Path: blob/main/sys/contrib/libsodium/test/default/aead_chacha20poly1305.c
48375 views
1#define TEST_NAME "aead_chacha20poly1305"2#include "cmptest.h"34static int5tv(void)6{7#undef MLEN8#define MLEN 10U9#undef ADLEN10#define ADLEN 10U11#undef CLEN12#define CLEN (MLEN + crypto_aead_chacha20poly1305_ABYTES)13static const unsigned char firstkey[crypto_aead_chacha20poly1305_KEYBYTES]14= { 0x42, 0x90, 0xbc, 0xb1, 0x54, 0x17, 0x35, 0x31, 0xf3, 0x14, 0xaf,150x57, 0xf3, 0xbe, 0x3b, 0x50, 0x06, 0xda, 0x37, 0x1e, 0xce, 0x27,160x2a, 0xfa, 0x1b, 0x5d, 0xbd, 0xd1, 0x10, 0x0a, 0x10, 0x07 };17static const unsigned char m[MLEN]18= { 0x86, 0xd0, 0x99, 0x74, 0x84, 0x0b, 0xde, 0xd2, 0xa5, 0xca };19static const unsigned char nonce[crypto_aead_chacha20poly1305_NPUBBYTES]20= { 0xcd, 0x7c, 0xf6, 0x7b, 0xe3, 0x9c, 0x79, 0x4a };21static const unsigned char ad[ADLEN]22= { 0x87, 0xe2, 0x29, 0xd4, 0x50, 0x08, 0x45, 0xa0, 0x79, 0xc0 };23unsigned char *c = (unsigned char *) sodium_malloc(CLEN);24unsigned char *detached_c = (unsigned char *) sodium_malloc(MLEN);25unsigned char *mac = (unsigned char *) sodium_malloc(crypto_aead_chacha20poly1305_ABYTES);26unsigned char *m2 = (unsigned char *) sodium_malloc(MLEN);27unsigned long long found_clen;28unsigned long long found_maclen;29unsigned long long m2len;30size_t i;3132crypto_aead_chacha20poly1305_encrypt(c, &found_clen, m, MLEN,33ad, ADLEN,34NULL, nonce, firstkey);35if (found_clen != CLEN) {36printf("found_clen is not properly set\n");37}38for (i = 0U; i < CLEN; ++i) {39printf(",0x%02x", (unsigned int) c[i]);40if (i % 8 == 7) {41printf("\n");42}43}44printf("\n");45crypto_aead_chacha20poly1305_encrypt_detached(detached_c,46mac, &found_maclen,47m, MLEN, ad, ADLEN,48NULL, nonce, firstkey);49if (found_maclen != crypto_aead_chacha20poly1305_abytes()) {50printf("found_maclen is not properly set\n");51}52if (memcmp(detached_c, c, MLEN) != 0) {53printf("detached ciphertext is bogus\n");54}5556if (crypto_aead_chacha20poly1305_decrypt(m2, &m2len, NULL, c, CLEN,57ad, ADLEN,58nonce, firstkey) != 0) {59printf("crypto_aead_chacha20poly1305_decrypt() failed\n");60}61if (m2len != MLEN) {62printf("m2len is not properly set\n");63}64if (memcmp(m, m2, MLEN) != 0) {65printf("m != m2\n");66}67memset(m2, 0, m2len);68assert(crypto_aead_chacha20poly1305_decrypt_detached(NULL, NULL,69c, MLEN, mac,70ad, ADLEN,71nonce, firstkey) == 0);72if (crypto_aead_chacha20poly1305_decrypt_detached(m2, NULL,73c, MLEN, mac,74ad, ADLEN,75nonce, firstkey) != 0) {76printf("crypto_aead_chacha20poly1305_decrypt_detached() failed\n");77}78if (memcmp(m, m2, MLEN) != 0) {79printf("detached m != m2\n");80}8182for (i = 0U; i < CLEN; i++) {83c[i] ^= (i + 1U);84if (crypto_aead_chacha20poly1305_decrypt(m2, NULL, NULL, c, CLEN,85ad, ADLEN, nonce, firstkey)86== 0 || memcmp(m, m2, MLEN) == 0) {87printf("message can be forged\n");88}89c[i] ^= (i + 1U);90}9192crypto_aead_chacha20poly1305_encrypt(c, &found_clen, m, MLEN,93NULL, 0U, NULL, nonce, firstkey);94if (found_clen != CLEN) {95printf("found_clen is not properly set (adlen=0)\n");96}97for (i = 0U; i < CLEN; ++i) {98printf(",0x%02x", (unsigned int) c[i]);99if (i % 8 == 7) {100printf("\n");101}102}103printf("\n");104105if (crypto_aead_chacha20poly1305_decrypt(m2, &m2len, NULL, c, CLEN,106NULL, 0U, nonce, firstkey) != 0) {107printf("crypto_aead_chacha20poly1305_decrypt() failed (adlen=0)\n");108}109if (m2len != MLEN) {110printf("m2len is not properly set (adlen=0)\n");111}112if (memcmp(m, m2, MLEN) != 0) {113printf("m != m2 (adlen=0)\n");114}115m2len = 1;116if (crypto_aead_chacha20poly1305_decrypt(117m2, &m2len, NULL, NULL,118randombytes_uniform(crypto_aead_chacha20poly1305_ABYTES),119NULL, 0U, nonce, firstkey) != -1) {120printf("crypto_aead_chacha20poly1305_decrypt() worked with a short "121"ciphertext\n");122}123if (m2len != 0) {124printf("Message length should have been set to zero after a failure\n");125}126m2len = 1;127if (crypto_aead_chacha20poly1305_decrypt(m2, &m2len, NULL, c, 0U, NULL, 0U,128nonce, firstkey) != -1) {129printf("crypto_aead_chacha20poly1305_decrypt() worked with an empty "130"ciphertext\n");131}132if (m2len != 0) {133printf("Message length should have been set to zero after a failure\n");134}135136memcpy(c, m, MLEN);137crypto_aead_chacha20poly1305_encrypt(c, &found_clen, c, MLEN,138NULL, 0U, NULL, nonce, firstkey);139if (found_clen != CLEN) {140printf("found_clen is not properly set (adlen=0)\n");141}142for (i = 0U; i < CLEN; ++i) {143printf(",0x%02x", (unsigned int) c[i]);144if (i % 8 == 7) {145printf("\n");146}147}148printf("\n");149150if (crypto_aead_chacha20poly1305_decrypt(c, &m2len, NULL, c, CLEN,151NULL, 0U, nonce, firstkey) != 0) {152printf("crypto_aead_chacha20poly1305_decrypt() failed (adlen=0)\n");153}154if (m2len != MLEN) {155printf("m2len is not properly set (adlen=0)\n");156}157if (memcmp(m, c, MLEN) != 0) {158printf("m != c (adlen=0)\n");159}160161sodium_free(c);162sodium_free(detached_c);163sodium_free(mac);164sodium_free(m2);165166assert(crypto_aead_chacha20poly1305_keybytes() > 0U);167assert(crypto_aead_chacha20poly1305_npubbytes() > 0U);168assert(crypto_aead_chacha20poly1305_nsecbytes() == 0U);169assert(crypto_aead_chacha20poly1305_messagebytes_max() > 0U);170assert(crypto_aead_chacha20poly1305_messagebytes_max() == crypto_aead_chacha20poly1305_MESSAGEBYTES_MAX);171assert(crypto_aead_chacha20poly1305_keybytes() == crypto_aead_chacha20poly1305_KEYBYTES);172assert(crypto_aead_chacha20poly1305_nsecbytes() == crypto_aead_chacha20poly1305_NSECBYTES);173assert(crypto_aead_chacha20poly1305_npubbytes() == crypto_aead_chacha20poly1305_NPUBBYTES);174assert(crypto_aead_chacha20poly1305_abytes() == crypto_aead_chacha20poly1305_ABYTES);175176return 0;177}178179static int180tv_ietf(void)181{182#undef MLEN183#define MLEN 114U184#undef ADLEN185#define ADLEN 12U186#undef CLEN187#define CLEN (MLEN + crypto_aead_chacha20poly1305_ietf_ABYTES)188static const unsigned char firstkey[crypto_aead_chacha20poly1305_ietf_KEYBYTES]189= {1900x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,1910x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,1920x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,1930x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f194};195#undef