@@ -545,12 +542,12 @@ static int p_argon2i_overlap()
     int status          = 0;
     u8 *work_area       = (u8*)alloc(8 * 1024);
     u8 *clean_work_area = (u8*)alloc(8 * 1024);
-    FOR (i, 0, 128) {
+    FOR (i, 0, 10) {
         p_random(work_area, 8 * 1024);
-        u32 pass_offset = rand64() % 128;
-        u32 salt_offset = rand64() % 128;
-        u32 key_offset  = rand64() % 128;
-        u32 ad_offset   = rand64() % 128;
+        u32 pass_offset = rand64() % 64;
+        u32 salt_offset = rand64() % 64;
+        u32 key_offset  = rand64() % 64;
+        u32 ad_offset   = rand64() % 64;
         u8 hash1[32];
         u8 hash2[32];
         u8 pass [16];  FOR (i, 0, 16) { pass[i] = work_area[i + pass_offset]; }
@@ -575,14 +572,14 @@ static int p_argon2i_overlap()
 
 static int p_eddsa_roundtrip()
 {
-#define MESSAGE_SIZE 32
+#define MESSAGE_SIZE 30
     int status = 0;
-    FOR (i, 0, 1000) {
+    FOR (i, 0, MESSAGE_SIZE) {
         RANDOM_INPUT(message, MESSAGE_SIZE);
         RANDOM_INPUT(sk, 32);
-        u8 pk       [32];  crypto_sign_public_key(pk, sk);
-        u8 signature[64];  crypto_sign(signature, sk, pk, message, MESSAGE_SIZE);
-        status |= crypto_check(signature, pk, message, MESSAGE_SIZE);
+        u8 pk       [32]; crypto_sign_public_key(pk, sk);
+        u8 signature[64]; crypto_sign(signature, sk, pk, message, i);
+        status |= crypto_check(signature, pk, message, i);
     }
     printf("%s: EdDSA (roundtrip)\n", status != 0 ? "FAILED" : "OK");
     return status;
@@ -594,11 +591,11 @@ static int p_eddsa_roundtrip()
 static int p_eddsa_random()
 {
     int status = 0;
-    RANDOM_INPUT(message, MESSAGE_SIZE);
-    FOR (i, 0, 1000) {
+    FOR (i, 0, 100) {
+        RANDOM_INPUT(message, i);
         RANDOM_INPUT(pk, 32);
         RANDOM_INPUT(signature , 64);
-        status |= ~crypto_check(signature, pk, message, MESSAGE_SIZE);
+        status |= ~crypto_check(signature, pk, message, i);
     }
     printf("%s: EdDSA (random)\n", status != 0 ? "FAILED" : "OK");
     return status;