int main(void)
{
size_t clen;
for (clen = 0; clen < 10000; ++clen) {
randombytes_buf(key, sizeof key);
randombytes_buf(c, clen);
crypto_auth(a, c, clen, key);
if (crypto_auth_verify(a, c, clen, key) != 0) {
printf("fail %u\n", (unsigned int) clen);
return 100;
}
if (clen > 0) {
c[rand() % clen] += 1 + (rand() % 255);
if (crypto_auth_verify(a, c, clen, key) == 0) {
printf("forgery %u\n", (unsigned int) clen);
return 100;
}
a[rand() % sizeof a] += 1 + (rand() % 255);
if (crypto_auth_verify(a, c, clen, key) == 0) {
printf("forgery %u\n", (unsigned int) clen);
return 100;
}
}
}
return 0;
}
void measure(void)
{
int i;
int loop;
int mlen;
for (loop = 0;loop < LOOPS;++loop) {
for (mlen = 0;mlen <= MAXTEST_BYTES;mlen += 1 + mlen / MGAP) {
randombytes(k,crypto_auth_KEYBYTES);
randombytes(m,mlen);
randombytes(h,crypto_auth_BYTES);
for (i = 0;i <= TIMINGS;++i) {
cycles[i] = cpucycles();
crypto_auth(h,m,mlen,k);
}
for (i = 0;i < TIMINGS;++i) cycles[i] = cycles[i + 1] - cycles[i];
printentry(mlen,"cycles",cycles,TIMINGS);
for (i = 0;i <= TIMINGS;++i) {
cycles[i] = cpucycles();
crypto_auth_verify(h,m,mlen,k);
}
for (i = 0;i < TIMINGS;++i) cycles[i] = cycles[i + 1] - cycles[i];
printentry(mlen,"verify_cycles",cycles,TIMINGS);
}
}
}
i64 packet_verify(u8 *output, u8 *key, u8 *signed_data, i64 signed_size) {
u8 authorization[SIGN_BYTES];
if (!output || !key || !signed_data ||
signed_size < (IPV4_AND_UDP_HEADER_SIZE + SIGN_BYTES)) {
return -1;
}
//copy tag from signed packet
memcpy(authorization, signed_data + IPV4_AND_UDP_HEADER_SIZE, SIGN_BYTES);
//reconstruct original packet without tag
memcpy(output, signed_data, IPV4_AND_UDP_HEADER_SIZE);
memcpy(output + IPV4_AND_UDP_HEADER_SIZE,
signed_data + IPV4_AND_UDP_HEADER_SIZE + SIGN_BYTES,
signed_size - IPV4_AND_UDP_HEADER_SIZE - SIGN_BYTES);
if(crypto_auth_verify(authorization, output, signed_size - SIGN_BYTES, key)) {
return -1;
}
return signed_size - SIGN_BYTES;
}
static nif_term_t
salt_auth_verify(nif_heap_t *hp, int argc, const nif_term_t argv[])
{
/* salt_auth_verify(Authenticator, Message, Secret_key) -> authenticated | forged_or_garbled. */
nif_bin_t au;
nif_bin_t ms;
nif_bin_t sk;
if (argc != 3)
return (BADARG);
/* Unpack arguments ensuring they're suitably typed. */
if (! enif_inspect_binary(hp, argv[0], &au))
return (BADARG);
if (! enif_inspect_iolist_as_binary(hp, argv[1], &ms))
return (BADARG);
if (! enif_inspect_binary(hp, argv[2], &sk))
return (BADARG);
/* Check constraints on size. */
if (au.size != crypto_auth_BYTES)
return (BADARG);
if (ms.size < 1 || ms.size > SALT_MAX_MESSAGE_SIZE)
return (BADARG);
if (sk.size != crypto_auth_KEYBYTES)
return (BADARG);
/* Perform the crypto. */
if (crypto_auth_verify(au.data, ms.data, ms.size, sk.data) != 0)
return (enif_make_atom(hp, "forged_or_garbled"));
return (enif_make_atom(hp, "authenticated"));
}
const char *checksum_compute(void)
{
