1 /*
2  * crypto_sign/try.c version 20111119
3  * D. J. Bernstein
4  * Public domain.
5  */
6 
7 #include <stdlib.h>
8 #include "randombytes.h"
9 #include "crypto_sign.h"
10 
11 #define MAXTEST_BYTES 10000
12 #define TUNE_BYTES 1536
13 
14 extern unsigned char *alignedcalloc(unsigned long long);
15 
16 const char *primitiveimplementation = crypto_sign_IMPLEMENTATION;
17 
18 static unsigned char *pk; unsigned long long pklen; static unsigned char *pk2;
19 static unsigned char *sk; unsigned long long sklen; static unsigned char *sk2;
20 static unsigned char *m; unsigned long long mlen; static unsigned char *m2;
21 static unsigned char *sm; unsigned long long smlen; static unsigned char *sm2;
22 static unsigned char *t; unsigned long long tlen; static unsigned char *t2;
23 
preallocate(void)24 void preallocate(void)
25 {
26 #ifdef RAND_R_PRNG_NOT_SEEDED
27   RAND_status();
28 #endif
29 }
30 
allocate(void)31 void allocate(void)
32 {
33   pk = alignedcalloc(pklen = crypto_sign_PUBLICKEYBYTES);
34   sk = alignedcalloc(sklen = crypto_sign_SECRETKEYBYTES);
35   m = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
36   sm = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
37   t = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
38   pk2 = alignedcalloc(pklen);
39   sk2 = alignedcalloc(sklen);
40   m2 = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
41   sm2 = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
42   t2 = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
43 }
44 
predoit(void)45 void predoit(void)
46 {
47   crypto_sign_keypair(pk,sk);
48   mlen = TUNE_BYTES;
49   smlen = 0;
50 }
51 
doit(void)52 void doit(void)
53 {
54   randombytes(m,mlen);
55   crypto_sign(sm,&smlen,m,mlen,sk);
56   crypto_sign_open(t,&tlen,sm,smlen,pk);
57 }
58 
59 static unsigned char chain[37]; long long chainlen = 37;
60 char checksum[37 * 2 + 1];
61 
checksum_compute(void)62 const char *checksum_compute(void)
63 {
64   long long mlen;
65   long long i;
66   long long j;
67   long long loops;
68 
69   for (loops = 0;loops < 10;++loops) {
70     for (j = -16;j < 0;++j) sk2[j] = sk[j] = random();
71     for (j = 0;j < sklen + 16;++j) sk2[j] = sk[j] = random();
72     for (j = -16;j < 0;++j) pk2[j] = pk[j] = random();
73     for (j = 0;j < pklen + 16;++j) pk2[j] = pk[j] = random();
74     if (crypto_sign_keypair(pk,sk) != 0) return "crypto_sign_keypair returns nonzero";
75     for (j = -16;j < 0;++j) if (pk[j] != pk2[j]) return "crypto_sign_keypair writes before pk";
76     for (j = pklen;j < pklen + 16;++j) if (pk[j] != pk2[j]) return "crypto_sign_keypair writes after pk";
77     for (j = -16;j < 0;++j) if (sk[j] != sk2[j]) return "crypto_sign_keypair writes before sk";
78     for (j = sklen;j < sklen + 16;++j) if (sk[j] != sk2[j]) return "crypto_sign_keypair writes after sk";
79 
80     for (mlen = 0;mlen < MAXTEST_BYTES;mlen += 1 + (mlen / 16)) {
81       for (j = -16;j < 0;++j) m2[j] = m[j] = random();
82       for (j = mlen;j < mlen + 16;++j) m2[j] = m[j] = random();
83       randombytes(m,mlen);
84       if (mlen > 0)
85         for (j = 0;j < chainlen;++j) m[j % mlen] ^= chain[j];
86       for (j = 0;j < mlen;++j) m2[j] = m[j];
87       for (j = -16;j < 0;++j) pk2[j] = pk[j];
88       for (j = 0;j < pklen + 16;++j) pk2[j] = pk[j];
89       for (j = -16;j < 0;++j) sk2[j] = sk[j];
90       for (j = 0;j < sklen + 16;++j) sk2[j] = sk[j];
91       for (j = -16;j < 0;++j) sm2[j] = sm[j] = random();
92       for (j = 0;j < mlen + crypto_sign_BYTES + 16;++j) sm2[j] = sm[j] = random();
93 
94       if (crypto_sign(sm,&smlen,m,mlen,sk) != 0) return "crypto_sign returns nonzero";
95       if (smlen > mlen + crypto_sign_BYTES) return "crypto_sign returns more than crypto_sign_BYTES extra bytes";
96       if (smlen == 0) return "crypto_sign returns empty message";
