1 /*
2 * crypto_sign/try.c version 20111119
3 * D. J. Bernstein
4 * Public domain.
5 */
6
7 #include <stdlib.h>
8 #include "randombytes.h"
9 #include "crypto_sign.h"
10
11 #define MAXTEST_BYTES 10000
12 #define TUNE_BYTES 1536
13
14 extern unsigned char *alignedcalloc(unsigned long long);
15
16 const char *primitiveimplementation = crypto_sign_IMPLEMENTATION;
17
18 static unsigned char *pk; unsigned long long pklen; static unsigned char *pk2;
19 static unsigned char *sk; unsigned long long sklen; static unsigned char *sk2;
20 static unsigned char *m; unsigned long long mlen; static unsigned char *m2;
21 static unsigned char *sm; unsigned long long smlen; static unsigned char *sm2;
22 static unsigned char *t; unsigned long long tlen; static unsigned char *t2;
23
preallocate(void)24 void preallocate(void)
25 {
26 #ifdef RAND_R_PRNG_NOT_SEEDED
27 RAND_status();
28 #endif
29 }
30
allocate(void)31 void allocate(void)
32 {
33 pk = alignedcalloc(pklen = crypto_sign_PUBLICKEYBYTES);
34 sk = alignedcalloc(sklen = crypto_sign_SECRETKEYBYTES);
35 m = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
36 sm = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
37 t = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
38 pk2 = alignedcalloc(pklen);
39 sk2 = alignedcalloc(sklen);
40 m2 = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
41 sm2 = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
42 t2 = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
43 }
44
predoit(void)45 void predoit(void)
46 {
47 crypto_sign_keypair(pk,sk);
48 mlen = TUNE_BYTES;
49 smlen = 0;
50 }
51
doit(void)52 void doit(void)
53 {
54 randombytes(m,mlen);
55 crypto_sign(sm,&smlen,m,mlen,sk);
56 crypto_sign_open(t,&tlen,sm,smlen,pk);
57 }
58
59 static unsigned char chain[37]; long long chainlen = 37;
60 char checksum[37 * 2 + 1];
61
checksum_compute(void)62 const char *checksum_compute(void)
63 {
64 long long mlen;
65 long long i;
66 long long j;
67 long long loops;
68
69 for (loops = 0;loops < 10;++loops) {
70 for (j = -16;j < 0;++j) sk2[j] = sk[j] = random();
71 for (j = 0;j < sklen + 16;++j) sk2[j] = sk[j] = random();
72 for (j = -16;j < 0;++j) pk2[j] = pk[j] = random();
73 for (j = 0;j < pklen + 16;++j) pk2[j] = pk[j] = random();
74 if (crypto_sign_keypair(pk,sk) != 0) return "crypto_sign_keypair returns nonzero";
75 for (j = -16;j < 0;++j) if (pk[j] != pk2[j]) return "crypto_sign_keypair writes before pk";
76 for (j = pklen;j < pklen + 16;++j) if (pk[j] != pk2[j]) return "crypto_sign_keypair writes after pk";
77 for (j = -16;j < 0;++j) if (sk[j] != sk2[j]) return "crypto_sign_keypair writes before sk";
78 for (j = sklen;j < sklen + 16;++j) if (sk[j] != sk2[j]) return "crypto_sign_keypair writes after sk";
79
80 for (mlen = 0;mlen < MAXTEST_BYTES;mlen += 1 + (mlen / 16)) {
81 for (j = -16;j < 0;++j) m2[j] = m[j] = random();
82 for (j = mlen;j < mlen + 16;++j) m2[j] = m[j] = random();
83 randombytes(m,mlen);
84 if (mlen > 0)
85 for (j = 0;j < chainlen;++j) m[j % mlen] ^= chain[j];
86 for (j = 0;j < mlen;++j) m2[j] = m[j];
87 for (j = -16;j < 0;++j) pk2[j] = pk[j];
88 for (j = 0;j < pklen + 16;++j) pk2[j] = pk[j];
89 for (j = -16;j < 0;++j) sk2[j] = sk[j];
90 for (j = 0;j < sklen + 16;++j) sk2[j] = sk[j];
91 for (j = -16;j < 0;++j) sm2[j] = sm[j] = random();
92 for (j = 0;j < mlen + crypto_sign_BYTES + 16;++j) sm2[j] = sm[j] = random();
93
94 if (crypto_sign(sm,&smlen,m,mlen,sk) != 0) return "crypto_sign returns nonzero";
95 if (smlen > mlen + crypto_sign_BYTES) return "crypto_sign returns more than crypto_sign_BYTES extra bytes";