long long i;
long long j;
for (i = 0; i < CHECKSUM_BYTES; ++i) {
long long mlen = i;
long long klen = crypto_auth_KEYBYTES;
long long hlen = crypto_auth_BYTES;
for (j = -16; j < 0; ++j) h[j] = rand();
for (j = -16; j < 0; ++j) k[j] = rand();
for (j = -16; j < 0; ++j) m[j] = rand();
for (j = hlen; j < hlen + 16; ++j) h[j] = rand();
for (j = klen; j < klen + 16; ++j) k[j] = rand();
for (j = mlen; j < mlen + 16; ++j) m[j] = rand();
for (j = -16; j < hlen + 16; ++j) h2[j] = h[j];
for (j = -16; j < klen + 16; ++j) k2[j] = k[j];
for (j = -16; j < mlen + 16; ++j) m2[j] = m[j];
if (crypto_auth(h,m,mlen,k) != 0) return "crypto_auth returns nonzero";
for (j = -16; j < klen + 16; ++j) if (k[j] != k2[j]) return "crypto_auth overwrites k";
for (j = -16; j < mlen + 16; ++j) if (m[j] != m2[j]) return "crypto_auth overwrites m";
for (j = -16; j < 0; ++j) if (h[j] != h2[j]) return "crypto_auth writes before output";
for (j = hlen; j < hlen + 16; ++j) if (h[j] != h2[j]) return "crypto_auth writes after output";
for (j = -16; j < 0; ++j) h[j] = rand();
for (j = -16; j < 0; ++j) k[j] = rand();
for (j = -16; j < 0; ++j) m[j] = rand();
for (j = hlen; j < hlen + 16; ++j) h[j] = rand();
for (j = klen; j < klen + 16; ++j) k[j] = rand();
for (j = mlen; j < mlen + 16; ++j) m[j] = rand();
for (j = -16; j < hlen + 16; ++j) h2[j] = h[j];
for (j = -16; j < klen + 16; ++j) k2[j] = k[j];
for (j = -16; j < mlen + 16; ++j) m2[j] = m[j];
if (crypto_auth(m2,m2,mlen,k) != 0) return "crypto_auth returns nonzero";
for (j = 0; j < hlen; ++j) if (m2[j] != h[j]) return "crypto_auth does not handle m overlap";
for (j = 0; j < hlen; ++j) m2[j] = m[j];
if (crypto_auth(k2,m2,mlen,k2) != 0) return "crypto_auth returns nonzero";
for (j = 0; j < hlen; ++j) if (k2[j] != h[j]) return "crypto_auth does not handle k overlap";
for (j = 0; j < hlen; ++j) k2[j] = k[j];
if (crypto_auth_verify(h,m,mlen,k) != 0) return "crypto_auth_verify returns nonzero";
for (j = -16; j < hlen + 16; ++j) if (h[j] != h2[j]) return "crypto_auth overwrites h";
for (j = -16; j < klen + 16; ++j) if (k[j] != k2[j]) return "crypto_auth overwrites k";
for (j = -16; j < mlen + 16; ++j) if (m[j] != m2[j]) return "crypto_auth overwrites m";
crypto_hash_sha256(h2,h,hlen);
for (j = 0; j < klen; ++j) k[j] ^= h2[j % 32];
if (crypto_auth(h,m,mlen,k) != 0) return "crypto_auth returns nonzero";
if (crypto_auth_verify(h,m,mlen,k) != 0) return "crypto_auth_verify returns nonzero";
crypto_hash_sha256(h2,h,hlen);
for (j = 0; j < mlen; ++j) m[j] ^= h2[j % 32];
m[mlen] = h2[0];
}
if (crypto_auth(h,m,CHECKSUM_BYTES,k) != 0) return "crypto_auth returns nonzero";
if (crypto_auth_verify(h,m,CHECKSUM_BYTES,k) != 0) return "crypto_auth_verify returns nonzero";
sodium_bin2hex(checksum, sizeof checksum, h, crypto_auth_BYTES);
return 0;
}
void doit(void)
{
crypto_auth(h,m,TUNE_BYTES,k);
crypto_auth_verify(h,m,TUNE_BYTES,k);
}
