bool unit_test_onetimeauth(){ // Global length uint64_t len = HACL_UNIT_TESTS_SIZE * sizeof(uint8_t); // Scratch buffers uint8_t hacl_mac[POLY_MACSIZE], expected_mac[POLY_MACSIZE], key[POLY_KEYSIZE]; uint8_t *plaintext = malloc(HACL_UNIT_TESTS_SIZE * sizeof (uint8_t)); // Initializing random plaintext READ_RANDOM_BYTES(HACL_UNIT_TESTS_SIZE, plaintext); // Tests int a; bool pass = true; for (int i = 0; i < 3 * POLY_BLOCKSIZE; i++){ // Testing crypto_onetimeauth on different length tweet_crypto_onetimeauth(expected_mac, plaintext, i, key); crypto_onetimeauth(hacl_mac, plaintext, i, key); a = memcmp(hacl_mac, expected_mac, 16 * sizeof (uint8_t)); if (a != 0){ pass = false; printf("Poly1305 failed on input of size %d\n.", i); break; } // Testing crypto_onetimeauth verify on different length a = crypto_onetimeauth_verify(hacl_mac, plaintext, i, key); if (a != 0){ pass = false; printf("Poly1305 verify failed on input of size %d\n.", i); break; } hacl_mac[i%16] = ~(hacl_mac[i%16]); // Testing crypto_onetimeauth proper failure on different length a = crypto_onetimeauth_verify(hacl_mac, plaintext, i, key); if (a == 0){ pass = false; printf("Poly1305 verify fail failed on input of size %d\n.", i); break; } } tweet_crypto_onetimeauth(expected_mac, plaintext, HACL_UNIT_TESTS_SIZE, key); crypto_onetimeauth(hacl_mac, plaintext, HACL_UNIT_TESTS_SIZE, key); a = memcmp(hacl_mac, expected_mac, 16 * sizeof (uint8_t)); if (a != 0){ pass = false; printf("Poly1305 failed on input of size %d\n.", HACL_UNIT_TESTS_SIZE); } free(plaintext); return pass; }
static nif_term_t salt_onetimeauth(nif_heap_t *hp, int argc, const nif_term_t argv[]) { /* salt_onetimeauth(Message, Secret_key) -> Authenticator. */ nif_bin_t ms; nif_bin_t sk; nif_bin_t au; if (argc != 2) return (BADARG); /* Unpack arguments ensuring they're suitably typed. */ if (! enif_inspect_iolist_as_binary(hp, argv[0], &ms)) return (BADARG); if (! enif_inspect_binary(hp, argv[1], &sk)) return (BADARG); /* Check constraints on size. */ if (ms.size < 1 || ms.size > SALT_MAX_MESSAGE_SIZE) return (BADARG); if (sk.size != crypto_onetimeauth_KEYBYTES) return (BADARG); /* Allocate space for authenticator. NB: Passing ENOMEM as BADARG. */ if (! enif_alloc_binary(crypto_onetimeauth_BYTES, &au)) return (BADARG); (void)crypto_onetimeauth(au.data, ms.data, ms.size, sk.data); return (enif_make_binary(hp, &au)); }
int main(void) { int clen; for (clen = 0; clen < 10000; ++clen) { randombytes_buf(key, sizeof key); randombytes_buf(c, clen); crypto_onetimeauth(a, c, clen, key); if (crypto_onetimeauth_verify(a, c, clen, key) != 0) { printf("fail %d\n", clen); return 100; } if (clen > 0) { c[rand() % clen] += 1 + (rand() % 255); if (crypto_onetimeauth_verify(a, c, clen, key) == 0) { printf("forgery %d\n", clen); return 100; } a[rand() % sizeof a] += 1 + (rand() % 255); if (crypto_onetimeauth_verify(a, c, clen, key) == 0) { printf("forgery %d\n", clen); return 100; } } } return 0; }
lob_t remote_encrypt(remote_t remote, local_t local, lob_t inner) { uint8_t secret[crypto_box_BEFORENMBYTES], nonce[24], shared[24+crypto_box_BEFORENMBYTES], hash[32], csid = 0x3a; lob_t outer; size_t inner_len; outer = lob_new(); lob_head(outer,&csid,1); inner_len = lob_len(inner); if(!lob_body(outer,NULL,32+24+inner_len+crypto_secretbox_MACBYTES+16)) return lob_free(outer); // copy in the ephemeral public key/nonce memcpy(outer->body, remote->ekey, 32); randombytes(nonce,24); memcpy(outer->body+32, nonce, 24); // get the shared secret to create the nonce+key for the open aes crypto_box_beforenm(secret, remote->key, remote->esecret); // encrypt the inner if(crypto_secretbox_easy(outer->body+32+24, lob_raw(inner), inner_len, nonce, secret) != 0) return lob_free(outer); // generate secret for hmac crypto_box_beforenm(secret, remote->key, local->secret); memcpy(shared,nonce,24); memcpy(shared+24,secret,crypto_box_BEFORENMBYTES); e3x_hash(shared,24+crypto_box_BEFORENMBYTES,hash); crypto_onetimeauth(outer->body+32+24+inner_len+crypto_secretbox_MACBYTES, outer->body, outer->body_len-16, hash); return outer; }
