bool unit_test_onetimeauth(){
// Global length
uint64_t len = HACL_UNIT_TESTS_SIZE * sizeof(uint8_t);
// Scratch buffers
uint8_t hacl_mac[POLY_MACSIZE], expected_mac[POLY_MACSIZE], key[POLY_KEYSIZE];
uint8_t *plaintext = malloc(HACL_UNIT_TESTS_SIZE * sizeof (uint8_t));
// Initializing random plaintext
READ_RANDOM_BYTES(HACL_UNIT_TESTS_SIZE, plaintext);
// Tests
int a;
bool pass = true;
for (int i = 0; i < 3 * POLY_BLOCKSIZE; i++){
// Testing crypto_onetimeauth on different length
tweet_crypto_onetimeauth(expected_mac, plaintext, i, key);
crypto_onetimeauth(hacl_mac, plaintext, i, key);
a = memcmp(hacl_mac, expected_mac, 16 * sizeof (uint8_t));
if (a != 0){
pass = false;
printf("Poly1305 failed on input of size %d\n.", i);
break;
}
// Testing crypto_onetimeauth verify on different length
a = crypto_onetimeauth_verify(hacl_mac, plaintext, i, key);
if (a != 0){
pass = false;
printf("Poly1305 verify failed on input of size %d\n.", i);
break;
}
hacl_mac[i%16] = ~(hacl_mac[i%16]);
// Testing crypto_onetimeauth proper failure on different length
a = crypto_onetimeauth_verify(hacl_mac, plaintext, i, key);
if (a == 0){
pass = false;
printf("Poly1305 verify fail failed on input of size %d\n.", i);
break;
}
}
tweet_crypto_onetimeauth(expected_mac, plaintext, HACL_UNIT_TESTS_SIZE, key);
crypto_onetimeauth(hacl_mac, plaintext, HACL_UNIT_TESTS_SIZE, key);
a = memcmp(hacl_mac, expected_mac, 16 * sizeof (uint8_t));
if (a != 0){
pass = false;
printf("Poly1305 failed on input of size %d\n.", HACL_UNIT_TESTS_SIZE);
}
free(plaintext);
return pass;
}
static nif_term_t
salt_onetimeauth(nif_heap_t *hp, int argc, const nif_term_t argv[])
{
/* salt_onetimeauth(Message, Secret_key) -> Authenticator. */
nif_bin_t ms;
nif_bin_t sk;
nif_bin_t au;
if (argc != 2)
return (BADARG);
/* Unpack arguments ensuring they're suitably typed. */
if (! enif_inspect_iolist_as_binary(hp, argv[0], &ms))
return (BADARG);
if (! enif_inspect_binary(hp, argv[1], &sk))
return (BADARG);
/* Check constraints on size. */
if (ms.size < 1 || ms.size > SALT_MAX_MESSAGE_SIZE)
return (BADARG);
if (sk.size != crypto_onetimeauth_KEYBYTES)
return (BADARG);
/* Allocate space for authenticator. NB: Passing ENOMEM as BADARG. */
if (! enif_alloc_binary(crypto_onetimeauth_BYTES, &au))
return (BADARG);
(void)crypto_onetimeauth(au.data, ms.data, ms.size, sk.data);
return (enif_make_binary(hp, &au));
}
int main(void)
{
int clen;
for (clen = 0; clen < 10000; ++clen) {
randombytes_buf(key, sizeof key);
randombytes_buf(c, clen);
crypto_onetimeauth(a, c, clen, key);
if (crypto_onetimeauth_verify(a, c, clen, key) != 0) {
printf("fail %d\n", clen);
return 100;
}
if (clen > 0) {
c[rand() % clen] += 1 + (rand() % 255);
if (crypto_onetimeauth_verify(a, c, clen, key) == 0) {
printf("forgery %d\n", clen);
return 100;
}
a[rand() % sizeof a] += 1 + (rand() % 255);
if (crypto_onetimeauth_verify(a, c, clen, key) == 0) {
printf("forgery %d\n", clen);
return 100;
}
}
}
return 0;
}
lob_t remote_encrypt(remote_t remote, local_t local, lob_t inner)
{
uint8_t secret[crypto_box_BEFORENMBYTES], nonce[24], shared[24+crypto_box_BEFORENMBYTES], hash[32], csid = 0x3a;
lob_t outer;
size_t inner_len;
outer = lob_new();
lob_head(outer,&csid,1);
inner_len = lob_len(inner);
if(!lob_body(outer,NULL,32+24+inner_len+crypto_secretbox_MACBYTES+16)) return lob_free(outer);
// copy in the ephemeral public key/nonce
memcpy(outer->body, remote->ekey, 32);
randombytes(nonce,24);
memcpy(outer->body+32, nonce, 24);
// get the shared secret to create the nonce+key for the open aes
crypto_box_beforenm(secret, remote->key, remote->esecret);