97       for (j = -16;j < 0;++j) if (pk[j] != pk2[j]) return "crypto_sign overwrites pk";
98       for (j = 0;j < pklen + 16;++j) if (pk[j] != pk2[j]) return "crypto_sign overwrites pk";
99       for (j = -16;j < 0;++j) if (sk[j] != sk2[j]) return "crypto_sign overwrites sk";
100       for (j = 0;j < sklen + 16;++j) if (sk[j] != sk2[j]) return "crypto_sign overwrites sk";
101       for (j = -16;j < 0;++j) if (m[j] != m2[j]) return "crypto_sign overwrites m";
102       for (j = 0;j < mlen + 16;++j) if (m[j] != m2[j]) return "crypto_sign overwrites m";
103       for (j = -16;j < 0;++j) if (sm[j] != sm2[j]) return "crypto_sign writes before sm";
104       for (j = smlen;j < smlen + 16;++j) if (sm[j] != sm2[j]) return "crypto_sign writes after sm";
105 
106       for (j = 0;j < smlen;++j) chain[j % chainlen] ^= sm[j];
107 
108       for (j = -16;j < 0;++j) sm2[j] = sm[j];
109       for (j = 0;j < smlen + 16;++j) sm2[j] = sm[j];
110       for (j = -16;j < 0;++j) t2[j] = t[j] = random();
111       for (j = 0;j < smlen + 16;++j) t2[j] = t[j] = random();
112 
113       if (crypto_sign_open(t,&tlen,sm,smlen,pk) != 0) return "crypto_sign_open returns nonzero";
114       if (tlen != mlen) return "crypto_sign_open does not match length";
115       for (i = 0;i < tlen;++i)
116         if (t[i] != m[i])
117           return "crypto_sign_open does not match contents";
118       for (j = -16;j < 0;++j) if (pk[j] != pk2[j]) return "crypto_sign_open overwrites pk";
119       for (j = 0;j < pklen + 16;++j) if (pk[j] != pk2[j]) return "crypto_sign_open overwrites pk";
120       for (j = -16;j < 0;++j) if (sk[j] != sk2[j]) return "crypto_sign_open overwrites sk";
121       for (j = 0;j < sklen + 16;++j) if (sk[j] != sk2[j]) return "crypto_sign_open overwrites sk";
122       for (j = -16;j < 0;++j) if (sm[j] != sm2[j]) return "crypto_sign_open overwrites sm";
123       for (j = 0;j < smlen + 16;++j) if (sm[j] != sm2[j]) return "crypto_sign_open overwrites sm";
124       for (j = -16;j < 0;++j) if (t[j] != t2[j]) return "crypto_sign_open writes before t";
125       for (j = smlen;j < smlen + 16;++j) if (t[j] != t2[j]) return "crypto_sign_open writes after t";
126 
127       j = random() % smlen;
128       sm[j] ^= 1;
129       for (j = -16;j < 0;++j) sm2[j] = sm[j];
130       for (j = 0;j < smlen + 16;++j) sm2[j] = sm[j];
131       for (j = -16;j < 0;++j) t2[j] = t[j] = random();
132       for (j = 0;j < smlen + 16;++j) t2[j] = t[j] = random();
133       if (crypto_sign_open(t,&tlen,sm,smlen,pk) == 0) {
134         if (tlen != mlen) return "crypto_sign_open allows trivial forgery of length";
135         for (i = 0;i < tlen;++i)
136           if (t[i] != m[i])
137             return "crypto_sign_open allows trivial forgery of contents";
138       }
139       for (j = -16;j < 0;++j) if (pk[j] != pk2[j]) return "crypto_sign_open overwrites pk";
140       for (j = 0;j < pklen + 16;++j) if (pk[j] != pk2[j]) return "crypto_sign_open overwrites pk";
141       for (j = -16;j < 0;++j) if (sk[j] != sk2[j]) return "crypto_sign_open overwrites sk";
142       for (j = 0;j < sklen + 16;++j) if (sk[j] != sk2[j]) return "crypto_sign_open overwrites sk";
143       for (j = -16;j < 0;++j) if (sm[j] != sm2[j]) return "crypto_sign_open overwrites sm";
144       for (j = 0;j < smlen + 16;++j) if (sm[j] != sm2[j]) return "crypto_sign_open overwrites sm";
145       for (j = -16;j < 0;++j) if (t[j] != t2[j]) return "crypto_sign_open writes before t";
146       for (j = smlen;j < smlen + 16;++j) if (t[j] != t2[j]) return "crypto_sign_open writes after t";
147       sm[j] ^= 1;
148     }
149   }
150 
151   for (i = 0;i < chainlen;++i) {
152     checksum[2 * i] = "0123456789abcdef"[15 & (chain[i] >> 4)];
153     checksum[2 * i + 1] = "0123456789abcdef"[15 & chain[i]];
154   }
155   checksum[2 * i] = 0;
156   return 0;
157 }
158