From bb4493a7cd07adf85452fd551be54b47d4416a32 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Thu, 16 Jun 2022 11:47:27 +0200
Subject: [PATCH] tests: add X25519 low order point tests
---
 testdata/testkit/{bad_hmac => hmac_bad} | 0
 ...lid_characters => stanza_valid_characters} | 6 ++-
 testdata/testkit/x25519_identity | 10 +++++
 testdata/testkit/x25519_low_order | 10 +++++
 tests/{bad_hmac.go => hmac_bad.go} | 0
 ...aracters.go => stanza_valid_characters.go} | 5 ++-
 tests/x25519_identity.go | 34 +++++++++++++++++
 tests/x25519_low_order.go | 38 +++++++++++++++++++
 8 files changed, 99 insertions(+), 4 deletions(-)
 rename testdata/testkit/{bad_hmac => hmac_bad} (100%)
 rename testdata/testkit/{valid_characters => stanza_valid_characters} (69%)
 create mode 100644 testdata/testkit/x25519_identity
 create mode 100644 testdata/testkit/x25519_low_order
 rename tests/{bad_hmac.go => hmac_bad.go} (100%)
 rename tests/{valid_characters.go => stanza_valid_characters.go} (78%)
 create mode 100644 tests/x25519_identity.go
 create mode 100644 tests/x25519_low_order.go
diff --git a/testdata/testkit/bad_hmac b/testdata/testkit/hmac_bad
similarity index 100%
rename from testdata/testkit/bad_hmac
rename to testdata/testkit/hmac_bad
diff --git a/testdata/testkit/valid_characters b/testdata/testkit/stanza_valid_characters
similarity index 69%
rename from testdata/testkit/valid_characters
rename to testdata/testkit/stanza_valid_characters
index 0c88a6e..c506f30 100644
--- a/testdata/testkit/valid_characters
+++ b/testdata/testkit/stanza_valid_characters
@@ -4,9 +4,11 @@ file key: 59454c4c4f57205355424d4152494e45
 identity: AGE-SECRET-KEY-1XMWWC06LY3EE5RYTXM9MFLAZ2U56JJJ36S0MYPDRWSVLUL66MV4QX3S7F6
 
 age-encryption.org/v1
--> !"#$%&' ()*+,-./ 01234567 89:;<=>? @ABCDEFG HIJKLMNO PQRSTUVW XYZ[\]^_ `abcdefg hijklmno pqrstuvw xyz{|}~
+-> !"#$%&' ()*+,-./ 01234567 89:;<=>? @ABCDEFG HIJKLMNO
+
+-> PQRSTUVW XYZ[\]^_ `abcdefg hijklmno pqrstuvw xyz{|}~
 
 -> X25519 TEiF0ypqr+bpvcqXNyCVJpL7OuwPdVwPL7KQEbFDOCc
 EmECAEcKN+n/Vs9SbWiV+Hu0r+E8R77DdWYyd83nw7U
---- XdSsgCFKtyPBxU0ard+ElUYUfOp6XQtDhzDGFUCLbjo
+--- x538z9xJq9XEK1aTTTv80aWDVvVdROvaXn2tpqXPC8g
 îÏbÇΑ´3'NhÔòùL·L[þ÷¾ªRÈð¼™,ƒ1ûf
\ No newline at end of file
diff --git a/testdata/testkit/x25519_identity b/testdata/testkit/x25519_identity
new file mode 100644
index 0000000..eb254e7
--- /dev/null
+++ b/testdata/testkit/x25519_identity
@@ -0,0 +1,10 @@
+expect: header failure
+file key: 59454c4c4f57205355424d4152494e45
+identity: AGE-SECRET-KEY-1EGTZVFFV20835NWYV6270LXYVK2VKNX2MMDKWYKLMGR48UAWX40Q2P2LM0
+comment: the X25519 share is a low-order point, so the shared secret is the disallowed all-zero value
+
+age-encryption.org/v1
+-> X25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+W3E/OCRme9TiTY97JoK31Z71arNur77WIIdB90XnN3M
+--- Pne3IPMDvBj7wRbPMcNViffpVZAx814tgMxp8AwyMhs
+¬]?7åPqÓ¦ F—¹ •Â÷õÛ®è zŒ(rŠóÎ|
\ No newline at end of file
diff --git a/testdata/testkit/x25519_low_order b/testdata/testkit/x25519_low_order
new file mode 100644
index 0000000..84e9fa3
--- /dev/null
+++ b/testdata/testkit/x25519_low_order
@@ -0,0 +1,10 @@
+expect: header failure
+file key: 59454c4c4f57205355424d4152494e45
+identity: AGE-SECRET-KEY-1EGTZVFFV20835NWYV6270LXYVK2VKNX2MMDKWYKLMGR48UAWX40Q2P2LM0
+comment: the X25519 share is a low-order point, so the shared secret is the disallowed all-zero value
+
+age-encryption.org/v1
+-> X25519 X5yVvKNQjCSx0LFVnIPvWwREXMRYHI6G2CJO3dCfEdc
+3E0NpFans/m0WLWF7+54ZBdNj3iqQqpraGDFiaRkvBA
+--- sXw327YMT1/ULXe+ZyRMbMY0Z2jnWHGgI9j1we6yQ8A
+¬]?7åPqÓ¦ F—¹ •Â÷õÛ®è zŒ(rŠóÎ|
\ No newline at end of file
diff --git a/tests/bad_hmac.go b/tests/hmac_bad.go
similarity index 100%
rename from tests/bad_hmac.go
rename to tests/hmac_bad.go
diff --git a/tests/valid_characters.go b/tests/stanza_valid_characters.go
similarity index 78%
rename from tests/valid_characters.go
rename to tests/stanza_valid_characters.go
index b617d69..049c683 100644
--- a/tests/valid_characters.go
+++ b/tests/stanza_valid_characters.go
@@ -11,8 +11,9 @@ import "filippo.io/age/internal/testkit"
 func main() {
 f := testkit.NewTestFile()
 f.VersionLine("v1")
- f.ArgsLine("!\"#$%&'", "()*+,-./", "01234567", "89:;<=>?", "@ABCDEFG",
- "HIJKLMNO", "PQRSTUVW", "XYZ[\\]^_", "`abcdefg", "hijklmno", "pqrstuvw", "xyz{|}~")
+ f.ArgsLine("!\"#$%&'", "()*+,-./", "01234567", "89:;<=>?", "@ABCDEFG", "HIJKLMNO")
+ f.Body([]byte(""))
+ f.ArgsLine("PQRSTUVW", "XYZ[\\]^_", "`abcdefg", "hijklmno", "pqrstuvw", "xyz{|}~")
 f.Body([]byte(""))
 f.X25519(testkit.TestX25519Recipient)
 f.HMAC()
diff --git a/tests/x25519_identity.go b/tests/x25519_identity.go
new file mode 100644
index 0000000..be8e531
--- /dev/null
+++ b/tests/x25519_identity.go
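Review bot: The split of the printable-ASCII argument set into two stanzas in tests/stanza_valid_characters.go carries no comment saying why, and neither the file rename nor the commit message explains it, so a later maintainer regenerating the fixture cannot tell whether the split exists to respect an args-line length limit, to exercise multi-stanza parsing, or for some other reason. A one-line comment above the first new `f.ArgsLine(...)` call, e.g. `// Spread the printable ASCII range over two stanzas so that <reason>.` with the actual reason filled in, would keep the fixture self-explaining. The body of `main` continues past the end of the hunk.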
@@ -0,0 +1,34 @@
+// Copyright 2022 The age Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build ignore
+
+package main
+
+import (
+ "crypto/sha256"
+ "encoding/base64"
+
+ "filippo.io/age/internal/testkit"
+ "golang.org/x/crypto/curve25519"
+ "golang.org/x/crypto/hkdf"
+)
+
+func main() {
+ f := testkit.NewTestFile()
+ f.VersionLine("v1")
+ f.X25519RecordIdentity(testkit.TestX25519Identity)
+ share := make([]byte, curve25519.PointSize)
+ f.ArgsLine("X25519", base64.RawStdEncoding.EncodeToString(share))
+ secret := make([]byte, curve25519.PointSize)
+ key := make([]byte, 32)
+ hkdf.New(sha256.New, secret, append(share, testkit.TestX25519Recipient...),
+ []byte("age-encryption.org/v1/X25519")).Read(key)
+ f.AEADBody(key, testkit.TestFileKey)
+ f.HMAC()
+ f.Payload("age")
+ f.ExpectHeaderFailure()
+ f.Comment("the X25519 share is a low-order point, so the shared secret is the disallowed all-zero value")
+ f.Generate()
+}
diff --git a/tests/x25519_low_order.go b/tests/x25519_low_order.go
new file mode 100644
index 0000000..fbc374a
--- /dev/null
+++ b/tests/x25519_low_order.go
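Review bot: The `hkdf.New(...).Read(key)` statement just before `f.AEADBody` discards both the byte count and the error, so a short or failed read would leave part of `key` zero and the generator would silently emit a fixture whose body is wrapped under the wrong key, which a "header failure" expectation would never reveal. Prefer `if _, err := io.ReadFull(hkdf.New(sha256.New, secret, append(share, testkit.TestX25519Recipient...), []byte("age-encryption.org/v1/X25519")), key); err != nil { panic(err) }` with `"io"` added to the import block; the same pattern is in tests/x25519_low_order.go in the next hunk. The line `secret := make([]byte, curve25519.PointSize)` also deserves a why-comment, since a reader may take the zero buffer for a placeholder rather than the point of the test: `// All-zero shared secret: what a decryptor that does not reject low-order points would derive, so the body unwraps only if that check is missing.`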
@@ -0,0 +1,38 @@
+// Copyright 2022 The age Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build ignore
+
+package main
+
+import (
+ "crypto/sha256"
+ "encoding/base64"
+
+ "filippo.io/age/internal/testkit"
+ "golang.org/x/crypto/curve25519"
+ "golang.org/x/crypto/hkdf"
+)
+
+func main() {
+ f := testkit.NewTestFile()
+ f.VersionLine("v1")
+ f.X25519RecordIdentity(testkit.TestX25519Identity)
+ // Point of order 8 on Curve25519, chosen to be the least likely to be
+ // flagged by hardcoded list exclusions.
+ share := []byte{0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0,
+ 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c,
+ 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7}
+ f.ArgsLine("X25519", base64.RawStdEncoding.EncodeToString(share))
+ secret := make([]byte, curve25519.PointSize)
+ key := make([]byte, 32)
+ hkdf.New(sha256.New, secret, append(share, testkit.TestX25519Recipient...),
+ []byte("age-encryption.org/v1/X25519")).Read(key)
+ f.AEADBody(key, testkit.TestFileKey)
+ f.HMAC()
+ f.Payload("age")
+ f.ExpectHeaderFailure()
+ f.Comment("the X25519 share is a low-order point, so the shared secret is the disallowed all-zero value")
+ f.Generate()
+}
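Review bot: The comment above `share` says the point was "chosen to be the least likely to be flagged by hardcoded list exclusions" but not what property makes it so, which is the one thing a maintainer needs when deciding whether the fixture still tests what it was meant to. The final byte `0xd7` has its top bit set, and since X25519 per RFC 7748 masks the most significant bit of the u-coordinate, this looks like the non-canonical encoding of an order-8 point whose canonical form (last byte `0x57`) is what blocklists usually carry; if that is the intent, say so, e.g. `// Non-canonical encoding (top bit set) of an order-8 point: X25519 masks that bit, so it decodes to a low-order point that a blocklist of canonical encodings would miss.` Stating this also makes explicit why the fixture expects the decryptor to reject the all-zero shared secret rather than rely on an encoding blocklist.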