// encrypt the inner
if(crypto_secretbox_easy(outer->body+32+24,
lob_raw(inner),
inner_len,
nonce,
secret) != 0) return lob_free(outer);
// generate secret for hmac
crypto_box_beforenm(secret, remote->key, local->secret);
memcpy(shared,nonce,24);
memcpy(shared+24,secret,crypto_box_BEFORENMBYTES);
e3x_hash(shared,24+crypto_box_BEFORENMBYTES,hash);
crypto_onetimeauth(outer->body+32+24+inner_len+crypto_secretbox_MACBYTES, outer->body, outer->body_len-16, hash);
return outer;
}
void speed_poly1305()
{
unsigned long long t[NTIMINGS];
unsigned char m[1024];
unsigned char out[16];
int i;
for(i=0;i<NTIMINGS;i++)
{
t[i] = cpucycles();
crypto_onetimeauth(out,m,8,key);
}
print_bench("poly1305 (8 bytes)",t,NTIMINGS);
for(i=0;i<NTIMINGS;i++)
{
t[i] = cpucycles();
crypto_onetimeauth(out,m,64,key);
}
print_bench("poly1305 (64 bytes)",t,NTIMINGS);
for(i=0;i<NTIMINGS;i++)
{
t[i] = cpucycles();
crypto_onetimeauth(out,m,576,key);
}
print_bench("poly1305 (576 bytes)",t,NTIMINGS);
for(i=0;i<NTIMINGS;i++)
{
t[i] = cpucycles();
crypto_onetimeauth(out,m,1024,key);
}
print_bench("poly1305 (1024 bytes)",t,NTIMINGS);
for(i=0;i<NTIMINGS;i++)
{
t[i] = cpucycles();
crypto_onetimeauth(out,m,2048,key);
}
print_bench("poly1305 (2048 bytes)",t,NTIMINGS);
}
int main(void)
{
int i;
crypto_onetimeauth(a, c, 131, rs);
for (i = 0; i < 16; ++i) {
printf(",0x%02x", (unsigned int)a[i]);
if (i % 8 == 7)
printf("\n");
}
assert(crypto_onetimeauth_bytes() > 0U);
assert(crypto_onetimeauth_keybytes() > 0U);
assert(strcmp(crypto_onetimeauth_primitive(), "poly1305") == 0);
assert(crypto_onetimeauth_poly1305_bytes() == crypto_onetimeauth_bytes());
assert(crypto_onetimeauth_poly1305_keybytes()
== crypto_onetimeauth_keybytes());
return 0;
}
static void
mm_onetimeauth(void)
{
crypto_onetimeauth_state st;
unsigned char *h, *h2;
unsigned char *k;
unsigned char *m;
size_t mlen;
size_t l1, l2;
int i;
for (i = 0; i < MAX_ITER; i++) {
mlen = randombytes_uniform(MAXLEN);
m = (unsigned char *) sodium_malloc(mlen);
k = (unsigned char *) sodium_malloc(crypto_onetimeauth_KEYBYTES);
h = (unsigned char *) sodium_malloc(crypto_onetimeauth_BYTES);
h2 = (unsigned char *) sodium_malloc(crypto_onetimeauth_BYTES);
crypto_onetimeauth_keygen(k);
randombytes_buf(m, mlen);
crypto_onetimeauth_init(&st, k);
l1 = randombytes_uniform(mlen);
l2 = randombytes_uniform(mlen - l1);
crypto_onetimeauth_update(&st, m, l1);
crypto_onetimeauth_update(&st, m + l1, l2);
crypto_onetimeauth_update(&st, m + l1 + l2, mlen - l1 - l2);
crypto_onetimeauth_final(&st, h);
crypto_onetimeauth(h2, m, mlen, k);
assert(memcmp(h, h2, crypto_onetimeauth_BYTES) == 0);
sodium_free(h2);
sodium_free(h);
sodium_free(k);
sodium_free(m);
}
}
/**
* @brief ChaCha-AVX data encryption
* @see el_chacha_avx_create_key()
* @see el_chacha_avx_decrypt_data()
* @param key The key generated by el_chacha_avx_create_key()
* @param out Output buffer containing the encrypted data
* @param in Input buffer containing the plain-text data
* @param in_len The size of the plain-text data buffer
* @return The size of encrypted data buffer (output) or -1 on error
*/
int el_chacha_avx_encrypt_data(
const unsigned char *key,
unsigned char *out,
const unsigned char *in,
size_t in_len) {
unsigned char a[crypto_onetimeauth_KEYBYTES];
unsigned char n[CHACHA_AVX_CRYPTO_NONCEBYTES];
/* XXX: Get rid of openssl from chacha_avx code asap */
if (!RAND_bytes(n, CHACHA_AVX_CRYPTO_NONCEBYTES))
return -1;
if (chacha_avx_crypto_stream_xor(out + CHACHA_AVX_CRYPTO_NONCEBYTES + crypto_onetimeauth_KEYBYTES, in, in_len, n, key) < 0)
return -2;