96 if (smlen == 0) return "crypto_sign returns empty message";
97 for (j = -16;j < 0;++j) if (pk[j] != pk2[j]) return "crypto_sign overwrites pk";
98 for (j = 0;j < pklen + 16;++j) if (pk[j] != pk2[j]) return "crypto_sign overwrites pk";
99 for (j = -16;j < 0;++j) if (sk[j] != sk2[j]) return "crypto_sign overwrites sk";
100 for (j = 0;j < sklen + 16;++j) if (sk[j] != sk2[j]) return "crypto_sign overwrites sk";
101 for (j = -16;j < 0;++j) if (m[j] != m2[j]) return "crypto_sign overwrites m";
102 for (j = 0;j < mlen + 16;++j) if (m[j] != m2[j]) return "crypto_sign overwrites m";
103 for (j = -16;j < 0;++j) if (sm[j] != sm2[j]) return "crypto_sign writes before sm";
104 for (j = smlen;j < smlen + 16;++j) if (sm[j] != sm2[j]) return "crypto_sign writes after sm";
105
106 for (j = 0;j < smlen;++j) chain[j % chainlen] ^= sm[j];
107
108 for (j = -16;j < 0;++j) sm2[j] = sm[j];
109 for (j = 0;j < smlen + 16;++j) sm2[j] = sm[j];
110 for (j = -16;j < 0;++j) t2[j] = t[j] = random();
111 for (j = 0;j < smlen + 16;++j) t2[j] = t[j] = random();
112
113 if (crypto_sign_open(t,&tlen,sm,smlen,pk) != 0) return "crypto_sign_open returns nonzero";
114 if (tlen != mlen) return "crypto_sign_open does not match length";
115 for (i = 0;i < tlen;++i)
116 if (t[i] != m[i])
117 return "crypto_sign_open does not match contents";
118 for (j = -16;j < 0;++j) if (pk[j] != pk2[j]) return "crypto_sign_open overwrites pk";
119 for (j = 0;j < pklen + 16;++j) if (pk[j] != pk2[j]) return "crypto_sign_open overwrites pk";
120 for (j = -16;j < 0;++j) if (sk[j] != sk2[j]) return "crypto_sign_open overwrites sk";
121 for (j = 0;j < sklen + 16;++j) if (sk[j] != sk2[j]) return "crypto_sign_open overwrites sk";
122 for (j = -16;j < 0;++j) if (sm[j] != sm2[j]) return "crypto_sign_open overwrites sm";
123 for (j = 0;j < smlen + 16;++j) if (sm[j] != sm2[j]) return "crypto_sign_open overwrites sm";
124 for (j = -16;j < 0;++j) if (t[j] != t2[j]) return "crypto_sign_open writes before t";
125 for (j = smlen;j < smlen + 16;++j) if (t[j] != t2[j]) return "crypto_sign_open writes after t";
126
127 j = random() % smlen;
128 sm[j] ^= 1;
129 for (j = -16;j < 0;++j) sm2[j] = sm[j];
130 for (j = 0;j < smlen + 16;++j) sm2[j] = sm[j];
131 for (j = -16;j < 0;++j) t2[j] = t[j] = random();
132 for (j = 0;j < smlen + 16;++j) t2[j] = t[j] = random();
133 if (crypto_sign_open(t,&tlen,sm,smlen,pk) == 0) {
134 if (tlen != mlen) return "crypto_sign_open allows trivial forgery of length";
135 for (i = 0;i < tlen;++i)
136 if (t[i] != m[i])
137 return "crypto_sign_open allows trivial forgery of contents";
138 }
139 for (j = -16;j < 0;++j) if (pk[j] != pk2[j]) return "crypto_sign_open overwrites pk";
140 for (j = 0;j < pklen + 16;++j) if (pk[j] != pk2[j]) return "crypto_sign_open overwrites pk";
141 for (j = -16;j < 0;++j) if (sk[j] != sk2[j]) return "crypto_sign_open overwrites sk";
142 for (j = 0;j < sklen + 16;++j) if (sk[j] != sk2[j]) return "crypto_sign_open overwrites sk";
143 for (j = -16;j < 0;++j) if (sm[j] != sm2[j]) return "crypto_sign_open overwrites sm";
144 for (j = 0;j < smlen + 16;++j) if (sm[j] != sm2[j]) return "crypto_sign_open overwrites sm";
145 for (j = -16;j < 0;++j) if (t[j] != t2[j]) return "crypto_sign_open writes before t";
146 for (j = smlen;j < smlen + 16;++j) if (t[j] != t2[j]) return "crypto_sign_open writes after t";
147 sm[j] ^= 1;
148 }
149 }
150
151 for (i = 0;i < chainlen;++i) {
152 checksum[2 * i] = "0123456789abcdef"[15 & (chain[i] >> 4)];
153 checksum[2 * i + 1] = "0123456789abcdef"[15 & chain[i]];
154 }
155 checksum[2 * i] = 0;
156 return 0;
157 }
158