void speed_poly1305() { unsigned long long t[NTIMINGS]; unsigned char m[1024]; unsigned char out[16]; int i; for(i=0;i<NTIMINGS;i++) { t[i] = cpucycles(); crypto_onetimeauth(out,m,8,key); } print_bench("poly1305 (8 bytes)",t,NTIMINGS); for(i=0;i<NTIMINGS;i++) { t[i] = cpucycles(); crypto_onetimeauth(out,m,64,key); } print_bench("poly1305 (64 bytes)",t,NTIMINGS); for(i=0;i<NTIMINGS;i++) { t[i] = cpucycles(); crypto_onetimeauth(out,m,576,key); } print_bench("poly1305 (576 bytes)",t,NTIMINGS); for(i=0;i<NTIMINGS;i++) { t[i] = cpucycles(); crypto_onetimeauth(out,m,1024,key); } print_bench("poly1305 (1024 bytes)",t,NTIMINGS); for(i=0;i<NTIMINGS;i++) { t[i] = cpucycles(); crypto_onetimeauth(out,m,2048,key); } print_bench("poly1305 (2048 bytes)",t,NTIMINGS); }
int main(void) { int i; crypto_onetimeauth(a, c, 131, rs); for (i = 0; i < 16; ++i) { printf(",0x%02x", (unsigned int)a[i]); if (i % 8 == 7) printf("\n"); } assert(crypto_onetimeauth_bytes() > 0U); assert(crypto_onetimeauth_keybytes() > 0U); assert(strcmp(crypto_onetimeauth_primitive(), "poly1305") == 0); assert(crypto_onetimeauth_poly1305_bytes() == crypto_onetimeauth_bytes()); assert(crypto_onetimeauth_poly1305_keybytes() == crypto_onetimeauth_keybytes()); return 0; }
static void mm_onetimeauth(void) { crypto_onetimeauth_state st; unsigned char *h, *h2; unsigned char *k; unsigned char *m; size_t mlen; size_t l1, l2; int i; for (i = 0; i < MAX_ITER; i++) { mlen = randombytes_uniform(MAXLEN); m = (unsigned char *) sodium_malloc(mlen); k = (unsigned char *) sodium_malloc(crypto_onetimeauth_KEYBYTES); h = (unsigned char *) sodium_malloc(crypto_onetimeauth_BYTES); h2 = (unsigned char *) sodium_malloc(crypto_onetimeauth_BYTES); crypto_onetimeauth_keygen(k); randombytes_buf(m, mlen); crypto_onetimeauth_init(&st, k); l1 = randombytes_uniform(mlen); l2 = randombytes_uniform(mlen - l1); crypto_onetimeauth_update(&st, m, l1); crypto_onetimeauth_update(&st, m + l1, l2); crypto_onetimeauth_update(&st, m + l1 + l2, mlen - l1 - l2); crypto_onetimeauth_final(&st, h); crypto_onetimeauth(h2, m, mlen, k); assert(memcmp(h, h2, crypto_onetimeauth_BYTES) == 0); sodium_free(h2); sodium_free(h); sodium_free(k); sodium_free(m); } }
/** * @brief ChaCha-AVX data encryption * @see el_chacha_avx_create_key() * @see el_chacha_avx_decrypt_data() * @param key The key generated by el_chacha_avx_create_key() * @param out Output buffer containing the encrypted data * @param in Input buffer containing the plain-text data * @param in_len The size of the plain-text data buffer * @return The size of encrypted data buffer (output) or -1 on error */ int el_chacha_avx_encrypt_data( const unsigned char *key, unsigned char *out, const unsigned char *in, size_t in_len) { unsigned char a[crypto_onetimeauth_KEYBYTES]; unsigned char n[CHACHA_AVX_CRYPTO_NONCEBYTES]; /* XXX: Get rid of openssl from chacha_avx code asap */ if (!RAND_bytes(n, CHACHA_AVX_CRYPTO_NONCEBYTES)) return -1; if (chacha_avx_crypto_stream_xor(out + CHACHA_AVX_CRYPTO_NONCEBYTES + crypto_onetimeauth_KEYBYTES, in, in_len, n, key) < 0) return -2; if (crypto_onetimeauth(a, out + CHACHA_AVX_CRYPTO_NONCEBYTES + crypto_onetimeauth_KEYBYTES, in_len, key) < 0) return -3; memcpy(out, n, CHACHA_AVX_CRYPTO_NONCEBYTES); memcpy(out + CHACHA_AVX_CRYPTO_NONCEBYTES, a, crypto_onetimeauth_KEYBYTES); return in_len + CHACHA_AVX_CRYPTO_NONCEBYTES + crypto_onetimeauth_KEYBYTES; }