if (crypto_onetimeauth(a, out + CHACHA_AVX_CRYPTO_NONCEBYTES + crypto_onetimeauth_KEYBYTES, in_len, key) < 0)
return -3;
memcpy(out, n, CHACHA_AVX_CRYPTO_NONCEBYTES);
memcpy(out + CHACHA_AVX_CRYPTO_NONCEBYTES, a, crypto_onetimeauth_KEYBYTES);
return in_len + CHACHA_AVX_CRYPTO_NONCEBYTES + crypto_onetimeauth_KEYBYTES;
}
int crypto_onetimeauth_verify(const unsigned char *h,const unsigned char *in,unsigned int inlen,const unsigned char *k)
{
unsigned char correct[16];
crypto_onetimeauth(correct,in,inlen,k);
return crypto_verify_16(h,correct);
}
int ss_onetimeauth(char *auth, char *msg, int msg_len)
{
return crypto_onetimeauth((uint8_t *)auth, (uint8_t *)msg, msg_len, auth_key);
}
static const char *
checksum_compute(void)
{
long long i;
long long j;
for (i = 0;i < CHECKSUM_BYTES;++i) {
long long mlen = i;
long long klen = crypto_onetimeauth_KEYBYTES;
long long hlen = crypto_onetimeauth_BYTES;
for (j = -16;j < 0;++j) h[j] = rand();
for (j = -16;j < 0;++j) k[j] = rand();
for (j = -16;j < 0;++j) m[j] = rand();
for (j = hlen;j < hlen + 16;++j) h[j] = rand();
for (j = klen;j < klen + 16;++j) k[j] = rand();
for (j = mlen;j < mlen + 16;++j) m[j] = rand();
for (j = -16;j < hlen + 16;++j) h2[j] = h[j];
for (j = -16;j < klen + 16;++j) k2[j] = k[j];
for (j = -16;j < mlen + 16;++j) m2[j] = m[j];
if (crypto_onetimeauth(h,m,mlen,k) != 0) return "crypto_onetimeauth returns nonzero";
for (j = -16;j < klen + 16;++j) if (k[j] != k2[j]) return "crypto_onetimeauth overwrites k";
for (j = -16;j < mlen + 16;++j) if (m[j] != m2[j]) return "crypto_onetimeauth overwrites m";
for (j = -16;j < 0;++j) if (h[j] != h2[j]) return "crypto_onetimeauth writes before output";
for (j = hlen;j < hlen + 16;++j) if (h[j] != h2[j]) return "crypto_onetimeauth writes after output";
for (j = -16;j < 0;++j) h[j] = rand();
for (j = -16;j < 0;++j) k[j] = rand();
for (j = -16;j < 0;++j) m[j] = rand();
for (j = hlen;j < hlen + 16;++j) h[j] = rand();
for (j = klen;j < klen + 16;++j) k[j] = rand();
for (j = mlen;j < mlen + 16;++j) m[j] = rand();
for (j = -16;j < hlen + 16;++j) h2[j] = h[j];
for (j = -16;j < klen + 16;++j) k2[j] = k[j];
for (j = -16;j < mlen + 16;++j) m2[j] = m[j];
if (crypto_onetimeauth(m2,m2,mlen,k) != 0) return "crypto_onetimeauth returns nonzero";
for (j = 0;j < hlen;++j) if (m2[j] != h[j]) return "crypto_onetimeauth does not handle m overlap";
for (j = 0;j < hlen;++j) m2[j] = m[j];
if (crypto_onetimeauth(k2,m2,mlen,k2) != 0) return "crypto_onetimeauth returns nonzero";
for (j = 0;j < hlen;++j) if (k2[j] != h[j]) return "crypto_onetimeauth does not handle k overlap";
for (j = 0;j < hlen;++j) k2[j] = k[j];
if (crypto_onetimeauth_verify(h,m,mlen,k) != 0) return "crypto_onetimeauth_verify returns nonzero";
for (j = -16;j < hlen + 16;++j) if (h[j] != h2[j]) return "crypto_onetimeauth overwrites h";
for (j = -16;j < klen + 16;++j) if (k[j] != k2[j]) return "crypto_onetimeauth overwrites k";
for (j = -16;j < mlen + 16;++j) if (m[j] != m2[j]) return "crypto_onetimeauth overwrites m";
crypto_hash_sha256(h2,h,hlen);
for (j = 0;j < klen;++j) k[j] ^= h2[j % 32];
if (crypto_onetimeauth(h,m,mlen,k) != 0) return "crypto_onetimeauth returns nonzero";
if (crypto_onetimeauth_verify(h,m,mlen,k) != 0) return "crypto_onetimeauth_verify returns nonzero";
crypto_hash_sha256(h2,h,hlen);
for (j = 0;j < mlen;++j) m[j] ^= h2[j % 32];
m[mlen] = h2[0];
}
if (crypto_onetimeauth(h,m,CHECKSUM_BYTES,k) != 0) return "crypto_onetimeauth returns nonzero";
if (crypto_onetimeauth_verify(h,m,CHECKSUM_BYTES,k) != 0) return "crypto_onetimeauth_verify returns nonzero";
sodium_bin2hex(checksum, sizeof checksum, h, crypto_onetimeauth_BYTES);
return NULL;
}