MESSAGE196#define MESSAGE "Ladies and Gentlemen of the class of '99: If I could offer you " \197"only one tip for the future, sunscreen would be it."198unsigned char *m = (unsigned char *) sodium_malloc(MLEN);199static const unsigned char nonce[crypto_aead_chacha20poly1305_ietf_NPUBBYTES]200= { 0x07, 0x00, 0x00, 0x00,2010x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 };202static const unsigned char ad[ADLEN]203= { 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7 };204unsigned char *c = (unsigned char *) sodium_malloc(CLEN);205unsigned char *detached_c = (unsigned char *) sodium_malloc(MLEN);206unsigned char *mac = (unsigned char *) sodium_malloc(crypto_aead_chacha20poly1305_ietf_ABYTES);207unsigned char *m2 = (unsigned char *) sodium_malloc(MLEN);208unsigned long long found_clen;209unsigned long long found_maclen;210unsigned long long m2len;211size_t i;212213assert(sizeof MESSAGE - 1U == MLEN);214memcpy(m, MESSAGE, MLEN);215crypto_aead_chacha20poly1305_ietf_encrypt(c, &found_clen, m, MLEN,216ad, ADLEN,217NULL, nonce, firstkey);218if (found_clen != MLEN + crypto_aead_chacha20poly1305_ietf_abytes()) {219printf("found_clen is not properly set\n");220}221for (i = 0U; i < CLEN; ++i) {222printf(",0x%02x", (unsigned int) c[i]);223if (i % 8 == 7) {224printf("\n");225}226}227printf("\n");228crypto_aead_chacha20poly1305_ietf_encrypt_detached(detached_c,229mac, &found_maclen,230m, MLEN,231ad, ADLEN,232NULL, nonce, firstkey);233if (found_maclen != crypto_aead_chacha20poly1305_ietf_abytes()) {234printf("found_maclen is not properly set\n");235}236if (memcmp(detached_c, c, MLEN) != 0) {237printf("detached ciphertext is bogus\n");238}239240if (crypto_aead_chacha20poly1305_ietf_decrypt(m2, &m2len, NULL, c, CLEN, ad,241ADLEN, nonce, firstkey) != 0) {242printf("crypto_aead_chacha20poly1305_ietf_decrypt() failed\n");243}244if (m2len != MLEN) {245printf("m2len is not properly set\n");246}247if (memcmp(m, m2, MLEN) != 0) {248printf("m != m2\n");249}250memset(m2, 0, m2len);251assert(crypto_aead_chacha20poly1305_ietf_decrypt_detached(NULL, NULL,252c, MLEN, mac,253ad, ADLEN,254nonce, firstkey) == 0);255if (crypto_aead_chacha20poly1305_ietf_decrypt_detached(m2, NULL,256c, MLEN, mac,257ad, ADLEN,258nonce, firstkey) != 0) {259printf("crypto_aead_chacha20poly1305_ietf_decrypt_detached() failed\n");260}261if (memcmp(m, m2, MLEN) != 0) {262printf("detached m != m2\n");263}264265for (i = 0U; i < CLEN; i++) {266c[i] ^= (i + 1U);267if (crypto_aead_chacha20poly1305_ietf_decrypt(m2, NULL, NULL, c, CLEN,268ad, ADLEN, nonce, firstkey)269== 0 || memcmp(m, m2, MLEN) == 0) {270printf("message can be forged\n");271}272c[i] ^= (i + 1U);273}274crypto_aead_chacha20poly1305_ietf_encrypt(c, &found_clen, m, MLEN,275NULL, 0U, NULL, nonce, firstkey);276if (found_clen != CLEN) {277printf("clen is not properly set (adlen=0)\n");278}279for (i = 0U; i < CLEN; ++i) {280printf(",0x%02x", (unsigned int) c[i]);281if (i % 8 == 7) {282printf("\n");283}284}285printf("\n");286if (crypto_aead_chacha20poly1305_ietf_decrypt(m2, &m2len, NULL, c, CLEN,287NULL, 0U, nonce, firstkey) != 0) {288printf("crypto_aead_chacha20poly1305_ietf_decrypt() failed (adlen=0)\n");289}290if (m2len != MLEN) {291printf("m2len is not properly set (adlen=0)\n");292}293if (memcmp(m, m2, MLEN) != 0) {294printf("m != m2 (adlen=0)\n");295}296m2len = 1;297if (crypto_aead_chacha20poly1305_ietf_decrypt(298m2, &m2len, NULL, NULL,299randombytes_uniform(crypto_aead_chacha20poly1305_ietf_ABYTES),300NULL, 0U, nonce, firstkey) != -1) {301printf("crypto_aead_chacha20poly1305_ietf_decrypt() worked with a short "302"ciphertext\n");303}304if (m2len != 0) {305printf("Message length should have been set to zero after a failure\n");306}307m2len = 1;308if (crypto_aead_chacha20poly1305_ietf_decrypt(m2, &m2len, NULL, c, 0U, NULL, 0U,309nonce, firstkey) != -1) {310printf("crypto_aead_chacha20poly1305_ietf_decrypt() worked with an empty "311"ciphertext\n");312}313if (m2len != 0) {314printf("Message length should have been set to zero after a failure\n");315}316317memcpy(c, m, MLEN);318crypto_aead_chacha20poly1305_ietf_encrypt(c, &found_clen, c, MLEN,319NULL, 0U, NULL, nonce, firstkey);320if (found_clen != CLEN) {321printf("clen is not properly set (adlen=0)\n");322}323for (i = 0U; i < CLEN; ++i) {324printf(",0x%02x", (unsigned int) c[i]);325if (i % 8 == 7) {326printf("\n");327}328}329printf("\n");330331if (crypto_aead_chacha20poly1305_ietf_decrypt(c, &m2len, NULL, c, CLEN,332NULL, 0U, nonce, firstkey) != 0) {333printf("crypto_aead_chacha20poly1305_ietf_decrypt() failed (adlen=0)\n");334}335if (m2len != MLEN) {336printf("m2len is not properly set (adlen=0)\n");337}338if (memcmp(m, c, MLEN) != 0) {339printf("m != c (adlen=0)\n");340}341342sodium_free(c);343sodium_free(detached_c);344sodium_free(mac);345sodium_free(m2);346sodium_free(m);347348assert(crypto_aead_chacha20poly1305_ietf_keybytes() > 0U);349assert(crypto_aead_chacha20poly1305_ietf_keybytes() == crypto_aead_chacha20poly1305_keybytes());350assert(crypto_aead_chacha20poly1305_ietf_npubbytes() > 0U);351assert(crypto_aead_chacha20poly1305_ietf_npubbytes() > crypto_aead_chacha20poly1305_npubbytes());352assert(crypto_aead_chacha20poly1305_ietf_nsecbytes() == 0U);353assert(crypto_aead_chacha20poly1305_ietf_nsecbytes() == crypto_aead_chacha20poly1305_nsecbytes());354assert(crypto_aead_chacha20poly1305_ietf_messagebytes_max() == crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX);355assert(crypto_aead_chacha20poly1305_IETF_KEYBYTES == crypto_aead_chacha20poly1305_ietf_KEYBYTES);356assert(crypto_aead_chacha20poly1305_IETF_NSECBYTES == crypto_aead_chacha20poly1305_ietf_NSECBYTES);357assert(crypto_aead_chacha20poly1305_IETF_NPUBBYTES == crypto_aead_chacha20poly1305_ietf_NPUBBYTES);358assert(crypto_aead_chacha20poly1305_IETF_ABYTES == crypto_aead_chacha20poly1305_ietf_ABYTES);359assert(crypto_aead_chacha20poly1305_IETF_MESSAGEBYTES_MAX == crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX);360361return 0;362}363364int365main(void)366{367tv();368tv_ietf();369370return 0;371}372373374