int crypto_onetimeauth_verify(const unsigned char *h,const unsigned char *in,unsigned int inlen,const unsigned char *k) { unsigned char correct[16]; crypto_onetimeauth(correct,in,inlen,k); return crypto_verify_16(h,correct); }
int ss_onetimeauth(char *auth, char *msg, int msg_len) { return crypto_onetimeauth((uint8_t *)auth, (uint8_t *)msg, msg_len, auth_key); }
static const char * checksum_compute(void) { long long i; long long j; for (i = 0;i < CHECKSUM_BYTES;++i) { long long mlen = i; long long klen = crypto_onetimeauth_KEYBYTES; long long hlen = crypto_onetimeauth_BYTES; for (j = -16;j < 0;++j) h[j] = rand(); for (j = -16;j < 0;++j) k[j] = rand(); for (j = -16;j < 0;++j) m[j] = rand(); for (j = hlen;j < hlen + 16;++j) h[j] = rand(); for (j = klen;j < klen + 16;++j) k[j] = rand(); for (j = mlen;j < mlen + 16;++j) m[j] = rand(); for (j = -16;j < hlen + 16;++j) h2[j] = h[j]; for (j = -16;j < klen + 16;++j) k2[j] = k[j]; for (j = -16;j < mlen + 16;++j) m2[j] = m[j]; if (crypto_onetimeauth(h,m,mlen,k) != 0) return "crypto_onetimeauth returns nonzero"; for (j = -16;j < klen + 16;++j) if (k[j] != k2[j]) return "crypto_onetimeauth overwrites k"; for (j = -16;j < mlen + 16;++j) if (m[j] != m2[j]) return "crypto_onetimeauth overwrites m"; for (j = -16;j < 0;++j) if (h[j] != h2[j]) return "crypto_onetimeauth writes before output"; for (j = hlen;j < hlen + 16;++j) if (h[j] != h2[j]) return "crypto_onetimeauth writes after output"; for (j = -16;j < 0;++j) h[j] = rand(); for (j = -16;j < 0;++j) k[j] = rand(); for (j = -16;j < 0;++j) m[j] = rand(); for (j = hlen;j < hlen + 16;++j) h[j] = rand(); for (j = klen;j < klen + 16;++j) k[j] = rand(); for (j = mlen;j < mlen + 16;++j) m[j] = rand(); for (j = -16;j < hlen + 16;++j) h2[j] = h[j]; for (j = -16;j < klen + 16;++j) k2[j] = k[j]; for (j = -16;j < mlen + 16;++j) m2[j] = m[j]; if (crypto_onetimeauth(m2,m2,mlen,k) != 0) return "crypto_onetimeauth returns nonzero"; for (j = 0;j < hlen;++j) if (m2[j] != h[j]) return "crypto_onetimeauth does not handle m overlap"; for (j = 0;j < hlen;++j) m2[j] = m[j]; if (crypto_onetimeauth(k2,m2,mlen,k2) != 0) return "crypto_onetimeauth returns nonzero"; for (j = 0;j < hlen;++j) if (k2[j] != h[j]) return "crypto_onetimeauth does not handle k overlap"; for (j = 0;j < hlen;++j) k2[j] = k[j]; if (crypto_onetimeauth_verify(h,m,mlen,k) != 0) return "crypto_onetimeauth_verify returns nonzero"; for (j = -16;j < hlen + 16;++j) if (h[j] != h2[j]) return "crypto_onetimeauth overwrites h"; for (j = -16;j < klen + 16;++j) if (k[j] != k2[j]) return "crypto_onetimeauth overwrites k"; for (j = -16;j < mlen + 16;++j) if (m[j] != m2[j]) return "crypto_onetimeauth overwrites m"; crypto_hash_sha256(h2,h,hlen); for (j = 0;j < klen;++j) k[j] ^= h2[j % 32]; if (crypto_onetimeauth(h,m,mlen,k) != 0) return "crypto_onetimeauth returns nonzero"; if (crypto_onetimeauth_verify(h,m,mlen,k) != 0) return "crypto_onetimeauth_verify returns nonzero"; crypto_hash_sha256(h2,h,hlen); for (j = 0;j < mlen;++j) m[j] ^= h2[j % 32]; m[mlen] = h2[0]; } if (crypto_onetimeauth(h,m,CHECKSUM_BYTES,k) != 0) return "crypto_onetimeauth returns nonzero"; if (crypto_onetimeauth_verify(h,m,CHECKSUM_BYTES,k) != 0) return "crypto_onetimeauth_verify returns nonzero"; sodium_bin2hex(checksum, sizeof checksum, h, crypto_onetimeauth_BYTES); return NULL; }