src/libsodium/crypto_secretbox/try.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

/*
 * crypto_secretbox/try.c version 20090118
 * D. J. Bernstein
 * Public domain.
 */

#include <stdlib.h>
#include "crypto_secretbox.h"
#include "utils.h"
#include "windows/windows-quirks.h"

extern unsigned char *alignedcalloc(unsigned long long);

const char *primitiveimplementation = crypto_secretbox_IMPLEMENTATION;

#define MAXTEST_BYTES 10000
#define CHECKSUM_BYTES 4096
#define TUNE_BYTES 1536

static unsigned char *k;
static unsigned char *n;
static unsigned char *m;
static unsigned char *c;
static unsigned char *t;
static unsigned char *k2;
static unsigned char *n2;
static unsigned char *m2;
static unsigned char *c2;
static unsigned char *t2;

#define klen crypto_secretbox_KEYBYTES
#define nlen crypto_secretbox_NONCEBYTES

void preallocate(void)
{
}

void allocate(void)
{
  k = alignedcalloc(klen);
  n = alignedcalloc(nlen);
  m = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
  c = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
  t = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
  k2 = alignedcalloc(klen);
  n2 = alignedcalloc(nlen);
  m2 = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
  c2 = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
  t2 = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
}

void predoit(void)
{
}

void doit(void)
{
  crypto_secretbox(c,m,TUNE_BYTES + crypto_secretbox_ZEROBYTES,n,k);
  crypto_secretbox_open(t,c,TUNE_BYTES + crypto_secretbox_ZEROBYTES,n,k);
}

char checksum[klen * 2 + 1];

const char *checksum_compute(void)
{
  long long i;
  long long j;

  for (j = 0;j < crypto_secretbox_ZEROBYTES;++j) m[j] = 0;

  for (i = 0;i < CHECKSUM_BYTES;++i) {
    long long mlen = i + crypto_secretbox_ZEROBYTES;
    long long tlen = i + crypto_secretbox_ZEROBYTES;
    long long clen = i + crypto_secretbox_ZEROBYTES;

    for (j = -16;j < 0;++j) k[j] = rand();
    for (j = -16;j < 0;++j) n[j] = rand();
    for (j = -16;j < 0;++j) m[j] = rand();
    for (j = klen;j < klen + 16;++j) k[j] = rand();
    for (j = nlen;j < nlen + 16;++j) n[j] = rand();
    for (j = mlen;j < mlen + 16;++j) m[j] = rand();
    for (j = -16;j < klen + 16;++j) k2[j] = k[j];
    for (j = -16;j < nlen + 16;++j) n2[j] = n[j];
    for (j = -16;j < mlen + 16;++j) m2[j] = m[j];
    for (j = -16;j < clen + 16;++j) c2[j] = c[j] = rand();

    if (crypto_secretbox(c,m,mlen,n,k) != 0) return "crypto_secretbox returns nonzero";

    for (j = -16;j < mlen + 16;++j) if (m2[j] != m[j]) return "crypto_secretbox overwrites m";
    for (j = -16;j < nlen + 16;++j) if (n2[j] != n[j]) return "crypto_secretbox overwrites n";
    for (j = -16;j < klen + 16;++j) if (k2[j] != k[j]) return "crypto_secretbox overwrites k";
    for (j = -16;j < 0;++j) if (c2[j] != c[j]) return "crypto_secretbox writes before output";
    for (j = clen;j < clen + 16;++j) if (c2[j] != c[j]) return "crypto_secretbox writes after output";
    for (j = 0;j < crypto_secretbox_BOXZEROBYTES;++j)
      if (c[j] != 0) return "crypto_secretbox does not clear extra bytes";

    for (j = -16;j < 0;++j) c[j] = rand();
    for (j = clen;j < clen + 16;++j) c[j] = rand();
    for (j = -16;j < clen + 16;++j) c2[j] = c[j];
    for (j = -16;j < tlen + 16;++j) t2[j] = t[j] = rand();

    if (crypto_secretbox_open(t,c,clen,n,k) != 0) return "crypto_secretbox_open returns nonzero";

    for (j = -16;j < clen + 16;++j) if (c2[j] != c[j]) return "crypto_secretbox_open overwrites c";
    for (j = -16;j < nlen + 16;++j) if (n2[j] != n[j]) return "crypto_secretbox_open overwrites n";
    for (j = -16;j < klen + 16;++j) if (k2[j] != k[j]) return "crypto_secretbox_open overwrites k";
    for (j = -16;j < 0;++j) if (t2[j] != t[j]) return "crypto_secretbox_open writes before output";
    for (j = tlen;j < tlen + 16;++j) if (t2[j] != t[j]) return "crypto_secretbox_open writes after output";
    for (j = 0;j < crypto_secretbox_ZEROBYTES;++j)
      if (t[j] != 0) return "crypto_secretbox_open does not clear extra bytes";

    for (j = 0;j < i;++j) if (t[j] != m[j]) return "plaintext does not match";

    for (j = 0;j < i;++j)
      k[j % klen] ^= c[j + crypto_secretbox_BOXZEROBYTES];
    crypto_secretbox(c,m,mlen,n,k);
    for (j = 0;j < i;++j)
      n[j % nlen] ^= c[j + crypto_secretbox_BOXZEROBYTES];
    crypto_secretbox(c,m,mlen,n,k);
    if (i == 0) m[crypto_secretbox_ZEROBYTES + 0] = 0;
    m[crypto_secretbox_ZEROBYTES + i] = m[crypto_secretbox_ZEROBYTES + 0];
    for (j = 0;j < i;++j)
      m[j + crypto_secretbox_ZEROBYTES] ^= c[j + crypto_secretbox_BOXZEROBYTES];
  }

  sodium_bin2hex(checksum, sizeof checksum, k, klen);

  return 0;
}